<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: gen2soulk</title>
    <description>The latest articles on Forem by gen2soulk (@gen2soulk).</description>
    <link>https://forem.com/gen2soulk</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1033382%2F8438cadc-cac5-4b20-95bb-4a0dcedb15c7.jpeg</url>
      <title>Forem: gen2soulk</title>
      <link>https://forem.com/gen2soulk</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/gen2soulk"/>
    <language>en</language>
    <item>
      <title>10 Reasons To Use AWS in Your Projects</title>
      <dc:creator>gen2soulk</dc:creator>
      <pubDate>Mon, 26 Feb 2024 07:46:15 +0000</pubDate>
      <link>https://forem.com/gen2soulk/10-reasons-to-use-aws-in-your-projects-11gg</link>
      <guid>https://forem.com/gen2soulk/10-reasons-to-use-aws-in-your-projects-11gg</guid>
      <description>&lt;p&gt;&lt;strong&gt;Amazon Web Services (AWS)&lt;/strong&gt; is a cloud computing platform that provides a wide range of services, including computing power, storage, databases, machine learning, and more. Here are ten reasons why you might consider using AWS in your projects:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Scalability:&lt;/strong&gt; AWS allows you to scale your resources up or down based on demand. This means you can handle sudden spikes in traffic without worrying about infrastructure limitations.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Cost-Effectiveness:&lt;/strong&gt; AWS offers a pay-as-you-go pricing model, which means you only pay for the resources you use. This can be more cost-effective than maintaining your own infrastructure.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Global Reach:&lt;/strong&gt; AWS has data centers in multiple regions around the world, allowing you to deploy your applications closer to your users for lower latency and better performance.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Security:&lt;/strong&gt; AWS provides a wide range of security features, including encryption, identity and access management, and compliance certifications. This can help you keep your data safe and meet regulatory requirements.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Reliability:&lt;/strong&gt; AWS has a highly reliable infrastructure, with multiple data centers in each region and automatic failover capabilities. This means your applications can stay up and running even in the face of hardware failures or other issues.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Flexibility:&lt;/strong&gt; AWS offers a wide range of services, from virtual servers to machine learning tools. This means you can choose the right tools for your project without being locked into a specific technology stack.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Ease of Use:&lt;/strong&gt; AWS provides a user-friendly web interface, as well as APIs and command-line tools for more advanced users. This makes it easy to manage your resources and automate common tasks.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Integration:&lt;/strong&gt; AWS integrates with a wide range of third-party services, including popular development tools like GitHub and Jenkins. This can help you streamline your development process and improve collaboration.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Innovation:&lt;/strong&gt; AWS is constantly adding new features and services, allowing you to take advantage of the latest technologies without having to invest in new hardware or software.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Community:&lt;/strong&gt; AWS has a large and active community of developers and users, which means you can find plenty of resources and support if you run into problems or need help with your project.&lt;/p&gt;

&lt;p&gt;These are just a few of the reasons why you might consider using AWS in your projects. Ultimately, the decision will depend on your specific needs and requirements.&lt;/p&gt;

</description>
      <category>aws</category>
      <category>webdev</category>
      <category>awsbigdata</category>
      <category>ec2</category>
    </item>
    <item>
      <title>Building A Highly Available Web Applications in AWS</title>
      <dc:creator>gen2soulk</dc:creator>
      <pubDate>Wed, 24 Jan 2024 11:21:05 +0000</pubDate>
      <link>https://forem.com/gen2soulk/building-a-highly-available-web-applications-in-aws-1ld5</link>
      <guid>https://forem.com/gen2soulk/building-a-highly-available-web-applications-in-aws-1ld5</guid>
      <description>&lt;p&gt;This is a short article on how to build Highly Available Web Applications in AWS. &lt;br&gt;
&lt;strong&gt;Summary Steps&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Migrate an Auto Scaling Group behind an Application Load Balancer in one Availability Zone.&lt;/li&gt;
&lt;li&gt;Set up Load Balancer health monitoring for an Amazon EC2 Auto Scaling group.&lt;/li&gt;
&lt;li&gt;Add a second Availability Zone to the Amazon EC2 Auto Scaling group.&lt;/li&gt;
&lt;li&gt;Configure an Auto scaling group to include a new EC2 instance in a third Availability zone.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;Step-by-step guide&lt;/strong&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Visit your AWS Console page&lt;/li&gt;
&lt;li&gt;In the top navigation bar search box, type: &lt;strong&gt;ec2&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;In the search results, under Services, click EC2.&lt;/li&gt;
&lt;li&gt;In the left navigation pane, click Auto Scaling Groups.&lt;/li&gt;
&lt;li&gt;In the Auto Scaling groups section, choose the check box to select your WebServers.&lt;/li&gt;
&lt;li&gt;On the Details tab, review the current capacity details.&lt;/li&gt;
&lt;li&gt;Click the Instance management tab.&lt;/li&gt;
&lt;li&gt;Review to see that there is currently one instance in the Auto Scaling group.&lt;/li&gt;
&lt;li&gt;Click the Details tab.&lt;/li&gt;
&lt;li&gt;Scroll down to Network. &lt;/li&gt;
&lt;li&gt;In the Network section, review to see that the Auto Scaling group is configured with a single subnet from one Availability Zone. &lt;/li&gt;
&lt;li&gt;Scroll down to Load balancing.
&lt;/li&gt;
&lt;li&gt;Click Edit. &lt;/li&gt;
&lt;li&gt;Click Add a new load balancer.&lt;/li&gt;
&lt;li&gt;For Load balancer type, choose Application Load Balancer.&lt;/li&gt;
&lt;li&gt;For Load balancer scheme, choose Internet-facing.&lt;/li&gt;
&lt;li&gt;For Availability Zones and subnets, choose the three check boxes to select all three Availability Zones. &lt;/li&gt;
&lt;li&gt;On each of the three dropdown menus, choose the available public subnet.&lt;/li&gt;
&lt;li&gt;For Default routing (forward to), choose Create a target group.&lt;/li&gt;
&lt;/ol&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;&lt;em&gt;Keep the defaults&lt;/em&gt;&lt;/strong&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;ol&gt;
&lt;li&gt;To create the Application Load Balancer, click Update.&lt;/li&gt;
&lt;li&gt;In the left navigation pane, click Security Groups.&lt;/li&gt;
&lt;li&gt;In the Security Groups section, click Create security group.&lt;/li&gt;
&lt;li&gt;In the Basic details section, for the Security group name, type: &lt;strong&gt;LoadBalancer&lt;/strong&gt; name&lt;/li&gt;
&lt;li&gt;For Description, type a description that you like, such as Allow access to the travel agency load balancer from the internet.&lt;/li&gt;
&lt;li&gt;For VPC, choose your VPC&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;em&gt;- To remove the existing VPC entry, you might need to click the X.&lt;/em&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;In the Inbound rules section, click Add rule. &lt;/li&gt;
&lt;li&gt;Go to the next step.&lt;/li&gt;
&lt;li&gt;In the Inbound rules section, for Type, choose HTTP.&lt;/li&gt;
&lt;li&gt;To allow all inbound traffic, for Source, in the Custom search box, choose 0.0.0.0/0.&lt;/li&gt;
&lt;li&gt;In the Outbound rules section, for Type, choose HTTP.&lt;/li&gt;
&lt;li&gt;For Destination, choose your security group.&lt;/li&gt;
&lt;li&gt;Remove the 0.0.0.0/0 destination.&lt;/li&gt;
&lt;li&gt;Scroll down to the bottom of the page.&lt;/li&gt;
&lt;li&gt;Click Create security group.&lt;/li&gt;
&lt;li&gt;In the left navigation pane, click Security Groups.&lt;/li&gt;
&lt;li&gt;In the Security Groups section, choose the check box to select the security group.&lt;/li&gt;
&lt;li&gt;On the Actions dropdown menu, choose Edit inbound rules.&lt;/li&gt;
&lt;li&gt;In the Inbound rules section, to remove the existing rule, click Delete.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;em&gt;&lt;strong&gt;- You must delete the existing rule to modify the rule type.&lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;To add a new rule, click Add rule.&lt;/li&gt;
&lt;li&gt;For Type, choose HTTP.&lt;/li&gt;
&lt;li&gt;For Source, choose your LoadBalancer security group.&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Click Save rules.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;In the left navigation pane, click Load Balancers.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;In the Load balancers section, click your LoadBalancer.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Scroll down to the Security tab.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;On the Security tab, click Edit.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;For Security groups, click the X icon to deselect the WebServer security group.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Choose the LoadBalancer.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Click Save changes.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;In the success alert, review the message.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;For the Application Load Balancer, under DNS name, click the copy icon to copy the provided name.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;In a new browser tab (or window) address bar, paste the DNS name that you just copied, and then add http:// to the beginning and press Enter.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;em&gt;- The website is hosted only with HTTP.&lt;/em&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Congratulations! You have moved the travel agency website behind an Application Load Balancer.&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>aws</category>
      <category>web</category>
      <category>devops</category>
      <category>developer</category>
    </item>
    <item>
      <title>Top 5 Password Cracking Techniques Used by Hackers</title>
      <dc:creator>gen2soulk</dc:creator>
      <pubDate>Thu, 11 May 2023 10:32:12 +0000</pubDate>
      <link>https://forem.com/gen2soulk/top-5-password-cracking-techniques-used-by-hackers-7l4</link>
      <guid>https://forem.com/gen2soulk/top-5-password-cracking-techniques-used-by-hackers-7l4</guid>
      <description>&lt;p&gt;One of the biggest security threats is password cracking. Are you an IT system administrator concerned about the security of your organization's data?&lt;/p&gt;

&lt;p&gt;In this article, we'll provide an overview of password cracking, discuss the importance of strong passwords, and detail the top 5 password cracking techniques hackers use.&lt;/p&gt;

&lt;p&gt;We'll also provide real-world examples of password-cracking attacks and their impact and recommendations for enhancing password security.&lt;/p&gt;

&lt;p&gt;Whether you're a seasoned IT professional or just getting started, you need to understand these password cracking techniques to help better secure your organization's data.&lt;/p&gt;

&lt;p&gt;What Goes Into Cracking a Password&lt;br&gt;
Many users may have seen password cracking portrayed in movies as a quick and impressive feat. But it is far less flashy and potentially much more time-consuming, according to this 2022 Hive report. Password cracking typically involves brute-forcing a password using various methods.&lt;/p&gt;

&lt;p&gt;To understand password cracking, you must first understand how passwords are stored. There are two primary ways to store passwords: encryption and hashing.&lt;/p&gt;

&lt;p&gt;Encryption transforms plaintext into reversible ciphertext, which allows password managers to store and display the original plaintext password.&lt;/p&gt;

&lt;p&gt;On the other hand, hashing is the typical method used for storing passwords for online services.&lt;/p&gt;

&lt;p&gt;Since service operators don't need to reverse passwords, only to verify they are correct, passwords are hashed. Hash algorithms convert plaintext values into ciphertext in a one-way process.&lt;/p&gt;

&lt;p&gt;Before attempting to crack a password, an attacker must retrieve the ciphertext value, often through man-in-the-middle attacks, hacked credential databases, or phishing attempts.&lt;/p&gt;

&lt;p&gt;Ultimately, the attacker can begin their work once the ciphertext value has been obtained, typically as a hash value.&lt;/p&gt;

&lt;p&gt;Password Cracking Techniques &amp;amp; Tools of the Trade&lt;br&gt;
Once an attacker has obtained the hash, the next step is to crack the password. Most password-cracking techniques involve brute-forcing the password, but there are ways to make this process more efficient and straightforward.&lt;/p&gt;

&lt;p&gt;Brute Forcing&lt;br&gt;
Sometimes, the only way to find a password is to attempt every possible combination of letters, numbers, and symbols. If the password is random, many other techniques to make the job easier may not work.&lt;/p&gt;

&lt;p&gt;This approach is the least efficient, but it may be the only option when all else fails.&lt;/p&gt;

&lt;p&gt;An attacker may use a computer or a cluster of computers to attempt every possible variation. The longer the password, the more difficult and time-consuming the cracking process becomes.&lt;/p&gt;

&lt;p&gt;As an example, here are some recent findings from the 2023 Hive report on how long passwords with lowercase and uppercase letters take to crack versus more complex passwords (i.e., numbers, upper and lowercase letters, and symbols in an MD5 hash).&lt;/p&gt;

&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;&lt;th&gt;Characters&lt;/th&gt;&lt;th&gt;Lower &amp;amp; Uppercase Letters&lt;/th&gt;&lt;th&gt;Complex Passwords&lt;/th&gt;&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;&lt;td&gt;8 Characters&lt;/td&gt;&lt;td&gt;22 minutes&lt;/td&gt;&lt;td&gt;8 hours&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;9 Characters&lt;/td&gt;&lt;td&gt;19 hours&lt;/td&gt;&lt;td&gt;3 weeks&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;10 Characters&lt;/td&gt;&lt;td&gt;1 month&lt;/td&gt;&lt;td&gt;5 years&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;11 Characters&lt;/td&gt;&lt;td&gt;5 years&lt;/td&gt;&lt;td&gt;500 years&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;12 Characters&lt;/td&gt;&lt;td&gt;300 years&lt;/td&gt;&lt;td&gt;34k years&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;

&lt;p&gt;Rainbow Table&lt;br&gt;
Since hashing algorithms are publicly known, it is possible to create massive lists of pre-computed password hashes that a stolen hash can be compared against. Instead of generating a new hash for every variation, look up the stolen hash against a table to see if it matches.&lt;/p&gt;

&lt;p&gt;There are many different hash methods and near-infinite password variations, which can quickly make managing and storing tables like this very difficult. There is another technique known as password salting that can also throw a wrench in this technique. If the server adds random values to the front and end of a hash (values known only to the server), then the resulting hashes won’t match known values anymore.&lt;/p&gt;

&lt;p&gt;Dictionary Attack&lt;br&gt;
To make brute-forcing a password easier, attackers can use dictionaries of common words and phrases, company names, sports teams, etc. This narrows down the list of potential password choices.&lt;/p&gt;

&lt;p&gt;In the past, users were recommended to change their password often (e.g., every 90 days) and to use complex passwords.&lt;/p&gt;

&lt;p&gt;But this led to users choosing passwords like !yoda2023#, which makes the job of a password cracker easier. Once the base word, yoda, is guessed through a dictionary attack, trying a few different symbols and numbers can quickly crack the password.&lt;/p&gt;

&lt;p&gt;In the image below you can see the top 5 Star Wars themed base terms that are used in compromised passwords.&lt;/p&gt;

&lt;p&gt;A more advanced form of a dictionary attack is the Markov chain attack. This involves a statistical analysis of a list of words stored in a table and used to calculate the probability of character placement in a brute-force attack.&lt;/p&gt;

&lt;p&gt;Credential Stuffing&lt;br&gt;
Users commonly use the same root password across multiple services. If one password is broken on a service, an attacker can quickly try that same password or variations on other services to which the user may have access.&lt;/p&gt;

&lt;p&gt;In this attack, known as credential stuffing, attackers try the cracked password on multiple services rather than trying different passwords on the same service. This can result in all of the user's services being compromised.&lt;/p&gt;

&lt;p&gt;Weak (Insecure) Password Hashes&lt;br&gt;
Of course, not all password hashing schemes are created equal. As technology evolves, what was once considered secure may no longer be so. This is true for hash algorithms like MD5 or SHA-1, which can be cracked quickly.&lt;/p&gt;

&lt;p&gt;A system that stores user password hashes with one of these algorithms could have its entire database cracked quickly.&lt;/p&gt;

&lt;p&gt;Modern systems recommend more secure algorithms, such as bcrypt, which uses salted password hashes.&lt;/p&gt;

&lt;p&gt;Password Cracking Tools&lt;br&gt;
Though the techniques themselves are essential to know, many password crackers rely on readily available tools.&lt;/p&gt;

&lt;p&gt;Though three standard tools are listed below, many more are available. All of the below are open-source and community-developed, which means they are ever-evolving.&lt;/p&gt;

&lt;p&gt;John the Ripper - Supports hundreds of hash types across many applications and is available on multiple platforms.&lt;br&gt;
Hashcat - Works with the CPU and GPU to provide a high-speed command-line password-cracking tool supporting many hash types.&lt;br&gt;
Ophcrack - A tool based around rainbow tables focused on LM and NTLM passwords used in Windows environments.&lt;br&gt;
Though these tools make it far easier to crack retrieved hashes, plenty of custom tools can be tailored to individual organizations. A robust and up-to-date password policy is vital to protecting an organization.&lt;/p&gt;

&lt;p&gt;How Users Should Protect Themselves&lt;br&gt;
With all the talk of password cracking, what should a user do to protect themselves? Modern security organizations such as NIST, through their 800-63B guidelines, now recommend the following:&lt;/p&gt;

&lt;p&gt;Ditch the regular password change requirements. Only change passwords if requested explicitly by a user or if a password has been breached.&lt;br&gt;
Decrease the arbitrary need for password complexity and focus on overall password length, such as a minimum of 12 characters.&lt;br&gt;
All new passwords must be compared against commonly used or previously compromised passwords.&lt;br&gt;
Do not reuse passwords across different services to avoid attacks such as credential stuffing.&lt;br&gt;
Increased hash security means that even shorter passwords take far longer to crack, such as MD5 vs. PBKDF2.&lt;/p&gt;

&lt;p&gt;Protecting Organizations Against Password Cracking&lt;br&gt;
With the many tools and techniques available to password crackers, it’s no wonder that password breaches are regular occurrences.&lt;/p&gt;

&lt;p&gt;Improve your security with tools such as Specops Password Policy and ensure your organization and users don’t fall victim to the many threat actors out there.&lt;/p&gt;

&lt;p&gt;Stay ahead of the bad guys with securely designed password policies and root out previously cracked passwords with breached password detection!&lt;/p&gt;

</description>
      <category>hackathon</category>
      <category>programming</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>How to Set Up a Threat Hunting and Threat Intelligence Program</title>
      <dc:creator>gen2soulk</dc:creator>
      <pubDate>Tue, 09 May 2023 08:56:56 +0000</pubDate>
      <link>https://forem.com/gen2soulk/how-to-set-up-a-threat-hunting-and-threat-intelligence-program-2ac2</link>
      <guid>https://forem.com/gen2soulk/how-to-set-up-a-threat-hunting-and-threat-intelligence-program-2ac2</guid>
      <description>&lt;p&gt;Users of Advanced Custom Fields plugin for WordPress are being urged to update version 6.1.6 following the discovery of a security flaw.&lt;/p&gt;

&lt;p&gt;The issue, assigned the identifier CVE-2023-30777, relates to a case of reflected cross-site scripting (XSS) that could be abused to inject arbitrary executable scripts into otherwise benign websites.&lt;/p&gt;

&lt;p&gt;The plugin, which is available both as a free and pro version, has over two million active installations. The issue was discovered and reported to the maintainers on May 2, 2023.&lt;/p&gt;

&lt;p&gt;"This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path," Patchstack researcher Rafie Muhammad said.&lt;/p&gt;

&lt;p&gt;Reflected XSS attacks usually occur when victims are tricked into clicking on a bogus link sent via email or another route, causing the malicious code to be sent to the vulnerable website, which reflects the attack back to the user's browser.&lt;/p&gt;

&lt;p&gt;This element of social engineering means that reflected XSS does not have the same reach and scale as stored XSS attacks, prompting threat actors to distribute the malicious link to as many victims as possible.&lt;/p&gt;

&lt;p&gt;"[A reflected XSS attack] is typically a result of incoming requests not being sufficiently sanitized, which allows for the manipulation of a web application's functions and the activation of malicious scripts," Imperva notes.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--k_L99roC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/w7fziad3s1466ud4j20b.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--k_L99roC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/w7fziad3s1466ud4j20b.png" alt="Image description" width="728" height="262"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It's worth noting that CVE-2023-30777 can be activated on a default installation or configuration of Advanced Custom Fields, although it's also possible to do so from logged-in users who have access to the plugin.&lt;/p&gt;

&lt;p&gt;The development comes as Craft CMS patched two medium-severity XSS flaws (CVE-2023-30177 and CVE-2023-31144) that could be exploited by a threat actor to serve malicious payloads.&lt;/p&gt;

&lt;p&gt;It also follows the disclosure of another XSS flaw in the cPanel product (CVE-2023-29489, CVSS score: 6.1) that could be exploited without any authentication to run arbitrary JavaScript.&lt;/p&gt;

&lt;p&gt;"An attacker can not only attack the management ports of cPanel but also the applications that are running on port 80 and 443," Assetnote's Shubham Shah said, adding it could enable an adversary to hijack a valid user's cPanel session.&lt;/p&gt;

&lt;p&gt;"Once acting on behalf of an authenticated user of cPanel, it is usually trivial to upload a web shell and gain command execution."&lt;/p&gt;

</description>
      <category>threathunting</category>
      <category>security</category>
      <category>threat</category>
      <category>information</category>
    </item>
    <item>
      <title>ChatGPT Security: OpenAI's Bug Bounty Program Offers Up to $20,000 Prizes</title>
      <dc:creator>gen2soulk</dc:creator>
      <pubDate>Thu, 13 Apr 2023 08:11:26 +0000</pubDate>
      <link>https://forem.com/gen2soulk/chatgpt-security-openais-bug-bounty-program-offers-up-to-20000-prizes-511</link>
      <guid>https://forem.com/gen2soulk/chatgpt-security-openais-bug-bounty-program-offers-up-to-20000-prizes-511</guid>
      <description>&lt;p&gt;OpenAI, the company behind the massively popular ChatGPT AI chatbot, has launched a bug bounty program in an attempt to ensure its systems are "safe and secure."&lt;/p&gt;

&lt;p&gt;To that end, it has partnered with the crowdsourced security platform Bugcrowd for independent researchers to report vulnerabilities discovered in its product in exchange for rewards ranging from "$200 for low-severity findings to up to $20,000 for exceptional discoveries."&lt;/p&gt;

&lt;p&gt;It's worth noting that the program does not cover model safety or hallucination issues, wherein the chatbot is prompted to generate malicious code or other faulty outputs. The company noted that "addressing these issues often involves substantial research and a broader approach."&lt;/p&gt;

&lt;p&gt;Other prohibited categories are denial-of-service (DoS) attacks, brute-forcing OpenAI APIs, and demonstrations that aim to destroy data or gain unauthorized access to sensitive information.&lt;/p&gt;

&lt;p&gt;"Please note that authorized testing does not exempt you from all of OpenAI's terms of service," the company cautioned. "Abusing the service may result in rate limiting, blocking, or banning."&lt;/p&gt;

&lt;p&gt;What's in scope, however, are defects in OpenAI APIs, ChatGPT (including plugins), third-party integrations, public exposure of OpenAI API keys, and any of the domains operated by the company.&lt;/p&gt;

&lt;p&gt;The development comes in response to OpenAI patching account takeover and data exposure flaws in the platform, prompting Italian data protection regulators to take a closer look at the platform.&lt;/p&gt;

&lt;p&gt;Italian Data Protection Authority Proposes Measures to Lift ChatGPT Ban&lt;br&gt;
The Garante, which imposed a temporary ban on ChatGPT on March 31, 2023, has since outlined a set of measures the Microsoft-backed firm will have to agree to implement by the end of the month in order for the suspension to be lifted.&lt;/p&gt;

&lt;p&gt;"OpenAI will have to draft and make available, on its website, an information notice describing the arrangements and logic of the data processing required for the operation of ChatGPT along with the rights afforded to data subjects," the Garante said.&lt;/p&gt;

&lt;p&gt;Additionally, the information notice should be readily available for Italian users before signing up for the service. Users will also need to be required to declare they are over the age of 18.&lt;/p&gt;

&lt;p&gt;OpenAI has also been ordered to implement an age verification system by September 30, 2023, to filter out users aged below 13 and have provisions in place to seek parental consent for users aged 13 to 18. The company has been given time till May 31 to submit a plan for the age-gating system.&lt;/p&gt;

&lt;p&gt;As part of efforts to exercise data rights, both users and non-users of the service can request "rectification of their personal data" in cases where it's incorrectly generated by the service, or alternatively, erase the data if corrections are technically infeasible.&lt;/p&gt;

&lt;p&gt;Non-users, per the Garante, should further be provided with easily accessible tools to object to their personal data being processed by OpenAI's algorithms. The company is also expected to run an advertising campaign by May 15, 2023, to "inform individuals on use of their personal data for training algorithms."&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>chatgpt</category>
      <category>programming</category>
    </item>
    <item>
      <title>How to Teach Your Child Coding: A Gift for Their Digital Future</title>
      <dc:creator>gen2soulk</dc:creator>
      <pubDate>Wed, 05 Apr 2023 08:48:20 +0000</pubDate>
      <link>https://forem.com/gen2soulk/how-to-teach-your-child-coding-a-gift-for-their-digital-future-2o1n</link>
      <guid>https://forem.com/gen2soulk/how-to-teach-your-child-coding-a-gift-for-their-digital-future-2o1n</guid>
      <description>&lt;p&gt;As we progress through the digital age, coding is rapidly gaining traction as a logic-based skill that can fuel creativity in both kids and teens. Another beauty of technology is that children have access to an array of resources, such as coding apps, websites, online courses, games, and more.&lt;/p&gt;

&lt;p&gt;However, teaching coding to kids and teens using traditional methods can be quite challenging. Parents and educators are increasingly opting for age-appropriate, engaging, and enjoyable ways to teach coding.&lt;/p&gt;

&lt;p&gt;This approach helps young learners develop the skills required in the programming world. Keep reading this post to discover five exciting ideas to make coding fun for kids and teens.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Innovative Approaches to Teach Coding to Kids&lt;/strong&gt;&lt;br&gt;
Many programming concepts will be entirely new to young learners. As such, it’s essential to introduce each concept incrementally. Recent research indicates that students across all age groups retain information more effectively when they learn in a fun and engaging manner. This insight opens the door to discovering new methods for teaching coding to children.&lt;/p&gt;

&lt;p&gt;If the learning process becomes dull, it can quickly dampen the student’s interest, regardless of the subject matter. Before teaching coding, convey to your child the excitement and enjoyment they may find in programming.&lt;/p&gt;

&lt;p&gt;The prospect of building websites, games, animations, apps, and more will pique their curiosity about coding. Here are some tips to make learning coding a fun and immersive experience for kids and teens:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Leverage Toys for Skill Development&lt;/strong&gt;&lt;br&gt;
One of the most effective ways to enhance kids’ creativity is by introducing them to toys like Legos, Mechanix, and others. Depending on the child’s age, you can engage them in the design and creation process of these toys. This approach will bolster their logical, observational, creative, and reasoning abilities, paving the way for learning the basics of programming.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Explore Coding through Minecraft&lt;/strong&gt;&lt;br&gt;
Getting kids and teens involved in Minecraft serves as an excellent motivator for learning to code. Widely accessible on gaming consoles and desktops, Minecraft introduces young learners to various coding elements in an enjoyable manner. The game employs a straightforward structure to craft objects, making it an engaging learning tool.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Utilize Websites and Apps for Coding Instruction&lt;/strong&gt;&lt;br&gt;
Presently, numerous websites and applications offer block-based coding lessons to kids and teenagers. Popular platforms like Thunkable and code.org provide tailored learning experiences, allowing you to select the most suitable resource for your needs.&lt;br&gt;
These websites are specifically designed to teach children by integrating visual code blocks into entertaining projects. The combination of vibrant graphics and block code helps make the coding process more approachable and less daunting.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4. Utilize Engaging Media Resources&lt;/strong&gt;&lt;br&gt;
There are numerous resources available today for teaching children coding, such as YouTube, TikTok, and online communities. Streaming programming videos on YouTube prompts the algorithm to suggest related coding videos for both you and your child. YouTube offers a wealth of information tailored to various learning styles for coding.&lt;/p&gt;

&lt;p&gt;Choose the right YouTube video to help kids and teenagers grasp binary code. Videos, especially animated ones, can simplify complex coding concepts and make them enjoyable. For offline education, parents can turn to books or magazines featuring engaging imagery that sparks interest and motivates children and teens to delve into coding studies.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;5. Embrace Learning from Children&lt;/strong&gt;&lt;br&gt;
Recent research suggests that learning by teaching is an effective strategy for deepening one’s understanding of a concept. If your child is learning to code, encourage them to share their knowledge with someone else. You can participate by providing an opportunity for them to teach you a new coding concept. Asking questions about these concepts helps reinforce their learning and motivates them to continue learning.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Benefits of Learning to Code for Kids and Teenagers&lt;/strong&gt;&lt;br&gt;
Coding involves giving instructions to a computer to perform specific tasks. By learning coding through resources like the CodeMonkey course, your children can secure a brighter future. &lt;br&gt;
They’ll develop logic and computational thinking skills to tackle various challenges in life. Additionally, coding fosters persistence, collaboration, and communication skills. Let’s explore how kids can benefit from learning to code:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1. Developing Crucial Skills&lt;/strong&gt;&lt;br&gt;
One of the major advantages of learning to code is the enhancement of problem-solving, creativity, and logical thinking abilities. Children are provided with numerous opportunities to practice and refine these skills, which are essential for both personal growth and professional success.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Building Confidence&lt;/strong&gt;&lt;br&gt;
As kids and teenagers learn to articulate their ideas and grasp fundamental concepts, their confidence increases. This newfound confidence enables them to develop websites and applications more effectively.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. Discovering New Concepts&lt;/strong&gt;&lt;br&gt;
Coding offers a hands-on learning approach that encourages kids and teenagers to explore and interact with their environment. This method helps them learn from their mistakes and experiment with various solutions to find the most appropriate one.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4. Enhancing Communication Skills&lt;/strong&gt;&lt;br&gt;
Coding requires breaking down complex ideas into simpler forms and effectively communicating them to computers. For a computer to execute a specific task, the message must be clear and precise.&lt;br&gt;
As a result, not only do children’s computer communication skills improve, but their verbal and written abilities also see growth. Strong communication skills are essential for success in life.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Closing Thoughts&lt;/strong&gt;&lt;br&gt;
This article aims to guide you in discovering engaging methods for teaching your child coding. By making learning enjoyable, children are more likely to retain concepts for longer periods and apply them effectively.&lt;/p&gt;

&lt;p&gt;In today’s world, coding is a crucial aspect of childhood education. Learning to code prepares kids and teenagers for success in future careers while enhancing problem-solving capabilities and creativity.&lt;/p&gt;

&lt;p&gt;Through coding skills, individuals can create computer software, apps, websites, games, and more. It’s vital to introduce these future skills to your child to help them stand out in a competitive environment.&lt;/p&gt;

&lt;p&gt;Moonpreneur recognizes the demands and needs that our rapidly evolving technological landscape presents for our children. As a result, we’re on a mission to educate and inspire entrepreneurship through our comprehensive online STEM programs, which help kids master futuristic sciences such as robotics, game development, app development, advanced math, and more! Sign up for a free 60-minute robotics and coding class today!&lt;/p&gt;

</description>
      <category>coding</category>
      <category>webdev</category>
      <category>beginners</category>
      <category>programming</category>
    </item>
    <item>
      <title>What is Security Awareness Training?</title>
      <dc:creator>gen2soulk</dc:creator>
      <pubDate>Fri, 24 Mar 2023 09:17:49 +0000</pubDate>
      <link>https://forem.com/gen2soulk/what-is-security-awareness-training-ijc</link>
      <guid>https://forem.com/gen2soulk/what-is-security-awareness-training-ijc</guid>
      <description>&lt;p&gt;Let’s start with a clear understanding of the three different types of learning activities that organizations use, whether for information security or for any other purpose:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Education:&lt;/strong&gt; The overall goal of education is to help learners improve their understanding of these ideas and their ability to relate them to their own experiences and apply that learning in useful ways.&lt;br&gt;
&lt;strong&gt;Training:&lt;/strong&gt; Focuses on building proficiency in a specific set of skills or actions, including sharpening the perception and judgment needed to make decisions as to which skill to use, when to use it and how to apply it. Training can focus on low-level skills, an entire task or complex workflows consisting of many tasks.&lt;br&gt;
&lt;strong&gt;Awareness:&lt;/strong&gt; These are activities that attract and engage the learner’s attention by acquainting them with aspects of an issue, concern, problem or need.&lt;/p&gt;

&lt;p&gt;You’ll notice that none of these have an expressed or implied degree of formality, location or target audience. (Think of a newly hired senior executive with little or no exposure to the specific compliance needs your organization faces; first, someone has to get their attention and make them aware of the need to understand. The rest can follow.)&lt;/p&gt;

</description>
      <category>security</category>
      <category>securityawareness</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>Understanding Zero Trust Networks</title>
      <dc:creator>gen2soulk</dc:creator>
      <pubDate>Wed, 22 Mar 2023 15:50:23 +0000</pubDate>
      <link>https://forem.com/gen2soulk/understanding-zero-trust-networks-29em</link>
      <guid>https://forem.com/gen2soulk/understanding-zero-trust-networks-29em</guid>
      <description>&lt;p&gt;Zero Trust networks are often micro-segmented networks, with firewalls at nearly every connecting point. Zero trust encapsulates information assets, the services that apply to them, and their security properties. This concept recognizes that once inside a trust-but-verify environment, a user has perhaps unlimited capabilities to roam around, identify assets and systems and potentially find exploitable vulnerabilities. Placing a greater number of firewalls or other security boundary control devices throughout the network increases the number of opportunities to detect a troublemaker before harm is done. Many enterprise architectures are pushing this to the extreme of micro-segmenting their internal networks, which enforces frequent re-authentication of a user ID, as depicted in this image. &lt;/p&gt;

&lt;p&gt;Consider a rock music concert. By traditional perimeter controls, such as firewalls, you would show your ticket at the gate and have free access to the venue, including backstage where the real rock stars are. In a zero-trust environment, additional checkpoints are added. Your identity (ticket) is validated to access the floor level seats, and again to access the backstage area. Your credentials must be valid at all 3 levels to meet the stars of the show. &lt;/p&gt;

&lt;p&gt;Zero trust is an evolving design approach which recognizes that even the most robust access control systems have their weaknesses. It adds defenses at the user, asset and data level, rather than relying on perimeter defense. In the extreme, it insists that every process or action a user attempts to take must be authenticated and authorized; the window of trust becomes vanishingly small. &lt;/p&gt;

</description>
      <category>zero</category>
      <category>zerotrust</category>
      <category>security</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>What is Defense in Depth?</title>
      <dc:creator>gen2soulk</dc:creator>
      <pubDate>Wed, 22 Mar 2023 15:39:07 +0000</pubDate>
      <link>https://forem.com/gen2soulk/what-is-defense-in-depth-3eaf</link>
      <guid>https://forem.com/gen2soulk/what-is-defense-in-depth-3eaf</guid>
      <description>&lt;p&gt;Defense in depth uses a layered approach when designing the security posture of an organization. Think about a castle that holds the crown jewels. The jewels will be placed in a vaulted chamber in a central location guarded by security guards. The castle is built around the vault with additional layers of security—soldiers, walls, a moat. The same approach is true when designing the logical security of a facility or system. Using layers of security will deter many attackers and encourage them to focus on other, easier targets. &lt;/p&gt;

&lt;p&gt;Defense in depth provides more of a starting point for considering all types of controls—administrative, technological, and physical—that empower insiders and operators to work together to protect their organization and its systems. &lt;/p&gt;

&lt;p&gt;Here are some examples that further explain the concept of defense in depth: &lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Data:&lt;/strong&gt; Controls that protect the actual data with technologies such as encryption, data leak prevention, identity and access management and data controls.&lt;br&gt;
&lt;strong&gt;Application:&lt;/strong&gt; Controls that protect the application itself with technologies such as data leak prevention, application firewalls and database monitors.&lt;br&gt;
&lt;strong&gt;Host:&lt;/strong&gt; Every control that is placed at the endpoint level, such as antivirus, endpoint firewall, configuration and patch management.&lt;br&gt;
&lt;strong&gt;Internal network:&lt;/strong&gt; Controls that are in place to protect against uncontrolled data flow and user access across the organizational network. Relevant technologies include intrusion detection systems, intrusion prevention systems, internal firewalls and network access controls.&lt;br&gt;
&lt;strong&gt;Perimeter:&lt;/strong&gt; Controls that protect against unauthorized access to the network. This level includes the use of technologies such as gateway firewalls, honeypots, malware analysis and secure demilitarized zones (DMZs).&lt;br&gt;
&lt;strong&gt;Physical:&lt;/strong&gt; Controls that provide a physical barrier, such as locks, walls or access control.&lt;br&gt;
&lt;strong&gt;Policies, procedures and awareness:&lt;/strong&gt; Administrative controls that reduce insider threats (intentional and unintentional) and identify risks as soon as they appear.&lt;/p&gt;

</description>
      <category>security</category>
      <category>tutorial</category>
      <category>cloud</category>
    </item>
  </channel>
</rss>
