Tuesday, February 13, 2018

Baby Monitor - TC2027

To introduce the topic I'll be writing about, I'll first explain the context.

My father works and lives outside Jalisco, but he comes to visit us every two weekends or so.
My brothers and I (we're three young adult males; this might be relevant) live with my mother, who went a few days ago to my place of birth to take care of her parents.

Why do I have to tell you this? Well... because before my mother left, my father set up two baby cameras to "watch the house", or rather to keep an eye on their sons.
Some of you might ask what this has to do with security. Well, let me tell you some stories that came up in the news:

  • A couple's 3-year-old son told his parents he was afraid of the man talking over the monitor at night. One day, the father heard "Wake up little boy, daddy's looking for you," coming from the monitor. (CBS)
  • A family in London was rocking their child to sleep when they heard eerie music coming from the monitor and a voice that said "you're being watched". (CTV News)
These stories are creepy, but we're not babies, so what could go wrong? Well, if someone gained access to the monitors, they could watch us all the time: see our movements, when we go out, what time we come back, what we do when we're at the house, etc. There is a website, Insecam, which states this on its page:

Welcome to Insecam project. The world biggest directory of online surveillance security cameras. Select a country to watch live street, traffic, parking, office, road, beach, earth online webcams. Now you can search live web cams around the world.

Meaning that they have access to many cameras all around the world that have no password protecting them, or that still have the default one ("root : password", etc.).
This sure raises awareness. I found a really good post on how hackers get access and how to protect yourself, and I will try to explain it, just not as in depth; I encourage you to read the full post here: https://www.groovypost.com/howto/secure-your-video-baby-monitor/

First, how do hackers get access to a monitor?

One way is by gaining administrative access to your router. Unless you've enabled port forwarding or created a demilitarized zone (DMZ), you're safe here; port forwarding is typically enabled for BitTorrent clients or high-bandwidth online video games. They can also gain access if you have an open wireless network (no password), but you wouldn't do this, right? (Another tip for protecting your router is to update its firmware regularly, whenever there's an update.)

After they've gained access, they can reach the baby monitor's configuration. These monitors usually come with a default password (or no password at all), so be sure to put a strong password in place.

However, many parents (like mine) want to access that monitor via the Internet when they're not at home, but "the bandwidth and security implications of enabling this feature are too great if you don't know what you're doing", because instead of hackers first having to gain access to your router, they only have to gain access to the monitor (a strong password is needed, please, and keep the camera's firmware updated).
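The three things the post says to check (default or weak camera credentials, router rules that expose the camera to the Internet, and stale firmware) can be turned into a small self-audit. The script below is an added example, not code from the original post or from any camera vendor: the default-credential list, the camera inventory and the router port-forwarding table are all constructed for the example, and the audit functions and their thresholds (12 characters, 3 character classes) are my own choices, not a standard.

```python
"""Added example (not from the original post): audit a home camera setup for the
risks the post describes. All device data below is constructed."""
import re

# Constructed illustrative list of vendor defaults; "root:password" is the pair
# quoted in the post. Any match means the credential was never changed.
DEFAULT_CREDENTIALS = {
    ("root", "password"),
    ("admin", "admin"),
    ("admin", ""),
    ("admin", "1234"),
    ("user", "user"),
}


def audit_credentials(username, password):
    """Return a list of findings for one credential pair (empty list = OK)."""
    findings = []
    if (username, password) in DEFAULT_CREDENTIALS:
        findings.append("default vendor credential still in use")
    if password == "":
        findings.append("empty password")
    elif len(password) < 12:
        findings.append("password shorter than 12 characters")
    # Count character classes present: lower, upper, digit, symbol.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if password and classes < 3:
        findings.append("password uses fewer than 3 character classes")
    return findings


def audit_port_forwards(rules, camera_ips):
    """Flag router port-forwarding rules that publish a camera to the Internet.

    rules: list of dicts with external_port, internal_ip, internal_port, enabled
    camera_ips: set of LAN addresses that belong to cameras
    """
    findings = []
    for r in rules:
        if r["enabled"] and r["internal_ip"] in camera_ips:
            findings.append(
                f"port {r['external_port']} forwarded to camera "
                f"{r['internal_ip']}:{r['internal_port']}")
    return findings


def audit_firmware(installed, latest):
    """Compare dotted version strings; installed older than latest is a finding."""
    def parse(v):
        return tuple(int(x) for x in v.split("."))
    if parse(installed) < parse(latest):
        return [f"firmware {installed} is behind latest {latest}"]
    return []


def audit_camera(cam, rules):
    """Run all three checks for one camera and group the findings by area."""
    return {
        "credentials": audit_credentials(cam["username"], cam["password"]),
        "exposure": audit_port_forwards(rules, {cam["ip"]}),
        "firmware": audit_firmware(cam["firmware"], cam["latest_firmware"]),
    }


# Constructed sample: one camera left on defaults and forwarded, one hardened.
CAMERAS = [
    {"name": "living-room", "ip": "192.168.1.50", "username": "root",
     "password": "password", "firmware": "1.2.0", "latest_firmware": "1.4.1"},
    {"name": "hallway", "ip": "192.168.1.51", "username": "sebastian",
     "password": "Cam!Hallway2018x", "firmware": "1.4.1", "latest_firmware": "1.4.1"},
]
ROUTER_RULES = [
    {"external_port": 8080, "internal_ip": "192.168.1.50", "internal_port": 80, "enabled": True},
    # A BitTorrent client on another machine: not a camera, so not flagged here.
    {"external_port": 51413, "internal_ip": "192.168.1.20", "internal_port": 51413, "enabled": True},
]


def run_audit(cameras=CAMERAS, rules=ROUTER_RULES):
    """Map camera name -> findings grouped by area."""
    return {c["name"]: audit_camera(c, rules) for c in cameras}


if __name__ == "__main__":
    for name, report in run_audit().items():
        print(name)
        for area, items in report.items():
            for finding in items:
                print(f"  [{area}] {finding}")
```

Run as-is, the constructed living-room camera produces findings in all three areas and the hallway camera produces none; a real run would read the camera settings and the router's port-forwarding page instead of the inline dictionaries.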

My father and I took the required measures to secure the webcams, so for now, I can rest in peace knowing that only my parents are watching me...


Read more:
http://newyork.cbslocal.com/2015/04/21/seen-at-11-cyber-spies-could-target-your-child-through-a-baby-monitor/
https://london.ctvnews.ca/baby-monitor-camera-hacked-while-child-rocked-to-sleep-1.2483149

Sunday, February 4, 2018

Security or Convenience, TC2027

With the increasing number of devices connected to the Internet, sometimes (most of the time, really) we do things thinking they make us more secure on the Internet, but we are unintentionally doing the opposite.

I will talk about some authentication methods and things we do on the Web, and analyze whether they are keeping us safe or actually harming us.

Whenever we go to a park, a mall, or any public space, we are tempted to look at the latest memes or videos, check or send important work emails, or do some work at a coffee shop. To do this, we connect (sometimes automatically) to free public Wi-Fi. I know it is very convenient, but please DO NOT USE FREE PUBLIC WI-FI to do important work or send sensitive data. WHY? Because NO AUTHENTICATION is needed to establish a network connection, which means anyone can see whatever information you're sending (important emails, credit card information, you name it). Some measures you can take to be safer are: use a VPN (maybe I will write a blog post about this), and in your browser, type "https" instead of "http" for the websites you're visiting; this adds an extra layer of security.
http = not safe

https = safe!


A very convenient thing for when we forget our password is to receive a code via SMS on your mobile phone. This is kind of safe, but there are some risks with it:
  • SMS messages are not protected from someone else seeing them.
  • There's no assurance they will go to the intended recipient. (DataBreach)

Fingerprints! I think most smartphones nowadays come with this option: forget about those boring, old-fashioned secure passwords, now you can unlock your device with your fingerprint! Is this convenient? Hell yes. Is this safe? Maybe not so much.
Researchers developed a set of "MasterPrints" that could match real prints similar to those used by smartphones as much as 65% of the time. (NY Times)

I can't list every single authentication method and its risks, as these methods change over time, but we must start thinking about which authentication methods we use and why we use them: is it for security (most times, really secure methods are a pain in the buttocks) or is it for convenience? Then we should look up the risks of doing so, to stay more secure.

If you want to learn more:

https://www.kaspersky.com/resource-center/preemptive-safety/public-wifi-risks
https://www.lifewire.com/disable-automatic-wireless-connections-153376
https://www.databreachtoday.com/blogs/convenience-over-security-often-best-policy-p-2233
https://www.nytimes.com/2017/04/10/technology/fingerprint-security-smartphones-apple-google-samsung.html

Saturday, February 3, 2018

Authorization vs Authentication, TC2027

I think these concepts are sometimes used incorrectly, or one is used to mean the other; the two concepts are closely related, which is why they cause some confusion.

Today I will try to explain these concepts.

Authentication

It is a way to prove that you are who you say you are. Outside the tech environment, if an officer pulls you over and asks for your ID, that is a way for him to know who you are. If he asked your name, you could come up with a fake name, but an official ID will let him know your name and other accurate information about you, proving that you are you.

In the tech world, authentication is used by a server to know who is trying to access the information, and it is used by a client to know whether the server is who it claims to be.

There are different types of Authentication:
  • Single-factor: access to a system is granted by using only one category of credentials. An example is a password.
  • Two-factor: access to a system is granted by using two categories of credentials, in order to add an "extra layer" of security. It's usually added on top of username/password authentication by requiring information that only the user knows or has; this can be a token, or an SMS code sent to your phone number.
  • Multi-factor: access to a system is granted by using two or more categories of credentials.
  • Strong: combining two mutually independent factors of authentication, so that if one is compromised, the other isn't automatically compromised. Usually one credential is non-reusable, like a specific token for only one transaction, to add even more security.
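To make the list concrete, here is an added example (not code from the original post) that builds single-factor and two-factor authentication from Python's standard library: factor one is a salted PBKDF2 password hash, factor two is an HMAC-based one-time code (the HOTP construction of RFC 4226, so the codes can be checked against that RFC's published test vectors), and the server consumes each counter on success so a code cannot be replayed, which is the non-reusable property the "Strong" bullet describes. The user record, the password and the token secret are constructed for the example; the look-ahead window of 5 is an assumed server policy.

```python
"""Added example (not from the original post): single-factor, two-factor and
non-reusable-token authentication using only the standard library."""
import hashlib
import hmac
import os
import struct

ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Factor 1 (something you know): store a salted PBKDF2 hash, never the plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def hotp(secret, counter, digits=6):
    """Factor 2 (something you have): HMAC-based one-time password, RFC 4226."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class User:
    def __init__(self, name, password, token_secret):
        self.name = name
        self.salt, self.digest = hash_password(password)
        self.token_secret = token_secret
        self.next_counter = 0   # the server never accepts a counter it has consumed


def single_factor(user, password):
    """Password only: one category of credential."""
    return verify_password(password, user.salt, user.digest)


def two_factor(user, password, code, window=5):
    """Both factors must pass. The accepted counter is consumed, so replaying
    the same code fails even with the correct password."""
    if not verify_password(password, user.salt, user.digest):
        return False
    # Small look-ahead window in case the token generated codes that were not used.
    for c in range(user.next_counter, user.next_counter + window):
        if hmac.compare_digest(hotp(user.token_secret, c), code):
            user.next_counter = c + 1
            return True
    return False


# Constructed sample: the secret is the RFC 4226 test-vector secret, used here
# only so the generated codes can be checked against the RFC's published values.
SECRET = b"12345678901234567890"
alice = User("alice", "correct horse battery staple", SECRET)

if __name__ == "__main__":
    code = hotp(SECRET, alice.next_counter)
    print("first login:", two_factor(alice, "correct horse battery staple", code))
    print("replay of same code:", two_factor(alice, "correct horse battery staple", code))
```

The two factors are independent in the sense the bullet describes: a leaked password does nothing without the token secret, and an intercepted code is worthless once its counter has been consumed.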
______________________________________________________________________________
Authorization

Simply put: are you allowed to do that? Whenever we go to a building, there are always certain doors or areas that not everyone is authorized to enter. For example, ITESM students can access the campus with their ID, but there are certain rooms that, even if you're a student, you're not allowed (authorized) to go into (only authorized personnel).

But it can also mean giving specific access rights or privileges to resources, which is related to information security and computer security in general and to access control in particular (Wikipedia). This is usually implemented as a role assigned to the user, to specify and limit the actions they can perform within the system.
______________________________________________________________________________

In the beginning I said these two concepts are closely related. Why? Take the following example: my user on my computer has administrator rights, but in order to use them and access every right on my computer, I have to log in and verify that it is actually me, Sebastián, who is trying to get access. I am authorized to make any changes to my computer; however, only after I've authenticated myself am I granted that access.

In conclusion, these two concepts are really important for computer and information security, to prevent damage, unauthorized access, loss of data and bad stuff like that.