Wednesday, 4 April 2018

Information Security Basics in Simple Terms.

Cross Post : https://medium.com/@gokulraj/information-security-basis-in-simple-terms-81c2814730b2

What is Data?
Data is a collection of facts, numbers, text, and so on.
What is Information?
Information is data arranged in a convenient form, for example a credit card number or a password.
Types of Data
  • Public data: job notices, insurance policy details.
  • Confidential data: organisational data, company forecast data, bank customer details.
  • Restricted data: company system design, PIN numbers, passwords, medical reports (released only with permission).
What is Information Security?
Information security is the means of defending information or data, whether it is stored physically or digitally.
Vulnerability
When information is not guarded and is available to everyone, this weakness allows an intruder or attacker to gain access to the system and the information. This is known as a vulnerability.
In other terms, it is a flaw in the system.
Exploits
When an intruder uses a vulnerability to get sensitive data from a system, this is known as an exploit.
Threat
A threat is potential harm to a system that the system has no control over.
Threats can be intentional (man-made), accidental, or natural disasters.
Reasons for Intentional Threats or Attacks
Political
  • Destroying a target system by posting wrong information. People doing this are called hacktivists. E.g. cybercrime.
Economical
  • Aiming to earn money by stealing information or by making that information inaccessible. E.g. ransomware.
Social-Cultural
  • Personal motivation to attack an individual.


Thursday, 15 December 2016

Yahoo Data Breach


Yahoo disclosed a data breach of their user accounts. This breach exposed several pieces of users' personal information.

Yahoo's Chief Information Security Officer Bob Lord says:

The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers. The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected.

Affected users should change their passwords and security questions.

More Details : https://yahoo.tumblr.com/post/154479236569/important-security-information-for-yahoo-users


Wednesday, 14 December 2016

Security Testing and/or Reviewing Techniques

Testing Techniques

The following techniques are used in security testing. No single technique covers most security issues. A balanced approach that includes several kinds of testing, from manual review to penetration testing, helps to find most of them. These techniques are suggested by OWASP. Our security team follows a balanced approach for security testing and reviewing.
  • Manual Inspections & Reviews
  • Threat Modeling
  • Code Review
  • Penetration Testing
Manual Inspections & Reviews
The concept of manual inspections and human reviews is simple, and it is a powerful and effective technique. By asking someone how something works and why it was implemented in a specific way, the tester can quickly determine whether any security concerns are likely to be evident. Manual inspections and reviews are one of the few ways to test the software development life-cycle process itself and to ensure that there is an adequate policy or skill set in place. Manual reviews help to understand the security process.

Advantages
 
  • Requires no supporting technology 
  • Can be applied to a variety of situations 
  • Flexible 
  • Promotes teamwork 
  • Early in the SDLC
Disadvantages  
  • Can be time consuming 
  • Supporting material not always available 
  • Requires significant human thought and skill to be effective 
Threat Modeling
Threat modeling is an approach for analyzing the security of an application. It is a structured approach to identifying, quantifying, and addressing the security risks associated with an application. Modern threat modeling looks at a system from the attacker's perspective.
The threat modeling process can be decomposed into a few high-level steps.
  • Decomposing the application – use a process of manual inspection to understand how the application works, its assets, functionality, and connectivity.
  • Defining and classifying the assets – classify the assets into tangible and intangible assets and rank them according to business importance.
  • Exploring potential vulnerabilities – whether technical, operational, or management.
  • Exploring potential threats – develop a realistic view of potential attack vectors from an attacker’s perspective, by using threat scenarios or attack trees.
  • Creating mitigation strategies – develop mitigating controls for each of the threats deemed to be realistic.
Advantages 
  • Practical attacker’s view of the system
  • Flexible
  • Early in the SDLC 
Disadvantages 
  • Relatively new technique
  • Good threat models don’t automatically mean good software

Source Code Review

Source code review is the process of manually checking the source code of a web application for security issues. Many serious security vulnerabilities cannot be detected with any other form of analysis or testing. As the popular saying goes, "if you want to know what's really going on, go straight to the source." Almost all security experts agree that there is no substitute for actually looking at the code. All the information for identifying security problems is there in the code somewhere. Unlike testing third-party closed software such as operating systems, when testing web applications (especially if they have been developed in-house) the source code should be made available for testing purposes.
Examples of issues that are particularly conducive to being found through source code reviews include concurrency problems, flawed business logic, access control problems, and cryptographic weaknesses as well as backdoors, Trojans, Easter eggs, time bombs, logic bombs, and other forms of malicious code.

Advantages
  • Completeness and effectiveness
  • Accuracy
  • Fast (for competent reviewers)
Disadvantages
  • Requires highly skilled security developers
  • Can miss issues in compiled libraries
  • Cannot detect run-time errors easily
  • The source code actually deployed might differ from the one being analyzed
Penetration Testing

Penetration testing is also known as black box testing or ethical hacking. In penetration testing we can find security vulnerabilities without knowing the inner workings of the application.
A penetration tester would have access to an application as if they were a user. The tester acts like an attacker and attempts to find vulnerabilities. Many people's primary testing technique is web application penetration testing.

Advantages
  • Can be fast (and therefore cheap)
  • Requires a relatively lower skill-set than source code review
  • Tests the code that is actually being exposed
Disadvantages
  • Too late in the SDLC
  • Front impact testing only.

- Gokul

P.S. Some of the contents are taken from the OWASP guide.

Tuesday, 22 April 2014

Optimize a Website: a Few Points

  1. Minimize/reduce HTTP requests.
  2. Minify/merge JS and CSS files to reduce the file size to be downloaded.
  3. Use a Content Delivery Network.
  4. Put <script> tags at the bottom of the HTML.
  5. Put CSS links at the top of the HTML.
  6. JavaScript and CSS should be external.
  7. Reduce DOM elements.
  8. Enable gzip compression.
  9. Use an SVG sprite instead of separate images for icons to reduce HTTP requests.
  10. Remove unused scripts and CSS styles.

Monday, 27 January 2014

IE 11


In the HTML5 era, our product also started supporting HTML5. While starting to support HTML5, a few items did not work with IE 11.
  1. IE Detection. 
  2. Plug-in Detection.
IE Detection

In our code, we detected IE by looking for the "MSIE" string in the user-agent. In IE 11, this does not work. IE 11 has removed the MSIE string and instead added the "rv" and "like Gecko" strings. Using those, we changed our code to detect IE 11.

Sample UA : "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko"

Plug-in Detection

We were using the window.ActiveXObject property to detect the IE plug-in for our Mail Merge feature. But it is no longer supported in IE 11. This caused a problem in Mail Merge. The problem is that the window.ActiveXObject property is no longer supported in IE 11, but IE 11 still supports the ActiveXObject constructor.

Code Before

if (window.ActiveXObject) {
    plugin = new ActiveXObject("pluginname");
}

Code After

var plugin = navigator.plugins["pluginname"];
if (!plugin) {
    // window.ActiveXObject is hidden in IE 11, but the constructor still works,
    // so call it directly and treat a thrown error as "plug-in unavailable"
    try {
        plugin = new ActiveXObject("pluginname");
    } catch (e) {
        plugin = null;
    }
}
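As an added example (not code from the original post), the two checks described above written as plain functions: IE version detection that handles both the old "MSIE" form and the IE 11 "Trident ... rv:11.0" form of the user-agent, and plug-in creation that calls the ActiveXObject constructor inside try/catch instead of testing the hidden window.ActiveXObject property. The `factory` parameter is an assumption added so the logic can be exercised outside IE.

```javascript
// Added example, not the post's own code. Sample UA below is the one quoted
// in the post; the others are constructed for the checks at the bottom.

// Returns the IE major version as a number, or 0 when the UA is not IE.
// Pre-11 IE advertises "MSIE <ver>"; IE 11 advertises "Trident/7.0 ... rv:11.0".
function ieVersion(ua) {
  var msie = /MSIE (\d+)\./.exec(ua);
  if (msie) {
    return parseInt(msie[1], 10);
  }
  var trident = /Trident\/\d+\.\d+.*rv:(\d+)\./.exec(ua);
  if (trident) {
    return parseInt(trident[1], 10);
  }
  return 0;
}

function isIE11(ua) {
  return ieVersion(ua) === 11;
}

// Creates the plug-in by calling the constructor inside try/catch rather than
// testing window.ActiveXObject first (that property check fails on IE 11).
// `factory` is an assumed, optional parameter: pass a constructor to exercise
// the logic outside IE; in a browser leave it out and ActiveXObject is used.
function createPlugin(progId, factory) {
  try {
    if (factory) {
      return new factory(progId);
    }
    // Referencing the bare identifier throws ReferenceError outside IE,
    // which the catch below turns into "plug-in unavailable".
    return new ActiveXObject(progId);
  } catch (e) {
    return null;   // not IE, plug-in not installed, or blocked by browser settings
  }
}

// User-agent quoted in the post (IE 11 on Windows 7).
var UA_IE11 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko";
// Constructed samples for comparison.
var UA_IE8 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)";
var UA_FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0";
```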


Friday, 19 July 2013

Back to Traditional Software Installation from SaaS

cross posted from http://bygokul.blogspot.in

I am wondering whether the traditional installation is back with the use of the smart phone.


In old days (not too long ago), we used installables, and the hardest part was to install a patch for a fix or install a new version. When someone discovered cloud computing, we got relief from new installations and/or patch fixes.


Hmm, now again, I have the same problem in a different way. Yes, it is from the smart phone. I have been using a smart phone only very recently. I faced two main problems.


First, when I faced a touch problem on my phone, I did a factory reset. I knew that I would lose all of my data and apps. But I had no choice. Anyhow, I have my backup for all apps and data. After fixing the touch problem, I reset it with the backup. But it took much time to reset the apps and data. One of the apps didn't pick up the data from the backup. I restored it from my cloud backup. But I lost a small amount of offline data. That did not affect me, but I am worrying about the future.


Second, I got an issue with an app (I really don't want to tell which app it was). When I contacted the support for that app, they said they would fix and update it. So, now I am waiting for the update. It reminds me of the traditional software.


But one advantage of a smart phone app update is, I really have no need to download and install it manually. It will automatically download and install the new version. I think I am back to the traditional installation with the use of a smart phone.

-Gokul

Friday, 12 July 2013

How to get the complete exception trace as a String?

Cross posted from http://santoshsarmajv.blogspot.in/

By using the method below you can get the complete exception stack trace as a String.


import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;

public static String stackTraceToString(Throwable e)
{
  String retValue = null;
  StringWriter sw = null;
  PrintWriter pw = null;
  try {
    sw = new StringWriter();
    pw = new PrintWriter(sw);
    e.printStackTrace(pw);   // writes the full trace, including "Caused by" chains, into sw
    retValue = sw.toString();
  }
  finally
  {
    try {
      if (pw != null) { pw.close(); }
      if (sw != null) { sw.close(); }   // no-op for StringWriter, but close() declares IOException
    }
    catch (IOException ignore) {
      ignore.printStackTrace();
    }
  }
  return retValue + " \n ";
}

Wednesday, 10 July 2013

Version Unknown / Unhandled Exception Occurs in

It is a usual strange story for developers who are working on Windows applications. The application will always work perfectly (in any situation) on my machine. But on a customer's/deployment machine, it will act strangely.

The above situation is not only with apps; it will also happen while working with Visual Studio (any version). If it works properly on your machine, surely you may face some problems on the build machine.

I am sure the following problem will be faced by VS developers.

The problem was, a project was compiling without problems on my machine but not on a build machine. The error from the build machine was "An unhandled win32 exception occurred in regcap.exe[processid]".

Figure 1 : Exception snap from Windows XP.

Figure 2 : Exception snap from Window 7.




What I did wrong, I don't know. So I Googled with the search term An unhandled win32 exception occurred in regcap.exe[processid]. The search results asked me to do 2 things.

1. Disable the Just-In-Time Debugger.
2. The regcap.exe file is not compatible; make it compatible.

I tried to disable the JIT debugger and I got the same exception in a different dialog window (figure 3).

Figure 3


OK, let's make the regcap.exe file compatible. And how to do that?

1. Right click on that file and select Compatibility-->Run as Administrator.
2. Right click on that file and select Compatibility-->Compatibility Mode-->Windows Vista SP2 or Windows XP SP3 (Figure 4).

Anyway, neither step worked.



Figure 4




I started to feel that the problem is neither with Visual Studio settings nor Windows compatibility. It might be with some file(s) in the solution. I have three projects and each project has a countable number of files, and which one causes this?

I forgot to tell something, yes, about the application which I am working on. I should give an intro for my application. It is a Microsoft Outlook plug-in using Add-in Express. As I already told, I have three projects in that solution. One of the projects is some pre-installation settings. Another one is the main project; it is an "Extensibility Add-In Express" project. The third one is the MSI setup project.

The compilation of the whole solution breaks somewhere in the middle. Instead of compiling the whole solution, I want to try individual projects. That may take me to the exact place of the issue. Yes, it does.

The first two projects do not have any problem in compiling. But the setup project has! Now I excluded all files in the setup project and tried compilation; it works. So I included files one by one and tried the compilation. It breaks at including the file AddinExpress.mso.2005.tlb. When I checked on my machine, the file is not present in my setup project. This is because of different versions of Add-in Express. The build machine has a higher version (6.6). It automatically includes the file AddinExpress.mso.2005.tlb. But on my machine it does not include that file (Add-in Express 6.4). And there is no problem with compilation after excluding the file (we can exclude that file from Add-In Express).

The lesson I have learned from this debugging is, a version compatibility check is one of the high priorities in debugging.

The lesson I still need to learn is why the file AddinExpress.mso.2005.tlb is not present in the lower version (6.4).

Tuesday, 25 June 2013

Primitive Data Type

Intro

The range of values that a variable can hold is known as its data type. There are two main kinds of data type in a programming language.

1. Primitive Data Type.
2. User Defined Data Type.

Here is a short introduction to the Java language's primitive data types. The Java programming language supports 8 primitive data types. A primitive type is named by a reserved keyword. Primitive values do not share state with other primitive values.

byte

The byte data type is an 8-bit signed two’s complement (http://en.wikipedia.org/wiki/Two's_complement) integer. The byte data type can be useful for saving memory in large arrays.

byte Range ::: minimum value : -128 , maximum value : 127
Default Value : 0

short

The short data type is a 16-bit signed two’s complement (http://en.wikipedia.org/wiki/Two's_complement) integer. You can use a short to save memory in large arrays. 

short Range ::: minimum value : -32,768, maximum value : 32,767
Default Value : 0

int 

The int data type is a 32-bit signed two’s complement integer. It has a minimum value of
-2,147,483,648 and a maximum value of 2,147,483,647.

int Range ::: minimum value : -2,147,483,648, maximum value : 2,147,483,647
Default Value : 0

long

The long data type is a 64-bit signed two’s complement (http://en.wikipedia.org/wiki/Two's_complement) integer.

long Range ::: minimum value : -9,223,372,036,854,775,808, maximum value :
9,223,372,036,854,775,807
Default Value : 0L

float 

The float data type is a single-precision (http://en.wikipedia.org/wiki/Single_precision_floating-point_format) 32-bit IEEE 754 (http://en.wikipedia.org/wiki/IEEE_754-2008) floating point.

Default Value : 0.0f

double

The double data type is a double-precision (http://en.wikipedia.org/wiki/Double_precision_floating-point_format) 64-bit IEEE 754 (http://en.wikipedia.org/wiki/IEEE_754-2008) floating point.

Default Value : 0.0d

boolean

The boolean data type has only two possible values: true and false.

Default Value : false

char

The char data type is a single 16-bit Unicode character (http://en.wikipedia.org/wiki/Unicode).
char Range ::: minimum value : '\u0000', maximum value : '\uffff'

Default Value : '\u0000'

Friday, 21 June 2013

Java Class Loader

Intro

  • The Java class loader is part of the Java Runtime Environment (JRE) that dynamically loads Java classes into the Java Virtual Machine (JVM).
  • The JRE doesn't need to know about files and file systems, because the class loader takes care of this.
  • The Java platform uses a delegation model for loading classes.
  • The class loader is responsible for locating libraries, reading their contents, and loading the classes contained within the libraries.
  • Each Java class must be loaded by a class loader.
  • When the JVM starts, three class loaders are used.
    • Bootstrap Class Loader.
    • Extension Class Loader.
    • System Class Loader.

Bootstrap Class Loader


  • The bootstrap class loader loads the runtime classes from rt.jar and other files.
  • Runtime classes are located in the <JAVA_HOME>/jre/lib folder.
  • It is the virtual machine's built-in class loader.
  • It doesn't have a parent class loader, but it may serve as the parent of other class loaders.

Extension Class Loader.

  • The extension class loader loads the libraries in the extension folder.
  • The extension folder is located in <JAVA_HOME>/lib/ext or any other directory specified in the java.ext.dirs system property.
  • It is implemented by sun.misc.Launcher$ExtClassLoader.

System Class Loader 

  • Loads classes, including those in the JAR files specified by the system property java.class.path.
  • If a JAR file on the class path has a manifest with a Class-Path attribute, the JAR files specified by that attribute will also be searched.
  • By default the java.class.path property's value is . (dot), the current directory.
  • It can be changed using the command line option -classpath or -cp, or by setting the CLASSPATH environment variable.
  • The command line option overrides the setting of the CLASSPATH environment variable.

XSS - Cross Site Scripting

  • Cross Site Scripting, better known as XSS, is a subset of HTML injection.
  • XSS is the most prevalent and pernicious web application security issue.
  • XSS flaws occur whenever a web application takes data that originated from a user and sends it to a browser without validating or encoding it.
  • XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface websites, insert hostile content, conduct phishing attacks, and take over the user's browser using scripting malware.
  • The malicious script is usually JavaScript, but any scripting language supported by the victim's browser is a potential target for this attack.
  • There are three types of XSS.

Three types of XSS

  • Reflected.
  • Stored.
  • DOM Injection.

Reflected

  • Reflected XSS is the easiest to exploit.
  • A page reflects user-supplied data directly back to the user.

Stored

  • Stored XSS takes hostile data, stores it in a file, a database, or another backend system, and then at a later stage displays the data to users, unfiltered.
  • This is extremely dangerous in systems such as CMSs, blogs, or forums, where a large number of users will see input from other individuals.

DOM Injection

  • With DOM-based XSS attacks, the site's JavaScript code and variables are manipulated rather than HTML elements.


  • An XSS attack can be a blend or hybrid of all three types.
  • Non-standard or unexpected browser behaviors can introduce subtle attack vectors.
  • XSS is also potentially reachable through any component that the browser uses.
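As an added example (not code from the original post), the defensive side of the three XSS types above: HTML output encoding for the reflected and stored cases, a textContent write for the DOM case, and a crude check a reviewer can run over stored data or logs to flag values that look like markup. The function names and the sample input are constructed for this example.

```javascript
// Added example, not the post's own code.

// Escape the five characters that let untrusted text break out of an HTML
// text node or a quoted attribute value.
function escapeHtml(untrusted) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Reflected/stored case: the HTML a server sends back. The vulnerable form is
// kept only to show the difference; the safe form encodes before concatenating.
function renderSearchResultVulnerable(query) {
  return '<p>You searched for: ' + query + '</p>';
}
function renderSearchResultSafe(query) {
  return '<p>You searched for: ' + escapeHtml(query) + '</p>';
}

// DOM injection case: write user data with textContent, never innerHTML.
// `el` is any object with a textContent property; a plain object stands in
// for a browser node so this runs offline.
function showMessageSafe(el, message) {
  el.textContent = String(message);   // rendered as inert text, not parsed as HTML
  return el.textContent;
}

// Heuristic a reviewer can run over stored comments or request logs to flag
// values containing tags, inline event handlers, or javascript: URLs.
// It is a triage aid, not a filter: encoding on output is the actual defence.
function looksLikeMarkup(input) {
  return /<\s*\/?\s*[a-z]|\bon\w+\s*=|javascript\s*:/i.test(String(input));
}

// Constructed sample input (a textbook probe string, not taken from the post).
var SAMPLE_INPUT = '<script>alert(1)</script>';
```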


Thursday, 20 June 2013

Web.xml or Deployment Descriptor

  • Central configuration file of all web applications.
  • Defines servlets, servlet filters.

From Servlet Spec

  • The DD conveys the elements and configuration information of a web application between application developers, application assemblers, and deployers.
  • The following types of configuration and deployment information are required to be supported by a web application DD for all servlet containers.
    • ServletContext Init Parameters
    • Session configuration
    • Servlet declaration
    • Servlet mappings.
    • Application LifeCycle Listener class.
    • Filter definition and filter mappings
    • MIME type mappings
    • Welcome file list
    • Error page
    • Locale and Encoding mappings
    • Security Configurations, including login-config, security-constraint, security-role, security-role-ref, run-as.


web-app  Element

  • web-app is the root element of the deployment descriptor for a web application.
  • The element has a required attribute, version, that specifies which version of the schema the deployment descriptor conforms to.

description Element

  • This element provides text describing the parent element.
  • This element occurs under multiple other elements.
  • This element has an optional attribute, xml:lang, to indicate which language is used in the description.
  • The default value of the attribute is English ("en").

display-name Element

  • This element contains a short name that is intended to be displayed by tools.
  • The element has an optional attribute, xml:lang, to indicate the language.

icon Element

  • The icon element contains small-icon and large-icon elements that specify the filenames for small and large GIF or JPEG images used to represent the parent element in a GUI tool.

distributable Element

  • The distributable element indicates that this web application is programmed appropriately to be deployed in a distributed servlet container.

context-param Element

  • The context-param element contains the declaration of the web application's servlet context initialization parameters.

filter Element

  • The filter element declares a filter in the web application.
  • The filter is mapped either to a servlet or to a URL pattern in the filter-mapping element, using the filter-name value as the reference.
  • A filter can access the initialization parameters declared in the DD at runtime via the FilterConfig interface.
  • The filter-name is the logical name of the filter; it must be unique within the web application and must not be empty.
  • The filter-class is the fully qualified class name of the filter.
  • The init-param element contains a name/value pair as an initialization parameter of this filter.
  • The optional async-supported element, when specified, indicates that the filter supports asynchronous request processing.

filter-mapping Element

  • The filter-mapping element is used by the container to decide which filters to apply to a request, and in what order.
  • The value of filter-name must be one of the filter declarations in the DD.
  • The matching request can be specified by a URL pattern or a servlet-name.

listener-class Element

  • The listener element indicates the deployment properties for the application listener bean.
  • The sub-element listener-class declares that a class in the application must be registered as a web application listener bean.

servlet  Element

  • The servlet element is used to declare a servlet.
  • It contains the declarative data of the servlet.
  • The servlet-name element contains the canonical name of the servlet; each servlet name is unique within the application. The servlet-name must not be empty.
  • The servlet-class element contains the fully qualified class name.
  • The run-as element specifies the identity to be used for the execution of a component.
  • The load-on-startup element indicates that this servlet should be loaded on startup of the web application. Its content must be an integer indicating the order in which the servlet should be loaded. If the value is negative, or the element is not present, the container is free to load the servlet whenever it chooses. If the value is positive or 0, the container must load and initialize the servlet when the application is deployed. The container must guarantee that servlets marked with lower integers are loaded before servlets marked with higher integers. The container may choose the order of loading of servlets with the same load-on-startup value.


multipart-config

  • If the servlet supports file upload and processing of MIME multipart requests, the configuration for this can be provided by the multipart-config element. This element can be used to specify the location where files can be stored, the maximum size of a file, the maximum request size, and the size threshold.

servlet-mapping

  • Defines the mapping between a servlet and a URL pattern.

session-config

  • The element defines the session configuration for this web application.
  • The session-timeout sub-element specifies the timeout interval for all sessions created in this web application.
  • The specified timeout must be a whole number of minutes.
  • If the timeout is 0 or less, the default behavior is that sessions never time out.

mime-mapping

  • It defines a mapping between an extension and a MIME type. The extension element contains a string describing an extension, such as txt.

welcome-file-list

  • Contains an ordered list of welcome files. The sub-element welcome-file contains the name of the file. The default welcome file is index.html.

error-page Element

  • The error-page element contains a mapping between an error code or an exception type and the path of a resource in the web application. The sub-element exception-type contains the fully qualified class name of a Java exception type. The sub-element location contains the location of the resource relative to the root of the web application.