Wednesday, December 6, 2017

What is DMZ or Demilitarized Zone ?

If not redirected, please click here

What is DMZ or Demilitarized Zone ?

In computer security, DMZ or Demilitarized Zone is a physical or logical subnetwork that separates an organization’s internal network (LAN) from an untrusted network, usually the Internet. Usually the servers that can be accessed from the external network, like web servers, mail servers, DNS, FTP etc are placed in the DMZ and the DMZ is separated from the rest of the internal network using firewalls. The name is derived from the term demilitarized zone which is an area between nation states where no military operations are permitted. It is also called perimeter network.

Why do we use DMZ ?

Servers that are accessible from the external network are most vulnerable to cyber attacks. So, the rest of the internal network of an enterprise should be protected from those servers, so that even if the security of those servers get compromised, the rest of the internal network remains protected. So, publicly accessible servers of an enterprise like web servers, mail servers, DNS etc are placed in DMZ and the rest of the internal network is protected from those servers. Usually the DMZ is separated from the rest of the internal network using firewall and the communication between the DMZ and the internal network is restricted. Also, the communications between two hosts in the DMZ as well as between the DMZ and the external network are restricted.

What all servers are placed in the DMZ ?

Any servers that provide services to users in the external network can be placed in the DMZ. Some most common examples can be:

  • Web servers
  • Mail servers
  • FTP servers
  • DNS
  • VoIP servers
  • Proxy servers

Web servers can communicate with the database servers. They can do it so through Web Application Firewall (What is a Web Application Firewall ?) for security. Web servers can be placed in the DMZ and the database server can be in the internal network, depending on sensitiveness of the data in the database.

Similarly, mail servers can be placed in the DMZ while the database containing sensitive email messages and user data can be placed in the internal network and not accessible to the external network.

Organizations can also include proxy servers in the DMZ (What are proxy servers and how do they work ?). These proxy servers can be both Forward Proxy Servers and Reverse Proxy Servers. Forward Proxy Servers can intercept requests originated from the internal network of the organization requesting an external resource. They can monitor the web contents and filter it accordingly for security purposes. Reverse Proxy Servers on the other hand can intercept requests coming from the external network requesting for a resource in a server internal to the network and filter it accordingly to reduce security threats. As these proxy servers are accessible to the external network, placing them in the DMZ can reinforce security.

How to implement DMZ ?

DMZ can be implemented in mainly two different ways – using a single firewall and using dual firewall.

DMZ using single firewall

A single firewall with three network interfaces can be used in this method. The first interface can be connected to the external network. The second interface can be connected to the DMZ and the third interface can be connected to the internal network. In this case, as a single firewall is used, the firewall should be able to handle all traffic going to the DMZ as well as the traffic from the internal network and it can also become a single point of failure.

DMZ using dual firewall

In this case, two different firewalls are used. The first firewall is placed between the external network and the DMZ. It can monitor all traffic between the external network and the DMZ and filter them accordingly. The second firewall can be placed between the DMZ and the internal network and monitor and filter traffic between the DMZ and the internal network. In this method, as two firewalls are used, this is more secure than the single firewall method. Also, two firewalls used should be from two different vendors, so that both of them do not contain the same security vulnerabilities and it becomes more difficult for the attackers to bypass both the firewall to access the internal network.

Monday, October 23, 2017

Data Loss Prevention

If not redirected, please click here

An organization needs to make sure sensitive data like company confidential information or data collected from customers do not get shared outside the internal network without legitimate reasons. Sometimes sensitive data get shared outside the company network purposefully because of internal threats. And, sometimes it happens accidentally by ignorant employees. A company needs to prevent its employees from sharing sensitive data accidentally or purposefully. Data Loss Prevention is a solution or process that is used for that purpose.

What is Data Loss Prevention ?

Data Loss Prevention or DLP is a strategy to make sure that end users do not send sensitive data or critical information outside the corporate network intentionally or accidentally. Sensitive data may include confidential data like Intellectual Property or corporate data like financial documents, strategic planning document, employee information and customer data like Social Security Number, credit card number, medical records etc.

DLP can be effectively used to prevent insider threats as well as to comply with rigorous state privacy laws.

How is Data Loss Prevention done ?

Data loss can be prevented in various ways. Standard security measures include firewalls, IDPS and anti-virus solutions. They are commercially available products that can prevent insider threats and outsider attacks.

Advanced measures may include using Machine Learning to detect and prevent abnormal access of sensitive data. Honeypots (What is a Honeypot ?) and user activity monitoring solutions also can be used for that purpose.

Often designated Data Loss Prevention systems are used to detect and prevent data loss. These DLP solutions use mechanisms like data matching, data fingerpriting, statistical methods etc to prevent unauthorized sharing of sensitive data whether done accidentally or purposefully.

Sensitive data can reside on various computing devices like physical servers, virtual servers, databases, file servers or endpoint devices like computers, POS devices etc. It can also move through various network access points like wireless, VPNs etc. Thus a variety of solutions can be used to prevent data loss, data leaks and data recovery.

Data Loss Prevention solution can identify confidential data, track the data as it moves outside the enterprise network and prevent unauthorized disclosure using disclosure policies. It uses business rules to classify and protect sensitive data.

How does Data Loss Prevention solution identify sensitive data ?

A DLP solution has to first identify sensitive data in order to prevent data losses. This can be done using various techniques.

Sensitive data in fact can be of two types – structured and unstructured. Structured data are data that exist in specific formats. Credit card data, Social Security Number, date of birth, email address etc are examples of structured sensitive data. Regular expressions can effectively used to detect structured sensitive data. Data Loss Prevention solutions in fact use a number of predefined policies that have rules to identify structured sensitive data. Regular expressions are widely used for that purpose. Sometimes data is matched against context also so that sensitivity of data can be identified in a better way. For example, if an employee from payroll department looks into some other employee’s remuneration package, it is usual. But, if someone from sales department does the same, DLP solution should be able to raise a flag and report it.

Unstructured data on the other hand does not have any specific formats. Source code, media files etc are examples of unstructured sensitive data. Without analyzing the contents it is difficult to detect whether it contains any sensitive data. Data Loss Prevention solutions often use fingerprinting for this purpose. Fingerprints of unstructured sensitive data are made using cryptographic hashes and saved in databases. Later, these fingerprints are used to identify sensitive data elsewhere.

Types of DLP Solutions

Data Loss Prevention solutions prevent data breaches by monitoring sensitive data while the data is in-use in endpoint devices, in-motion in network or at-rest in data storage.

Network Based Data Loss Prevention Solution

DLP solution can prevent data loss for data in-motion by monitoring all traffic leaving the internal network. Monitored data may include all data transferred using multiple protocols like HTTP, FTP, IM, P2P, SMTP etc. For example, all files transferred outside the company network using FTP protocol or all emails sent outside the enterprise network can be monitored.

Datacenter or Storage Based Data Loss Prevention Solution

DLP solution can protect data at rest stored within an organization’s datacenter infrastructure like file servers, SharePoint and databases. It can determine where the sensitive data resides and whether it is stored securely. Protecting data at-rest may involve methods such as access control, data encryption and data retention policies.

Endpoint Based Data Loss Prevention Solution

Data Loss Prevention solution may also include agent based solution that sits on end user workstations and laptops and monitors data leaving the endpoint. It can control communication via email, instant messengers etc and can control access to physical devices and block attempted transmission of sensitive data. These solutions must be installed on every endpoint devices.

Data Loss Prevention Solution Vendors

There are quite a number of vendors that provide good Data Loss Prevention solutions. Some reputed ones are mentioned below :

  1. McAfee Total Protection for Data Loss Prevention
  2. Check Point Data Loss Prevention
  3. Digital Guardian Data Loss Prevention
  4. CA Data Protection
  5. Forcepoint DLP

Read More

What is Next Generation Firewall (NGFW) ?

How are malware detected by traditional anti-virus solutions & how is NGAV different from them ?

What is Deep Packet Inspection ?

What is a Honeypot ?

What is Intrusion Detection System & how does it work ?

How can AI, Machine Learning & Deep Learning be used to improve cyber security ?

What is Access Control ?

Tuesday, October 10, 2017

What is Access Control ?

What is Access Control ?

All users may not have permission to access all the resources in a system or network. A system should be able to allow or deny access to certain resources based on identity or role of the user or the group the user belongs to. This can be managed using access control. Access control is the selective restriction of access to a resource based on authenticated identity of the user or the properties of the request.

Access control deals with controlling the access to a resource after a user has provided his credentials and the identity is verified. To give an example, a user or a group of users may have permission to access only a certain set of resources and may be restricted from the rest. It can be managed using access control.

Access Control Models

Access to resources can be enforced through many types of controls :

  • Mandatory Access Control or MAC
  • Discretionary Access Control or DAC
  • Role Based Access Control or RBAC
  • Rule Based Access Control or RAC
  • Attribute Based Access Control or ABAC
  • History Based Access Control or HBAC
  • Identity Based Access Control or IBAC

Mandatory Access Control or MAC

In Mandatory Access Control or MAC, all access to resources are strictly controlled by the Operating System based on settings provided by the system administrator. In this type of access control, security labels are assigned to each resource on a system. This security labels can contain information on classification of the resource (top secret, confidential, public etc) and to whom the resource is available. Similarly, each user is also associated with a classification based on his role, identity, group etc and a set of resources available to him. When an authenticated user requests to access a resource, the Operating System checks the security labels of the resource and the classification of the user and decides whether the request should be allowed or denied.

MAC provides a very secure access control environment and traditionally it has been associated with Govt. System and specialized military systems. Recently, MAC is also implemented in SELinux and AppArmor for Linux and Mandatory Integrity Control for Windows.

Discretionary Access Control or DAC

In Mandatory Access Control, access to resources is controlled by the Operating System using settings provided by the system administrator. But, in Discretionary Access Control or DAC the owner of the resource controls which user or group should be able to access the resource.

In this type of access control, each resource typically has one Access Control List associated with it which specifies which user or group will have access to the resource and what all permissions will be granted. For example, a user may create a confidential file and provide read-only access to only those who belong to the same group as the user and restrict the rest.

Please note that, in DAC a user can control access to resources which he/she owns. User X cannot control access to resource which belongs to User Y.

A system can implement both MAC and DAC, in which case the Operating System can control what all resources an authenticated user can access using MAC and the user can control what all resources owned by him/her can be accessed by others using DAC.

Role Based Access Control or RBAC

Role Based Access Control or RBAC is a non-discretionary access control in which a user is given permission to access a resource based on his/her role in the organization. For example, a system may provide access to certain resources to the Accountant role, in which case all accountants in the organization would be able to access the resources. Similarly, a manager may be assigned to a manager role and a software engineer may be assigned a developer role and they can have permission to access resources based on their roles.

Please note that, a role assigned to a user is not same as a group. A user can belong to different groups, but he/she would have a single role in the organization.

Rule Based Access Control or RAC

In Rule Based Access Control or RAC, when a request is made to access a resource, the properties of the request is checked against a predefined set of rules to decide whether the request can be allowed or should be denied. For example, a firewall can use Rule Based Access Control. When a request is made to access a device or network, the properties of the request like IP address, port, application etc are analyzed and checked against a pre-defined set of rules to decide whether to block or allow the request.

So, in Role Based Access Control or RBAC access request is permitted based on role of the user requesting the resource and in Rule Based Access Control or RAC a request to access a resource is allowed or denied based on properties of the request and a set of predefined rules.

Rule Based Access Controls are commonly used to permit access to certain resources to certain users or group during certain hours of a day or certain days in a week. For example, Rule Based Access Control can be used to permit students to access resources during 9 am to 5 pm from Monday to Friday.

Attribute Based Access Control or ABAC


Attribute Based Access Control or ABAC uses a set of attributes as building blocks to define access control rules of a resource.

Attributes are sets of labels or properties that can be used to describe the resource. Fr example, when a user wants to access a resource in a given context, the request can contain the following building blocks :

  • Subject – The user who is requesting the resource. Common attributes are user ID, group, role etc.
  • Action – The action the user wants to perform. Common attributes are permission to read, write execute, edit etc.
  • Resource – The resource the user wants to access.
  • Environment – The context in which the access is requested. Common attributes include timestamp of the request, location of the user, protocol used in the request, encryption strength etc.

Typically each attribute consists of a key = value pair like role = manager. These attributes are used in a structured language to define an access rule or describe a request. For example, permit managers to have read-only access to employee data if the employee belongs to the same department as the manager.

The main difference between Attribute Based Access Control and Role Based Access Control is that unlike Role Based Access Control, Attribute Based Access Control can use complex Boolean rule sets to evaluate many different attributes at a time and grant access based on that. Structured language like XACML or eXtensible Access Control Markup Language is often used for that purpose.

ABAC is also considered the “next-generation” authorization model as it can provide dynamic, context-aware and risk-intelligent access control to allow access to resources. Policy Based Access Control or PBAC and Claims Based Access Control or CBAC are Microsoft specific terms for ABAC.

Identity Based Access Control or IBAC

In Identity Based Access Control or IBAC, access to resources are controlled based on identity of the authenticated user. For example, Cyberoam offers a network security system in which a user’s identity can be used as a part of the firewall rule matching criteria. In this case, a user’s identity is treated as the 8th Layer in the network protocol stack and is used while authenticating, authorizing and auditing the network. This in turn allows an organization to create security policies based on users and groups rather than on IP addresses. Identity Based Access Control gives more precise control over who can access the network and what they can access.

History Based Access Control or HBAC

In History Based Access Control or HBAC, access to a resource is granted or denied based on the history of activities of the request. Past behavior, access patterns, time between requests, contents requested etc are usually used in History Based Access Control or HBAC. For example, a user can be denied to access a resource if the number of requests per second exceeds a certain threshold or any past abusive access pattern is detected.

What is the difference between Access Control and Identity Management ?

Identity Management covers a whole range of functions like access control, user provisioning, privileged account management, directory services, account auditing, role and group management, Single Sign On or SSO etc. Access control is only a subset of Identity Management.

Vendors like Oracle, Microsoft, IBM, Novell etc provide Identity Management suites that include identity administration, identity infrastructure, access management and auditing.

In short, identity administration sets up user roles and groups that allow access only to authorized systems. Identity infrastructure holds information on user accounts and user identity, such as LDAP. Access management sets up user accounts with user Ids, passwords, smart cards, biometrics etc. And, auditing deals with reporting on accounts.

On the other hand, access control is concerned with providing users with access based on their authenticated identity. It is not concerned with proving their identity. While Identity Management can use multiple pieces of proofs to verify the identity of a user, access control focuses on providing users with access to resources once their identity is verified.

Monday, July 31, 2017

What is Click Fraud ?

If not redirected, please click here

What is Click Fraud ?

In online advertising, advertisers often use ad-networks to place a clickable advertisement on a publisher’s website. A user interested in the advertisement clicks on it to get more information. The advertiser then pays a predetermined amount of money to the publisher through the ad-network. This type of advertising is also called Pay Per Click advertising or PPC advertising, as the money as advertiser pays to the publisher is directly related to the number of clicks generated from the website of the publisher. Click fraud is a type of fraud where a fraudulent person himself or by using some automated scripts imitates a legitimate user and generates lots of clicks on an advertisement without having any actual interest in the advertisement. It is often done with the purpose of making the advertiser lose lots of money.

What is the purpose of Click Fraud ?

Perpetrators may have several purposes behind click fraud.

  • To cause the advertiser financial loss – Perpetrators often use click fraud to cause financial harm to the advertiser. It may be done by a competitor who advertises in the same market. The perpetrators may not directly profit from the click fraud, but they can force the advertiser to pay large amount of money for irrelevant clicks and thereby weaken or eliminate the source of competition.
  • To frame a publisher – The perpetrators may do click fraud to look as if the publisher is clicking on the advertisements of his own website for his own financial gains. The advertising network may then terminate the relation with the publisher. If the publisher relies heavily on advertising for revenues, the click fraud may cost him heavily.
  • To cause the publisher financial gains – Sometimes supporters of a publisher like his friends, family, fans or political party supporters perpetrate click fraud as they think that would cause financial gains to the publisher. But, it gets backfired instead, once it gets detected and causes harm to the publisher instead.
  • Other malicious intentions – Sometimes the perpetrators may have other motives other than causing harm to the publisher or the advertiser. The perpetrators may have political or personal vendettas. These causes are very difficult to track down and it becomes quite difficult to take proper legal actions against the perpetrators.

How to detect Click Fraud ?

Many ad-networks use several techniques to detect click fraud.

  • Automatic Filter – Sometimes ad-networks use automatic filters to filter out invalid clicks in real time.
  • Manual Analysis – Sometimes ad-networks use manual analysis to investigate anomalies and fluctuations on clicks and remove invalid clicks once detected.

Anytime an invalid click is detected by an ad-network, credits are issued to the corresponding account.

But, techniques used by the ad-networks may not be enough always. So, it is always good for the advertisers to monitor the clicks on the advertisements and do their own analysis to detect click fraud.

There can be several signs that may indicate a click fraud :

  • Number of times the advertisement shows on a search page increases unusually.
  • There are unusual number of clicks on the advertisements.
  • There is no significant increase in the number of conversions even when there is an unusual increase in the number of clicks on the advertisements.
  • The average number of pages visited per visitor drops.
  • The bounce rate becomes high.

An advertiser should always look for these warning signs and report it to the ad-network after doing own analysis.

Click fraud can be analyzed by the advertiser using various techniques. Whenever there is a click on an advertisement and the user arrives at the advertiser’s website, it is always good for the advertiser to collect a few data and do his own analysis. For example, information on the following can always help :

  • IP address of the user who clicks on the advertisement
  • Click timestamp and action timestamp
  • User agent

Information on IP address – If there is a huge number of clicks from a particular IP, then there is a possibility that it may be a click fraud. But, it is always good to collect some more information on the suspicious IP address before deciding anything. It may not be a click fraud if the IP address is of a proxy server serving many Internet users.

Click timestamp and Action timestamp – Click timestamp is the time when a user clicks on an advertisement and visits the advertiser’s website. Action timestamp is the time when the user performs the intended action on the website. If there is a huge number of clicks with click timestamp and no action timestamp, then it is likely to be a click fraud.

Information on User Agent – Information on User Agent is helpful in detecting whether clicks from a particular IP is from a single person. Information on the device being used, browser, software etc also help as they can identify whether two people using the same IP are the same person or not.

So, to summarize, advertisers should detect click fraud using the following steps :

  • Identify metrics to audit the clicks on the advertisement
  • Use a specialized software to track these metrics
  • Audit metric values to create a benchmark
  • Review current metric values against benchmark values
  • Take proper actions when benchmark thresholds are exceeded.

How to prevent Click Fraud ?

Advertisers should take the following actions to prevent click fraud.

  • Instead of relying on the ad-network alone, the advertisers should do their own analysis to detect click fraud as explained above.
  • If a IP address is associated with fraudulent clicks, the IP address can be blocked from displaying the advertisement.
  • Advertisers can use remarketing to display advertisements to those who have visited and shown genuine interest in the advertiser’s website.
  • If a competitor is suspected to commit click fraud, one can always block his IP, zip code or city from displaying the advertisement.
  • If most of the clicks from a particular city or region are click fraud, one can always exclude the region from showing the advertisements. But, one should also make sure not too many good traffic are eliminated.

Click fraud is a serious problem. But, with proper approach this problem can be dealt with. So, keep updated about click fraud and stay safe, stay secured.

Tuesday, June 13, 2017

What is Tabnabbing ?

If not redirected, please click here

What is Tabnabbing ?

Tabnabbing is a technique which is often used by attackers for phishing attacks. The attack takes advantage of a user’s trust and inattention while opening multiple tabs in a browser and can deceive the victim in submitting sensitive credentials or other sensitive data.

The attack was first described by Mozilla Firefox creative lead Aza Raskin and is often used by attackers as a phishing technique.

How does Tabnabbing work ?

Tabnabbing usually works in the following way:

  • A user opens a malicious website along with multiple other tabs in the browser.
  • The malicious website uses some malicious scripts to detect the tab is idle and inactive. This usually happens when the user is inattentive and the webpage is left unattended for some time.
  • Once the above condition is met, the malicious script executes itself and rewrites the whole webpage in the tab where the malicious webpage was opened.
  • To give an example, the webpage can rewrite itself completely and open instead a fake webpage which looks identical to facebook login page.
  • To evade detection, the scripts can even change the title of the webpage shown in the tab along with the favicon which is displayed as an image on the left side of the webpage title.
  • When the user comes back to his open browser, he usually relies on the favicon and the webpage title to know what all tabs he had opened.
  • In our case, when the user comes back and looks at his browser, he would see facebook login page is opened in one of the tabs. He may rely on the title and favicon and fail to notice other signs of this phishing attack.
  • If the user now provides his credentials to the fake facebook page, the credentials and other sensitive personal data will be stolen by the criminals.

Why do attackers use Tabnabbing ?

Traditional phishing techniques largely relies on a phishing link or a malicious attachment. And, if the user is educated enough or becomes suspicious and alerted, the attack fails. For example, a user may not open an attachment sent by an unknown sender or open any untrusted links or respond to an email requesting sensitive personal data. And, to counter those attackers often use Tabnabbing which is much more stealthy and difficult to detect.

How to prevent Tabnabbing ?

Tabnabbing is no doubt very stealthy, but with proper precautions we can always safeguard ourselves from this attack.

  • Before logging in to any website or providing sensitive data to any website, look at the address bar of the browser. Make sure the URL is proper and the website uses HTTPS with a proper digital certificate. You can click on the lock icon on the left side of a URL in the address bar to get more information on the ownership of the website and the digital certificate used.
  • Do not allow scripts on a webpage if the webpage is not trusted. You can use several browser plugins for that purpose. For example, NoScript is a Firefox extension which can be effective in preventing Tabnabbing. It can prevent javascript from running in an untrusted website and prevents certain scriptless attacks based on meta refresh also.

Monday, April 10, 2017

What is Pharming ?

Pharming is a scamming technique in which attackers redirect traffic of a legitimate website to another fraudulent website with the purpose of spreading malware or stealing sensitive data from victims. A typical example of pharming will be – a user types in the URL bar, but gets redirected to a fraudulent website which looks identical to Amazon website. And, when the user types in his credentials or banking details, the information directly goes to the attackers. Attackers often use several techniques to make it possible.

Pharming vs Phishing

In phishing, attackers typically send a victim an email or SMS containing a link or tricks the victim into clicking on a malicious link in some other way. The malicious link may point to a website which looks quite identical to some legitimate website. If the victim does not understand the trickery and ends up giving sensitive details like credentials or banking information, the information directly goes to the attackers. So, in other words, in a phishing scam, attackers may use an identical looking website, but URL of the website will be different from the actual one, though a victim may not notice the difference and fall prey.

In pharming, on the other hand, a victim types the correct URL of a legitimate website, yet he gets redirected to an identical looking fraudulent website. Attackers often use techniques like DNS Cache Poisoning or compromise host file in a computer to make it possible.

So, in other words, phishing typically uses a bait in the form of a phony email, link or attachment to redirect a user to a fraudulent website, whereas pharming can automatically redirect a user to a fraudulent website, even though the user has typed in the correct URL in the address bar.

How is Pharming done ?

Two major techniques used by attackers in pharming are host file modification and DNS Cache Poisoning. Let’s understand in more detail how these two methods are actually used in pharming.

Pharming using host file modification

When we type a URL in the address bar of a browser, the URL gets converted into a IP address and the IP address is then used to access the actual website. A computer often uses a host file to map IP addresses. A host file is an operating system file that maps hostnames to IP addresses. Attackers often use malware to compromise the host file in a computer, so that when a user types in a legitimate website in the address bar of a browser, the browser gets the IP address of the fraudulent website instead and the user gets redirected to the malicious website, though he typed in the correct URL.

Pharming using DNS Cache Poisoning

When we type a URL of a website in the address bar of the browser, our computer contacts the Domain Name Servers or DNS Servers to resolve the IP address of the website. Now, the Internet does not have a single DNS Server, because that would be very inefficient. Instead, our ISP runs its own DNS Servers, which cache information from other DNS Servers. Our home router has its own DNS Server, which caches information from ISP's DNS Servers. And, our computer has a local DNS cache, which stores responses of previous DNS queries made by the computer.

The function of DNS cache is to store responses of previously made DNS queries, so that next time the same DNS query is made, it doesn't have to contact the DNS Servers again. Instead, it can retrieve the IP address from its cache.

DNS Cache is said to be poisoned when stores a malicious entry instead of a valid one. For example, if we type, for the first time our computer will make a DNS query to appropriate DNS Server and once it gets a response, it will store the IP address of in its DNS Cache, with a timestamp up to which the entry remains valid. Within that time, if we type again, our computer will look at its DNS Cache for the entry.

Suppose, our computer has made a DNS query and waiting for a response from the DNS Servers. But, instead of an authentic response it gets a response containing IP address of the attacker's website. So, its DNS Cache will be poisoned and next time onwards whenever the computer will try to resolve the IP address of the same URL, it will end up being to the attacker's website.

In similar way, DNS Cache of any DNS Server also may get poisoned. Because, ISP's DNS Server gets response from other DNS Servers and it stores the responses in its cache. If that cache is poisoned, the same poisoned entry will spread to all home routers and from them to all computers.

Attackers often use DNS Cache Poisoning for the purpose of pharming. They poison the DNS Cache to store IP address of their malicious website, so that even though a user types in the correct URL, the browser gets IP address of the fraudulent website and the user gets redirected to the attackers’ website even though he typed in the correct URL.

How to prevent Pharming ?

We can always take a couple of steps to protect ourselves in a better way.

  • ISPs can do much to prevent pharming. They can filter out malicious redirects up to a great extent. So, use a trusted ISP. Rigorous security at the ISP level can be a good first line of defense against pharming.
  • It is always a good practice to look at the address bar of a browser and check whether there is any spelling mistakes in the URL before providing any credentials to the website.
  • Pharmers often target banking and ecommerce websites. So, before typing in any financial details, it is always a good practice to verify whether HTTPS is being used. No legitimate website will transfer any sensitive information without using HTTPS.
  • It is always a good practice to verify the digital certificate of a website when you have any doubt. You can go to browser properties menu and click on the “Certificate” tab to verify whether the website is using a secure certificate from its legitimate owner.
  • Look at the padlock of the address bar of a browser to verify whether the connection is secure. An unlocked padlock indicates an unsecured connection.
  • Use anti-malware programs from trusted sources and keep them updated regularly. Some anti-malware programs can detect pharming.
  • Keep your Operating System and browser updated with recent security patches. Attackers often exploit security vulnerabilities present in a system to infect the system. More updated a software is, lesser are its security vulnerabilities.

What is Smishing ?

We often get spam SMS’s. They are not only annoying, sometimes they can be dangerous too. Attackers often harvest phone numbers of potential victims and send them malicious SMS typically containing a link or a number to call back to. When a user clicks on the link or calls the number provided, he falls prey of the scam. This type of scams are called smishing.

A typical example of smishing will be an SMS like this :

We’re confirming you’ve signed up for our dating service. You will be charged $2/day unless you cancel your order clicking on the link

If a victim clicks on the link, he may get redirected to a malicious website spreading malware or even he may end up being in a fraudulent website looking identical to some legitimate website and end up compromising sensitive credentials or other personal details.

Smishing is a type of phishing scam in which attackers use SMS or Short Message Service to deceive users. Attackers often use smishing to steal sensitive information from users or to spread malware.

The term “smishing” is derived from two words “SMS” and “phishing”. An SMS is typically used in this type of scams and hence the name.

Some real life examples of Smishing

Amazon Phishing Scam

This smishing scam appeared in January, 2017. In this scam, a victim typically gets an SMS as mentioned below:

Order Confirmation (#101-2341765-1192723)

Order total: 70$

If you did not authorize this purchase, click to Cancel and Refund.

As usual the link points to some fraudulent website that looks quite identical to Amazon website and asks for sensitive credentials from the victim. The fake website even asks for entering credit card numbers to the victims. No doubt on providing such sensitive details the victims’s Amazon account as well as financial details get compromised.

However, if you look carefully, you can notice some pointers that indicate the SMS is not legitimate.

  • It should have been written as $70 and not 70$. A legitimate communication should not have this mistake.
  • It is unlikely that Amazon will send a link using such URL shortening service.

However, if a user gets any such unexpected text, the best way to deal with it would be not to visit the provided link, but to login in legitimate Amazon website and verify the active orders. The user can also call the Amazon customer care and clarify.

Apple Phishing Scam

This smishing scam appeared in 2016. A victim typically gets an SMS as mentioned below:

Your Apple ID has been locked for invalid details and is pending termination. Confirm your details at http://somesmishinglink Apple.

In this case also, if a victim clicks on the link, he gets redirected to a fraudulent website which looks identical to legitimate Apple’s website and it asks for sensitive credentials from the victim.

However, if any user gets any such SMS, the best response would be not to visit the link, but to login in the legitimate website of Apple and check whether there is any such notification or to call Apple customer care directly to verify.

Netflix Phishing Scam

This smishing scam also appeared in 2016. The scam mainly targeted Australian Netflix users.

Update your Netflix Account so you can continue enjoying your Netflix service. http://somesmishinglink

This link also points to a fraudulent website looking identical to legitimate Netflix website and asks for sensitive credentials. A user receiving any such SMS, however, should verify the information going to legitimate Netflix website instead of clicking on the link or call customer care of Netflix and report it.

How to prevent Smishing ?

We can always take a couple of steps from our side to protect ourselves in a better way.

  • Never ever share your financial information via SMS, call or email. A bank will never ask for that to any of its customers.
  • Do not follow instructions on an SMS sent by an unknown sender. Delete such SMS instantly.
  • Please be alert to the fact that an SMS claiming to be from your bank may not be genuine.
  • Do not click on any link of an SMS sent by an unknown sender.
  • If you get an unexpected SMS asking for providing any sensitive information quickly, be careful. Attackers often use social engineering to create a sense of urgency to the victims and ask for a quick response, so that victims do not get much time to think and reveals all the requested sensitive information instead.
  • It is always good to block unwanted numbers from sending texts or calls.
  • If an SMS sent by some unknown sender asks for calling a number, do not do that.
  • If anything looks suspicious, do your research before responding. Sometimes a simple google search reveals a lot.
  • Use your common sense and caution and make sure you do not fall victim of identity theft.
  • Beware of messages that come from numbers that do not look like phone numbers, for example 5000 numbers. These messages are actually sent by email-to-text services. Attackers often use these services to mask their identity.
  • Never reply to any suspicious messages hurriedly. If your bank is to cancel your credit card, you should be able to call your bank customer care and discuss the matter with them.

Read More

Infographic : How to prevent Phishing ?

Infographic : How to prevent malware ?

What is Vishing ?

What is Pharming ?

What is Social Engineering and how to safeguard oneself ?

What is 2 Factor Authentication and why should we always enable it if possible ?

How to safeguard oneself from Evil Twin ?

What is Vishing ?

Vishing is the practice of using social engineering over telephone system with the purpose of stealing sensitive financial information or other sensitive personal data from a victim. Vishing is one of the most serious threats today and is widely perpetrated by criminals.

The word “vishing” is a combination of two words “voice” and “phishing”. In this technique, attackers use telephone system to do phishing and hence the name.

Vishing is typically used by criminals to steal sensitive banking information like account number, PIN, password, OTP and credit card numbers or to steal other personal details of users that the attackers can exploit to perpetrate identity theft.

Attackers often use VoIP and automated system like IVR to perpetrate vishing. They may even use techniques like War Dialing and Caller ID Spoofing to serve their purpose.

What is War Dialing ?

Attackers often use war dialing to harvest phone numbers of potential victims. It is a technique to automatically scan a list of telephone numbers in a particular region. Attackers often use a dedicated software to dial all numbers in a local area one by one. As soon as they get a response from any number, they simply note it down, so that they can later use it for vishing.

What is Caller ID Spoofing ?

Attackers often use Caller ID Spoofing to deceive a victim in vishing. They mask the actual caller telephone number and a different deceiving number appears in the receiver of the victim.

Attackers can use a variety of methods and different technologies for that purpose. In the past, Caller ID Spoofing would require an advanced knowledge, but nowadays attackers often use VoIP or PRI lines to do that easily. For example, some VoIP providers give a user the option to configure the displayed number. This has lots of legitimate uses also. For example, a doctor may want to answer a patient from his home, but may not want to reveal his home phone number at the same time. But, attackers often use this technique to hide their identity and impersonate others.

How does Vishing work ?

Attackers may perpetrate vishing as mentioned below.

  • Criminals first harvest phone numbers of potential victims. They may use several techniques for that purpose. They may steal phone numbers from an institution or they may use war dialing to find out valid phone numbers.
  • The criminals then start making calls to potential victims. They usually use Caller ID Spoofing to deceive the victims and hide their identity.
  • In a vishing call, the attackers may trick a user in revealing sensitive financial details. They may say the call is from a bank and there is a problem with the user’s bank account or credit/debit card and the user needs to give his financial details to the caller in order to address the problem. The attackers may also use automated instructions to ask the victim to type in his credit card number, account number or PIN on the keypad. And, in some cases, the attackers ask the victim for his personal details that the attackers can later use to impersonate the victim for fraudulent purposes.

A real life example of Vishing

A widely perpetrated vishing scam is Microsoft tech support scam. In this scam, the attackers typically call a victim posing as a member of Microsoft technical support and inform the victim that his computer is infected with malware which is generating all sort of errors. The attackers can then ask for remote access of the victim’s computer or ask the victim to download some software or fake anti-malware programs to solve the victim’s problem. Some attackers may even deceive a victim to reveal his bank account information to make a payment. In other words, the goal of this vishing scam is to infect the victim’s computer with malware or to steal sensitive financial details from the victims.

How to prevent Vishing ?

Vishing is very difficult for legal authorities to monitor or trace. But, we can always take a couple of steps to protect ourselves up to a significant extent.

  • Never ever provide your financial details over phone. A bank will never ask for your account number, credit card number, password or PIN over phone.
  • If someone is asking for any OTP or One Time Password over phone, be sure it is a scam. OTPs are meant for users only and no legitimate authority will ever ask for any OTP from any user.
  • Do not reveal any personal details or personally identifiable information over phone. If you have any doubts, you can politely inform the caller that you are going to call back and then call the authentic number of the website/provider/institution to verify about the call. It is always better to be safe than sorry.
  • If you get a call informing any of your web account is having some problem, please do not reveal any information immediately. You can always login to your account visiting the legitimate website and verify whether there is any such notification or you can call the legitimate customer care numbers and clarify.
  • Get your number registered on the National Do Not Call Registry to block automated calls. It may not stop vishing, but you would get far fewer automated calls than you are used to.
  • Do not trust the caller ID of a phone call. As said above, attackers can very easily spoof that.
  • If you think you have fallen victim of vishing and your financial information are compromised, immediately call the bank and report the incident. Verify whether there is any unauthorized transaction. Also, immediately change your IPIN, password, ATM PIN or other credentials that may have been compromised.
  • It is always good to report vishing incidents to appropriate legal authority. It often helps a lot in catching the actual criminals.

So, to summarize, never ever reveal any financial information or any personally identifiable information over phone. It is always good to verify the authenticity of a call before responding. Be informed about various security threats and stay safe and stay secure.

Read More

How to prevent Phishing ?

What is Smishing ?

Infographic : How to prevent malware ?

What is Social Engineering ?

How to safeguard oneself from Evil Twin ?

What is Pharming ?