OWASP (Open Web Application Security Project) has come up with a top 10 list of risks for mobile technology. This list is in the ‘beta’ stage. The list, released on 23rd September 2011, has been under a 60-day review period and is due for a final version release any time. When released, this will be the first official version of the OWASP Top 10 for mobile applications. The current list of OWASP Top 10 Mobile Risks (release candidate) is reproduced below:
Tech Terminology Demystified – WIPS
WIPS stands for ‘Wireless Intrusion Prevention System’. A WIPS helps in identifying unauthorized (‘rogue’) access points in an organization and taking appropriate countermeasures against the rogue devices.
How to secure a virtualized environment?
We had already gone through how virtualization works and the benefits it provides in an earlier blog, ‘Server Virtualization Simplified’, in June 2011. Now let us find out how to secure a virtualized environment.
Are QR codes safe to use?
Typosquatting-Use of Doppelganger Domains to steal data
We often mistype domain names when we are searching the web or trying to access a website. For example, instead of gmail.com we may type gamil.com, or icicibank may be typed as icici bank. Researchers have now shown that by registering ‘doppelganger’ (from the German, meaning a duplicate or double) domains it is possible to steal information. An extract of the article has been included here.
Some “Dumb” Hacks
Hackers are known to be very clever and smart — which they need to be to remain one step ahead of IT security professionals and law enforcement. However, here are some interesting “dumb moves” by hackers that helped the officials track them down. Extracted from an article by Alan Wlasuk, and from a recent “PC World” article.
How secure are we using embedded systems?
Virus hits computer systems on airplanes. The US Air Force has reported that a computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions.
The more they happen, the more they remain the same.
UBS reported a rogue trader attack and disclosed losses of over USD 2.3 billion.
Links to the story can be found at:
https://www.ft.com/intl/cms/s/0/d5547ba0-e05b-11e0-ba12-00144feabdc0.html#axzz1ZhGoMU1H
https://www.ubs.com/1/e/media_overview/media_global/releases.html?newsId=195150
As is customary nowadays, the incident is reported as the effect of a rogue trade. Banks, in a momentary lapse of concentration, fail to dwell on how a back office trader can run up losses of over USD 2 billion, which in effect means unauthorised trades of many more billions.
Coming closely on the heels of the Socgen rogue trade, there is not much information yet on the modus operandi of the UBS scandal, but initial reports suggest a very similar methodology between Socgen and UBS, such as dealing in complex financial instruments, exceeding authorisations and so on.
The initial disclosure by UBS indicates that the “positions had been offset in our systems with fictitious, forward-settling, cash ETF positions, allegedly executed by the trader”, which means that there was an individual who had complete access to the back office as well as the dealing room, or can only be attributed to a complete . This would mean that the fundamentals of investment banking, which require that the back office be kept distinct from the front office and mid office, were bypassed. It is early days yet and only a full investigation will reveal the whole truth.
Till then, do we blame the rogue trader or the Frankenstein that created the rogue trader?
Death worm phones home over DNS
A worm has been found attempting to hijack computers via the Remote Desktop Protocol (RDP), which is commonly used for technical support.
Tech Terminology Demystified – Private Cloud Computing
A private cloud is infrastructure operated solely for a single organization, whether managed internally or by a third party, and hosted internally or externally.