Author: Akeem Spencer
This week has been a roller coaster in terms of website security, failsafe proofing, and making sure my content isn't distributed in the wrong hands.
In today's generation, we're starting to truly envision what I like to call "maverickism". The tech industry is beginning to realize that content should be shared, yes, but at what cost? Young entrepreneurs are rising and seeing a cost increase in efficient productive IoT in their own companies. Stores are beginning to cut back on their square lot space for smaller store fronts and are relying on internal transaction and analytics for revenue. However data breaches are still a common issue and if public information is exposed, it is quite likely blackmailing and fraud will occur subsequently as well. The latest attacks in worldwide CDN sites like GitHub, Reddit, and Sony were brute-force DDOS attacks where a traceback from the attack is hard to pinpoint.
Brute force attacks occur with a continuous trial and error of using authentication credentials until a valid login and password combination is correct. But it isn't reflected on everyday devices such as laptops, desktops, or even mobile devices. This happens to occur on small-to-mid size semi-industrial applications like drones, headphones, home-automation security, and the underlying fastest growing IoT device......vehicles.
I understand how important and sacred our personal information is, but for small-businesses and Americans, your information is still at the disposal of many cyber threats due to the fact that millions of computers have wi-fi and high LTE satellite connection. At least get to know your computer software, the personnel and staff you're giving admin rights to, and the OS platform you're doing most of your work on. I find it beneficial to give some tips on safety being a tech geek myself. Take a moment to inform yourself on how to become more data sensitive with your technology before it gets into the wrong hands (or the wrong servers!).
## **1. SSL everything! **
You're about to purchase a new car, that new Hyundai Elantra and you've done the cost calculations. It has great mileage, low maintenance fees, powertrain warranty and yeah you get the gist. It also has voice navigation, push-to-start key electric ignition and a touch-panel dashboard interface. Yeah that's really cool, but is it safe? And when I safe, I'm not talking about safe from carjackers or from collisions, but safe from cyber-threats. Is the software configured in the car SSL and ssh-proof? What are the chances of "hacking" or "hijacking" the motherboard cpu within the car? These aren't stupid questions, you're asking your phone-provider these questions when you'r looking to purchase a new phone, so why aren't you asking your car dealer the same questions? As cars become more innovative with technology, you're also growing your content within your cloud or database. All of that information is going to a customized server somewhere. It makes sense to make sure the integrity of the manufacturer is scaling the product with close-to-seal-proof internet access and public/private keys are stored within the environment of non-sentient machines. Make sure the devices you have ownership on have a PROVEN track-record on low data breaches and overall cyber safety.
SSL stands for *Secured Socket Layers*, the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral according to [googles top-link]. As you begin to start your own content or have more integral components across different architectures, your beginning to spread yourself thin and exposed. Make sure your web browser has an SSL link and certification. I know I'm not practicing what I'm preaching, but I'm beginning to take nothing for granted and seal everything and close off all sites trying to gain access. Malware and viruses were and are still prominent in software, but your personal and business material should be safely secured due to an increasing presence of malacious and devious outsiders. According to Tim-Lee Bernes (the godfather of WWW), networks are available in 40% of the world population, and the number is increasing drastically by 2% each year. With all the data threats existing and counting, be sure to take security measures seriously by safeguarding your personal and corporate data which leads me to my next point.
## ** 2. Treat algorithms like a box of chocolates **
Nothing is 100% prone to data penetration, nothing. When I say you have to treat algorithms like a box of chocolates, you truly have to treat them as such. Algorithms like boxes of chocolate, are unique in taste, but are gone after awhile. Your login authentication hashing encryption, whether it be bcrypt, devise, or your trusted SHA encryption, begins to have flaws after a large community sources these types of encryption dependencies. If I'm scaring you then good, you need to have a jolt of awareness with the amount of data breaches going on. Iteration solvers are becoming faster and taking less In-Memory processing computation. Combined with higher presence of IoT physical applications, a novice hacker can move on to each CPU and perform solver hashing iterations. Be sure to look at how exactly login authentication works.
For me, I come from a Ruby on Rails platform utilizing an MVC framework, but it's crucial to try and search for algorithms that are correct for your design constraints. Take for instance, this very website you're viewing. I used Django and flask for WSGI connections, and you don't have to sign in or login to view my page. But if I wanted to add that extra parameter where people sign in (a dwindling concept in some areas) I can. You don't have to reinvent the wheels so to speak when creating user authentication. Django is powered by Python, and python has some unique hashing algorithms. I like python for the simplicity of OOC inheritance, but it can also do good for security purposes as well. Django follows the MVC framework but's its switched to MTV, "Model-Template-Views", and its consortium of using binary dependencies are similar to Ruby on Rails, Node, or whatever backend framework you use. You could go and use the same middleware security for your network that django supplies, but it safe to devise (not the dependency, but an actual independent construction of your own password) a function that keeps password encrypted.
Python has something that's called a `decorator`, that wraps and modifies the usage of a function you have implemented. What's nice about this syntactic feature is the expressive power of it.
For instance, I can delegate a markdown for my headers using this script:
empty_tag = "<%s>"
empty_close_tag = "</%s>"
extended_close = ""
for tag in listargs:
extended_close += empty_tag %(tag)
extended_close += " " + func(name)
tag_list = list(tupargs)
for tag in tag_list:
extended_close += empty_close_tag %(tag)
@tags("body", "div", "header", "div", "h1", "span", "strong", "em")
"""returns a header wrapped in HTML tags"""
return "%s is a one percenter, contact him at such and such" %(name)
Now the last few lines written towards the end would print the name, documentation, and module all concealed by the functionwrapper and takes precedence over all the attributes defined for the function I initially called for. The name would be listed as `func_wrapper` and the documentation would be overwritten to `None` with a module location of `__main__`. But functionwrappers are used within the django framework, in particular for views that shouldn't be shared via cross-browser by anyone. We can also create a custom password encryption for our login. Here is sample model file that would take security to an extra measure.
from Crypto import Random
from Crypto.Cipher import AES
from binascii import hexlify, unhexlify
from sys import stdout as puts #stdout rather than print
def __init__(self, key):
self.key = key
def encrypt_password(self, key):
iv = Random.new().read(AES.block_size)
cipher = AES.new(key, AES.MODE_CFB, iv)
password_encrypted = hexlify(iv + cipher.encrypt(func))
def decrypt_password(self, key):
decrypted = unhexlify(password_encrypted)
cipher = AES.new(key, AES.MODE_CFB, decrypted[:AES.block_size])
The following is just a module WITH dependencies I downloaded including Naked, Crypto, and pyyaml. Now take your data sensitive information, let's say your User model, you can import your encryption tool directly into the model stored within the database
from aesmodule import * #everything from our custom AESModule
user = models.CharField(max_length=120)
""" all your db table columns stored here INCLUDING THE PASSWORD
ENCRYPTION & DECRYPTION PARAMS"""
keygen = AESCipher(hashlib.sha256("userpassword"))
#now the password can be encrypted without disclosing the current file location or
#the module location adding a layer of invisiblity
Now with the wrappers currently storing the data pertinent to your customers, you have safe reliable password encrypted without having to save the password within your database and call the function to save it to a variable within the columns of your choice (Let you decide how to save the variables).
These methods/techniques are one of the many ways to keep your data sensitive and stay away from hackers trying to persist there way in from webserver standpoint.
## **3. Remind Yourself...**
Remind yourself to always read on current trends on how to keep yourself from becoming a risk. There's [Hacker News], [Security Week], and Oauth periodicals found online to stay current and in the trend of green management
I know sooner or later I have to convert my own website into a valid HTTPS domain, but at least I "woke" up to potential attackers. In order for a business to grow, ethics and sound guidance will win over customers who trust you to make sound decisions with monetary investments within your company for the sake of a peace of comfort.
> * A special thanks to Stephen Carmen, Arun Mavumakal, and everyone else who continues to push me in the right direction. *
> * Special shoutout to Lipton Thompson*