erzadel.net

Speaking of Security June 7, 2016

Tags: Internet, Technology

My last post was about security by obscurity, and I talked a little about trying to implement security techniques in my projects. This is really good timing.

Last week, various online services run by my university were down. It was really inconvenient not having access to my e-mail, but I took it in stride. I figured it was just the servers acting up, or malware, or something like that. It turns out that my university was dealing with a ransomware attack, so I was half right. Ransomware is malware that basically holds a system hostage until a ransom is paid. My university gave in and paid $20 000 to get the systems back.

Honestly, it seems to me like paying the ransom was the smart choice. Thousands of users were affected by this attack, and it’s probably costing them a lot more not to have their systems than to pay the money. It’s probably the easiest route. I haven’t done much research on it, but apparently the FBI recommends this. It’s better if you don’t pay the ransom, but if you’re not tech savvy or the stakes are too high (but not top-secret-government high), it’s probably a good idea.

Also, a personal anecdote. I’ve had an instance of “ransomware.” It was more like adware ransomware. I was browsing around and all of a sudden my screen flashed, accused me of a crime and asked me to pay a fine. I read through it several times and froze a bit. I was innocent of the crime (of course), but I was worried that maybe it was something that could easily look like I had committed it (think of authors who joke about being on some kind of list for researching murder methods for a book). But I calmly opened up my phone and looked up the message. Common ransomware. So I safely ignored it. Thank goodness, because the amount they were asking was easily ten times more than what’s in my bank account.


Security By Obscurity: Just Hide It? June 6, 2016

Tags: Technology

Last semester I took an introductory course in information security. One of the concepts we touched on was “security by obscurity.” Basically, it means that if no one is aware of something, they can’t break into it. For example, hiding your diary is a form of security by obscurity. Of course, this has its flaws. There is always the possibility that someone stumbles upon your diary by accident. There might be people actively looking for something valuable to you, and they won’t know what it is until they find it. Notice I didn’t say “if” they find it. It’s good practice to assume that they will find it. This is one of the reasons why security by obscurity is not ideal.

Truth be told, I use security by obscurity. The diary analogy I used was something that I actually do. Now, my mom loves to poke around and I still live with her. She has read my diaries in the past so it’s not far-fetched that she would find my diary one day and read it. This is why I don’t use it as my only form of security. My journal entries are either about really mundane stuff or encrypted with Elian script. So unless my mother is good at cracking ciphers (which I highly doubt as English is her second language and frequency analysis is probably lost on her), I can safely assume that my secrets are safe with me.

The reason I suddenly started thinking about this is a project I’ve been working on. I’ve been trying to build a book management script. Right now I’m just finishing up simple features for the admin panel, such as tagging a book, adding a review to a book, editing author names, etc. All of this currently lives in a folder with an obscure name. At first I thought that if my admin folder wasn’t named something obvious like “admin,” I would be less likely to have a security breach. Who would want to hack my tiny and unpopular websites anyway? Then I realized: wait, that’s a really bad idea.

Curious, I looked up whether there was a way to discover folders that are not explicitly linked publicly. I was not surprised to find that such a way does indeed exist. In fact, there are several ways (and programs) to do this. Tools like URL Fuzzer and DirBuster use a technique called fuzzing, which my introductory class would have classified as a brute force method. Fuzzing tries a large number of candidate inputs looking for one that produces an interesting result; here, the candidates are path names and the interesting result is a folder that exists. Specifically, DirBuster takes a list of words (I have not checked whether it includes random strings or just common words) and appends each one to a URL. The HTTP status code of the response (404 Not Found, 403 Forbidden, and so on) tells it whether the folder exists on the site or not.
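To make the mechanism concrete, here is an added Python example (my code, not the author’s and not DirBuster’s) that runs the wordlist-and-status-code logic against a constructed fake site, so it works offline. The site map, the wordlist, the path names and the random hex folder name are all made up for the example; the classification rule is plain HTTP semantics: a 404 means the path is not there, and anything else, including a 403 Forbidden or a redirect, confirms that it is. The last two helpers address the question of what a randomly chosen folder name buys you: a name drawn from a large enough space is not in any wordlist, and exhaustive search over it is not feasible.

```python
"""Offline simulation of wordlist-based directory discovery.

Added example, not the author's code and not DirBuster's: a constructed
fake site (a dict mapping a path to the HTTP status it would answer) stands
in for a real server, so this runs without touching the network.
"""
import secrets

# Constructed fake site. Paths not listed here answer 404.
FAKE_SITE = {
    "/": 200,
    "/index.php": 200,
    "/images": 301,             # directory exists; server redirects to /images/
    "/backup": 403,             # forbidden, but the 403 still confirms it exists
    "/manage": 200,             # "obscure" admin folder, yet a common English word
    "/b3f1a9c2d7e4f6a1": 200,   # 64 random bits; no wordlist contains this
}

# Tiny constructed wordlist. Real lists run to tens of thousands of entries.
WORDLIST = ["admin", "administrator", "backup", "images", "login",
            "manage", "panel", "private", "uploads"]


def fetch_status(path):
    """Stand-in for an HTTP request: the status the fake site would return."""
    return FAKE_SITE.get(path, 404)


def classify(status):
    """What a tester learns about a path from its status code."""
    if status == 404:
        return "absent"
    if status == 403:
        return "exists (forbidden)"
    if status in (301, 302):
        return "exists (redirect)"
    return "exists"


def discover_directories(wordlist, request=fetch_status):
    """Append each word to the site root and keep every path that is not 404."""
    found = {}
    for word in wordlist:
        path = "/" + word
        status = request(path)
        verdict = classify(status)
        if verdict != "absent":
            found[path] = (status, verdict)
    return found


def random_folder_name(nbytes=16):
    """A folder name with nbytes*8 bits of entropy (32 hex chars for 16 bytes)."""
    return secrets.token_hex(nbytes)


def expected_seconds_to_guess(name_bits, requests_per_second):
    """Expected time to hit a random name of name_bits bits by exhaustive search.

    On average half the space must be tried, so 2**(bits - 1) requests.
    """
    return 2 ** (name_bits - 1) / requests_per_second


if __name__ == "__main__":
    for path, (status, verdict) in discover_directories(WORDLIST).items():
        print(f"{path:<20} {status} {verdict}")
    print("random name:", random_folder_name())
    years = expected_seconds_to_guess(128, 10_000) / (365 * 24 * 3600)
    print(f"128-bit name at 10k req/s: ~{years:.3g} years")
```

Running it lists /backup, /images and /manage but never the random name: the obscure-but-dictionary name is found on the first pass, while the 403 on /backup shows that “forbidden” still leaks existence. Swap `fetch_status` for a real HTTP client and the same loop is a working directory scanner, which is why a hidden admin folder needs authentication in front of it regardless of its name.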

So, knowing this, I could still use security by obscurity. However, as with my diary, I plan to implement other layers of security. Whether it will increase security or just give the folder security it didn’t have in the first place, I’m not sure (entropy wasn’t my strong point in my information security course). But I am sure that leaving it as a randomly named folder is not the way to go. I know how to do simple PHP sessions with a login, but only by matching the submitted password against a plaintext password in a database. That’s a whole other realm of security issues, so I’m going to start reading up on hashing passwords in PHP. I’ve poked around some open source scripts and have found MD5 hash functions, so that’s probably what I’m aiming for. Honestly, I’m not well-versed in web security specifically (other than that SQL injections are bad and you have to sanitize inputs), but that’s why I’m still learning.
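Since the post ends on password hashing, here is an added example of what the login check should look like. It is written in Python, not PHP, and is my code rather than the author’s or any script mentioned above; the users table and passwords are constructed. It puts the unsalted MD5 digest that old scripts use next to a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library) verified in constant time. A bare MD5 of the password is fast and unsalted, which is exactly the wrong combination for password storage: identical passwords produce identical hashes and precomputed tables crack them quickly. In PHP the equivalent of `hash_password` / `verify_password` is the built-in pair `password_hash()` and `password_verify()`, which handle the salt and the work factor for you.

```python
"""Password storage: an unsalted MD5 digest beside a salted, slow hash.

Added example in Python, not the author's PHP code. The users table and
passwords are constructed. Uses PBKDF2-HMAC-SHA256 from the standard library;
in PHP the same job is done by password_hash() / password_verify().
"""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # work factor: raise until one verify takes ~100 ms on your server


def unsalted_md5(password):
    """What the "MD5 hash functions" in many old scripts do: one fast, unsalted digest.

    Two users with the same password get the same hash, and the digest can be
    looked up in precomputed tables; speed is exactly the wrong property here.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a fresh random salt."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed users table, as the rows would sit in the database.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}


def login(username, password, users=USERS):
    """Session-style login check: True only for a known user with a matching password."""
    stored = users.get(username)
    if stored is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hash_password(password)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    print(unsalted_md5("hunter2"), unsalted_md5("hunter2"))  # identical every time
    print(hash_password("hunter2"))                           # differs every run: random salt
    print(login("bob", "hunter2"), login("bob", "hunter3"), login("eve", "hunter2"))
```

Two things to notice when you run it: the same password hashed twice with `hash_password` gives two different records, because each carries its own random salt, while `unsalted_md5` always gives the same digest; and `verify_password` uses `hmac.compare_digest` rather than `==`, so the comparison time does not depend on how many leading bytes happen to match.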

So the next time you think you’re just going to hide something and be fine, you probably will be, but it’s better to combine it with another security technique, especially if it contains sensitive information.


CCNA1 8.2.1.4 Packet Tracer – Designing and Implementing a VLSM Addressing Scheme June 4, 2016

Tags: Technology

I’m currently taking the CCNA1 course offered by Cisco. I struggled a lot with this activity so I thought it would be good to share how I finally figured it out. If you’re a little lazy and just want the answers, click here to go straight to the addressing table or here to download the PDF. Be aware that the addresses may vary but the process is the same regardless.

I am only human and will make mistakes so do not hesitate to point out any errors!

Part 1: Examine the Network Requirements

Step 1: Determine the number of subnets needed.

You will subnet the network address 192.168.72.0/24. The network has the following requirements: ASW-1 LAN, 7 hosts; ASW-2 LAN, 15 hosts; ASW-3 LAN, 29 hosts; ASW-4 LAN, 58 hosts; and the serial link between Building1 and Building2, 2 addresses.

How many subnets are needed in the network topology?

5 subnets are needed. If you look at the topology, there are 4 LANs (coloured in orange) and 1 serial connection between Building1 and Building2. Therefore, you need 5 subnets.

Step 2: Determine the subnet mask information for each subnet.

The original subnet mask of the network address is 255.255.255.0. This comes from the prefix length /24, which indicates that the first 24 bits of the subnet mask are set. We will use this as the basis for subnetting.

11111111.11111111.11111111.00000000
255.255.255.0
a. Which subnet mask will accommodate the number of IP addresses required for ASW-1?

255.255.255.240 with a prefix length of /28.

First, find the number of host bits n whose usable addresses cover at least 7 hosts:

\(2^n - 2 = 2^4 - 2 = 14 \text{ usable} \geq 7 \text{ required}\)

14 is greater than 7 (3 host bits would give only 6 usable addresses), so 4 bits are left unset in the subnet mask and the other 28 are set.

11111111.11111111.11111111.11110000
255.255.255.240 (the last octet is 128+64+32+16 = 240; a full octet is 128+64+32+16+8+4+2+1 = 255)
How many usable host addresses will this subnet support?

14. This comes from the formula in the previous question.

b. Which subnet mask will accommodate the number of IP addresses required for ASW-2?

255.255.255.224 with a prefix length of /27.

\(2^n - 2 = 2^5 - 2 = 30 \text{ usable} \geq 15 \text{ required}\)

4 host bits would give only 14 usable addresses, so 5 host bits are needed and 27 bits are set.

11111111.11111111.11111111.11100000
255.255.255.224
How many usable host addresses will this subnet support?

30.

c. Which subnet mask will accommodate the number of IP addresses required for ASW-3?

255.255.255.224 with a prefix length of /27.

\(2^n - 2 = 2^5 - 2 = 30 \text{ usable} \geq 29 \text{ required}\)

This is a tight fit: 29 of the 30 usable addresses will be used.

11111111.11111111.11111111.11100000
255.255.255.224
How many usable host addresses will this subnet support?

30.

d. Which subnet mask will accommodate the number of IP addresses required for ASW-4?

255.255.255.192 with a prefix length of /26.

\(2^n - 2 = 2^6 - 2 = 62 \text{ usable} \geq 58 \text{ required}\)

5 host bits would give only 30 usable addresses, so 6 host bits are needed and 26 bits are set.

11111111.11111111.11111111.11000000
255.255.255.192
How many usable host addresses will this subnet support?

62.

e. Which subnet mask will accommodate the number of IP addresses required for the connection between Building1 and Building2?

255.255.255.252 with a prefix length of /30.

We can use one subnet for the WAN. Since there are only two routers involved, we just need two usable addresses for this subnet.

\(2^n - 2 = 2^2 - 2 = 2 \text{ usable} \geq 2 \text{ required}\)

11111111.11111111.11111111.11111100
255.255.255.252

Part 2: Design the VLSM Addressing Scheme

Step 1: Divide the 192.168.72.0/24 network based on the number of hosts per subnet.

a. Use the first subnet to accommodate the largest LAN.

192.168.72.0/26. The largest LAN is ASW-4 with 58 hosts. Subnet 192.168.72.0/24 into /26 subnets. This gives us 4 subnets (\(2^2 = 4\)) with 64 addresses each (62 usable hosts).

The subnets are:

Since each subnet contains 64 addresses, simply add 64 to the last octet. This method will not be as convenient for subnets with a large number of hosts. Another way is to convert everything to binary. Only the first 2 bits of the last octet change while the remaining 6 bits stay the same.

192.168.72.0    11000000.10101000.01001000.00000000
192.168.72.64   11000000.10101000.01001000.01000000
192.168.72.128  11000000.10101000.01001000.10000000
192.168.72.192  11000000.10101000.01001000.11000000
b. Use the second subnet to accommodate the second largest LAN.

192.168.72.64/27. We use the second /26 subnet because the first one is reserved for the ASW-4 network. The second largest LAN is ASW-3 with 29 hosts. Subnet 192.168.72.64/26 into 192.168.72.64/27. This gives 2 subnets (\(2^1 = 2\)) with 32 addresses each (30 usable). We use \(2^1\) because the base is /26 and /27 is only one bit longer.

The subnets are:

192.168.72.64   11000000.10101000.01001000.01000000
192.168.72.96   11000000.10101000.01001000.01100000
c. Use the third subnet to accommodate the third largest LAN.

192.168.72.96/27. The third largest LAN is ASW-2 with 15 hosts. In the previous question, we already have 2 subnets with 32 addresses each. The second of them will accommodate ASW-2, so we do not need to subnet further.

d. Use the fourth subnet to accommodate the fourth largest LAN.

192.168.72.128/28. The fourth largest LAN is ASW-1 with 7 hosts. Subnet 192.168.72.128/26 into 192.168.72.128/28. This gives 4 subnets (\(2^2 = 4\)) with 16 addresses each (14 usable). We use \(2^2\) because the base is /26 and /28 is two bits longer.

The subnets are:

192.168.72.128  11000000.10101000.01001000.10000000
192.168.72.144  11000000.10101000.01001000.10010000
192.168.72.160  11000000.10101000.01001000.10100000
192.168.72.176  11000000.10101000.01001000.10110000
e. Use the fifth subnet to accommodate the connection between Building1 and Building2.

192.168.72.144/30. Subnet 192.168.72.144/28 into /30 subnets. This gives 4 subnets (\(2^2 = 4\)) with 4 addresses each (2 usable), which is exactly what a point-to-point serial link needs. The first of them, 192.168.72.144/30, is used for the WAN; its two usable addresses are 192.168.72.145 and 192.168.72.146. The other three /30 subnets are not needed.

The subnets are:

192.168.72.144  11000000.10101000.01001000.10010000
192.168.72.148  11000000.10101000.01001000.10010100
192.168.72.152  11000000.10101000.01001000.10011000
192.168.72.156  11000000.10101000.01001000.10011100

Step 2: Document the VLSM subnets.

Complete the Subnet Table, listing the subnet descriptions (e.g. ASW-1 LAN), number of hosts needed, then network address for the subnet, the first usable host address, and the broadcast address. Repeat until all addresses are listed.

Subnet Table

Subnet Description   Hosts Needed   Network Address/CIDR   First Usable Host   Broadcast Address
ASW-1 LAN            7              192.168.72.128/28      192.168.72.129      192.168.72.143
ASW-2 LAN            15             192.168.72.64/27       192.168.72.65       192.168.72.95
ASW-3 LAN            29             192.168.72.96/27       192.168.72.97       192.168.72.127
ASW-4 LAN            58             192.168.72.0/26        192.168.72.1        192.168.72.63
Serial WAN           2              192.168.72.144/30      192.168.72.145      192.168.72.147
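The whole procedure, worked through in Python as an added example (my code, not part of the Cisco activity or the original post): `prefix_for_hosts()` is Part 1 Step 2 (the smallest mask whose \(2^n - 2\) usable addresses cover the requirement), `allocate_vlsm()` is Part 2 Step 1 (carving the /24 largest-first so every subnet stays aligned on its own block size), and `subnet_table()` reproduces the Subnet Table so the hand calculation can be checked. The host counts are the ones the activity gives; the function names and the table layout are my own.

```python
"""VLSM allocation for 192.168.72.0/24 with the standard-library ipaddress module.

Added example, not part of the Cisco activity or the original post. It
reproduces Part 1 Step 2 (mask per subnet) and Part 2 Step 1 (largest-first
allocation) and prints the Subnet Table. Host counts are the activity's.
"""
import ipaddress

BASE = ipaddress.ip_network("192.168.72.0/24")

REQUIREMENTS = {          # description -> hosts needed
    "ASW-1 LAN": 7,
    "ASW-2 LAN": 15,
    "ASW-3 LAN": 29,
    "ASW-4 LAN": 58,
    "Serial WAN": 2,
}


def prefix_for_hosts(hosts):
    """Smallest host-bit count n with 2**n - 2 >= hosts, returned as a /prefix."""
    host_bits = 2                      # start at /30: the smallest block with 2 usable hosts
    while 2 ** host_bits - 2 < hosts:
        host_bits += 1
    return 32 - host_bits


def dotted_binary(address):
    """'192.168.72.64' -> '11000000.10101000.01001000.01000000'."""
    return ".".join(format(octet, "08b") for octet in ipaddress.ip_address(address).packed)


def allocate_vlsm(base, requirements):
    """Carve `base` largest-first.

    Every block is a power of two and sizes never grow, so the running offset
    is always a multiple of the next block size: no subnet ever overlaps.
    """
    allocations = {}
    cursor = int(base.network_address)
    end = int(base.broadcast_address) + 1
    for name, hosts in sorted(requirements.items(), key=lambda kv: kv[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        size = 2 ** (32 - prefix)
        if cursor + size > end:
            raise ValueError(f"{base} cannot fit {name} ({hosts} hosts)")
        allocations[name] = ipaddress.ip_network((cursor, prefix))
        cursor += size
    return allocations


def subnet_table(base=BASE, requirements=REQUIREMENTS):
    """Rows in the shape of the activity's Subnet Table, plus mask and last usable host."""
    rows = []
    for name, net in allocate_vlsm(base, requirements).items():
        hosts = list(net.hosts())
        rows.append({
            "description": name,
            "hosts_needed": requirements[name],
            "network": str(net),
            "mask": str(net.netmask),
            "first_usable": str(hosts[0]),
            "last_usable": str(hosts[-1]),
            "broadcast": str(net.broadcast_address),
        })
    return rows


if __name__ == "__main__":
    for row in subnet_table():
        print(f"{row['description']:<11} {row['hosts_needed']:>3}  {row['network']:<18} "
              f"{row['first_usable']:<16} {row['last_usable']:<16} {row['broadcast']}")
        print(" " * 16, dotted_binary(row["network"].split("/")[0]))
```

Run it and compare the printed rows with the table above. Changing a host count in `REQUIREMENTS` shows how the allocation shifts (for example, 63 hosts for ASW-4 would force a /25 and leave only half the block), and asking for more than the /24 holds raises an error instead of producing overlapping subnets.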

Step 3: Document the addressing scheme.

a. Assign the first usable IP addresses to Building1 for the two LAN links and the WAN link.
b. Assign the first usable IP addresses to Building2 for the two LAN links. Assign the last usable IP address for the WAN link.
c. Assign the second usable IP addresses to the switches.
d. Assign the last usable IP addresses to the hosts.

Part 3: Assign IP Addresses to Devices and Verify Connectivity

Now it’s just a matter of plugging in values into Packet Tracer if you haven’t already.

Addressing Table

Device          Interface   IP Address       Subnet Mask        Default Gateway
Remote-Site 1   G0/0        192.168.72.129   255.255.255.240    N/A
                G0/1        192.168.72.97    255.255.255.224    N/A
                S0/0/0      192.168.72.145   255.255.255.252    N/A
Remote-Site 2   G0/0        192.168.72.65    255.255.255.224    N/A
                G0/1        192.168.72.1     255.255.255.192    N/A
                S0/0/0      192.168.72.146   255.255.255.252    N/A
SW1             VLAN 1      192.168.72.130   255.255.255.240    192.168.72.129
SW2             VLAN 1      192.168.72.98    255.255.255.224    192.168.72.97
SW3             VLAN 1      192.168.72.66    255.255.255.224    192.168.72.65
SW4             VLAN 1      192.168.72.2     255.255.255.192    192.168.72.1
User-1          NIC         192.168.72.142   255.255.255.240    192.168.72.129
User-2          NIC         192.168.72.126   255.255.255.224    192.168.72.97
User-3          NIC         192.168.72.94    255.255.255.224    192.168.72.65
User-4          NIC         192.168.72.62    255.255.255.192    192.168.72.1

Blogilates Beginner’s Workout Calendar 2.0: Day 28 March 15, 2016

Tags: Fitness, Life

Disclaimer: This “review”/blog series is NOT sponsored in any way and all opinions are entirely of my own.


Day 28: Rest Day

Oh my goodness, today is the last day of the fitness calendar! I can’t believe I made it! I didn’t make this cookie (I haven’t made any of the rest day recipes) but like with the rest of the recipes, I would love to try this eventually!

Video 1: Easiest Cookie in the World


Blogilates Beginner’s Workout Calendar 2.0: Day 27 March 14, 2016

Tags: Fitness, Life

Disclaimer: This “review”/blog series is NOT sponsored in any way and all opinions are entirely of my own.


Day 27: Total Body

Today is the last day of the beginner’s workout calendar, not including the rest day tomorrow! I think I’ll make a blog post the day after rest day to talk about how the month went. As for today, today was a lot of sweat and groaning! A lot of cardio today, even if it isn’t intensive.

Video 1: Fat Burning Ladder for Toned Thighs and Abs

There are a couple of basic moves done in 45, 30, and 20 second bursts. Thankfully, the moves are pretty doable. The only time I paused was when I had to position my laptop to see the screen properly between moves.

Video 2: Flat Belly Fat Burner

Video 3: 6 Minutes to a Sexy Booty

Still debating whether or not I want a “booty.” I did the video anyway.

