HOME


Top 10 List of Week 02

  1. System Security and Protection
    Security is a measure of confidence that the integrity of a system and its data will be preserved. Meanwhile protection is the set of mechanisms that control the access of processes and users to the resources defined by a computer system.

    There are four levels at which a system must be protected:

    • Physical - The easiest way to steal data is to pocket the backup tapes. Also, access to the root console will often give the user special privileges, such as rebooting the system as root from removable media. Even general access to terminals in a computer room offers some opportunities for an attacker, although today’s modern high-speed networking environment provides more and more opportunities for remote attacks.
    • Human - There is some concern that the humans who are allowed access to a system be trustworthy, and that they cannot be coerced into breaching security. However more and more attacks today are made via social engineering, which basically means fooling trustworthy people into accidentally breaching security.
    • Phishing involves sending an innocent-looking e-mail or web site designed to fool people into revealing confidential information. E.g. spam e-mails pretending to be from e-Bay, PayPal, or any of a number of banks or credit-card companies.
    • Dumpster Diving involves searching the trash or other locations for passwords that are written down. ( Note: Passwords that are too hard to remember, or which must be changed frequently are more likely to be written down somewhere close to the user’s station. )
    • Password Cracking involves divining users passwords, either by watching them type in their passwords, knowing something about them like their pet’s names, or simply trying all words in common dictionaries. ( Note: “Good” passwords should involve a minimum number of characters, include non-alphabetical characters, and not appear in any dictionary ( in any language ), and should be changed frequently. Note also that it is proper etiquette to look away from the keyboard while someone else is entering their password. )
    • Operating System - The OS must protect itself from security breaches, such as runaway processes ( denial of service ), memory-access violations, stack overflow violations, the launching of programs with excessive privileges, and many others.
    • Network - As network communications become ever more important and pervasive in modern computing environments, it becomes ever more important to protect this area of the system. ( Both protecting the network itself from attack, and protecting the local system from attacks coming in through the network. ) This is a growing area of concern as wireless communications and portable devices become more and more prevalent.
  2. Software-level Security
    On Software-level Security, it involves several things, including:
    • Hashing (Using SHA1, SHA2, etc.)
    • Encryption (Symetric-based key e.g. AES256, or Assymetric-based key e.g. RSA)
    • Role-based Access Control
    • Code Obfuscation

    Usually, softwares implements one of these methods. It is up to the needs of the client and the expertise of the developer on which methods to implement. However, in entities such as banking, there are usually a governing rule that controls how the data should be protected (i.e. PCIDSS)

  3. Encryption
    Encryption involves obfuscation of data such that it is illegible and near impossible to comprehend. In general, it involves mathematical functions and prime number. The data that is encrypted is called cypher text.

    There are two types of Data Encryption:

    • Asymmetric Key (e.g. RSA) - is a method of encryption involving a “private” and “public” keys. These keys are prime numbers are correlated by RSA Algorithm. While prime numbers are unique, recent studies have shown that only prime numbers above 2^2048 is secure. These shows that while RSA is secure, generating and decrypting a message in RSA is extremely slow. In a way, it is like a Locked door with two keys, one only turning right, and one only turning left. More of it can be easily explained here
    • Symmetric Key (e.g. AES256) - is a method of encryption involving a “shared” secret. It is usually generated via a “Handshake” – either electronically (by TLS Handshake or Diffie Hellman Key Exchange) or physically (via mail or word). As it only involves a series of mathematical functions (called “rounds”, usually 9-14 rounds), it is much faster than Asymmetric Encryptions.

  4. Role Based Access Control
    Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. RBAC lets employees have access rights only to the information they need to do their jobs and prevents them from accessing information that doesn’t pertain to them.

    In the role-based access control data model, roles are based on several factors, including authorization, responsibility and job competency. As such, companies can designate whether a user is an end user, an administrator or a specialist user. In addition, access to computer resources can be limited to specific tasks, such as the ability to view, create or modify files.

  5. Authentication
    Authentication is the process of determining whether someone or something is, in fact, who or what it declares itself to be. Authentication technology provides access control for systems by checking to see if a user’s credentials match the credentials in a database of authorized users or in a data authentication server. Sensitive data such as passwords or credit card numbers are stored as cypher text, usually in hashed form.

    Users are usually identified with a user ID, and authentication is accomplished when the user provides a credential, for example a password, that matches with that user ID. Most users are most familiar with using a password, which, as a piece of information that should be known only to the user, is called a knowledge authentication factor.

  6. Authentication Factors
    An authentication factor is a category of credential that is intended to verify, sometimes in combination with other factors, that an entity involved in some kind of communication or requesting access to some system is who, or what, they are declared to be. Each category is considered a factor. For example, user names and passwords are both the same type of factor, so their combined use is single-factor authentication (SFA), despite the fact that there are two elements involved.

    Types of authentication factors:

    • Knowledge factors: A knowledge factor is something you know, such as a user name and password.
    • Possession factors: A possession factor is something you have, such as a smart card or a security token.
    • Inherence factors: An inherence factor is something you are, an inherent biometric characteristic such as a fingerprint, voice or iris pattern.

  7. Hashing and Data Signature
    Hashing is the process of converting a given key into another value. A hash function is used to generate the new value according to a mathematical algorithm (A series of compressing data, data substitution, and row substitutions). The result of a hash function is known as a hash value or simply, a hash.

    A good hash function must satisfy these criteria:

    • Should be very fast to compute
    • Should minimize Hash Collisions (Where two data have the same hash)

    Hashing is commonly used to signature certain data. The data would be concatenated in a certain way, and then hashed with an algorithm (i.e. MD5, SHA256, Keccak, etc.) An example of implemented technology would be Blockchains, where it would be significantly difficult to change the data in the blockchain as there is it’s signature.

  8. Password Hashing
    As a good hash function is very fast (fyi. There is a governing body such as NSA that ratify which hash functions should we use), it is also terrifyingly fast to brute force a hash, especially a password. Nowadays, computer hardware are soo powerful that they can brute force “unsecure passwords” in about 40,000,000,000 Hash/s. Moreover, there are a type of password cracking called Dictionary Attacks or Rainbow Tables that looks up commonly used password, concat them, and then looks up if the hash is the same. They utilize breached databases on the dark web to fill their dictionaries. As such, it is imperative that we use strong, random passwords.

    To counter these, “Good” software developers use hashing functions specifically for passwords such as bCrypt. They are intentionally made a bit slow such that computers cannot easily brute force them.

  9. MD5 Fallout
    Using MD5 for passwords is a bad idea. Not because of MD5’s cryptographic weaknesses, but because it’s fast. This means that an attacker can try billions of candidate passwords per second on a single GPU. MD5 is often used because of Tradition, not because of performance. People who deal with databases are not the same people as those who deal with security. They often see no problem in using weak algorithms (e.g. see the joke of an algorithm that MySQL was using for hashing passwords). They use MD5 because they used to use MD5 and are used to using MD5.

Performance is much more often discussed than measured; and yet, logically, there cannot be a performance issue if there is nothing to measure. Using one core of a basic CPU, you can hash more than 400 MBytes per second with MD5, closer to 300 MB/s with SHA-1, and 150 MB/s with SHA-256. On the other hand, a decent hard disk will yield data at an even lower rate (100 to 120 MB/s would be typical) so the hash function is hardly ever the bottleneck. Consequently, there is no performance issue relatively to hashing in databases.

  1. Internet Privacy
    A few days ago, I watched a movie called The Social Dilemma. It concerns how our data and privacy are handled by the tech giants of the world. Eventhough data privacy is already regulated by the GDPR, many companies still doesn’t upheld their standards. This data is collected, compiled, analyzed, and used to try to sell us stuff. Personalized advertising is how these companies make money, and is why so much of the internet is free to users. We’re the product, not the customer. This is why in this day and age we should be concerned and aware of our rights of privacy when breaches of privacy are happening everywhere.