Category Archive Information Security

By Jayanthi

Identity chaos

Reading Time: 2 minutes

As I was toying with my next topic for my technical post in Information security, I bumped into this concept called ‘Identity chaos’ – my curiosity was piqued and well, I wrote about it instantly! 🙂 So, here goes:

As reminded by several security professionals, a good password is one that has a combination of:

  1. Upper case letters
  2. Lower case letters
  3. Numerals
  4. Special characters
  5. A minimum length of 8 characters

All security practitioners constantly remind you to follow these tips diligently to protect yourself from hacks and breaches. Now when users finally condescend and start following these rules, each of the websites they visit must be given a new password.

Next comes the real test. They have to remember the password the very next day or so.

Now assume they visit website1 and begin typing the password: xyZ123! and success! – they have logged in!

They visit website2 and type the password: XyZ324! and success again and they are logged in again!

They visit website3 and try typing the password….only to realise that they have forgotten the password:

“Was it xyZ123 that was the password?” OR

“Was it XYZ!123 that was the password?!!” OR

“Was it an entirely different combination?!!” 

They are totally confused and frantically try the different password combinations….till they get locked out!! 

Sounds familiar? This is “identity chaos” or “password fatigue”!!

A user who has forgotten a password and struggles to recall which of the many password combinations belongs to which website login is experiencing “identity chaos” or “password fatigue”!!

This post is for alphabet ‘I’ of the #BlogchatterA2Z challenge. The previous post can be found here.


By Jayanthi

GIAC certifications

Reading Time: 2 minutes

‘Information security’ and certifications go hand in hand. The more certifications you have, the more renowned you are in the InfoSec domain. Information security certifications are offered by many organizations such as (ISC)2 (CISSP and CCSP), EC-Council (CEH – ‘Certified Ethical Hacker’), ISACA (CISM, CISA, CRISC) and also by SANS (GIAC certifications). We will see the various GIAC certifications in this post…

GIAC certifications:

The SANS institute was established in 1989 and it offers various certifications and training programs. SANS offers GIAC (Global Information Assurance Certification) certifications suited to every InfoSec professional and category. The SANS institute offers classroom training, online training and mentored training. The different certification categories are cyber defense, pen testing, incident response and forensics, management, audit and legal.

Here is a partial list of the different certifications:

  1. GSEC: GIAC Security Essentials
  2. GCIH: GIAC Certified Incident Handler
  3. GCFA: GIAC Certified Forensic Analyst
  4. GPEN: GIAC Penetration Tester
  5. GISF: GIAC Information Security Fundamentals

Notes about GIAC exams:

  1. All GIAC exams are open book, which means you can bring any number of books and printed material to the exam. However, you cannot access the Internet for any purpose.
  2. All certifications are valid for four years, after which they have to be renewed.
  3. All exams must be taken at a proctored testing center.
  4. Each exam will also have a different set of questions, time limit and passing grade.
  5. GIAC exams can be attempted without formal SANS training. The prices can be found here.

What is your preferred certification? Have you got any of the above certifications? How has your experience been?

This post is for alphabet ‘G’ of the #BlogchatterA2Z challenge. The previous post can be found here.

By Jayanthi

Everyday ‘security’!

Reading Time: 2 minutes

This is one of the interesting and common questions that I have encountered on Quora – “How do we implement security in everyday life? (without any technical background)”

1. We do not have to share our location all the time. Agreed, it is fun to share every once in a while, but sharing regularly definitely might put you on a malicious person’s radar. So, it is good not to share location on social media. It is also good to turn off ‘location’ on your phone except when using ride-sharing services or food ordering services (or similar options).

LOCATION SHARING SHOULD BE TURNED OFF UNLESS NEEDED!!

2. It is also wise not to share personal pics on social media too frequently. If we have to share, it is imperative to set the option to ‘private’.

SHARING OF PERSONAL PICS SHOULD BE SET TO ‘PRIVATE’ OR LOWEST LEVEL

3. It is good to put a profile picture that does not reveal too much of your personal life. India runs on Whatsapp groups – but did you know, Whatsapp profile pics can be downloaded to your phone? In that regard, it is always wise to set Whatsapp profile pic visibility to ‘My contacts’ only.

SET NEUTRAL PROFILE PICS OR PROFILE PICS THAT DO NOT REVEAL YOUR WHOLE LIFE!

4. It is good not to accept stranger requests on social media. It might be good for business purposes, but if you are going to be divulging any personal information, avoid it at all costs. Cyber-stalking is very easy to do – just following you around on different social media channels can help anybody to create a whole persona of you!!

DON’T ACCEPT STRANGER REQUESTS ON SOCIAL MEDIA

Other common security information:

5. Please do not share any of your passwords or PINs of your bank accounts or financial accounts with anybody on the phone.

6. Set a screen lock for your smartphone (for both Android and iPhones).

7. Do not click on unknown links in emails (anything that says “You are a millionaire” or “You have won the lottery” is definitely fake and is definitely a trap to part with your personal information).

8. For all types of devices and social media – go to the ‘Security’ configuration and configure it appropriately.

9. Do not share credit card information if SSL is not enabled (SSL is the green padlock on the top left side of the screen).

These are all the things that I can think of for now… have I missed anything? ‘Everyday security’ is omnipresent, isn’t it? 🙂

This post is for alphabet ‘E’ of #BlogchatterA2Z. The previous post can be found here.

By Jayanthi

Digital forensics

Reading Time: 2 minutes

Forensics is identifying, investigating and collecting evidence at a crime scene. The information collected is then used for legal purposes. We extend this to ‘Digital forensics’, which again deals with identifying and investigating information, but now related to digital media. Professionals who are engaged in the ‘digital forensics’ field recover information from digital devices such as pen drives, laptops and mobile phones, which can be used to solve various crimes.

Thus, ‘Digital Forensics’ is the art of identifying, collecting and studying digital and computer evidence which can be used in a court of law. Forensics is related to law and therefore ‘Digital Forensics’ is related to analyzing digital data and presenting it as evidence in legal matters. There are several sub-disciplines within ‘Digital forensics’, namely computer forensics, network forensics, mobile device forensics and more.

‘Digital Forensics’ may be used in cases where there are issues related to copyright infringement, piracy, destruction of information and fraud. In India – there is always the case of a question paper leak before any major exam, and it is possible that ‘digital forensics’ can be used to find the source of the paper leak!

Skills required to get into the ‘digital forensics’ domain:

Basic communication skills, analytical skills, and a Bachelor’s degree in Computer Science or Information Security will always be a good starting point. In addition, it would be good to acquire one or more of the following certifications:

  1. GCFA (GIAC Certified Forensic Analyst)
  2. GCFE (GIAC Certified Forensic Examiner)
  3. CHFI (EC-Council Computer Hacking Forensic Investigator)

This post is for alphabet ‘D’ of #BlogchatterA2Z. The previous post can be found here.


By Jayanthi

Cyber-bullying

Reading Time: 3 minutes

The Internet and social media have a very powerful grip on most of us today. Bill payment, shopping, connecting via social media, chatting, gaming – more and more things are being done online now. Combine the Internet with the use of mobile devices and we are forever hooked onto those devices! 🙁

Although most users of the Internet are adults who are above the age of 18, there are also several underage social media users, since it is easy to get into any social media platform by the mere click of a mouse (with or without parents’ knowledge/consent! :))

Underage social media users might find the Internet truly mesmerizing. They visit gaming chat rooms, interact with strangers online, and give away many of their personal details just by sitting right next to you! (and you might be totally oblivious to it!) Most social media platforms require you to be at least 18 years of age to begin using their site – but there is no concrete way to enforce this. This in effect brings several young, impressionable users to the social media scene.

The young cyber users might be spending more time online and foraying into newer websites, and before they know it – they might slowly start getting “picked on” or made to feel bad. They may not even realize that they are getting “cyber-bullied” because, unlike physical bullies, “cyber bullies” are invisible and most of the activities are happening online.

What is “Cyber bullying”?

As with traditional bullying, unscrupulous elements resort to malicious ways to make innocent children feel bad. “Cyber-bullying” is making use of digital means (SMS, chat messages, various social media platforms) to mentally harass a teenager or a young individual. The anonymous nature of the Internet fuels cyber-bullying even more. As an underage child/teenager sits glued to electronic devices, they are harassed and tortured mentally and might not be aware of it. These are some ways that cyber bullying can happen:

  1. Posting distasteful pictures (without the person’s consent)
  2. Posting rude or untrue comments
  3. Online threats
  4. Faking an online identity
  5. Harassing a person online (“Do this for me or I will shame you in front of your friends”)
  6. Driving a person to suicide (for example, the “Blue Whale challenge”)

What are some signs that a child is being “cyber bullied”?

  1. Keeping to themselves
  2. Withdrawal from social activities
  3. Mood changes
  4. Acting different

How do we help a child who is being cyber bullied?

  1. Detection and acknowledgement is always the first cure. It is essential for parents to have all communication channels open with their children.
  2. Children should be given adequate knowledge about the pros and cons of the Internet and “cyber bullying”.
  3. Parents should also keep up with the latest technological trends and stay in the digital “loop” (you have to keep tabs on them without being excessively “nosey”!! :))
  4. Once it is detected that a teenager is being bullied online, it is good to “block” the person on the different social media channels.
  5. Everything should be reported ASAP to parents or an appropriate person (if anything happens).
  6. If necessary, the matter should be reported to the appropriate social media providers.
  7. In extreme cases, law enforcement may also have to be involved.

This post is for alphabet ‘C’ of the #BlogchatterA2Z challenge. The previous post can be found here.


By Jayanthi

Authentication

Reading Time: 2 minutes

The month of April has arrived and #BlogchatterA2Z has begun!! I will be participating again this year and hope to write and write about my favorite topic – Information security and will squeeze some famous proverbs too! Shower my blog with love as I sail through April!! Let’s begin….

‘We all have a life outside Facebook, Whatsapp, and Twitter – but we have forgotten the password for it!’ 🙂 goes the latest security quote that shows the importance of passwords and authentication.

We live in a world where we are authenticating ourselves all the time! Did you know? You enter the ‘username’ and ‘password’ and boom! you are inside a particular website. So, now what is authentication exactly? ‘Authentication’ is proving who you are to the system to access the appropriate resources. The most popular way to authenticate yourself is through the classic ‘username and password’ combination. As an example, in order to access any social media site you enter your ‘username’ and ‘password’. The ‘username’ and ‘password’ are compared against an existing database and once they match, the username is allowed to access the resources. This is a simplified process of authentication.

Three factors that influence ‘authentication’:

There are three factors that ‘authentication’ is based on – something that you have (smartphone or laptop or tablet), what you know (password) and what you are (biometrics).

Strong authentication makes use of two factors. The username-password combination makes use of – something that you have (namely laptop or smartphone) and something that you know (password).

Biometrics:

Since the classic username and password combination might be fraught with different types of difficulties, authentication of a user can also be established by making use of ‘biometrics’. ‘Biometrics’ makes use of the physical features of a person (like fingerprint, retina) to perform authentication.

But it must be noted that ‘biometrics’ alone cannot be used to validate a user – it has to be coupled with another factor of authentication to validate the user.

We saw the concept of ‘authentication’ in this post…stay tuned for alphabet ‘B’ tomorrow…


By Jayanthi

Kerberos Authentication protocol

Reading Time: 3 minutes

We have already discussed Cryptography and the Caesar cipher. In this post we will explore more about Cryptography by discussing an application of Cryptography – the ‘Kerberos authentication protocol’. In today’s insecure online and distributed environment we need stronger authentication mechanisms than the classic username/password combination.

Introduction:

‘Kerberos’ was developed at MIT as part of a project named ‘Athena’. Kerberos is a three-headed dog in Greek mythology which guarded the underworld. The electronic version of Kerberos, the Kerberos authentication protocol, is used to guard users’ online data and keep hackers at bay. The Internet, being a place which does not uphold the three tenets of Information Security – Confidentiality, Integrity and Availability – needed stronger cryptographic algorithms to ensure users’ online privacy. The Kerberos network authentication protocol was created to uphold the three tenets by making use of symmetric key cryptography. Recall: in symmetric key cryptography, the same key that is used to encrypt data is used to decrypt data as well.

The Kerberos authentication protocol is used to prove your identity in a client/server interaction by making use of “tickets”. Kerberos version 4 was created by Steve Miller and Clifford Neuman. Version 5 release 1.16.3 is the latest version; it was created by John Kohl and Clifford Neuman. Kerberos is freely downloadable from the MIT website under copyright permissions. It is also available as a professional product from many vendors. Kerberos is based on the Needham-Schroeder protocol.

Necessity of Kerberos:

Kerberos was created to overcome the following threats in an open distributed network environment:

  1. A user may masquerade as another user and access the privileges and rights on the new user’s workstation
  2. A user can change, modify and alter the network address of other workstations
  3. A user can also “snoop” and overhear conversations and gain an entry into servers(Stallings)

Description:

Here is an extremely high-level working of the Kerberos authentication protocol. The important terms to be aware of before we start discussing the working of Kerberos:

KDC – Key distribution center

TGS – Ticket Granting Service

  1. A user logs onto a client machine, enters his credentials and requests some services. Now, the username alone is transmitted to the KDC server (the password is transformed into the key of a symmetric cipher and kept at the user’s machine). After matching the username with the KDC database, the KDC server creates the TGT (Ticket Granting Ticket), which is encrypted by the user’s key.
  2. The client receives the encrypted TGT. Recall that Kerberos makes use of symmetric key cryptography. Hence, the encrypted TGT that is received is decrypted using the user’s key (the user’s key is stored on the user’s machine).
  3. The TGT stored on the machine will enable a session with the server for a specified amount of time.
  4. In order to communicate with the server and request more services, the client will use the TGT and ask for a specific service from the KDC server.
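The four steps above as a runnable toy, added here as an example and not part of the original post or of MIT Kerberos. The realm, principals, password and service are constructed; the cipher is a stand-in encrypt-then-MAC built from HMAC-SHA256 (not the ciphers Kerberos actually uses); and, as in Kerberos proper, the KDC reply carries a TGT that only the KDC can open plus a session key sealed under the key derived from the user’s password. It shows that only the username crosses the wire in step 1, that a wrong password simply cannot open the reply, that an expired TGT is refused, and that the application server opens its ticket with its own key.

```python
import hashlib, hmac, json, os, time

def derive_key(password, realm, user):
    # Done on the client: the password becomes a symmetric key and never leaves the machine.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + user).encode(), 10_000)

def _keystream(key, nonce, n):
    out = b""
    for ctr in range(n // 32 + 1):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(key, obj):
    # Toy encrypt-then-MAC (nonce || ciphertext || tag); a stand-in for Kerberos's real ciphers.
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Key Distribution Center: holds user and service keys, acts as both AS and TGS."""
    def __init__(self, realm, user_keys, service_keys):
        self.realm, self.users, self.services = realm, user_keys, service_keys
        self.tgs_key = os.urandom(32)  # only the KDC itself can open a TGT

    def as_exchange(self, user, lifetime):
        """Step 1: the request carries just the username; the reply is the TGT plus a session key."""
        if user not in self.users:
            raise KeyError("unknown principal")
        sess, exp = os.urandom(32).hex(), time.time() + lifetime
        tgt = encrypt(self.tgs_key, {"user": user, "sess": sess, "exp": exp})
        enc_part = encrypt(self.users[user], {"sess": sess, "exp": exp})  # opened with the user's key
        return tgt.hex(), enc_part.hex()

    def tgs_exchange(self, tgt_hex, auth_hex, service):
        """Step 4: the client presents the TGT plus an authenticator to get a service ticket."""
        tgt = decrypt(self.tgs_key, bytes.fromhex(tgt_hex))
        if tgt["exp"] < time.time():
            raise PermissionError("TGT expired")
        sess = bytes.fromhex(tgt["sess"])
        auth = decrypt(sess, bytes.fromhex(auth_hex))  # proves the client holds the session key
        if auth["user"] != tgt["user"]:
            raise PermissionError("authenticator does not match TGT")
        svc_sess = os.urandom(32).hex()
        ticket = encrypt(self.services[service],
                         {"user": tgt["user"], "service": service, "sess": svc_sess})
        return ticket.hex(), encrypt(sess, {"sess": svc_sess}).hex()

def client_login(kdc, user, password, service, lifetime=300):
    """Steps 1 to 4 from the client's side; the password is only ever used locally."""
    key = derive_key(password, kdc.realm, user)
    tgt_hex, enc_part_hex = kdc.as_exchange(user, lifetime)
    sess = bytes.fromhex(decrypt(key, bytes.fromhex(enc_part_hex))["sess"])  # step 2
    authenticator = encrypt(sess, {"user": user, "ts": time.time()})
    ticket_hex, enc_hex = kdc.tgs_exchange(tgt_hex, authenticator.hex(), service)
    return ticket_hex, decrypt(sess, bytes.fromhex(enc_hex))["sess"]

def service_verify(service_key, ticket_hex):
    """The application server opens the ticket with its own key; it never sees the password."""
    return decrypt(service_key, bytes.fromhex(ticket_hex))

def demo():
    realm, pw = "EXAMPLE.COM", "correct horse"  # constructed realm and password
    svc_key = os.urandom(32)
    kdc = KDC(realm, {"alice": derive_key(pw, realm, "alice")}, {"fileserver": svc_key})
    ticket_hex, svc_sess = client_login(kdc, "alice", pw, "fileserver")
    seen = service_verify(svc_key, ticket_hex)
    try:  # a wrong password derives the wrong key, so the AS reply cannot be opened
        client_login(kdc, "alice", "wrong password", "fileserver")
        wrong_pw_rejected = False
    except ValueError:
        wrong_pw_rejected = True
    try:  # a TGT past its lifetime is refused by the TGS
        client_login(kdc, "alice", pw, "fileserver", lifetime=-1)
        expired_rejected = False
    except PermissionError:
        expired_rejected = True
    return seen["user"], seen["sess"] == svc_sess, wrong_pw_rejected, expired_rejected

if __name__ == "__main__":
    print(demo())  # ('alice', True, True, True)
```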

Conclusion:

This is just a simplified version of the Kerberos authentication protocol. It can be inferred from the above description of the Kerberos authentication protocol that the entire functioning is based on “tickets” and encryption and decryption using symmetric key cryptography. No passwords were sent in the entire client/server interaction. It is hoped that stronger authentication standards will be adopted by the industry.

Bibliography:

Kerberos. (n.d.). Retrieved May 7, 2014, from Wikipedia.org: http://en.wikipedia.org/wiki/Kerberos_(protocol)#Further_reading

Stallings, W. Cryptography and Network Security.

What is Kerberos and how does Kerberos work. Retrieved from https://www.slashroot.in/what-is-kerberos-and-how-does-kerberos-work

By Bala Manikandan

Network and System Security

Reading Time: 4 minutes

Network and System Security means protecting your system from different kinds of attacks by unauthorized users. With the development of the Internet and the World Wide Web, it is a field that is gaining a lot of importance. In this post, we will discuss various threats to network security and how to protect our system from such threats.

1. Worms

A worm is a program which simply creates copies of itself until the entire disk space in your system is filled up.

2. Trojan Horses

These are harmless-looking applications such as text editors which actually perform malicious functions without your knowledge (for example, deleting/modifying other existing files).

3. Spyware

This is a kind of software which may get installed on your PC without your consent, tracks your activity and reports this information to people who are willing to pay for it. Spyware mostly finds its way to a PC by getting downloaded along with another file, or from the Internet when you visit a webpage.

4. Adware

Adware is software that causes your computer to display unwanted pop-up ads. It reduces the performance of your computer, and is similar to spyware, with the difference that it may be installed with your consent. So it is important to go over the terms and conditions before you install any software on your PC.

5. Spamming

This is a term used to describe the sending of e-mail in bulk by a known or unknown person. Spamming can also reduce system performance, and can even be used to spread computer viruses.

6. Phishing and Pharming

These methods of attack rely on tricking users rather than using sophisticated technology.

  1. Phishing: In this attack, an unidentified person uses an authentic-looking e-mail or website to extract sensitive personal information from another user. For example, you may receive an e-mail which seems to be from your bank, asking you to fill up your personal details by clicking on a link. But the link may take you to a fake website where all your details are obtained and later used for malicious purposes.
  2. Pharming: This attack involves redirecting a website’s traffic to another authentic-looking, but bogus, website. The attacker convinces you that the site is real and then obtains all the information you provide to it.

7. Snooping and Eavesdropping

  1. Snooping: It refers to the unauthorized access of someone else’s information. It may or may not involve using sophisticated snooping software. Examples are monitoring of keystrokes pressed, secretly observing someone else’s computer activity and directly capturing his/her login ID and password.
  2. Eavesdropping: Eavesdropping involves intercepting someone else’s data as it passes from one place to another. For example, intercepting someone else’s credit card number as it passes from the user’s system to the web server that requested it.

8. Denial of Service (DoS) Attacks

In this kind of attack, the legitimate users are not allowed to use the resources, information or capabilities of the system. This attack, however, generally does not allow the attacker to access or modify data. For example, an attacker may flood the targeted system with a barrage of requests.

9. Cookies

These are messages (pieces of information) sent by a web server to a web browser so that the web server can track users’ activity on a webpage. They can help webpages load faster, and can customize the page for users who have already visited them. As they are merely text files, they cannot act maliciously on systems. However, any information you provide freely to a website (including sensitive personal information) will most likely be stored in a cookie, unless you disable the cookie feature in your browser. If someone found out the encryption key to your cookies, he/she could get your personal details. Cookies can be a threat to security in this way.

Preventive Measures

Having discussed the various threats to network and system security, the question arises as to how we deal with these threats. There are different methods to deal with different kinds of attacks, some of which are listed below:

General solutions:

  • Be careful when downloading files on the Internet.
  • Use a different way of writing e-mail addresses on the web. (For example, instead of “abc@xyz.com” you could write “abc AT xyz DOT com” or “abc    AT    xyz    DOT    com” with extra spaces.)
  • Instead of clicking links in e-mails, type the URL of the concerned website in your web browser (the link may direct you to a bogus website).
  • Disconnect from the Internet when away from home. Staying on the Internet increases the risk of certain infections and intrusions.

Solutions to Viruses, Adware, Spyware

  1. Use antivirus and anti-spyware software.
  2. Keep your system up-to-date.

Solutions to Spam

  1. Use anti-spam software.
  2. Keep your e-mail address private.

Solutions to Phishing and Pharming

  1. Avoid opening e-mails from unknown sources.
  2. Check the security guidelines of websites you often visit (so you can distinguish between legitimate and fake e-mails).

Solutions to Snooping, Eavesdropping and DoS attacks

  1. Protect your system by asking the user for a valid user-ID (authorization) and a valid password (authentication). Keep the passwords strong so that they cannot be easily guessed.
  2. Install a firewall on your system. A firewall is a system (hardware or software) designed to prevent unauthorized access to or from a private network.

Solution to threats caused by Cookies:

  1. Turn off the cookie feature in your web browser when not needed, to ensure the safety of your personal information.

We saw a few ways in which a system may be compromised actively or passively and the way to counter them. Join me as I uncover more topics on yet another post on Information security!


By Jayanthi

What is Cryptojacking?

Reading Time: 2 minutes

It just feels like we hear something new about cryptocurrencies everyday, but let us delve into the concept of ‘Cryptojacking’ in this post. Having blogged about cryptocurrencies and blockchain before, here are a few facts about them:

  1. ‘Bitcoin’ and ‘Blockchain’ are two entirely different concepts
  2. ‘Bitcoin’ is a cryptocurrency while ‘blockchain’ is the underlying technology powering cryptocurrencies like Bitcoin
  3. Blockchain is a distributed, immutable and shared ledger
  4. Transactions on a blockchain cannot be edited
  5. ‘Bitcoin’ is one of the more popular cryptocurrencies based on the ‘Blockchain’ concept.

Bitcoin’s energy consumption:

Since bitcoin is based on the blockchain concept, where there is no central authority directing the stakeholders (or miners in Blockchain/Bitcoin lingo), the only way a new block (FYI – a ‘block’ is where transactions are recorded) can be created and agreed upon is by means of mathematics. This is called ‘mining’, which uses a humongous amount of energy. Bitcoin mining can be done with simple software and specialized hardware.

Bitcoin’s current electricity consumption is 46.74 TWh (Terawatt hours)!! (Source: https://digiconomist.net/bitcoin-energy-consumption) To put this into perspective, according to one study in April 2018, Bitcoin’s energy consumption numbers were equal to the energy consumption of an entire country like Switzerland! (Source: https://www.forbes.com/sites/shermanlee/2018/04/19/bitcoins-energy-consumption-can-power-an-entire-country-but-eos-is-trying-to-fix-that/#116123d81bc8)

Having understood that bitcoin mining is heavily energy intensive, we can understand that cyber criminals will look for alternate means to mine cryptocurrencies.

Cryptojacking:

This alternate and malicious way to mine cryptocurrencies is by means of a concept known as ‘Cryptojacking’. ‘Cryptojacking’ secretly makes use of an unsuspecting person’s computer, tablet, phone or any other connected device to mine cryptocurrencies. The innocent individual is lured by means of suspicious email links or online ads, which then run the mining code in the background and drain your energy for the wrong purposes.

The unsuspecting user continues to use his computer/connected device without knowing that it is being used for malicious purposes.

What do criminals gain from this?

They get bitcoins or any other cryptocurrency with minimal effort and electricity usage on their side. They can then use these cryptocurrencies to buy things that they wish.

How do we detect that cryptomining code is running on your computer:

The only way that we can detect if the cryptomining code is running on our computer is when the computer gets slow or gets heated up.

How do we prevent cryptojacking?

We can prevent ‘cryptojacking’ by installing ad-blocking and anti-cryptomining extensions. Users should also turn off Javascript in the browser and be wary of phishing emails. It is also necessary to keep up with the latest in the security realm and install all patches as and when they are released.

Future of cryptojacking:

The current damage caused by ‘Cryptojacking’ may only be slowing down of the device but this malicious attack may evolve further with time and pose a risk to personal and financial information. According to this report from eset.com, cryptojacking may not be slowing in 2019. So, it is necessary to take note of this attack and be knowledgeable about it and guard against it.


By Jayanthi

What is ‘Steemit’?

Reading Time: 2 minutes

Do blogging/writing and blockchain have anything in common? Yes – with ‘Steemit’. What is ‘Steemit’? It is a blockchain based blogging platform. Imagine writing a blogpost and it being stored on a Blockchain, namely the ‘Steem’ blockchain… so, next, what is a ‘Blockchain’? To refresh, ‘Blockchain’ is a distributed ledger of information with no central authority (decentralized). The most popular application of Blockchain is of course ‘Bitcoin’.

We have all heard about ‘Blockchain’ being used for the mortgage industry, car auction industry – but for blogging and writing content? Yes, it is true – bloggers can write their content, which will be posted on the ‘Steem’ blockchain, and you ‘may’ even get paid for it. The ‘Steem’ blockchain is used for other decentralized applications as well, like DTube (decentralized video platform) and eSteem (Steem based mobile app).

‘Steemit’:

‘Steemit’ is a ‘Dapp’ or ‘Decentralized application’ which was started in 2016. One can upvote, downvote and comment on others’ posts (similar to other communities but with a difference: you get paid for it and it is on a blockchain).

Depending on the number of upvotes you get, you get paid in the form of digital tokens called ‘STEEM’. Everyday, STEEM tokens are mined on the ‘Steem’ blockchain and this can be used as rewards to different users.


Other points about ‘Steemit’:

  1. Users can earn money by creating content, and if it receives generous upvotes one can earn enough ‘STEEM’ tokens.
  2. Users will also receive a reward in another way. If they upvote another post and that post becomes popular later, they get rewarded with STEEM tokens too.
  3. Unlike regular blogging sites, if a user loses his/her password/owner key, it cannot be reset! Hence, it is recommended for users to store an offline copy of the same. There are a number of keys too – such as owner, active, posting and memo. Since each account contains funds, it is critical for owners to safeguard their keys appropriately.
  4. Another interesting point about ‘Steemit’ is that since the content is stored on the ‘Steem’ blockchain – it cannot be deleted (though a blank page can be shown for the time the post is active). Since one important property of a blockchain is immutability (changes made to a block cannot be altered) – all edits and comments are stored on the ‘Steem’ blockchain permanently.

Can ‘Steem’ be converted?

Yes, ‘Steem’ digital tokens can be converted to Bitcoin or to a country’s native currency or your local bank account. You can also convert it into other cryptocurrencies.

We saw the concept of ‘writing and blockchain’ merging in this post by means of the ‘Steemit’ blockchain…join me as I uncover most interesting topics…

Disclaimer: This article is to be used for informational purposes only. With cryptocurrencies being banned in many countries including India – it is up to the user to research and make decisions on the same.