Tari R. Alfaro

Be educated about today's security.

Disclaimer: Security is a moving and vast subject. Stay updated! What is secure today could be insecure tomorrow.

Second disclaimer: Sorry for any errors in this post. It's really long, and I'm not an editor.

Links could be broken in the future.

Security has many subcategories, and it all really depends on what the context is. It is probably one of the most complex subjects of today. I will cover a lot of topics in this article, but not all. Security is extremely vast; there is more to it than cryptography.

If you're a developer, take a web application security quiz, and look at some cryptographic right answers.

Security is important. Spread the word, participate, share your knowledge (preferably without being rude).

I go over some myths, attack vectors, best practices and resources.

Alright! Let's go over some myths.

Yep, myth busting time.

"VPNs provide anonymity." (No, they don't.)

Private Internet Access says:

Private Internet Access® VPN Service encrypts your connection and provides you with an anonymous IP to protect your privacy.

ProtonVPN says:

Keep your browsing history private. As a Swiss VPN provider, we do not log user activity or share data with third parties. Our anonymous VPN service enables Internet without surveillance.

NordVPN says:

Imagine VPN as a hack-proof, encrypted tunnel for online traffic to flow. Nobody can see through the tunnel and get their hands on your internet data. NordVPN gives you peace of mind each time you use public Wi-Fi, access personal and work accounts on the road, or want to keep your browsing history to yourself.

Nothing is hack-proof. No one is 100% anonymous. VPNs do not provide anonymity. VPNs see everything your ISP does. The question is, do you trust your VPN provider more than your ISP? VPNs are great for bypassing censorship and preventing ISPs from seeing requests you make through the internet.

It's good practice to use a VPN to encrypt your internet traffic when you're using public WiFi.

But Tari, VPNs mask your IP!

Yes, I know that. But that's not the only factor in obtaining anonymity.

If you're looking for anonymity, check out Tor Project and I2P.

"I don't need anti-virus on a UNIX-like machine." (Yes, you do.)

Just because you are using a UNIX-like machine does not make you immune to viruses. Generally it's less common for there to be viruses for them, mostly because a lot of viruses target Windows and macOS users. I am referring to desktop use, not servers.

This does not mean anti-virus programs are a silver bullet. Don't click on those phishy Facebook messages with "Check out yourself in this YouTube video!". Don't. Click. Random. Links.

Check out ClamAV.

Common sense is important!

"I am not important, hackers won't target me." (Yes they will, speaking from experience.)

Often, many people have many accounts on the internet for many services. Hulu, Netflix, banking, etc.

Banking is sensitive. Some people have bank accounts, with money in them. Why wouldn't a hacker want your money, or your credit card information? Or your Amazon account to buy stuff?

True story, my Mom's Hulu account got attacked by a malicious third-party. And my Dad's email and Amazon account were breached. Yes, this was recent, only a couple/few months ago.

"I must trade my privacy for security." (No you don't.)

Privacy is a category of security. Cryptography helps maintain your privacy. Conversations between you and your therapist are supposed to be confidential, private, secret.

Definition of confidential ...

Cryptography can be used in a way to ensure that secrets stay secret (or private things stay private).

Example

Let's say you're signing into a service. They log your IP, user agent, device, etc. It's stored in plaintext. NO! They could encrypt it so only you could see the list of authenticated IPs and user agents. They could also hash them, and compare. If they don't match, send information saying that potentially there is a suspicious authentication action going on, and require additional authentication factors for that session trying to sign in.

Privacy is not anonymity!

Moving onto attack vectors and vulnerabilities.

This section is geared towards developers. There are so many attack vectors. I will only be going over a few.

SQL Injection; XML External Entities; Session Fixation; Weak Session Identifiers; Cross-Site Request Forgery; Cross-Site Scripting; Reflected Cross-Site Scripting; Command Execution; Clickjacking; Directory Traversal; Document Object Model (DOM) Based Cross-Site Scripting; File Upload Vulnerabilities; Broken Access Control; Open Redirects; Unencrypted Communications; Data Mismanagement.

XXE/XEE. Read more ...

XML has some security issues. Things like XML External Entities (XXE/XEE) are possible.

XSS. Read more ...

There is more to Cross-Site Scripting (XSS) than a simple alert(1). Much more. It is a complex subject, and issues like these are STILL around today. There are different parsers for JS, HTML and CSS, and they parse things differently from each other, which means it can be hard to push security updates.

This is a parser differential issue, and there are many different ways to attack different browsers.

This post is already really long. Learn to mitigate XSS.

SQLi. Read more ...

SQL Injection (SQLi) is for the most part solved. Where it remains, it's mostly due to legacy projects. Vulnerabilities still pop up, but they are usually spotted and patched quickly.

Make sure to use prepared SQL statements to avoid these issues.

Session fixation. Read more ...

The most common place for session identifiers is in cookies. Things like XSS can extract the session identifier IF the HttpOnly flag is not set, well, as far as I know.

If anyone has the session identifier, they can be logged into your account.

Make sure only HTTP may access the session identifier cookies. Destroy XSS vulnerabilities.

Don't store session identifiers in JavaScript localStorage! No, I don't have a solution/alternative other than building native desktop and mobile applications.

Weak session identifier. Read more ...

A low entropy/easily guessable session identifier makes it easy for attackers to pose as an authenticated session.

The solution would be to create a 256-bit session identifier with a CSPRNG. The attacker would have to guess among 2^256 possibilities, which would just take too long. Hash this session identifier, then store it on the client. Hashing it is important in case there was an issue with the CSPRNG.

Improper storage.

Not hashing the session identifier on the server could create issues. If an attacker breaches the server, they could be authenticated as any individual. In this instance, the server administrator is also the attacker, since they have access to session identifiers.

Hash the session identifier with a good algorithm, preferably from the SHA-2 family, the SHA-3 family, or BLAKE2b. Yes! Hash it again here.
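
The scheme from the two sections above in Python, as an added example that is not code from the original post: a 256-bit CSPRNG value is hashed before it goes to the client, and the server stores only a second hash of it. The in-memory SESSIONS table, the function names, and the Secure and SameSite cookie attributes are assumptions of this example.

```python
import hashlib
import secrets

# Hypothetical in-memory session table: server-side digest -> user name.
# A real service would keep this in a database or cache.
SESSIONS = {}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def create_session(user: str) -> str:
    """Create a session and return the token to hand to the client."""
    raw = secrets.token_bytes(32)                 # 256 bits from the OS CSPRNG
    client_token = sha256_hex(raw)                # first hash: what the client holds
    server_key = sha256_hex(client_token.encode())  # second hash: all the server stores
    SESSIONS[server_key] = user
    return client_token

def session_cookie(client_token: str) -> str:
    """Set-Cookie header value; HttpOnly keeps page scripts from reading it."""
    return f"session={client_token}; HttpOnly; Secure; SameSite=Lax; Path=/"

def lookup_session(presented: str):
    """Map a presented token to its user, or None if it is unknown."""
    if len(presented) != 64:                      # not a SHA-256 hex digest
        return None
    return SESSIONS.get(sha256_hex(presented.encode()))

def destroy_session(presented: str) -> None:
    """Log out: forget the stored digest for this token."""
    SESSIONS.pop(sha256_hex(presented.encode()), None)
```

Because only the second hash is stored, a copy of the session table does not contain any value that a client could present as a valid cookie.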

Cookie tampering.

Cookies are stored on individuals' devices. They have complete control over it. They can edit it, delete it, make cookies, etc. They cannot be trusted.

The solution is to use digital signatures to ensure that cookie values are not tampered with. If the value doesn't match up with the digital signature, report it, make it scream, AND DO NOT USE THE COOKIE VALUE.
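
An added example (not from the original post) of rejecting tampered cookie values. It uses HMAC-SHA256, a keyed message authentication code, in place of an asymmetric digital signature, since the server is the only party that signs and verifies; the key handling, function names and sample values are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: one server-side secret key, generated at startup here.
# A real deployment would load it from a secrets store so it survives restarts.
SECRET_KEY = secrets.token_bytes(32)

def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Return 'value.tag', where tag is HMAC-SHA256 over the value."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"

def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the original value if the tag matches, else None."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None                               # no tag present at all
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so the check does not
    # reveal how many leading characters of the tag were correct.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return value

def read_cookie(cookie: str, log: list):
    """Report a mismatch and never fall back to the unverified value."""
    value = verify_cookie(cookie)
    if value is None:
        log.append("cookie signature mismatch")
    return value
```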

Best practices.

Follow along with these best practices, and be sure to suggest these to your family, friends, acquaintances and strangers. This section is geared towards the average user.

Secure your passwords/passphrases.

You should be using diceware passphrases to protect your password manager, device login, and wherever else a password manager isn't appropriate.

Use a password manager.

You probably have lots of credentials. Use a password manager to secure your data. There are many of them. Stick with free open-source solutions because developers can verify the security of the applications.

I recommend KeePassXC for desktop, and KeePassDX for Android-based devices. There is also Bitwarden.

Use multiple factors of authentication wherever possible.

Things like Hardware Security Keys, TOTP authenticator applications, email and SMS OTPs are great for securing your accounts. Use them wherever possible.

NOTE: SMS two-factor authentication is insecure, but it's better than no two-factor authentication.

Double check links.

Make sure you are double checking links, and not trusting random ones at that. Do not click them if they seem suspicious.

Use anti-virus and firewall software.

Make sure to use anti-virus software on your systems, and a firewall too.


Stay informed and learn from good sources.

Do note that some (ahem, a lot) of these links are geared towards people who understand technical details about certain subjects. I am being vague for a reason, because the subjects vary.

All these I have personally been using for a while.


Don't be afraid. Share your thoughts and resources below.

Top comments (3)

Michel Cloutier

Thank you, Mr. Tari, for this "popularization" of cybersecurity. I have just discovered your site and added it to my favorites. I am an amateur beginner who is passionate about cybersecurity.
Indeed, as co-host of a computer club for seniors in my community, I occasionally do short segments on the subject.
If you will allow me, I would appreciate your permission to use a few passages and a few links.
Thank you and best regards,
Michel Cloutier
Longueuil, QC, Canada

Tari R. Alfaro

Sure, you may use some passages and links.

Michel Cloutier

Thank you Mr. Alfaro, appreciate it!
Our local computing Association will be off for summer time and myself as well.
In the meantime, you will see my IP address regularly.
Regards,
Michel Cloutier
Longueuil, QC, Canada