Thursday, June 20, 2013

True Caller, breach of Privacy?

Me to Friend: "Hey, I got missed calls from this XXXXXX number, almost 10 times yesterday."
Friend to Me: "Give me 10 seconds and I'll find out who that is! I have the True Caller app on my Android phone."


Quite a typical scenario. You may just feel, wow, that's an awesome and very helpful app; but don't get too excited, there's a catch! Any unknown person can search by telephone number and find out whom the number belongs to.

So what I did is, I changed the last two digits of a ten-digit mobile number and, for each of the neighbouring numbers, I could get the name of the person to whom that number belongs.

770 919 6001
770 919 6002
770 919 6003
770 919 6004
770 919 6005

I'm sure you might not be happy with this feature, which you may call 'search by number'. Telemarketing companies must be making the most of this app, as they get a free dump of potential leads from all around the globe.

I don't want to touch any other pros/cons of True Caller, as I'm mainly interested in the 'search by number' feature.

Let me give you an idea of how True Caller gets your details.
Somebody who has your mobile number and name saved in his phone installs the True Caller app. He does nothing more; his contact list gets synced with True Caller's database. Basically you have no control over whether you get listed in this global directory!

But don't panic, True Caller offers you the freedom to get unlisted from their database/global directory. All you need to do is visit http://www.truecaller.com/unlist. If you are very much concerned about your privacy, just unlist yourself!

True Caller in my view is a 'new generation mobile Yellow Pages' which is being used all over the world. I have often heard/seen people making a fuss about True Caller and breach of privacy. But after reading http://www.truecaller.com/how-it-works/ one can understand why it's not really a 'breach of privacy'.

But there's still a catch: I'm unsure whether unlisting from True Caller really removes you from True Caller's database. They might have a flag set next to every telephone number in their database which tells the app whether or not to show the number in search results. So the number might not actually be deleted from True Caller's database. In that case, yes, this is a MAJOR privacy/security breach. And I highly suspect that is the case with True Caller.
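As an added illustration (not Truecaller's code or design, and not part of the original post), the toy directory below models the two behaviours discussed above: a 'search by number' lookup that can be walked sequentially the way the post did with the 770 919 600x numbers, and an 'unlist' that only flips a flag on the record. The numbers, the names and the per-client quota are all constructed assumptions.

```python
import time
from collections import defaultdict

# Constructed directory: none of these numbers or names are real.
SEED = {
    "5550100001": "Alice Example",
    "5550100002": "Bob Example",
    "5550100004": "Carol Example",
    "5550100007": "Dan Example",
}


class Directory:
    """Toy 'search by number' service; the flag-based unlisting is an assumption about
    how such a service *might* behave, not a description of Truecaller."""

    def __init__(self, seed, per_client_quota=None, window_seconds=60):
        # Every record carries a 'listed' flag; unlist() only flips the flag.
        self.store = {num: {"name": name, "listed": True} for num, name in seed.items()}
        self.quota = per_client_quota          # None means no rate limit at all
        self.window = window_seconds
        self._calls = defaultdict(list)        # client_id -> lookup timestamps

    def _allowed(self, client_id, now):
        if self.quota is None:
            return True
        recent = [t for t in self._calls[client_id] if now - t < self.window]
        self._calls[client_id] = recent
        if len(recent) >= self.quota:
            return False
        recent.append(now)
        return True

    def lookup(self, client_id, number, now=None):
        """Return the listed name for a number, or None; refuse once the quota is spent."""
        now = time.monotonic() if now is None else now
        if not self._allowed(client_id, now):
            raise PermissionError("rate limit exceeded")
        rec = self.store.get(number)
        if rec is None or not rec["listed"]:
            return None
        return rec["name"]

    def unlist(self, number):
        """Hide a number from search results without removing the record."""
        if number in self.store:
            self.store[number]["listed"] = False

    def delete(self, number):
        """Actually remove the record."""
        self.store.pop(number, None)

    def export(self):
        """What an insider or a leaked backup would see: every stored number, listed or not."""
        return sorted(self.store)


def enumerate_range(directory, client_id, prefix, start, stop, now=0.0):
    """Walk consecutive numbers the way the post did; stop at the first rate-limit refusal."""
    found = {}
    for i in range(start, stop):
        number = f"{prefix}{i:04d}"
        try:
            name = directory.lookup(client_id, number, now=now)
        except PermissionError:
            break
        if name:
            found[number] = name
    return found
```

Against the unthrottled directory, walking the whole range recovers every listed name; with a quota of five lookups per minute the same walk stops after five numbers. Unlisting a number makes lookup() return None, but export() still contains it, which is exactly the gap between 'hidden' and 'deleted' that the paragraph above worries about; only delete() removes the record.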

Finally, I would conclude that in this digital and connected world it is difficult to keep yourself 'private'. The word privacy holds literally no meaning when you do not control the data/information that is flowing through the web of interconnected electronic devices. If you want to hide yourself from True Caller's listing, just unlist yourself, but it might not actually remove you from True Caller's database! Should you curse people for saving your telephone number in their contact list? Well, that would be silly, wouldn't it?

Friday, June 14, 2013

Compliance - The Dark Side

[Specific to Information Security]

Before touching the main point, let me give you an idea of what exactly compliance is.

In simple words, compliance is nothing but adherence to standard rules that are accepted all over the world. Entities in a particular industry have to comply with certain standards to gain licences and customer trust in order to operate and generate cash flow.

For example, say you are an eCommerce entrepreneur who deals heavily with online money by using a third-party payment solution which is PCI DSS compliant. If you want, and have sufficient capability, to process online transactions on your own, then you have to comply with the PCI DSS standard and get your facility certified, and you are ready to do business on your own!

Sounds simple, right? But this isn't simple at all!

Roughly, I would say there are a few steps:
  1. Identify your business vertical.
  2. Find out the different compliance standards which may be mandated, or may help you win customers. (Some customers may explicitly ask you to comply with certain standards like ISO 9001 for quality or ISO 27001 for information security before dealing with you.)
  3. Identify the scope for which you would like to go ahead and get certified. (The scope can be a department within the company or the whole company.)
  4. Hire a consultant, get the standard implemented and get it certified by a certification body!

Let's talk specifically about information security related standards like ISO 27001, PCI DSS etc.

Ideally, once an organization gets itself certified for the first time, it has to follow the guidelines/processes that are defined and then undergo recertification after a stipulated period (an ISO 27001 certificate runs on a three-year cycle with annual surveillance audits; PCI DSS requires validation every year). This is meant to ensure that the organization keeps complying with industry best practices.

But what exactly happens?

Case 1: XYZ, a software development firm, contacts ABC, an information security consulting firm, and asks them to help in getting ISO 27001 certified. ABC deploys its resources on XYZ's premises and makes sure all the processes are as per the required standard. Once implementation is done, a lead auditor visits XYZ, audits the processes against the ISO 27001 standard and eventually XYZ earns ISO 27001 certification. Barely a month later, they start operating the way they used to before earning the certification, as if they had never heard of ISO 27001.
Meanwhile they keep winning customers by showing that they comply with ISO 27001 and are certified too!
Just before the certificate expires, XYZ contacts ABC again and asks for help with recertification. The IT manager asks every department head to make sure everybody is following all the policies, and for a while the process documents get followed again.

So why this *fuss* about compliance? Organizations today worry about compliance and not security, but they forget that merely getting a certificate doesn't guarantee security unless your people, your employees, actually follow the processes religiously.

Hardening the servers and updating log books just before the audit can fool the auditor but not the hackers. Today's attackers are sophisticated; they do proper reconnaissance before attacking your organization's assets. They know your weak links: your people. It might be easy for you to harden the servers, but it's a pain when it comes to hardening the people.

So how do you tackle this situation? A surprise audit, maybe. This should be done by the certification bodies (CBs) who issue the certificates to organizations. Some time after an organization is certified, the CB should do a surprise audit to check whether the organization is following the standard it signed up to! I have heard from experts that audits are never a surprise. But in my opinion there has to be a separate term called 'surprise audit' for something the CBs do in order to maintain a certain discipline.

In my opinion the flow should be:
Compliance implementation (Day 0 to Day 30) --> Internal audit (Day 31) --> Closure of NCs, i.e. non-conformities (Day 32 to Day 36) --> Final audit (Day 40) --> Surprise audit (~ Day 110)

After the surprise audit, the CB should issue any NCs to the organization along with a warning. The organization should close the NCs and produce the report to the CB. Any further NCs, and the organization's certificate should be revoked by the CB.

Though this will also not guarantee 100% security, it will at least ensure things are more hardened than they were earlier. This will help the overall security ecosystem.

*** IMPORTANT NOTE: THESE ARE MY PERSONAL VIEWS, THIS HAS NOTHING TO DO WITH ANY PARTICULAR ORGANIZATION THAT I WAS/AM ASSOCIATED WITH ***


Wednesday, March 6, 2013

Smart Phones, are they really Smart? [InfoSec Perspective]

It was a pleasant night, I was having dinner and I got a call from my friend that she had lost her phone! If it were 2005-08 nobody would have panicked, but this is the Droid age! And I left my dinner half done to search for her lost phone.

How many of you use smartphones? Today you will rarely find someone who is not using Android/WP/BlackBerry; smart, isn't it? But as is correctly said, with great power comes great responsibility. In the case of smartphones it's the responsibility of protecting the data within them.

Let's take a scenario. When you buy a Droid phone, the very first step you take is to configure a Google account on the device. By doing so you are downloading your email headers directly onto the phone, syncing contacts with or without email IDs, mobile numbers and what not. What is it? It's data which holds tremendous untapped value (unless somebody sells it in the market!). Most people don't realize it until it falls into the wrong hands.
Another scenario: you flaunt your Droid phone with a 5/8/12 megapixel camera with blah blah features and lens. And of course you click thousands of pics, and to hide some candid and *strictly private* photos you make folders inside folders and put them there [general case]. These smartphones also give you the extra power of storing the location where each photo was clicked (geotagging)! Great, isn't it? But imagine if you lost your phone and somebody copied all your photos to a computer and made 'great' use of them!

So what to do? Come on, I'm not going to suggest that you stop using *smartphones*, but you do need to be a little smart in order to use one!

My suggestions:

Step 1: Use an invisible pattern (far better than a visible one, since it protects you from shoulder surfing) or a passcode to give your smartphone basic protection.
Step 2: Go for the free antivirus apps available in the marketplace; many of them have a *theft protection* feature. The moment somebody takes the SIM card out of your phone and puts in another one, preset mobile numbers get an alert about the loss; some of them also provide the current location of the phone.
Step 3: SD card locker apps are available for free in the market nowadays; do use one. Most photos, messages and other app data are stored on the SD card. If you apply another layer of protection it will be harder to retrieve the data, and repeated wrong password attempts will eventually erase the data on the SD card.
Step 4: Remote wipe. This is part of mobile device management (MDM), and it is of great help because it can erase your data remotely if you happen to lose your phone.

If preventive measures are already taken, then it's most likely that you'll worry only about the device and not the data if you lose your phone somewhere!

Smartphones are not smart without you being smart first!


I don't want to claim that implementing the above controls will make your phone risk-free, but it will definitely make it less vulnerable to data theft/loss.

Saturday, January 5, 2013

Is your Website Secured?

For the first time I started playing with HTML when I was in junior college (post school, 11th standard). I learnt HTML and the basics of scripting (Java, ASP, VB) at that tender age, heh! In my educational life I always loved programming languages; even though I couldn't master any, I loved playing with them! I always loved creating simple websites, mostly static, because I couldn't do much hands-on when it came to scripting. By the way, I created a website for my girl (back in 2008/09) with funky love songs running in the background; I ended up taking that website down when her mother saw it! Funny, isn't it? Well, it wasn't! :-D

So since then, whenever I come across any website I have a habit of looking at its source code, just like that! And I still continue that habit ;-)

There are two recent incidents because of which I thought to write this post. Being a student of MBA in IT Business Management with a special interest and specialization in information security, I always try to find vulnerabilities in everything around me, and this includes people as well! Jokes apart, I came across two websites of premier B-schools from India. These B-schools are very renowned and people from all around India participate in their events. One of them is in the top 20 B-schools of India *cough* *cough*

So when I heard about an event arranged by this 'one of the top 20 B-schools of India', say college 'ABC_1', I came to my hostel and started browsing through its website. Trust me, the user experience was pathetic! And as usual I right-clicked >> View Page Source. I noticed a strange thing: in a couple of places many things were commented out, mostly images and links of sponsors. I felt it was a bit unusual, browsed more, and finally thought to check its directory listings. I expected them to be inaccessible to the public, but to my surprise www.ABC_1.com/images opened right up, exclusively for me maybe ;-) I tried hitting some common directory names, but they didn't have any of those.

I again started going through the source code and found a directory called /manage, and realized that this might be the gateway to the admin panel. It worked: due to careless directory permissions I could see the admin panel right in front of my eyes! Very unprofessional web design; by the way, did I tell you this website was created by a web development company which has around 10-15 clients? After seeing the admin panel I thought I would have to use some SQL injection, but before that I thought to try some common ID/password combinations, and to my surprise one very common combination got me through! *Yaaaayyy*

I got access to the admin section, where I could manage photos and content on the website. I could even see the list of registrations done for various competitions in that event. I could even change the password and admin details.

But I have got my basics clear about information security, so I stopped myself and informed the respective people about this vulnerability. Following is the report that I sent to the B-school.


Website URL: http://ABC_1.com

Type of website: National-level event website

Vulnerabilities:
  1. Improper directory permissions (http://ABC_1.com/manage)
  2. Poor authentication for the admin panel

Risk:
  1. The website can be modified altogether (loss of integrity).
  2. If somebody puts up offensive content, it can degrade ABC's image and in turn the university's.
  3. If participants' details (contact numbers, email IDs) are leaked, it results in loss of personal data.

Countermeasures:
  1. Restrict permissions on sub-directories (http://ABC_1.com/manage).
  2. Strong password policy for the admin panel (most important); even a newbie can get access to it very easily.
 
After I reported this incident, the vulnerability got patched. The directory is no longer accessible to the public; I couldn't check the admin panel though!

After this incident, I started looking carefully into other B-schools' event websites. Today, while browsing through the source code of another B-school (again one of the top 50 B-schools in India), I could exploit its vulnerability; poor directory permissions and authentication were the reason behind it. I have reported it to the concerned people, again!

There's another website that I recently observed; this one belongs to investment consultants from Pune. It was created in ASP.NET, while the earlier two were coded in PHP. The investment consultant's website had a pathetic security mechanism when it came to user authentication.

I tried commonly used user ID/password combinations but failed, so I checked the forgot-password page. Surprisingly, it was the worst password retrieval mechanism I have ever seen. You just need to put in the user ID; it asks you for the hint question and answer, and if you guess it correctly a dialogue box is prompted with the valid password. The worst, isn't it?
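The flaw described above (the site hands back the stored password itself after a guessable hint) is only possible because the password is kept in a recoverable form. Below is an added example, not code from any of the sites in the post, showing the pattern a reset page should use instead: passwords stored as salted PBKDF2 hashes, and a random, single-use reset token with a 15-minute lifetime that lets the user set a new password without the server ever being able to reveal the old one. The user store, the ResetFlow class and the hint-based "before" are all constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# The pattern the post describes, kept only as the 'before': a site can hand the password
# back because it stores it in the clear and gates it behind a low-entropy hint answer.
PLAINTEXT_USERS = {"alice": {"password": "hunter2", "hint_answer": "fluffy"}}   # constructed


def insecure_recover(user_id, hint_answer, users=PLAINTEXT_USERS):
    """Returns the stored password to anyone who guesses the hint. Do not do this."""
    rec = users.get(user_id)
    if rec and rec["hint_answer"] == hint_answer:
        return rec["password"]
    return None


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the server keeps only salt + digest, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def verify_password(stored, candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), stored["salt"], stored["iterations"])
    return hmac.compare_digest(digest, stored["digest"])


class ResetFlow:
    """Reset by out-of-band token: the server cannot reveal the old password because it never has it."""

    TOKEN_TTL = 15 * 60   # seconds a reset token stays valid

    def __init__(self):
        self.users = {}    # user_id -> password record from hash_password()
        self.tokens = {}   # sha256(token) -> (user_id, expires_at); only the hash is stored

    def register(self, user_id, password):
        self.users[user_id] = hash_password(password)

    def login(self, user_id, password):
        rec = self.users.get(user_id)
        return rec is not None and verify_password(rec, password)

    def request_reset(self, user_id, now=None):
        """Always hand back a token so a probe cannot tell valid user IDs from invalid ones;
        only for real users is it recorded (and, in a real system, e-mailed to the user)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        if user_id in self.users:
            key = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[key] = (user_id, now + self.TOKEN_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token (single use), reject it if expired, then store the new hash."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(key, None)
        if entry is None:
            return False
        user_id, expires_at = entry
        if now > expires_at:
            return False
        self.users[user_id] = hash_password(new_password)
        return True
```

Two details carry most of the value: the token is stored only as its hash, so a leaked tokens table cannot be replayed, and request_reset behaves identically for unknown user IDs, so the reset page does not double as a user-enumeration oracle.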

So the conclusion from these three incidents is: no matter how much you invest in technology, if your builders/architects are careless when it comes to security, you are ultimately going to fail, BIG TIME.
If website developers take proper care, such vulnerabilities will never arise!

Do let me know your views/suggestions on my Risk Analysis ;-)

Sunday, December 16, 2012

Facebook Photos, Privacy Breach?

Do you upload photos to Facebook, create an album and set privacy settings on it? I do, but surprisingly today I found out that while the album may be hidden from people on Facebook, those personal photos are not really protected.

To give you a demo [use Firefox], open any of your albums. Click on a photo and, once it has opened, right-click on it and select View Image. Here, try to notice the change in the URL, or in more techie terms the connection string.

For instance, STEP #1

I have opened one of my private album and opened the photo which is: https://www.facebook.com/photo.php?fbid=2495739472781&set=a.2495734472656.144476.1231669070&type=3&theater
If you copy and paste this URL into a browser, whether or not you are logged into Facebook, you won't see the picture. Ideally you get an error page instead: [screenshot of the Facebook error page]

This album is shared with only one person other than me. So ideally nobody else but her can see this photo/album.

STEP #2

If I right-click and select View Image, I get a new URL/connection string, which is
https://fbcdn-sphotos-d-a.akamaihd.net/hphotos-ak-ash4/314985_2495739472781_50463433_n.jpg

Try copying/pasting it into a browser and you'll clearly see the photo, even without logging into Facebook.

I feel that if hackers are able to decrypt the connection string and understand the pattern, it might be easy to see all such photos which are shared privately on Facebook, even without logging into it.
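What Step 2 shows is that the CDN serves the image to anyone who holds the URL, because the CDN hostname knows nothing about the Facebook login session; the only thing protecting the photo is that the URL is hard to guess. The usual remedy for a content host is to sign URLs so that they expire after a short time and stop working if any part of the path is changed. The added example below is not Facebook's or Akamai's mechanism, just the standard HMAC-signed-URL technique with a constructed key and a constructed path, showing the signing side (origin) and the checking side (edge server).

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed shared secret; in practice it lives on the origin and the CDN edge, never in the browser.
SECRET = b"constructed-demo-key-change-me"


def sign_url(path, expires_at, secret=SECRET):
    """Append an expiry and an HMAC over (path, expiry) so the link is short-lived and tamper-evident."""
    msg = f"{path}|{expires_at}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'expires': expires_at, 'sig': sig})}"


def verify_url(url, now, secret=SECRET):
    """What the edge server does before serving the bytes: check expiry, then recompute and compare the MAC."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires_at = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False                      # unsigned or malformed request
    if now > expires_at:
        return False                      # link has expired
    expected = hmac.new(secret, f"{parsed.path}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)   # constant-time comparison
```

With this in place, guessing the pattern of object names (the concern raised above) no longer helps: a path without a valid signature is refused, the signature covers the path so it cannot be moved to a neighbouring object, and a copied link dies after the expiry. The cost is that cached or shared links break once they expire, which is why content hosts choose fairly short lifetimes and re-sign on each page load.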

I would like to know your views/comments on this, preferably from a techie perspective!

Thursday, November 15, 2012

Beware of check-ins/geotagging | Twitter | Foursquare | Flickr

I'm sure many people who know me personally or follow me on Twitter will be surprised to see Gaurav Thorat saying 'Beware of check-ins'! Well, being a newbie product of Symbiosis's Information Security MBA, I happened to study a subject called 'Vulnerability Analysis and Penetration Testing'. Sounds very techie, doesn't it? But frankly speaking, this subject needs a lot of common sense along with a good technical understanding of networks and information systems.

Foursquare, as many of you must know, is a wonderful mobile application with which you can find nearby places like hotels, malls, theatres and what not. Wherever you go, you just take out your phone and check in to the place. Let's say I go to E-Square multiplex in Pune to watch a movie. The moment I get there I'll take out my mobile and open the Foursquare app; it will find my current location with the help of GPS and show me the nearby places, including E-Square. I'll just click on E-Square and it will notify my friends on Foursquare and on Twitter/Facebook (if you have allowed Foursquare to integrate with Twitter/Facebook). So what's the use of it? Well, personally, I use Foursquare because it tells my friends about my whereabouts, so anybody who is around can just drop by for a quick meetup! Secondly, many merchants register with Foursquare and give away some really nice offers/discounts, so you check in to the merchant's shop and get a discount on your shopping. The more check-ins you make, the more Foursquare badges you unlock to flaunt within the community!

So whenever I checked in, it appeared like this on Twitter: [screenshot of a Foursquare check-in tweet]

As part of our VAPT assignment we were told to find some security assessment tools and present them in front of the students. Being more interested in social media, I wanted to present a tool which is unique, that nobody else would think of! And just as I expected, all the other students chose hardcore technical tools like Snort, sniffers and network analysers. Nobody thought that something called 'social engineering' should also be considered, which is comparatively less technical but, if used against the targets, can cause huge loss! I find people are still very ignorant about social engineering, which exploits the weakest link in security: human/user behaviour.

The tool which I'm going to discuss here is one which can help a hacker/cracker perform a passive type of social engineering attack, the kind that seeks seed information for further active social engineering or network-based attacks.
Active social engineering attacks are direct: they involve interaction with the target to obtain security-relevant information, gain access privileges, persuade someone to commit a policy violation or act as a proxy on the attacker's behalf. Passive attacks, as described above, are indirect: they involve eavesdropping, observation and subsequent analysis of the results, with no contact with the target at all.
The tool which can help a hacker/cracker in a passive social engineering attack is called Creepy. It is developed in Python and allows you to gather geolocation-related information about users from social networking platforms and image hosting services.
Details
Website  : http://ilektrojohn.github.com/creepy/
Platforms  : Linux, Windows
License  : GPLv3
Author  : Yiannis Kakavas
Contact Email  : jkakavas@gmail.com

So what does the application do?
If you check in on Foursquare and it is relayed to Twitter, or if you take photos with geotagging enabled, embedding the data about where each picture was taken, you are vulnerable to a passive social engineering attack with the help of the Creepy tool.
All a hacker/cracker needs is your username on Twitter/Flickr and they can track you down. With the help of your check-ins they can study the pattern/routine of your day: when you leave home for the office, where your home and office are located, what you generally do on weekends, which places you visit. Some people also supply information like what food/drink they love the most along with the check-in at a hotel. You may not realize why somebody would need or find this information important, but let me remind you that this is why social engineering attacks are riskier and cause more damage than any other kind of attack: we tend to be ignorant of them, and most of us never worry about all these simple pieces of information.

So the Creepy tool can integrate all this check-in/geotagging information in one place, plotted on a Google map. A hacker/cracker might not know Pune city very well, but the Google map within Creepy can easily supply them with the information needed for a stronger social engineering attack.
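To make that aggregation concrete, the added example below (not Creepy's code; the check-ins are constructed) takes two weeks of geo-tagged check-ins and infers exactly what the paragraph describes: the likely home, the likely workplace, the usual window in which the person leaves home for work, and the places visited on weekends. The coordinates are placed roughly around Pune but belong to nobody; the grid size and time-of-day rules are assumptions a real analyst would tune.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed coordinates roughly around Pune; they are not anyone's real home, office or cafe.
HOME = (18.5204, 73.8567)
WORK = (18.5590, 73.7868)
CAFE = (18.5314, 73.8446)


def build_sample():
    """Two constructed weeks of check-ins as (timestamp, lat, lon), the shape a scraper would yield."""
    events = []
    for day in range(12, 24):                       # 2012-11-12 (Mon) .. 2012-11-23 (Fri)
        d = datetime(2012, 11, day)
        if d.weekday() < 5:
            events.append((d.replace(hour=8, minute=15), *HOME))    # morning tweet from home
            events.append((d.replace(hour=9, minute=45), *WORK))    # check-in at the office
            events.append((d.replace(hour=20, minute=30), *HOME))   # back home
        else:
            events.append((d.replace(hour=11, minute=0), *CAFE))    # weekend brunch
            events.append((d.replace(hour=23, minute=30), *HOME))
    return events


def cell(lat, lon, precision=3):
    """Snap a coordinate to a ~100 m grid so repeat visits to one place collapse together."""
    return (round(lat, precision), round(lon, precision))


def profile(events):
    """Infer home, workplace, commute window and weekend haunts from nothing but check-ins."""
    night, office, weekend = Counter(), Counter(), Counter()
    by_day = defaultdict(list)
    for ts, lat, lon in events:
        c = cell(lat, lon)
        by_day[ts.date()].append((ts, c))
        if ts.hour >= 19 or ts.hour < 7:
            night[c] += 1                           # where the person sleeps
        if ts.weekday() < 5 and 9 <= ts.hour < 17:
            office[c] += 1                          # where they spend the working day
        if ts.weekday() >= 5:
            weekend[c] += 1
    home = night.most_common(1)[0][0] if night else None
    work = office.most_common(1)[0][0] if office else None

    # Commute window: last check-in at home before the first one at work, counted per weekday.
    windows = Counter()
    for items in by_day.values():
        items.sort()
        first_work = next((ts for ts, c in items if c == work), None)
        if first_work is None:
            continue
        at_home = [ts for ts, c in items if c == home and ts < first_work]
        if at_home:
            windows[(at_home[-1].strftime("%H:%M"), first_work.strftime("%H:%M"))] += 1
    commute = windows.most_common(1)[0][0] if windows else None

    weekend_places = [c for c, _ in weekend.most_common() if c != home]
    return {"home": home, "work": work, "commute_window": commute, "weekend_places": weekend_places}
```

Nothing here needs more than the public timestamps and coordinates; no single check-in is sensitive, but twenty of them give an attacker a schedule and two addresses, which is the point the post is making.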


[Screenshot: Creepy's interface with the located photos plotted on a map] The image above is Creepy's interface. I checked one Flickr user who had uploaded photos of military aircraft. All I did was put his username into Creepy, and you can see where he took those photos! This is passive social engineering, which a terrorist group could use for a destructive and dangerous attack. I hope you are getting the seriousness of this and why I said beware of check-ins and geotagging.

The same goes for check-ins which appear on Twitter: with all the aggregated information about your daily/weekend check-ins, a hacker/cracker or any person with bad intentions can plan a more dangerous attack on you, your organization or your home.

So how will you save yourself from this type of passive social engineering attack?
1. Be aware, keep your eyes and ears open.
2. Common sense.
3. If not required, disable the geotagging feature when you take photos with your smartphone/camera.
4. If you care, then stop posting your check-ins to Twitter; you may want to continue using Foursquare, but don't integrate it with Twitter.
 
That's all from me; I will be waiting to hear some comments from you!

Sunday, November 11, 2012

Diwali Then & now!

One of the biggest festivals celebrated all over India, right from Kashmir to Kanyakumari! The festival of light, crackers and, last but not least, sweets and namkeens. Hindu, Muslim, Christian, Sikh: people of every religion in India enjoy this wonderful festival!

I remember the Diwalis I celebrated when I was a kid; I was more interested in cracker guns than in crackers which make noise. I always loved shopping for clothes, right from my childhood, and I still do! For me Diwali used to be about holidays, lazy holidays. Lots of shopping, clothes and crackers. Meeting relatives, exchanging sweets/namkeens. And not to forget, our school used to give us homework that we had to complete before we stepped back into school.

Then the transition from school to college! Interests/choices changed. A total cut-off from crackers and mainly from relatives; I spent most of the time with friends. Instead of mom's choice, I started buying branded clothes which were meant to flaunt, nothing else :-) Unlike in school, I never waited for holidays because I hardly cared about lectures. Every day in college was no less than a holiday itself!

Finally I got to taste real life when I started working! We used to get hardly 21 days of holiday a year, damn it. Especially at festival time, I hardly spent any of it with my friends/family. And no surprise, Diwali was not an exception :-)

Today, after working for almost two years, I am back to studying. But things have changed: while writing this blog post I'm thinking about the pending project that is open on my desktop, with a book on IT project management open right in front of me. Eating Diwali special sweets, listening to the noise that kids and crackers are making right outside the window. Thinking about somebody, dreaming about life :-)

So now what do I like about Diwali? Well, shopping, but now not just buying clothes; I also enjoy decorating the house (I mean I bring whatever I like, whatever mom/dad want). I still love eating Diwali sweets/namkeen, but these days you get them in stores all year round, so there's nothing called 'Diwali special' any more. I love going out early in the morning during Diwali to Sarasbaug (a famous garden) in Pune, India, where people gather early in the morning with new clothes, fresh faces and fragrance. You get to meet many people whom you might not have met in years! Everybody lights diyas, clicks photos and then heads to Vaishali/Vaadeshwar/Rupali for a special breakfast :-)

Wishing you and your family a prosperous Diwali!