Monday, November 01, 2010

OTP adoption from India to the US?

One Time Password (OTP) is a password that is valid for only one login session. It is a popular authentication mechanism in India. It is essentially in use with Banking and Stock Broking Apps to do a two-factor authentication. SMSes on your registered mobile phone is been predominantly used as a medium to accomplish this second factor of authentication.

Recently, Facebook announced to users that they now have the option of texting "otp" to 32665 from any U.S. mobile phone to receive an OTP via SMS that is good for 20 minutes of log-in time to their Facebook account.

Nice to see Facebook working on the security front for once rather than endless feature updates. It has had its fair share of security woes so it’s nice to see they are doing something which I think may be genuinely useful for it’s burgeoning user base.

In India, a lot of banks use a similar way called Transaction Authorization Code. A OTP when you want to carry out a transaction which involves moving money out from your account (bill payment, fund transfers etc).

This method can provide security but it will not eliminate hackers from getting access to Facebook account. Using non secured network without encryption and other security measures will get the situation back to square one.

It would be also nice if you had security like GMail account security feature, which provides the information if there is a connection opened on my account from another location and monitor all latest ip’s logged into the session.

Monday, June 28, 2010

Getting Hands Dirty with Ettercap Tool

Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.

Over last few weeks, I have been fiddling around with this tool to test one of the applications. I found the tool has some real good capabilities. Sniffing over a switched network is not easy. However, using Ettercap, I managed it quite nicely.

In an Ethernet network computers communicate with each other via Ethernet MAC addresses. So, there is a mechanism needed for matching of IP addresses with the addresses in an ethernet network. The mechanism is called ARP (Address Resolution Protocol).

What ARP does is exactly what most people do, when they have to find Mr. X in a crowd of people - they shout loud enough, so that everyone can hear them and expect Mr. X to answer, if he is there. When he answers, we will know who is he. When ARP wants to know whats the Ethernet address matching a given IP address it uses an Ethernet technic, called BROADCASTING, with which the datagram is addressed to all the workstations in the network. The broadcast-datagram sent by ARP contains a request for the IP address. Every computer, received that request compares the requested address with its own IP address and if they match, it sends an ARP reply back to the asking computer. After rreceiving the reply, the asking computer can get the Ethernet address of the computer it is looking for, from his reply. After the computer finds an Ethernet address, he stores it in its ARP cache (ARP table), so he won't need to look for it the next time he wants to send a datagram to the same address. However, it is not good this information to be stored forever (the Ethernet adapter of the other host may be replaced for some reasonm and the entry for the computer's IP in the ARP cache will become invalid). So the entries in the ARP cache expire after a period of time.  Most operating systems will replace an entry in their ARP cache even if they haven't sent and ARP request before. That allows a MITM (Man-In-The-Middle) attack to be performed.

Wednesday, March 10, 2010

About the 'Rugged' Initiative

As most of the readers on my blog would be knowing, the Security experts in February launched a new effort to ensure software is written from the ground up with security in mind -- a philosophy and message they're aiming at people outside of the security industry.

The Rugged Software Development initiative is basically a foundation for creating resilient software that can stand up to attackers while performing its business or other functions.

"It's more of "a value system" for writing secure software, versus a compliance program, according to its founders,who hope to incorporate the tenets of rugged code development into computer science programs at universities."

A couple of years back, I remember posting a blog article, if basic security mantras could be incorporated in the Computer Science & IT Courses in Universities. Here is the link to the same: http://smartsecurity.blogspot.com/2008/04/can-security-be-incorporated-in.html . I was happy that to learn that 'Rugged' did have this as a part of its initiative. Question is, "When will Indian Universities understand and incorporate the same?" The Indian IT industry spends so much on training costs, as more than 70% of fresh graduates are not employable/productive right away.

This isn't the first industry effort to push developers to bake security into their code. There have been several before like: Homeland Security's Build Security In guidelines, Microsoft's Software Development Lifecycle (SDLC) framework and tools, Building Security In Maturity Model (BSIMM), where financial services firms are comparing notes and sharing their secure coding strategies and experiences and OpenSAMM (Software Assurance Maturity Model), an open-source model aimed at becoming an industry standard for secure software development.

Rugged doesn't include any new frameworks for secure coding, however, and instead will serve as an "on-ramp" for secure software development, Rugged is different because it's aimed at people outside of the security realm. Rugged is specifically targeted at people out of the security context.

Getting the secure software development message to the masses won't be easy, and the plan is to get some initial support and momentum from the application security industry.

Unfortunately, most developers don't know what it means to write secure code, and worse they think they already write secure code if they write high quality code. Software security practitioners have struggled to get past this mindset.

Rugged code is a way of breaking through and instilling a mindset that secure code should be a pride-of-ownership issue just as much as elegant, high performing, and high quality code is.

Tuesday, January 26, 2010

Plenty of (IN)Secure Broadband Routers

SShh.....The Problem of Default Passwords for the Wireless Routers still exists in most parts of the country. The Mumbai terror attacks did bring in a concern for people using Wireless Networks and not have secured them. However, time and again I have been still snooping into the so-called 'Secured' Wireless Networks because the routers admin password is still set to default. Crazy !!




BSNL, the most widespread broadband provider, supplies its own ADSL Router which is been configured by the BSNL line-man. Since most of the broadband customers are not so tech-savy, they understand very little about the technical configuration done in the Wireless Routers.

YOU and I know that default configuration of the broadband router is insecure. We may be good guys, may be the bad guys too. The default login to the router's admin console via username: admin and password admin is very silly to get into the broadband connection. The encryption security or the password key provided has not much of security to be provided now.

3 things that I see from this point:
a) Can the end-users be educated about the 'french-latin' of router security?
I assume Success Rate as very low
b) Can the Internet Service Provider person configure a 'lockdown' version of Secure Routers?
I assume Success Rate as low to moderate
c) Can the router device manufacturers start providing warning messages if their devices are running on default passwords?
I assume Success Rate as moderate

Any comments are welcome !!

Mumbai to Host India’s First e-Crime Forum













On the 23rd and 24th February, a leading cyber crime security event, e-Crime India, will be staged in Mumbai for the first time. With the support of OWASP India, Data Security CounciI of India (DSCI) and The Institution of Electronics and Telecommunication Engineers (IETE), the forum will be hosted at Hotel Novotel, Juhu Beach, Mumbai.

India’s foremost cyber crime experts and IT security professionals will convene to address the key challenges faced by the people whose job it is to tackle e-crime in India and issues connected with electronic risk. Internationally renowned Cyberlaw expert, Mr. Paven Duggal, will deliver a special address to the forum. Chief information security officers from leading banks, including Bank of India, ICICI, State Bank of India, Standard Chartered and HSBC, and global corporations such as Vodafone, Walt Disney, and Reliance Life, will join him on the podium. The forum will also hear presentations from leading academics and high-ranking law enforcement officials, including the senior inspector of police at Mumbai’s cyber police station.
Over 250 senior decision makers from business, government, and law enforcement are expected to attend the event, which is being sponsored by organisations including HDFC Bank and Websense.

As one of the most rapidly developing countries in the world, India has seen an enormous increase in internet users in recent years and accordingly e-crime in India has grown at an increasingly alarming rate, costing the Indian economy an estimated $50 billion annually.
e-Crime India is a major initiative and is the newest member of the e-Crime Congress family of events following e-Crime Middle East, which was hosted in Abu Dhabi, December 2009. The e-Crime Congress, hosted annually in London attracting over 550 professionals from over 40 countries, recognises the need for international cooperation. Peter Brady, Business Development Manager of AKJ Associates, who organise the forum, says: ‘we are very happy to be coming to India, because cyber crime is a truly worldwide problem that is of concern to everyone. The e-Crime Congress has established a global reputation over the past eight years for its cutting edge agendas that deliver key information on the latest e-crime threats and practical guidance for overcoming them. We take pride in bringing together the right people to share information and combat cyber crime around the world collectively.’ Manoj Saha, Managing Editor of Dickenson Intellinetics, who are partnering AKJ Associates for e-Crime India, added: ‘as an organisation deeply involved with events related to financial markets, private equity and investment banking, e-crime India is a natural value adder to professionals in the Indian banking, corporate and financial markets - we are delighted to partner with AKJ Associates in making e-crime India the destination event that no security professional should miss.”

Click Here For Complete Details of Event: http://www.e-crimecongress.org/india/