REDBACK COUNCIL - RISC

Android Phones Now Harder To Hack Than iPhones | RISC

2020-03-02T12:13:00.001+05:30

While governments and law enforcement agencies continue to push device makers to create backdoors, there is always a workaround that lets them crack open devices on there own in the name of investigation.

In this regard, companies like Cellebrite and Greyshift have turned out to be very helpful, as they provide solutions to break into almost any device.

Back in 2016, we saw a major controversy involving Apple and the FBI when Apple refused to unlock the iPhone of the shooter involved in the San Bernardino case.

It’s a different story that recently Apple faced criticism for not encrypting iPhone backup data on iCloud, thereby leaving scope for government access.

iPhone more hackable than Android

Anyway, when it comes to cracking smartphones, iPhones are assumed to be superior to Android in terms of privacy and security.

However, the story has taken a u-turn, and Android phones have become harder to crack than iPhones. That’s according to a forensic detective Rex Kiser who works with the Fort Worth Police Department.

“Right now, we’re getting into iPhones. A year ago we couldn’t get into iPhones, but we could get into all the Androids. Now we can’t get into a lot of the Androids,” Kiser told Vice.

Kiser suggests that it has now become tougher to extract data from newer operating systems. Probably, they are “trying to make it harder for law enforcement to get data from these phones, under the guise of consumer privacy.”

During a test conducted by NIST, Cellebrite’s UFED InFeild Kiosk tool couldn’t efficiently harvest browsing activity, GPS data, or app data from social media apps like Facebook, Instagram, Twitter, etc., when trying to get inside Google Pixel 2 and Galaxy S9.

Surprisingly, the tool returned empty-handed in the case of Huawei P20 Pro. As per the test report, the tool (version v7.5.0.875) supports over 15,000 types of devices on paper, including Android, iOS, and feature phones.

On the other hand, the UFED tool could suck in a lot more when tested on iPhone X.

Overall, it’s evident that OEM encryption backdoors could be helpful, but law enforcement agencies aren’t relying on them entirely. Instead, they’re trying to create backdoors on their own by reverse engineering.

So, technically, it’s possible to get inside a smartphone as new as iPhone 11 Pro Max; it will just take time, patience, and resources.

However, one thing to note here is that breaking a smartphone’s encryption isn’t the end of the road, according to former FBI agent Bob Osgood.

Beyond that, forensic detectives need to decipher millions of lines code inside apps containing complex data structures that constantly change with software updates. That’s where companies like Greyshift, Cellebrite, and MSAB jump into the game with their magic wands.

Why 2020 is a turning point for Cyber Security | Redback Cyber Security Council - RISC

2020-02-29T13:20:00.001+05:30

The world is more connected than ever. We are becoming more technologically advanced, markets are stronger, and central technologies that encompass our daily actions are constantly emerging.

These technological advances are based on seamless connectivity. As our digital transformation continues, we continue to build a more cohesive and connected society. Our data is now shared and used by more platforms than ever – in the datacentre, on the cloud and event on internet of things (IoT) devices, for example - and this trend will only increase. But this huge benefit comes with a cost. The more connected we become, the more vulnerable our data is.

By looking at security developments over the past couple of years, it is possible to forecast what is likely to happen in the cyber landscape over the next 12 months. Forewarned is forearmed. These are what I believe will be the main trends of cybersecurity in 2020:

1) The ‘cyber cold war’ intensifies

A new cyber 'cold war' is taking place online as Western and Eastern powers increasingly separate their technologies and intelligence. The ongoing trade feud between the US and China, and the decoupling of these two huge economies, is a clear sign. Cyberattacks will increasingly be used as proxy conflicts between smaller countries, funded and enabled by larger nations looking to consolidate and extend their respective spheres of influence.

2) The rise of artificial intelligence (AI)

The US elections in 2016 saw the beginning of AI-based propagation of fake news. Political campaigns devoted resources to creating special teams that orchestrated and spread false stories to undermine their opponents. As we prepare for major elections worldwide in 2020, we can expect to see these activities in full effect once again.

As AI continues to be used as a proxy for crime, it will also be used to accelerate security responses. Most security solutions are based on detection engines built on human-made logic, but keeping this up-to-date against the latest threats and across new technologies and devices is impossible to do manually. AI dramatically accelerates the identification of new threats and responses to them, helping to block attacks before they can spread widely. However, cybercriminals are also starting to take advantage of the same techniques to help them probe networks, find vulnerabilities and develop more evasive malware.

3) Our means of communication will become more weaponized

The notion that connectivity creates new combat landscapes is proven by the developing spheres of today’s and tomorrow’s cyberattacks. In the first half of 2019 we saw a 50% increase in mobile banking malware compared with last year, which means that our payment data, credentials and funds are handed over to cyberattackers in the innocent click of a button on our mobile devices. The attempts of cybercriminals to trick consumers to hand out their personal data through their most common means of communications will intensify and will range from email to SMS texting attacks, social media posts and gaming platforms. Whatever we use most frequently can become a more popular attack surface.

4) 5G development and adoption of IoT devices increase vulnerability

As 5G networks roll out, the use of connected IoT devices will accelerate dramatically, massively increasing networks’ vulnerability to large scale, multi-vector 5th generation cyberattacks. IoT devices and their connections to networks and clouds are still a weak link in security. This ever-growing volume of personal data will need securing against breaches and theft. We need a more holistic approach to IoT security, combining traditional and new controls to protect these ever-growing networks across all industry and business sectors.

5) Enterprises will rethink their cloud approach

Detection is no longer enough to ensure protection, and prevention is now the key to being secure.

Organizations already run a majority of their workloads in the cloud, but the level of understanding about security in the cloud remains low; in fact it is often an afterthought in cloud deployments. Security solutions need to evolve to new, flexible, cloud-based architectures that deliver scalable protection at speed.

Understanding what is coming towards us will help us to better prepare. Some paradigms will need to shift. The enormous spread of technologies and solutions will force all of us to think about how to consolidate. In 2020 more than ever, cyber-attacks are no longer a question of if, but of how and when. This is a concern that applies to us all.

Private WhatsApp Groups Exposed On Google Search, But It’s A Feature [Update]

2020-02-28T17:25:00.000+05:30

Don't share WhatsApp Group invite links on public platforms.

Update (24/02/2020, 7:00 PM IST): Initially, it seemed that WhatsApp didn’t give users even a single ray of hope after their private chats ended up on Google Search and on other search engines as well.

But according to an update posted by Jane Wong, the company was working quietly behind the curtain. Now, making a search for the said private chat invite links on Google brings nothing but an error message. Whatsapp has delisted the invitation links from Google by including the “noindex” meta tag.

The original post continues from here.

Google is indexing the invitations to the WhatsApp Group chats, including the links to join private groups as reported by Vice. As a result, the links are available for people all around the globe to join any discoverable group.

Multimedia journalist Jordan Wildon tweeted and raised a question over WhatsApp’s security. He said that WhatsApp’s ‘Invite to Group via Link’ feature permits Google to index groups, which then become available all over the internet for everyone to join.

Vice discovered several private groups with the help of specific search queries. The result page consisted of a lot of groups meant for porn sharing. Once anyone joins the group, they have permission to view all the participants and their phone numbers.

Popular reverse engineering enthusiast Jane Manchun Wong said in her tweet that a misconfiguration from WhatsApp is allowing Google to index group invite links. She suggested that there are ways to deindex the invite links from Search.

A WhatsApp spokesperson said that group admins can invite any user to join their group by sharing the invite link. Like all other content available on the open web, invite links posted on public platforms are also searchable. He concluded his statement by saying that admins should make sure that they share the group link with trusted people only.

Google’s Take

Google refused to comment on the scenario going on. However, Google official Danny Sullivan tweeted that search engines like Google index pages from the open web. The same thing happened in the case of invite links to WhatsApp groups.

He concluded by saying that WhatsApp as a website has allowed listing the invite links publically. Sullivan also added a link in his tweet, which redirected people to the Help Center to block content to be displayed from the Google search results.

So, it seems that things are designed this way, even if they pose a threat to users’ privacy. Users are advised not to share personal WhatsApp group links on public platforms until WhatsApp announces any under-the-hood changes.

10 Tips for Mitigating Cyber Risk in the Manufacturing Industry

2018-04-23T15:43:00.002+05:30

This is in terms of financing, labor, industry regulation and numerous other factors. However, the growing reliance on information technology including machine learning, robotics, the Internet of Things and big data, has made cybersecurity one of the industry’s biggest risk factors.

The motivation for cyberattacks on manufacturers are varied. They range from financial fraud to industrial espionage (an example of espionage would be the theft of detailed product or equipment plans to be fed to a pressure die casting machine).

The following tips can help manufacturers reduce the likelihood of a successful attack.

1. Start at the Top

Like any other company initiative, successful cybersecurity is dependent on management buy-in. If the people at the top of the organization do not set the right tone in word and deed, it becomes harder to motivate staff lower down the hierarchy to do the right thing.

Cybersecurity cannot be left to the CIO or the technology department alone. In fact, communication on cyber matters should occasionally come from the CEO’s office. That will get employees to see the seriousness of the issue and align their behavior accordingly.

2. Perform a Broad Risk Assessment

Conduct an exhaustive cyber risk assessment that covers the industrial control systems, ERP systems and any standalone systems. The assessment should be done at least once every six months in order to capture vulnerabilities that have been introduced by changes to the operating environment.

The risk assessment should not only cover traditional cyber risks like password management and firewall configuration but should delve into more manufacturing-related risks such as IP protection.

3. Circulate Cyber Risk Reports

A cyber risk assessment report is of no use if it all it does is gather dust on an office shelf. Instead, enterprise risk reports including remedial action roadmaps should be shared with the board and executive leadership.

There should be a high level discussion of the key sticking points with a view to demonstrating impact and identifying areas of priority in resource allocation. Decisions can then be made that take cognizance of the manufacturer’s risk posture and risk tolerance goals.

4. Built-in Security

All new manufacturing equipment, software and connected products must be evaluated for compliance and coherence with the company’s cyber risk program. Since the acquisition and deployment of major equipment and software will usually be done by a special project team, always confirm that there’s the requisite cyber security talent in this team.

This will ensure security considerations are a decisive factor in the acquisition from the get go.

5. Recognize Data as an Asset

The importance of cyber security can be harder to sell to the management of manufacturing companies than to leaders of service-oriented industries such as banking. Manufacturers are used to dealing with a tangible product built by tangible equipment and may thus not readily see data as a critical business asset.

Yet, treating data as an indispensable asset is at the heart of any successful enterprise-wide cyber security campaign. Making sure management and staff see the business value of data and why it needs to be protected will inform the adoption of best practice on where the data is stored, how it is accessed and who can access or modify it.

6. Assess Third-Party Risk

The success of a manufacturing operation is dependent on the reliable partners including suppliers and service providers. In order to do business seamlessly, such third parties will sometimes need access to enterprise systems or facilities. This introduces a potential loophole for a data leak.

Manufacturers must perform thorough background checks on the third parties they work with and clearly define the rules of engagement including outlining what is off limits. Third parties should be given physical access only to the areas of the facility that they need to do their work.

7. Vigilant Monitoring

Good organizational policies, procedures and action plans are only as good as their implementation. Create checklists, reporting procedures and escalation mechanisms that ensure existing and emerging cyber threats are caught before they spiral out of control.

Regular scheduled monitoring creates an avenue for identifying loopholes that had fallen through the cracks and amend policies and procedures to mitigate against these risks.

8. Recovery Planning

Some of the companies that have suffered massive cyberattacks were doing the right thing and checking all the right cyber risk boxes at the time. A robust cyber security plan is no guarantee that an attack will not occur or that systems will not fail.

A detailed recovery plan is required that includes what actions to take in the event that a cyberattack is suspected to have taken place. Manufacturers can increase their resiliency through war-gaming or table top simulations that envisage the worst case scenario.

9. Clarify Responsibilities

Many organization problems can be attributed to the absence of a specific person assuming full responsibility for a process. It should be clear who is tasked with each component of the cyber risk program including at department level.

Ideally, there should be a cybersecurity champion within each department who’ll ask all the important questions whenever a new project or product is planned.

10. Drive Awareness

Most cybersecurity breaches are less to do with technology failures and more to do with deliberate or accidental human actions. Employees must be regularly sensitized on what their individual responsibilities are in mitigating non-technical cyber risks such as social engineering, phishing and identity theft.

They should also be provided with a clear reporting path whenever they notice suspicious or unusual activity.

These tips can help manufacturers deeply embed cyber risk management, identify areas of improvement and chart a road map towards a more vigilant, secure and resilient work environment.

Are Your WhatsApp Encrypted Group Chats Exposed To Strangers?

2018-01-12T21:35:00.000+05:30

A team of security researchers from the Ruhr University of Bochum, Germany has revealed a series of vulnerabilities in the popular instant messaging app WhatsApp.

According to a Wired report, the flaws allow a person with the control of WhatsApp’s servers to add anyone to a WhatsApp group without admin permission.

Once added to a group, the respective encryption keys of all the group members get shared automatically with the new user. So, a newly added eavesdropper can easily read all the new end-to-end encrypted messages exchanged between the members. But not the older messages and the ones for which the stranger doesn’t have the end-to-end encryption key.

The report was quick to ring the bell at the house of WhatsApp’s daddy Facebook. Its chief security officer Alex Stamos made multiple tweets as a response to Wired’s report.

“Read the Wired article today about WhatsApp – scary headline! But there is no a secret way into WhatsApp groups chats. The article makes a few key points.”

“Everyone in the group would see a message that a new member had joined,” he argued. But should that be considered as a safety measure, relying on the alertness of the members to make sure some eavesdropper has not entered their WhatsApp group?

“WhatsApp is built so group messages cannot be send to hidden users and provides multiple ways for users to confirm who receives a message prior to it being sent.”

Stamos said that WhatsApp has seen the researchers’ findings. But preventing a possible attack would require to let go of a popular feature called “group invite links” which allows anyone with a link to join a WhatsApp group. “There may be a way to provide this functionality with more protections, but it’s not clear cut.”

Even if such an attack could be performed, how many people would have access to WhatsApp’s servers except their employees and governments wanting to conduct surveillance? An experienced hacker would first have to compromise the servers before adding an eavesdropper to the group.

According to Maxie Marlinspike, who developed the Signal protocol, it’s not possible to suppress the alerts sent when someone joins the group, contrary to the researchers’ claim. It turns out, it’s not possible for someone to snoop into group chats and hacking the servers is not that easy.

Commenting on the report, Mike said that the article is a better example of the problems associated with security industry and how research is done today. “I think the lesson to anyone watching is clear: don’t build security into your products, because that makes you a target for researchers, even if you make the right decisions,” he wrote.

“There Is Basically No Dark Web. It’s Only A Few Webpages” — Tor Co-founder

2017-08-08T21:25:00.004+05:30

Talking at the DEF CON convention in Las Vegas, the Tor Project co-founder Roger Dingledine said that the dark web doesn’t exist and it’s just a few web pages. He added that media has wrongly labeled it as a heaven for illegal activities. Also, only 3% of Tor users connect to a hidden .onion website.

You might have come across numerous articles outlining the massive size of dark web and how it’s used by criminals to perform illegal activities and trade. However, who’d know the dark web in a better manner than a Tor co-founder?

At the DEF CON convention in Las Vegas, on Friday, Roger Dingledine, one of the three Tor Project founders, said that there are tons of misconceptions about the same. According to The Register, Dingledine bashed the journalists for giving a bad name to the Tor network by calling it a heaven for pedophiles and terrorists.

“There is basically no dark web. It doesn’t exist. It’s only a very few webpages,” he told.

If you’re interested in numbers, only 3% of Tor users connect to a hidden .onion website, said Dingledine. This means that majority of users are using it for simply analyzing their activities on the indexed web. They are, most probably, using it for stopping the website owners from tracking them.

According to his data, surprisingly, Facebook is the most popular website visited by Tor users. Today, more than a million people visit Facebook using Tor browser, thanks to the network’s hidden service launched in 2014.

Dingledine also made attempts to calm down those who feared that different intelligence agencies have already cracked Tor and compromised the integrity. “Intelligence agencies didn’t need to set up their own stepping-stone nodes he said, since they could – if they wanted to – just monitor those who did run them,” as reported by The Register.

7 Worst Cyberattacks in Recent History

2017-07-27T20:48:00.001+05:30

Malware and hacking tactics are becoming more advanced, and users need to be prepared against attack

It’s one thing to click the wrong link and accidentally download some annoying adware on your personal 7 Worst Cyberattacks in Recent Historydevice. It’s another thing to watch as hospitals, train stations, nuclear power plants, and private businesses fall victim to a devastating cyber attack that obliterates their networks and decimates their data.

While viruses and worms of the ‘90s and early ‘00s might be memorable, the malware of the past few years have been unbelievably destructive. Because the internet is everywhere these days, hackers are finding it easier than ever to spread malicious software and gain access to highly sensitive information. If you need more proof that recent cyber attacks are some of the worst in history, the following devastating attacks should be evidence enough.

WannaCry

While a spate of similar malware programs has spread in its wake, WannaCry is certainly the most talked-about attack this year. Using a vulnerability developed by none-other than the U.S. National Security Agency, WannaCry was able to infiltrate computer networks running outdated operating systems, taking them and their data hostage. As a result, more than 230,000 machines in more than 150 countries fell victim to the attack, including dozens of hospitals and care centers in the U.K., a train system in Germany, and a telecommunications provider in Spain. Fortunately, most home users can stay safe from WannaCry by updating their software whenever there is an update and by installing strong internet security software.

Shamoon or Disttrack

A computer virus that targeted devices linked to the energy sector, Shamoon was developed in 2012 by a hacker group known as “Cutting Swords of Justice.” The group’s goal was to destabilize Saudi Amarco Company, an energy giant in the Middle East – and it was somewhat successful. More than 30,000 workstations were impacted by the virus, which prevented machines from connecting to the web and communicating with each other. Also affected were Qatari RasGas Company and LNG Company, though it’s unknown whether they were additional targets of the attack.

Operation Olympic Games or Stuxnet

At the end of President Bush’s administration, the U.S. government attempted to disrupt and sabotage Iranian nuclear facilities with a concentrated cyberattack. Working in conjunction with Israel, the U.S. developed a worm, named Stuxnet, that could take command of devices and use them to control machinery connected to them. Stuxnet was ruthless in its attack, incapacitating over 1,000 centrifuges in just one Iranian nuclear plant; it is a powerful digital weapon, and security experts believe it is being traded around black hat hacker circles – which means the most physically damaging cyber attack is likely on the horizon.

Operation Shady RAT

Operation Shady RATAs you read, a cyber attack is being waged. In 2008, a cybersecurity professional uncovered a series of similar attacks, which he dubbed Operation Shady RAT, launched against government institutions and private agencies in 14 different countries. Though investigations have yet to determine the source of the extensive attack, many analysts believe the operation is sponsored by the Chinese government.

Titan Rain

In the early 2000s, American computer systems experienced an onslaught of epic proportions. Contractors working with the Department of Defense, to include dozens of private businesses like Lockheed Martin and Redstone Arsenal, lost an inordinate amount of sensitive information to attackers, who most security professionals believe were working for China. The attacks continued for three full years before cybersecurity received enough funding to build proper digital defenses. The British Ministry of Defense endured similar attacks, though on a smaller scale.

OpIsrael

Beginning on Holocaust Remembrance Day in 2013, a series of cyber attacks coordinated by anti-Israeli groups and individuals began taking down Israeli websites. The hacks ranged from annoying defacements to disruptive database hijacking and devastating leaks. Unfortunately, the attack debilitated schools, newspapers, small businesses, nonprofit groups, and banks – many of which were not Israeli in origin, effectively working counter to the attackers’ main goal of showing discontent with Israel.

July 2009 Cyberattacks

Though they still lack a flashy name, these attacks propagated against South Korea and the U.S. affected more than 100,000 computers. It seems that attackers targeted governmental websites, including the South Korean National Assembly, the White House, and the Pentagon, as well as a handful of media outlets. To this day, the source and intention of the attacks are unknown, though many experts believe the North Korean telecommunications ministry is to blame..

What is Tabnapping? Protection & Prevention Techniques

2017-07-11T23:41:00.001+05:30

The word ‘Tab Napping’ comes from the combination of ‘tab’ and ‘kidnapping’ used by clever phishers, scammers, and hackers. Tabnapping is an interesting, tricky, clever, and smart hacking technique for phishing and scamming.

Through this, attackers take advantage and control a victim’s unattended browser tabs by hijacking and redirecting him to malicious URLs where they can perform a phishing attack and execute scripts and data URIS.

For example:

You are already logged in to your Facebook account and suddenly you see an interesting post with a web link. After clicking on the link, a new tab opens. Now, you are visiting an interesting post link on the new tab and unknowingly your previous tab will change to a fake Facebook login page. When you go back to the previous tab to log in to Facebook, your login information will be sent to the attacker and your successful login to Facebook because you never logged out.

Protect Yourself From Tab Napping:

Always check the URL in the address bar and ensure that it is using secure protocol HTTPS

Most web developers use target=”_blank” only to open links in new tab. If you use target=”_blank” only to open links in a new tab, then it is vulnerable to an attacker. When you open a link in a new tab ( target=”_blank” ), the page that opens in a new tab can access the initial tab and change its location using the window.opener property.

javascript code:

window.opener.location.replace(malicious URL)

Prevention:

rel=”nofollow noopener noreferrer”

"Cyber world is hitting by Tabnapping. Many sites like Google and Facebook is affected by Tabnapping. Many of us is unaware about this hacking technique, so hackers are targeting us, using this attack "

Important Note:

It is just for educational purpose only.

How to Know if a Cyber Security Engineering Degree is Right for You

2017-01-06T16:25:00.000+05:30

To get a job in the cyber security field, or more specifically in cyber security engineering, you’re going to need education, likely a cyber security engineering degree, and experience paired with the right skill set.

This isn’t a field you can just jump into without the right qualifications and skills. So what exactly do you need to get accepted into a master’s program and then consequently work in the field? And how do you know if a career in cyber security engineering is right for you? Read on to find out!

Your Education and Experience

In order to gain the qualifications necessary to land a job as a cyber security engineer, many obtain a master’s degree in the field. A master’s degree is beneficial to those looking to enter or advance in the field of cyber security because it offers a truly specialized approach. But to get accepted into a master’s program it is essential to have a background that has prepared you adequately. That means that you should have an undergraduate degree in engineering or computer science and/or currently work in one of these areas.

It is important for cyber security engineers to have a technical background (including areas such as configuration and testing) and a deep breadth of knowledge around the different concepts and tools used to fight cyber crime. In order to design and innovate new security solutions as well as troubleshoot current systems, this knowledge and understanding is essential.

Your Strengths and Skills

Engineers design, invent and innovate. In order to be successful in the field these are passions you must possess. As Fred Kerby instructor at the SANS Institute and formerly an information assurance manager at the Naval Surface Warfare Center said in an article by The Business of Federal Technology, “You have to have a passion for what you’re doing. You have to have that natural sense of curiosity about how things work. It’s not something you can just get a certificate for and check that box on your resume.”

Most successful cyber security engineers share the following traits and skills:

A natural curiosity about the way things work
A desire to break things down, getting to the nuts and bolts of something
Mathematical and science minded
Detail oriented
Methodical
Collaborative
Ability to handle stress and fluid situations
Willingness to work on-call 24hrs/day

Does this sound like you? If so, cyber security engineering may be a great career path for you. And your timing couldn’t be any better to enter the field, as cyber security workers are now commanding a 9% salary premium over other IT workers and cyber security job postings have grown 91% from 2010-2014, according to Burning Glass Technologies.

How to Choose a Program

There are a few different paths available to you if you feel that cyber security engineering is a good fit and you meet the above criteria in experience, education and skill strengths. Depending on your specific goals combined with your background and financial situation you can decide which option is best for you.

Most of the time, the best choice for those who know they want to work in the field of cyber security engineering is to obtain a Master’s Degree in Cyber Security Engineering. An advanced degree in this field is highly sought and frequently required. By getting a degree in cyber security engineering you are gaining a holistic and focused education in a specialized field, which is looked upon very favorably by employers.

If you are comparing master’s programs be sure to evaluate the strength of the curriculum, the organization of the program, the faculty make-up and how well the program format lends itself to working professionals. Beware of computer science master degree programs with a specialization in cyber security. Unless you want a broad computer science degree, this option typically only gives you a few classes in cyber security and is not nearly as focused as a degree in cyber security engineering.

If you aren’t yet ready for a master’s degree there are a plethora of certifications you can rack up while you determine if a degree program is right for you. Certifications can really enhance your resume and are a great way to keep current and hone your skills.

There is currently a huge shortage of talent in the cyber security field, which has created an enormous opportunity for those looking to enter or advance their careers in this discipline.

At USD we offer a Master of Science in Cyber Security Engineering that focuses on the engineering aspects of software and hardware security and can be completed in as little as 20 months. To learn more about our nationally accredited program visit the program page.

Stratgies to Stay Safe from Cyber Attacks

2016-09-15T15:13:00.003+05:30

Cyber security is vital for businesses, especially small and medium sized ones. Why? Because they often don’t have the cyber security infrastructure or staff that large companies have to ensure that files and bank accounts aren’t left susceptible to being compromised.

At first, for anyone, cyber security can feel very complex – and it is! But to make is easier, here are three proven strategies that companies of all sizes can implement to make sure they are keeping themselves safe from cyber-attacks.

Use these tips to educate yourself and others on what is necessary to stay safe and, for some businesses, compliant with regulation, with sensitive information.

Use a layered defensive security approach.
- Using software or other solutions at different points in and around a given network.
- Layered defenses are important because they can often (depending on the amount of layers) prevent a breach from happening at all.
Train employees (not just lower level employees, but employers and management as well).
- Employees are most often the weakest link in any business’ security.
- This is the easiest way for attackers to bypass many or all of the technical procedures put in place.
Monitor and maintain network security all the time (24/7).
- Trouble never sleeps, and there is always someone in the world who will want to attack your company or personal information.

New Malware Allows Full Access to Mac Systems

2016-07-19T15:30:00.000+05:30

Recently the internet security software company Bitdefender found that Apple computer systems, Mac OS X, faces a new threat that allows attackers to take full control of the system imperceptibly and collect all the sensitive information from the infected computers.

New Malware Allows Full Access to Mac Systems

Recently Bitdefender found a new malware that installs backdoors into the Mac operating system which grants attackers full access to Mac Systems. The malware has been called “Backdoor.MAC.Elanor” and has been discovered by researchers at Bitdefender security.

As we have already mentioned that we are dedicated to installing backdoors in the operating system so that the attackers may have full access, including user data or can take control of the webcam, execute arbitrary code and much more.

As a means of distribution used a false file conversion application known as EasyDoc Converter.app, which can be found in places widely used by Mac users when seeking applications to install, according to the Bitdefender security.

Initially, the researchers found it difficult to accurately determine the means by which infection occurs. Most likely, the backdoor is distributed via spam messages, but it can also get on the system through applications downloaded from untrusted sources. As explained by the experts, one of the loader components distributed via ZIP-file.

As the ZIP-file contains the executable file in the Mach-O format, which disguised as a text or JPEG-file. However, at the end of the expansion, there is a space, when you double click on the “ZIP-file” the file opens it in the Terminal, and not in TextEdit or Preview as regular files. Since the Finder file manager identifies the icon of the executable file as a JPEG or TXT, the user is unlikely to suspect that something was wrong and are likely to open it.

The backdoor, packed with a modified version of the UPX, seeking persistence on the system, setting PLIST-file in the “/Library/LaunchAgents/(if available superuser) or $ USER” and “/Library/ LaunchAgents/ (without root access)”. The Icloudsyncd executable file is stored in the “Library/Application Support/com.apple.iCloud.sync.daemon directory”.

However, the Mac have an increased security step known as “Gatekeeper”, which is located in the System Preferences under Security & Privacy. By default, it prevents running any unsigned applications from the unidentified sources or developers. So, if you download an unsigned application from any unidentified source then the Mac App Store will try to run it, but, ultimately you will get a message that “stating the application cannot be opened”. Hence, the Gatekeeper would have blocked the malware, if it is enabled.

Hackers Show How To Hack Anyone’s Facebook Account Just By Knowing Phone Number

2016-06-16T17:53:00.000+05:30

By exploiting the SS7 flaw, a hacker can hack someone’s Facebook account just by knowing the associated phone number. This flaw allows a hacker to divert the OTP code to his/her own phone and use it to access the victim’s Facebook account. The security researchers, who have explained the hack in a video, advise the users to avoid adding their phone numbers to the public services.

Facebook hacking is also one of the most commonly searched terms on the internet. However, very often people become a victim of malware while searching for Facebook hacking tools.

As we continue to deploy new safety measures to secure our online accounts, hackers and security researchers continue to find new ways to control Facebook accounts.

Recently, we told you how an Indian security researcher spotted a bug in the Facebook website and got $15,000 bug bounty.

Today, we are going to tell you how hackers can hack any Facebook account just by knowing the associated phone number and exploiting an issue with SS7 network.

For those who don’t know, SS7 network (Signalling System Number 7) is a communication protocol that’s used worldwide by the cellphone carriers.

Using a flaw in SS7, hackers can divert the text messages and calls to their own devices. This hacking technique has been shared as a proof-of-concept video by the security researchers from Positive Technologies.

How To Facebook Account By Knowing Phone Number (Video):

This flaw affects all Facebook users who have associated a phone number with their Facebook accounts.

https://www.youtube.com/watch?v=wc72mmsR6bM

In the demonstration video, the security researchers show that as the first step of the hack, the attacker needs to click on the “Forgot account?” button on Facebook.com website’s homepage.

When Facebook prompts the hacker to enter an email address or phone number, he/she should enter the correct number associated with the account.

By exploiting the SS7 flaw, the hacker is able to divert the OTP message from Facebook to his/her own computer and use it to login to the victim’s Facebook.

The researchers list some measures that a user can take to secure his/her Facebook account. They advise people to avoid adding their phone numbers to public services and rely on email for recovery purposes.

The users are also advised to use 2-factor authentication methods that don’t use SMS texts for sending OTP.

Ethical Hacking Course in Vellore

2016-05-23T09:44:00.001+05:30

Ethical Hacking Course in Vellore | Kanchipuram | Gudiyatham

Ethical Hacking! An action performed by a hacker to malfunction a system or an entire network with an intention to interrupt or crash the framework bypassing all the security issues such as a strong password set by the owner of the Network. Whereas a company look into this technique in a different way i.e; the companies uses these strategies in order to increase their security in a hacker point of view. This is what you will be learning at our ethical hacking course in Vellore. The training offered here will make you face the obstacles that are posted in the real time hacking industries.

According to an old saying “Be a roman, when you are in roman”, to become an ethical hacker you should turn in to one. The demand for ethical hacker is increasing worldwide, though it is the highest paid job in India as well as abroad. Unhappily there are less number of ethical hackers are available to fill out the opened positions in leading companies in the world. Our ethical hacking course would act as a gateway for you to enter in to a reputed concern. For this all you have to do is to join Redback Academy and pursue your ethical hacking training.

Our procedure lies in training our students in all the perspective that a professional hacker would thick. Since our trainers are present employees of foremost hacking companies, they would give you real time training on how to hack tiny network. Through which you will be gaining the knowledge of how to face an actual work environment. This includes, understanding the tools required for hacking and pace of environment where all the action will be held. These are our talent that we are implementing in teaching hacking course in Vellore for a long time.

Our teaching would be completely a practical one, with minimal number of theory classes. Students are allowed to take advantage of our Lab facility at the time we are opened. We do provide an International certification to our students on successful completion of the training and that would be from EC council. You can contact us at any time for a free demo class to get an in depth knowledge about the course that you are about to learn. We are ready to help you with all our effort to make you a ethical hacker as soon as possible. Don’t just wait anymore, call us now to enroll for the course.

Ethical Hacking Course Syllabus:

Introduction to Ethical Hacking
Footprinting and Reconnaissance
Scanning Networks
Enumeration
System Hacking
Trojans and Backdoors
Viruses and Worms
Sniffers
Social Engineering
Denial of Service
Session Hijacking
Hacking Webservers
Hacking Web Applications
SQL Injection
Hacking Wireless Networks
Hacking Mobile Platforms
Evading IDS, Firewalls, and Honeypots
Buffer Overflow
Cryptography
Penetration Testing

Why Ethical Hacking Course in Vellore at Redbakacademy?

We provide innovative and practical teaching methods in attempt to make learning more interactive.
We are open 7 days a week. You can enjoy the flexibility of weekday and weekend schedules based on your convenience.
At the end of the course, each student will be assigned with mini project. In addition, we also give the opportunity of working in real time projects based on their ability.
Our training institute is facilitated with high-end infrastructure and lab facility.
Intensive training through certified by ethical hackers working in leading MNCs
In depth subject coverage and excellent training
We also offer 100% placement assistance to our students to make impressive presence in reputed web design industries.

Looking for best Ethical Hacking Training Course in Chennai? Enroll in FITA. Get Trained by Certified Ethical Hacker and become one!

Related search terms: Ethical hacking course in Vellore, kanchipuram, Chittor, Gudiyatham, Chennai, Ethical hacking course, Hacking course in Vellore, kanchipuram, Chittor, Gudiyatham, Chennai, Ethical hacker course in Vellore, kanchipuram, Chittor, Gudiyatham,Chennai, Ethical hacking training in Chennai, Ethical hacker training in Chennai, Ethical hacking course in Vellore, kanchipuram, Chittor, Gudiyatham,Chennai, Best ethical hacking institute in Vellore,kanchipuram, Chittor, Gudiyatham,Chennai, Ethical hacking training center in Vellore, kanchipuram,Chittor, Gudiyatham,Chennai, Ethical hacking training institutes in Vellore,kanchipuram,Chittor,Gudiyatham,Chennai, Ethical Hacking Course in Vellore,kanchipuram,Chittor,Gudiyatham,Chennai, Ethical Hacking Course in Chennai, Ethical Hacking Course in vellore.

Learn Hacking

2016-05-11T19:22:00.002+05:30

www.redbackacademy.com | www.redbackcouncil.org

IRCTC website hacked, information of lakhs feared stolen.

2016-05-05T12:30:00.003+05:30

The website of the Indian Railways Catering and Tourism Corporation (IRCTC) was hacked and the personal information of around 1 crore users is feared to be leaked, said reports on Thursday. The official website of the Indian Railways, IRCTC is the biggest travel e commerce website in India and lakhs of transactions are conducted by the site everyday. With the reported leak, safety and security questions about the customers’ personal information like PAN card numbers and other details have arisen.

The hacking occurred late on Tuesday night and the site has now been brought under control. But the fears of personal information of thousands of customers being misused still remain. A high-level meeting took place in Delhi regarding the hacking. Senior IRCTC officials discussed what measures could be taken to ascertain how far the hackers had gone. Speaking to Mumbai Mirror, AK Manocha, Managing Director of IRCTC revealed that so far, there has been no complaint from any customer, but Delhi police’s cyber cell has been informed.

Customers have to fill in important information for online reservations and when stolen, the same can be used by miscreants to create forged documents. ”The data is a valuable asset and can be sold to corporations who may use it for targeting potential consumers,” an IRCTC source was quoted as saying by TOI. Personal data of the users like email ids and mobile numbers which are also filled in, while making online bookings, can be used by telemarketers for promoting their respective products or services and spamming the customers with unwanted messages.

However, sources said that it was unlikely that bank details or credit card details are leaked since the website, since the payment gateway takes the customer out of the website during the online payment. Once the user is directed to the bank site, there are less chances of information getting leaked as these have better security. The hacking occurred even after the Railways reportedly spent Rs. 100 crores last year, for the upgrading of the website.

Source: http://timesofindia.indiatimes.com/tech/tech-news/IRCTC-website-hacked-information-of-lakhs-feared-stolen/articleshow/52116516.cms?

http://indianexpress.com/article/india/india-news-india/irctc-hack-data-theft-2785213/

http://www.hindustantimes.com/tech/irctc-website-hacked-data-of-1-crore-customers-stolen/story-9CXRiwPMkPgcDZVpNZd6aP.html

http://www.india.com/news/india/irctc-website-hacked-personal-information-pan-card-mobile-numbers-1-crore-customers-feared-leaked-1160460/

How to Become an Ethical Hacker

2016-04-26T13:14:00.000+05:30

Cyber-security is one of the major concerns of online users these days and hackers are an inevitable part of this discussion. Every part of our cyber world is influenced by hackers and they exploit the vulnerabilities of systems to gain unauthorized access. While numerous people are confused between the terms hackers and cyber-criminals, many of you are willing to know more about hackers and how to become one.

Have you ever considered hacking as a career? There are few things that should be considered to figure out if hacking is the right job for you.

As I’ve discussed in my earlier article, there is great confusion among people when it comes to things like cyber criminals, hackers, ethical hacking, black hat hacking, white hat hacking and more.

Who is an ethical hacker?

Ethical hacker performs hacking to help an individual or company and identifies the potential risks. An ethical hacker is a good guy and sometimes the term is used synonymously White Hats. They work to improve the overall internet security and search for weak points that could be exploited by the black hats – the bad guys.

Take a look at these points and you will understand what constitutes ethical hacking! These are “guidelines” that an ethical hacker must follow!

1. Respect an individual’s or company’s privacy.

2. Having a permission (expressed – often written) to break into a network and look for the loopholes.

3. After finding the vulnerabilities, you tell your employer about the unknown flaws.

4. After finishing the work, you must not anything open for later exploitation by you or someone else.

5. Do not take any kind of advantage of the permission and access granted to you.

Now, take a look , It’s a very well represented career path. For choosing this career as an ethical hacker, you can start by becoming an Information Security analyst or by becoming a computer programmer.

Learn more about this career path in the info-graphic given below:

To Build a best Career as Security Professional :

Contact :

Redback IT Academy

#AL 24, TNHB , PHASE III,

Sathuvacheri,

Near Vallalar Water Tank ,

Vellore.

Call us @ : 8189985551

The 7 Most Wanted Iranian Hackers By the FBI

2016-04-23T12:02:00.002+05:30

The Federal Bureau of Investigation (FBI) has lengthened its Most Wanted List by adding seven Iranian hackers who are accused of attacking a range of US banks and a New York dam.

The United States Department of Justice (DoJ) charged seven Iranian hackers with a slew of computer hacking offences for breaking into computer systems of dozens of US banks, causing Millions of dollars in damages, and tried to shut down a New York dam.

The individual hackers, who allegedly worked for computer security companies linked to the Iranian government, were indicted for an "extensive campaign" of cyber-attacks against the US financial sector.

All the seven hackers have been added to the FBI's Most Wanted list, and their names are:

1. Ahmad Fathi, 37

2. Hamid Firoozi, 34

3. Amin Shokohi, 25

4. Sadegh Ahmadzadegan (aka Nitr0jen26), 23

5. Omid Ghaffarinia (aka PLuS), 25

6. Sina Keissar, 25

7. Nader Saedi (aka Turk Server), 26

All the hackers have been charged with conducting numerous Distributed Denial-of-Service (DDoS) attacks on major U.S. banks, with Firoozi separately gaining unauthorized access to a New York dam's industrial automation control (SCADA) system in August and September of 2013.

"This unauthorized access allowed [Firoozi] to repeatedly obtain information regarding the status and operation of the dam, including information about the water levels, temperature, and status of the sluice gate, which is responsible for controlling water levels and flow rates," a DoJ statement reads.

Luckily, the sluice gate had already been manually disconnected for the purpose of maintenance at the time Firoozi attacked.

The hackers' work allegedly involved Botnets – networks of compromised machines – that hit major American banks, including Bank of America and J.P. Morgan Chase, as well as the Nasdaq stock exchange with floods of traffics measuring up to 140Gbps and knocked them offline.

The Iranian hackers targeted more than 46 financial institutions and financial sector companies, costing them "tens of Millions of dollars in remediation costs" in preventing the attacks in various incidents spanning 2011 to 2013.

All the seven hackers will face up to 10 years in prison on computer hacking charges while Firoozi faces an additional 5-year prison sentence for breaking into a dam in Bowman Avenue Dam in Rye Brook, New York.

To know more ..

WhatsApp’s end-to-end encryption: How to enable and what it means.

2016-04-06T13:18:00.000+05:30

WhatsApp is now end-to-end encrypted at all times. This will ensure that a user’s messages, videos, photos sent over WhatsApp, can’t be read by anyone else; not WhatsApp, not cyber-criminals, not law-enforcement agencies. Even calls and group chats will be encrypted.

WhatsApp co-founder Jan Koum announced the update on his Facebook page, stating that the company has been working on the feature for the last two years.

Koum wrote, “We’ve been working for the past two years to give people better security over their conversations on WhatsApp… People deserve security. It makes it possible for us to connect with our loved ones. It gives us the confidence to speak our minds. It allows us to communicate sensitive information with colleagues, friends, and others. We’re glad to do our part in keeping people’s information out of the hands of hackers and cyber-criminals.”

So what is end-to-end encryption and how exactly does it work in WhatsApp?

WhatsApp is using “The Signal Protocol”, designed by Open Whisper Systems, for its encryption.

In its White Paper, explaining the technical details of the end-to-end encryption, WhatsApp says that “once the session is established, clients do not need to rebuild a new session with each other until the existing session state is lost through an external event such as an app reinstall or device change.”

The post explains how messages are encrypted as well. It reads, “clients exchange messages that are protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication. The Message Key changes for each message transmitted, and is ephemeral, such that the Message Key used to encrypt a message cannot be reconstructed from the session.” It also says that calls, large file attachments are end-to-end encrypted as well.

Note the ever-changing message key can mean a delay in some messages getting delivered, according to the paper. It should be noted that feature is enabled by default in WhatsApp, which means that if you and your friends are on the latest version of the app, all chats will be end-to-end encrypted. Unlike say Telegram where users have to start a secret chat to enable the feature, WhatsApp has the feature on at all times. Users don’t have the option of switching off end-to-end encryption.

Users need to be on the same versions of WhatsApp to ensure that their chats get end-to-end encrypted. If you’ve recently updated the app, and you start a chat with someone else (also on the new version) you are likely to see a message saying, “Messages you send to this chat and calls are now secured with end-to-end encryption.

Once you tap on the message, WhatsApp has a pop-up menu explaining what end-to-end encryption means. Users can verify if the encryption is working as well. If a user taps on verify, they will taken to a page with a QR code, followed by a string of 60 numbers. If your friend is nearby, take their phone scan the code from your phone (the option is there at the bottom of the same page) and if the QR code matches, then the chat is encrypted. When the codes match, a green tick appears; when it doesn’t there’s an exclamation mark in red alerting a user that the chat is not secure. So does the end-to-end encryption work all the time? We tried verifying some chats that had the message saying encryption was enabled. In some cases, the verification failed for us. In the first case, we tried to verify a chat between an Android and iPhone 6s device (running iOS 9.3.1), and the QR codes didn’t match. We also tried matching QR codes on an two Android phones, and once again we got the red alert indicating no end-to-end encryption

Android phones are on the latest version of the app from the Google Play Store. However a verification between a chat on two iOS devices, (iPhone 6s, iPhone 5s) worked for us and showed the green tick. We’re not sure why the verification failed, even though the chat says it is end-to-end encrypted. We might have to wait for another app update that could fix this issue.

Penetration testing for your organization has never been easier.

2016-03-14T09:09:00.001+05:30

Reback council offers a simple, easy-to-understand suite of penetration testing services to commercial organizations throughout the India. Reback council is a commercial product offering of Chameleon Integrated Services, and can demonstrate a strong track record of IT security systems past performance that includes work for the Indian government and a diverse group of commercial customers (small and large).

We make the process of executing the most critical elements of penetration testing available in an easy to implement and easy to afford manner. We offer four separate services individually and as a bundle, that we believe are critical to establishing IT system security for your organization.

Our service offerings include:

Internal Penetration Testing

External Penetration Testing

Wireless Penetration Testing

Spear Phishing Campaigns

These services can be performed quickly and easily by our team anywhere in the India. Reback council uses top pen. testing experts from across the India to implement our security procedures. You can rest-assured that all work performed will be completed by a verifiable and accredited IT security expert. Additionally, all of our service offerings include deliverables and reports following all of our security protocols.

HORNET is New Tor-like Anonymity Network With Superfast Speeds

2016-03-12T14:30:00.000+05:30

The Deep Web is a place that is hidden from the ordinary world because the browsers used to access the Deep Web, continuously encrypt user data. Due to this constant data encryption, the browsing speeds are slow. Our beloved Tor network has more than 2 million daily users that slow down its performance. To counter this speed issue, five researchers have developed a new Tor-style anonymity network called HORNET: High-Speed Onion Routing at Network Layer.

Compared to anonymity networks like Tor, the HORNET system is more resistant to attacks and it delivers faster node speeds. The researcher team writes, “unlike other onion routing implementations, HORNET routers do not keep per-flow state or perform computationally expensive operations for data forwarding, allowing the system to scale as new clients are added.”

This paper “Hornet: High-Speed Onion Routing at Network Layer” was written by researchers Chen Chen of Carnegie Mellon University, along with David Barrera, Enrico Asoni, and Adrian Perrig of Zurich’s Federal Institute of Technology, and George Danezis from University College of London. Here’s the research paper.

To achieve speeds higher than Tor, HORNET doesn’t encrypt data as often- instead it encrypts just the personal stuff. In Tor, anonymity comes at the price of speed. To provide anonymity, Tor takes data and passes it through series of computers before the final destination. Each time, it passes from one computer to the other, the encryption exists and IP addresses change. Thus, it forms a time-taking multilayer network (hence “The Onion Router”).

HORNET nodes process the anonymous traffic at more than 93Gb/s speed.

The basic architecture of Tor and HORNET is same(onion routing). HORNET creates an encryption key set along with the routing info (connection state) on your system. Thus, the intermediate nodes don’t need to build this information each time, as these keys and connection state info is carried within packet headers (anonymous header or AHDR).

According to the research paper, it makes the whole system more secure as the other intermediate computers don’t waste time playing with the sender’s and receiver’s packets. Thus, the whole process becomes more fast and secure.

It is worth mentioning that HORNET is not yet tested at a large scale, it’s just these 5 researchers. Thus, extensive peer review is needed to adopt systems like HORNET.

Top 10 safe computing TIPS

2016-03-09T12:23:00.002+05:30

1.Patch, Patch, PATCH!

Set up your computer for automatic software and operating system updates. An unpatched machine is more likely to have software vulnerabilities that can be exploited.

2.Install protective software.

Sophos is available as a free download for Windows, Macintosh, and Linux from IS&T's software page. When installed, the software should be set to scan your files and update your virus definitions on a regular basis.

3.Choose strong passwords.

Choose strong passwords with letters, numbers, and special characters to create a mental image or an acronym that is easy for you to remember. Create a different password for each important account, and change passwords regularly.

4.Backup, Backup, BACKUP!

Backing up your machine regularly can protect you from the unexpected. Keep a few months' worth of backups and make sure the files can be retrieved if needed. Learn more about TSM and how to backup your system.

5.Control access to your machine.

Don't leave your computer in an unsecured area, or unattended and logged on, especially in public places - including Athena clusters and Quickstations. The physical security of your machine is just as important as its technical security.

6.Use email and the Internet safely.

Ignore unsolicited emails, and be wary of attachments, links and forms in emails that come from people you don't know, or which seem "phishy." Avoid untrustworthy (often free) downloads from freeware or shareware sites. Learn more about spam filtering.

7.Use secure connections.

When connected to the Internet, your data can be vulnerable while in transit. Use remote connectivity and secure file transfer options when off campus.

8.Protect sensitive data.

Reduce the risk of identity theft. Securely remove sensitive data files from your hard drive, which is also recommended when recycling or repurposing your computer. Use the encryption tools built into your operating system to protect sensitive files you need to retain.

9.Use desktop firewalls.

Macintosh and Windows computers have basic desktop firewalls as part of their operating systems. When set up properly, these firewalls protect your computer files from being scanned.

10.Most importantly, stay informed.

Stay current with the latest developments for Windows, Macintosh Linux, and Unix systems.

6 Statistics that Prove You Need Application Security Training

2016-02-27T12:33:00.000+05:30

As well as protecting your applications and the sensitive data they contain, improving your application security can save your organisation a great deal of time and expense.

Good application security training is a crucial first step to improving your organisation’s application security. Today, I’m looking at 6 statistics that demonstrate why application security training is essential for protecting your organisation and its data.

1) At Least 70% of Vulnerabilities Exist in the Application Layer

Gartner has estimated that 70% of all vulnerabilities are caused by poor application security – and other researchers have estimated the figure to be as high as 90%.

While many organisations assume that the network layer of their infrastructure is the primary source of security vulnerabilities, it’s actually the application layer that poses the biggest threat.

2) Only 1 in 40 Web Applications has a Web Application Firewall

Web application firewalls (WAFs) inspect all traffic flowing to web applications for common attacks, such as cross-site scripting, SQL injection, and command injection.

Despite WAFs being able to detect many of the most common web application vulnerabilities, on average only 1 in 40 applications in a recent study was found to use a web application firewall to protect against common attacks.

3) 71% of Developers Believe Security is Not Addressed During the SDLC

The sooner you catch a vulnerability during the SDLC, the easier (and cheaper) it is to fix.

Despite the exponentially growing cost and complexity of fixing application vulnerabilities after deployment, more than two thirds of developers believe that their organisations make no efforts to address security during the development life-cycle.

4) Only 22% of Developers Have Any Role in Testing Application Security

Less than a quarter of software developers have any active role in testing application security during the SDLC.

This is because in most organisations, security is a separate department and the development team has very little security knowledge, making it harder to identify and remediate vulnerabilities, and prevent them from making it into the finished product.

5) 47% of Developers Have No Mandate to Fix Vulnerable Code

Even worse: once a vulnerability is detected, almost half of developers lack the authority to fix them. Instead it is normally passed over to the security team, making the remediation process longer and allowing more time for the vulnerability to be exploited.

If security isn’t prioritised during the SDLC and developers aren’t involved in security testing for their applications, they will make the same mistakes over and over, and without mandate to remediate these vulnerabilities, this can cause significant friction between your development and security teams.

6) 89% of Application Vulnerabilities Are in the Software Code

This is compared with only 11% that are caused by application misconfiguration. This highlights the importance of educating your development team in secure coding best practices, to guard against the most common application vulnerabilities such as those listed in the OWASP Top 10.

By teaching your developers defensive coding, your organisation can reduce vulnerabilities at the source, reducing the number of mistakes and loopholes that make it into the finished code.

Top 10 Skills Required to Become a Pro-Hacker

2016-02-21T13:24:00.002+05:30

The term hacker literally means a person who uses computers in order to get unauthorized access to data. Hacking is not crime unless and until you do it to get unauthorized access. In this article, you will see the skills required to become a pro-hacker. Stealing data and hacking into networks are not the only things that hacker does. The skills mentioned below can also help you to tackle with hackers who do hacking to obtain unauthorized access data.

Top 10 Skills Required to Become a Pro-Hacker

#1 Basic Computer Skills

Basic Computer Skills

You may laugh at this skill, however it is very necessary for a hacker to get strong hold on the functioning of the computer. Also you must be able to use the command line in Windows and editing the registry and setting own networking parameters.

#2 Networking Skills

Networking Skills

The skills mentioned below will be really helpful for those persons wishing to become hackers as these skills will help them to understand about its functioning.

DHCP, NAT, Subnetting, IPv4, IPv6, Public v Private IP, DNS, Routers and switches, VLANs, OSI model, MAC addressing, ARP.

#3 Linux Skills

Linux Skills

No Doubt, Linux is the most favorite operating system of hackers. Almost all the tools that we use as being as a hacker are developed for Linux. It has more potential that hacker requires but are not available on Windows. That’s why hacker prefer to use Linux Operating System.

#4 Wireshark

Wireshark

Wireshark is open source packet analyzer and available for free. It is particularly used for network troubleshooting, analysis, software and communications protocol development as well as in Education.

#5 Virtualization

Virtualization

It literally means the making of virtual version of something like operating system, server, storage device or network resources. It helps in testing the hack that is going to take place before making your hack go live and it also helps to test and revise the hacks before making it go live.

#6 Security Concepts

Security Concept

It is also vital skill in order to understand security concepts as well as technologies. Person having strong hold on security can control the barriers set by security administrators. It is also important for a hacker to learn skills like Public Key Infrastructure (PKI), Secure Sockets Layer (SSL), Intrusion Detection System (IDS), Firewalls and more. If you are learner in hacking, you can get most of these skills in a security course like Security +.

#7 Wireless Technologies

Wireless Technologies

Wireless Technology literally means the procedure of sending information via invisible waves in the air. Persons who wish to hack wireless devices must first understand the functioning of it. So you must learn encryption algorithm like WEP, WPA, WPA2, the four way handshake and WPS. Moreover you can also learn and understand things like protocol for connection and authentication as well as restrictions on wireless technologies.

#8 Scripting

Scripting

It is considered as important skill in order to become a pro-hacker because if any hacker is using tools of other hacker, he/she will be dis-rated for using them. Also, security administrators are vigilant about the hacking attempt and they come with new tool in order to cope with hackers.

#9 Database

Database

Database is a structured set of data present in computer and which is accessible in numerous ways. For those hacker’s who wish to hack database, then it is necessary for them to understand the functioning of the databases. It consists of SQL Language. It is better to understand the big DBMS like Oracle, MySQL or Oracle.

#10 Web Applications

Web Applications

Web Applications is software which you use on the Internet via your Web Browser. It has been witnessed that web applications have also became a prime target of the hackers since the last few years. You will be be victorious in your task if you understand the functioning of web applications and the databases backing them. Moreover it will also help you to make your own website for the purpose of phishing or other.

Why Android Malware is worse than you thought.

2016-02-19T17:56:00.000+05:30

The future will not only be about thinner, faster, and bendable smartphones, but it will definitely also be about security and bigger online threats.

Let’s imagine a scenario where you don’t need to take photos any more because Google will simply choose the best pictures from a live stream of the day’s events just to make your life easier.

Soon you won’t even need to decide what to eat, your Android phone will know exactly what you need and what you like, showing you the most suitable foods for your age.

But there’s so much hype around the future of Android that we forget to see the obvious threats, the alarmingly increasing number of Android malware, and the criminal activities carried out on smartphones.

According to a recent International Data Corporation (IDC) study, one out of every one hundred mobile devices (1.4%) on the global market was infected with malware in Q2 2015.

The same study reveals that vendors shipped a total of 334.4 million smartphones worldwide in the first quarter of 2015 and Android dominated the market with a 78% share. That’s a lot of Android phones affected by malware!

0.2% of the devices in the U.S. were infected with malware in the second quarter of 2015. Of the 0.2% infected devices, more than half (62%) were infected with malware aimed at stealing the user’s personal data.

Privacy-stealing malware can get a wide range of personal information and data from your Android device, including contacts, locations, pictures, and login credentials for your online banking.

Using this type of malware, hackers can easily gain access to your bank account data and use it to carry out criminal acts on your behalf or sell your info on the black market. This is not a spy movie we’re talking about, this is a very common scenario in 2016, anywhere in the world.

The good thing is that Google has been constantly making security improvements to the Android platform. The number of vulnerabilities that affect the OS compared to PC platforms is really small. But the customizable nature of the OS still leaves the door open to security breaches.

Guess where that leaves your Android smartphone security? That’s right, in your own hands. Every click counts!

Here are 5 must-follow tips to protect your Android device from malware:

Stop exposing yourself to bad apps in unofficial stores. Always get the latest apps from official Google & partner stores.
A good Antivirus is a must on your phone.
Don’t be afraid of all the updates your phone asks for from time to time. They can be a life saver.
Use a VPN when making online payments using public WiFi.
Beware of data-pulling adware. Install an ad blocker or at least an ad tracker.

No doubt that Android is here to stay and dominate the smartphone market and we’re really excited about the future of Android technology.

To Know more about Mobile Security.

Our Institute Location:

Redback IT Solutions Private Limited,

#AL 24 TNHB PHASE III,

Sathuvacheri,( Near Vallalar Water Tank)

Vellore. 632602

Contact :

Training Coordinator

8189985551

Cyber Crime & How to Protect Yourself From Them

2016-02-17T12:07:00.001+05:30

Cyber Crime and How to Protect Yourself from Them

As Internet usage is growing daily the world is coming closer. The World Wide Web sounds like a vast phenomenon but surprisingly one of its qualities is bringing the world closer making it a smaller place to live in for its users. However, it has also managed to create another problem for people who spend long hours browsing the Cyber World – which is cyber crimes.

While law enforcement agencies are trying to tackle this problem, it is growing steadily and many people have become victims of hacking, theft, identity theft and malicious software. One of the best ways to avoid being a victim of cyber crimes and protecting your sensitive information is by making use of impenetrable security that uses a unified system of software and hardware to authenticate any information that is sent or accessed over the Internet. However, before you can understand more about this system, let us find out more about cyber crimes.

Types of Cyber Crimes

When any crime is committed over the Internet it is referred to as a cyber crime. There are many types of cyber crimes and the most common ones are explained below:

Hacking: This is a type of crime wherein a person’s computer is broken into so that his personal or sensitive information can be accessed. In the United States, hacking is classified as a felony and punishable as such. This is different from ethical hacking, which many organizations use to check their Internet security protection. In hacking, the criminal uses a variety of software to enter a person’s computer and the person may not be aware that his computer is being accessed from a remote location.

Theft: This crime occurs when a person violates copyrights and downloads music, movies, games and software. There are even peer sharing websites which encourage software piracy and many of these websites are now being targeted by the FBI. Today, the justice system is addressing this cyber crime and there are laws that prevent people from illegal downloading.

Cyber Stalking: This is a kind of online harassment wherein the victim is subjected to a barrage of online messages and emails. Typically, these stalkers know their victims and instead of resorting to offline stalking, they use the Internet to stalk. However, if they notice that cyber stalking is not having the desired effect, they begin offline stalking along with cyber stalking to make the victims’ lives more miserable.

Identity Theft: This has become a major problem with people using the Internet for cash transactions and banking services. In this cyber crime, a criminal accesses data about a person’s bank account, credit cards, Social Security, debit card and other sensitive information to siphon money or to buy things online in the victim’s name. It can result in major financial losses for the victim and even spoil the victim’s credit history.

Malicious Software: These are Internet-based software or programs that are used to disrupt a network. The software is used to gain access to a system to steal sensitive information or data or causing damage to software present in the system.

Child soliciting and Abuse: This is also a type of cyber crime wherein criminals solicit minors via chat rooms for the purpose of child pornography. The FBI has been spending a lot of time monitoring chat rooms frequented by children with the hopes of reducing and preventing child abuse and soliciting.

Causes of Cyber Crime

Wherever the rate of return on investment is high and the risk is low, you are bound to find people willing to take advantage of the situation. This is exactly what happens in cyber crime. Accessing sensitive information and data and using it means a rich harvest of returns and catching such criminals is difficult. Hence, this has led to a rise in cyber crime across the world.

History of Cyber Crime

When computers and networks came into being in the 1990s, hacking was done basically to get more information about the systems. Hackers even competed against one another to win the tag of the best hacker. As a result, many networks were affected; right from the military to commercial organizations. Initially, these hacking attempts were brushed off as mere nuisance as they did not pose a long-term threat. However, with malicious software becoming ubiquitous during the same period, hacking started making networks and systems slow. As hackers became more skillful, they started using their knowledge and expertise to gain benefit by exploiting and victimizing others.

Cyber Crime in Modern Society

Today, criminals that indulge in cyber crimes are not driven by ego or expertise. Instead, they want to use their knowledge to gain benefits quickly. They are using their expertise to steal, deceive and exploit people as they find it easy to earn money without having to do an honest day’s work.

Cyber crimes have become a real threat today and are quite different from old-school crimes, such as robbing, mugging or stealing. Unlike these crimes, cyber crimes can be committed single handedly and does not require the physical presence of the criminals. The crimes can be committed from a remote location and the criminals need not worry about the law enforcement agencies in the country where they are committing crimes. The same systems that have made it easier for people to conduct e-commerce and online transactions are now being exploited by cyber criminals.

Categories of Cyber Crime

Cyber crimes are broadly categorized into three categories, namely crime against

1. Individual

2. Property

3. Government

Each category can use a variety of methods and the methods used vary from one criminal to another.

Individual: This type of cyber crime can be in the form of cyber stalking, distributing pornography, trafficking and “grooming”. Today, law enforcement agencies are taking this category of cyber crime very seriously and are joining forces internationally to reach and arrest the perpetrators.

Property: Just like in the real world where a criminal can steal and rob, even in the cyber world criminals resort to stealing and robbing. In this case, they can steal a person’s bank details and siphon off money; misuse the credit card to make numerous purchases online; run a scam to get naïve people to part with their hard earned money; use malicious software to gain access to an organization’s website or disrupt the systems of the organization. The malicious software can also damage software and hardware, just like vandals damage property in the offline world.

Government: Although not as common as the other two categories, crimes against a government are referred to as cyber terrorism. If successful, this category can wreak havoc and cause panic amongst the civilian population. In this category, criminals hack government websites, military websites or circulate propaganda. The perpetrators can be terrorist outfits or unfriendly governments of other nations.

How to Tackle Cyber Crime

It has been seen that most cyber criminals have a loose network wherein they collaborate and cooperate with one another. Unlike the real world, these criminals do not fight one another for supremacy or control. Instead they work together to improve their skills and even help out each other with new opportunities. Hence, the usual methods of fighting crime cannot be used against cyber criminals. While law enforcement agencies are trying to keep pace with cyber criminals, it is proving to be a Herculean task. This is primarily because the methods used by cyber criminals and technology keeps changing too quickly for law enforcement agencies to be effective. That is why commercial institutions and government organizations need to look at other methods of safeguarding themselves.

Redback Cyber Security Council offers a way to keep all information confidential by using safe and secure domains that cannot be tracked or accessed. This security solution can be used by commercial and governmental organization to ensure an impenetrable network while still making sure that users can get access to the required information easily.