Showing posts with label Security. Show all posts

Sunday, July 13, 2008

Phishing - We are in six month high

A couple of months back, my friend and I spoke on Web Application Security at a Conference on Software Testing held at Bangalore. It was just a few days after the e-banking website of one of the famous Indian banks was attacked. The attack was launched from Asia and the news appeared in almost all the popular dailies.

Roughly six months later, today, I happened to read an article on phishing which says that phishing is very active and that more than 150 banks globally are targeted. Phishing is at a six-month high. I am sure the list contains the bank where I hold an account. There are many fraudulent outfits that set up websites simply to grab data, and before the world identifies the site as phishing, the attacker has already stolen enough. However, the security agencies need to protect others from falling prey further.

Though the way the software is built is itself an issue, we cannot put the entire blame on the software developers :-(. Each one of us, as users, should have security awareness. But the important thing is that we, normal human beings (laymen), never try to understand the techniques used by attackers, and we don't even care, thinking that the probability of being robbed through phishing is very low. You are absolutely right: the probability is low, but it is not zero. We never really care about the current trends in web attacks, yet certain basic security awareness is very much crucial.

Here are some of the points that one needs to take care of:
1. Try to avoid logging in from public systems like an Internet cafe.
2. Whenever you log off, delete all the history and cookies.
3. Do not click the images in web banking sites.
4. Do not launch your e-banking website through a hyperlink from an external website.
5. Take time to read the address in the address bar. Check whether the address exactly matches the address of your bank's website. Make sure that the first part of the address, the protocol, is "https". These days no bank or commercial website uses "http".
6. Do not save passwords in the browser, and do not be lazy about keying in your password every time.
7. Periodically change your passwords and use strong passwords (with letters, numbers and special characters).
8. Since most phishing takes place through fraudulent emails, ensure that you can differentiate between emails from your bank and emails from an attacker. You can find some ways of identifying a phishing email in one of my previous blogs.
9. Above all, if you happen to receive a phishing email, report it to your bank so that they can sensitize other account holders.

And now, if you have the time and energy, just go and read about security, and about phishing especially. :-)

Tuesday, October 16, 2007

Are Viruses and Botnets the Same – Not Really

Have you heard about viruses? Let me put the term properly: "computer virus". Most probably you are running a licensed Windows operating system, and most probably you are running anti-virus software from a well-known vendor that comes to you for free when you purchase the computer (desktop or laptop). What is the purpose of the AV software? It helps you defend against viruses and worms. Doesn't it protect you from viruses? Yes, AV will help you safeguard your computer from viruses, provided you update the AV software quite often. Is that enough protection? Not really.

Think about a weird computer user connected to the Internet through his broadband, scratching his head and browsing orkut for no reason. Suddenly he gets a sweet email, and within seconds he installs a tiny piece of software. As soon as the software is installed, CPU utilization goes up momentarily. What could be the reason?

The weird computer user is a victim of a "botnet". What is a botnet, and is it just another fancy term? Mind it... it may seem to be a fancy term, but it has a devastating character. As soon as they get installed, they spread the bad news quite fast. A bot is nothing but a tiny piece of software that is installed on a system (Windows, these days) and takes control of your machine and its network. How does it do that?

It's simple. Bots do one thing and do it well. As soon as the tiny software is installed, an IRC connection is made to a malicious IRC server. This malicious IRC server has a hell of a lot of features. All the exploits are there as tiny modules, and the modules get downloaded to the box based on the vulnerability it has. The beauty is that the clients keep on downloading malicious modules, and shortly after that it is all over.

So next time an email comes to you, be sure that you really want to install the software. Prevention is better than cure. No AV to date can stop the activity of botnets. The only solution is to reimage the system. So feel free to reimage the system even if you are only 1% sure that you are infected with a bot. I am not exaggerating, as the effects are devastating. In short, bots are not viruses, but they are the virus of viruses...
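The tell-tale sign described above, many infected machines phoning home to one IRC server, is something a defender can look for in outbound connection logs. The following is an added example, not code from the original post: it parses constructed key=value connection-log lines (an assumed format, not any real firewall's) and reports external hosts that several internal machines reach on the conventional IRC ports, using 10.0.0.0/8 as the assumed internal range.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions: a constructed "src= dst= dport=" log format and a 10/8 internal range.
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")
INTERNAL = ip_network("10.0.0.0/8")
IRC_PORTS = {6667, 6697}  # conventional plaintext and TLS IRC ports

def parse(line):
    """Extract (src, dst, dport) from one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"])

def is_outbound(src, dst):
    """True when an internal host talks to a host outside the internal range."""
    return ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL

def find_irc_controllers(lines, min_clients=2):
    """Group outbound IRC-port connections by destination and return
    {dst: sorted internal hosts} for destinations reached by >= min_clients hosts.
    One host on IRC may be a chat user; several hosts on one server is worth a look."""
    clients = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed line, skip rather than crash
        src, dst, dport = rec
        if dport in IRC_PORTS and is_outbound(src, dst):
            clients[dst].add(src)
    return {dst: sorted(hosts) for dst, hosts in clients.items() if len(hosts) >= min_clients}

# Constructed sample log: documentation-range addresses, no real hosts.
SAMPLE_LOG = [
    "2007-10-16T10:01:02 src=10.0.0.5 dst=203.0.113.7 dport=6667 proto=tcp",
    "2007-10-16T10:01:09 src=10.0.0.8 dst=203.0.113.7 dport=6667 proto=tcp",
    "2007-10-16T10:02:30 src=10.0.0.5 dst=203.0.113.9 dport=80 proto=tcp",
    "2007-10-16T10:03:11 src=10.0.0.12 dst=198.51.100.4 dport=6697 proto=tcp",
    "2007-10-16T10:04:00 src=10.0.0.7 dst=10.0.0.1 dport=6667 proto=tcp",
    "malformed line",
]

if __name__ == "__main__":
    for dst, hosts in find_irc_controllers(SAMPLE_LOG).items():
        print(f"possible IRC controller {dst}: {', '.join(hosts)}")
```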

Monday, September 24, 2007

How to Escape from Phishing

Just a few minutes back, I received an email from a popular bank in America about the locking of my bank account, requesting me to re-login to activate it. I was very happy looking at the email because of the humor. The simple reason for my laugh is that "I do not have an account with any bank in America. Nor have I ever had one".

Being interested in security (these days I am much inclined towards web application security), I could readily tell that it was phishing. Luckily, it landed in my SPAM folder, and that positively confirmed that it was phishing. I clicked the link and could see an exact replica of the original site. That was my impression at first sight, but after carefully watching it for 2 minutes, I could notice minute differences between the fake and the original website.

For me it was funny, as I did not have an account and so could come to a conclusion easily. Think about people who do have an account and to whom the email was delivered. If the users are not security literate, this can possibly lead to monetary losses. What does one need to do when such an email comes in?

  1. First, take the email and do not read it in a hurry.
  2. Spend a few minutes to read and re-read, re-read, re-read it carefully.
  3. If you are good at English (or any language) grammatically and syntactically, you will find a hell of a lot of mistakes. This is enough to confirm phishing, as banks never make such silly mistakes in simple English. You will also find a lot of punctuation errors. These are common mistakes one finds in fake sites.
  4. Check the originating email account. Usually, banks send emails from their own domain name.
  5. Follow the link and check the address bar. Verify the website. It should resemble your bank's website, but you will find mistakes.
  6. The email will also carry a sense of urgency; for example, "take action in the next 24 hours".
  7. Once you doubt an email, notify the bank (just forward the email you received).
  8. Log in to the bank account by typing the bank URL (if you need to) and not by clicking a link in the email. You can also notify your friends, as a social service.
The following snapshot is a phishing mail. Check it out for errors.

After Two Days
It is in fact phishing. I confirmed it after two days: the site was blocked and the server was down. The following is the snapshot I took 2 minutes back.
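Items 4, 5 and 6 of the checklist above, and items 5 and 8 of the later phishing post on this page, can be applied mechanically to a message before anyone clicks. The following is an added example, not code from the original post: it checks a sender address and the links in a message body against an assumed bank domain (a placeholder, not a real bank), rejecting look-alike hosts such as "examplebank.test.secure-login.test" that merely start with the bank's name, and flags plain-http links and urgency wording.

```python
import re
from urllib.parse import urlparse

# Assumption: the bank's real domain; a placeholder, not any real bank.
BANK_DOMAIN = "examplebank.test"
URGENCY = ("within 24 hours", "immediately", "suspended", "locked")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def host_belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it.
    'examplebank.test.evil.test' and 'examplebank-test.test' both fail."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_email(sender, body):
    """Apply the checklist to one message; return a list of (reason, detail) findings."""
    findings = []
    # Item 4: the sender's domain should be the bank's own.
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if not host_belongs_to(sender_domain, BANK_DOMAIN):
        findings.append(("sender-domain", sender))
    # Item 5: every link must be https and point at the bank's real host.
    for url in URL_RE.findall(body):
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append(("not-https", url))
        if not host_belongs_to(parts.hostname or "", BANK_DOMAIN):
            findings.append(("lookalike-host", parts.hostname or ""))
    # Item 6: pressure to act fast is itself a signal.
    lowered = body.lower()
    hits = [w for w in URGENCY if w in lowered]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings

# Constructed sample message: no real sender, link or bank.
SAMPLE_SENDER = "alerts@examplebank.test.secure-login.test"
SAMPLE_BODY = (
    "Dear Customer, your account has been locked. "
    "Please verify within 24 hours at "
    "http://examplebank.test.secure-login.test/verify"
)

if __name__ == "__main__":
    for reason, detail in check_email(SAMPLE_SENDER, SAMPLE_BODY):
        print(f"{reason}: {detail}")
```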

Saturday, September 22, 2007

STEP Auto - Another STEP in my career to cherish

It was my third experience presenting a paper at an International Conference and my second STEP Auto. I should say, this time they did a tremendous job and improved a lot compared to the one held early this year. I happened to witness a keynote address and a few best-practice papers. The keynote address was fine, and the best-practice papers were equally good. But some of the papers delved deep into test management, which is not so relevant to me at this point of time, so I chose to skip those sessions.

Our talk was scheduled in the last slot of the best-practices track, but does that mean the audience was in the mood to leave for the day? Absolutely not. The audience was wonderful, with a sparkle in their eyes, eager and welcoming thoughts from all the speakers. We were preparing to make our speech in a different way, and at the same time we wanted to put forward our thoughts on Web Application Security. It was our undoubted thought that anything that is a character and done with passion becomes an art. Especially web application security, as there are no silver bullets and attacking applications is pretty easy. Our thoughts were mainly focused on the words Art, Passion and Character, and the rest of the technical details revolved around these foundations.

We had a sweet surprise even before our talk. The shock was that the last two talks had to be done in 20 minutes instead of the allocated 35 minutes. The person who presented before us literally found it hard to put across his thoughts, and he was asking for more time (literally). It is not fair on the part of the conference organizers to take time away from the speakers. So we had some time (20 minutes) to think, and we did not speak with each other. But we had a clear plan, which was not to try to cover all the slides but to cover a few slides in depth.

We stepped in and, as expected, we were requested (asked) to complete the talk in 20 minutes. We assured them that we would stick to the time (we tried to be gentlemen... but really aren't). My friend started off the presentation and progressed through the slides. I didn't look at the watch, but he would have taken 12-15 minutes. He talked about web application evolution, threat classification, "panic and patch" and the patch management process. I took over and talked on security in the SDLC, followed by penetration testing. Finally, we wrapped up the talk with a "Take away" and "What it takes to follow".

I wasn't sure about the response from the audience. Here and there we had an unusual (usual) pun. We spoke for 35 minutes and got a nice comment from the conference chairman that people would have liked our talk even if we had spoken for 45 minutes. What a comment! I was craving and aiming for comments like those, and have made public speaking a passion. We received a similar response from one of the participants. Overall, it was a great feeling. Technically, I have a long way to go, and this is just a start.

I aspire to write similar blogs quite consistently in future.

Saturday, September 1, 2007

Security - Now the programmer's panorama

The days of access lists, VPNs, IDS/IPS and firewalls are gone. Don't get me wrong. Those are still great technologies to protect your assets, but the world now moves into another cycle. It goes back to the place where it started, thanks to Web 2.0 adoption. People collaborate using the Internet for many things, just like this blog. Web application deployment is marching much faster than expected, and we are almost on the verge of IP address depletion. Without the Internet, the world may stop for a while (and every software engineer will need to relearn problem solving and take an elective on how to work without search engines. Some will end up doing a PhD on this).

Web applications, a little door to mighty businesses, are now gaining attention from attackers. It is not only due to the value of the asset or the amount of profit to be made. It is very, very simple to attack a web application. I have recently gone through a couple of books on web application security. Though I did not go through them in detail, the methods and tools are simple to use, and you need not be a geek to do all the fancy stuff.

Oh God. Some of the web application security forums say "90% of web sites have vulnerabilities". It is true to a major extent. For the past two weeks, I have been trying to find a website that does one thing, yes just one thing, well. I am talking about input validation. If you need a single check to safeguard your blog, orkut or bank account, just find out whether input validation is done properly. Its absence is a worse culprit than cross-site scripting, SQL injection and authentication flaws.

There are a few great books on software security, and I particularly enjoyed reading the book "Web Application Hacking Exposed". You may want to check the Amazon reviews before buying one and investing time. After reading the book, you find that the best way to defend against attackers is to write solid code, follow software engineering best practices, do code reviews, run static analysis and do pen-testing. Sometimes you'll also feel like hacking your own application to keep attackers under your toe.

Yes, it is your feeling, action and passion that make better software, not the tools. Tools just help you reach your destination faster.

Wednesday, August 29, 2007

OS Fingerprinting - Most Fulfilling Talk

Today, Rajkumar and I gave a talk on Operating System Fingerprinting. Rajkumar, the main speaker, started by talking about the security mindset. He narrated various reconnaissance attacks. He then explained OS fingerprinting and active fingerprinting. During his speech he talked about TCP/IP implementation differences in many popular and infamous operating systems like Windows XP, Linux and Solaris. He also demonstrated active OS fingerprinting with NMAP.

In the second part of the session, I started with an overview of buffer overflows to emphasize why OS fingerprinting is essential. Then I explained POSFP with a real incident that took place in the world. We also discussed positive aspects of OSFP, like network auditing.

That was one of our most fulfilling talks on network security. The audience was great, and overall it was a wonderful feeling.

Tuesday, August 28, 2007

Security - Art, Passion and Character

Having worked in network security for three years, I got addicted to attacks and VD. Though not a veteran, I would proudly say that I am a security enthusiast. To study or master security, one needs to know the internals of how things work. Security is not a technology or a silver bullet. In a broader perspective, security is a way of life, a place that cannot be reached in this Information/Internet era.

Whenever I get a chance to connect with the security aspects of life, I tune myself in. Rajkumar (a colleague of mine) and I were browsing through some websites. Most of the websites have logic bombs in them. As far as a web application is concerned, it needs to take one thing seriously. Linux geeks used to say "Do one thing. Do it well", and it greatly applies to the web. For a web application, the quote should be "Do validation properly. Do it well". Coming back to those web applications, they did something fundamentally wrong. We never tried XSS, SQL injection and stuff like that. We simply played with the input fields. Havoc...

Based on that, we came out with a paper that talks about web application security. Personally, we don't prefer to preach to others. This paper is just a guideline for making better software. The time has come to build security into the product. Security is no longer a plug-in.

We will be presenting our paper at "Step Auto", an International Conference on Software Testing, Process and Automation. More on the conference later.