|Virus Bulletin Ltd.||(http://www.virusbtn.com/)|
Yes. Consider the application has a login page that sends the username and password as a POST request to the server. If a user clicks refresh on the second page (the page after login), the same request including the username and password in the POST will be sent again. Now suppose a valid user browses through our application and logs out, but does not close the window. The attackers come along and click the back button of the browser till they reach the second page. They only have to do a refresh and since the username and password are resubmitted and revalidated, the attackers can login as the user. Now let's assume the application has a login page which takes the user to an intermediate page for authentication. Once authenticated, the user is redirected to the second page with a session token. In this case, even if the attackers reach the second page and do a refresh, the username and password will not be resubmitted. This is so because the request that will be submitted is the one for the second page which does not contain the username and password. Therefore, it is always better to redirect the user.
The Forgot Password feature is implemented in a number of different ways. One common way is to ask the user a hint question for which the user has submitted the answer during registration. These are questions like What is your favorite color? or What is your favorite pastime? If the answer is correct, either the original password is displayed or a temporary password is displayed which can be used to log in. In this method, an attacker trying to steal the password of a user may be able to guess the correct answer of the hint question and even reset the password.
If the old password is displayed on the screen, it can be seen by shoulder surfers. So it is a good idea not to display the password and let the user change to a new one. Moreover, displaying the password means it has to be stored in a recoverable form in the database which is not a good practice. If the password is stored as a one way hash in the database, the only way Forgot Password can be implemented is by letting the user reset the old password. So, it is always better to force the users reset their passwords when they forget their passwords. (A one way hash is the result obtained when we pass a string to a one way hash function. The result is such that it is impossible to get back the original value from it. Passwords are best stored as non-recoverable hashes in the database.)
Emailing the actual password in clear text can be risky as an attacker can obtain it by sniffing. Also the mail containing the password might have a long life time and could be viewed by an attacker while it is lying in the mailbox of the user.
Apart form the above threats, a malicious user can do shoulder-surfing to view the password or login credentials.
We should first ask the user to supply some details like personal details or ask a hint question. Then we should send a mail to the users authorized mail id with a link which will take the user to a page for resetting the password. This link should be active for only a short time, and should be SSL- enabled. This way the actual password is never seen. The security benefits of this method are: the password is not sent in the mail; since the link is active for a short time, there is no harm even if the mail remains in the mailbox for a long time.
Password guessing with automated tools is a serious problem since there are a number of tools available for this purpose. These tools essentially keep trying out different passwords till one matches. Locking out the account after 5 failed attempts is a good defense against these tools. However, the important point then is how long you lock out the account for. If it is for too long, service to valid users might be denied as the attackers repeatedly lock out your users. If the time is too short say about 1-2 minutes, the tool could start again after the timeout. So the best method would be to insist on human intervention after a few failed attempts. A method used by a number of sites these days is to have the user read and enter a random word that appears in an image on the page. Since this cannot be done by a tool, we can thwart automated password guessing.
Keystroke loggers on the end users machines can sometimes ruin all our efforts of securely transmitting and storing the passwords. The users themselves may not be aware that a key logger has been installed on their machines and records each key pressed. Since the highest risk is with the password, if we can authenticate the users without having them use the keyboard, or reveal the entire password, we solve the problem. The different ways of doing this are:
If the application will be accessed from publicly shared computers such as libraries, the following may protect its security.
SQL Injection is a technique by which attackers can execute SQL statements of their choice on the backend database by manipulating the input to the application. Let's understand SQL Injection through the example of a login page in a web application where the database is SQL Server. The user needs to input Username and Password in the text boxes in Login.asp page. Suppose the user enters the following: Username : Obelix and Password : Dogmatix This input is then used to build a query dynamically which would be something like: SELECT * FROM Users WHERE username= 'Obelix' and password='Dogmatix' This query would return to the application a row from the database with the given values. The user is considered authenticated if the database returns one or more rows to the application. Now, suppose an attacker enters the following input in the login page: Username : ' or 1=1-- The query built will look like this: SELECT * FROM Users WHERE username= or 1=1-- and password= -- in SQL Server is used to comment out the rest of the line. So, our query is now effectively: SELECT * FROM Users WHERE username= or 1=1 This query will look in the database for a row where either username is blank or the condition 1=1 is met. Since the latter always evaluates to true, the query will return all rows of the Users table and the user is authenticated. The attacker has been successful in logging into the application without a username and password.
Almost all platforms are vulnerable to SQL Injection. Inadequate checking of user input and the use of dynamic SQL queries are what make an application vulnerable to these attacks. The syntax of the input entered for SQL Injection will depend on the database being used. During our application security audits we have found many applications using other databases to be vulnerable. The above example would work on SQL Server, Oracle and MySQL. This shows that the problem is with the inadequate checking of user input and the use of dynamic SQL and not the underlying database.
Any input field that makes up the where clause of a database query is a candidate for SQL Injection, eg. account numbers, and credit card numbers in the case of an online banking application. In addition to form fields, an attacker can use hidden fields and query strings also for injecting commands.
Apart from input fields, URL parameters are also vulnerable to SQL Injection as well as other input based attacks.
It is quite simple to prevent SQL injection while developing the application. You need to check all input coming from the client before building a SQL query. The best method is to remove all unwanted input and accept only expected input. While server side input validation is the most effective method of preventing SQL Injection, the other method of prevention is not using dynamic SQL queries. This can be achieved by using stored procedures or bind variables in databases that support these features. For applications written in Java, CallableStatements and PreparedStatements can be used. For ASP applications, ADO Command Objects can be used.
Maybe, but probably no. Using stored procedures can prevent SQL Injection because the user input is no longer used to build the query dynamically. Since a stored procedure is a group of precompiled SQL statements and the procedure accepts input as parameters, a dynamic query is avoided. Although input is put into the precompiled query as is, since the query itself is in a different format, it does not have the effect of changing the query as expected. By using stored procedures we are letting the database handle the execution of the query instead of asking it to execute a query we have built. The exception to this is where the stored procedure takes a string as input and uses this string to build the query without validating it. While this is more difficult to exploit, this scenario still often leads to successful SQL Injection.
Yes, they are if the user input is not checked properly, and if they build SQL queries dynamically. But Java servlets also have certain features that prevent SQL Injection like CallableStatements and PreparedStatements. Like stored procedures and bind variables, they avoid the need of dynamic SQL statements.
Sometimes yes, sometimes no. Whether a scanner can discover SQL injection or not depends on a variety of factors: the discovery technique used, the response from the application when a malformed SQL snippet is added, and some luck. Specifically, scanners that use Blind SQL Injection are most likely to detect SQL Injection. Scanners that claim hundreds of test cases for SQL Injection are misleading.
There are chances that the information is modified before it reaches the server. Attackers browsing the site can manipulate the information in a GET or POST request. There are a number of HTTP/HTTPS proxy tools like Achilles, Paros, WebScarab, etc which are capable of intercepting all this information and allow the attacker running the tool to modify it. Also, the information that the user sees or provides on a web page has to travel through the internet before it reaches the server. Although the client and the server may be trusted, we cannot be sure that the information is not modified after it leaves the browser. Attackers can capture the information on the way and manipulate it.
Manipulating the variables in the URL is simple. But attackers can also manipulate almost all information going from the client to the server like form fields, hidden fields, content-length, session-id and http methods.
For manipulating any information, including form fields, hidden variables and cookies, attackers use tools known as HTTP/HTTPS proxy tools. Once the browser's proxy settings are configured to go through the HTTP/HTTPS proxy, the tool can see all information flowing between the client and the server; it even allows the attacker to modify any part of the request before sending it.
Although SSL provides a lot of security, SSL alone is not enough to prevent variable manipulation attacks. SSL was supposed to prevent against Man in the Middle attacks but it is vulnerable to it. To successfully carry out the MITM attack, first the attacker has to divert the victim's requests to his machine i.e. redirecting the packets meant for the server to himself. He can do this by ARP poisoning / DNS Cache poisoning. Once he is able to redirect, he can see all the requests the victim is trying to make. Now when the victim tries to establish an SSL connection with a legitimate server, he gets connected to the attacker. The attacker, during the SSL Handshaking, provides a fake certificate to the victim, which the victim accepts even though the browser warns him. Thus, the victim establishes an SSL connection with the attacker instead of the server. The attacker establishes a different SSL connection with that legitimate server, which the victim was trying to connect. Now all data flow between the victim and the server will be routed through the attacker and the attacker can see all data the victim (as well as the server) sends. This is because the victim will encrypt all data with the attacker's public key, which the attacker can decrypt with his private key. The attacker can then manipulate all data that is passing through his machine.
The main threat these proxy tools pose is editing the information sent from the client to the server. One way to prevent it is to sign the message sent from the client with a Java Applet downloaded onto the client machine. Since the applet we developed will be the one validating the certificate and not the browser, a proxy tool will not be able to get in between the client and the server with a fake certificate. The applet will reject the fake certificate. The public key of this certificate can then be used to digitally sign each message sent between the client and the server. An attacker would then have to replace the embedded certificate in the applet with a fake certificate to succeed - that raises the barrier for the attacker.
The browser has a capability to temporarily store some of the pages browsed. These cached files are stored in a folder, like the Temporary Internet Files folder in the case of Internet Explorer. When we ask for these pages again, the browser displays them from its cache. This is much faster than downloading the page from the server. Let's consider the particular scenario where a user has logged in to an application with username and password. The user browses the different pages which contain sensitive information. Let's suppose a page with the user's credit card information gets cached in the browser and the user logs out of the application. Now suppose the attackers access the same machine and searches through the Temporary Internet Files, they will get the credit card details. The attackers do not need to know the username and password of the user to steal the information.
The response header sent from the server has some cache control directives that can be set from your code. These directives control the caching of content on any cache. The directives to be set are Cache-Control : no-cache, no-store and Expires: 0. But since legacy HTTP 1.0 servers do not support the Cache-Control headers, universally, Pragma: no-cache header should be used, too.
The no-cache directive in a response indicates that the response must not be used to serve a subsequent request i.e. the cache must not display a response that has this directive set in the header but must let the server serve the request. The no-cache directive can include some field names; in which case the response can be shown from the cache except for the field names specified which should be served from the server. The no-store directive applies to the entire message and indicates that the cache must not store any part of the response or any request that asked for it.
No. But generally, use both Cache-Control: no-cache, no-store and Pragma: no-cache, in addition to Expires: 0 (or a sufficiently backdated GMT date such as the UNIX epoch). Non-html content types like pdf, word documents, excel spreadsheets, etc often get cached even when the above cache control directives are set (although this varies by version and additional use of must-revalidate, pre-check=0, post-check=0, max-age=0, and s-maxage=0 in practice can sometimes result at least in file deletion upon browser closure in some cases due to browser quirks and HTTP implementations). Also, 'Autocomplete' feature allows a browser to cache whatever the user types in an input field of a form. To check this, the form tag or the individual input tags should include 'Autocomplete="Off" ' attribute. However, it should be noted that this attribute is non-standard (although it is supported by the major browsers) so it will break XHTML validation.
The attackers can steal the session ID of a valid user using XSS. The session ID is very valuable because it is the secret token that the user presents after login as proof of identity until logout. If the session ID is stored in a cookie, the attackers can write a script which will run on the user's browser, query the value in the cookie and send it to the attackers. The attackers can then use the valid session ID to browse the site without logging in. The script could also collect other information from the page, including the entire contents of the page.
Yes, there are other methods. Let's take the example of a bulletin board application that has a page where data entered by one user can be viewed by other users. The attackers enter a script into this page. When a valid user tries to view the page, the script gets executed on the user's browser. It will send the user's information to the attackers.
XSS can be prevented while coding the application. You should be validating all input and output to and from the application and escape all special characters that may be used in a script. If the code replaces the special characters by the following before displaying the output, XSS can be prevented to some extent.
|Special Character||Escape Sequence|
There is a method that requires minimal coding as compared to performing input, output validation to prevent the stealing of cookies by XSS. Internet Explorer 6 has an attribute called HTTP Only that can be set for cookies. Using this attribute makes sure that the cookie can not be accessed by any scripts.
Identifying the application running on a remote web server is known as fingerprinting the server. The simplest way to do this is to send a request to the server and see the banner sent in the response. Banners will generally have the server name and the version number in it. We can address this problem by either configuring the server not to display the banner at all or by changing it to make the server look like something else.
There are a number of tools that help in faking the banners. URLScan is a tool that can change the banner of an IIS web server. mod_security has a feature for changing the identity of the Apache web server. Servermask for faking banners of IIS.
Yes. Unfortunately there are tools that fingerprint the web server without relying on the banners. Different web servers may implement features not specified in HTTP RFCs differently. Suppose we make a database of these special requests and the responses of each web server. We can now send these requests to the web server we want to fingerprint and compare the responses with the database. This is the technique used by tools like Fire & Water.
A web server generally needs to be accessed by a lot of people on the internet. Since it normally runs on port 80 and all browsers are configured to access port 80 of the web server, users are able to browse the site. If we change the port, the users will have to specify the port in addition to the domain name. But this is a good idea for an intranet application where all users know where to connect. It is more secure since the web server will not be targeted by automated attacks like worms that scan port 80 and other standard ports.
Yes you should take precaution against fingerprinting as correctly identiying the web server maybe the first step in a more dangerous attack. Once attackers have found out that the web server is say IIS 5, they will search for known vulnerabilities for IIS 5. If the web server is not patched for all known vulnerabilities or the attackers find one for which a patch has not been released yet, there is nothing to stop them from attacking it. Also automated tools and worms can be fooled by changing the version information. Some determined and focused attackers might go to additional lengths to identify the server but the hurdles that the attackers have to overcome have increased when it's more difficult to fingerprint the web server name and version.
Yes, there are several tools that allow proxy chaining. Some of these are: WebScarab, Exodus, Odysseus.
There are tools that scan applications for security flaws. But these tools can only look for a limited number of vulnerabilities, and do not find all the problems in the application. Moreover, a lot of attacks require understanding of the business context of the application to decide on the variables to manipulate in a particular request, which a tool is incapable of doing.
Some tools for automated scanning are: SpikeProxy, WebInspect
Rough Auditing Tool for Security (RATS) is a tool that scans the source code for security flaws in C, C++, Python, Perl and PHP programs. FX Cop is to check for the .NET Frame work guidelines which include security. Prexis is a commercial source code and run-time analyzer. Flawfinder is a static source code analyzer. Compaq ESC is a run-time analyzer for Java. Parasoft AEP is a commercial source code analyzer for Java. Fortify SCA from Fortify Software is another source code analyzer that supports mixed language analysis of C, C++, C#, ASP.NET, Java, JSP, PL/SQL, VB.NET, XML, etc. Secure Coding plugins are also available. Similar source code analyzers are Klocwork K7 for C, C++ and Java; Coverity Prevent for detecting security violations and defects in code; Ounce Solutions for C, C++, C#, ASP.NET, Java and JSP.
Yes, Interactive TCP Replay is a tool that acts as a proxy for non-HTTP applications and also allows modifying the traffic. It allows editing of the messages in a hex editor. ITR also logs all the messages passing between the client and the server. It can use different types of character encoding like ASCII or EBCDIC for editing and logging.
Secure Socket Layer (SSL) gives us assurance of two things. Firstly when a client connects to a web server, the client can be sure that it is talking to the right server by checking the certificate the server sends it. Secondly, SSL assures you of the confidentiality of the data, as the client and the server exchange encrypted messages that cannot be understood by anybody else. This is how SSL works: When the client requests for a SSL page, the server sends a certificate that it has obtained from a trusted certificate authority. This certificate contains the public key of the server. After satisfying itself that the certificate is correct and the server is a genuine one, the client generates one random number, the session key. This key is encrypted by the public key of the server and sent across. The server decrypts the message with its private key. Now both sides have a session key known only to the two of them. All communication to and fro is encrypted and decrypted with the session key.
There are 2 strengths in SSL - 40-bit and 128-bit. These refer to the length of the secret key used for encrypting the session. This key is generated for every SSL session and is used to encrypt the rest of the session. The longer the key the more difficult it is to break the encrypted data. So, 128-bit encryption is much more secure than 40-bit. Most browsers today support 128-bit encryption. There are a few countries which have browsers with only 40-bit support. In case you are using 40-bit SSL, you may need to take further precautions to protect sensitive data. Salted hash for transmitting passwords is a good technique. This ensures that the password can not be stolen even if the SSL key is broken.
40-bit SSL is not really unsafe. It's just that it is computationally feasible to break the key used in 40-bit but not the key used in 128-bit. Even though 40-bit can be broken, it takes a fairly large number of computers to break it. Nobody would even attempt to do that for a credit card number or the like. But there are claims of breaking the 40-bit RC4 key in a few hours. So depending on the data your application deals with, you can decide on the SSL strength. Using 128-bit is definitely safer.
With home computers gtting faster day by day, a dedicated, expensive and very fast computer can break 40-bit encryption in few minutes (ideally testing a million keys per second). On the other hand, 128-bit encryotion will have about 339,000,000,000,000,000,000,000,000,000,000,000 (Couple of Trillions or 2^128) possible key combinations and it will take around 1000 Years to break 128-bit encryptions with the help of a cluster of very fast computers.
After the initial SSL negotiation is done and the connection is on HTTPS, everything is encrypted including the page request. So any data sent in the query string will also be encrypted.
SSL supports a number of cryptographic algorithms. During the initial "handshaking" phase, it uses the RSA public key algorithm. For encrypting the data with the session key the following algorithms are used - RC2, RC4, IDEA, DES, triple-DES and MD5 message digest algorithm.
There are several Certificate Authorities that you can buy a SSL certificate from. Whichever CA you choose, the basic procedure will be as follows -
The first two steps are done from the web server. All servers have these features. While installing the certificate issued by the CA, you will have to specify which web pages are to be on SSL.
Persistent cookies are data that a web site places on the user's hard drive (or equivalent) for maintaining information over more than one browser session. This data will stay in the user's system and can be accessed by the site the next time the user browses the site. Non-persistent cookies on the other hand are those that are used only in the browser session that creates it. They stay only in the memory of the machine and are not persisted on the hard disk. The security risk with persistent cookies is that they are generally stored in a text file on the client and an attacker with access to the victim's machine can steal this information.
No, it is not possible for a website to access another site's cookies. Cookies have a domain attribute associated with them. Only a request coming from the domain specified in the attribute can access the cookie. This attribute can have only one value.
Transmitting session IDs in the URL can lead to several risks. Shoulder surfers can see the session ID; if the URL gets cached on the client system, the session ID will also be stored; the session ID will get stored in the referrer logs of other sites. Hidden variables are not always practical as every request might not be a POST. Cookies are the safest method as cookies do not get cached, are not visible in the W3C or referrer logs, and most users anyway accept cookies.
A cookie can be marked as "secure" which ensures the cookie is used only over SSL sessions. If "secure" is not specified, the cookie will be sent unencrypted over non-SSL channels. Sensitive cookies like session tokens should be marked as secure if all pages in the web site requiring session tokens are SSL-enabled. One thing to keep in mind here is that images are generally not downloaded over SSL and they usually don't require a session token to be presented. By setting the session cookie to be secure, we ensure that the browser does not send the cookie while downloading the image over the non-SSL connection.
An attacker can hijack another user's session by stealing the session token. Methods have been suggested to prevent the session from being hijacked even if the session token is stolen. For instance, using a session token that is a function of the user's IP address. In this approach, even if the attacker stole the token, he would need the same IP address as the user to successfully hijack a session. However, session hijacking can still be possible. Suppose the attacker is on the same LAN as the user and uses the same Proxy IP as the user to access the web site. The attacker can still steal the session if he is able to sniff the session token. It may also be not possible to implement this if the IP of the client changes during a session, making the session invalid if the token is tied to the initial IP address. This may happen if the client is coming from behind a bank of proxy servers.
Encrypting just the session ID over a non-SSL connection will not serve any purpose. Since the session ID will be encrypted once and the same value will be sent back and forth each time, an attacker can use the encrypted value to hijack the session.
A Session ID or token has the lifetime of a session and is tied to the logged in user. A page ID or token has a lifetime of a page and is tied to a page that is served. It is a unique token given when a page is downloaded and is presented by the user when accessing the next page. The server expects a particular value for the user to access the next page. Only if the token submitted matches what the server is expecting is the next page served. An application can use this to ensure that a user accesses pages only in the sequence determined by the application. The user cannot paste a deep URL in the browser and skip pages just because he has a session token, as the page token would not be authorized to access the deeper URL directly.
W3C is a logging format used for Web server log files. W3C logs record access details of each request: the timestamp, source IP, page requested, the method used, http protocol version, browser type, the referrer page, the response code etc. Note that these are access logs, and so a separate record is maintained for each request. When a page with multiple gif files is downloaded, it would be recorded as multiple entries in the W3C log; so, W3C logs tend to be voluminous.
Yes, it's important that your application maintains "application level" logs even when W3C logging is used. As W3C logs contain records for every http request, it is difficult (and, at times impossible) to extract a higher level meaning from these logs. For instance, the W3C logs are cumbersome to identify a specific session of user and the activities that the user performed. It's better that the application keeps a trail of important activities, rather than decode it from W3C logs.
Keep an audit trail of activity that you might want to review while troubleshooting or conducting forensic analysis. Please note that it is inadvisable to keep sensitive business information itself in these logs, as administrators have access to these logs for troubleshooting. Activities commonly kept track of are:
The data that is logged for each of these activities usually include:
Encryption is required when information has to be protected from being read by unauthorized users. Yes, encryption does take a performance hit, so if your logs do not contain sensitive information you might want to forego encryption. However, we strongly urge that you protect your logs from being tampered by using digital signatures. Digital signatures are less processor intensive than encryption and ensure that your logs are not tampered.
A bad guy who wants to hide his actual IP address might use a service like anonymizer, or use open HTTP relays. [HTTP open relays are improperly configured web servers on the web that are used as a HTTP proxy to connect to other sites.] In such cases, the IP address you see in your log files will be those of these services or the open relay that is being used. So, the IP address you see in your log files might not always be trustworthy.
CERT-IN is an acronym for "Indian Computer Emergency Response Team". CERT-INis the National Incident Response centre for major security incidents in its constituency i.e. Indian Cyber Community.
All users,systems administrators of indian cyber community
Users and System Administrators can report computer security incidents and vulnerabilities to CERT-IN.
You can report an incident to CERT-IN by filling up the form on our website,electronic mail,telephone hotline or by fax.
A vulnerability can be reported to CERT-IN by filling up the Vulnerability Reporting Form provided on the site. The information about a particular vulnerability can also be sent to CERT-IN by Fax or email: firstname.lastname@example.org
A computer security incident is any real or suspected adverse event in relation to the security of computer systems or networks. It is an act of violating explicit or implied security policy resulting in, unauthorised access, denial of service/disruption, unauthorised use of a system for processing or storage of data or changes to system software,hardware, firmware characteristics without the owner knowledge.
A vulnerability is the existence of a flaw or weakness in hardware or software that can beexploited resulting in a violating of an implicitly or explicit security policy.
CERT-In has prepared best practices and system specific security guidelines to help theIndian cyber community enhance security of their systems and networks.
An incident note is the information provided to its constituents by CERT-In in response to wide spread exploitation of a specific vulnerability, which is based on statistical analysis ofincidents reported to CERT-In and our observations thereof.
An advisory is the information provided by CERT-In in response to a critical vulnerability,affecting or potential to affect a large number of systems or networks in its constituency.
CERT-In will provide assistance to System Administrators in handling computer security incidents by providing advice and support in recovering from an incident, and containing the damage, restoring system to operation.
We will keep any information specific to your site confidential unless you give us permission to release that information. We distribute only composite, sanitized information.The CERT-In policy is to not release any information about a site involvement in an incident, without the sites explicit permission to do so.While this policy ensures that youcan report intruder activity to us in confidence, it also hinders our ability to put you in contact with other sites involved in the same or similar incident.
Make sure that all usage of Pen Drives/ External Hard Disks on the infected computer should be immediately deactivated. Remove the sharing of infected computer.
Do not, under any circumstances, use the computer to make online transactions or purchases or to access sites containing confidential information about you as long as the virus has not been removed.
Important: It is possible that your antivirus software may not detect the virus on your computer as new vriuses come up daily. Try updating your antivirus software with the latest patch. Do not share any crucial information with anybody nor respond to any mail asking for your financial details.
In order for your computer to be infected by a virus, you must have downloaded the file which contains it.
Probably, your computer might be running an outdated version of Antivirus, or malware signature database might be outdated. Hence, it is advised to check for the latest update for the installed antivirus solution and then scan the infected computer for any possible sign of infections.
Worms travel without any help from users and lodge themselves in your computer’s random access memory (RAM). Worms replicate and spread from computer to computer in the same network or to computers via e-mail. Worms usually send out copies of itself to all the addresses in the infected computer’s e-mail address book.
To keep your computer from being infected by a worm:
Install an antivirus program and a firewall that are automatically updated.
To avoid system compromises, it is advised to make use of licensed and genuine software, keep your system updated with latest security patches, install and maintain updated antimalware solutions, disable Autoplay /Autorun for removable drives etc.
The people who create adware do so in order to make money. Plain and simple. While legitimate software applications do use online advertising, the ads are typically bundled within the program and designed and displayed in ways that the developer specified.
Adware can be good or can be bad. Good adware only installs itself on your system if you give it permission to do so. Bad adware installs itself without your permission.
First, practice safe browsing habits. Avoid torrent sites, illegal downloads, and pay close attention to any software that you download. In addition, beware of opening applications from unknown—or even known—sources. Use Anti-adware or anti-malware program for your PC.
Spyware often arrives via an automatic download from a website you are surfing. If you download freeware or shareware software, spyware can be embedded in the installation process. Spyware can also download on to your computer through email attachments.
Typical symptoms of spyware include a slower computer than normal. If your computer suddenly starts to run really slow, when it never used to, then it may be infected with spyware. Spyware often hogs system resources including the memory and hard disk space, so your computer slows down. Another symptom is if you get popups on sites where you didn't get them before. To find out, do a Google search. If you get a pop up then you probably have adware or spyware because Google does not have popups. Another symptom is when your web browser's homepage is hijacked when you go online. If your browser is suddenly redirected to a strange website, it's most likely spyware.
Spyware can compromise your privacy and provide others with information about you and your computer habits without your knowledge. Few spyware capture your keystrokes and send it to a third party. This could expose your user IDs and passwords to thieves. Other spyware include trojans which allow someone to log into your computer remotely and use it to send spam or launch malicious attacks on other computers on the Internet, making it look like you are at fault.
If a spyware program is very obvious, for example; if it adds itself to your menu bar and be found listed in your Add/Remove Programs list in the Windows Control Panel. Click START, then Control Panel, then Add/Remove Programs and look for a program that you don't recognize. Sometimes it is obvious....such as "XXX dialer." Simply use the Add/Remove Programs feature to remove it.
Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.
Your computer has been infected with a virus. Click here to resolve the issue.”
Your computer was used to visit websites with illegal content. To unlock your computer, you must pay money.
All files on your computer have been encrypted. You must pay this ransom within 72 hours to regain access to your data. and this instill fear and panic into their victims
Employ a data backup and recovery plan for all critical information.
Keep your operating system and software up-to-date with the latest patches. Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.Avoid enabling macros from email attachments. Do not follow unsolicited Web links in emails.
A bot (short for "robot") is an automated program that runs over the Internet. Some bots run automatically, while others only execute commands when they receive specific input. There are many different types of bots, but some common examples include web crawlers, chat room bots, and malicious bots.
If the user witness any unusual behavior such as an unknown communication sent by the system, unidentified data consumption, self-installed application/software, etc. the computer / device should be scanned immediately with AntiVirus Scanners or Rescue disks provided freely or commercially by different antivirus vendors to detect malware/botnet infections.
Rootkits generally means that allow someone to obtain root/admin-level access to the computer by executing the programs in the kit — all of which is done without end-user consent or knowledge
The best way to determine if a PC is infected with a rootkit is to run a rootkit scanner.In fact, all major antimalware vendors, from Avast (or the equally capable and free Malwarebytes) to Symantec (Norton Power Eraser) to Kaspersky offer rootkit scanning facilities to subscribers or users. There are also many third-party rootkit scanners available, some free, some not.
Our personal choice is GMER, a freeware application from well-known antimalware company Avast. It is a relatively lightweight and robust rootkit detection tool. At just 372KB in size, it does not require system restart or an alternative, trusted OS boot to run.
Trojan horses at first glance appear to be legitimate programs but do annoying or malicious damage to your computer. To be infected with a Trojan horse, the program must have been installed by the user. Beware of files that have two extensions, (e.g., photo-album.jpg.exe), which lead you to believe it includes photos but is actually an executable program (.exe).
Phishing is a common type of scam used to elicit confidential, lucrative, and/or sensitive information. Most often, phishing comes in the form of emails appearing to be sent from a trustworthy company or person but containing malicious links, requests for information, or harmful attachments. Some links in phishing emails contain malware which, if clicked, will install malware onto your device that can monitor your computer’s keyboard. These recordings capture information such as passwords or credit card numbers and then relay that data to identity thieves.
If you receive a request in which you are asked for confidential information, do not reply or click links or attachments.Never provide confidential information or documents through email. Always call or provide this type of information in person, when possible.If in doubt about an email, call the company/individual directly to verify. Be sure to call the phone number listed publicly online (if applicable). Do not use any phone numbers listed in messages sent to you.
SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data. An SQL query is a request for some action to be performed on a database.
Trust no-one: Assume all user-submitted data is evil and validate and sanitize everything. Don't use dynamic SQL when it can be avoided: used prepared statements, parameterized queries or stored procedures instead whenever possible.Consider a web application firewall (WAF) – either software or appliance based – to help filter out malicious data. Use appropriate privilleges and keeps your secrets secret.
IP spoofing is the crafting of Internet Protocol (IP) packets with a source IP address that has been modified to impersonate another computer system, or to hide the identity of the sender, or both. In IP spoofing, the header field for the source IP address contains an address that is different from the actual source IP address.
IP spoofing is a technique often used by hackers to launch distributed denial-of-service (DDoS) attacks and man-in-the-middle (MITM) attacks against targeted devices or the surrounding infrastructures. The goal of the DDoS attack is to overwhelm a target with traffic while hiding the identity of the malicious source, preventing mitigation efforts.
In IP spoofing, the attacker modifies the source address in the outgoing packet header, so that the destination computer treats the packet as if it is coming from a trusted source, e.g., a computer on an enterprise network, and the destination computer will accept it. As the IP spoofing activity is carried out at the network level, there aren't any external signs of tampering.IP spoofing is commonly used in DDoS attacks, when hackers use spoofed IP addresses to overwhelm computer servers with volumes of packets large enough to cause them to become unusable by legitimate users. Often, spoofed IP packets are sent by botnets that are dispersed geographically. Large botnets may contain tens of thousands of computers, each of which can spoof multiple source IP addresses at the same time. Consequently, this automated attack is hard to trace.
Organizations can take measures to stop spoofed packets from infiltrating their networks, including:• Monitoring networks for atypical activity.• Deploying packet filtering systems capable of detecting inconsistencies, such as outgoing packets with source IP addresses that don't match those on the company's network.• Using robust verification methods for all remote access, including for systems on the enterprise intranet to prevent accepting spoofed packets from an attacker who has already breached another system on the enterprise network.• Authenticating IP addresses of inbound IP packets.• Using a network attack blocker.Firewalls are an important tool for blocking IP packets with spoofed addresses, and all enterprise routers should be configured with an eye to rejecting packets with spoofed addresses.
ISMO is an acronym for 'Information Security Management Office'. ISMO is positioned as an independent agency under the State eGovernance Society, progressively capable of supporting all Departments and Agencies of the Government
ISMO has initiated its two programs called Continuous Vulnerabilities Management (CVM) and Continuous Security Monitoring (CSM) in line with the preventive, detective and reactive approach. ISMO has started its operations by identifying and implementing Open Source tools and processes helping in threat identification, prompt detection of an incident and respond to the incident to prevent an attack.
ISMO, Haryana has been established as a part of the Society for IT Initiative Fund for e-Governance, with a duty to give periodic reports and recommendations to the State IT PRISM – while reporting to the Principal Secretary, IT for all day-to-day matters and guidance.
Users and System Administrators can report computer security incidents and vulnerability to ISMO.
You can report an incident to ISMO by electronic mail or telephone hotline.
A computer security incident is any real or suspected adverse event in relation to the security of computer systems or networks. It is an act of violating explicit or implied security policy resulting in, unauthorised access, denial of service/disruption, unauthorised use of a system for processing or storage of data or changes to system software,hardware, firmware characteristics without the owner knowledge
ISMO will provide assistance to System Administrators in handling computer security incidents by providing advice and support in recovering from an incident, and containing the damage, restoring system to operation
Section 43 of the Act identifies ten different circumstances of causing damage to computer, computer system or computer network. It primarily takes into account all such contraventions resulting from unauthorized access to computer, computer system, computer network or computer resources. These are being referred under section 43(a) to section 43(j) in the following manner:
Any person who commits any of the contraventions as referred in section 43(a)-section 43(j) is liable to pay compensation upto five crore rupees to the person so affected.
If unwanted software has been found on your device, you may be asked to choose what to do next. When this happens you will see a message in the bottom corner of your screen, where you can choose to select Clean computer or Show details.
If you choose Clean computer, the file is removed.
The Show details button lets you choose to either remove, quarantine, or allow the file.
Every threat is given an alert level to help you decide what to do.
This depends on how much you know about the file that has been detected.
If you allow a file you won’t get any more alerts about it. Only allow a file if you trust the software and the software publisher.
A threat’s alert level can help you decide what to do.
Most files detected by Microsoft security software are quarantined. This means the file is moved and stopped from running or doing anything to your PC.
A quarantined file does not pose any risk to your PC. You can leave a file in quarantine for as long as you like.
Test basic connectivity with ping, Check with nmap if the ports are open (20 and 21). Check if a firewall is restricting traffic to the server.
Ping the DNS server and check the response. Check with wireshark if DNS request and response packets are being sent and received.
Check the connectivity with the default gateway. Check if the DNS server is configured on the PC. Check if the appropriate port number is active using nmap on the DNS server.
Check the IP connectivity with the DHCP server from a system configured on the network. Test if the DHCP client and server service is started on the DHCP server and the client. Test if the DHCP server service is reachable using nmap.
Check the IP connectivity using ping. Check if port 23 is open on the router using nmap.
The DNS server can be a public server or the gateway address. If it is the gateway address, the DNS server address should be configured on the gateway. The DNS server should also be configured on the users TCP/IP adapter.
The theoretical length is 100 meters but after 80 meters you may see drop in speed due to loss of signal.
IPCONFIG command is used to display the IP information assigned to a computer.
From the output we can find out the IP address, DNS IP address, gateway IP address assigned to that computer.
When DHCP server is not available the Windows client computer assignes an automatic IP address to itself so that it can communicate with the network computers. This ip address is called APIPA. ITs in the range of 169.254.0.0 to 169.254.255.255
Alert levels help you choose what to do when unwanted software is found on your PC.
Alert levels help you understand how dangerous a threat could be and decide what to do next.
You can choose to exclude files from scanning if you know they are completely safe. You should only do this for files you know are absolutely clean—if you are getting repeated warnings about a threat, first you should update your security software, and then check for any other important information about it in the malware encyclopedia.
Be careful—any files that you exclude will not be scanned, which could leave you open to infection. Only exclude files if you are absolutely sure they are not infected.
Partially removed means we were able to clean some of the malware files that were found on your PC.
We'll do our best to clean your PC as much as we can, but with some difficult malware you might need to take some additional steps:
Next, restart your PC and then manually install the latest updates.
Always install and enable anti-virus software or malicious code detection and repair tools. You can also consider similar products that work against spyware and adware. You should enable and configure the live update feature of your virus signature and malicious code definition files, if available, setting the frequency to update daily. If automatic update is not possible, manual updates should be conducted at least once a week.
If you suspect your computer is infected, you should stop using it, because that may spread the computer virus or malicious code further. If it is your office computer or mobile device, you should report the incident to the management and LAN/System Administrator immediately.
While you can use anti-virus software to clean malicious code, it may not be possible to fully recover infected files. You should replace any infected files with original copies from your backup systems. After recovery, a complete scan of your PC and other removable storage media is vital to ensure everything is now free of viruses or malicious code.
The MpCmdRun function of WD provides the ability to gather the following information/logs and packages them together in a compressed file in the support directory. This information includes:
To run this tool, go to the StartScreen, right-click and select All Apps. Under the Windows System group, right-click on Command Prompt, and select Run as Administrator. Click YES at the UAC prompt.
Then, from the Command Prompt window, enter the following commands:
At this point, logs will be collected and placed in a cab file. This process can take several minutes. When the process is complete, you will find the collected information here:
C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab Now, close the Command Prompt window. Then, using Windows Explorer, navigate to the above folder and extract the logs from the cab file to a location of your choice. Then, usingNotepad, browse, examine, and peruse the logs and information.
Also, review the system event log for more information regarding WD events and the following event codes. These events are found in Event Viewer (Local), Applications and Services, Microsoft, Windows, Windows Defender, Operational:
Always install and enable anti-virus software or malicious code detection and repair tools. You can also consider similar products that work against spyware and adware. You should enable and configure the live update feature of your virus signature and malicious code definition files, if available, setting the frequency to update daily. If automatic update is not possible, manual updates should be conducted at least once a week.
You may also want to explore the use of a third-party backup solution, or storing your data on some other cloud solution.
You can use press Ctrl+Shift+Esc to bring up Task Manager and use STARTUP tab to disable those programs you do not need.
Examine the necessity of the number of startup programs you have. To examine your startup programs, use the Task Manager. To do this, press Ctrl+Shift+Esc to bring up Task Manager and use STARTUP tab to disable those programs you do not need. Which startup programs should you keep, and which should you disable?
If you clicked on it, or even if you simply closed the pop-up, you are likely infected and need to go into virus removal mode.
If you have not touched anything on the screen since the pop-up, you may be able to avoid being infected. The following assumes you are using Internet Explorer and WD. If not, adapt this procedure for the browser and anti-malware product you are using. Whenever you encounter one of these pop-ups while browsing, immediately do either of the following:
LAN/System administrators should install anti-virus software or malicious code detection and repair software on all servers and workstations, and configure the updating of virus signatures and malicious code definitions to be automatic, preferably on a daily basis. If automatic updating is not possible, manual updates should be conducted at least once a week. The following should also be considered:
In addition, administrators should keep abreast of the latest security advisories by, for example, subscribing to online security notifications and advisories. They should quickly disseminate critical and major computer virus alerts to all end-users, educate users about the impact of massive malicious code attacks, and ensure users follow best practices to protect their workstations against computer viruses and malicious code.