Wednesday, 25 March 2015

Android Security: A Big Concern go Unnoticed by Smartphone Users

As we all know, we are in the world of Internet. Whoever don't have access to Internet or WWW is looked up as orphan in this digitized world. With kids growing up with high-end tech, the penetration of Smartphones is inevitable. The vast majority of smartphone comes loaded with most popular Open Source Operating System, Android, owned and developed by Google. A desktop Operating System tweaked to fit hand-held device. Good and sweet to carry a PC power in pockets. But any tech will come with its own cost.

Rooting your Android Device:

Well! The huge buzz about the Android OS is level of customization. When Android raced with IOS, the Android won users with option to customize the Android experience ( I don't wish to start war of word with which is best?). Android OS customization and tweaking to adapt to users requirements has earned its market share.

One of most popular method to unlock the potential of Android OS is to Root your Device to get Admin privileges as we do in Linux system. It would help to hibernate apps, uninstall bloatwares which comes loaded with your phone, to create swap partition, and etc. Many loved to root the Android Devices. Yet it had its own disadvantage.

Once rooted, any app which request for root permission could sniff out confidential data. Even sensitive information could be compromised. Yet, advocates of Android would state that the app need permissions from the users. So it is user who must act responsibly. But the talk does not end with apps which we grant SuperUser privilege. The Apps which we download from Google Play Store might deduct rooted devices and sniff out data as most users grant permission to those apps. The situation is users can't miss a particular app from his Smartphone. So the permissions are forced upon the users by Software Vendors.

And the apps which we use to root our device might compromise our data. Who knows whats been taken out of  your device, the application got its right to work with your device! So beware, whenever you install an app that too not from Google Play Store, know that you risk your device and sensitive data.

Whatsapp Calling:

People who use popular messaging application Whatsapp would have received links from friends and unknown person to install a software to their Smartphones to enable "Whatsapp Calling feature". I wonder some tried it without realizing that such feature could be added by Facebook with an update from Play Store. It was too late. Most of them lost sensitive information from their smartphones. It stole sensitive information from users to be stored in third party server.

Remember, not only Whatsapp, all such apps are vulnerable to such hacking attempts. With Android users added exponentially, the hackers have found pasture in this field. From PC attack, the mode has be switched to mobile attacks.

Malicious App from Play Store:

The recent revelation that Facebook private pictures could be sniffed out of your Smartphone has raised alarm among Security Researcher who work on Smartphone security.  With unlimited privileges any of your favorite app could gain access to your Smartphone temple. One such example was the Facebook private picture leak.

But not all app would be stealing data. In Play Store, we found many responsible developers who explains the need of such permission when posed with a question. Some open comments could draw developers voice in to Play Store Market. Yet, few grey developers try to sniff out data from app users.

Beware of the purpose of Smartphone:

Last but not the least, make yourself sure about the purpose of your Smartphone. Limit the number of Apps. It might have a potential of PC, yet it is phone. With access to mic, sdcard storage, call information, any app could record your voice calls and upload them when ever you get connected to Internet. Judicious use would fetch more benefits. Beware of what you use and how you use. 

Sunday, 22 March 2015

Google Stops Security Support For Android 4.3 and Earlier!

Google has stopped security support for Android devices which run 4.3 or earlier version. The default internet browser vulnerability unearthed recently could bug almost more than half of the Android devices. The move signals that the Google is planning to concentrate on the current software and focus more on future products than hogging its mind on outdated issues and problems.

Google which is well known for it security as well as encryption of email has recently took cognizance of the security flaw reported in the old default web browsers of the Android which was fixed by September, 2014. Later another bug was discovered which was reported for patch to Google. But Google turned down the bug stating that "we generally do not develop patches ourselves for web browser in Android 4.3 or earlier". However, it did not rule out the possibility of patches by other developers.

Google's decision to abandon older versions of Android has left many devices at lurch. It will increase the risk for exploitation by hackers. Since most people use old devices, the reported bug will increase the security risk of smartphone users.

Android need to move for Long Term Support (LTS)

Android which has created huge buzz when it comes to mobile computing has brought wide sweep to the mobile market culture. The one who doesn't own a smartphone is considered as serious identity crisis. But these developments has brought inherit security risk which each Operating system pose to its users.

With Android release on the way, the new devices are brought down to the category of old devices in the market. With more and more new releases, it would be stuck in recursive loop of development rather than providing support to the users. 

Time has arrived for Google to reconsider the Android Strategy. Instead of short new releases, Google must provide a Long Term Support for new Android releases. Any new development will come with its own bugs and so the security risks. In order to avoid exposing users to such risk, Google might chart out a strategic plan for the next release of android with Long Term Support to patch security risk and flaw which would help in improving Android User experience and also will help to create next version Android free of bugs. The present strategy to abandon older version will make dent on Android.

Mobile Security: Hackers Steal Mobile Payment data In China

China, one of largest market in the world, home to 649 million Internet users with millions of users being added every month. With high Smartphone penetration into the life of people, the money transactions through mobile payment services are inevitable. Comparing the internet payments, mobile payments may surpass in next 2 years. It was evident from the growth of Smartphone market.

While any benefit technology brings home will not come free of its own shortcomings. The days when the computers were target by hackers to steal confidential information were the past. With advent of mobile Operating Systems (OS), most of the human internet life is spent on Smartphone than on the PC. The convenience, portability and accessibility has lured users to adapt Smartphone while neglecting the risk associated with them. Here are few ways the hackers try to steal mobile payment data from your Smartphone.

Fraudulent Wifi


The most common trick the hackers tend to employ is setting up a free Wifi network. Chinese Internet users tend to make payments and bank transfers on-the-go via public Wifi networks. The reason is obvious. The Wifi is free to use and available when ever needed. Hackers started placing Fraudulent Wifi connection in the Shopping malls, multiplex entertainment centers.

When any person connects to such fraudulent Wifi network, all personal information from the Smartphone are sniffed out. The worst is when user make any purchase, hackers can steal the account data. Any Sniffers with promiscuous mode would suit the job to extract personal information that are travelling through Wifi network.

QR Codes with Virus


It is wildly used in Chinese Internet users to find friends, make payments, exchange information, redeem coupons. Hackers have started embed a virus to QR codes so that anyone scanning them will automatically download a virus to their smartphones. Personal information from phone numbers, contacts, mailing addresses to banking details and passwords would be stolen in seconds once the virus sits on the Smartphones. Any message or email stating to scan a QR code must be done with caution. The source of such message must be known before scanning them.

Phishing Website Attack


Most popular method among hackers, employed to steal confidential information from the users. The fake website which would appear as if the original website, will be presented to the end-user either through an email or a link. The user will be lured to enter confidential information to find oneself that the hackers have tricked them to disclose sensitive data. These fraud is commonly used against Internet banking users. Though, security agencies have beefed up security measures to counter the phishing threat, it still pose a serious threat. The customer who are unaware of the internet security usually end-up with phishing websites.

Firefox, Chrome, Safari, IE exploited


Firefox, Safari, Chrome and Internet Explorer all fell within than a second

Security Vulnerabilities in every one of the four big browsers were exploited in a Hacking Contest to remotely execute arbitrary code on Windows PC.

But the vulnerabilities were never made public. It was disclosed privately to the concerned parties mostly the software makers to release patches as soon as possible. In the interest of public at large, the details were not disclosed.

South Korean Security Researcher Jung Hoon Lee, who ised the handle "lokihardt" won a hooping $225,000 who left Vancouver with huge bank balance.

The time-of-check to time-of-use (TOCTOU) vulnerability and a sandbox escape through privileged Javascript injection to get past Windows Security Software and pull of medium-integrity remote code execution with the same privileges as logged-in user. 

Further, the buffer overflow bug of stable and beta versions of Google Chrome were used to execute full system level remote code execution.

Later, the finale Apple's Safari was pawned. With use-after-free(UAF) vulnerability using a uninitialized stack pointer to perform remote code execution on OS X won him the contest.

The Mozilla Firefox was compromised with in a second. The out-of-bounds read/write vulnerability leading to medium-integrity code execution in the browser.

The contest was a win-win situation for the hackers and the software vendors. The people who cracked earned a decent cash while the software vendors gained by knowing the vulnerability so they can release patches for the end-user.

Saturday, 21 March 2015

Text that Crash Google Chrome browser in Mac

If you are using Mac, then beware that Google Chrome Web browser will crash the moment it try to render special character. Here is the link for the error, open bug ticket on the Chromium product which details the issue.

The issue rose up when Google Chrome on Mac crashed trying to render obscure language. Hence, if you open any blog post, twitter or email with those obscure characters, you end up crashing the Chrome. But this bug is limited to Chrome on Mac. The users has reported that such obscure character didn't bother when rendered through Apple Safari. Instead of those special characters, boxes ([]) were displayed for the page title and text.

The windows version of Google Chrome were fine with the obscure characters. Those who use Chrome on Mac reported the issue. Hope, it is fixed soon.

GitLab acquires Gitorious

GitLab, rival of GitHub, acquires Gitorious

GitLab has acquired Gitorious, a repository management system which would leverage GitLab to compete against other commerical and propriety repository management system. The acquisition has knocked the strong hold of GitHub which is the most popular among the collaborative code repositories.

The acquisition not only leveraged the GitLab resourced but also added the huge user base. Now, GitLab has close to one million users. Those users include open source projects such as Opensuse and AT&T and Expedia, etc.

The exact figures for which the deal was done is yet to be known. So the existing Gitorious will shut down by June and its customers can migrate to GitLab. As well the staff currently working on Gitorious won't be joining GitLab, although GitLab expects to collaborate with them.

Cyanogen Teams with Qualcomm and Alcatel

Cyanogen partners Qualcomm and Alcatel


Earlier this year, Cyanogen, developers of Cyanogen OS, a free smartphone operating system based on Android, broke up with handset maker OnePlus. While many believed that this was a blow to the Cyanogen, to our surprise, it recovered by inking a good deal with popular chip maker Qualcomm, the famous smartphone device chip maker.

The deal will pave way for select features and UI elements from Cyanogen OS to be installed on Qualcomm's upcoming reference designs powered by QualComm's Snap Dragon 200, 400 and 600 processors. The reference designs are a way for smaller companies to pick up smartphone templates and release then under their own brand.

Further, Cyanogen teamed up with handset maker Alcatel to install Cyanogen OS on Hero 2+ smartphones that will be made available in the U.S market this spring. The trend of Cyanogen OS getting moment with various handset manufacturers experimenting them at production level. If such trend continue, the prominence of Android will take a deep dent in the smartphone market. The local smartphone makers are keen on improvising smartphone user experience which lead to installation of Cyanogen OS at production level. The level of customization has attracted Android users towards Cyanogen smartphones.

Friday, 20 March 2015

4 Amazing Open Source Alternative Browsers For Linux Users

Here is the list of browsers which can be highly useful alternatives to the major ones.

For all of us, the internet world starts with Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Apple Safari or the famous Opera. Yet there are lot of interesting alternative browsers exist in the PC world which require attention now. It would be good practice to use different browser for personal, work, social media or networking. While it comes to open source web browsers, the level of excitement would surpass next level. Here are some ideal open source web browsers.

1.Fifth:

Fifth is an open source web browser. The beauty is in its compatibility. It is exclusive to Linux operating system filled with vast features from Opera web browser. The most prominent feature is in its exclusivity when it comes to features. For people who don't need heavy tax on system memory could opt for Fifth browser. Highly customize able thus user have full control over the browser. Hat off to the privacy. It will not leak information. Only drawback is it lack native video playback feature.

2.Dooscape:
An open source web browser based on WebKit engine and Qt framework. When it comes to exclusivity it provide unique features, appearance, interface. Unique feature of high customization and simple layout make it stand out the crowd. It can also take screenshots and provide a lock mode too.

3.GNU Emacs:
It is an extensible text editor which is highly customizable and self documented. It is an advanced text editor which could be customized to act as complete development environment. The editing commands in this browser are applied as characters, words, lines & sentences, paragraphs and pages. The w3m.el interface is complete Emac web browser. It supports graphics, frames and w3 support.

4. Breach:
A web browser entirely written in Javascript and offers interchangeable modules. The internal functions are yet to be revealed. API can be added for developers which allows building modules which can be added, removed and interchanged too. The navigation is also built upon javascript and HTML5.

Facebook found leaking private photos

Creepy iOS, Android apps could gain access to the pictures.



Bug Hunter Laxman Muthiyah has reported a Facebook vulnerability that exposes private photos to potentially malicious applications.

The hacker received US $10,000 from Menlo Park for reporting the bug in Facebook Photo sync and an API that allows third party apps to gain access to private pictures.

The "user_photos" permission could gain access to your private pictures prior to the patch.

"A Malicious app which you are using can read all of your private photos in few seconds", Muthiyah says. "After few minutes of testing, I realised that vaultimages endpoint is vulnerable".

The Facebook covered up the bug in 30 minutes by whitelisting official applications. It is unknown how many non-whitelisted apps now sport broken photo synchronisation features.

It is the second vulnerability that Muthiayah has reported to Facebook this year. Last month the hacker took US $12,500 for disclosing a method to delete photo albums from the site using Facebook Graph API and a mobile token.

Thursday, 19 March 2015

LightEater Attack: Popular Bios Security flaw

The security researchers have found that most popular Bios of hardware vendors are vulnerable to attacks. Considering the stealth, privilege and persistence most attacker prefer a low level attack. The most popular of them is Basic Input output System been one of them. The LightEater attack targets world most popular bios vendors.

"Because almost no one patches their BIOSes, almost every BIOS in the wild is affected by at least one vulnerability, and can be infected, Kopvah, LegbaCore researcher stated.

"The high amount of code reuse across UEFI BIOSes means that BIOS infection can be automatic and reliable."

"The point is less about how vendors don't fix the problems and more how the vendors' fixes are going un-applied by users, corporations and governments."

The security researchers stress on the responsibility of the system administrators to apply vendor patches, something which is not being done. And further they warned about how simple to launch attack on victims whose BIOS are vulnerable to such attacks.

The security experts have conveyed the concern that most of the BIOS are insecure and provide undue advantage to the attackers. Even a person who don't possess special skill or knowledge about security and hacking would be able to launch attack against victims. All the attacker need is a few minutes of access to the victims computer to implant the bug.

The security researchers stated that they would soon release a automated script to BIOS vendors to test for vulnerability against reading and writing to all system memory. Almost 80% of the world computer is vulnerable to BIOS attack as most vendors use almost same code when it comes to BIOS except for few modifications depending upon the vendors.

The BIOS implant surfaced recently to the research community on the cue of Snowden documents which state that National Security Agency (NSA) which exploited this vector to spy on targets.

To patch up BIOS, it is recommended to install vendor patches to the respective BIOS. It would be better than to feel sorry tomorrow.

The Security experts who exposed the vulnerability are advocating for patch as early as possible. As the revelation has made the implant public which could be used against victims by anybody even they are not savvy about working of computer or how to launch an cyber attack on victims.

There is a huge buzz over the Snowden reports on how NSA spied over others. The report not only expose the vulnerability but also the extend through which NSA implanted spying bugs on targets. More to follow....

Now Google Drive support ODF (Open Document format)

It is good news to hear that Google Drive support .odt (open document file format) format. Previously, the users have to convert the documents into the most popular .docx file format that take advantages of other services comes with Google Drive. Now, the google has announced that Google Drive will support the .odt format which was in high demand among the cloud service community.

As the reach of open source get bigger day by day, Google has responded positively by adding the .odt among the supported file formats of Google Drive. Thanks for the move that dependence on the premium software get reduced to nil. With Google opening its doors to the .odt, any open source word processor such as abi word, open office, libre office user could take full advantage of the Google Drive cloud storage service.

"We've been listening to your feedback, and we're happy to say that we now offer support for importing all three major ODF file formats: .odt for documents, .ods for spreadsheets, and .odp for presentation." - Google. Google added the support since yesterday. Yet the support for mobile apps need some wait.

The reason behind such move was cited as UK Government policy to use ODF as default file format for government related works. And other European nations exhibit great zeal for the adaptation of open source document format as default file format in government related activities.

Not only the governments but also the open source community and people who prefer such tools over commercial office suites benefit at large.

Wednesday, 4 February 2015

Wi-Fi Router: protect wifi from hackers

IEEE 802.11 which denotes present day Wi-Fi communication mode is getting predominant importance. From complex wired local area network to Wi-Fi network, the complexities of installation and maintenance were reduced greatly. But such growth has its own inherit disadvantages. With Wi-Fi routers or Wi-Fi modems which stand as access points are susceptible to various challenges. With a simple Wi-Fi antenna and a network sniffer our present day Wi-Fi connections are vulnerable to attacks. The technology has developed to the extent that we can setup a simple Wi-Fi connection by turning USB Wi-Fi adapters as Wi-Fi access points. Hence, we have to adapt ourselves to present day security challenges.

Basic: 

First and foremost rule when it comes to Wi-Fi security is “No foolproof method” exists. When it comes to information security, no expert would guarantee with 100% safety. The modern day challenges not only rattle small and medium enterprises but also pull the pillars of multi-national companies. Recent attack on Sony over filming the movie “The Interview” is quite example of what present day information security has to transform.

With the advent of Wi-Fi compatible devices such as printers, scanners, fax machines, etc. we need to do a lot than to feel relax of the comfort the Wi-Fi connections provide. For instance, we have a Wi-Fi enabled security Camera in our apartment to monitor our rooms. A good attacker will have all eyes on our home if our Wi-Fi connections are compromised. The very security camera will pose imminent danger to us. It would have been a better scenario without the Wi-Fi security camera.

With more and more devices adapting to Wi-Fi integration, the need of security of our network started resonating vibrantly. If no foolproof method exists, better make it complicated for the dedicated hackers to gain access into our wireless networks.

Open Wi-Fi connections: 

With modern day computing, every home started adapting to Wi-Fi connections than the traditional wired connections. Even though, the internet access is provided with fiber optic cables, the internet connection is shared with multiple home computers through a Wi-Fi router. The ease of use and hassle free operation makes the Wi-Fi the preferred choice over the wired LAN.

The awful part of the story is people need comfort at the cost of security. The networking ignorant people put the Wi-Fi connection without any protections. An open Wi-Fi connection is walk in the park, even to a kid, to gain access to your network. So it would be wise to place encryption key in our Wi-Fi connection which will be cover in detail later.

Wi-Fi Router: 

Next common syndrome with Wi-Fi users is they never change username and password which come with router manual. The default user name & password of our Wi-Fi router to well known to the world. So anyone who knows the make and model can directly login into our Wi-Fi router configuration page. That’s enough to play havoc!
With access to heart of our Wi-Fi router they can sniff out any information which traverses through that router. Keep in mind; one can set a custom route to direct traffic from our network to the attacker sniffers to extract username and password, bank credentials and all.  So, the first part is to change the default username and password of the Wi-Fi router or modem whichever is in use.

Case Study: 

I was recently asked to inspect the network security of a company. The company was not too big but contained decent number of staff to run the business. The network consists of Wi-Fi router secured with encryption. The primary purpose of the Wi-Fi router is to transfer files between the server and work desk. The major complaint was the internet is unusually slow. The major part of employee work depends upon internet to send and receive classified accounts.

At inspection, nothing was unusual inside the network. Local file transfers were fine. But internet access was choked. On analysis, one unknown computer was connected through Wi-Fi which was downloading torrent files. On further study, the network was encrypted with weak password. A brute force dictionary attack was good enough to crack it. Then I tried to login to the Wi-Fi router, the pathetic router not even had a password to gain access to configuration pages. Such type of network little difficult to crack.

Encryption: 

It is always safe to ensure wireless communication is encrypted to avoid eavesdropping. And for good never prefer the obsolete WEP method. WEP were most susceptible to exploitation. It is wise choice to avoid the method in any part of the network.
The wise choice would be depend on the WPA-PSK if the Wi-Fi to be decided to use for personal networking. Keep a strong passphrase to avoid another intrusion. The best part of the network security is there is no foolproof method to protect the network. So, it is wise to make it difficult to get past the network authentication than to simply letting in the eavesdropper.

MAC address authentication: 

For modern day computing, MAC address authentication does much bad than good. It is one of the easiest ways to limit the number of connections to the Wi-Fi network. By creating a list of trusted stations, we can avoid other stations getting network access. But such method has its own limitation. Anybody who knows the MAC addresses of the trusted station, then the attacker could easily spoof the MAC to gain access to the network as trusted station. These kind of intrusion are least detected.


The other methods to safe guard Wi-Fi connections will be continued in other post.

Sunday, 25 January 2015

5 Ways to Protect Your Password

The below mentioned methods & procedure are basic ways to protect your password against being stolen by hawkers.

1.Golden rule: Never share your passwords

First and foremost thing, even a present generation kid would advise others when it comes to ways to protect your password is not to share them with anybody. A user credential/password is for a particular users and it must be personal at any cost. What is the use of letting it known to others! It would have been better without passwords than sharing passwords. Even if you have to show them an email for a discussion, just forward them the email or provide a hard copy of the email. Sharing password will make you equally liable for any mischief done by others. So remember the golden rule. “Never share your password”. Even you may share a good relationship with others or it might be a family member; it is ill-advised to share user credentials.
You might ask “What’s problem with my wife? She won’t turn against me.” It is not about the veracity of your family members. But what precautions they follow will compromise your password with someone ignorantly. What if your family members respond to a spam emails which likely appears to be from your banker asking you to reset your login credential from the below mentioned link in that email stating a reason that a someone tried to open your account with wrong email address? Not everybody from your family will understand the difference between spam and real banking emails. Your banking password will end up with the fraudster who tricked your wife or children to login to the fake site which logged your login credentials. Even though many organization campaign against such fraudsters still many fall to the trap of such spam emails. They social engineered your family to give away your banking password in this circumstance. The above scenario might make you think how vulnerable you are when you share your password with others.

2. Don’t keep a simple password

The next most common vulnerability is nature of your password. Most user computer passwords are vulnerable to cracking or password recovery tools. Users ignorant of need of strong passwords usually keep the password short. The advantage of short passwords is easy to remember but at the expense of security. Almost all passwords are guessable due to weak password. Many of us use just our name along with birth year as password. For instance, your name is Mary and date of birth is 14th January 1981. Then the person who tries to steal your password has vital lead to crack your password. Just a word-merge website will create all possible combinations. Sadly, one among that combination will be your user password. A fully automated software will complete the whole operation is no time. So, don’t make your password guessable. Any combinations of your name, family-name, date of birth, pet name, school, college, university, and your work are easy to steal.
Your password strength highly depends on how difficult to guess it. Try to add symbols & numerals. Keep a good length to the password you create. Just a four letters password even with symbols &numerals are walk in the park for the password hawkers. Try to create a lengthy password. A standard would be to create a 15 letter password. Most casual hacker who doesn’t invest in serious hacking will relent with your 14th letter.

3. Never say password in phone calls/text messages/emails

The easiest trick is to make you give away your username and password is simple. Just call your phone number and ask for it. You will provide it without hesitation. Anyone can call your phone number and claim that he is a customer care executive of internet service provider or as a desktop customer care executive who is going to run official update to your devices. They request for the username and password so that they can finish the job from remote place.
Sometimes, when you hesitate to provide username and password, they will insist on visiting your home to install those fake updates on-site. Even though, you may not provide them the password when they visit your home, they will install the update on your system and go away. But the update would be nothing but a key-logger or malware to spook your security. Either way, they gain access to devices with or without your password. It would be always wise to check the identity who visits your home.
As a rule of thumb, don’t provide your password through phone calls or text messages to anyone. If the person calling insists on visiting your home, just call the official customer care help-line to confirm it from the company. Know the name, designation and purpose of the visit of executive if the company actually sends someone to fix the problem. Never leave him alone with your computers and network hardware. Don’t hesitate to question him about his business with your hardware. Know everything technical that you need to know from that executive since they will always demand administrative privileges to your hardware.

4. Spam links

Spamming, old school method of getting user credentials from others. Despite spam filters, we may find unwanted links finding its way to inbox. The most common way is the hawker would send email to all email contacts found on forum we use regularly. Not only they advertise products and services but also try to steal critical information about your computers. All the will do is run a browser script to fish information out of your system. Some trick you to enter your password with phrase “Login with Google”. Don’t fall for the trap. Even though with advanced tech, spam were reduced to ground. Compared to 50 to 100 emails per day, we started receiving a maximum of 10 per month. Still, the possible to get your password through spams are high.  The old school lesson is not to follow spams unless you know who sent it.

Did You Know: Spams too contribute Global warming!

5. Don’t save passwords in text files

Alright, now you might question, “A password which is difficult to guess is difficult to remember. So what to do”? A simple solution that might tick in your creativity is to store password in file. Please, don’t follow this method. It is most vulnerable method to store the passwords.  The most common mistake is to store password in password protected excel sheets which are cracked opened in no time. Next worse mistake will be writing down in sticky notes and placing it near desktop. If you decide to write down passwords, write down and keep it in safe location.
The best method is to use a password manager which stores login credentials securely. For anybody, who feel cost involved in the password manager, they can opt for open source password managers. But download the password managers only from trusted sources, especially with open source password managers. Don’t feel lazy to check md5 and checksum of the download file with the official websites of the open source password manager. Md5 and checksum ensure that source package is trustable and does not contain any harmful injected codes.

The methods provided above are basic steps that one must follow to keep oneself secure. There are further steps involved to completely secure your systems from attacks which you can follow future blogpost.


Subscribe via email or follow on twitter for updates.

Saturday, 24 January 2015

Tutorial: Use Google Doc Offline

Requirement:
The following are the basic requirements to setup Google Doc offline.
·        Latest Chrome Browser
·        Google Account
·        New Google drive Chrome App
·        Minimum of 5 GB HDD Storage space(Recommended)

Step 1: Open your Google Chrome web browser. Type “drive.google.com” in the address bar. It will open the Google Drive. Login with your Google account.


Step 2:  Now on the right side of the screen, select “settings” as shows above. On the pop up screen, select “Sync Google Docs, Sheets, Slides & Drawings flies to this computer…” as shown in the below fig. Select Done! Now you can get a system tray notification for Google Drive.

Step 3: To test it go offline, Open your Chrome web browser. Select Google Drive icon from the Chrome web browser. And try to edit or create any Google doc. It should save offline.

That’s it! Google Docs offline setup completed. Whenever your computer connects to internet the documents created or edited offline will save or update automatically to your Google Drive.

Subscribe via Email or follow on Twitter for updates.


Friday, 23 January 2015

Infosec: 5 Ways to protect your passwords

The below mentioned methods & procedure are basic ways to protect your password against being stolen by hawkers.
5 Ways to protect your passwords:

1.     Golden rule: Never share your passwords

First and foremost thing, even a present generation kid would advise others when it comes to password are not to share them with anybody. A user credential is for a particular users and it must be personal at any cost. What is the use of letting it known to others! It would have been better without passwords than sharing passwords. Even if you have to show them an email for a discussion, just forward them the email or provide a hard copy of the email. Sharing password will make you equally liable for any mischief done by others. So remember the golden rule. “Never share your password”. Even you may share a good relationship with others or it might be a family member; it is ill-advised to share user credentials.

You might ask “What’s problem with my wife? She won’t turn against me.” It is not about the veracity of your family members. But what precautions they follow will compromise your password with someone ignorantly. What if your family members respond to a spam emails which likely appears to be from your banker asking you to reset your login credential from the below mentioned link in that email stating a reason that a someone tried to open your account with wrong email address? Not everybody from your family will understand the difference between spam and real banking emails. Your banking password will end up with the fraudster who tricked your wife or children to login to the fake site which logged your login credentials. Even though many organization campaign against such fraudsters still many fall to the trap of such spam emails. They social engineered your family to give away your banking password in this circumstance. The above scenario might make you think how vulnerable you are when you share your password with others.

2.     Don’t keep a simple password

The next most common vulnerability is nature of your password. Most user computer passwords are vulnerable to cracking or password recovery tools. Users ignorant of need of strong passwords usually keep the password short. The advantage of short passwords is easy to remember but at the expense of security. Almost all passwords are guessable due to weak password. Many of us use just our name along with birth year as password. For instance, your name is Mary and date of birth is 14th January 1981. Then the person who tries to steal your password has vital lead to crack your password. Just a word-merge website will create all possible combinations. Sadly, one among that combination will be your user password. A fully automated software will complete the whole operation is no time. So, don’t make your password guessable. Any combinations of your name, family-name, date of birth, pet name, school, college, university, and your work are easy to steal.

Your password strength highly depends on how difficult to guess it. Try to add symbols & numerals. Keep a good length to the password you create. Just a four letters password even with symbols &numerals are walk in the park for the password hawkers. Try to create a lengthy password. A standard would be to create a 15 letter password. Most casual hacker who doesn’t invest in serious hacking will relent with your 14th letter.

3.     Never say password in phone calls/text messages/emails

The easiest trick is to make you give away your username and password is simple. Just call your phone number and ask for it. You will provide it without hesitation. Anyone can call your phone number and claim that he is a customer care executive of internet service provider or as a desktop customer care executive who is going to run official update to your devices. They request for the username and password so that they can finish the job from remote place.

Sometimes, when you hesitate to provide username and password, they will insist on visiting your home to install those fake updates on-site. Even though, you may not provide them the password when they visit your home, they will install the update on your system and go away. But the update would be nothing but a key-logger or malware to spook your security. Either way, they gain access to devices with or without your password. It would be always wise to check the identity who visits your home.

As a rule of thumb, don’t provide your password through phone calls or text messages to anyone. If the person calling insists on visiting your home, just call the official customer care help-line to confirm it from the company. Know the name, designation and purpose of the visit of executive if the company actually sends someone to fix the problem. Never leave him alone with your computers and network hardware. Don’t hesitate to question him about his business with your hardware. Know everything technical that you need to know from that executive since they will always demand administrative privileges to your hardware.

4.     Spam links

Spamming, old school method of getting user credentials from others. Despite spam filters, we may find unwanted links finding its way to inbox. The most common way is the hawker would send email to all email contacts found on forum we use regularly. Not only they advertise products and services but also try to steal critical information about your computers. All the will do is run a browser script to fish information out of your system. Some trick you to enter your password with phrase “Login with Google”. Don’t fall for the trap. Even though with advanced tech, spam were reduced to ground. Compared to 50 to 100 emails per day, we started receiving a maximum of 10 per month. Still, the possibility to get your password through spams are high.  The old school lesson is not to follow spams unless you know who sent it.
DYK: Spams too contribute Global warming.

5.     Don’t save passwords in text files

Alright, now you might question, “A password which is difficult to guess is difficult to remember. So what to do”? A simple solution that might tick in your creativity is to store password in file. Please, don’t follow this method. It is most vulnerable method to store the passwords.  The most common mistake is to store password in password protected excel sheets which are cracked opened in no time. Next worse mistake will be writing down in sticky notes and placing it near desktop. If you decide to write down passwords, write down and keep it in safe location.

The best method is to use a password manager which stores login credentials securely. For anybody, who feel cost involved in the password manager, they can opt for open source password managers. But download the password managers only from trusted sources, especially with open source password managers. Don’t feel lazy to check md5 and checksum of the download file with the official websites of the open source password manager. Md5 and checksum ensure that source package is trustable and does not contain any harmful injected codes.

The methods provided above are basic steps that one must follow to keep oneself secure. There are further steps involved to completely secure your systems from attacks which you can follow future blogpost.


Subscribe via email or follow on twitter for updates.

Saturday, 17 January 2015

Infosec: Insiders Job

Your security systems assume programmed logic and programmed decisions unlike humans. How good may be your security infrastructure, you don't meet the ends of security unless you educate your employees about your security policy. Whenever, news breaks open that reputed company systems are hacked, you would wonder how attackers did that?! There exists a high probable chance of insider job behind these attacks. "The attackers gained access to database server!" Now the question is how did they get the password? How did they get to know about the security systems in place inside the company?  How good are the small & medium companies when securing information?

Now, think who gave those passwords. It would be none other than who knows it, your employee. Not every employee would ends up providing passwords to the attackers. A disgruntled employee who started envying his boss will provide passwords for 95% of chances. Not only passwords but also the how good the physical security elements are in place! So how do far could you trust your employees when it comes to information security? Almost all employees will be discontent at some point. So it's up to your Information Technology team to decide how to handle critical business information.

Classified Assets:

A common phenomenon would be is to classify employees based on the importance of the work. Example, we can classify then as critical and non-critical assets. Critical assets are employees who work on classified information. A unique security guideline including social interactions when it comes to business must be placed. And liability for non-compliance of guidelines. A Unique password for each critical asset to interact with critical information. Avoid common security credentials for all employees. Providing unique security credentials will help in identifying the mole in the organization.

Firewall, Filters:

Also it is well advised to place good firewall, email filters policies to avoid data being sniffed out of your company. It may sound like old-school methods of securing information. But it is wise to invest on firewall to know the type of traffic and request which were turned down by your servers. They help in identifying the possible methods and protocols attackers trying to explore with your information infrastructure. 

When it comes to email filters, huge cry would be infringement on privacy of your employees. Most of them envy email filters as it will not spare even personal emails. But you will not regret placing such filters to identify what kinds of information are sent to outsiders from employee desk. Consider, an employee emails a spreadsheet which has crucial information about the business target of present fiscal year. If no filters were in place, respecting the privacy of the workers, then you will face a huge public embarrassment. Email filters will block such emails which are crucial to your business. Even the person states that he will work on the data from home. The company must take serious decision especially on "weather the person need that data? And what he is trying to do with that? Do he really have any useful business with the data?" A rational decision would save the day for your company future. For information security is all about being proactive. Once, the information goes out of company LAN then in no way you would be able to recover it.

Actually placing a working email filter is not spying technically. Educate your employees about the email filters and discourage them to use personal emails during work hours. This would be commendable as those using personal emails have high potential to infect the company networks with malwares and spywares.

Storage Policies:
Now, the way through email was blocked. Next best method for grabbing crucial information is through portable storage devices. Most common is Pen drive and USB sticks. First, question yourself, who need access to the USB and why do they need them? Not all employees need access to store information to a USB sticks. So create a storage policy that prohibits usage of external storage devices. But a general ban on USB external storage will hurt some business very bad.

So those systems through which external storage devices could be accessed must have record of people who use them. The activity log must be collected to analysis for any activity against the company policies. 

Assessments:

Last but not the least, test the integrity. You must conduct periodic test against your information infrastructure, especially, on the social interaction front of critical assets. Hire security experts and create a plan for the attack emulation. Work with experts and test against your assets and infrastructure. Find the vulnerabilities before the attackers get head-start. Find out how easy for outsiders to get information about your company.
Analyze your vulnerabilities and educate your employees about the importance of the role they play. Assess them periodically and under pressure. One who keeps up with the change will win the race. Don't relent and be complacent with information security. Being in the information era, investing in information security infrastructure worth every penny.


Friday, 16 January 2015

Infosec: Waste Paper & Document management

Is your company invest heavily on Information Security? But still you find leaked critical information out of your database! Despite your investments and firewall, crackers play havoc on your business? Now, its time to think how you manage files and documents that are be disposed.

Welcome people, its time to manage your method of disposing waste paper that might contain potential information. A dedicated hacker(cracker) will not relent until he made it through your information security systems. The potential information about your infrastructure and security might end up in trash one day. Example, think about your customer database printout which were used for business analysis finds place in trash. Bravo! the attacker who sniffs for a breakthrough around your company might find this treasure. Unfortunately, you comprise your customer identity. The attacker would make good money out of the information from your trash at loss of your business.

The above illustration is just a tip of the iceberg. Think about copy of your security blueprints leading to server, hand written passwords, placement of security elements, contractors hired by you, employee details, etc in your trash. So don't neglect the safe disposal guideline to manage the waste. The best solution is to create a security policy for your company and educate all employees about the importance of waste management. Especially for the people who have hands on critical information. Any lapse will cost the company future.

Most effective way to prevent attack is to use a shredder. But not a normal shredder. Install a cross shredder so that the information on the papers shredded is unrecoverable. A dedicated attacker will not stop even after finding paper bits in the trash can. An hour or two  and a tape are enough to get the pieces of paper together. It might find crazy at first. But its always better to prepare for the worst. So install a cross shredder and make your company security policy strictly enforce  cross shredding all the papers, especially of the critical assets.

Even if you have contract with incinerating facilities, it is well advised to cross shred the documents and papers before loading it for transport. Trust no outsiders when it comes to information security. So make sure your security policy reflect this practice.

Keysweeper: USB Charger which can decrypt Wireless Keyboard Information


Wireless Keyboard
Samy Kamkar, Poland based security researcher, released a device which can sniff, decrypt, log and reprot back keystrokes for wireless keyboards. The device resembles a large USB wall charger and it tracks everything you type on wireless keyboard.

The device Keysweeper could record everything and capable of sending text message to the hacker if certain key combinations are pressed. The device is fitted with internal battery for recording keystrokes even if it is unplugged from wall plug.

The device is capable of recording from 20 feet. The most vulnerable wireless keyboards are from Microsoft. The test were conducted on Microsoft keyboards. The device is capable of sending alert to the attacker if certain keywords are used. Example: icici, boi, etc. As the device simply looks like USB charger, it may turn as a potential device to spy on anybody. Most important is the device is not for sale.

source: DNA