
12 November 2018

Revue Stratégique Cyberdéfense de France (I)



The CISA and CISM certifications were my first contact with security strategies and since then I’ve read several cyber strategies, such as the Cybersecurity Strategy of the EU, the National Security Strategy of Spain, the National Cybersecurity Strategy of Spain, the Department of Defense (DoD) Cyber Strategy of the United States and the National Cyber Strategy of the United States. Today, I want to write about the last cybersecurity strategy I’ve been reading, the review of the Cyberdefense Strategy of France. In fact, I’m only going to write about the first part of the strategy, “Les dangers du monde cyber” (the dangers of the cyber world), because this strategy is too long for just one post.

The Cybersecurity Strategy of France starts by describing how threats are quickly moving towards cyber espionage, cybercrime, destabilization and cyber sabotage. For instance, the strategy highlights the Operation Aurora and Mandiant reports, where United States organizations were attacked from China. It also highlights the dark web for cybercrime, and social networks for terrorism and political destabilization. The strategy also refers to other cyber operations such as Stuxnet, NotPetya, DDoS attacks, etc.

Computer sabotage action
 
The main actions and operating modes of cyber attacks are also discussed in the cyber strategy. In fact, we can read about, and see an example of, the four phases of a cyber attack: reconnaissance, intrusion, malware insertion and exploitation. In addition, we can read about the attacker infrastructure needed for a cyber attack, such as C&C servers and exploitation toolkits. The threat structure is also discussed in the strategy, where we can read an overview of lots of cyber attacks (Shamoon, Carbanak, WannaCry, etc.).

Data exfiltration by sending a booby-trapped e-mail
 
This cybersecurity strategy also takes vulnerabilities into account. It says that national security is insufficient because there are more and more digital services, which may have vulnerabilities, and therefore there is more risk for the State. For instance, a vulnerability in an important system, like the SWIFT system for worldwide payments, is able to break the reputation of that system.

Resilience for mitigating the risks of cyber attacks is also covered in this strategy. How can we become resilient? By integrating cybersecurity into organizations, considering security throughout the information system lifecycle, knowing technologies and threats, and considering active defenses.

Security lifecycle of an information system
 
There are many other sections in this first part of the Cybersecurity Strategy of France, such as international regulation, which is not very good, or cybersecurity models for protection. I think the review of the dangers of the cyber world in this strategy is very complete, with lots of examples, concepts and references. I like it!!

We’ll carry on like this next week!!

5 November 2018

The Art of Intrusion by Kevin Mitnick



I really love reading. It’s the best time of the day. I’m relaxed. I’m quiet. Nobody disturbs me. I’m just reading. I think reading has lots of advantages, such as increasing our attention span, and it also helps us improve our writing skills as well as our speaking skills. I think it’s a good way to activate the mind and, at the same time, we are learning, enjoying ourselves and relaxed. This is why I try to read more and more, although it’s increasingly difficult for me to find time for reading. I would like to read more than I do. The last book I’ve been reading these weeks is “The Art of Intrusion” by Kevin D. Mitnick.

Kevin Mitnick is a computer security consultant, author and hacker who was arrested in 1995 and spent five years in prison because he was charged with wire fraud, possession of unauthorized access devices, interception of wire or electronic communications, unauthorized access to a federal computer, and causing damage to a computer. What’s more, according to Mitnick, law enforcement officials convinced a judge that he had the ability to “start a nuclear war by whistling into a pay phone”. Amazing!! Today, he runs a security firm and he is a keynote speaker at many security conferences.

The Art of Intrusion has more than ten stories about hackers. All of them are anonymous because the statute of limitations had not yet expired on some of the crimes when the book was written. The most interesting story for me has been the one about social engineering, because we don’t need technical skills but social skills to get confidential information from companies. However, we have to be able to deceive people, which is not easy. This chapter talks about the psychological behaviour of human beings. Maybe the previous book, “The Art of Deception” by Mitnick, teaches more tricks for social engineering.

Another story that I like is about the intrusion into casinos for one million dollars. In fact, it’s the first chapter of the book. Four guys who worked as consultants in high-technology firms went to Las Vegas to visit a trade fair, where they also played the slot machines. However, they wanted to win more and more money, so they thought about hacking the slot machines until they managed it. They were able to understand how the slot machines worked, I mean the algorithm, and they developed a system to know when the slot machines were going to pay out. In the end, greed got them caught by the guards.

There is another story that I would like to highlight. It is about crackers. I’ve always thought that cracked software was full of malware, where malicious developers inserted code to break into the computers of people who don’t want to pay for genuine software. However, the book says that some crackers research how to crack software and develop the crack just for pride, credit or revenge.

Actually, I think the book is interesting for newbies because there are lots of stories with some technical details. Maybe a little bit outdated. For instance, I enjoyed “Countdown to Zero Day” by Kim Zetter much more than this one. However, I’ll try reading “The Art of Deception”. I think it could be interesting to reinforce my knowledge about social engineering.

Regards my friends. Keep reading. Keep learning!!

29 October 2018

National Cyber Strategy of the U.S. of America



I read the Department of Defense (DoD) Cyber Strategy of the United States of America last week and this week I’ve been reading the National Cyber Strategy of the United States. Why? I think reading cyber strategies is the best way to understand and learn how to write a cyber strategy. This is obvious! In addition, by reading cyber strategies we can find out what the security risks of each State are, or what they are worried about. For instance, the DoD Cyber Strategy talks about the competition with China and Russia as well as the malicious cyber activities of North Korea and Iran. Another example is the Cybersecurity Strategy of the EU, which highlights the security risk of depending excessively on ICT produced outside the EU.

The first pillar of the National Cyber Strategy of the U.S. is about protecting the American People, the Homeland, and the American Way of Life. How is the government going to do this? By Securing Federal Networks and Information, Securing Critical Infrastructure, Combating Cybercrime and Improving Incident Reporting. The government has written many priority actions into the first pillar, such as improving federal supply chain risk management, which is interesting for excluding risky vendors, products and services.

Promote American Prosperity is the second pillar of the National Cyber Strategy. The government wants to foster a vibrant and resilient digital economy. They also want to foster and protect United States ingenuity. Finally, the government wants to develop a superior cybersecurity workforce, which is aligned with the DoD Cyber Strategy of the U.S. I would like to highlight the priority action of maintaining United States leadership in emerging technologies, which means most ICT is produced in the U.S. and they want to keep this leadership. Another interesting priority action is about updating the mechanisms to review foreign investment and operation in the United States, where they want to know which foreign companies invest in the United States and what they invest in.

The third pillar is about preserving peace through strength. Peace and strength in the same sentence. Interesting!! The aim is to enhance cyber stability through norms of responsible state behaviour as well as attributing and deterring unacceptable behaviour in cyberspace. The priority actions in the third pillar talk about information campaigns and non-state propaganda and disinformation. Do you remember the Cambridge Analytica consulting firm and the Trump campaign? Yes, this is to fight against online malign influence.

Advance American Influence is the last pillar of the Cyber Strategy. The government will promote an open, interoperable, reliable and secure Internet, and they’ll also build international cyber capacity. It seems they are interested in protecting and promoting Internet freedom, me too, but I think they are especially interested in market opportunities for American technology firms, because why don’t they also promote free trade? Why is there a chaotic trade war?

Regards my friends. Keep reading. Keep learning!!

22 October 2018

DoD Cyber Strategy of the U.S. of America



I’ve been reading the Department of Defense (DoD) Cyber Strategy of the United States of America this week. This new strategy seems more offensive than the last one because the Trump administration “will employ offensive cyber capabilities and innovative concepts” and “must ensure the U.S. military’s ability to fight and win wars in any domain, including cyberspace”. However, the devil is in the details, of course. And the strategy doesn’t include many details.

The first line of effort is to build a more lethal Joint Force, which means accelerating cyber capability development and innovating to foster agility. In addition, the Department will use automation and data analysis tools to improve effectiveness, with the aim of operating at machine speed and analysing large-scale data to quickly identify malicious cyber activities. It’s also interesting how they are willing to employ commercial-off-the-shelf (COTS) cyber capabilities to optimize cyber operations.

The second line of effort is to compete and deter in cyberspace, which means deterring malicious cyber activities and persistently fighting malicious cyber activity in day-to-day competition. The Department will also increase the resilience of U.S. critical infrastructure by working with other agencies and the private sector and sharing information with them. It’s important to highlight that most critical infrastructure is managed by the private sector, thus sharing information is mandatory for protecting the country.

The third line of effort is to strengthen alliances and attract new partnerships, building trusted private sector partnerships and international partnerships with the goal of getting advanced cyber capabilities. In addition, the Department wants to reinforce norms of responsible State behaviour in cyberspace, such as prohibitions against damaging civilian critical infrastructure during peacetime.

Another line of effort is to reform the Department by incorporating cyber awareness into DoD institutional culture, because leaders and their staffs should know about security risks and should be able to identify opportunities to gain advantages. The Department will also increase cybersecurity accountability in the private sector and among personnel so that each person is accountable for their cybersecurity practices and choices. This line of effort also seeks material solutions that are affordable, flexible and robust, which will be obtained from COTS. What’s more, the Department wants to expand crowd-sourced vulnerability identification with hack-a-thons and bug bounties to identify and mitigate vulnerabilities.

Finally, the last line of effort is about cultivating talent. The aim of this line is to enhance the Nation’s cyber talent and sustain a ready cyber workforce. This is going to be done with education, training and awareness as well as with the use of the Reserve Components. Moreover, software and hardware expertise will be at the core of DoD competencies, and establishing a top cyber talent management program will be one of the main objectives of the DoD.

This is a summary of the Department of Defense Cyber Strategy. Five lines of effort to compete, deter and win in the cyberspace domain.

Regards my friends. Keep reading. Keep learning!!

15 October 2018

Crowd Counting Researches



I’m not a researcher but I like reading papers to know and learn about new technologies and trends, because many papers turn out to be useful later on. For instance, I read about Notos, which is a dynamic reputation system; Pleiades, which is a DGA malware detection system; and Phoenix, which is another system for finding DGA-based botnets. These papers helped me understand how Domain Generation Algorithms work and, therefore, helped me win the ISACA Challenge in 2015. Today, I want to write about some papers I’ve been reading about crowd counting.

I knew a little bit about crowd counting using computer vision techniques, which is useful to know how many people are in an area. However, after reading more about crowd counting, I’ve realised that it is interesting for many other applications. For instance, crowd counting can be used in smart buildings to optimize energy consumption based on the number of people in the building, or it can be used by retailers to plan their business better by assessing which parts of the store get more visitors. In addition, crowd counting is not only investigated by the computer vision community but also by the environmental science and wireless networking communities.

I didn’t know that environmental science communities also studied crowd counting. They use the characteristics of the area of interest, such as temperature, carbon dioxide concentration, lighting, relative humidity, motion, acoustics, etc., to identify the number of people in the area. It’s interesting. However, it requires installing specialized sensors, such as gas detection sensors, ambient sensors or CO2 sensors, which are expensive. In addition, it requires access to the area of interest.

Wireless networking is another technique to identify the number of people in an area: radio frequency (RF) signals can penetrate objects such as walls, which, combined with wireless devices such as WiFi routers, provides great potential for imaging, tracking and occupancy estimation. There are two kinds of methods using RF signals: device-based active methods and device-free passive methods.

Device-based active methods rely on pedestrians carrying smartphones. For instance, device-based active methods can use GPS or Bluetooth to assess crowd density. It’s interesting how some studies are based on the walking speed of pedestrians to know the crowd density. However, device-free passive methods don’t require people to carry any device. Instead, device-free methods rely on the interaction of the wireless signals with the people in the area of interest. It’s interesting how these methods can count people through walls using WiFi.

Crowd Counting Through Walls Using WiFi

Once I read the first paper, “Crowd Counting Through Walls Using WiFi”, I wanted to know and learn more and more. After reading this paper, I also read “Occupancy Detection Through An Extensive Environmental Sensor Network In An Open-Plan Office Building”, “Indoor Occupancy Estimation From Carbon Dioxide Concentration”, “Bluetooth Based Collaborative Crowd Density Estimation with Mobile Phones” and “Probing Crowd Density Through Smartphones In City-Scale Mass Gatherings”. It’s been interesting, and it’s been fun, reading about crowd counting research.

Regards my friends. Keep studying. Keep reading!

8 October 2018

Linux Privilege Escalation Example



Privilege escalation is when someone exploits an error, design flaw or application misconfiguration in an operating system or application. Privilege escalation is used by malicious users to get administrative access to operating systems and applications. Most systems have two types of user profiles: users who configure the system with administrator privileges and users who use the system without administrator privileges. Therefore, privilege escalation exploits are used by attackers to get superuser privileges on systems.

There are many web pages out there where we can find privilege escalation exploits which can be used to get into operating systems and applications. Most of them take advantage of bugs and vulnerabilities. One that I like, which hosts many exploits, is the Exploit Database by Offensive Security, where we can search exploits and shellcodes by CVE and platform. In addition, we can even download the vulnerable application and the information needed to learn how to get into the system.

I’ve uploaded a new video to my YouTube channel where we can watch how to get root access on a Linux machine with a local privilege escalation exploit, which I downloaded from www.exploit-db.com. This exploit takes advantage of a vulnerability in Linux Kernel 2.6.39 < 3.2.2. On the other hand, we can also watch how to get remote root access by abusing a weak service permission configuration on Linux. As we can watch, privilege escalation is achieved through bugs and vulnerabilities but also through misconfiguration.
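Checking a Linux host for the kind of weak service permission configuration mentioned above is something a defender can script. The following Python example is added here and is not the post’s own code or anything from the video: it parses systemd unit files for Exec* paths and reports executables, or their directories, that anybody can write to. The unit directory, the script names and the unit names are all constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Exec* directives in a systemd unit. The optional prefix characters
# ("-", "@", "+", "!", ":") belong to systemd syntax, not to the path.
EXEC_RE = re.compile(
    r"^\s*Exec(?:StartPre|StartPost|Start|Stop|Reload)\s*=\s*[-@+!:]*(\S+)",
    re.MULTILINE,
)


def exec_paths_from_unit(text):
    """Return the absolute executable paths named by Exec* lines of a unit file."""
    return [p for p in EXEC_RE.findall(text) if p.startswith("/")]


def weak_permission_reasons(path):
    """Explain why an unprivileged user could change what the service runs as root."""
    reasons = []
    st = os.stat(path)
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable file")
    parent = os.stat(os.path.dirname(path))
    # A world-writable directory lets anyone replace the file, unless sticky.
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("world-writable directory without sticky bit")
    return reasons


def audit_units(unit_dir):
    """Return (unit name, executable, reason) for every weakly protected executable."""
    findings = []
    for name in sorted(os.listdir(unit_dir)):
        if not name.endswith(".service"):
            continue
        with open(os.path.join(unit_dir, name), encoding="utf-8", errors="replace") as f:
            text = f.read()
        for exe in exec_paths_from_unit(text):
            if not os.path.exists(exe):
                continue  # dangling ExecStart: nothing on disk to check
            for reason in weak_permission_reasons(exe):
                findings.append((name, exe, reason))
    return findings


def build_demo_tree():
    """Constructed lab layout (not a real system): two services, one of which
    starts a script that anybody can modify. Returns the unit directory."""
    root = tempfile.mkdtemp(prefix="svcaudit-")
    bindir = os.path.join(root, "opt", "app")
    os.makedirs(bindir)
    os.chmod(bindir, 0o755)  # fix the mode explicitly, independent of umask
    unit_dir = os.path.join(root, "system")
    os.makedirs(unit_dir)
    for script, mode in (("good.sh", 0o755), ("bad.sh", 0o777)):
        exe = os.path.join(bindir, script)
        with open(exe, "w") as f:
            f.write("#!/bin/sh\necho demo\n")
        os.chmod(exe, mode)
        with open(os.path.join(unit_dir, script.replace(".sh", ".service")), "w") as f:
            f.write("[Service]\nUser=root\nExecStart=%s\n" % exe)
    return unit_dir


if __name__ == "__main__":
    for unit, exe, reason in audit_units(build_demo_tree()):
        print("%s: %s (%s)" % (unit, exe, reason))
    # On a real host, run audit_units("/etc/systemd/system") as root.
```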


Regards my friends. Keep studying. Keep testing!!

1 October 2018

Linux Buffer Overflow Example



I uploaded a video and wrote about a Windows Buffer Overflow Example two weeks ago. I learnt a lot with that example but I wanted to study Linux buffer overflows as well. Therefore, I’ve been testing the crossfire-server 1.9.0 - 'SetUp()' Remote Buffer Overflow these days. I installed a 32-bit Kali Linux with the crossfire server, which is an online computer game, and thanks to the edb debugger and Python scripts, I’ve been able to learn how to exploit a Linux buffer overflow vulnerability. You can check it in the next video.


Firstly, I started the virtual machine with the NX protection disabled (noexec=off) and executed the crossfire server, which listens on TCP port 13327. I also tested a simple Python script to send 4379 ‘A’s to the vulnerable service. We can see how the program crashes and the ESP register contains many ‘A’s, or ‘41’ in hex. However, we have to find the specific EIP memory location, thus I created a unique string which is sent to the vulnerable server through the malicious script. After I’ve controlled the EIP register, I have to know where I’m going to save the shellcode. Following the EIP register, only 7 bytes are left, thus the shellcode can’t be saved there. As a result, I’ve pointed to the EAX register, where the shellcode is going to be located. The next challenge is to locate a JMP ESP instruction in memory to insert it into the EIP register. Finally, I’ve created a payload with the msfvenom tool to add it to the script, which gives us a Linux remote reverse shell.

Regards my friends. This is another amazing demo to know how Buffer Overflow works. I recommend you do it by yourself.

24 September 2018

Training on Networks, Systems and Hacking



I want to write about the next security courses on Networks, Systems and Hacking, which are going to be delivered for free by FEVAL in Extremadura. There will be five training courses where students will learn basic and advanced security techniques to protect and attack networks and systems. In addition, students will learn computer forensic techniques to analyse digital evidence. Last year, I was the teacher. However, this year, I don’t know yet who is going to deliver this training. Nevertheless, I think it’s a good opportunity for learning about information security.

 
The first course, which starts next month, is about basic security on networks and systems, where students will learn concepts and skills to understand the main information security issues on networks and systems. Students will learn methodologies, and they’ll also use security tools, to protect IT infrastructures and implement security plans. Besides, students will manage the Risk Management Process and they’ll also read and create Business Continuity and Disaster Recovery Plans. For instance, last year we talked about antivirus, application control, web filtering, antispam and IPS/IDS, and we even deployed a virtual firewall.

After finishing the basic security course on networks and systems, we can continue learning information security in the advanced security course on networks and systems. Students will get deep knowledge about security management and operations, access management techniques, security software methodologies, cryptography, and security laws and regulations. For example, last year we introduced Web Application Firewalls with SQLi and XSS attacks.

If you like hacking, you can also take the ethical hacking fundamentals course, where students will learn concepts and technical skills to discover vulnerabilities and attack services with the aim of auditing information systems. For instance, last year we talked about vulnerabilities such as Heartbleed, Apache Struts and Shellshock, and we tested vulnerability assessment systems like Greenbone and OpenVAS on Kali Linux and OSSIM.

If you really love hacking, the ethical hacking fundamentals course is not enough because you’ll want more and more hacking techniques. Therefore, the advanced ethical hacking course will be interesting for those students who want to learn advanced techniques to get unauthorized access by targeting systems. For example, last year we talked about the Social-Engineering Toolkit (SET), Windows PowerShell attacks, the OWASP Top 10, web application vulnerabilities, DoS attacks, etc.

This year, there is a new course about Digital Forensics, which sounds fascinating, where students will learn methodologies, procedures and techniques to look for electronic evidence. Computer forensics activities are increasingly requested by organizations because there are lots of security incidents which have to be analysed to determine the scope of the attacks.

Regards my friends. I hope this will be interesting for you. Keep studying.

17 September 2018

Windows Buffer Overflow Example



These days I’m learning how to exploit buffer overflow vulnerabilities and how to find this kind of vulnerability. I think the best way to learn about buffer overflows is by exploiting these vulnerabilities ourselves in a laboratory. Therefore, I’ve installed a vulnerable server on a Windows machine along with the Immunity Debugger and Mona tools. I’ve also installed a Kali Linux machine, which has been the attacker machine. This is the laboratory I’ve deployed to test a simple buffer overflow vulnerability, which you can check in the next video.


Firstly, I scanned the vulnerable server with the Nmap tool to know whether the POP3 service is open. I also tested a simple script to send 3000 ‘A’s to the vulnerable server. We can see the program crashes and the ESP register contains many ‘A’s, or ‘41’ in hex. However, we have to find the specific EIP memory location, thus I created a unique string which is sent to the vulnerable server through the malicious script. Once I’ve controlled the EIP register, we have to know which bytes cause problems in the vulnerable server, such as truncation with the bad characters \x00\x0a\x0d. The next challenge is to locate a JMP ESP instruction in memory to insert it into the EIP register. Finally, I’ve created a payload with the msfvenom tool to add it to the script, which gives us a Windows reverse shell.

Regards my friends. This has been an amazing demo to know how Buffer Overflow works. I recommend you do it by yourself.

10 September 2018

Buffer Overflow Attack



I remember when I was at university and I studied the “Computer Introduction” and “Operating Systems” subjects. I learnt about registers and how computers use them. I learnt about assembly language. I learnt about little-endian and big-endian. When I was studying these subjects, I just wanted to pass my exams. However, I now realise this knowledge is useful for discovering vulnerabilities. It’s also useful for understanding attacks such as buffer overflow attacks. This knowledge, which I learnt 14 years ago, is still useful and it’s the basis of new vulnerabilities and attacks.

If we want to understand how buffer overflow attacks work, firstly we have to understand how memory is segmented and organized, secondly why registers are used and what they are used for, and lastly how attackers take advantage of buffer overflow vulnerabilities to take control of computers. If we have this knowledge, we will be ready to discover this kind of vulnerability and we will also be ready to develop exploits. However, this is not easy because there are different CPU architectures to take into account and there are more and more security protections such as ASLR or DEP.


The memory model for an x86 processor is segmented and organised from the higher addresses to the lower addresses, where the stack is at the top of memory and the program code is at the bottom. On the x86 32-bit architecture there are 8 general purpose registers that are used to store data and addresses that point to other positions in memory. The most important registers for buffer overflow attacks are ESP, EBP and EIP. The first one, ESP, tells us where on the stack we are, thus the ESP register always marks the top of the stack. The second one, EBP, points to the base address of the stack. Finally, the EIP register contains the address of the next instruction to read in the program, thus it always points to the “Program Code” memory segment.


When we are developing applications, we can use functions like strcpy, gets, scanf and others. If we call these functions without previously limiting the buffer, we allow the program to write outside the buffer. For instance, if the parameter value is larger than the memory buffer space, the EIP register could be overwritten by the parameter value. Obviously, the program will crash and stop because the CPU doesn’t know where the next instruction to read in the program is.


What does an attacker do to exploit a buffer overflow vulnerability? Actually, the attacker writes the address of malicious code into the EIP section. In other words, the attacker overflows the buffer to write into the EIP section the address which points to the exploit.

 
However, a buffer overflow attack is not so simple. There are some problems. First, we don’t really know where the address of the EIP register is located. Second, we have to capture the ESP value when the buffer overflow exception occurs. Third, there are some values that could cause a problem if the address of ESP contains one of these bad characters. Of course, these problems can be resolved. The first one can be resolved by sending a unique pattern of characters to find the offset position in the original string. The second one can be resolved using any disassembler/debugger. The last problem can be resolved by sending all the characters (from 0x00 to 0xFF) and monitoring manually with a disassembler/debugger: when a bad character is sent, the string sent is truncated just before the bad character, revealing one of the bad characters.
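The Linux and Windows demos above, and the three problems listed here, come down to two calculations that are easy to get wrong by hand: finding the offset of the four pattern bytes that landed in EIP, and finding which bytes the server mangles. The following Python example is added here and is not the post’s own script; `constructed_target` is a stand-in for the vulnerable server that truncates at \x0a or \x0d, and all function names are mine.

```python
import string
import struct

# Same alphabet as Metasploit's pattern_create: every 3-byte group
# (Upper, lower, digit) is unique, so any 4 consecutive bytes identify
# exactly one offset in strings up to 26*26*10*3 = 20280 bytes long.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def cyclic_pattern(length):
    """Build the unique pattern the post sends instead of 4379 or 3000 'A's."""
    out = bytearray()
    for u in UPPER:
        for lo in LOWER:
            for d in DIGITS:
                out += (u + lo + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("a pattern longer than %d bytes is not unique" % len(out))


def pattern_offset(pattern, eip_value):
    """Offset in the pattern of the 4 bytes that overwrote EIP.

    eip_value is the 32-bit number shown by the debugger (e.g. 0x37654136);
    x86 stores it little-endian, so pack it back to get the bytes in the
    order they were sent. A 4-byte string is also accepted as-is.
    """
    if isinstance(eip_value, int):
        needle = struct.pack("<I", eip_value)
    else:
        needle = bytes(eip_value)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("EIP bytes %r are not in the pattern" % needle)
    return idx


def badchar_probe(exclude=(0x00,)):
    """All byte values in order, minus the ones already known to be bad.
    0x00 is excluded from the start because it terminates C strings."""
    return bytes(b for b in range(256) if b not in exclude)


def first_bad_char(sent, observed):
    """Compare the probe with what the debugger shows in memory.

    Returns the first byte that was altered or cut off, or None when
    the whole probe arrived intact (no bad characters left).
    """
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def find_all_bad_chars(target):
    """Repeat probe -> compare -> exclude until the probe arrives intact.
    target(probe) stands in for sending the bytes and reading memory back."""
    bad = [0x00]
    while True:
        probe = badchar_probe(bad)
        b = first_bad_char(probe, target(probe))
        if b is None:
            return bad
        bad.append(b)


def constructed_target(probe):
    """Constructed stand-in for the vulnerable server (not a real service):
    it drops everything from the first 0x0a or 0x0d, like the bad
    characters named in the Windows demo."""
    for i, b in enumerate(probe):
        if b in (0x0a, 0x0d):
            return probe[:i]
    return probe


if __name__ == "__main__":
    pat = cyclic_pattern(4379)
    crash_eip = struct.unpack("<I", pat[2000:2004])[0]  # constructed crash value
    print("EIP 0x%08x -> offset %d" % (crash_eip, pattern_offset(pat, crash_eip)))
    print("bad chars:", [hex(b) for b in find_all_bad_chars(constructed_target)])
```

The offset lookup packs the EIP value little-endian before searching, which is why the four bytes the debugger shows look reversed compared with the pattern on the wire.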

Regards my friends. Maybe this is a very technical post. I’ve skipped many things. I’ll try to make a video.

3 September 2018

I’ve been reading ...



I got back from holiday. This is my first post of this new season. I want to start by writing about reading books. Six years ago, I opened this blog, where I write weekly, and I think writing is important to organize ideas and improve writing skills. However, today I want to write about reading books. I think it’s the best way to learn new techniques, concepts and ideas. It’s the best way to get knowledge from others. Therefore, I’m going to tell you what books I’ve been reading this summer. I’m sorry, none of them are tech books.

At the beginning of the summer, I read “Aprendiendo de los mejores” by Francisco Alcaide. It’s a book where Francisco has collected sentences and comments from important people such as Steve Jobs, Bill Gates or Amancio Ortega, among others. We can read about their lifestyles and their thoughts to discover that patience, persistence and discipline have been the abilities that made them successful. I think this is an excellent book for getting motivated, because you can easily realise that success is built step by step and happiness is a feeling that should be present throughout the process.


I’ve also read “Thinking, Fast and Slow” by Daniel Kahneman this summer. This is a book for understanding how the mind works. He explains that human beings have two types of mind. A mind which is fast, intuitive and emotional. It is called System 1. This system helps us to make decisions faster, based on intuition, which sometimes could be helpful and beneficial but could also be harmful because there are some things which should be thought through slowly. We use System 1 while we are walking, driving the car or even speaking. System 1 is used for routine activities. On the other hand, we also have a mind which is slower, more deliberative and more logical. It is called System 2. This system helps us to make logical decisions based on arguments, which is often useful for making the right decision. However, this system is slower because it requires a lot of mental effort, and human beings don’t like making efforts by nature, thus we prefer to use System 1 instead of System 2 most of the time. I’m using System 2 right now to write in English, and it’s also used for maths calculations or learning new skills.


The last book, which I hope to finish this week, is “Factfulness” by Hans Rosling. This is a book where we can see the progress of the world. We can see most countries are getting better. Most people around the world live better than before. Hans Rosling shows lots of data sets from the United Nations (UN) where we can see that, although there are still countries living in poverty, most countries are making progress in health, democracy and human rights.


These are the books I’ve been reading this summer. I recommend them. The first one to get motivated. The second one to understand how the mind works when we make decisions. The last one to know that things are better than we think.

I really love reading. Quietly. Reading in my room. Nobody disturbs me. I think it’s the best way to get knowledge from others. I hope to keep reading for a long time.

Regards my friends. I hope these books are interesting for you. Keep reading.

30 July 2018

Six years ago ...



Writing is very difficult. We have to think deeply to know what we want to say. We have to organize our thoughts and decide how many paragraphs we are going to write about something. I have already been writing for six years and it is still difficult for me. I have to admit that writing this post is easier than the first one, but words and sentences are still difficult to find in my head to write what I want to say. This was the aim of creating this blog. Writing, writing and writing to improve my writing skills, because it was too difficult for me when I was studying English and I had to take the writing exam.

Six years ago I decided to write about tech things. Particularly, I decided to write about security and networks. Since then, I write weekly about what I’m learning, what I’m reading or what I’m doing in my job. This is going to be my last post before going on holiday, thus I want to write about what I have been doing in the last year, which has been full of experiences and technologies.

This year, I’ve learnt new technologies such as AWS Cloud and Web Application Firewalls. I created my virtual Data Center in Amazon Web Services with AWS Elastic Load Balancing, AWS Shield & AWS WAF and Amazon CloudFront. With regard to WAF, I deployed several F5 BIG-IP WAFs, where I clearly learnt the difference between a WAF and an IPS, and I ended up getting the F5 BIG-IP ASM Certified Technology Specialist certification. In fact, I had to deploy F5 BIG-IP DNS for Data Center Load Balancing as well.

What has been demanding, but delightful at the same time, has been the Ethical Hacking Course and the Security courses on Networks and Systems, where my students learnt how to create a backdoor for Android systems, make their own malicious WhatsApp, as well as making apps safer with HTTP Security Policy. It was demanding because I was also studying French at the Official School of Languages and I had to do my homework, such as the Video Selfie in French or talking about Sophie Germain. However, it was delightful because I learnt a lot about security and I passed the A2 level in French.

In the meantime, I’ve been reading about security, economics and psychology, such as No Place to Hide and Thinking, Fast and Slow. I’ve also been studying Computer Forensics and I’ve had time to go to ForoCIBER 2018, where I solved the CyberSecurity Challenge.

An overview of the most widely read posts in the last six years:

Posts

As for where the blog is visited from, we can see the statistics:

Posts by countries

Last but not least, I would like to thank those who read this blog and support me, because they are the main reason why I have already written 292 posts with almost 225000 views. If someone has something to say for improving this blog, it is welcome.

Regards my friends and I hope to see you again back in September after a great holiday.

23 July 2018

Risk assessments for GDPR compliance




When I was studying for the CISA and CISM certifications, I read a lot about Business Impact Analysis and the Risk Management Process. That was cool because Ariadnex was ISO 27001 compliant and I had to help them be ready to comply with this kind of process. Today, we also have to be GDPR compliant, since all EU citizens have cyber rights under the new GDPR. This is a good opportunity to reinforce my knowledge about risk assessments, because they are essential for the new regulation.

All businesses have to comply with GDPR because most of them process personal data of their employees for salaries, benefits and social security. Most of them also have a recruitment process or they evaluate their employees. There are also companies that store and process lots of personal data for advertising campaigns, or that process sensitive data, as the health sector does. Therefore, there is personal data processing everywhere and these businesses have to comply with the new regulation.

The first step for compliance is to know what personal data the company is processing, because we’ll have to define and design the processing operations for personal data as well as the purpose of the processing. Once this is done, we can use tools such as Facilita, which tells us what we have to do with personal data processing. If we don’t have too much personal data and the risk level is low, maybe we only have to do some paperwork and buy some tech stuff.

Workflow for GDPR compliance

However, if we have too much personal data or sensitive data, we should evaluate the proposal to identify potential effects on individuals’ privacy and personal data. Therefore, we have to know whether a basic risk assessment is enough for the company or whether a Data Protection Impact Assessment (DPIA) will be necessary, which is an exhaustive process known as privacy by design, where projects are designed with data protection in mind from the beginning.

If the company doesn’t have high risk personal data processing, we’ll have to do a basic risk assessment. This risk assessment will have to take into account the loss of integrity, availability and confidentiality for personal data protection, and it will also have to take into account the rights and freedoms of individuals. However, this risk assessment shouldn’t be an exhaustive risk assessment but an essential one, where only critical risks should be considered, such as unauthorized access, unintentional loss or lack of procedures.

Finally, if the company has high risk personal data processing, we’ll have to do an exhaustive risk assessment through the DPIA process, where we evaluate the impact and the probability of occurrence of each threat to know the level of risk of each personal data processing activity. I know, it is demanding work, but it is mandatory for GDPR compliance.

Regards my friends and remember protecting your data!!

16 July 2018

A2 level in French language



Last summer, I wrote about passing the French A1 level, because I had started learning a new language, French, at the Official School of Languages and I passed the A1 level exam. Those were my beginnings in French, although I had already studied some French at high school. As a result, one of my wishes for 2018 was to keep studying French, and I’ve just successfully passed the A2 level in French. I feel happy to be able to move on to the next level, B1, because it means I'm improving my French skills.


I got 9,5 in the listening skill, which is very good. I mean, it's amazing! I think I got it because I’ve done a lot of listening exercises. Almost five listening exercises a week since I started the course. They are online at apprendre.tv5monde.com. Besides, I’ve listened to France Info radio live from time to time. While I’m working, while I'm taking a shower or while I’m in the gym, I can listen to the radio in French. All of this has been enough to get good marks in the listening skill.

The speaking skill is the most difficult skill from my point of view, because students have to speak about a topic for a few minutes but you don’t have a lot of time to think about it. Therefore, students have to improvise and devise what they want to say. I got 8 in the speaking skill, which is also very good. I’ve been speaking alone in my house with Vaughan Bonjour! and I’ve also been speaking with schoolmates in French, which has allowed me to improve my speaking skill. In addition, I think the Video Selfie in French, my talk about the mathematician, physicist and French philosopher Sophie Germain, and the talk about La région Île de France have helped me to get these good marks.

I think the reading skill is the easiest skill because, even if you don’t understand the whole document, you can work out what you are reading from the context. I really love reading. Therefore, I’ve read three books in French during this course. I still read books for beginners, which means I read books with basic vocabulary and easy grammatical sentences, but I hope to get more and more vocabulary and complex grammatical sentences in the next years in order to read more interesting books.

Finally, I have to admit that the writing skill is not easy. Although I usually write in this blog, writing is not easy even for me, because you have to think about what you are going to write as well as how you are going to organise the text. How many paragraphs you are going to write, what verb tense you are going to use for the story, the letter, the mail or whatever. There are many things to think about and decide before writing the first letter. However, I got 9 in the writing skill, which is also a very good mark.

To sum up, I’ve been studying for the whole course and I've finished with very good marks. Thanks to the teacher, thanks to my schoolmates and thanks to my supporters.

Regards my friends and keep studying!!

9 July 2018

F5 ASM - Denial of Service (DoS) Mitigation



From time to time, I talk about techniques and methods of DoS attacks with workmates and customers, and when we speak about it, most of them always think about DDoS attacks, where a botnet floods the targeted server with excessive bandwidth consumption. However, we shouldn’t forget that an attacker can also make services unavailable just by requesting heavy URLs. Therefore, it’s not necessary to have lots of resources, nor a botnet, to make services unavailable, because it can also be accomplished with a simple DoS attack.

Mainly, there are three DoS attack categories: volumetric attacks, computational attacks and application attacks. Firstly, volumetric attacks, like UDP Flood Attacks or Amplification DDoS Attacks, are the best-known DoS attacks. Secondly, computational attacks, like SYN Flood Attacks, are less known than volumetric attacks; here attackers want to exhaust resources such as firewall session tables. Finally, application attacks, like HTTP Flood Attacks, are easy to execute with DoS attack tools such as LOIC or slowloris. However, these last attacks are little known by companies, and most of them don’t even know how to mitigate them nor which mitigation tools are on the market.

DoS Attacks Categories

When we are mitigating DoS attacks, it’s important to have a good classification between malicious traffic and legitimate traffic, because the mitigation process could also block legitimate users when DoS mitigation tools are not well configured. In addition, DoS attacks are increasingly sophisticated and targeted, and they are delivered over SSL traffic as well, against servers and applications. As a result, behavioural analytics, ultra-fast automated detection and comprehensive protection are required for a good mitigation strategy.

F5 BIG-IP WAF is also able to detect and block DoS attacks. We can watch in the next video how I configure a DoS profile to detect and block attacks based on TPS (Transactions Per Second). When the iMacros bot requests two transactions per second, the DoS profile blocks the requests and the DoS attack is stopped. In addition, the video shows how to block DoS attacks with a CAPTCHA challenge to find out whether a bot or a human being is behind the requests. Last but not least, DoS reporting is very important to know what’s going on and what happened to the services.
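To show what a TPS-based DoS profile is actually measuring, here is an added example (not F5 code and not a BIG-IP configuration) that runs a per-client sliding-window transaction counter over a few constructed access log lines and escalates from allow to CAPTCHA challenge to block; the 2 TPS limit and the escalation thresholds are assumptions chosen to match the scenario in the video.

```python
"""TPS-based DoS detection over constructed web-server log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log: "timestamp client_ip method path".
# Client 10.0.0.9 mimics a scripted bot hammering one heavy URL;
# the 192.0.2.x clients are ordinary visitors.
SAMPLE_LOG = """\
2018-07-09T10:00:00.100 192.0.2.10 GET /index.html
2018-07-09T10:00:00.300 10.0.0.9 GET /search?q=report
2018-07-09T10:00:00.600 10.0.0.9 GET /search?q=report
2018-07-09T10:00:00.900 10.0.0.9 GET /search?q=report
2018-07-09T10:00:01.200 192.0.2.10 GET /about.html
2018-07-09T10:00:01.250 10.0.0.9 GET /search?q=report
2018-07-09T10:00:03.000 192.0.2.11 GET /index.html
"""


def parse_line(line):
    """Split one log line into (timestamp, client_ip, path)."""
    ts, ip, _method, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, path


def find_offenders(log_text, tps_limit=2, window_s=1.0):
    """Return {client_ip: peak_tps} for every client whose request count inside
    any sliding window of window_s seconds exceeds tps_limit (assumed limit)."""
    windows = defaultdict(deque)  # per-client timestamps still inside the window
    peak = defaultdict(int)
    for line in log_text.splitlines():
        ts, ip, _path = parse_line(line)
        q = windows[ip]
        q.append(ts)
        # Drop requests that fell out of the trailing window.
        while (ts - q[0]).total_seconds() >= window_s:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > tps_limit}


def mitigation_for(peak_tps, tps_limit=2):
    """Escalate the response: moderate offenders get a CAPTCHA challenge so a
    human can still get through, flagrant ones are blocked outright."""
    if peak_tps <= tps_limit:
        return "allow"
    return "captcha" if peak_tps <= 2 * tps_limit else "block"


if __name__ == "__main__":
    for ip, tps in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: peak {tps} TPS -> {mitigation_for(tps)}")
```

A real DoS profile also has to watch server-side latency for the heavy-URL case, since a handful of expensive requests per second can exhaust the application before any per-client TPS limit trips.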

Regards my friends and don’t forget to protect your services.