How to Manage Vulnerabilities on Your Home Network


Many people erroneously assume that their home networks are too small to be targeted by cyberattackers and that cybersecurity is only meant for enterprises. Nothing could be further from the truth. If the past few years have taught us anything about cybersecurity, it is that nothing is too small to be exploited, not even the smallest IoT device. Therefore, people need to take managing vulnerabilities on their home networks more seriously, beyond setting basic passwords. Now that many people are working from home, home network security is more important than ever.

Extracting Server Certificates Made Easy With Certificate Ripper

Introduction

As engineers, we sometimes need to grab a certificate for different purposes. We may need it to update the truststore of our application with a new trusted certificate, or we may simply want to analyze its content, use it for testing, or use it for some other purpose. There are multiple ways to accomplish this, such as dragging and dropping the certificate from your browser to your desktop or using OpenSSL. The browser is only capable of exporting binary certificates, and the OpenSSL commands can be complex or tricky to build depending on which kind of output you want. I was seeking a simple way of printing server certificates in either PEM format or a human-readable format, and I also wanted to export all of them into a truststore file. That is how Certificate Ripper came to life.

Certificate Ripper is a CLI application available for Windows, Mac OS X, and Linux and can be found here: GitHub - Certificate Ripper

An Analysis of Near-Field Communication

Introduction

From telegraphs to online video calls and from fax machines to emails, the means of communication have evolved exceptionally. Now the world has shifted from wired networks to wireless transmission, with the internet being the most significant example.

Nowadays people do not want to wait for replies; messages are sent and received in milliseconds. Modern messaging apps are an example of this. Transferring large files was a problem for businesses in the past, as it could take hours to load. Currently, centralized cloud storage gives easy access to data from anywhere in no time.

Revealing the Secrets of Kubernetes Secrets

Kubernetes secrets are the native resources for storing and managing sensitive data, like passwords, cloud access keys, or authentication tokens. You need to distribute this information across your Kubernetes clusters and protect it at the same time. When sending your password to each node in your cluster, it’s critical to ensure that only authorized entities—users, services, or workloads—are able to access it.

Kubernetes Secrets

The building blocks of Kubernetes computation are pods made up of containers. You can bake your sensitive passwords into container images or configure them as part of pod definitions. The more secure and Kubernetes-native approach uses secret objects and introduces them in pod specifications (e.g., a file or environment variable).

A Quick Guide Through UFW: Uncomplicated Firewall

UFW, short for Uncomplicated Firewall, is a simplified firewall front end built on top of iptables itself, which makes configuring UFW much easier than configuring iptables directly. UFW is therefore a program for managing a netfilter firewall that aims to provide an easy-to-use interface for the user.

The Need for UFW: Uncomplicated Firewall

Consider services such as SSH or FTP: if they are left open for anyone to connect to, the result can be a massive security breach by attackers or malicious users. This is where the need for a firewall comes from. A firewall is useful in that it still allows remote access to the system, but in a limited fashion. A simple example: a firewall can allow certain ports to be open only to a few IP addresses to limit the chance of a breach, or allow connections only from a trusted device.

6 Ways to Secure APIs

Migrating from an old monolithic application to microservices is gaining traction and has become a trend. Most organizations are encouraging developers to create APIs that can help them achieve their digital transformation goals. If you have a complex system to develop but need to deliver quickly and iteratively over a long period, then going with APIs is a good choice. Now, the question is: how do you secure these APIs? Securing APIs should start from the beginning, at the design stage itself. Below are some patterns that can help secure your APIs.

1. Secure Coding

Developers should think about writing secure code from the beginning. If we follow OWASP (Open Web Application Security Project) guidelines, tools, and training, almost 85% of code vulnerabilities can be fixed. It is very important to validate each and every input that the application receives. For example, say an API accepts a name as a string parameter and performs some business logic on it. Instead of just checking that the name is not null, make sure to check it against a specific pattern, such as allowing only letters or digits. This rules out any pattern that might be used for SQL injection.

An Introduction to SSH – Secure Shell

What Is SSH?

SSH is a network protocol that allows a secure connection between different computers. The SSH protocol, also referred to as Secure Shell, provides many capabilities, such as:

  • A strong, secure connection
  • Strong authentication
  • Connection integrity
  • Strong encryption

In general, there are different ways of logging in to a remote machine,

Implementation of Hybrid Encryption Using Java 1.8 and OpenSSL

Symmetric encryption is a type of encryption in which a single key is used to both encrypt and decrypt the data, whereas in the asymmetric approach a public/private key pair is used for the same purpose. This reduces the risk of mishandling the key, as only the public key is shared with clients and the private key is kept secret. A client can encrypt the data with the public key and send it securely over any standard data-sharing protocol. At the receiving end, the private key is used to decrypt the data.

But the time needed to encrypt data with asymmetric encryption grows significantly with the size of the data. Here symmetric encryption does the job far more efficiently, which is why the two are combined in a hybrid scheme.

SecureSDLC – The Next Gen SDLC

People with exposure to the software development space will be familiar with the SDLC (Software Development Life Cycle). Still, let’s do a quick recap. The SDLC framework defines the processes used by organizations to build applications and products from inception to decommissioning. Organizations and industry leaders have defined and implemented various SDLC models (such as waterfall, agile, etc.) over the years to fit their needs. A typical SDLC has requirements, design and architecture, development, testing, release, and maintenance phases.

What Is SecureSDLC and Why Should We Care?

SecureSDLC is an SDLC variant with an emphasis on security. Secure SDLC takes the SDLC model and embeds security into every phase, starting from requirements. Security is paramount for organizations that handle and are responsible for safeguarding the confidentiality, integrity, and availability of organizational or user data.

What I Learned About How Facebook Infrastructure Serves Our Photos

On July 3, users across the globe came to a standstill when they weren’t able to load photos on both Facebook and Instagram. Likewise, users of Facebook-owned WhatsApp weren’t able to send images or videos.

If Facebook was a standalone CDN, it would probably be in the top three CDNs in the world because of the sheer number of assets and traffic. Running the CDN infrastructure and networks at Facebook cannot be a small task.

Mule 4: Enable HTTPS Connector Using OpenSSL

Introduction

This article demonstrates how to generate self-signed certificates and use a private key to configure the HTTPS connector using OpenSSL.

Generate Private Key and Public Cert Using OpenSSL

$ openssl req -newkey rsa:2048 -x509 -keyout cakey.pem -out cacert.pem -days 3650
Generating a RSA private key
....+++++
...................................................+++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:Dallas
Organization Name (eg, company) [Default Company Ltd]:GGL Consulting Inc
Organizational Unit Name (eg, section) []:EA
Common Name (eg, your name or your server's hostname) []:Gary Liu
Email Address []:gary.liu1119@gmail.com


Five Ways Technology Is Revolutionizing Risk Management

In the realm of cybersecurity, risk management refers to the process in which organizations identify, analyze, and address various types of cyber risks that they may face in case their IT systems fail as a result of internal and external threats. These risks include the possibility of losing sensitive, private corporate data, experiencing disruptions in their day-to-day business operations, suffering reputational damages, and more.

Cyber risk management enables security teams to spot, measure, and evaluate vulnerabilities in their IT environment. Its connected systems and applications allow users to implement strategic ways to fix potential issues, thereby allowing organizations to avoid or reduce the impact of potential cyber risks. Unfortunately, many organizations find it difficult to implement cyber risk management effectively.

AppSec Concerns

To understand the current and future state of application security, we obtained insights from five IT executives. We asked them, “Do you have any concerns regarding the current state of application security?” Here’s what they told us: 

  • Terminology is a concern, where different tools simply claim to be things that they are not and lead to a false sense of integration. For example, WAF vendors are a network tier: security in the front, application in the back. While they may claim visibility into the runtime, they do not actually achieve this and therefore cannot achieve accuracy.
  • Culture. Security has grown up with pen testing and modern tools, the software has grown with cloud and scale. We need to automate security. We need security to embrace automation.
  • 1) Internal threats (nothing new), 2) Machine Identity (due to Internet of Things/containers), 3) Security Vulnerability Administration and Patching strategy (due to more software and microservices, so more runtimes), 4) The risk of a hacker jumping from a low-risk component to a higher-risk component (due to microservices and containers, with bulkhead pattern being an example to safeguard against that).
  • We commonly see application security is only applied to a certain portion of a network, but a truly secure approach applies end-to-end. Our solution secures an application throughout a packet’s journey from source to destination.
  • AppSec is not getting better. Vulnerabilities are not being fixed fast enough. Every code fix has to go back and be tested for vulnerabilities, quality, and performance. Then, the entire application level needs to be tested. It takes a lot of time. There is a lack of understanding of how much testing is necessary, when to use tools instead of services, and how necessary vulnerability remediation is. DevOps is the right approach to develop applications, but today, it results in paying less attention to security. Adopt a security-first mindset.

Here’s who shared their insights:

Playing With TOTP (2FA) and Mobile Applications With Ionic

Today I want to play with Two Factor Authentication. When we speak about 2FA, TOTP comes to mind. There are many TOTP clients (e.g. Google Authenticator).

My idea with this prototype is to build a mobile application (with Ionic) and validate a TOTP token on a server (in this case a Python/Flask application). The token will be generated with a standard TOTP client. Let’s start.

Cloud APIs and How to Mitigate the Security Risks

Due to their agile, flexible, and cost-efficient services, cloud solutions are inevitable for business operations, and so are the unavoidable security risks and the probability of malicious attacks that you might have to endure. Cloud security threats are plentiful. CSA’s "nefarious twelve" list places cloud APIs and insecure interfaces at number three among the persistent risk factors associated with cloud computing, and the OWASP Top Ten report also acknowledges them as a primary security concern that demands intensive risk mitigation efforts.

Cloud Application Programming Interface (Cloud API)

A Cloud Application Programming Interface (Cloud API) is what facilitates cloud services by enabling the development of applications and services that provision cloud hardware, software, and platforms. A cloud API is a gateway that provides access to direct and indirect cloud infrastructure and to software as a service. Cloud APIs are the means of interacting with the cloud infrastructure to allocate computing, storage, and network resources for the cloud applications or services concerned. A key element in provisioning cloud services, cloud APIs are primarily based on the REST and SOAP frameworks. Along with cross-platform and cloud-provider APIs, there are also open APIs and vendor-specific APIs that help control cloud resources and their distribution.