Category Archive Beginner

By Jayanthi

Tracking

As our dependence on electronic devices increases, from ordering food and paying bills to hailing cabs and using online maps to travel to different destinations, the unseeing eyes are also following us everywhere, tracking our every move.

We all know of GPS tracking when hailing a cab, but did you know that you are being tracked at all times? By having the smartphone with you at all times, with the ‘Location’ being turned ‘on’, every move is being tracked. Some might not worry about this constant tracking by strange individuals, but I do think that it is necessary to know all the possibilities that are present before forming our own conclusions about them.

It is quite possible that you use ‘Google Maps’ to get to different places and that you are signed in on multiple devices using the same ‘Gmail’ account. While it looks perfectly harmless and seems that your life is getting simplified in every way in this electronic era – the reverse is unfortunately true.

How you are being tracked:

As an example, sign into your Google account and click on ‘Maps’ in the right hand corner. Once inside Google Maps, click on the menu and pick ‘Your timeline’. Now, you can see all the places you have visited in the last couple of years! You can also see the time of visit, the duration of visit, and the latitude and longitude of the places that you visited! In addition, all these details are visible for a prolonged period of time too!

You might have visited 100 places over a period of 5 years and chances are all of them might be listed right there on the screen! You may have forgotten where you went in October of 2017, but your device and ‘Location history’ does not forget!

So, what can be done?

If you would like to delete all of your location data and prevent your location from being saved in the future, follow the steps below:

  1. After clicking on ‘Timeline’, click ‘Manage Location History’ and disable ‘Location History’ under ‘Activity controls’. This makes sure that future Location tracking is disabled.
  2. In order to delete previous ‘Locations’, go to ‘Timeline’ and under the settings tab click on ‘Delete all Location history’.

Once this is completed, your Location history will be visible neither to you nor to anybody else (at least for some time!). In today’s age, with so much information and power in our hands, it is up to us to do all the homework and control the data that is exposed to the outside world by disabling the various settings.

Jayanthi Manikandan has an undergraduate degree in Computer Science from India and a Master’s degree in Information systems with a specialization in Information security from Detroit, MI, USA.

She has been passionate about Information security and has several years of experience writing on various technical topics. Additionally, she loves to pen a few personal thoughts here as well! 🙂

By Jayanthi

Access control

It is a reality that the cyber security landscape is rapidly changing every day. New threats emerge constantly and what was true 5 years ago might not be true today. In this reality, it is important to re-skill ourselves constantly.

Living in a hyper connected world, we are constantly signing into systems to access different types of information. Unauthorized individuals should never be able to access our resources. How can this be done? By the very basic and fundamental concept in Information security – ‘access control’.

What is Access control and what are the different types?

Access control ensures that only authorized individuals can access appropriate resources. Physical access control ensures that physical resources like specific rooms and buildings are accessed by appropriate people. Logical access control ensures that resources like networks and files are accessed by appropriate people.

We observe the principles of ‘access control’ all around us unknowingly. When we share a post on a social media platform, we set the permission to ‘public’ or ‘private’ or ‘Friends’ as the case may be. This makes sure that the post is visible only to the necessary people and not to all.

The simple example of checking email can also be mentioned here. The correct combination of username and password authenticates the user to access his resources (email, in this case).

The different stages of access control are:

1. Identification

2. Authentication

3. Authorization

4. Accountability

‘Identification’ is done by providing the user with a unique id number, username or account number. ‘Authentication’ is done by providing the password or personal identification number. The correct combination of username and password confirms that the user is in fact “who he claims to be”. Once the user has been authenticated, the user next has to be authorized to access the resource. The ‘access control matrix’ is checked to make sure that the user is the “person” authorized to access the requested resource. This is “authorization”. Finally, the user is “accountable” for all the actions taken. To ensure accountability, the user’s login information and subsequent actions are noted.
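The four stages above, walked through in code. This is an added example, not code from the original post; the class name, account names, resource name and outcome strings are all constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone


def hash_password(password, salt):
    # Salted, deliberately slow hash so a leaked store is not directly reusable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessController:
    def __init__(self):
        self.users = {}      # username -> (salt, password hash)
        self.matrix = {}     # access control matrix: (subject, object) -> rights
        self.audit_log = []  # accountability trail

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def grant(self, username, resource, *rights):
        self.matrix.setdefault((username, resource), set()).update(rights)

    def _finish(self, username, action, resource, outcome):
        # 4. Accountability: every decision, allowed or denied, is recorded.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": username, "action": action,
            "resource": resource, "outcome": outcome,
        })
        return outcome

    def request(self, username, password, action, resource):
        # 1. Identification: the claimed identity must be a known account.
        record = self.users.get(username)
        if record is None:
            return self._finish(username, action, resource, "unknown-user")
        # 2. Authentication: prove the claim; compare hashes in constant time.
        salt, stored = record
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return self._finish(username, action, resource, "bad-credentials")
        # 3. Authorization: look up the (subject, object) pair in the matrix.
        if action not in self.matrix.get((username, resource), set()):
            return self._finish(username, action, resource, "not-authorized")
        return self._finish(username, action, resource, "granted")


def demo():
    # Constructed accounts and resources, for illustration only.
    ac = AccessController()
    ac.register("asha", "correct horse battery")
    ac.register("ravi", "staple-42")
    ac.grant("asha", "payroll.xlsx", "read", "write")
    ac.grant("ravi", "payroll.xlsx", "read")
    outcomes = [
        ac.request("asha", "correct horse battery", "write", "payroll.xlsx"),
        ac.request("ravi", "staple-42", "write", "payroll.xlsx"),
        ac.request("ravi", "wrong-guess", "read", "payroll.xlsx"),
        ac.request("mallory", "anything", "read", "payroll.xlsx"),
    ]
    return outcomes, ac.audit_log


if __name__ == "__main__":
    results, log = demo()
    for entry in log:
        print(entry["user"], entry["action"], entry["resource"], "->", entry["outcome"])
```

The distinct outcome strings are meant for the audit log; a login screen would normally show the same failure message for an unknown user and a wrong password.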

Now that we have seen what is meant by ‘access control’, we look at the different access control models. There are three main types of access control models: discretionary access control, mandatory access control and role based access control. Every organization has different business objectives. The type of access control to be implemented is entirely dependent on its objectives as well as the culture of the organization.

Discretionary access control:

Before we discuss the different access controls, we see what is meant by a “subject” and an “object”. The “subject” is the one that is making the request for the resource and the “object” is the resource itself. In the discretionary access control model, he who creates the information is the “owner”. The “owner” can decide who can access which data. Recall that this is authorization. This is normally implemented by “access control lists” or ACLs. ACLs are specified by the system administrator and enforced by the operating system. The majority of operating systems, such as Windows, Linux and Macintosh systems, are DAC based.

Mandatory Access Control:

‘Mandatory access control’ is much more structured and organized than DAC. In this type of access control, the operating system has the final say on who can access which resource. Users have a security clearance (secret, top secret, confidential) and data is also classified in a similar way. The clearance and classification are stored as ‘security labels’. When a user makes a request for a resource, the decision is dependent on the clearance of the individual, the classification of the data and the security policy of the system. This is enforced by the security officer and implemented by the operating system. This type of access control is used where security is of utmost importance. Normal DAC systems will not be suitable when the need is to classify data of special security clearance. We need MAC systems with special operating systems to enforce the rules.

Role based Access Control:

Role based access control or RBAC is also known as ‘non-discretionary access control’. In Role based access control, access to a particular resource is governed by the “role” an employee is mapped to. This type of access control is tougher to configure as the organizational policies have to be translated to roles. For example, an employee in “HR” does not need access to resources in “payroll”. RBAC is easy to configure when the employee turnover is high. When “Sam” from “Finance” leaves the organization and “Wendy” joins, “Wendy” is just mapped to “Finance” and she takes the same roles and responsibilities as the previous employee. There is no additional configuration needed here.
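The three models side by side, as an added example that is not part of the original post. The class and function names, the ordering of the clearance levels, the "read only at or below your clearance" policy for MAC, and the Finance and HR permissions are assumptions made for illustration.

```python
# Assumed ordering of the labels named in the post, lowest to highest.
CLEARANCE = {"confidential": 1, "secret": 2, "top secret": 3}


class DacFile:
    """DAC: the owner decides who gets which rights, through an ACL."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def share(self, requester, subject, *rights):
        if requester != self.owner:
            raise PermissionError("only the owner may change the ACL")
        self.acl.setdefault(subject, set()).update(rights)

    def allows(self, subject, right):
        return right in self.acl.get(subject, set())


def mac_can_read(clearance, classification):
    """MAC: the system compares security labels; users cannot override it.
    Assumed policy: a subject reads only at or below its own clearance."""
    return CLEARANCE[clearance] >= CLEARANCE[classification]


class Rbac:
    """RBAC: rights attach to roles, and users only ever hold roles."""

    def __init__(self):
        self.role_perms = {}  # role -> set of (right, resource)
        self.user_roles = {}  # user -> set of roles

    def permit(self, role, right, resource):
        self.role_perms.setdefault(role, set()).add((right, resource))

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def remove_user(self, user):
        self.user_roles.pop(user, None)

    def allows(self, user, right, resource):
        return any((right, resource) in self.role_perms.get(role, set())
                   for role in self.user_roles.get(user, set()))


def demo():
    results = {}

    # DAC: Sam owns the file and shares read access with Wendy.
    report = DacFile(owner="sam")
    report.share("sam", "wendy", "read")
    results["dac_wendy_read"] = report.allows("wendy", "read")
    results["dac_wendy_write"] = report.allows("wendy", "write")
    try:
        report.share("wendy", "wendy", "write")  # a non-owner edits the ACL
        results["dac_non_owner_share"] = True
    except PermissionError:
        results["dac_non_owner_share"] = False

    # MAC: the decision depends only on the two labels.
    results["mac_secret_reads_confidential"] = mac_can_read("secret", "confidential")
    results["mac_secret_reads_top_secret"] = mac_can_read("secret", "top secret")

    # RBAC: Sam leaves Finance, Wendy joins; role permissions never change.
    rbac = Rbac()
    rbac.permit("Finance", "read", "payroll")
    rbac.permit("HR", "read", "employee-records")
    rbac.assign("sam", "Finance")
    rbac.assign("hr-employee", "HR")
    rbac.remove_user("sam")
    rbac.assign("wendy", "Finance")
    results["rbac_wendy_payroll"] = rbac.allows("wendy", "read", "payroll")
    results["rbac_sam_payroll"] = rbac.allows("sam", "read", "payroll")
    results["rbac_hr_payroll"] = rbac.allows("hr-employee", "read", "payroll")
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {allowed}")
```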

Access control is the basis of many topics and the RBAC model forms the basis of many identity management solutions.

We saw a very small portion of a fundamental concept in Information security. Join me as I uncover more!

Bibliography

Harris, S. All in one CISSP. In S. Harris.

By Jayanthi

Single sign on

In the wake of the Facebook data breach that supposedly compromised 50 million accounts and other personal data last week, it is imperative to look at yet another aspect of ‘Information security’ – ‘Single sign on’.

What is ‘Single sign on’?

Remember the time when you discovered a new website or app? You had to register to get into the site. You were presented with these options:

                ‘Continue with Google’

                 ‘Continue with Facebook’

in addition to a lengthy sign up process. In a hurry to understand what the new craze was, you just signed in with your ‘Facebook’ or Google account information instead of going through the whole signing up rigmarole. This is ‘Single sign on’ wherein by just signing into Facebook or Google, you can access many other apps and sites with ease.


What is the downside of ‘Single sign on’?

It seems to be such an easy thing to do – just sign in with one account and we can access so many other sites with ease. So, what exactly is the problem? If you have signed into multiple accounts using Facebook or Google, then when the main ‘sign on’ site gets hacked, it is quite possible that the other apps that use the ‘Single sign on’ method of being authenticated would have their data breached too.

So in essence, you are exposing the data related to all other apps to the hackers too!

How do we ensure the safety of our data in the wake of the breach?

Since there is nothing that is simple and easy in this world, single sign on comes with its own troubles. In the case of the Facebook data breach, you would have definitely received appropriate messages and notifications if your account was indeed hacked. In addition, it is good to always:

  1. Check ‘Settings’ in ‘Facebook’ and check the devices and locations where you are logged in from. Log out from all of them and log in again with a new password.
  2. It is also good to log in to each site/app with a separate login and password henceforth and give your memory a good workout! 🙂 (Seriously though, a password manager might be a good option to consider since it is difficult to remember multiple logins and passwords)
  3. It is better to try two factor authentication to prevent further data loss.

These security tips will hold good for some time before the next breach occurs!

By Jayanthi

‘Minimum online presence’

No sooner had I written about maintaining a ‘minimum online presence’ in my Hacking post than I had several comments relating to that (either ‘it was not possible’ or ‘how do we do that’). While it is next to impossible to grow a business or forge business relationships without a good social media presence, it is also imperative to reveal only what is needed. In this post I will discuss what I meant by ‘minimum online presence’:

  • It is unnecessary to reveal location information all the time. It is pretty exciting to tell our social media world the smallest details relating to our current location/life – but it is good information for a hacker or anybody of malicious intent. Occasionally, revealing is fine but we do not have to feed all the social media giants with our data all the time! ‘Location’ is needed only for food delivery apps and Uber/Ola booking services.
  • Posting of children’s pictures is also absolutely unnecessary. Children’s pictures can also be stolen and used for malicious purposes. You don’t want strangers leering at your child’s picture, do you? But again, posting once in a while will not do any major harm.
  • It is also good to not divulge bank account numbers, passwords, phone numbers, credit card numbers and other personal numbers in public conversations without appropriate encryption. Why? Because once that information is received by hackers, your bank balance will be reduced to zero!
  • It is a better idea to change your profile picture occasionally on different social media platforms than to change it frequently.
  • It is also good to never go overboard with excessive personal information (whether pictures, conversations, or any other data). Balance is always the key!

Going to an online world is just like going to work – if we will not reveal everything about ourselves to everyone at our work place, we should not reveal everything about ourselves in the online world either! It is best for your business to thrive but not at the cost of your kids’/personal safety or your financial information.

For any other information that has to be shared, visit the person, call or private message the person. It builds good business/personal relationships too! 🙂

This is my eighth post for #MyFriendAlexa by @Blogchatter

By Jayanthi

Black Widow

The Information security world is a deep one and sometimes it is quite shocking to know the things that can be done. Did you know that ‘Black widow’ is not just the name of a spider… but it is an actual piece of software that is used for ‘reconnaissance’ too? (Of course, InfoSec professionals will know :))

‘Reconnaissance’ is the ability to obtain freely available information about a website. Vocabulary.com defines “Reconnoitering as checking something out, but in a sneaky way!”

Once this information is obtained, one can seal the extra unwanted information that is unintentionally creeping out (for example, maybe passwords and employee details are visible with the reconnaissance tools). One of the ways that a site can be ripped is by employing website downloaders like ‘Black Widow’, Website downloader and HTTrack.

Most of these tools will allow you to download the entire website and the directory structure, external links, bad links and email addresses. The picture below shows a screen shot of the ‘Black Widow’ software…

The details provided above are for informational purposes only! Please do not use it in any inappropriate way!

This is my fifth post for #MyFriendAlexa by @Blogchatter!

Liked this post? Please comment and share! 🙂

By Jayanthi

Pharming

The online world is unfortunately not as fun a place as it seems. There are other types of people around too, seeking to grab credit card numbers and bank account numbers, steal pictures of children and/or any personal data that is floating around.

Let us assume that you would like to visit a website, www.abac.com (a fictitious website). What happens when you visit www.abac.com, do a bit of shopping and submit your bank account details or any other personal details, only to realize after a day that the website that you visited was actually a fake one?

This type of attack is known as ‘Pharming’. ‘Pharming’ is done by modifying the victim’s file or by a more complicated technique known as ‘DNS poisoning’. 

To protect oneself:

The best way to protect oneself from ‘Pharming’ attacks is to:

  1. Install the latest version of anti-virus software
  2. Apply the patches as and when posted
  3. Associate oneself with a good ISP
  4. When making payments, ensure that SSL (secure sockets layer) is enabled for the website
  5. Keep up with the latest in the security field (where are the breaches, what was stolen, what is the newest type of attack)
  6. And keep ears and eyes open! 🙂
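One check a user or administrator can run for the file-modification form of pharming, as an added example that is not part of the original post. It assumes the “victim’s file” is the local hosts file (the post does not name it); the sample file content, the watchlist and the function names are constructed, and the IP addresses come from documentation ranges.

```python
import ipaddress

# Constructed hosts-file content for illustration.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# 203.0.113.9   www.abac.com   (commented out, ignored)
198.51.100.23   www.abac.com abac.com   # planted redirect
0.0.0.0         ads.example.net
192.0.2.10      intranet.example.org
not-an-ip       pay.abac.com
"""

# Domains where payment or login details are entered (assumed list).
WATCHLIST = {"abac.com"}


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each well-formed hosts entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed entry, skipped
        if len(fields) > 1:
            yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(hostname, watchlist):
    """True for a watched domain or any of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)


def find_redirects(text, watchlist):
    """Return (line_no, ip, hostname) for watched names pinned to a remote IP."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        # Loopback and 0.0.0.0 entries block a name rather than redirect it.
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            if is_watched(name, watchlist):
                findings.append((line_no, str(ip), name))
    return findings


if __name__ == "__main__":
    for line_no, ip, name in find_redirects(SAMPLE_HOSTS, WATCHLIST):
        print(f"line {line_no}: {name} is pinned to {ip}")
```

To check a real machine, pass the contents of the system hosts file instead of `SAMPLE_HOSTS`; this does not detect DNS poisoning, which happens outside the local file.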

We have seen yet another concept of ‘Information security’ in this post.

This is the third post for ‘MyFriendAlexa’ by @Blogchatter!

By Jayanthi

Hacking

While ‘Information security’ always gives us images of breaches, hacks, stolen credit card numbers and bank account numbers, my blog has always been associated with the concepts of ‘Information security’ or the many defenses that are there to keep your information safe.

In this post, I would like to delve into the reality of letting the ‘Information security’ defenses down. Apart from the breaches and hacks, what are the other ugly things that are possible? While this may be common knowledge to those in the InfoSec domain, it may not be known to everyone. It is always a common thought – “it will not happen to me” – but it is a reality that it does happen quite frequently and everybody gets affected at some point or other!

1. Remotely controlling Android/Apple device

There are a variety of ways in which one can remotely control another person’s Android or Apple device. There are plenty of apps that allow you to control an Android device from a PC, via another Android device, via WiFi, via Bluetooth, and really the possibilities are endless!

I am sure most of you remember the time when Saket Modi, the co-founder and CEO of Lucideus hacked the phone of a person sitting in the audience. Through this hacking, he was able to procure the subject’s SMSes, contacts, call logs, GPS locations and more! (Source: https://www.youtube.com/watch?v=3fT6pUQrY6M)

2. Hacking cars?

Is this even possible? Yes – maybe in the future! Researchers have shown that hackers can remotely kill your engine, lock the doors to your car, put the car in reverse gear without your permission and many other frightening moves! 

Automotive hacking may be a distinct possibility as the years roll by!


3. ATM skimming

Many people are sure to have fallen victim to this type of hack. A small skimmer is attached to the ATM machine, by means of which bank details are retrieved. The numbers are then transferred to blank ATM cards, and money and data are stolen!

4. Keylogger

A ‘keylogger’ is a type of surveillance software which, when installed on your system, can monitor every key stroke, record passwords, capture screenshots and more. It can be run in invisible mode and thereby the user will have no clue of its presence. This is commonly used by employers to keep tabs on their employees.

In addition to all this, the devious mind can find ways to see your private Facebook picture, Instagram pictures and any other private information. In short, the more you want to keep it private online, the more someone is eager to see it! 🙂

This is just the tip of the wild side of security hacks… anything is possible  for a determined mind! 

How do we protect ourselves from all this?

Maintain a minimal online presence.  And it is good to keep up with all security updates and install all patches and upgrades as and when posted.

This is my first post for #MyFriendAlexa. I am taking my Alexa rank to the next level with #Blogchatter

By Jayanthi

Young India!

As India celebrates her 72nd Independence day, I was mulling over one important aspect of India that can easily stand out from other countries. This was the fundamental aspect that really stood out when we moved back 8 years ago… What was it? Read on to find out more…

Youth:

The world all around me was/is very young (initially, I thought it was because I had returned from the US after 14 years – that I had aged and the next generation had emerged! :)) But while that may have been one reason, India itself had gotten the title of being the “youngest country in the world”. According to Wikipedia, “50% of India is below the age of 25 and 65% of India is below the age of 35”!! Additionally, according to another report from ‘The Guardian’, India has 600 million people who are under the age of 25!! Cool statistic, don’t you think?! 🙂 It is hard to believe this statistic unless you live in a country with such a young population.

Every side and every corner you turn, you will only bump into teenagers, singles and young couples! 🙂 There hardly seem to be many with 2 kids tagging along like us! (ok, a bit of an exaggeration there – but you get the point, right – India is very “youthy”?! :))

How does it affect you?

It definitely rubs you the right way. You feel young and energized and can totally appreciate all the new and latest brain storms. In all my remote work experiences, I have always worked with people younger than me!  While I thought it was initially a one time thing or an occasional happening…it happens all the time – (while, what they think of me is for another blog post :)) –   and I am sure that is true for most of us from my generation…

Startups:

India and particularly Bangalore or Bengaluru is home to a number of ‘startups’. Makemytrip, Flipkart, Snapdeal, Ola cabs, Zomato, redBus and many more organizations are all shining examples of Indian startups. According to this report from Bangalore Mirror, the average age of startup founders is under 36! (Superb, don’t you think?) 

There are still a huge number of startups that are mushrooming at a rapid pace with extremely bright ideas. Now, how long these organizations last and whether all of them do well in the long run, is anybody’s guess – but the feeling of entrepreneurship and moving from the tag of “employee” to “employer” is strong in India! So much so, that many start their own companies after a few years of corporate experience!

Here is to a young India making a positive difference to life in the world…

Happy Independence day to all!! 🙂

By Jayanthi

What are Smart Contracts?

‘Smart Contracts’ is a term that is often used in the Blockchain world. ‘Smart Contracts’ are similar to legal contracts but are encoded in the ‘Blockchain’. ‘Ethereum’, the public blockchain, is the most popular way to create smart contracts.

We encounter physical ‘contracts’ throughout our life. Contracts are present when we start a new job (detailing the job details and the date of salary payments), when we buy a new house (detailing our mortgage payments and the corresponding dates), and when we buy a new vehicle (detailing loan payments).

Home loans, car loans and most other critical dealings come with contracts. ‘Contracts’ enable the buyer and seller to keep their word. In a home buying scenario, once the buyer completes all his mortgage payments, the lending company should release the title and deed and all appropriate paperwork to the buyer. There are lengthy clauses which cover every aspect of our business dealings.

An example of a legal statement might be as follows: ‘If the bill is not paid by a certain due date, then add a corresponding late fee or revoke the license’. 

What if this could be automated and enforced without any manual intervention? Is this possible? Yes – by means of smart contracts.

In a ‘smart contract’, the contract itself is coded, and it is then stored and monitored by the Blockchain network. Once a condition is met, the contract executes automatically. This ensures transparency along with the elimination of middlemen.

‘Smart Contracts’ are mostly written in the ‘Solidity’ programming language.

This is just a short glimpse into the world of ‘smart contracts’. Join me as I uncover more technical topics about the ‘Blockchain’ world  in subsequent posts…

 

 


By Jayanthi

Wireshark

For those who would like to look deep into their networks and not just on the outside, “Wireshark – the network protocol analyzer,” is the way to go! We will understand what is meant by “sniffing”, why it is used and how the Wireshark network protocol analyzer works in this post.

What are sniffers?

While social media rages on one side giving rise to new professions, there is another equally quiet but stealthy profession too – monitoring other people’s networks and activities by means of “sniffing”. Since a firewall cannot detect all malicious traffic, we use “sniffers” to monitor the traffic across the network. As with everything else in security, “sniffers” can be used in a positive and a negative way, either by employers monitoring their employees or by unscrupulous individuals trying to hack systems.
