Wednesday, September 28, 2011

What do you say? Yes / No / Don't Care

Mobile or Immobile

Wednesday, July 27, 2011

7 UID bogus centers shut down

In what comes as an addition to fraud incidents in the city, seven Unique Identification Centers were shut down by the civic corporation on Monday. The Thane Municipal Corporation (TMC) closed down these seven bogus UID centers where several citizens have already got their UID forms enrolled.

However, the process will be declared as void as these centers are not legal. The seven mentioned centers were operating without any permission from the authorities since the past few months. Two centers in Panchpakhadi, Lokmanya Nagar and Khopat each and one center in Vrindavan society were shut down by the municipal corporation. The TMC has made it clear that citizens who enrolled themselves in these centers will not get their UID cards and will have to enroll themselves all over again at an authorised centre in the city.
Informed sources from TMC maintained that Vakhrangee Software Ltd. was using a bank's name to provide UID cards to citizens and some Maharashtra Navnirman Sena activists were believed to be running the bogus centers. It is learnt that a corporator informed the civic body about the bogus centers following which the TMC took a stern action and Additional Commissioner of TMC, L R Gupta, summoned Rahul Devpal, the owner of the software agency. During interrogation, it was revealed that these centers were bogus.
Many citizens have already enrolled themselves for the scheme but will again have to redo the process. A woman requesting anonymity said, "My son went to the center at Vrindavan Society and waited there for around four hours to get himself enrolled. All those efforts have proved futile. The civic body had opened 40 such centers in the city this year and each center enrolls 50 person's UID forms each day. The government had allotted the work to authorised banks, government undertaking organisations and others. The central government started the UID scheme which is also known as Aadhar to provide citizens a 12-digit identification number under the Unique Identification Authority of India.

Tuesday, July 26, 2011

Mobile Apps Security – Are you worried?

Smart Mobile devices are now increasingly been adopted by the consumers and in the enterprise leading to a number of organizations interested in custom development of mobile applications. Software vendors developing mobile applications are on most occasions feeling enormous pressure to meet extremely tight Go to Market timelines. This often leaves security neglected or compromised.

The trends already mention mobile apps taking a plight in the financial sector, with online banking, online trading apps. Security, although a prime driver for custom development, is one of the hardest aspects to get right. The industry is starting to see the security & privacy concerns in developing mobile applications. Initiatives and best practices are been released by groups like OWASP that have been addressing mobile security in a big way. There is a need to leverage the native security APIs of the platform, handle sensitive data with care, and choose the right data protection classes for the mobile application architecture. Let us make an attempt to look at few critical weaknesses you should be worried about while developing mobile applications.

Data Stored on Mobile Devices
In most mobile application designs, it is observed that the mobile device stores or caches some information. Due to limited constraints on the space availability on today's mobile devices architects go ahead and exercise this option. People often default to storing the sensitive information too in clear text. Mobile platforms like Android and iOS are susceptible to rooting or jail breaking, which gives users unrestricted access to the underlying file system. Using this root level access, malicious users or malicious applications can easily retrieve the sensitive information stored on the device.

Weak Cryptography
Data security is another concern when in transit or stored. While choosing to store sensitive data on mobile devices, designers often employ encryption techniques. Few platforms like iOS do provide API's to encrypt data; however, these platforms are yet to get a strong key management technique or protocol. Android too provides APIs for cryptographic primitives, but no built-in protocol for key management. Designers may find themselves having to make decisions about what to use to generate keys, how to use them, and where to store them. Often they end up selecting a strong encryption algorithm, but choose a poor key management protocols. When you have weak cryptography design and keys are stored on the device, shared between users, or hardcoded, they do not provide adequate protection to the data.

Moving Substantial Business Logic Client Side
Designers tend to move a substantial amount of business logic to mobile devices unaware of it implications. When developing rich client applications, users are given direct access to a particular service, while maintaining a simple and attractive user experience. Incorporating business logic such as password re-verification can often lead to unexpected security issues. Like web based attacks, a malicious attacker could use a simple HTTP proxy that captures requests and responses and alter the response from the server to bypass security controls built in by the application’s logic.

Relying on Client Side Data Validation
In current business scenarios, users need to access enterprise applications both from the web and the mobile devices. Attackers have been abusing the weakness of client-side data validation in web since long time now. Data validation weakness has crept into application development in the mobile application space. Hackers can easily bypass client side data validation by using a proxy between the mobile app and the server.

There’s the old joke about two hunters running from a lion, and the one runner says to the other: we can’t outrun the lion. And his buddy replied, “I don’t have to outrun the lion, I only have to outrun you.” Many, over the years, have applied the same logic to application security: If their software is ‘secure enough’ attackers will move on to easier targets. Mobile application security is an easy target for attackers currently and you need to address security on priority.

Thursday, March 17, 2011

Simple Autocomplete

IRCTC - India's Rail Ticket Booking Website which is sought to be a secure platform for the citizens booking their tickets has few simple security configurations missing.

An example is the auto-complete not set to off on their payments page - a practice which most of the secure web applications follow for sensitive pages right from login page. Below is a snapshot.

Tuesday, March 15, 2011

Past few months


For the past few months or rather lemme say a year, I haven't been actively writing out here. I have been spending my time on other security aspects of my life. I secured myself from being a bachelor (got married :D), secured my Post Graduation (completed my Executive Management from IITB) and secured my job too. :)

Interestingly am back into security work doing a product development in space of data privacy. There have been many trends that I have been watching and techniques which I have learnt. Will be sharing via blog posts often now.