Learn software engineering

Python_logo_and_wordmark.svg

I’ve recently decided to brush up on my programming skills with one of the courses on Udemy. Despite completing a degree in Computer Science back in the day, my recent focus has been away from software development and a lot has changed since I graduated.

At university I studied mathematics and algorithms but actual programming was performed on archaic languages – such as Pascal for high-level and Assembly for low-level programming.

Although they provide a solid foundation, I was looking for something more practical and because of this I ended up taking up Python because of its versatility. Python is not only widely used, but can also be applied to a variety of projects, including data analysis and machine learning.

The course has been very good and Jupyter notebooks with extensive comments and exercises are available for free on GitHub.

You can start applying it in practice straight away or just have some fun with your own pet projects.

If you’re an experienced developer or just want to have some extra practice, I found the below brain teasers quite entertaining:

On the other hand, if you are just starting up and would like some more grounding in computer science, check out Harvard University’s CS50’s Introduction to Computer Science. It’s completely free, online and self-paced. It starts with some basic principles and lets you put them into practice straight away through Scratch, a graphical programming language developed by MIT.  You then go on to learn more advanced concepts and apply them using C, Python, JavaScript and more.

The course also has a great community, so I highly recommend checking it out.


Securing JSON Web Tokens

snip20190118_5

JSON Web Tokens (JWTs) are quickly becoming a popular way to implement information exchange and authorisation in single sign-on scenarios.

As with many things, this technology can be either quite secure or very insecure at the same time and a lot is dependent on the implementation. This opens a number of possibilities for attackers to exploit vulnerabilities if this standard is poorly implemented or outdated libraries are sued.

Here are some of the possible attack scenarios:

  • A attackers can modify the token and hashing algorithm to indicate, through the ‘none’ keyword, that the integrity of the token has already been verified, fooling the server into accepting it as a valid token
  • Attackers can change the algorithm from ‘RS256’ to ‘HS256’ and use the public key to generate a HMAC signature for the token, as server trusts the data inside the header of a JWT and doesn’t validate the algorithm it used to issue a token. The server will now treat this token as one generated with ‘HS256’ algorithm and use its public key to decode and verify it
  • JWTs signed with HS256 algorithm could be susceptible to private key disclosure when weak keys are used. Attackers can conduct offline brute-force or dictionary attacks against the token, since a client does not need to interact with the server to check the validity of the private key after a token has been issued by the server
  • Sensitive information (e.g. internal IP addresses) can be revealed, as all the information inside the JWT payload is stored in plain text

I recommend the following steps to address the concerns above:

  • Reject tokens set with ‘none’ algorithm when a private key was used to issue them
  • Use appropriate key length (e.g. 256 bit) to protect against brute force attacks
  • Adjust the JWT token validation time depending on required security level (e.g. from few minutes up to an hour). For extra security, consider using reference tokens if there’s a need to be able to revoke/invalidate them
  • Use HTTPS/SSL to ensure JWTs are encrypted during client-server communication, reducing the risk of the man-in-the-middle attack
  • Overall, follow the best practices for implementing them, only use up-to-date and secure libraries and choose the right algorithm for requirements

OWASP have more detailed recommendations with Java code samples alongside other noteworthy material for common vulnerabilities and secure coding practices, so I encourage you to check it out if you need more information.


A trip to Bletchley Park

IMG_3807

For everyone interested in history of information security I highly recommend visiting Bletchley Park. Among other things, visitors can explore legendary British WW2 Codebreaking Huts, learn more about the cryptography and the Enigma machine in particular.

IMG_3803

There is even a computer simulation available that explains in simple terms the basic principles behind the device.

IMG_3808

Some interesting facts about Alan Turing and more modern exhibitions definitely sparkle the curiosity of any visitor.


Teaching Information Security Concepts at KPMG

KPMG1

I delivered a 1,5-day Information Security Concepts course at KPMG UK.

We covered a wide range of topics, including information security risk management, access control, threat and vulnerability management, etc.

According to the feedback I received after the course, the participants were able to understand the core security concepts much better and, more importantly, apply their knowledge in practice.

Leron is very engaging and interesting to listen to
Leron has the knowledge and he’s very effective making simple delivery of a complex topic
Leron is an effective communicator and explained everything that he was instructing on in a clear and concise manner

There will be continuous collaboration with the Learning and Development team to deliver this course to all new joiners to the Information Protection and Business Resilience team at KPMG.


Won the UK Cyber Security Challenge

UK cyber

I participated in UK Cyber Security Challenge.

Our university team won the competition.

It was an interesting experience and through teamwork we solved all the challenging puzzles other universities had submitted.

Try to crack Christmas Cipher 2012 to practice for upcoming UK Cyber Security challenges.


Cryptography

crypto=mindmap13.58.04

Enigma Machine Spreadsheet

You can try encrypting your own messages using this spreadsheet

How AES encryption works –  a flash clip demonstrating Rijndael cipher in action

A Stick Figure Guide to the Advanced Encryption Standard

Public Key Cryptography: Diffie-Hellman Key Exchange


Information security e-learning

The Internet gives us unlimited opportunities to educate ourselves. Here I want to share with you some free resources, which can help you understand information security concepts better.

1. For those of you who want to familiarize yourself with ISO 27001 standard  I recommend free e-learning course

“The purpose of this course is to enable information security practitioners to successfully implement an ISO 27001 compatible information security management system in their respective organizations. This course is made freely available to interested candidates and is modeled on ISO 27001 Lead Implementer courses.” (c) ISQ

2. Designing and Executing Information Security Strategies course provides you with opportunities to integrate and apply your information security knowledge. Following the case-study approach, you will be introduced to current, real-world cases developed and presented by the practitioner community. You will design and execute information assurance strategies to solve these cases. A term-long capstone project leads you through an actual consulting engagement with a local organisation  adding experience to your resume before you even complete the program.

3. Stanford University provides free online cryptography courses.

Basic

“This course explains the inner workings of cryptographic primitives and how to correctly use them. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two or more parties generate a shared secret key. We will cover the relevant number theory and discuss public-key encryption and basic key-exchange. Throughout the course students will be exposed to many exciting open problems in the field.” (c) Dan Boneh

Advanced

“The course begins with constructions for digital signatures and their applications.   We will then discuss protocols for user authentication and zero-knowledge protocols.    Next we will turn to privacy applications of cryptography supporting anonymous credentials and private database lookup.  We will conclude with more advanced topics including multi-party computation and elliptic curve cryptography” (c) Dan Boneh

4. One-hour seminar by Xeno Kovah (Mitre) on rootkits highlights the few weaknesses in detection methodologies and many weaknesses in tools

5. Using buffer overflows

– Understanding the Stack – The beginning of this video explain Intel x86 function-call conventions when C code is compile

– Buffer Overflow Exploitation Megaprimer for Linux video series

6. Series of videos introducing wireless networking and the application of penetration testing tools to WLANs