Category: Cybercrime

Interview with the spammer

Interesting read here:

“Scam-Detective: How much money did you earn from scamming people?


Cybercrime: Are you prepared for it?

Like everything else, technology has its ugly side, which can no longer be ignored. With every patch released for a particular weakness followed almost immediately by the next exploit, you can never be sure that your systems, your processes, your business and ultimately the economy are in safe hands. How good it would be if we could rely on technology alone to secure us completely. Unfortunately, that’s not the case.
With internal employee fraud on the rise, gone are the days when a firewall, an IDS or other security devices alone could protect our networks and systems. As per the 2010 Cyber Security Watch Survey, insiders were rated as the second largest threat after hackers, and also the worst, since they are mostly silent and hence difficult to detect. Even a long list of policies, procedures and safe practices falls short because of one small mistake, intentional or unintentional, by an employee. Spending more money every time does not solve the problem. You may invest millions in building thousands of security controls, but a minor, inexpensive measure, if not taken, may cost you a fortune. As per the survey report, the most often neglected simple measures are listed below:
1. Patch Management: As business requirements grow, so does the number of software packages and applications that fulfil them, with one constant governing their complexity: the number of available patches. Each software vendor releases a large number of patches continuously. The grave problem in many organizations is that the need for a patch is not realized until the business is impacted. The strategy adopted is often reactive rather than proactive. The requirement for a particular patch is at times realized six months after the patch has been released.
The other problem is unmanaged changes. Patches that are not validated, approved and tested in a disciplined manner may cause other business functions or controls to break or malfunction. The challenges faced in patch management are compounded by factors such as the volume and complexity of patches, speed of implementation, impact on business, the events driving the need, and environment changes.
Hence, an ongoing proactive process should be followed to identify the available patches, determine the organization’s need, and validate, test, implement and continuously monitor the patches for compliance.

2. Log Analysis: Improper log analysis is a cause of many unauthorized and suspicious activities going undetected. Logs are often analyzed just to comply with regulatory and legal requirements. While focusing on compliance, an abnormal event is ignored at times. Organizations should set up rules to perform continuous analysis of daily logs to detect, alert on and act upon any suspicious activity found. While doing this, the business-critical assets, and the activities performed on or by them that need to be monitored, should be identified first. Also, a baseline for security configuration settings should be developed for each device or type of device within an organization, and any violation of these settings should raise an alert. All network, system and critical server logs should be closely monitored to understand the implementation and health of security controls within the organization and their compliance with organizational policies and procedures.
3. Privilege Restrictions: Unmanaged user roles and privileges are like the open doors of a treasury: they can be escalated to gain control of critical systems within an organization. User roles and the privileges assigned to them, if not managed and reviewed periodically, may lead to privilege escalation attacks. Internet-facing services are more risky and hence need foolproof protection against privilege escalation. There may be a few services, like SSH, used in the organization which require complete security throughout their life cycle. All such critical services and business-critical applications should be identified. A list of the different users that require access to these services or applications should be prepared, and privileges should be judiciously assigned based on their roles, following the “Principle of Least Privilege”. Such lists need to be approved, authorized and regularly reviewed.
4. Password Expiration: In spite of the thousands of things said, written and published about password security, the lack of awareness still persists. The password policies of different organizations have many aspects in common, like the number of characters, password history, type of characters etc. But the expiration period often varies between organizations: 30 days, 45 days, 60 days or 90 days. It is always recommended that password expiration be set depending on the value of the data to be protected. Some even suggest never expiring passwords, rather than having users weaken them by adopting unsafe practices to choose new passwords and to remember them. Too short a password expiration period may cause user inconvenience, leading to an increase in the number of helpdesk calls for password resets. On the other hand, too long a period has its own disadvantage: the password may be compromised due to user negligence or other reasons.
There is no standard definition for password aging periods. The organization should set the expiration periods by striking a balance between data protection, password safety and user convenience.
5. Termination of Former Employees: Of late, cases of access controls broken by terminated employees are constantly on the rise. We often hear of disgruntled employees taking revenge by deleting all of a company’s data, hacking their own company’s systems or leaking the company’s confidential information. Despite many security controls being in place, improper removal of the access rights of employees who have been transferred, terminated or have resigned may lead to huge losses to the business. The amount and severity of the loss depends on the position, roles and responsibilities of the employee and the privileges assigned to him/her. Organizations should follow a well-defined termination procedure, with a separate checklist for the IT department for removal of access rights from different systems. Such removal should not be delayed for any reason and should be the top priority on the termination of an employee.
The list of access rights on all systems and applications should be prepared, updated and constantly reviewed.


Secure websites are not so secure

Recently, researchers were able to find a loophole in the SSL certificate implementation which could make any secure website (relying on MD5 hashing of CA certificates) vulnerable to a nearly undetectable phishing attack.

To brief the attack:


Online Jobs – Identifying Scammers

Work at Home, Data Entry Jobs, Make money from home, Typing work from Home, Online Part time jobs, and I must also include another commonly used Google string, “Data Entry Jobs”.

Of course, everyone likes to earn money online by investing little money, electricity, internet and precious time. However, the success ratio is very low. It’s all because of scammers. Many people are afraid of internet jobs due to the increase in scammers these days. So what can we do to identify the scammers and get rid of these fears? That is what we will be discussing here. I found a few websites which act as databases gathering reviews (positive as well as negative) of online job providers. Simply by entering their web address in the search bar of the webpage, we can get users’ feedback and reviews about them.


Woman arrested for killing virtual reality husband

I came across this interesting news on CNN, where a woman in Japan was arrested for killing her virtual husband. She had happily married a man from Japan virtually on the popular interactive game “Maple Story”, and suddenly the man decided to divorce her. This made her mad, and she decided to take revenge on him in real life by logging in as her virtual husband and committing virtual suicide. Man.. that hurtsss.


Anti-Forensic Techniques Used By Jihadist Web Sites

Hello Everybody!

Hope you all are doing well and are in the best of health.

I guess many of you might be excited after reading the subject of this post. Yes! Today I’m going to discuss the various anti-forensic methods used by Jihadis to conceal their presence on the Internet.

The Internet, as we all know, is a very vast field of information sharing and communication. There are various ways by which one can be in contact with another person across the globe, and this happens almost instantly. This saves time, money and effort that would otherwise be very high! These are all advantages of the Internet.


US – the no.1 cyber attacker

According to a study conducted by Secure World, the US ranks first as a cyber attacker. The maximum number of attacks is seen to come from the US. However, China, which we would have thought to be no. 1, dropped down to second position. These statistics were collected by Secure World from the number of attacks that took place on all of their clients. They even claim that the US is behind the massive internet attacks on Georgia.

Well, is the US really the culprit, or is the US hosting the maximum number of proxy servers?

Alleged hacker pleads guilty in TJX case

As part of a plea-bargaining arrangement, Christopher Scott, 25, of Miami, has admitted to computer hacking, access device fraud and identity theft, according to the Associated Press. He could face a sentence of up to 22 years in jail and a fine of up to $1m (£538,000).

The plea comes almost two weeks after Damon Patrick Toey pleaded guilty to his role. The 11 defendants were formally charged last month. Three are from the US, one from Estonia, three from the Ukraine, two from China, and one from Belarus. Another man involved used an alias and his whereabouts are unknown.
