Wednesday, March 6, 2013

Smart Phones, are they really Smart? [InfoSec Perspective]

It was a pleasant night. I was having dinner when I got a call from my friend saying she had lost her phone! If it were 2005-08 nobody would have panicked, but this is the Droid Age! So I left my dinner half done to search for her lost phone.

How many of you use smart phones? Today you will rarely find someone who is not using Android/WP/BlackBerry. Smart, isn't it? But it's rightly said that with great power comes great responsibility. In the case of smart phones it's the responsibility of protecting the data within them.

Let's take a scenario: when you buy a Droid phone the very first step you take is 'Configure Google Account' on the device. By doing so you are downloading your email headers directly onto the phone, syncing contacts with or without email IDs, mobile numbers and what not. What is all that? It's data, which holds tremendous untapped value (unless somebody sells it in the market!). Most people don't realize it until it falls into the wrong hands.
Another scenario: you flaunt your Droid phone with its 5/8/12 megapixel camera, with blah blah features and lens. And of course you click 1000s of pics; to hide some candid and *strictly private* photos you make folders inside folders and put them there [general case]. These smart phones give you the extra power of storing the location of the photos you have clicked! Great, isn't it? But imagine if you lost your phone and somebody copied all your photos onto a computer and made great use of them!

So what to do? Come on, I'm not going to suggest that you stop using *Smart Phones*; all you need to do is be a little smart in order to use one!

My suggestions:

Step 1: Use an invisible pattern (1000 times better than visible patterns; it protects you from shoulder surfing) or a passcode to give your smart phone basic security.
Step 2: Go for the free antivirus apps available in the market place; many of them have a *Theft Protection* feature. The moment somebody takes the SIM card out of your mobile and puts in another, preset mobile numbers get an alert about the loss of your mobile, and some of them also provide the current location of the phone!
Step 3: Nowadays SD card locker apps are available in the market for free; do use one. Most of the photos, messages and other app data are stored on the SD card. If you apply this extra layer of security, it'll be hard to retrieve the data, and repeated wrong password attempts will eventually erase the data on the SD card.
Step 4: Remote Wipe - this is a part of Mobile Device Management (MDM), and it's of great help because it can erase your data remotely if you happen to lose your phone.

If these preventive measures are already in place, then if you lose your phone somewhere it's most likely that you'll worry only about the mobile device and not the data!

Smart Phones are not Smart without you being it first!


I don't want to claim that implementing the above controls will make your phone risk free, but it'll definitely make it less vulnerable to data theft/loss.

Saturday, January 5, 2013

Is your Website Secured?

For the first time I started playing with HTML when I was in Junior College (post school - 11th Standard). I learnt HTML and the basics of scripting - Java, ASP, VB - at that tender age, heh! In my educational life I always loved programming languages; even though I couldn't master any, I loved playing with them! I always loved creating simple websites, mostly static because I couldn't do much hands-on when it came to scripting. By the way, I created a website for my girl (back in 2008/09) with funky love songs running in the background; I ended up taking that website down when her mother saw it! Funny, isn't it? Well, it wasn't! :-D

So since then, whenever I come across any website I have a habit of looking at its source code, just like that! And I still continue that habit ;-)

There are two recent incidents because of which I thought to write this post. Being a student of MBA - IT Business Management with a special interest and specialization in Information Security, I always try to find vulnerabilities in everything around me, and this includes people as well! Jokes apart, I came across two websites of premier B-Schools from India. These B-Schools are very renowned and people from all around India participate in their events. One of them comes in the top 20 B-Schools of India *cough* *cough*

So when I heard about an event arranged by this 'One of the Top 20 B-Schools of India', say college 'ABC_1', I came to my hostel and started browsing through its website. Trust me, the user experience was pathetic! And as usual I right clicked >> View Page Source. I noticed a strange thing in this website: there were a couple of places where they had commented out many things, mostly images and links of sponsors. I felt it was a bit unusual, so I browsed more and finally thought to check its directory listings. I expected them to be *Access Denied to Public*, but to my surprise I could see www.ABC_1.com/images open, exclusively for me maybe ;-) I also tried hitting some common directory names but, my bad, they didn't have any of those.

I again started going through the source code and found one directory called /manage. I realized that maybe this is the one which would be the gateway to the admin panel. And it worked: due to careless directory permissions I could see the Admin Panel in front of my eyes! Very unprofessional web designing; by the way, did I tell you this website was created by a web development company which has around 10/15 clients? After seeing the Admin Panel I thought I would have to use some SQL injections, but before that I thought to try some common ID/password combinations, and to my surprise with one very common combination I got through! *Yaaaayyy*

I got access to the Admin section where I could manage photos and content on the website. I could even see the list of registrations done for various competitions in that event. I could even change the password and admin details.

But I have got my basics clear about Information Security, so I stopped myself and informed the respective people regarding this vulnerability. Following is the report that I sent to the B-School.


Website URL: http://ABC_1.com
Type of Website: National Level Event Website
Vulnerability:
- Improper directory permission (http://ABC_1.com/manage)
- Poor authentication for Admin Panel
Risk:
- Website can be modified altogether – loss of integrity.
- If somebody puts up offensive content, it can degrade ABC's image and in turn the University's.
- If details of participants are leaked (contact numbers, email IDs) it may result in loss of personal data.
Counter measures:
- Restrict permission to sub directories (http://ABC_1.com/manage)
- Strong password policy for the Admin Panel (most important); even a newbie can get access to the Admin Panel very easily
 
After reporting this incident, the vulnerability got patched. The directory is no longer accessible to the public; I couldn't check the admin panel though!
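The "restrict permission to sub directories" counter measure from the report, written out as an Apache 2.4 configuration. This is an added example, not the fixed site's actual configuration (the post only says the sites were PHP); the document root, the management IP range and the password file path are assumptions. The commented-out line shows the setting that produces the open /images listing described above, and the corrected line sits right below it.

```apache
# Whole site: never auto-generate directory listings.
<Directory "/var/www/ABC_1/htdocs">
    # Options Indexes FollowSymLinks      <- this is what makes /images/ browsable
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Admin panel: reachable only from the management network AND only with a
# strong HTTP Basic credential in front of the application's own login form.
<Directory "/var/www/ABC_1/htdocs/manage">
    Options -Indexes
    AuthType Basic
    AuthName "Site administration"
    AuthUserFile "/etc/apache2/.htpasswd-abc1"   # assumed path
    <RequireAll>
        Require ip 10.0.0.0/8                      # assumed management range
        Require valid-user
    </RequireAll>
</Directory>
```

Create the credential file with `htpasswd -B -c /etc/apache2/.htpasswd-abc1 <username>` (bcrypt hashing) and test the change with `apachectl configtest` before reloading; after the reload an anonymous request for /images/ or /manage/ should return 403, not a listing.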

After this incident, I started looking carefully into other B-Schools' event websites. Today, when I was browsing through the source code of another B-School's site (again, it comes in the top 50 B-Schools in India), I could exploit its vulnerability. Poor directory permissions and authentication are the reason behind it. I have reported it to the concerned people, again!

There's another website that I recently observed; this one belongs to investment consultants from Pune. This website was created in ASP.NET while the earlier two were coded in PHP. The investment consultant's website had a pathetic security mechanism when it came to user authentication.

I tried commonly used user ID/password combinations but failed, so I checked the forgot password page. Surprisingly, it was the worst password retrieval mechanism I have ever seen. You just need to put in the user ID; it asks you for the hint question and answer, and if you guess it correctly a dialogue box is prompted with the valid password. WORST, isn't it?

So the conclusion out of these three incidents is: no matter how much you invest in technology, if your builders/architects are careless when it comes to security, you are ultimately going to fail, BIG TIME.
If website developers take proper care, such vulnerabilities will never arise!
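The two authentication weaknesses above (a "very common combination" that opened the admin panel, and a forgot-password page that shows the password after a hint question) are fixed by controls that fit in a few dozen lines. The following Python sketch is an added example, not code from any of the three sites (which the post says were PHP and ASP.NET): admin passwords are checked against a deny-list and a minimum length, stored only as salted PBKDF2 hashes, the account locks after a handful of failures, and a reset issues a single-use expiring token instead of revealing anything. The class and constant names, the limits and the deny-list contents are assumptions chosen for the demo.

```python
"""Admin authentication done the way the report asked for (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LENGTH = 12          # assumed policy
MAX_FAILED_ATTEMPTS = 5           # assumed: lock after five wrong guesses
LOCKOUT_SECONDS = 15 * 60
RESET_TOKEN_TTL = 15 * 60

# Constructed deny-list standing in for the "very common combinations" the post mentions.
COMMON_PASSWORDS = {"admin", "password", "admin123", "123456", "welcome", "letmein"}


def password_is_acceptable(password: str) -> bool:
    """Policy check run at account creation and at every reset."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, digest); a fresh random salt is drawn when none is supplied."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AdminAccount:
    def __init__(self, username: str, password: str, clock=time.time):
        if not password_is_acceptable(password):
            raise ValueError("password does not meet the admin password policy")
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.failed_attempts = 0
        self.locked_until = 0.0
        self.reset_tokens = {}            # token -> expiry timestamp
        self._clock = clock               # injectable so tests can control time

    def login(self, password: str) -> bool:
        now = self._clock()
        if now < self.locked_until:
            return False                  # locked: the guess is not even evaluated
        _, candidate = hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
        return False

    def start_reset(self) -> str:
        """Mint a token to be sent out of band (e-mail); the stored password is never revealed."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = self._clock() + RESET_TOKEN_TTL
        return token

    def finish_reset(self, token: str, new_password: str) -> bool:
        """Enforce the policy, consume the token (single use), re-hash with a new salt."""
        if not password_is_acceptable(new_password):
            return False
        expiry = self.reset_tokens.pop(token, None)
        if expiry is None or self._clock() > expiry:
            return False
        self.salt, self.digest = hash_password(new_password)
        self.failed_attempts = 0
        self.locked_until = 0.0
        return True
```

The hint-question flow is replaced by `start_reset` plus `finish_reset`: even a perfect guess of the hint answer yields nothing, because nothing is displayed and the token is only ever delivered to the registered address. The lockout in `login` is what turns "one very common combination" from a thirty-second job into one that trips an alert.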

Do let me know your views/suggestions on my Risk Analysis ;-)

Sunday, December 16, 2012

Facebook Photos, Privacy Breach?

Do you upload photos to Facebook, create an album and set privacy settings on it? I do, but surprisingly today I found out that while it may be hidden from people on Facebook, those personal photos/albums are not really protected.

To give you a demo [use Firefox], open any of your albums. Click on a photo; once it is opened, right click on it and select View Image. Here, try to notice the change in the URL or, in more techie terms, the connection string.

For instance, STEP #1

I have opened one of my private albums and opened the photo, which is: https://www.facebook.com/photo.php?fbid=2495739472781&set=a.2495734472656.144476.1231669070&type=3&theater
If you copy and paste this URL in a browser, whether or not you are logged into Facebook, you won't see the picture. Ideally you'll get an error like this:



This album is shared with only one person other than me. So ideally nobody else but her can see this photo/album.

STEP #2

If I right click and select View Image I get a new connection string/URL, which is
https://fbcdn-sphotos-d-a.akamaihd.net/hphotos-ak-ash4/314985_2495739472781_50463433_n.jpg

Try copying/pasting it in a browser and you'll clearly see the photo, even without logging into Facebook.





I feel that if hackers are able to decrypt the connection string and understand the pattern, it might be easy to see all such photos which are shared privately on Facebook, even without logging into it.
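What the two steps above show is a CDN URL that is a bearer credential: whoever holds it gets the bytes, regardless of album privacy or login. The usual defence is to make such links short-lived and bound to the viewer. The Python below is an added example of that pattern, not Facebook's or Akamai's actual mechanism: the origin signs path, viewer and expiry with an HMAC, and the CDN edge refuses anything unsigned, expired or altered. The key, the host name and the TTL are constructed for the demo.

```python
"""Time-limited, viewer-bound links for private media on a CDN (added example)."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

SIGNING_KEY = b"constructed-demo-key-shared-by-origin-and-edge"   # constructed, not real
DEFAULT_TTL = 600                         # seconds a link stays usable (assumption)


def _message(path: str, viewer_id: str, expires: int) -> bytes:
    """Canonical string that is signed; binding the viewer stops link forwarding."""
    return f"{path}|{viewer_id}|{expires}".encode("utf-8")


def sign_photo_url(base_url: str, viewer_id: str, now: float,
                   ttl: int = DEFAULT_TTL, key: bytes = SIGNING_KEY) -> str:
    """Origin side: issue a URL that only `viewer_id` can use for the next `ttl` seconds."""
    path = urlparse(base_url).path
    expires = int(now) + ttl
    sig = hmac.new(key, _message(path, viewer_id, expires), hashlib.sha256).hexdigest()
    return base_url + "?" + urlencode({"viewer": viewer_id, "expires": expires, "sig": sig})


def verify_photo_url(url: str, now: float, key: bytes = SIGNING_KEY) -> bool:
    """Edge side: serve the bytes only if the signature is present, fresh and intact."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        viewer_id = params["viewer"][0]
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False                      # a bare URL like the one in STEP #2 lands here
    if now > expires:
        return False                      # a leaked link dies on its own
    expected = hmac.new(key, _message(parsed.path, viewer_id, expires), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)
```

With this in place, copying the View Image URL into another browser still fails after ten minutes, and changing either the file name or the viewer parameter invalidates the signature; guessing "the pattern" of file names no longer helps, because the pattern is not what grants access.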

I would like to know your views/comments on this, prolly from a techie perspective!

Thursday, November 15, 2012

Beware of Check-ins/Geotagging | Twitter | Foursquare | Flickr

I'm sure many people who know me personally or follow me on Twitter will be surprised to see Gaurav Thorat saying 'Beware of Check-ins'! Well, being a newbie product of Symbiosis's Information Security MBA, I happened to study a subject called 'Vulnerability Analysis and Penetration Testing'. Sounds very techie, isn't it? But frankly speaking, this subject needs a lot of common sense along with a good technical understanding of networks and information systems.

Foursquare, as many of you must know, is a wonderful mobile application with which you can find nearby places like hotels, malls, theaters and what not. Wherever you go, you just take out your phone and check in to the place. Let's say I go to Esquare Multiplex in Pune to watch a movie; the moment I get there I'll take out my mobile and open the Foursquare app, and it'll find my current location with the help of GPS. It'll show me the nearby places along with Esquare Multiplex; I'll just click on Esquare and it'll notify my friends on Foursquare and Twitter/Facebook (if you have allowed Foursquare and Twitter/Facebook integration). So what's the use of it? Well, personally, I use Foursquare because it tells my friends about my whereabouts, so anybody around me can just drop by for a quick meetup! Secondly, many a time merchants register with Foursquare and give away some really nice offers/discounts. So you check in to the merchant's shop and you get a discount on your shopping. The more check-ins you have, the more Foursquare badges you unlock to flaunt within the community!

So whenever I used to check in, it used to appear like this on Twitter:


As part of our VAPT subject's assignment we were told to search for some security assessment tools and present them in front of the students. Being more interested in social media, I wanted to present a tool which is unique, one that nobody else would think of! And just as I expected, all the students chose hardcore technical tools like Snort, sniffers and network analyzers. Nobody thought that something called 'Social Engineering' should also be considered, which is comparatively less technical but, if used against targets, can cause huge loss! I find people are still very ignorant about 'Social Engineering', which exploits the weakest link in security, that is human/user behavior.

The tool I'm going to discuss here is one which can help a hacker/cracker perform a passive type of social engineering attack, which often seeks to acquire seed information for further active social engineering or network-based attacks.
Active social engineering attacks are more of a direct kind, which may involve direct interaction with the target to obtain security-relevant information, gain access privileges, persuade someone to commit a policy violation or act as a proxy on the attacker's behalf. Passive attacks, as described earlier, are more of an indirect type, which involves eavesdropping, observation and subsequent analysis of the results.
The tool which may aid a hacker/cracker in a passive social engineering attack is called Creepy. It is developed in Python and allows you to gather geolocation-related information about users from social networking platforms and image hosting services.
Details
Website  : http://ilektrojohn.github.com/creepy/
Platforms  : Linux, Windows
License  : GPLv3
Author  : Yiannis Kakavas
Contact Email  : jkakavas@gmail.com

So what does the application do?
If you check in to Foursquare, which forwards it to Twitter, or if you take photos with geotagging allowed, chipping in the data about where you have taken the pictures, you are vulnerable to a passive social engineering attack with the help of the Creepy tool.
All a hacker/cracker needs is your username on Twitter/Flickr and they can track you down. With the help of your check-ins they can study the pattern/routine of your day: when you leave home for the office, where your home and office are located, what you generally do on weekends, which places you visit. Some people also supply information like what food/drink they love the most along with the hotel check-in. You may not realize why somebody would need this information or find it important, but let me remind you: this is why social engineering attacks are riskier and cause more damage than any other hacking attack, because we tend to be ignorant about social engineering attacks and most of us never worry about all this simple information.

So the Creepy tool can integrate all this check-in/geotagging related information in one place, supplied with a map, a Google map! So a hacker/cracker might not know Pune city very well, but the Google map within the Creepy tool can easily supply them with the necessary information for a further, stronger social engineering attack.


The image above is Creepy's interface. I checked one user from Flickr who had uploaded photos of military aircraft. All I did was put his username in Creepy, and you can see where he took that photo! This is passive social engineering, which a terrorist group may use for a destructive and dangerous attack. I hope you are getting the seriousness, and why I said beware of check-ins and geotagging.

The same is the case with check-ins which appear on Twitter: with all the aggregated information about your daily/weekend check-ins, a hacker/cracker or any person with bad intentions can plan a more dangerous attack on you/your organization/home.

So how will you save yourself from this type of passive social engineering attack?
1. Be aware, keep your eyes/ears open.
2. Common sense.
3. If not required, disable the geotagging feature when you take photos with your smartphone/camera.
4. If you care, then stop posting your check-ins on Twitter; you may want to continue using Foursquare, but don't integrate it with Twitter.
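Point 3 is the one you can verify yourself: the location Creepy plots from a Flickr photo is the EXIF GPS sub-IFD that the camera wrote into the JPEG. The Python below is an added example, not code from the post or from the Creepy tool; it uses only the standard library to (a) report whether a JPEG carries GPS coordinates and (b) strip the EXIF segment so the file can be shared without them. The sample JPEG is constructed in code (a GPS block pointing near Pune, the city mentioned above) so the script runs offline.

```python
"""Detect and strip the EXIF GPS block before a photo leaves your device (added example).
Standard library only; the sample JPEG is constructed below, not a real photo."""
import struct

GPS_INFO_TAG = 0x8825                              # IFD0 entry pointing at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4            # GPS sub-IFD tags
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # bytes per TIFF type
EXIF_ID = b"Exif\x00\x00"

def _read_ifd(tiff, end, offset):
    """{tag: (type, count, raw 4-byte value-or-offset field)} for the IFD at offset."""
    (count,) = struct.unpack_from(end + "H", tiff, offset)
    entries, pos = {}, offset + 2
    for _ in range(count):
        tag, typ, n = struct.unpack_from(end + "HHI", tiff, pos)
        entries[tag] = (typ, n, tiff[pos + 8:pos + 12])
        pos += 12
    return entries

def _entry_bytes(tiff, end, entry):
    """Values of 4 bytes or less are stored inline; longer ones live behind an offset."""
    typ, n, raw = entry
    size = TYPE_SIZES[typ] * n
    if size <= 4:
        return raw[:size]
    (off,) = struct.unpack_from(end + "I", raw)
    return tiff[off:off + size]

def _dms_to_decimal(tiff, end, entry, ref):
    """Three RATIONALs (deg, min, sec) and an N/S/E/W ref -> signed decimal degrees."""
    nums = struct.unpack(end + "6I", _entry_bytes(tiff, end, entry))
    deg, mins, secs = (nums[i] / nums[i + 1] for i in (0, 2, 4))
    value = deg + mins / 60 + secs / 3600
    return -value if ref in ("S", "W") else value

def _gps_from_tiff(tiff):
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte order mark
    if end is None:
        return None
    (ifd0_off,) = struct.unpack_from(end + "I", tiff, 4)
    ifd0 = _read_ifd(tiff, end, ifd0_off)
    if GPS_INFO_TAG not in ifd0:
        return None
    (gps_off,) = struct.unpack_from(end + "I", ifd0[GPS_INFO_TAG][2])
    gps = _read_ifd(tiff, end, gps_off)
    if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None
    refs = [_entry_bytes(tiff, end, gps[t]).rstrip(b"\x00").decode("ascii") for t in (LAT_REF, LON_REF)]
    return (_dms_to_decimal(tiff, end, gps[LAT], refs[0]),
            _dms_to_decimal(tiff, end, gps[LON], refs[1]))

def _segments(jpeg):
    """Yield (marker, start, end) for each length-prefixed header segment, then the remainder."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                 # EOI / start of scan: metadata is over
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield marker, pos, pos + 2 + length
        pos += 2 + length
    yield None, pos, len(jpeg)

def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_ID

def exif_gps(jpeg):
    """(lat, lon) in decimal degrees if the JPEG carries EXIF GPS data, else None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            return _gps_from_tiff(jpeg[start + 10:end])
    return None

def strip_exif(jpeg):
    """Copy of the file with every APP1/Exif segment removed (the defender-side fix)."""
    out = bytearray(jpeg[:2])
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
    return bytes(out)

def build_sample_jpeg():
    """Constructed: SOI, one big-endian EXIF APP1 holding only a GPS IFD, EOI."""
    ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", GPS_INFO_TAG, 4, 1, 26) + bytes(4)
    gps = (struct.pack(">H", 4)
           + struct.pack(">HHI", LAT_REF, 2, 2) + b"N\x00\x00\x00"
           + struct.pack(">HHII", LAT, 5, 3, 80)           # rationals stored at offset 80
           + struct.pack(">HHI", LON_REF, 2, 2) + b"E\x00\x00\x00"
           + struct.pack(">HHII", LON, 5, 3, 104)          # rationals stored at offset 104
           + bytes(4))
    lat = struct.pack(">6I", 18, 1, 31, 1, 1200, 100)     # 18 deg 31' 12.00" N
    lon = struct.pack(">6I", 73, 1, 51, 1, 3600, 100)     # 73 deg 51' 36.00" E
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + lat + lon
    app1 = EXIF_ID + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run `exif_gps` over a real photo's bytes before uploading: a non-`None` result is exactly the data point Creepy would plot. `strip_exif` drops the whole APP1 segment rather than surgically removing the GPS tags, which also discards camera model and timestamp; for a photo meant for public sharing that is usually the right trade-off.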
 
That's all from me, I will be waiting to hear some comments from you!

Sunday, November 11, 2012

Diwali Then & now!

One of the biggest festivals, celebrated all over India, right from Kashmir to Kanyakumari! The festival of lights, crackers and, last but not least, sweets and namkeens. Hindu, Muslim, Christian, Sikh - each and every religion in India enjoys this wonderful festival!

I remember the Diwali I celebrated when I was a kid; I was more interested in cracker guns than crackers which make noise. I always loved shopping for clothes, right from my childhood, and I still do! For me Diwali used to be about holidays, lazy holidays. Lots of shopping - clothes and crackers. Meeting relatives, exchanging sweets/namkeens. And not to forget, our school used to give us homework that we had to complete before we stepped back into school.

Then school to college, transition! Interests/choices changed. A total cut-off from crackers and mainly from relatives; I spent most of the time with friends. Instead of mom's choice, I started buying branded clothes which were meant to flaunt, nothing else :-) Unlike school, I never waited for holidays because I hardly cared about lectures. Every day in college was no less than a holiday itself!

Finally I got to taste real life when I started working! We used to get hardly 21 days of holiday a year, damn it. Especially at festival time, I hardly spent it with my friends/family. And no surprise, Diwali was not an exception :-)

Today, after working for almost two years, I am back to studying. But things have changed: while writing this blog post I'm thinking about the pending project that is open on my desktop, the book of IT Project Management open right in front of me. Eating Diwali special sweets, listening to the noise that kids and crackers are making right outside the window. Thinking about somebody, dreaming about life :-)

So now what do I like about Diwali? Well, shopping, but now not just buying clothes; I also enjoy decorating the house (I mean I bring whatever I like, whatever mom/dad want). I still love eating Diwali sweets/namkeen, but these days you get them in stores all year round, so there's nothing called 'Diwali Special' any more. I love going out early in the morning during Diwali time to Sarasbaug (a famous garden) in Pune, India, where people gather early in the morning: new clothes, fresh faces and fragrance. You get to meet many people whom you might not have met in years! Everybody lights diyas, clicks photos and then heads to Vaishali/Vaadeshwar/Rupali for a special breakfast :-)

Wishing you and your family a prosperous Diwali!

Monday, October 1, 2012

Innovative Ideators, platform for B-School students to showcase their Talent!

When I first saw an email stating 'Need Campus Ambassador for Innovative Ideators' in my college's newly created email inbox, I was excited to know what the heck this 'Innovative Ideators' was.

Frankly, I always look forward to participating in branding/marketing activities, so whenever I see an opportunity to become a Campus Ambassador, I jump at it. But this time it was different, unlike my previous experience with Microsoft and Naukri.com. 'Innovative Ideators' is not about any product/service but a team of wonderful individuals who have created a platform for B-School students to participate in management-related competitions. The best thing about it is that it's not a one-time competition but a series of competitions throughout the year!

'Innovative Ideators' helps students showcase their talent and at the same time provides amazing and fresh ideas to corporate houses. How? Let me give you the idea!
'Innovative Ideators' uses a funda called 'Crowdsourcing'; well, not quite the same as outsourcing, but they are similar in some aspects. Consider a company, 'NeGa Technology', a Pune-based IT startup which wants to emerge as a product-based company in the near future but lacks idea generation. They are clueless as to what product they should develop that will earn them reputation and revenue! Even being a start-up, they had angel investors who had faith in the founders, a team of three IT professionals. So 'NeGa Technology' hired some creative heads to help the founders develop that 'Unique' product. They launched a website which gives daily information on 'Events happening today in colleges around Pune'. The website was a huge success; NeGa Technology earned reputation as well as revenue, but the founders were still not satisfied. As they could target only the college crowd, they needed something BIG, from teenagers to oldies!
One of the founders read an article about 'Crowdsourcing', a new trend in the business world. They found a money-saving way to generate ideas for their 'Unique' product!

So the very next day they placed an advertisement in a daily newspaper saying 'Do you have an 'e'-idea but are unable to implement it? We'll show you the way! Mail/Call us NOW!'
From the very next day, NeGa Technology received hundreds of emails and phone calls. Within a week they had 300 ideas, out of which they shortlisted 80 which were unique! All of this with almost no or little money; the only cost was the 'Advertisement in the Daily'. They finally decided to merge five ideas into one and designed an innovative e-commerce portal. They offered a share of the revenue earned in the first year to the people whose ideas were used. The rest of the ideas were not scrapped either: NeGa Technology informed other start-ups that they had some ideas which could be implemented and shared them with the new start-ups, asking them to give some profit share to the idea generator if his/her idea was implemented. Win-win situation, isn't it?

Now how does 'Innovative Ideators' fit into this example? Well, they arrange competitions which are based on a 'Live Case Study', or simply problems faced by corporate houses for which they need help from the common man/consumer/crowd. In 'Innovative Ideators' case the ideas will be generated by the talented and creative minds of students studying in prominent B-Schools! If the idea gets selected there are BIG prizes and wonderful career opportunities offered by the partner companies!

So why think twice? Just reach out to your 'Innovative Ideators' Campus Ambassador and get a clearer idea about the competitions!
 

Wednesday, September 5, 2012

MBA life-u- reverse gear -u- (Kolaveri Style)

I remember how happy I was on 16th May 2012, at around 12:30pm at the Amdocs office in Magarpatta, Pune. I eagerly opened http://scit.edu to check whether SCIT deserved me ;-) I cannot explain that moment when I saw 'Congratulations you are Shortlisted for SCIT - MBA ITBM Program'.
I wanted to pursue my Masters from Symbiosis, and that too from SCIT. I prepared well for my GD/PI, luck favored me and I got into the 'Premier IT B-School' of Pune, India.

I remember my initial two-three weeks at SCIT: a very energetic me - study, extra-curriculars (Innovative Ideators Program's Campus Ambassador at SCIT). I wanted to excel in everything, learn whatever I could.

But somehow my bad patch started from the first week of July, yes, just in the 2nd month of my MBA program. Some things in life can really pull you down, very badly. And it happened to me! Somehow I couldn't come out of it till the month of September started! In the meantime I performed average in some subjects, poor in some. But in the last few days I realized the BIGGest mistake of my life, and I'm happy that I could learn from it, though I had to pay heftily for it.

And now I am out of it - the frustration, sorrows, depression and what not - getting ready for 'The' comeback with a bang! I cannot spoil my ambitions, efforts and my parents' dreams just like that :-) This span was tough for me, an ultimate disaster; now I wonder if I really need to attend the Integrated Disaster Management Program arranged by my college ;-)

MBA is a very costly and important affair of my life and I'm up for it! All I can do now is look back and smile at the 'poor & old me', thinking I learnt the BIGGest lesson of my life. Though I can't bring back the time I lost, the 'ME' lost, I'll make sure that I won't repeat this ever!

You can't expect goody goody posts from me every time; I just want to scream out loud and tell you - your life is precious, your time is the costliest, don't spoil it, don't waste it. I'll make sure that I'll complete my MBA the way I wanted to, by learning and earning a 'Once in a Lifetime Experience'. Though I won't ever forget the last two months of my life, which taught me everything :-)

[I'll continue this post once October 2012 ends]