OpenSSL is a free and open-source software cryptography library that provides cryptographic functionality to applications to ensure secure internet communication. It is widely used on many server applications, and it is available for most Unix-like operating systems (including Solaris, Linux, Mac OS X, the four open-source BSD operating systems), OpenVMS and Microsoft Windows.
Besides that, OpenSSL is also a fully equipped instrumentation for implementation of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
With the OpenSSL toolkit, we can perform various SSL related tasks along with a variety of cryptographic functions. Among these other tasks, we can generate CSRs (Certificate Signing Requests) and private keys. We can perform an SSL certificate installation, or we can convert our certificates into different formats. Then, we can verify its details or even extract information about the certificate.
If we are talking about cryptographic function, we can use it for file encryption and decryption purposes along with generating password hashes.
However, today, we are going to dedicate ourselves to a completely different function of this free toolkit – verifying a secure connection.
One of the Unix/Linux OS platforms, which include the OpenSSL program by default. On Microsoft Windows, we must download and install OpenSSL from a binary and install it.
As the natural environment for OpenSSL is a Unix platform, we will assume we are working on one. Before we start with checking our connections, we need to make sure our OpenSSL is up to date, so let us check which version are we running with the following command.
[root@host ~]# openssl version OpenSSL 1.0.2k-fips 26 Jan 2017
For those a bit more experienced and interested in the full details, we can append the -a flag.
[root@host ~]# openssl version -a OpenSSL 1.0.2k-fips 26 Jan 2017 built on: reproducible build, date unspecified platform: linux-x86_64 options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM OPENSSLDIR: "/etc/pki/tls" engines: rdrand dynamic [root@host ~]#
In most cases, we will be using the system-supplied version of OpenSSL. However, if we find ourselves in need of an upgrade, we will need to download the latest version, extract it and compile from source.
There is not a specific help keyword among OpenSSL commands, but if we append a flag that OpenSSL does not recognize to our command, a help text will be provided to us. To examine the available options of this powerful tool, we can use the following command.
root@host:~# openssl help Standard commands asn1parse ca ciphers cms crl crl2pkcs7 dgst dhparam dsa dsaparam ec ecparam enc engine errstr gendsa genpkey genrsa help list nseq ocsp passwd pkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand rehash req rsa rsautl s_client s_server s_time sess_id smime speed spkac srp storeutl ts verify version x509 Message Digest commands (see the `dgst' command for more details) blake2b512 blake2s256 gost md4 md5 rmd160 sha1 sha224 sha256 sha3-224 sha3-256 sha3-384 sha3-512 sha384 sha512 sha512-224 sha512-256 shake128 shake256 sm3 Cipher commands (see the `enc' command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1 aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8 aria-256-ctr aria-256-ecb aria-256-ofb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 seed seed-cbc seed-cfb seed-ecb seed-ofb sm4-cbc sm4-cfb sm4-ctr sm4-ecb sm4-ofb root@host:~#
For additional guidance, feel free to explore the man pages using the following command.
[root@host ~]# man openssl
#tutorials #aes #cast #ciphers #csr #security
Everything around us has become smart, like smart infrastructures, smart cities, autonomous vehicles, to name a few. The innovation of smart devices makes it possible to achieve these heights in science and technology. But, data is vulnerable, there is a risk of attack by cybercriminals. To get started, let’s know about IoT devices.
The Internet Of Things(IoT) is a system that interrelates computer devices like sensors, software, and actuators, digital machines, etc. They are linked together with particular objects that work through the internet and transfer data over devices without humans interference.
Famous examples are Amazon Alexa, Apple SIRI, Interconnected baby monitors, video doorbells, and smart thermostats.
When technologies grow and evolve, risks are also on the high stakes. Ransomware attacks are on the continuous increase; securing data has become the top priority.
When you think your smart home won’t fudge a thing against cybercriminals, you should also know that they are vulnerable. When cybercriminals access our smart voice speakers like Amazon Alexa or Apple Siri, it becomes easy for them to steal your data.
Cybersecurity report 2020 says popular hacking forums expose 770 million email addresses and 21 million unique passwords, 620 million accounts have been compromised from 16 hacked websites.
The attacks are likely to increase every year. To help you secure your data of IoT devices, here are some best tips you can implement.
Your router has the default name of make and model. When we stick with the manufacturer name, attackers can quickly identify our make and model. So give the router name different from your addresses, without giving away personal information.
If your devices are connected to the internet, these connections are vulnerable to cyber attacks when your devices don’t have the proper security. Almost every web interface is equipped with multiple devices, so it’s hard to track the device. But, it’s crucial to stay aware of them.
When we use the default usernames and passwords, it is attackable. Because the cybercriminals possibly know the default passwords come with IoT devices. So use strong passwords to access our IoT devices.
Use strong or unique passwords that are easily assumed, such as ‘123456’ or ‘password1234’ to protect your accounts. Give strong and complex passwords formed by combinations of alphabets, numeric, and not easily bypassed symbols.
Also, change passwords for multiple accounts and change them regularly to avoid attacks. We can also set several attempts to wrong passwords to set locking the account to safeguard from the hackers.
Are you try to keep an eye on your IoT devices through your mobile devices in different locations. I recommend you not to use the public WI-FI network to access them. Because they are easily accessible through for everyone, you are still in a hurry to access, use VPN that gives them protection against cyber-attacks, giving them privacy and security features, for example, using Express VPN.
There are software and firewalls like intrusion detection system/intrusion prevention system in the market. This will be useful to screen and analyze the wire traffic of a network. You can identify the security weakness by the firewall scanners within the network structure. Use these firewalls to get rid of unwanted security issues and vulnerabilities.
Every smart device comes with the insecure default settings, and sometimes we are not able to change these default settings configurations. These conditions need to be assessed and need to reconfigure the default settings.
Nowadays, every smart app offers authentication to secure the accounts. There are many types of authentication methods like single-factor authentication, two-step authentication, and multi-factor authentication. Use any one of these to send a one time password (OTP) to verify the user who logs in the smart device to keep our accounts from falling into the wrong hands.
Every smart device manufacturer releases updates to fix bugs in their software. These security patches help us to improve our protection of the device. Also, update the software on the smartphone, which we are used to monitoring the IoT devices to avoid vulnerabilities.
When we connect the smart home to the smartphone and control them via smartphone, you need to keep them safe. If you miss the phone almost, every personal information is at risk to the cybercriminals. But sometimes it happens by accident, makes sure that you can clear all the data remotely.
However, securing smart devices is essential in the world of data. There are still cybercriminals bypassing the securities. So make sure to do the safety measures to avoid our accounts falling out into the wrong hands. I hope these steps will help you all to secure your IoT devices.
If you have any, feel free to share them in the comments! I’d love to know them.
Are you looking for more? Subscribe to weekly newsletters that can help your stay updated IoT application developments.
#iot #enterprise iot security #how iot can be used to enhance security #how to improve iot security #how to protect iot devices from hackers #how to secure iot devices #iot security #iot security devices #iot security offerings #iot security technologies iot security plus #iot vulnerable devices #risk based iot security program
Only about half of enterprises are satisfied with their ability to detect cybersecurity threats, according to a survey from Forrester Consulting – with respondents painting a picture of major resource and technology gaps hamstringing their efforts to block cyberattacks.
According to the just-released 2020 State of Security Operations survey of 314 enterprise security professionals, enterprise security teams around the world feel that they struggle with the growing pace, volume and sophistication of cyberattacks. A whopping 79 percent of enterprises covered in the survey have experienced a cyber-breach in the past year, and nearly 50 percent have been breached in the past six months.
#cloud security #hacks #malware #most recent threatlists #uncategorized #web security #2020 #automated triage #enterprise security #forrester consulting #manual processes #secops #security alerts #security defense #state of security operations #survey #workforce skills gap
Due to rising customer demands and rapid, feature-driven development, security often takes the backseat and vulnerabilities are introduced and oftentimes go undetected.
A secure code review helps identify these security vulnerabilities and weaknesses that might go undetected otherwise. It applies a set of security standards to the code to ensure secure coding best practices and development have been followed.
Secure code reviews use automated tools, checklists, thread modeling, software development experience, and security experience to identify security vulnerabilities can be mitigated.
#code #security #web-applications #web-development #web-security
The term web design simply encompasses a design process related to the front-end design of website that includes writing mark-up. Creative web design has a considerable impact on your perceived business credibility and quality. It taps onto the broader scopes of web development services.
Web designing is identified as a critical factor for the success of websites and eCommerce. The internet has completely changed the way businesses and brands operate. Web design and web development go hand-in-hand and the need for a professional web design and development company, offering a blend of creative designs and user-centric elements at an affordable rate, is growing at a significant rate.
In this blog, we have focused on the different areas of designing a website that covers all the trends, tools, and techniques coming up with time.
In 2020 itself, the number of smartphone users across the globe stands at 6.95 billion, with experts suggesting a high rise of 17.75 billion by 2024. On the other hand, the percentage of Gen Z web and internet users worldwide is up to 98%. This is not just a huge market but a ginormous one to boost your business and grow your presence online.
Web Design History
At a huge particle physics laboratory, CERN in Switzerland, the son of computer scientist Barner Lee published the first-ever website on August 6, 1991. He is not only the first web designer but also the creator of HTML (HyperText Markup Language). The worldwide web persisted and after two years, the world’s first search engine was born. This was just the beginning.
Evolution of Web Design over the years
With the release of the Internet web browser and Windows 95 in 1995, most trading companies at that time saw innumerable possibilities of instant worldwide information and public sharing of websites to increase their sales. This led to the prospect of eCommerce and worldwide group communications.
The next few years saw a soaring launch of the now-so-famous websites such as Yahoo, Amazon, eBay, Google, and substantially more. In 2004, by the time Facebook was launched, there were more than 50 million websites online.
Then came the era of Google, the ruler of all search engines introducing us to search engine optimization (SEO) and businesses sought their ways to improve their ranks. The world turned more towards mobile web experiences and responsive mobile-friendly web designs became requisite.
Let’s take a deep look at the evolution of illustrious brands to have a profound understanding of web design.
Here is a retrospection of a few widely acclaimed brands over the years.
From a simple idea of renting DVDs online to a multi-billion-dollar business, saying that Netflix has come a long way is an understatement. A company that has sent shockwaves across Hollywood in the form of content delivery. Abundantly, Netflix (NFLX) is responsible for the rise in streaming services across 190 countries and meaningful changes in the entertainment industry.
The idea of Netflix was born when Reed Hastings and Marc Randolph decided to rent DVDs by mail. With 925 titles and a pay-per-rental model, Netflix.com debuts the first DVD rental and sales site with all novel features. It offered unlimited rentals without due dates or monthly rental limitations with a personalized movie recommendation system.
Announcing its initial public offering (IPO) under the NASDAQ ticker NFLX, Netflix reached over 1 million subscribers in the United States by introducing a profile feature in their influential website design along with a free trial allowing members to create lists and rate their favorite movies. The user experience was quite engaging with the categorization of content, recommendations based on history, search engine, and a queue of movies to watch.
Netflix 2001-2005 -2003
They then unleashed streaming and partnering with electronic brands such as blu-ray, Xbox, and set-top boxes so that users can watch series and films straight away. Later in 2010, they also launched their sophisticated website on mobile devices with its iconic red and black themed background.
Netflix 2006-2010 -2007
In 2013, an eye-tracking test revealed that the users didn’t focus on the details of the movie or show in the existing interface and were perplexed with the flow of information. Hence, the professional web designers simply shifted the text from the right side to the top of the screen. With Daredevil, an audio description feature was also launched for the visually impaired ones.
These years, Netflix came with a plethora of new features for their modern website design such as AutoPay, snippets of trailers, recommendations categorized by genre, percentage based on user experience, upcoming shows, top 10 lists, etc. These web application features yielded better results in visual hierarchy and flow of information across the website.
With a sleek logo in their iconic red N, timeless black background with a ‘Watch anywhere, Cancel anytime’ the color, the combination, the statement, and the leading ott platform for top video streaming service Netflix has overgrown into a revolutionary lifestyle of Netflix and Chill.
Contunue to read: Evolution in Web Design: A Case Study of 25 Years
#web #web-design #web-design-development #web-design-case-study #web-design-history #web-development
More than 100 smart-irrigation systems deployed across the globe were installed without changing the factory’s default, passwordless setting, leaving them vulnerable to malicious attacks, according to recent findings from Israeli security research firm Security Joes.
The researchers immediately alerted CERT Israel, the affected companies and the irrigation system vendor, Mottech Water Management, which did not immediately respond to a request for comment from Threatpost.
Mottech’s system allows for real-time control and monitoring of irrigation for both agricultural and turf/landscaping installations, via desktop and mobile phone. Sensor networks allow for the flexible and real-time allocation of water and fertilizer to different valves in the system. Access to the network could result in an attacker being able to flood fields or over-deliver fertilizer, for instance.
Security Joes regularly scans for Israeli open devices on the internet to check for vulnerabilities, the firm’s co-founder Ido Naor told Threatpost. Recently, its researchers discovered that 55 irrigation systems within Israel were visible on the open internet without password protections. After expanding their search, they found 50 others scattered around the world in countries including France, South Korea, Switzerland and the U.S.
“We’re talking about full-fledged irrigation systems, they could be entire cities,” Naor said. “We don’t look closely at what’s behind the address, because we don’t want to cause any trouble.”
Naor said that at last check, only about 20 percent of the identified vulnerable irrigation devices have had mitigation efforts taken to protect them so far.
There’s good reason for alarm about water systems not being secured, particularly in Israel. Just last April, a cyberattack on Israeli water systems, reportedly launched by Iran, attempted to increase the mix of chlorine in the water to poison the civilian population and ultimately interrupt the population’s water supply, The Times of Israel reported.
Yigal Unna, the head of the country’s National Cyber Directorate addressed the CybertechLive Asia conference in late May with the ominous warning that the direct cyberattack on people represented a new chapter in cyberwarfare, according to The Times of Israel.
“Cyber-winter is coming and coming even faster than I suspected,” he told the conference, according to the report. “We are just seeing the beginning.”
Unna was correct. Just weeks later in July, the Israeli Water Authority said that it was able to stop an attack on agricultural water pumps in Galilee, and another on water-supply infrastructure in the “center of the country,” reports.
The irrigation systems which were discovered without password protection aren’t related to the previous attacks, Naor said.
These types of vulnerabilities certainly aren’t limited to Israel.
Last month, six critical flaws in CodeMeter, software used to power industrial systems in the U.S., including water and electric utilities, were discovered which could be exploited to launch attacks or even allow third-party takeovers of systems.
Over the summer, researchers found that VPNs used for remote access to operational technology (OT) networks in industrial environments left field devices open to attacks, which could cause shutdowns or even physical damage.
Governments are making attempts to keep up with the proliferation of internet-of-things (IoT) devices throughout critical-infrastructure systems. In the U.S., the House of Representatives passed legislation in September establishing minimum requirements for IoT devices within the federal government.
“Most experts expect tens of billions of devices operating on our networks within the next several years as the [IoT] landscape continues to expand,” the legislation’s so-sponsor Senator Cory Gardner (R-Co.) said in a press release. “We need to make sure these devices are secure from malicious cyberattacks as they continue to transform our society and add countless new entry points into our networks, particularly when they are integrated into the federal government’s networks.”
#cloud security #critical infrastructure #iot #web security #connected devices #cory gardner bill #critical infrastructure #cyberattack #cybersecurity #default password #galilee #government #infrastructure security #internet of things #irrigation systems #israel #mottech water management #open to internet #security joes #smart irrigation #water system attacks