Monday 27 October 2014

Is our Data being Protected by Service Providers?

Nearly 7 million Dropbox usernames and passwords have been reportedly hacked, apparently from third-party apps that allowed users of app to access their accounts. The leak was sighted on a site called “Pastebin, where hackers have already leaked about 400 accounts site address http://pastebin.com/NtgwpfVm. The hackers promised to release more accounts in return for “Bitcoin” donations. The hackers claim to have over 6.9 million email addresses and passwords belonging to Dropbox users.

In a statement Dropbox denied that it was hacked: This is not very Surprising………

Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We'd previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have expired as well.

Does it sound familiar? It's a similar response to the one Snapchat had provided when hackers were able to obtain about 100,000 photos from the service through a third-party apps. This establishes that the fact: the mobile app's core feature - delivering photos and videos that vanish seconds after viewing - is flawed. Snapchat then claimed that its servers weren't hacked, but the servers of a third-party app designed to save Snapchat photos.
The real problem in both cases appears to be the way popular services allow third-party apps to use their platform. Even though Dropbox's own servers weren't hacked, the service still allows third-parties access, which has become the target for hackers to obtain personal information. Dropbox is sending affected users emails encouraging them to reset their passwords.
This is an alarming situation. Services like Dropbox, Snapchat, and Apple have pushed blame on users and other third parties following recent reported hacking attempts when it's clear they're not doing enough to scrutinize the kinds of apps that have access to their platforms.


This brings me to an important question, are we safe while using such services. Is our data and identity being protected by service provider? Can the regulators help us by framing appropriate laws that will ensure accelerated usage of such services?

Tuesday 14 October 2014

Application Security- Have you plugged the risks in your Plug-ins?

Like all competitive businesses, application developers and operation teams are constantly under pressure to move applications to production environment quickly. Everybody wants their application security efforts to be effective, but only if they don’t unduly impede workflow, impact timelines or drive up costs. It is extremely difficult to balance these potentially-competing objectives.
When web applications are breached, enormous amounts of sensitive business data can be lost. According to Verizon’s 2014 Data Breach Investigations Report, web application attacks more than doubled in 2013 to become the number one cause of security incidents. These types of attacks can occur at organizations of all sizes and levels of IT sophistication, and can affect tremendous amounts of data. Web applications are popular targets as they are accessible to almost anybody in the world, they are a conduit to an enormous amount of valuable data and they are commonly riddled with weaknesses. The financial impact of such exploits is substantial. According to the Ponemon Institute’s 2013 Cost of a Data Breach Study, U.S. breaches cost $188 per record stolen, with an average total cost of $5.4 million per incident.

Fortunately, most web application attacks follow a small number of patterns. Like other application flaws, web application security defects arise during software development. Cross-Site Scripting (XSS) is one of the most widely-found and dangerous vulnerabilities in web apps. XSS can have a big impact on your organization because it enables attackers to send untrusted code to users’ web browsers under the guise of your business’s legitimate app. This enables attackers to execute scripts in victims’ browsers to hijack a session or download malware to take full control of their system.
The second type of Vulnerability is injection attacks that come in many different flavors, including: SQL injection and command injection (inserting system commands into a form field). SQL injection attacks are among the most widely known. Attackers send malformed inputs to your application (for example adding extra characters to the ends of a type-in field), which then gets passed to a database. The maliciously-formatted input tricks the database into returning excess information or performing unwanted actions.
Fortunately, you can combat these and other vulnerabilities by following a few straightforward best practices and employing new automated technologies.


  •    Collaborative Approach: Web application security requires ongoing collaboration among the involved teams: business leaders, IT leaders, development, operations, and security groups. Having demonstrable leadership backing makes it easier to put that collaboration in place and obtain necessary resources.
  •   Development Discipline: Application security cannot be implemented as an afterthought. It has to be finely ingrained into the development process and enforced at major milestones. Security should be explicitly considered when the technical requirements of the application are being defined, during coding, during testing, in the QA phase, and when applications are put into production.
  •    Training for all Stakeholders: Secure coding is a skill unto itself that requires developer training. When developers, server admins, and others build and deploy applications, it’s essential that they be aware of where security flaws can come from. Making applications resilient to attack is tough if you do not know what to look for, even if you’re equipped with the right tools.
  •      Threat simulation: Before you can protect your applications, data and other IT assets, you have to understand the fundamentals behind a potential attack. In particular, it’s critical think about who might have the motive, opportunity, and means to attack.
  •     Automated Testing: While many problems can be avoided by focusing on security during development, some vulnerability will inevitably sneak in. This is where having the right application security tools and technology makes a huge difference.
  •     Changes to Applications: In the ideal world, applications would always be perfectly secure; realistically, bugs happen or changes are requested and that is when vulnerabilities inevitably appear. But fixing and deploying changes to applications takes time and security considerations are not kept in mind. This needs to change and it needs to follow regular development process.


How to Secure Mobile Devices – Right way to implement BYOD

Corporate users are taking to smartphones and tablets in a big way: they appreciate the intuitive and user-friendly way these advanced mobile devices deliver access to the Corporate information, Web, communications and entertainment services. For many people, it’s now hard to imagine life without the instant access to enterprise Information, personal communications, social networking and media sharing sites that such devices provide. When these users go to work, they increasingly want to use these ever more powerful and capable devices for business applications too, and this presents a challenge for information security Professionals. Each of the corporate users has their own preference in terms of Smart Phones and Tablets. Hence standardization of these consumer devices is becoming a big challenge for CIOs. In addition most of the corporate users would not like to compromise on access to private data while in office. Hence implementing stringent security policies is becoming a nightmare for Chief Information Security Officers.

In addition, many of the most popular mobile devices were not designed from the start as business tools, and do not offer levels of security comparable to current desktop and laptop computers. What is more, the way these devices are used blurs the line between personal and business usage and behavior. The potential risks include misuse of the device itself, outside exploitation of software vulnerabilities and the deployment of poorly tested, unreliable business apps and most importantly leakage of corporate data. The question of who owns the device can also have legal ramifications on mobile device management and the remote wiping of devices should the need arise.
 By putting in place the right working practices, usage policies and management tools, your organization can benefit from the advantages that these devices can bring to the workplace while minimizing exposure to the potential risks.
Our end-to-end solution maps out how you can respond to the ‘consumerisation’ challenge today – whatever stage you are at – based on current efforts to formulate good practice. It offers independent guidance on how to plan your security response not only in terms of how your employees use consumer devices, but also in terms of protection solutions, provisioning and support, and meeting statutory requirements.

Email: enquiry@allieddigital.net
Website: www.allieddigital.net

Big data- Big Security Challenge

Big data, a general term for the massive amount of digital data being collected from all sorts of sources, is too large, raw, or unstructured for analysis through conventional relational database techniques. Almost 90% of the world's data today was generated during the past two years, with 2.5 quintillion bytes of data added each day. Moreover, approximately 90% of it is unstructured. Still, the overwhelming amount of big data from the Web and the cloud offers new opportunities for discovery, value creation, and rich business intelligence for decision support in any organization. Big data also means new challenges involving complexity, security, and risks to privacy, as well as a need for new technology and human skills. Big data is redefining the landscape of data management, from extract, transform, and load, or ETL, processes to new technologies (such as Hadoop) for cleansing and organizing unstructured data in big-data applications.
Although the business sector is leading big-data-application development, the public sector has begun to derive insight to help support decision making in real time from fast-growing in-motion data from multiple sources, including the Web, biological and industrial sensors, video, email, and social communications. Many white papers, journal articles, and business reports have proposed ways governments can use big data to help them serve their citizens and overcome national challenges (such as rising health care costs, job creation, natural disasters, and terrorism). There is also some skepticism as to whether it can actually improve government operations, as governments must develop new capabilities and adopt new technologies (such as Hadoop and NoSQL) to transform it into information through data organization and analytics. An additional big data security challenge is that big data programming tools, including Hadoop and NoSQL databases, were not originally designed with security in mind. For example, Hadoop originally didn’t authenticate services or users, and didn’t encrypt data that’s transmitted between nodes in the environment. This creates vulnerabilities for authentication and network security. NoSQL databases lack some of the security features provided by traditional databases, such as role-based access control. The advantage of NoSQL is that it allows for the flexibility to include new data types on the fly, but defining security policies for this new data is not straightforward with these technologies. So what can be done to help bring the security of traditional database management to big data? Several organizations describe and define different security controls.

How to Secure Big Data 

Application Software Security. Use secure versions of open-source software. As described above, big data technologies weren’t originally designed with security in mind. Using open-source technologies like Apache, Accumulo or the .20.20x version of Hadoop or above can help address this challenge. In addition, proprietary technologies like Cloudera Sentry or DataStax Enterprise offer enhanced security at the application layer. Specifically, Sentry and Accumulo also support role-based access control to enhance security for NoSQL databases.

Maintenance, Monitoring, and Analysis of Audit Logs. Implement audit logging technologies to understand and monitor big data clusters. Technologies like Apache Oozie can help implement this feature. Keep in mind that security engineers in the organization need to be tasked with examining and monitoring these files. It’s important to ensure that auditing, maintaining, and analyzing logs are done consistently across the enterprise.

Secure Configurations for Hardware and Software. Build servers based on secure images for all systems in your organization’s big data architecture. Ensure patching is up to date on these machines and that administrative privileges are limited to a small number of users. Use automation frameworks, like Puppet, to automate system configuration and ensure that all big data servers in the enterprise are uniform and secure.

Account Monitoring and Control. Manage accounts for big data users. Require strong passwords, deactivate inactive accounts, and impose a maximum permitted number of failed log-in attempts to help stop attacks from getting access to a cluster. It’s important to note that the enemy isn’t always outside of the organization. Monitoring account access can help reduce the probability of a successful compromise from the inside.

Organizations that are serious about big data security should consider these first steps. Cyber criminals are never going to stop being on the offensive, and with such a big target to protect, it is prudent for any enterprise utilizing big data technologies to be as proactive as possible in securing its data.


What is Phishing?

Phishing is online identity theft in which fraud actors trick unsuspecting Internet users into submitting personal information to illegitimate web sites. Phishing scams are usually presented in the form of spam e-mails or pop-ups and are often difficult to detect. Once the fraudsters obtain your personal information, they can use it for all types of identity theft, putting your good reputation, credit and good name at risk. Because phishing is one of the most devious forms of identity theft, it is important to become familiar with various types of phishing scams as well as to learn how to guard against them.
There are multiple ways to avoid identity theft and thus prevent Phishing attacks. To help you protect yourself from phishing, we offer the following information. Please note that these are some of the indications that we are presenting. However fraud actors are always innovating probably at a faster pace than us to trick unsuspecting users.


1. Guard against spam. Be especially cautious of emails that:
  •  Come from unrecognized senders.
  •  Ask you to confirm personal or financial information over the Internet and/or make  urgent requests for this information.
  •  Are not personalized.
  •  Try to upset you into acting quickly by threatening you with frightening information.
2.  Communicate personal information only via phone or secure web sites:

     When conducting online transactions, look for a sign that the site is secure such as a lock icon on the browser’s status bar or a “https:” URL whereby the “s” stands for “secure” rather than a “http:”. Also, beware of phone phishing schemes. Do not divulge personal information over the phone unless you initiate the call. Be cautious of emails that ask you to call a phone number to update your account information as well.

3.  Do not click on links, download files or open attachments:
  •  Most fraudsters send emails that contain links which point you to a phishing site.    Refrain from clicking on such links.
  •  It is best to open attachments only when you are expecting them and know what they  contain, even if you know the sender.
4.  Never email personal or financial information:

 There have been occasions when emails of a person close to you have been impersonated  and sent to you. In such cases also do not disclose any of your personal information even if  you are close with the recipient. You never know who may gain access to your email  account, or to the person’s account to whom you are emailing.

5.   Beware of pop-ups:
  •   Never enter personal information in a pop-up screen.
  •   Do not click on links in a pop-up screen.
  •   Do not copy web addresses into your browser from pop-ups.
  •   Legitimate enterprises would never ask you to submit personal information in pop-up   screens, so don’t do it.
6.   Protect your computer:

Each desktop/Laptop should be protected with a firewall, anti-spam filters, anti-virus and anti-spyware and anti-malware software. Do some research to ensure you are getting the most up-to-date software, and update them all regularly to ensure that you are blocking from new viruses and spyware.

7.    Check your online accounts and bank statements regularly to ensure that no                     unauthorized transactions have been made.

We have solutions for protecting your end-user devices like Laptops, Desktops etc. We have partnerships with leading providers of Anti-Virus, Anti-Malware, Anti-Spyware, Anti-Spam software. In addition we know how best to implement it, define policies around it and last but  not the least keep them updated so that you get unlimited protection against Phishing attacks.