Monday, December 31, 2007

Leading Change

Hello All....

I have been taking a few lectures on 'Change Management in Enterprise' in one of the management institutes in Mumbai. We talked about McKinsey's Principles and Lewin's Principles for Change Management. Then I came across this wonderful piece on Leading Change from John Kotter.

John P. Kotter, a world-renowned expert on leadership at Harvard Business School, has been the premier voice on how the best organizations actually “do” change.

This is what he says... I hope those interested enjoy it as much as I did. In the world of IT, even persuading organisations to look into security requires a 'change'. Let us all try and achieve the BEST CHANGE. :)

Why do we need leaders?

Leadership is required for mobilising people to handle challenging times. In a world that has no challenges, things are fine and you don’t require leaders. In such a world, you don’t need to mobilise people for handling any crisis. But unfortunately, in our world, we have a huge number of challenges in the government, non-profit and business sectors; we have many challenges in the developing and the developed world. Hence, we require leadership in our world. In fact, in our world, the need for leadership is more now than ever before. In our current world of business, we cannot afford to restrict leadership to just the top management positions. Every employee, every engineer should rise to a leadership role. They should step in to solve customer problems; they should step in to solve internal company problems. The number of people that we need to provide leadership is huge now. The turbulences in life will never stabilise, and I see the demand for leaders going up steadily.

How are leaders different from managers?

Leaders mobilize people. Their role is to undertake challenging goals that involve change. Leaders focus on changing behaviour, while managers focus on existing circumstances. For example, if there is a DVD player that is built well, we don’t require a leader to press the on/off button, because there is no challenge in it and no change is involved. I am not saying that managers are not important. Of course, they are important since it is not just the story of one DVD player. It is the story of 100,000 DVD players in 20 different countries where things can get complicated. Managers are important in that they should manage all these different DVD players in different countries, and ensure that they play the right movies at the right time. But the role of leaders is different. They often create the systems that the managers manage. For example, initially, there was the VHS system and the tapes that we were used to. It took leadership to change the user habits into something better. In the case of the battle between Sony and VHS, the amount of leadership that was required initially to drive the battle was much greater than after they won. Leadership is important at times of change because most of the time, the systems are not in place and leaders drive change and face challenges that are humongous. In short, in the case of stable existing systems, you need managers, while in the case of new turbulent situations that require a change, you need leaders.

Do leaders always drive change?

Almost always, leadership produces change. Go back in history and read about the people who were great leaders, and you will see that they were always focused on change. They were always helping people to change their behaviour. They were always focused on changing systems. Look at Mahatma Gandhi — he induced change in Indian society: he mobilised Indians and changed the way they looked at their state of affairs.

Do leaders drive their selfish cause or altruistic cause?

More often, people are talking about the behaviour of people when they are talking about leadership. They think about the presidents or CEOs of companies when leaders are mentioned. That is not the right way. The belief is that people in those positions mobilize people. But, the reality is that most of the time they are just politicians, managers, or sometimes they are not good at any of these. That is not a good way of defining leadership.

Good leaders are always driving changes. They derive a sense of satisfaction out of the change they drive. Great leaders always do something for people. I call it altruistic because it is good for the people. They are progressing towards goals that the society needs.


What is India’s role in shaping effective future leaders?

India is becoming very important and has got a bigger role to play in the global economy. Offering services cheaper and better is not the end; it’s the beginning. You must lead the way. You need good leaders for that, but more often than not, you don’t get better leaders. Educational institutions should focus on mentoring good leadership.

Sunday, December 16, 2007

Google Hacking

Web Hacking : Select a site, find a vulnerability
Google Hacking : Select a vulnerability, find a site :)

Some trials:

1. Advanced Operator : filetype

Search for filetype:mdb with keywords as users, passwords, credit, etc. View funny results.

2. Advanced Operator : allinurl
Cross-Site Frame Vulnerability allinurl: "url=http" "frame"

3. Directory Traversal Vulnerability
filetype: pl inurl:cg-bin inurl: file inurl:html

4. Spam Engines
filetype: cgi send mail

Sunday, November 25, 2007

Is Software Security Testing Complicated?

Testing software for security can be quite complicated. Those who do test software have typically taken classes and know exactly what they are doing.

If you are into software, are very familiar with it, and are interested in testing it yourself, you will want to look up the software testing course held closest to you.
Many companies hire a third party to give their employees a security testing course, or build an in-house team that provides this as a special service to teams across the organisation.

I somehow believe that security testing comes a little easier to someone who understands, or has written, a software program before. If you have ever written a software application and are looking to get into testing, you will find that learning what you need to know to test is easier for you than for someone without that background.

Wednesday, November 14, 2007

Has the virtual keyboard been considered?

Phishing is an attack in which the attacker sends a mail made to look as if it came from a bank or a financial institution and lures the victim into entering his sensitive information.

Image-based keyboards (or virtual keyboards) were invented to make life harder for banking or phishing Trojan horses (specifically keystroke loggers, or key loggers); some even suggested they be used specifically to avoid these Trojan horses.

Tuesday, November 06, 2007

Clear Text Secrets

We often find applications storing secrets in unencrypted form, which presents a severe security risk. If an attacker were able to retrieve and read the secrets, it could lead to compromise of the application, host or network, loss of revenue, and loss of the user's confidence in the application.

"Sensitive" data such as user credentials and cryptographic keys must never be stored, cached or sent unencrypted. For instance, logon passwords, PINs, credit card numbers, telephone calling card numbers and session IDs that can be used to gain access to goods, services or confidential information must always be stored and sent encrypted.

Avoid using proprietary encryption algorithms. Use trusted and proven standard algorithms for encryption, with key lengths of at least 128 bits. Secure Sockets Layer (SSL) must be configured to use a minimum of 128-bit encryption and must not be allowed to fall back to or accept weaker levels. Applications that use SSL must ensure that non-SSL connections are either denied or converted to SSL.
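As an added example (not from the blog), here is how those rules look in C# with the standard algorithms in System.Security.Cryptography. The class and method names (SecretStore, HashPassword, VerifyPassword, EncryptAes, DecryptAes) are my own. One refinement on the post's wording: a logon password only ever needs to be verified, so it is stored as a salted, iterated one-way hash (PBKDF2) rather than reversibly encrypted; reversible AES-256 encryption is kept for data the application must read back, such as a card number. It assumes .NET Framework 4.7.2 / .NET Core 2.1 or later for CryptographicOperations.FixedTimeEquals and the Rfc2898DeriveBytes overload that takes a hash algorithm name.

```csharp
// Added example, not the blog's code: secret storage with standard algorithms only.
using System;
using System.Security.Cryptography;
using System.Text;

public static class SecretStore
{
    const int SaltSize = 16;         // 128-bit random salt per password
    const int Iterations = 100_000;  // PBKDF2 work factor; raise as hardware gets faster
    const int HashSize = 32;         // 256-bit derived key

    // Returns "iterations:salt:hash" (base64) so the parameters travel with the record.
    public static string HashPassword(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        byte[] hash;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            hash = kdf.GetBytes(HashSize);
        return $"{Iterations}:{Convert.ToBase64String(salt)}:{Convert.ToBase64String(hash)}";
    }

    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 3) return false;
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            actual = kdf.GetBytes(expected.Length);
        // Constant-time comparison: timing must not reveal how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Reversible protection for data the application must read back later.
    // The 256-bit key comes from the caller (a key store), never from the source code.
    // Note: AES-CBC gives confidentiality only; where AesGcm is available, prefer it
    // so that tampering with the stored blob is detected.
    public static byte[] EncryptAes(byte[] key, string plaintext)
    {
        if (key.Length != 32) throw new ArgumentException("AES-256 needs a 32-byte key");
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();                         // fresh random IV for every record
            byte[] data = Encoding.UTF8.GetBytes(plaintext);
            byte[] cipher;
            using (var enc = aes.CreateEncryptor())
                cipher = enc.TransformFinalBlock(data, 0, data.Length);
            byte[] output = new byte[aes.IV.Length + cipher.Length];
            Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);        // IV is stored with the ciphertext
            Buffer.BlockCopy(cipher, 0, output, aes.IV.Length, cipher.Length);
            return output;
        }
    }

    public static string DecryptAes(byte[] key, byte[] blob)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
            {
                byte[] plain = dec.TransformFinalBlock(blob, iv.Length, blob.Length - iv.Length);
                return Encoding.UTF8.GetString(plain);
            }
        }
    }

    public static void Main()
    {
        // Constructed sample values for the demonstration.
        string record = HashPassword("correct horse");
        Console.WriteLine("stored record: " + record);
        Console.WriteLine("right password verifies: " + VerifyPassword("correct horse", record));
        Console.WriteLine("wrong password verifies: " + VerifyPassword("wrong", record));

        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        byte[] blob = EncryptAes(key, "4111111111111111");   // constructed test card number
        Console.WriteLine("round trip: " + DecryptAes(key, blob));
    }
}
```

The stored password record carries its own iteration count and salt, so the work factor can be raised later without invalidating existing records; the AES blob carries its IV for the same reason.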

Thursday, November 01, 2007

Managing Account Lockout

User accounts are vulnerable to dictionary attacks and brute force attacks, in which user credentials are deduced through successive attempts. Tools or scripts let the attacker automate the process and establish a positive match more quickly and efficiently.

The "Good Practices" would be:
  1. Design usernames that are not predictable or guessable.
  2. Enforce a strong password policy.
  3. Disable the user account after n successive failed login attempts.
  4. You could also consider locking out the account for a specified amount of time, e.g. 30 minutes.
  5. Display generic error messages to the user on a failed login attempt, e.g. "Authentication Failed" rather than "Invalid Username" / "Invalid Password" / "Account Locked".
  6. No automatic account lockouts for admin accounts.
  7. Implement CAPTCHAs to prevent bots or automated username/password guessing.
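The following C# is an added example (not the blog's code) of practices 3 to 6 in one login guard. LoginGuard, its Authenticate method and the three injected delegates are assumptions made for the example; the password check is a plain dictionary lookup only so the lockout logic can be shown stand-alone (a real implementation would compare a salted hash).

```csharp
// Added example, not the blog's code: account lockout with generic errors and admin exemption.
using System;
using System.Collections.Generic;

public sealed class LoginGuard
{
    const int MaxFailures = 5;                                  // n successive failures (practice 3)
    static readonly TimeSpan LockoutPeriod = TimeSpan.FromMinutes(30);   // practice 4
    const string GenericError = "Authentication failed.";       // one message for every reason (practice 5)

    sealed class Record { public int Failures; public DateTime? LockedUntil; }

    readonly Dictionary<string, Record> state =
        new Dictionary<string, Record>(StringComparer.OrdinalIgnoreCase);
    readonly Func<string, string, bool> checkPassword;   // credential check, supplied by the caller
    readonly Func<string, bool> isAdmin;                 // admin accounts are never auto-locked (practice 6)
    readonly Func<DateTime> clock;                       // injected so the lockout window can be driven in a demo

    public LoginGuard(Func<string, string, bool> checkPassword, Func<string, bool> isAdmin, Func<DateTime> clock)
    {
        this.checkPassword = checkPassword;
        this.isAdmin = isAdmin;
        this.clock = clock;
    }

    public (bool ok, string message) Authenticate(string user, string password)
    {
        DateTime now = clock();
        if (!state.TryGetValue(user, out Record rec))
            state[user] = rec = new Record();

        // A locked account is refused even with the right password, and the caller
        // is not told that the account is locked.
        if (rec.LockedUntil.HasValue && rec.LockedUntil.Value > now)
            return (false, GenericError);
        if (rec.LockedUntil.HasValue)
        {
            rec.LockedUntil = null;   // lockout period has elapsed
            rec.Failures = 0;
        }

        if (checkPassword(user, password))
        {
            rec.Failures = 0;         // only successive failures count; success resets the counter
            return (true, "Welcome");
        }

        rec.Failures++;
        // Lock after n failures, except for admin accounts: locking those automatically would
        // let anyone deny administrators access by deliberately failing logins. Admin
        // failures should instead be alerted on and rate-limited.
        if (rec.Failures >= MaxFailures && !isAdmin(user))
        {
            rec.LockedUntil = now + LockoutPeriod;
            rec.Failures = 0;
        }
        return (false, GenericError); // same text whether the user or the password was wrong
    }

    public static void Main()
    {
        // Constructed user store and a controllable clock for the demonstration.
        var users = new Dictionary<string, string> { ["alice"] = "s3cret", ["admin"] = "adm1n" };
        DateTime now = new DateTime(2007, 11, 1, 9, 0, 0);
        var guard = new LoginGuard(
            (u, p) => users.TryGetValue(u, out var pw) && pw == p,
            u => u == "admin",
            () => now);

        for (int i = 0; i < 5; i++)                       // five bad attempts lock alice
            Console.WriteLine(guard.Authenticate("alice", "bad").message);
        Console.WriteLine("alice, correct password while locked: " + guard.Authenticate("alice", "s3cret").ok);

        now = now.AddMinutes(31);                           // lockout period elapses
        Console.WriteLine("alice, correct password after lockout: " + guard.Authenticate("alice", "s3cret").ok);

        for (int i = 0; i < 10; i++)                      // admin never auto-locks
            guard.Authenticate("admin", "bad");
        Console.WriteLine("admin, correct password after 10 failures: " + guard.Authenticate("admin", "adm1n").ok);
    }
}
```

Because a non-existent username also receives GenericError with the same code path, the response does not tell an attacker whether the username exists; pairing this with CAPTCHA (practice 7) covers the automated guessing the post describes.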

Thursday, October 25, 2007

Mitigating XSS Attacks in ASP.NET Apps

Most security analysts find it difficult to completely eradicate the chance of cross-site scripting attacks. As far as the Microsoft ASP.NET platform goes, it does provide a directive called ValidateRequest to check for input containing malicious code.

This directive has been present since .NET 1.1. However, I find several cases where the application team deviates from having this directive set to true for business reasons. For example, there is a rich text box in the web page that must allow any kind of input data. If ValidateRequest is enabled for this web page, or for the application as a whole, it will throw HttpRequestValidationException before the input is even processed by your code.

So we started recommending that you must use output encoding, i.e. HTMLEncode all data echoed back on the web page. You could also use the new Microsoft Anti-XSS library.

In conclusion, ValidateRequest should be turned on if it does not block valid user scenarios. However, even with ValidateRequest turned on, it MUST NOT be regarded as a foolproof solution to mitigate XSS.
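An added example (mine, not the blog's) of the recommendation in ASP.NET 2.0-era C#: request validation is switched off for the one rich-text page that needs it, and every value echoed back is HTML-encoded on output. The page directive and web.config fragment are real ASP.NET syntax; the class and control names (RichTextPage, CommentBox, EchoLabel) are assumptions for the example.

```csharp
// Added example, not the blog's code: output encoding on a page with ValidateRequest="false".
//
//   Page-level (preferred: only the page that needs raw input loses the check):
//   <%@ Page Language="C#" ValidateRequest="false" Inherits="RichTextPage" %>
//
//   Application-wide (not recommended, every page loses the check):
//   <configuration><system.web><pages validateRequest="false" /></system.web></configuration>
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class RichTextPage : Page
{
    protected TextBox CommentBox;   // accepts arbitrary input, including markup
    protected Label EchoLabel;      // echoes it back; Label does not encode, so XSS would land here

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack) return;

        string raw = CommentBox.Text;   // with ValidateRequest off, this may contain <script>...

        // Vulnerable: the raw input reaches the HTML stream unchanged.
        // EchoLabel.Text = raw;

        // Mitigated: HTML-encode at the point of output, so "<script>" is emitted as
        // "&lt;script&gt;" and the browser renders it as text instead of executing it.
        EchoLabel.Text = HttpUtility.HtmlEncode(raw);

        // Alternative with the Microsoft Anti-XSS library, which encodes everything outside
        // a whitelist of safe characters:
        // EchoLabel.Text = Microsoft.Security.Application.AntiXss.HtmlEncode(raw);

        // Encode for the context you write into. A value placed inside an attribute needs
        // HttpUtility.HtmlAttributeEncode, and one placed inside a script block needs the
        // Anti-XSS library's JavaScriptEncode; HtmlEncode alone does not close those contexts.
    }
}
```

Encoding at output rather than validating at input is what makes the rich-text requirement and the XSS mitigation compatible: the stored text keeps its markup, and only the rendering is neutralised.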

Useful resources:


Wednesday, October 24, 2007

PCI DSS Applicability Information

* These data elements must be protected if stored in conjunction with the PAN. This protection must be consistent with PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.

** Sensitive authentication data must not be stored subsequent to authorization (even if encrypted).

Tuesday, October 23, 2007

SQL Injection in Stored Procedure : 2nd Case Study

Stored procedure with dynamic SQL and embedded parameters

The Stored Procedure

CREATE PROC authenticate (@uid NVARCHAR(25), @pwd NVARCHAR(25))
AS
DECLARE @SQLString NVARCHAR(500)
DECLARE @ParmDefinition NVARCHAR(500)

/* Build the SQL string once. The names inside it are sp_executesql parameters, not input values. */

SET @SQLString =
N'SELECT * FROM users WHERE userid = @login AND password = @password'

SET @ParmDefinition = N'@login NVARCHAR(64), @password NVARCHAR(64)'

/* Bind the procedure's arguments to those parameters; the values never become part of the statement text. */

EXECUTE sp_executesql @SQLString, @ParmDefinition, @login = @uid, @password = @pwd

Server side code:

cmd.CommandText = "authenticate";
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.Add("@uid", strUserName);
cmd.Parameters.Add("@pwd", strPassword);

string result = (string)cmd.ExecuteScalar();

In this case, SQL Injection would NOT be possible, because the user-supplied values are bound as parameters rather than concatenated into the statement. Hence what I would like to summarize is: if at all we have to use dynamic SQL in a stored procedure, always pass the values to sp_executesql as embedded parameters.

Friday, October 19, 2007

SQL Injection in Stored Procedure

Let us examine SQL Injection in a Stored Procedure. This is one of the vulnerable cases.

The server side code would be something like:

oCmd.CommandText = "sp_login";
oCmd.CommandType = CommandType.StoredProcedure;
oCmd.Parameters.Add("@loginId", strUserName);
oCmd.Parameters.Add("@password", strPassword);
string result = (string)oCmd.ExecuteScalar();

The stored procedure would be:

CREATE PROC sp_login (@loginid NVARCHAR(25), @password NVARCHAR(25))
AS
DECLARE @SQLString NVARCHAR(500)

/* Build the SQL string once, by concatenating the raw input into the statement text. */

SET @SQLString = 'SELECT * FROM cust_users WHERE login_id = ' + '''' + @loginid + '''' + ' AND password = ' + '''' + @password + ''''

/* The input is now part of the statement, so sp_executesql runs whatever it contains. */

EXECUTE sp_executesql @SQLString


If the user input is as follows:
loginId = ' OR 1=1 --
password = junk

The above stored procedure is open to an injection attack. Executing the procedure will return all the rows, because the injected SQL turns the WHERE clause into login_id = '' OR 1=1 and comments out the password check.


Monday, October 15, 2007

HTTP Pipelines in ASP.NET

1. ASP.Net uses a pipeline model to process incoming requests and provide responses.
2. The steps in the pipeline are:
  • HTTP Runtime
  • HTTP Application Factory
  • HTTP Application
  • HTTP Handler Factory
  • HTTP Handler
3. When IIS receives a request, it checks the extension of the requested page.
4. If the extension is .aspx, then it invokes aspnet_isapi.dll and passes the request to it
5. The aspnet_isapi.dll calls the HTTP Runtime object in the ASP .Net worker process
6. The pipeline is implemented inside this worker process (Aspnet_wp.exe)
7. The HTTP Runtime passes the request to the HTTP Application Factory
8. The Application Factory creates an application object for the request (or reuses an existing one) by looking at which application should be invoked
9. Every virtual folder is a different “application” to IIS
10. The HTTP Application object contains modules or filters
a. The filters can be used to inspect and modify HTTP requests and responses
b. For example, to cloak the banner of the response, or to filter out HTML or script tags in the request
c. Web application firewalls can be implemented as filters
d. The filters that are active for each app can be configured in web.config
11. The HTTP Application Object uses the Handler Factory to create the appropriate Handler to pass on the request
12. The HTTP Handler is the endpoint in the pipeline. It calls the .aspx page/assembly
13. The Handler has a method called “processRequest” that is called by the Application object
14. Custom handlers can be configured in web.config
15. An IIS web server will have only one worker process at a time
16. Each worker process contains multiple app domains
17. App domains are lightweight processes running inside the worker process
18. App domains are .net “processes”, different from the Windows processes
19. Each application runs in a different app domain.
20. These app domains enforce isolation.
21. When multiple requests are made to the IIS server, all of them are serviced by the same HTTP runtime and the same Application Factory.
22. The Application Factory creates new app domains to service concurrent requests

a. Security and HTTP Pipelines in ASP.NET:
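The following C# is an added example (not the blog's code) of a filter in the pipeline described above, doing the two jobs point 10 names for filters: cloaking the server banner on the response and rejecting requests that carry script tags. The module name (SecurityFilterModule), the ForbiddenMarkup list and the web.config fragment are my assumptions; removing response headers this way requires IIS 7 in integrated pipeline mode.

```csharp
// Added example, not the blog's code: an IHttpModule that filters requests and cloaks headers.
//
//   web.config: register the module so the Application object loads it (IIS 7 integrated mode)
//   <system.webServer>
//     <modules>
//       <add name="SecurityFilterModule" type="SecurityFilterModule" />
//     </modules>
//   </system.webServer>
using System;
using System.Web;

public class SecurityFilterModule : IHttpModule
{
    // Crude denylist for illustration. A real web application firewall has far richer
    // rules, and output encoding in the page remains the primary XSS control; this
    // filter is defence in depth, not a replacement.
    static readonly string[] ForbiddenMarkup = { "<script", "javascript:", "onerror=" };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;                   // runs before any handler is chosen
        app.PreSendRequestHeaders += OnPreSendRequestHeaders; // last chance to edit response headers
    }

    static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // Decode the query string ourselves rather than reading Request.QueryString,
        // so the check sees "<script" even when it arrived percent-encoded.
        string query = HttpUtility.UrlDecode(ctx.Request.Url.Query ?? string.Empty).ToLowerInvariant();

        foreach (string bad in ForbiddenMarkup)
        {
            if (query.Contains(bad))
            {
                ctx.Response.StatusCode = 400;
                ctx.Response.Write("Bad request");
                ctx.ApplicationInstance.CompleteRequest();   // skip the rest of the pipeline
                return;
            }
        }
    }

    static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpResponse resp = ((HttpApplication)sender).Context.Response;
        resp.Headers.Remove("Server");            // cloak the IIS banner
        resp.Headers.Remove("X-AspNet-Version");  // and the ASP.NET version
        resp.Headers.Remove("X-Powered-By");
    }

    public void Dispose() { }
}
```

Because the module hooks BeginRequest, it runs for every request to the application before the Handler Factory picks a handler, which is exactly the position in the pipeline that point 10 describes.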

Friday, October 12, 2007

Thick Client Application Security

This article discusses the top vulnerabilities in a two tier thick client application.

A thick client is defined as an application client that processes data in addition to rendering it. An example of a thick client application would be a VB.NET or Java Swing application that communicates with a database.

I have generally observed that these types of applications have weak access controls, weak authentication management, information disclosure, improper error handling or application crashes.

It is interesting to note that most of the Open Web Application Security Project (OWASP) Top 10 vulnerabilities are as applicable to Thick Client applications as they are to web applications.

Let us map them for simplicity.


OWASP Top 10 (Web Apps)                      Thick Client
-------------------------------------------  -------------------------------------------
Unvalidated Input                            Unvalidated Input
Broken Access Control                        Broken Access Control
Broken Authentication & Session Management   Weak Authentication & Session Management
Cross-Site Scripting Flaws                   Not Applicable
Buffer Overflows                             Buffer Overflows
Injection Flaws                              Injection Flaws
Improper Error Handling                      Improper Error Handling
Insecure Storage                             Insecure Storage
Denial of Service                            Denial of Service
Insecure Configuration Management            Insecure Configuration Management

Wednesday, October 10, 2007

PCI Compliance bothering???


When I was reading through the PCI DSS standard, the following requirement was bothering me:

Ensure that all web-facing applications are protected against known attacks by applying either of the following methods:

* Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security
* Installing an application layer firewall in front of web-facing applications.

This method is to be considered a best practice until June 30, 2008, after which it becomes a

My confusion was whether I had to hire someone to do a code review or penetration testing, or whether other means would work. Finally I could clear this up by posting the question to PCI and getting an answer.

What they mentioned was :

Using specialized 3rd-party tools that perform thorough analysis of applications to detect vulnerabilities and defects may well meet the intention and objectives of the source code review requirement in PCI Data Security Standard requirement 6.6, if the company using the 3rd-party tool also has the internal expertise to understand the findings and make appropriate changes.

The PCI Security Standards Council will look to clarify this section of the standard during the next revision, to include that testing of web-facing applications can be done via source code review or products that test the application thoroughly for defects and vulnerabilities (when internal staff have the skills to use the tool and fix defects). The PCI Security Standards Council will also consider including prescriptive requirements as to what both the application firewall and application analysis tool or process should test for.


Finally, I could settle the confusion. I need not go for a third-party review to go through several lines of code, or do it myself. I can very well use tools like WebInspect and AMP to complete this requirement.


Wednesday, October 03, 2007

Westside in Mumbai stores your credit card numbers..


If you are a Mumbai local, I am sure you have visited Westside, one of the famous retail shops. I happened to visit their store in the Andheri (W) Infinity Mall and, to my surprise, when I gave my credit card to be swiped, they swiped it twice. :(
- Once on the processing machine and a second time on his computer.

I asked the fellow, "Why are you swiping my card twice?"

He replies, "Sir, we need to store your card information for tallying it at the end of day."
I was really disturbed by this. They stored my name, card number and expiry date. The only thing remaining was the CVV number. Remember, this is generally a 3- or 4-digit number, usually on the back of the card.

I am surprised that these merchants are allowed to store credit card information. No PCI compliance required ??

I felt like calling up the media (Mumbai Mirror, DNA or the Times) and yelling at them to see what these guys are up to. Why the hell are they storing credit card information, and if they need it, why is it not encrypted?

A hacker's mind would surely think of compromising their database having thousands and thousands of credit card holders information.

To add to all my fuss that day, they gave me a printed receipt to sign off and that too printed my entire credit card number (none of the digits were masked) and even the expiry date.

I am sure there are many such places in Mumbai where credit card information is stored, and it is highly likely that hackers could get inside them very easily. If the merchants or shop owners do not bother to care about credit card information, they must be banned from handling these transactions.

I wanted to raise my voice for all the people who actually opt for credit card transactions. Please make sure, and shout, if you find they are storing your credit card information or swiping the card twice for their own sake. This is illegal.

Visa / Mastercard and other card issuers must look into this matter asap.

Please send in your comments, and let's raise this to get it in the media if possible and spread awareness.



Monday, September 24, 2007

Oracle Default Passwords


Beware of database Default Accounts before you ship your database to production.
I saw this screen while installing Oracle. I think this kind of screen should be shown in all database tools and also there should be a warning mentioning the harm of keeping the default accounts ON in the database.

For now, enjoy this screen... :)

Thursday, September 20, 2007

Introducing - TechTrails

Dear Software Professional ,

So the rupee’s rising. Now why’s that causing sleepless nights for some software exporters? And hey, what’s the net impact on you? Does this rise of the rupee present a great opportunity that could have far-reaching positive consequences? What is the future of the Indian IT industry? What will happen when other low-cost destinations for outsourcing catch up with India? Will India sustain its cost advantage? These are questions that impact your career, and you need an answer on how and what you need to do to get ready for the next wave of Indian IT.
has the answers for you .

This is the only web portal of its kind that will help you, as an IT professional or a student planning a career in IT, to get ready for the future. Thought leadership articles, interviews with industry leaders, tips and tricks, white papers: it has it all. Besides, you would get invited to free seminars and panel discussions on topics that would impact you.

Over time, this would be a place for 3rd-wave Indian IT professionals to hang out, exchange information, share links to their blogs and upload content that would be of benefit to all who are a part of this community.

Registration is free! Rush and register yourself now!

Monday, September 10, 2007

App Security Testing Cheat Sheet


I thought to prepare a brief cheat sheet for Application Security Testing.

Please have a look and drop in your views. In case you wish to use it for your testing, please drop me a mail at dharmeshmm at gmail dot com to notify me about it.

Authentication Checks

1. Login and Change Password pages on SSL?
2. All sensitive pages (accepting SSN, Credit Card) over SSL?
3. Strong Password Policy? (Joe Accounts/Blank Passwords/Max Password Age/Min Password Age, etc)
4. Is Forgot Password page secure?
5. Password Change forced on 1st login?
6. Re-authenticate before moving to sensitive pages (Edit Account Info?)
7. Prompts old password before changing password?
8. Has "Remember Me" feature? If so, how's password stored?
9. Warns before allowing "Remember Me"?
10. Has CAPTCHA to prevent password guessing?
11. Does show error msgs like "Invalid User/Invalid Password"?
12. Can auth. be by-passed for privileged URLs?
13. Is AutoComplete set to OFF?
14. Is password re-submitted on 'Back/Refresh' of browser?
15. SQL Injection in login?

Session Management

1. Is session id random enough?
2. Session Timeout present?
3. Stored in what form? (persistent cookie/in-memory cookie)?
4. Session Id expires on request tampering?
5. Sensitive data in cookie?
6. Can you see X user's data with Y's session id?
7. Session expires at server-side on logout?
8. Can logged out user's session be re-used?
9. Is new session id generated on login?
10. Is cookie over-written on logout?

SQL Injection Checks

1. SQL Injection : '
2. SQL Injection : ' OR 1=1 --
3. SQL Injection : '; waitfor delay'00:00:05'--

XSS Checks

1. XSS Javascript
2. XSS Encoded
3. XSS Cookie
4. Is CSRF possible?

Input Validation Checks

1. Use proxy to by-pass client side validation?
2. Generate errors for information disclosure?
3. Web Page source reveals sensitive application information
4. HTTP Headers manipulation
5. Viewstate manipulation
6. GET and POST parameter manipulation

Secure Storage Checks

1. Are passwords stored in clear text?
2. Is sensitive information like Credit Card encrypted?
3. What encryption algo used? Standard or Proprietary?
4. Is connection string in clear text?
5. Any passwords hard-coded in application?

Browser Checks

1. Check browser history? Are sensitive pages cached?
2. Is data cached by search engines or desktop search engine?
3. Any hard-coded secrets in javascripts?
4. Web Page code reveals sensitive comments?

File Checks

1. Is file upload /download allowed?
2. Can files be downloaded directly from URL?
3. Can malicious files be uploaded?

Environment Checks

1. Are default apps installed?
2. Are default accounts enabled? Do they have strong passwords?
3. Is firewall deployed?
4. Is code obfuscated?
5. Can detect server details using banner grabbing?
6. Are forms bot resistant?

In case you have your views, please feel free to write here or mail me at dharmeshmm at gmail dot com


Get into pay sites for free as a Googlebot

Ever wondered why Google returns search results that lead to sites requiring a registration? How did Google index the site without registering? Many sites want to be indexed in Google to receive more hits, so they let Googlebot in. We can take advantage of this: all we have to do is disguise ourselves as Googlebot, and many sites will let us in without registration.

To do this we have to change the user agent. The user agent identifies the browser and the version you are using. For example, if you go to this site it will tell you what browser you are using, and it finds this out from the user agent.

Changing the user agent is easy; to do this in Opera you have to use these settings:

User Agent: Googlebot/2.1 Compatible:

Firefox users can use this extension and import this file (right click and save) that has a huge list of user agent settings including Googlebot/2.1 and many other spiders/bots.

Internet Explorer users will need to change registry entries. To do this, open Notepad and copy this into it:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
    @="Googlebot/2.1"
    "Compatible"="+"

Then save it as ua.reg and double click on it.

To revert the changes back, you will need to do the same but this time copy this in:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
    @="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Save as oua.reg and double click.

To see if it has worked, go here; your browser should now be reported as Googlebot v2.1.


Wednesday, August 08, 2007

OWASP Mumbai Meet : 6th September 2007

Mumbai Celebrates OWASP Day : OWASP Live 0

OWASP Day - Day of Worldwide OWASP One Day Conferences

Date: 6th September, 2007

Timing: 2:30 PM to 6:00 PM


Plot No A-1, Opposite SDF 4, SEEPZ, SEZ,


Registrations - LIMITED SEATS !!!

The event is FREE to attend.

Event Agenda

2:30 PM - 3:00 PM Welcome Keynote : Dharmesh Mehta, Mastek Ltd.

3:00 PM - 4:00 PM Black Vector of Web Exploitation : Aditya Sood, Sec Niche

4:00 PM - 4:45 PM End User Privacy Breaches : Rishi Narang, ThirdBrigade

4:45 PM - 5:30 PM Advanced SQL Injections : Mastek Ltd

5:30 PM - 6:00 PM Snacks & Networking

Thursday, July 26, 2007

You can be arrested for using free Wi-Fi

A Michigan man has been arrested and will be prosecuted for using a cafe’s free Wi-Fi network from his car without buying anything.

According to reports, Sam Peterson says he didn’t realize he did anything illegal until he was cuffed (nor did the cafe owner or even the police officer).

Prosecutors believe him, so they’re letting him off easy with a $400.00 USD fine and 40 hours of community service.

So let me get this straight - $400.00 and 40 hours of community service is considered being let off easy?

Apparently under Michigan’s “Fraudulent access to computers, computer systems, and computer networks” law, Peterson’s actions could result in a five-year felony and a $10,000 fine, so I guess the answer is yes.

If the prosecutor and the cop believe him, they should just let the guy walk completely.

Moral of the story… if you plan on using the “free wireless internet” at your local Cafe Coffee Day, Crossword store or other favourite hangout, be sure to buy something beforehand.

Sunday, June 10, 2007

Big B Watching or Is this Intrusion of Privacy?

I ain't talking about Big B - Amitabh Bachhan here....
This is about Big Brother - our own police force.

I read an article in the Hindustan Times (April 30th, 2007). In a first-of-its-kind initiative to tackle cyber-crime, the Nashik police are keeping an electronic eye on cyber cafe users. They aim to maintain a real-time photo record of users at cyber cafes and the time spent surfing. This is all done using a software called Webcafe.

Hence, if a user goes to a cyber cafe, his photo, name, address and identity proof get recorded on the main server, which would be connected to a central server located at police headquarters. So every time a user logs on to a computer, the details would be automatically transferred to the police servers. I saw similar photograph-based logs in Hyderabad when I was touring. Now, with these kinds of systems coming into place, we would hope that cyber crimes would reduce, at least those with cyber cafes as the point of origin. I am still not seeing such measures from the cyber crime cell in Mumbai, though.

Let's see the other side of the story. How many of us like to be photographed every time we go to a cyber cafe? What is the guarantee that the cafe owners will not misuse the photographed data? The Indian Penal Code asks cafe owners to keep a manual record of every user. I think this is really an intrusion of one's privacy. If we look at the real-world attackers, the so-called smart hackers will do away with all these measures either by using multiple proxy servers or by spoofing IP addresses to cover their tracks. They have thousands of ways to find a victim for an attack.

I do not say that we should do nothing. But should the measures come at the cost of a general user's privacy? Do the police, now storing this information, guarantee the safety of our data the same way our banks do for online transactions? One also needs to wonder how secure the central servers at the police station are. They surely hold a large amount of personal data now. Are the software and servers tested for security before they store such data?

I think everybody should think about this. Feel free to share your comments here. You can mail me at dharmeshmm at gmail dot com



Tuesday, April 24, 2007

Security Concerns in Web 2.0


I got a chance to submit a paper on security concerns in Web 2.0.
This paper has now been published by OWASP and is available at the links below:

PDF version:

HTML version:

Happy reading !!!
Please feel free to drop in your comments about the paper.
You can mail me at dharmeshmm_at_gmail_com

Dharmesh M Mehta
Mastek Ltd.

Saturday, March 31, 2007

Things to ponder for securing your UI

#1. Clearly describe how to set security

· Ensure that the UI reduces the level of complexity in configuring and managing security
· Are there features to test roles?
· Will users understand how the test features work?
· What are Default Security Roles for New Objects
· When objects are created, what are the default security settings?
· Are users informed what the security settings are?
· Default Security Roles for Updated Objects
· What is the default security mode for updated (sub-) objects?
· Are users aware of the default security permissions?
· Is the security mode appropriate?
· When updating the object, will users think/be prompted to change the security?
· Are there Multiple Methods of Setting Security:
· Are there multiple methods of setting security for an object?
· How are the methods different?
· Do users understand the key differences between the methods? (Will they be able to choose the appropriate method?)
· If a parent object rolls-up security state from its children, is the state accurately rolled up?
· Can I Bulk Edit Security Roles?
· Do users require bulk editing of security roles?
· Are bulk editing facilities provided?
#2. Does the UI provide a means to quickly reset to a secure mode in case of a security lockdown?

• Provide a single place for users to turn off features in a security lockdown.
• If clusters or a group of servers are used, provide a facility to bulk reset.
#3. Does the UI imply security when the system may not be secure?

• Don’t give users a false sense of security: users feel secure when they have set a password. Counter-intuitively, if this password is weak, a blank password is in fact a stronger defense, since the system will restrict certain access if there is no password, but will not do this if a password is present.
• Giving partial or incomplete information can falsely imply security.
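The roll-up question from #1 and the "false sense of security" point from #3 meet in one common UI bug: a container labelled with its own setting while a child inside it is more permissive. The following Python is an added example, not from the original post; `SecuredObject`, the three sharing modes and the sample tree are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Sharing modes ordered from most restrictive to most permissive (constructed names).
MODES = ["private", "team", "public"]

@dataclass
class SecuredObject:
    name: str
    mode: Optional[str] = None                      # None: not set, inherits the parent's
    children: List["SecuredObject"] = field(default_factory=list)

def effective_mode(obj: SecuredObject, inherited: str) -> str:
    """The mode actually enforced: the object's own setting, else the inherited one."""
    return obj.mode if obj.mode is not None else inherited

def subtree_modes(obj: SecuredObject, inherited: str = "private") -> Set[str]:
    """Every effective mode found anywhere in the subtree rooted at obj."""
    own = effective_mode(obj, inherited)
    modes = {own}
    for child in obj.children:
        modes |= subtree_modes(child, own)
    return modes

def naive_rollup(obj: SecuredObject) -> str:
    """What a careless UI shows: the parent's own setting, ignoring its children."""
    return effective_mode(obj, "private")

def accurate_rollup(obj: SecuredObject) -> Tuple[str, bool]:
    """(most permissive mode in the subtree, whether the subtree mixes modes)."""
    modes = subtree_modes(obj)
    return max(modes, key=MODES.index), len(modes) > 1

def describe_for_ui(obj: SecuredObject) -> str:
    """Label that never claims more security than is really enforced."""
    weakest, mixed = accurate_rollup(obj)
    if mixed:
        return f"{obj.name}: mixed (some contents are {weakest})"
    return f"{obj.name}: {weakest}"

def build_sample() -> SecuredObject:
    """Constructed tree: a folder set to private that contains a public file."""
    return SecuredObject("Reports", "private", [
        SecuredObject("q1.xlsx"),                   # inherits private
        SecuredObject("draft.docx", "team"),
        SecuredObject("archive", None, [SecuredObject("board-deck.pdf", "public")]),
    ])

if __name__ == "__main__":
    root = build_sample()
    print("naive:   ", naive_rollup(root))          # private: misleading
    print("accurate:", describe_for_ui(root))       # mixed (some contents are public)
```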
#4. Ensure that the UI provides admins an overview of privileges granted to users

• Ensure that admins have a means to get a system-wide overview of which user has what privileges.
• Excessively granted privileges are a major vulnerability. Ensure that the UI allows admins to easily revoke granted privileges and to clearly see the consequences.
#5. Does the UI actively promote security?

• Ensure that your UI does everything it can to actively help the user secure their system.
• If a user must compromise their system’s security to perform a task, provide some way to automatically restore the system’s security later, or prompt the user to restore the setting when the user has completed the task.
• Make it clear to the user where they need to go to reestablish a secure configuration. Provide direct links wherever possible.
• Enable your feature to be updated easily, using an automatic mechanism such as Windows Update, if security issues appear after it ships.
• Make sure that the most secure option is the default. Explain to users the security issue that makes this the recommended option.
• When the default option is not the most secure option (for reasons of product compatibility or some other intention), indicate visually which setting is the most secure.
• Provide an option to automatically secure the system, such as locking unattended machines.
• Provide a simple means in the UI for users to determine whether preventive measures such as virus signatures are up to date.
#6. Are security messages effective?

• Ensure that security messages are differentiated from other messages. Users are inundated with so many message boxes that they often breeze through these obstacles. Security messages look much like every other message, so users get a mixed message and tend to ignore them. In one usability study, 5 out of 8 participants clicked either Yes or No without reading the security dialog.
• Emphasize security by giving a visual clue that this is a different type of message. Even as users become familiar with the style and learn to click through without reading the text, we alert them to the fact that there is a security issue during the split second we have their attention. Used judiciously, users may even perceive such messages as infrequent enough and visually arresting enough to slow down and pay attention.
• Communicate the level of risk associated with any choice offered in security-related information. Users should be able to identify the severity of the problem, the likelihood that it will affect them, and any necessary steps to correct the situation.
• A high-risk warning has a more lasting impact if the frequency of other messages is low.
• Make information in the message box specific enough for the user to follow up after closing the box, such as searching for the terms in the message to find relevant Help content or links to security features.
#7. Are UI graphics appropriate to the severity of the message?

• Use graphics to reinforce, highlight or convey security information, but ensure that the graphics are appropriate and related to the content.
• Do not use the question mark message icon. This image does not clearly represent a specific type of message or could be misinterpreted as related to Help information.
• Avoid overusing the warning icon. Be sure that the content is truly a warning, and not simply an FYI or something even more serious than a warning.
• Use graphics that look professional and consistent with the product’s look and feel so that the user feels they can trust the source of the message. Work with a designer to define the correct style for icons in your product.
#8. Does the UI's Help assist the user in being secure?

• The Help topic should bridge the gap between the UI and real world usage. The Help topics can be the user’s last hope of understanding a concept or helping them make a decision. Often our Help topics are just as vague, technical and intimidating as the interface the user is trying to understand.
• Address common user scenarios.
• When the user experience is not great, explain how to understand the feature’s design and UI, not just the steps to use it. For example, if the settings for using a feature for a specific scenario are on a different tab or hidden behind a link to “advanced” features, explain that X users can find the settings they want there.
• Where a feature allows users to choose settings that affect the security of their system, explain the security consequences even if it makes it clear that they don’t get to have a perfect solution.
#9. Has the UI been designed to accommodate supplemental security?

• Design the product to anticipate security devices such as smart cards, and biometric products such as fingerprint and retina scanners, which are starting to be used to identify users to the system.

Sunday, February 04, 2007

How do you get Web Testing the right way?

With the prominence of the Internet in business and culture, web applications have grown in complexity and scale, and it has become crucial for organizations to build web systems for scalability and rigor: systems able to withstand expected (and unexpected) spikes and peaks in load.
As web applications become increasingly mission-critical, errors can mean disastrous blows to a company’s business and reputation, as well as exposure to potential legal and financial liability.

With global access to systems, nonfunctional requirements such as security, performance, scalability, and availability suddenly become strategic. Many Internet systems are tested for performance and scalability only after the bulk of the functionality is built.

Since companies now realize that errors in web application performance and functionality can be insidious, occurring as a result of multiple causes, and risky and costly to fix, they are becoming more proactive in their web testing. The question then becomes not whether a website is tested, but how well it was done.

To assure confidence in application deployment, in shorter project timeframes, testers must take a realistic and an integrated approach to testing.

Start by simulating concurrent users as realistically as possible. For example, an online shopping site should mix many prospective shoppers with some purchasers and a few administrators. Each role will stress the application differently, giving you a realistic view of how your users will experience your application.

Automation tools can help you simulate real-world variables at run time, such as different levels of SSL encryption, multiple client types, variable “think” times or the effect of slow line speeds.

The advantages of testing with an integrated, flexible solution cannot be denied. It is possibly the best way to identify problems sooner, reproduce them faster, and resolve issues earlier.

While designing this series of realistic tests, we need to determine the crucial factors to be evaluated: for example, how many users to simulate, the expected page load time, the hardware required for these scenarios, the CPU utilization on the servers, the memory consumption at peak load, and much more. Bear in mind that your performance testing, while it may be focused on the end user’s experience, needs to uncover problems further back in the system. It does no good if the system performs well but uses so much server memory that it crashes your servers after a few days in production.

Performance is the speed at which a system responds to user actions. Scalability is the relative ability of a system to maintain its performance when under load. Load is measured by the number of simultaneous requests that are dispatched to a system.

Scalability testing should verify your application’s data integrity while verifying its performance. Both should be validated under load for every individual user. After all, what good is a speedy response from your web server if it is only delivering a “busy” message back to the user – or, worse yet, delivering subtle data errors?
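To make the combination of a realistic role mix, think times and per-user data-integrity checks concrete, here is a miniature load harness added as an example; it is not from the original post and does not represent any particular tool. `StubShop`, `ROLE_MIX`, `run_load` and the stub's injected fault are constructed for the example, and the backend is an in-process stub so the harness runs offline.

```python
import random
import threading
import time
from concurrent.futures import ThreadPoolExecutor

# Role mix from the post: many shoppers, some purchasers, a few administrators.
ROLE_MIX = {"shopper": 0.80, "purchaser": 0.15, "admin": 0.05}
PRICE = 19.99   # constructed catalogue: a single item at a single price

class StubShop:
    """Stands in for the web application so the harness runs offline (constructed).
    lossy=True models a subtle data error: every 7th order comes back with total 0."""
    def __init__(self, lossy: bool = False):
        self.lossy, self.orders, self.lock = lossy, 0, threading.Lock()

    def request(self, role: str, qty: int) -> dict:
        time.sleep(0.001)                            # simulated server work
        if role != "purchaser":
            return {"status": 200, "total": None}
        with self.lock:
            self.orders += 1
            n = self.orders
        total = 0.0 if self.lossy and n % 7 == 0 else round(PRICE * qty, 2)
        return {"status": 200, "total": total}

def expected_total(role: str, qty: int):
    return round(PRICE * qty, 2) if role == "purchaser" else None

def run_load(shop: StubShop, users: int, seed: int = 1, think=(0.0, 0.002)) -> dict:
    """Drives `users` concurrent virtual users (the load) and reports p95 latency
    (performance) plus integrity failures: a fast HTTP 200 carrying a wrong total
    still counts as a failure, checked per user rather than only per run."""
    rng = random.Random(seed)                        # fixed seed: repeatable mix
    roles = rng.choices(list(ROLE_MIX), weights=list(ROLE_MIX.values()), k=users)
    qtys = [rng.randint(1, 5) for _ in roles]
    thinks = [rng.uniform(*think) for _ in roles]    # variable "think" times

    def one_user(role, qty, pause):
        time.sleep(pause)
        t0 = time.perf_counter()
        resp = shop.request(role, qty)
        latency = time.perf_counter() - t0
        ok = resp["status"] == 200 and resp["total"] == expected_total(role, qty)
        return latency, ok

    with ThreadPoolExecutor(max_workers=users) as pool:
        results = list(pool.map(one_user, roles, qtys, thinks))
    lats = sorted(lat for lat, _ in results)
    return {
        "users": users,
        "p95_ms": round(lats[int(0.95 * (len(lats) - 1))] * 1000, 2),
        "integrity_failures": sum(1 for _, ok in results if not ok),
        "roles": {r: roles.count(r) for r in ROLE_MIX},
    }
```

Running `run_load(StubShop(), 50)` against the clean stub reports zero integrity failures, while `run_load(StubShop(lossy=True), 200)` surfaces the dropped totals even though every response was a fast 200.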

Tuesday, January 02, 2007

Security among The Hottest Skills for 2007

With fewer openings this year, expect these five premium skills to win the jobs

Top skills IT executives say they will hire for in 2007:

1. Programming/application development
2. Project management
3. IT/business analysis
4. Security
5. Help desk/technical support

Source: Computerworld's quarterly Vital Signs survey