Secure the unsecured


A recent issue in my home country surfaced this month regarding an information leak. Our “highly” trained officers say they managed to catch and apprehend the actual hacker, but they never gave any resolution as to what they will do to ensure that it never happens again.

Much like what they usually do, this doesn’t surprise me at all. A lot of catastrophes have come and gone, and they (and so too the majority of our people) only manage to react. Yes, just react – nobody seems to want to be proactive, no one wants to stand up, everyone is just good at reacting and blaming.

I won’t dive into the details of the past, but I’d like to put my own stamp on the current issue since this is closer to my profession. I am a Software Application Developer with extensive experience in the field, and I have a background in IT systems, infrastructure and services. I believe that, at the very least, I am qualified to have a say and propose a solution.

Let’s dive into the details (the details that I know).

Problem

Obviously, the information leak is the issue at hand, but behind it lies the actual problem: the unsecured systems that leave them vulnerable and easily penetrable by highly intelligent malware.

Solution

SSL (Secure Sockets Layer) and SSH (Secure Socket Shell)

For someone who is not familiar with the tech, SSL is a technology that encrypts a client’s data over the web. When a user logs on to a website, SSL secures what you entered by encrypting it. The encrypted data then passes through layers of network until it reaches the actual host. Only the host can decrypt this data (which is what we want). What this ultimately means is that your data is “compressed” in a secure way and passed over the wire, and only the host (the owner of the site or application) can “decompress” it.

This approach ensures that no one in between can make use of your information: even if they get hold of it on the wire while it is in transit, they won’t be able to read it since it’s encrypted.

For administrators, this is a simple installation on the host. Sure, it is an additional cost, but nowhere near the cost of someone’s privacy. With today’s tools for developers, installing SSL is not that complicated. You still need to study and comprehend it, but if you know the fundamentals of networking, it’s not impossible to understand.

SSH – Secure Socket Shell – is a way for any person (usually the admin) to access the server via a secure port and protocol. The concept is like a key and a padlock: a padlock (public key) is installed on your server, and its counterpart key (private key) is the only way to open it. This key is the sole access key to that padlock.
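The padlock only keeps the private key as the sole way in if password logins are switched off on the server. As an added example (not code from the original post), here is a small Python audit of the sshd_config directives that decide that; the directive names are real OpenSSH keys, the two config texts are constructed samples, and the list of wanted values is an assumption.

```python
"""Audit sshd_config for settings that undo the 'key and padlock' model.
Added example, not from the original post. The two config texts are constructed
samples; the directive names are real OpenSSH keys, the wanted values an assumption."""
import re

# OpenSSH honours the FIRST occurrence of a directive, so a hardened line placed
# after a weak one has no effect; the parser mirrors that rule.
WANTED = {
    "passwordauthentication": "no",   # key only: nothing to guess or phish
    "permitrootlogin": "no",          # log in as a user, escalate afterwards
    "pubkeyauthentication": "yes",    # the 'padlock' must be enabled
    "permitemptypasswords": "no",
}

def parse_sshd_config(text):
    """Return {directive.lower(): first value seen}, ignoring comments and blanks."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() not in seen:
            seen[parts[0].lower()] = parts[1].strip().lower()
    return seen

def audit_sshd_config(text):
    """Return (directive, found, wanted) for each weak or unset setting."""
    cfg = parse_sshd_config(text)
    # a directive left unset is reported too, so the reviewer sees it explicitly
    return [(k, cfg.get(k, "<unset>"), v) for k, v in WANTED.items() if cfg.get(k, "<unset>") != v]

WEAK_CONFIG = """\
# constructed sample: out-of-the-box style settings
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed sample: the private key is the only way in
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```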

Data Server, DNS gateway, Site Selector / Gateway

This leak could’ve been avoided if they had isolated the data-sensitive services in a more secure environment. They could have invested in a RAID server (RAID3) and controlled the incoming and outgoing connections so that they always go via SSL. This ensures that whoever comes in or goes out passes through a secure socket layer.

In addition, the company could’ve invested in DNS technology that can filter out and redirect requests to any of their sites. This would allow them to evaluate all of the clients that try to access their site. A good technology would be a Cisco Global Site Selector, one of the most globally used routing devices, which allows filtering of wire requests. You can also disallow multiple and concurrent requests to the server using this device.

Competent IT personnel

No questions on this one: get someone who is knowledgeable. Get someone who can set up everything and is competent enough to do the maintenance and monitoring. Don’t just get someone who knows how to set up a web server. Infrastructure security is far more complex than just decompressing a standalone source/binary to create a virtual web server.

The personnel should take care of managing the infrastructure and setting up alerts/notifications if there are warning signs of threats to the server, potential DDoS attacks or brute-force attacks. Enable security features such as SSL, IP deny, traffic routing, filtering and identification.

There are a lot of ways to monitor the network for potential intrusion.

Quick takeaways

A few takeaways. Hackers have a million ways to hack. In all honesty, nothing is 100% secure over the wire. Virtually everything is hackable, but we can minimize the probability of being a victim if we practice and apply even the most fundamental security practices. Secure the infrastructure, secure the protocols your services use, secure incoming and outgoing traffic, and always be cautious of threats – understand how hackers can hack and you can get ahead of them.

For the non-tech-savvy individual, you can always do the following to protect yourself:

  • The first line of defence is yourself. Don’t put too much of your details on social media. 60 to 70% of hacks come from social engineering. Hackers use any details they can find about you and try to gain as much from that information as possible. Minimize your details on social media.
  • Install and invest in anti-virus/anti-malware programs. Always update your virus definitions. There are millions and millions of malware, spyware and virus programs that can penetrate one’s computer. Installing anti-virus, anti-malware and anti-spyware software minimizes the risk of penetration, and even more important is updating them to keep up to date with the newest threats.
  • Be cautious about emails and the websites you visit. A single CLICK on a link can cost you. Hackers only need you to click a specific button or link to get information from you.

I’ll be tackling more IT security approaches in the next couple of blog posts.

FreeCssTemplates


I once aimed at being a Web Designer; I even have my own noob-like deviantart account (that I will not post here since it’s so noob) just to get me going with graphics development. Yet as soon as I got caught up in Web Development (using PHP), it literally changed my perspective.

So now as a Developer, it’s a challenge for me to even create a good, eye-catching design for my clients. Good thing there is FreeCssTemplates! 🙂

The site’s purpose is as clear as its domain name: it has free CSS templates. A little tweak here and there and *pooff*!

Try it yourself! 🙂 http://www.freecsstemplates.org/

Mobile Application Development – Tiggzi


I’ve been checking out Tiggzi for a while and I must say, it’s really stunning to see what you can do with the automation tools nowadays. Tiggzi is a cloud-based Mobile Application Development IDE that lets developers develop mobile apps without having to write any code.

Here’s the quickest application I’ve created so far (it took 10 minutes to develop). It’s a very basic Twitter search engine that lets the user search for anything on Twitter given a keyword. 🙂

The take:

IDE and REST Services – With a very intuitive IDE interface and support for REST services, the IDE by far surpasses any mobile application development tool (cloud-based or not).

REST Services – Create your own REST API (or use any generator out there), expose it on a server, and your mobile application is ready to consume and use it. 🙂

Try it yourself: http://tiggzi.com/. I still need a few days of geek mode with this IDE, and a lot of ideas are running through this brain of mine right now. I could share a lot of the awesome features it has, but you might be bored with this post already and want to try it, so go. :p

Here is a quick start: http://help.gotiggr.com/

MonoDevelop – Porting .Net Applications to your unix/linux based OS


Even though I now own a Mac, I’m still having thoughts of getting myself a Windows machine. The .NET Framework with its development tools makes developing business applications much easier. You can have a form-based application with reports in just a matter of minutes, possibly without writing any code.

MonoDevelop is an IDE primarily designed for C# and other .NET languages. MonoDevelop enables developers to quickly write desktop and ASP.NET Web applications on Linux, Windows and Mac OSX. MonoDevelop makes it easy for developers to port .NET applications created with Visual Studio to Linux and to maintain a single code base for all platforms.

A quick download of it and its runtime environment gave me a bit of experience using it.

As an experienced .NET developer, I found the experience far less at ease than with its master (Visual Studio .NET), but it had a lot of tools that quite matched. Not only can you develop .NET applications using the IDE, you can also develop Android applications using C#. 🙂 (Just wrong on 3 different levels.) I’ll write up a tutorial and post it right here!

You might want to give it a try! http://monodevelop.com/

Creating Mockups – with Omnigraffle (MacOSX)


Every software development project needs mockups. Mockups will basically make or break the quality of the product because:

  • Without mockups, there is a significant probability that the developers doing the development will get lost and, in the end, do it all wrong.
  • Without mockups, it will be hard for an inexperienced developer to visualize what to do.
  • With mockups, there are more chances of refining the module (product) being designed.
  • Visualization is (in my opinion) the fastest and easiest way for anyone to understand and comprehend the process (aside from UML diagrams).

Not all developers have the same perspective: some might have an idea in mind on how to go about a project, some might take the leadership role, and some just need a better perspective in putting together the right solution. Mockups are indeed a crucial tool in every software development process; designs should not just lay out the flow of the business process with UMLs, they should also include the potential screens.

In this example, it would be easier for anyone (not just a developer) to see that this screen is the main data screen of a system. Components such as buttons to manage data, a table to display it, action keys to manage it and a search feature to look it up are “actually” the most basic components that a sub-system (module) would have. The thing is, the functionality can be explained just by looking at the mockups, which gives the developers the baseline on what to think of when creating the actual solution. This will then be followed by questions from them and further clarifications from the designer to define the design thoroughly.

I’ve chosen the Omnigraffle (http://www.omnigroup.com/products/omnigraffle/) tool because of the wide array of mockup screens and stencils available. There are wireframes, stencils, sketches, UMLs etc. With a plugin site hosting different kinds of sketches and a custom sketch and stencil creation tool, there is virtually nothing that this tool cannot mock. 🙂

Design your applications on your Mac or iPad! http://www.omnigroup.com/products/omnigraffle/