Saturday, August 3, 2013

Why hire, just pay Bounty?

Let's go five years back. In 2007-08, the major news in the information security industry was:

1. Estonia recovers from massive Denial of Service attack
2. Spear phishing attack at Office of the Secretary of Defense
3. United Nations website hacked
4. Trend Micro website hacked

Strange that even with top-in-class IT security infrastructure and talented security staff, premier organizations got hacked! Does it mean the infrastructure and/or 'security' human resources are useless?

Let's come back to 2012-13.

Organizations like Facebook, Google, Microsoft, PayPal, eBay and many more are allowing hackers to hack their websites! There's no trap: you find vulnerabilities, exploit them, and give a proof of concept to the security teams of those organizations. *That's it.*

So your next question might be: what's next? Why would a hacker give a POC to Facebook? The answer is simple: to earn bug bounties! I hate numbers, but let me give you some statistics. As per one source, Facebook alone has paid 329 people across 51 countries a total bounty amount exceeding $1 million!

Check out this website, which gives a list of organizations that have a bug bounty program: https://bugcrowd.com/list-of-bug-bounty-programs/

Just imagine: Facebook pays a minimum of $500 for a valid bug and there is no upper cap! The more severe the vulnerability, the richer you become!

I'm sure you might be thinking: what should I do to be a bounty hunter? Let me tell you, it's not difficult at all to find these bugs. The only thing you need is knowledge of how the internet works; it helps if you can play well with technologies like PHP, JavaScript, ASP.NET, Python, shell etc. (the list goes on). Another essential is awareness of the OWASP Top 10 vulnerabilities. And last but not least: patience! You might find a bug in your college's website within minutes, but it may take months to find a bug in Facebook!

So my point is: even after having kick-ass security professionals in your organization, why do you still have to pay bounties? Aren't they effective in securing your organization's website? Why don't you just fire them and pay only bug bounties?

Well, in my opinion it's difficult to justify 'Why hire, just pay Bounty': no one and no organization on this planet can claim to provide 100% security. Risk is uncertain and technology changes very often, so there is absolutely no option other than having dedicated security professionals to monitor, plan and act on your organization's perimeter security! Let's talk about Java, one of the most widely used technologies and platforms. Lately Java has been in the news every now and then because of vulnerabilities in the platform. So if Java version XX is vulnerable to a certain attack (known to the public) and your application is built on Java version XX, then your application is vulnerable! Then Java releases an update; if your IT/security team fails to apply it to your application, you'll possibly get royally hacked, even by a script kiddie.

I really like the concept of bug bounties; it's more or less similar to crowdsourcing, where you openly ask the general public to hack you! It may happen that you get tons of security bugs identified by kids which your security tester with 5+ years of experience missed. So you pay the hacker, who is termed a white hat hacker, and he spreads the word on social networks. A few more hackers read it and try hacking into your application, finding more bugs for you. In this way, even after being in production, your application gets tested by people every now and then. They contribute to making your application more secure than earlier, and in return they get paid for their efforts.

I would conclude by stating that our ecosystem is maturing day by day, and programs like bug bounties are helping organizations strengthen their fences not through their employees but through the intruders themselves!

NOTE: I'm strictly against differentiating hackers into white/black; they are just 'hackers'. If a so-called white hat hacker can't think like a black hat hacker (cracker), he'll never be able to help you protect yourself from black hat hackers (crackers).

Happy (bug) Hunting!

Thursday, June 20, 2013

True Caller, breach of Privacy?

Me to Friend: "Hey, I got missed calls from this XXXXXX number, almost 10 times yesterday."
Friend to Me: "Give me 10 seconds and I'll find out who that is! I have the True Caller app on my Android phone."


Quite a typical scenario. You may just feel: wow, that's awesome, a very helpful app it is. But don't get too excited; there's a catch! Any unknown person can randomly search by a telephone number to find whom the number belongs to.

So what I did is, I changed the last two digits of the ten-digit mobile number series and I could get the name of the person to whom each number belongs.

770 919 6001
770 919 6002
770 919 6003
770 919 6004
770 919 6005

I'm sure you might not be happy with this feature, which you may call 'search by number'. Telemarketing companies must be making the most use of this app, as they are getting a 'free' dump of potential leads from all around the globe.
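As an added illustration (not part of the original post, and not True Caller's own code), here is how the service side of a 'search by number' feature could spot the lookup pattern just described: one client walking through consecutive numbers in a short time, or simply querying far faster than a person checking a missed call would. The log format, client IDs, timestamps and numbers are constructed for this demo, and the thresholds (a 60-second window, a run of four consecutive numbers, three lookups per minute) are assumptions to tune per service.

```python
"""Detect number-enumeration and high-rate lookups in a constructed
'search by number' log. Added example, not code from the original post."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one lookup per line: "ISO-timestamp client_id number"
SAMPLE_LOG = """\
2013-06-20T10:00:01 client-A 7709196001
2013-06-20T10:00:03 client-A 7709196002
2013-06-20T10:00:04 client-A 7709196003
2013-06-20T10:00:06 client-A 7709196004
2013-06-20T10:00:07 client-A 7709196005
2013-06-20T10:00:09 client-B 7709196003
2013-06-20T10:05:00 client-B 2125550123
2013-06-20T10:30:00 client-C 7709196001
2013-06-20T11:30:00 client-C 7709196002
2013-06-20T12:30:00 client-C 7709196003
"""


def parse_log(text):
    """Group lookups per client as sorted (timestamp, number) pairs."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, number = line.split()
        digits = "".join(ch for ch in number if ch.isdigit())
        events[client].append((datetime.fromisoformat(ts), int(digits)))
    for lookups in events.values():
        lookups.sort()
    return events


def longest_sequential_run(lookups, window_seconds=60, max_gap=1):
    """Length of the longest run in which each number is within max_gap of
    the previous one and the whole run fits inside window_seconds."""
    best, run = 0, []
    for ts, number in lookups:
        if (run and 0 < abs(number - run[-1][1]) <= max_gap
                and (ts - run[0][0]).total_seconds() <= window_seconds):
            run.append((ts, number))
        else:
            run = [(ts, number)]
        best = max(best, len(run))
    return best


def rate_exceeded(lookups, max_per_window, window_seconds):
    """True if any sliding window of window_seconds holds more than
    max_per_window lookups (lookups must be sorted by time)."""
    times = [ts for ts, _ in lookups]
    start = 0
    for end, ts in enumerate(times):
        while (ts - times[start]).total_seconds() > window_seconds:
            start += 1
        if end - start + 1 > max_per_window:
            return True
    return False


def flag_enumerators(text, window_seconds=60, min_run=4):
    """Map client -> longest sequential run, for clients at or above min_run."""
    flagged = {}
    for client, lookups in parse_log(text).items():
        run = longest_sequential_run(lookups, window_seconds)
        if run >= min_run:
            flagged[client] = run
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("sequential enumerators:", flag_enumerators(SAMPLE_LOG))
    for client, lookups in events.items():
        print(client, "over rate limit:", rate_exceeded(lookups, 3, 60))
```

On the constructed log only client-A is flagged: it walks 6001 to 6005 within six seconds and also exceeds three lookups per minute, while client-C queries the same consecutive numbers an hour apart and looks like ordinary use. A service that wanted to keep 'search by number' could throttle or challenge clients that trip either check instead of serving an unlimited directory dump.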

I don't want to touch any other pros/cons of True Caller, as I'm mainly interested in the 'search by number' feature.

Let me give you an idea about how True Caller gets your details.
Somebody who has your mobile number and name saved in his phone installs the True Caller app. He does nothing more; his contact list gets synced with True Caller's database! Basically, you have no control over keeping yourself from getting listed in this global directory!

But don't panic: True Caller offers you the freedom to get unlisted from their database/global directory. All you need to do is visit http://www.truecaller.com/unlist If you are very much concerned about your privacy, just unlist yourself!

True Caller, in my view, is a 'new generation mobile Yellow Pages' which is being used all over the world. I often heard/saw people making a fuss about True Caller and breach of privacy. But after reading http://www.truecaller.com/how-it-works/ one can understand why it's not really a 'breach of privacy'.

But there's still a catch: I'm unsure whether unlisting from True Caller really removes you from True Caller's database. They might be keeping a flag next to every telephone number in their database which tells the app whether or not to show the number in search listings. So the number might not actually be deleted from True Caller's database. In that case, yes, this is a MAJOR privacy/security breach. And I highly suspect that must be the case with True Caller.

Finally, I would conclude that in this digital and connected world it is difficult to keep yourself 'private'. The word privacy holds literally no meaning when you do not control the data/information that is flowing through the web of interconnected electronic devices. If you want to hide yourself from True Caller's listing, just unlist yourself, but it might not actually remove you from True Caller's database! So curse people for saving your telephone number in their contact list? Well, that would be silly, wouldn't it?

Friday, June 14, 2013

Compliance - The Dark Side

[Specific to Information Security]

Before touching the main point, let me give you an idea about what exactly compliance is.

In simple words, compliance is nothing but standard rules that are accepted all over the world. Entities in a particular industry have to comply with certain standards to gain licenses and customer trust in order to operate and generate cash flow.

For example, suppose you are an eCommerce entrepreneur who deals heavily with online money by using a third-party payment solution which is PCI DSS compliant. If you want, and have sufficient capability, to operate online transactions on your own, then you have to comply with the PCI DSS standard, get your facility certified, and you are ready to do business on your own!

Sounds simple, right? But this isn't simple at all!

Roughly, I would say there are a few steps:
  1. Identify your business vertical.
  2. Find out the different compliance regimes/standards which may be mandated or may help you win customers! (Some of your customers may explicitly ask you to comply with certain standards like ISO 9001 - Quality, ISO 27001 - Information Security etc. before dealing with you.)
  3. Identify the scope for which you would like to go ahead and get certified. (The scope can be a department within the company or the whole company.)
  4. Hire a consultant, get the standard implemented and get it certified by a certifying authority!

Let's talk specifically about information security related compliance/standards like ISO 27001, PCI DSS etc.

Ideally, once an organization gets itself certified for the first time, it has to follow the guidelines/processes that are defined, and then it has to undergo recertification after a stipulated time period, say every 2 years. This ensures that the organization complies with industry best practices and standards.

But what exactly happens?

Case 1: XYZ, a software development firm, contacts ABC, an information security consulting firm, and asks them to help in getting ISO 27001 certified. ABC deploys its resources on XYZ's premises and makes sure all the processes are as per the required standard. Once implementation is done, a Lead Auditor visits XYZ, audits the processes with respect to the ISO 27001 standard, and eventually XYZ earns ISO 27001 certification. Barely a month later they start operating the way they used to prior to earning the ISO 27001 certification, as if they have never heard of ISO 27001 compliance.
Meanwhile, they keep winning customers by showing they comply with ISO 27001 and are certified too!
Just before the certification expires they contact the consulting firm again and ask for help with recertification. The IT manager asks every department head to make sure everybody is following all the policies, and again, for a while, the process documents start getting followed.

So why this *fuss* about compliance? Organizations today worry about compliance and not security, but they forget that merely getting a certificate for your organization doesn't guarantee you security, unless your people, your employees, actually follow the processes religiously.

Hardening the servers and updating log books just before an audit can fool the auditor but not the hackers. Today hackers are sophisticated; they do proper reconnaissance before attacking your organization's assets. They know your weak links, your people. It might be easy for you to harden the servers, but it's a pain when it comes to hardening the people.

So how do you tackle this situation? A surprise audit, maybe! This should be done by the certifying bodies (CBs) who give out the certifications to organizations. Some time after an organization is certified, CBs should do a surprise audit to check whether the organization is following the standard that is set! I have heard from experts that audits are never a surprise. But in my opinion there has to be a separate term, 'surprise audit', which should be carried out by the CBs in order to maintain a certain discipline.

In my opinion the flow should be as follows:
Compliance Implementation (Day 0 to Day 30) --> Internal Audit (Day 31) --> Patching of NCs (Day 32 to Day 36) --> Final Audit (Day 40) --> Surprise Audit (~ Day 110)

After the surprise audit, CBs should issue NCs (non-conformities) to the organization along with a warning. The organization should fix the NCs and submit a report to the CB. Any further NCs, and the organization's certificate should be revoked by the CB.

Though this will also not guarantee 100% security, it'll at least ensure things are more hardened than they were earlier. This will help the overall security ecosystem.

*** IMPORTANT NOTE: THESE ARE MY PERSONAL VIEWS, THIS HAS NOTHING TO DO WITH ANY PARTICULAR ORGANIZATION THAT I WAS/AM ASSOCIATED WITH ***


Wednesday, March 6, 2013

Smart Phones, are they really Smart? [InfoSec Perspective]

It was a pleasant night; I was having dinner when I got a call from my friend that she had lost her phone! If it were 2005-08 nobody would have panicked, but this is the Droid age! And I left my dinner half done to search for her lost phone.

How many of you use smart phones? Today you will rarely find someone who is not using Android/WP/BlackBerry. Smart, isn't it? But it's correctly said that with great power comes great responsibility. In the case of smart phones, it's the responsibility of protecting the data within them.

Let's take a scenario: when you buy a Droid phone, the very first thing you do is 'Configure Google Account' on the device. By doing so you are downloading your email headers directly onto the phone, syncing contacts with or without email IDs, mobile numbers and what not. What is it? It's data, which holds tremendous untapped value (unless somebody sells it on the market!). Most people don't realize it until it falls into the wrong hands.
Another scenario: you flaunt your Droid phone with its 5/8/12 megapixel camera with blah blah features and lens. And of course you click thousands of pics, and to hide some candid and *strictly private* photos you make folders inside folders and put them there [general case]. These smart phones give you the extra power of storing the location of the photos you have clicked! Great, isn't it? But imagine if you lost your phone and somebody copied all your photos to a computer and made great use of them!

So what to do? Come on, I'm not going to suggest that you not use *smart phones*; all you need to do is be a little smart in order to use one!

My suggestions:

Step 1: Use an invisible pattern (1000 times better than visible patterns; it protects you from shoulder surfing) or a passcode to implement basic security on your smart phone.
Step 2: Go for the free antivirus versions that are available in the marketplace; many of them have a *theft protection* feature. The moment somebody takes the SIM card out of your mobile and puts in another, preset mobile numbers get an alert about the loss of your mobile, and some of them also provide the current location of the phone!
Step 3: Nowadays SD card locker apps are available in the marketplace for free; do use them. Most of the photos, messages and other app data are stored on the SD card. If you apply another layer of security, it'll be hard to retrieve the data, and repeated wrong password attempts will eventually erase the data on the SD card.
Step 4: Remote wipe - this is a part of Mobile Device Management (MDM); it's of great help, as it can erase your data remotely if you happen to lose your phone.

If preventive measures are already taken, then it's most likely that you'll worry only about the mobile device and not the data if you lose your phone somewhere!

Smart phones are not smart without you being smart first!


I don't want to claim that implementing the above controls will make your phone risk free, but it'll definitely make it less vulnerable to data theft/loss.

Saturday, January 5, 2013

Is your Website Secured?

I first started playing with HTML when I was in Junior College (post school, 11th standard). I learned HTML and the basics of scripting - Java, ASP, VB - at that tender age, heh! In my educational life I always loved programming languages; even though I couldn't master any, I loved playing with them! I always loved creating simple websites, mostly static, because I couldn't do much hands-on when it came to scripting. By the way, I created a website for my girl (back in 2008/09) with funky love songs running in the background; I ended up taking that website down when her mother saw it! Funny, isn't it? Well, it wasn't! :-D

So since then, whenever I come across any website, I have a habit of looking at its source code, just like that! And I still continue that habit ;-)

There are two recent incidents that happened because of which I thought to write this post. Being a student of MBA - IT Business Management with a special interest and specialization in information security, I always try to find vulnerabilities in everything around me, and this includes people as well! Jokes apart, I came across two websites of premier B-Schools from India. These B-Schools are very renowned and people from all around India participate in their events. One of these is among the top 20 B-Schools of India *cough* *cough*

So when I heard about an event arranged by this 'one of the top 20 B-Schools of India', say college 'ABC_1', I came to my hostel and started browsing through its site. Trust me, the user experience was pathetic! And as usual I right-clicked >> View Page Source. I noticed a strange thing in this website: there were a couple of places where they had commented out many things, mostly images and links of sponsors. I felt it was a bit unusual, I browsed more, and finally I thought to check its directory listings. I expected them to be *Access Denied to Public*, but to my surprise I could see www.ABC_1.com/images open, exclusively for me maybe ;-) I tried hitting some common directory names, but my bad, they didn't have any of those.

I again started going through the source code and I found one directory called /manage. I realized that maybe this was the gateway to the admin panel. And it worked: due to careless directory permissions I could see the admin panel in front of my eyes! Very unprofessional web design, and by the way, did I tell you this website was created by a web development company with around 10/15 clients? After seeing the admin panel I thought I would have to use some SQL injection, but before that I thought to try some common ID/password combinations, and to my surprise, with one very common combination I got through! *Yaaaayyy*

I got access to the admin section, where I could manage photos and content on the website. I could even see the list of registrations done for the various competitions in that event. I could even change the password and admin details.

But I have my basics clear about information security, so I stopped myself and informed the respective people regarding this vulnerability. Following is the report that I sent to the B-School.


Website URL:      http://ABC_1.com
Type of Website:  National Level Event Website
Vulnerability:
  - Improper directory permission (http://ABC_1.com/manage)
  - Poor authentication for Admin Panel
Risk:
  - Website can be modified altogether - loss of integrity.
  - If somebody puts up offensive content, it can degrade ABC's image and in turn the University's.
  - If details of participants are leaked (contact numbers, email IDs) it may result in loss of personal data.
Counter measures:
  - Restrict permission to sub directories (http://ABC_1.com/manage)
  - Strong password policy for the Admin Panel (most important); even a newbie can get access to the Admin Panel very easily
 
After reporting this incident, the vulnerability got patched. The directory is no longer accessible to the public; I couldn't check the admin panel, though!

After this incident, I started looking carefully into other B-Schools' event websites. Today, when I was browsing through the source code of another B-School's site (again one of the top 50 B-Schools in India), I could exploit its vulnerability. Poor directory permissions and authentication were the reason behind it. I have reported it to the concerned people, again!

There's another website that I recently observed; this one belongs to investment consultants from Pune. This website was created in ASP.NET, while the earlier two were coded in PHP. The investment consultant's website had a pathetic security mechanism when it came to user authentication.

I tried commonly used user ID/password combinations but I failed, so I checked the forgot-password page. Surprisingly, it was the worst password retrieval mechanism I have ever seen. You just need to put in the user ID; it asks you for the hint question and answer, and if you guess it correctly, a dialogue box is prompted with the valid password. WORST, isn't it?
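Two of the three sites above failed in the same places: an admin panel that accepts a common ID/password combination, and a forgot-password page that hands the real password to anyone who guesses the hint answer. As an added example (not code from the original post or from any of the sites it describes), here is the login and recovery logic that avoids both failures: only salted PBKDF2 hashes of the password and the hint answer are stored, so there is no plaintext to display; a correct hint answer yields a one-time, time-limited reset token instead of the password; and repeated wrong guesses lock the account. The user name, password, hint answer, the 15-minute token lifetime and the 5-attempt lockout are constructed values and assumptions for the demo.

```python
"""Hardened login and password recovery. Added example, not code from the
original post or from the sites it describes. All user data is constructed."""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000   # assumption: work factor for the stored hashes
TOKEN_TTL = 15 * 60       # assumption: reset tokens expire after 15 minutes
MAX_FAILURES = 5          # assumption: lock after this many wrong guesses


def hash_secret(secret, salt=None):
    """Return (salt, pbkdf2 digest) for a password or hint answer."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_secret(secret, salt, digest):
    """Constant-time comparison of a candidate secret against a stored hash."""
    _, candidate = hash_secret(secret, salt)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    def __init__(self):
        self.users = {}
        self.reset_tokens = {}  # sha256(token) -> (username, expiry time)

    def add_user(self, username, password, hint_answer):
        # Only salted hashes are kept; the site can never echo a password back.
        self.users[username] = {
            "pw": hash_secret(password),
            "hint": hash_secret(hint_answer.strip().lower()),
            "failures": 0,
        }

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or user["failures"] >= MAX_FAILURES:
            return False  # unknown user or locked out: same answer either way
        salt, digest = user["pw"]
        if verify_secret(password, salt, digest):
            user["failures"] = 0
            return True
        user["failures"] += 1
        return False

    def request_reset(self, username, hint_answer, now=None):
        """A correct hint answer yields a one-time token, never the password."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None or user["failures"] >= MAX_FAILURES:
            return None
        salt, digest = user["hint"]
        if not verify_secret(hint_answer.strip().lower(), salt, digest):
            user["failures"] += 1  # hint guesses count toward the lockout too
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()  # store only a hash
        self.reset_tokens[key] = (username, now + TOKEN_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token (single use) and set a new password if unexpired."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            return False
        self.users[username]["pw"] = hash_secret(new_password)
        self.users[username]["failures"] = 0
        return True


if __name__ == "__main__":
    store = UserStore()
    store.add_user("admin", "correct horse battery", "blue")  # constructed
    print("default guess accepted:", store.login("admin", "admin"))
    print("wrong hint gives token:", store.request_reset("admin", "red"))
    token = store.request_reset("admin", " Blue ")
    print("reset with token:", store.complete_reset(token, "new passphrase"))
    print("token reusable:", store.complete_reset(token, "again"))
```

In a real deployment the token would be sent out of band (e-mail or SMS) rather than returned to the caller, and the lockout would be paired with logging so that a burst of failed logins against /manage is visible to whoever runs the site.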

So the conclusion from these three incidents is: no matter how much you invest in technology, if your builders/architects are careless when it comes to security, you are ultimately going to fail, BIG TIME.
If website developers take proper care, such vulnerabilities will never arise!

Do let me know your views/suggestions on my risk analysis ;-)