
Mobile Security: A Growing Concern in COVID Times

“One single vulnerability is all an attacker needs”
-Window Snyder

Mobile phones have become an efficient mode of communication and make life easier. New models and more advanced technology are introduced to meet people's needs. With the ability to stay connected with people, pay bills online, store data, take pictures and many other irresistible features, the mobile phone has become an inevitable part of human life.

As the different applications and features in a mobile phone make our lives easier, they also raise the risk of exposing our sensitive and confidential data to attackers.

How do hackers cheat people to get their devices hacked?

Hackers are highly active and keep finding new ways to deceive people, through fake emails, fake web pages and so on. With people in a state of fear because of Covid-19, attackers are taking advantage of the situation. They use Covid-19 themes to create urgency, and people who are unaware respond to the lure and become victims of phishing and hacking. Scammers pretending to offer support and help, for example free meal coupons and similar offers, often trick people into believing the offer is real. People unknowingly fall prey by clicking the malicious link and giving access to the personal information stored on their phones. Other attackers persuade citizens to download malware by impersonating health organizations conveying important health information and tips.

Mobile malware, phishing and hacking are becoming common threats in the mobile world. Protecting mobile phone data, both personal and enterprise, has become crucial.

How to protect your data in your mobile phones?

Building self-awareness of security threats, training employees on security measures and taking adequate precautions are some good ways to protect mobile phone data.

Popular brands have their own expert teams to protect their products and their users from attack. For example, Google’s Threat Analysis Group (TAG) is a group of experts that provide a solution to protect their products and their users from phishing and scams. They work continuously to identify new threats and scams in the market.

Various organizations provide several mobile security services such as Mobile Device Management (MDM), Mobile App Access (MAA), Data Leakage Protection (DLP), Identity Right Management (IRM).

Here are a few recommended security practices everyone should follow at personal and at enterprise level:

  • Implement robust authentication measures
  • Ensure routine updates and data backup
  • Block suspicious applications
  • Continuous monitoring of connected devices
  • Perform regular health checks

Let’s consider each of these security practices in detail.

1. How to implement robust authentication measures in mobile phones?

At personal level,

Setting a screen lock (there are a number of ways to lock a smartphone, depending on the model), removing unwanted apps, blocking ads and tracking malware, and keeping notifications off the lock screen are some of the simple and common ways to secure a mobile phone.

More advanced mechanisms include a pattern lock, a PIN, and biometric authentication with fingerprint or face recognition. To make authentication even stronger, these methods can be combined with multi-factor authentication.

The different levels of authentication that can be applied on mobile devices are listed below:

Username and password authentication

Username and password authentication is sufficient where the apps are not very sensitive. This is a common form of authentication among social media apps.

Dual factor authentication

This method adds an additional layer of security, making it harder for an intruder to gain access to the mobile phone and its data. Here, a PIN is used together with a security token to authenticate users accessing the device.

Three factor authentication

Adding a biometric factor to dual-factor authentication makes device access more secure. Personal attributes of the user, such as voice or fingerprint, are also used to authenticate the user in this method.

Geographical location tracking and device information

Geographical location tracking and device information can help prevent fraud by limiting access to devices.

Behavioural analysis

Larger enterprises also make use of behavioural analysis technology. It helps track unusual user activity. If different behaviour is noticed at the user end, the user is subjected to re-authentication. This behaviour is also recorded in the audit analysis database for further monitoring and analysis.

The authentication mechanism an enterprise adopts depends on its needs and its ability to adopt security mechanisms. Some enterprises use OTPs to authenticate their users, which works well for their needs. Many banking applications use OTPs as a means of ensuring security.

Other enterprises adopt PKI authentication, which uses a private, non-transferable key stored on a hardware token. Such mechanisms are also recognized by government regulations.

2. Ensure routine updates and data backup

Ensure updates are installed on mobile phones. Software updates for mobile devices include patches for the security holes behind various security threats, so install updates as soon as they are available. Running an outdated or pirated version of the OS makes a device more prone to mobile malware and malicious attacks.

Data backup is an essential security procedure that must happen at personal and at enterprise level. User data can be set to back up automatically, with how much and how often pre-defined.

At enterprise level, based on how much data must be backed up and the budget available, an appropriate medium can be chosen, such as an external hard disk or a NAS box with cloud backup. Optical media like CD, DVD and Blu-ray can be considered as cheaper alternatives; however, their lifetime and capacity are limited.

3. Block suspicious applications

It is worth checking periodically which applications have been given access to your device. Malicious apps may contain code that extracts personal details and other critical data. Before downloading, always check the app's permissions, the number of downloads, its ratings and its reviews. Do not download from third-party stores.

There is also good antivirus software available. Some are free, and some are paid but might provide better support. Based on your preferences, you may select a good one that meets your requirement.

4. Continuous monitoring of connected devices

Logging activities at various levels can help make access to mobile phones secure. Logging text messages, social media activities and other web activity, and blocking applications, to track any unusual activity can bring better security.

Protection can be made stronger at enterprise level by using security services from various providers. For example, with AWS Security Hub you can receive security threat alerts from services like GuardDuty for continuous threat detection.

5. Perform regular health checks

With emerging technologies and evolving security risks, the security aspects have become a huge challenge. Strong security solutions must be in place to identify vulnerabilities and an organization’s risk against real-world threats.

The more we are technology-dependent, the more we are prone to malware and cyber-attacks. It is mandatory that every individual is self-aware about phone security threats and preventive steps to protect their mobile phone data. Every employee at the enterprise level must be trained for security awareness.

Even if all the necessary steps to prevent the threat are in place, the security threat cannot be eliminated, however, it can be mitigated. There could still be attacks and losses, however, those losses could be controlled in a reasonable manner if we are well prepared. Security breaches, the violation to compliance law, data leakage etc. can cause severe damage to an organization’s reputation and trust among their users and business partners. So, it is very critical to adopt enough security measures to protect the data in smartphones and mobile applications.

Implementing effective security measures, making data protection practices mandatory, defining protocols for lost or stolen devices and spending money on security awareness among employees are worthwhile investments that benefit the organization in the long run.

“The only real security that a man can have in this world is a reserve of knowledge, experience and ability”
Henry Ford

Making Secure Financial Transactions on Mobile: Always Do This!

Over the last few years our mobile usage has grown enormously, and this brings a huge risk of data theft. With the Government itself promoting digitalisation, securing financial transactions on mobile devices has become a very interesting topic of discussion.

Security for mobile devices has been advancing in an enormous way. But, compared to computers within your home network, mobile devices can be less secure. Here are a few tips you can follow to make your mobile devices more secure and use them to perform transactions that are protected.

How to make financial transactions on mobile secure?

1. Do not download apps from untrustworthy sources

Do not download third-party applications from anywhere outside the app store; download apps only from the official app store for your device. Checking and verifying the following things before you download an app will also help secure the financial transactions you are going to perform later.

Read Reviews and check the ratings

Imagine yourself as a customer buying a product from a shop. You would usually check the reviews and ratings of the shop and the product before making a purchase decision. In the same way, make a habit of reading the reviews and checking the ratings of an app before downloading it. Some apps are fake and do not reveal much information on the app store. Going through the reviews and ratings helps you decide whether the app is useful to you and secure.

Number of Downloads

An app with a high number of downloads is more likely to be genuine and secure. An app with 1 million downloads makes it evident that there is a positive buzz created around the app due to its usefulness and security. A security breach will be less likely in case of such apps since it will affect the wide customer base they have.

Also, thanks to its huge customer base, the developer will usually have the budget and resources to maintain the security of the app even as the threats surrounding mobile apps evolve. So, using only the most popular apps is an easy way to secure financial transactions, or any type of transaction, on mobile devices.

Find the vendor or developer

The app store shows the contact details of the app's vendor or developer. Find and read their security and privacy policies. Check whether your information is used for any other purpose and, if they share user data with third parties, for what purposes.

Granting Permissions

Do you have a habit of granting all the permissions asked while getting the app installed on your device?

For convenience, users have the habit of granting all the permissions an app asks for while installing it, without checking what they are and whether they are really needed!

While granting all the permissions lets users explore the app's features, granting unwanted permissions may put you in trouble. Asking for permission to access the camera or social media accounts may be appropriate for a video editing app, and messaging apps like WhatsApp ask for permission to access your messages and contacts. But a mobile app that is in no way designed to make calls or send messages or emails asking for access to your contact list may be inappropriate, especially if the app was downloaded from an untrustworthy source.

So, make sure that only the appropriate permissions are granted while installing the app.

2. Strong Password Protection

The first thing a user does in his new mobile is setting up a security password/pattern lock. The reason may be privacy more than security.

A strong password is a better way to protect your device. Nowadays most smartphones support at least one of facial recognition, iris scanning and fingerprint recognition to secure the device, keep unwanted people out and protect all the transactions performed on it. These features offer more security and protection for your device than a PIN or password can.

3. Keep your software updated

You must ensure that the software on your devices is up to date. Updating software regularly improves security, because updates often fix security vulnerabilities, so hackers cannot use them to their advantage.

4. Transactions only through secure mobile websites

In some cases, when you have no computer to access an online shopping portal and there is no app on the app store for it, you will be forced to use the mobile version of the website. In such cases, using only a secure HTTPS connection to access the website is the first step to securing your transactions: data passed between your device and the server is encrypted so that only these two parties can read it. Always check for the padlock icon before adding items to the shopping cart. The padlock symbol usually means that the connection is protected and the web page is secure. This also means that you should not perform financial transactions through websites that do not show the padlock symbol in the address bar (at the top of the screen on mobile devices).

5. Don’t pass sensitive information through public Wi-Fi

Any information sent over public Wi-Fi can be accessed by others who have access to the network. So use only your phone’s cellular network or your home’s password-protected internet connection for financial transactions.

6. Check bank statements and mobile charges

The majority of identity theft cases and cybercrimes involve financial fraud. So check your bank statements regularly and immediately report if there is any suspicious activity. Authentication through fingerprint can be enabled for banking apps on top of PIN or passwords authentication, allowing you to maintain more security for your financial transactions.

The Bottom Line

As technology advances, more techniques and methods are deployed to secure financial transactions. But frauds and thefts are also on the rise, as culprits leverage the same technological advances. It may not be possible to prevent all fraudulent transactions and data theft, but following these tips and investing in some form of protection will reduce the risk to some extent.

This article is written by Sarath M V, Manager – Finance and Administration at AlignMinds Technologies

Most Dangerous Mobile Security Threats of 2020

Smartphones are widely used across the world today, and hence security threats are also widespread. Our phones have become our most connected devices and, at the same time, the least secure. The threats we fail to notice will be even more hazardous in the near future. Let us look at some of the major security threats every mobile user must be aware of.

Cryptojacking

Cryptojacking is the secret use of your smartphone by an attacker to mine cryptocurrency.

Cryptojacking used to be confined to the victim unknowingly installing a program that secretly mines cryptocurrency.

With in-browser cryptojacking, no separate program is needed:

  • The threat actor compromises a website.
  • The crypto-mining script executes when a user visits the compromised website.
  • Users unknowingly start mining cryptocurrency on behalf of the threat actor.
  • When a new block is successfully added to the blockchain, the threat actor receives a reward in cryptocurrency coins.
Insecure communications

The networks you use to communicate are never fully foolproof, making your device vulnerable to malware attacks. Hackers tend to set up fake access points where people use Wi-Fi in public places such as coffee shops and airports. The access points are given generic names, which can fool even the most careful people.

It is always good to be cautious when connecting to public Wi-Fi. Use public Wi-Fi only if strictly required, and never use it to access personal information such as bank accounts.

Mobile ransomware

Mobile ransomware is ransomware that affects mobile devices.

A cybercriminal uses mobile malware to steal sensitive data from a smartphone or to lock the device, then demands payment to return the data to the user or to unlock the device. Sometimes people find seemingly innocent content or software on social networks, download it and are tricked into installing ransomware.

Once the malware is on a device, it asks the user to pay an amount, encrypting files and locking the phone. After the payment is processed online, often via Bitcoin, the ransomware sends a code to unlock the phone or data.

When installing any app, make sure it is downloaded from Google Play or the App Store rather than from a third-party app store.

Phishing attacks

Phishing is a social engineering attack often used to steal user data, including login credentials and credit card numbers.

It occurs when an attacker fools the victim into opening an email, instant message or text message by posing as a trusted entity.

Users can stay safe by not clicking unfamiliar email links. Enter URLs manually wherever possible.

SMS-based attacks

Phishing has evolved from the email world into the SMS world. You receive text messages with links you are asked to open to “authenticate” certain information. To a novice user, the links and the sender seem genuine. However, clicking these links can make your device vulnerable to attack and in turn give away your confidential information. This is a growing security threat for mobile devices.

Botnet attacks

The word botnet is a contraction of “robot” and “network”.

A botnet is a number of internet-connected devices, each running one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, send spam, steal data, and give the attacker access to the device and its connection.

A botnet attack first requires assembling a large number of infected devices, a botnet army. Once the attack starts, these bots send network or Internet requests to the target system in large quantities, anything from bulk email messages to simple ping messages. The attack can slow down the network or server, make it too busy for others to access, or temporarily freeze the server.

Distributed denial of service (DDoS) is the most common example of a botnet attack: a number of botnet devices send a large number of simultaneous requests or packets to the targeted system.

Installing effective antivirus or anti-malware software can protect your device from such attacks.

User & device authentication

Most mail apps offer user and device authentication, which lets users store passwords and data on the device. If the device is stolen, both your credentials and your data are at risk. This is one of the major threats to mobile devices, as they contain our valuable personal information.

The smartphone blurs the boundary between professional and personal life, and users are up to three times more likely to be the victims of mobile threats. Safe browsing, identifying suspicious files and phishing emails, ensuring safe data access on public Wi-Fi networks and safe downloads are some of the important things a user must be careful about. Beyond these measures, several mobile security products are available from Google Play and the App Store to help keep your mobile devices safe.

Understanding these common security threats and implementing the recommended solutions can help you protect the data on your smartphone.

Solutions: Most Dangerous Mobile Security Threats of 2020

Prevention of mobile security threats helps organizations and individuals to protect their devices, apps, users and content from malicious attacks. Security teams can prevent these threats by using an app that scans devices and configurations within the network, or by setting up security protocols in case malware is present on the network.

1. Cryptojacking attacks

Follow these steps to minimize the risk of your organization falling into the trap:

Install an ad-blocking or anti-crypto mining extension on web browsers.

Since cryptojacking scripts are often delivered through web ads, installing an ad blocker can be an effective way of stopping them. Ad blockers like Adblock Plus can detect crypto-mining scripts. Experts recommend extensions like No Coin and MinerBlock, which are designed specifically to detect and block crypto-mining scripts.

Keep your web filtering tools up to date.

If you identify a web page delivering cryptojacking scripts, make sure your users are blocked from accessing it again.

Maintain browser extensions.

Browser extensions are meant to make our tasks simpler, but some of them could be a trap set by an attacker to execute crypto-mining scripts.

Use a mobile device management (MDM) solution to better control users’ devices.

Combine bring-your-own-device (BYOD) policies with MDM to prevent illicit crypto mining. An MDM solution can help manage the apps and extensions on users’ devices. MDM solutions tend to be geared toward larger enterprises, and smaller companies often cannot afford them. However, experts note that mobile devices are not as much at risk as desktop computers and servers: because they have less processing power, they do not produce much profit for attackers.

2. Insecure communications

Here is a list of best practices for Android phones that may bring down the risks related to insecure communication.

Assume that the network layer is capable of eavesdropping and is therefore insecure.

  • Apply SSL/TLS to the transport channels the mobile app uses to transmit sensitive information, session tokens or other sensitive data to a backend API or web service.
  • When an application runs a routine via the browser/WebKit, account for outside entities such as third-party analytics companies and social networks by using their SSL/TLS endpoints. Mixed SSL sessions should be avoided, as they could expose the user’s session ID.
  • Always use strong, standard cipher suites with suitable key lengths.
  • Use certificates signed by a trusted CA provider.
  • Consider certificate pinning for security-conscious applications, and never allow self-signed certificates.
  • Always require SSL/TLS certificate chain verification.
  • Only establish a secure connection after verifying the identity of the endpoint server using trusted certificates from the keychain.
  • Build a UI that alerts users when the mobile app detects an invalid certificate.
  • Avoid sending sensitive data over alternate channels (e.g., SMS, MMS or notifications).
  • Apply a separate layer of encryption to sensitive data before it is handed to the SSL/TLS channel. If a vulnerability is found in the SSL/TLS implementation, the encrypted data provides a secondary defence against loss of confidentiality.

3. Mobile ransomware

  • Only install applications from authorized stores like Google Play or the App Store. To be sure that no application makes its way onto your device from an untrusted source, go to Android settings, choose Security, and make sure that the “Unknown Sources” box is not checked.
  • Regularly check for updates to your installed applications and your device OS. You can choose to update all installed apps automatically. It is best to update the system to the latest version as soon as an over-the-air (OTA) update arrives.
  • Install a strong security solution. Downloading apps only from the official stores and updating them regularly will not by itself guarantee maximum security. Malware can lurk even in Google Play, and can also spread by means of exploit kits using yet-unknown vulnerabilities.

4. Phishing attacks

  • Think Before You Click!
  • Keep Your Browser Up to Date
  • Keep Informed About Phishing Techniques
  • Check Your Online Accounts Regularly
  • Use Firewalls

5. SMS–based attacks

  • Think before you click a link from SMS
  • Do not open spam messages
  • Keep informed about phishing techniques

6. Botnets attack

To avoid system compromise, use only licensed and genuine software. Keep your mobile updated with the latest security patches. Install an anti-malware solution and update it regularly. Disable Autoplay/Autorun for removable drives.

Always protect your device from Trojans and other threats by using effective anti-malware software.

7. User & device authentication

  • Think before allowing mailing apps and browsers to store your passwords and data

Remember there is no single fool-proof way to avoid mobile security threats.

– Habeeb Rahman


Top 10 Vulnerabilities in Web Applications and How to Tackle Them

Before we begin with the vulnerabilities in web applications, it is good to know there are several open communities like OWASP that are always looking out for vulnerabilities and are dedicated to resolving these vulnerabilities. Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain web applications and APIs that can be trusted.

Now let us check the top 10 vulnerabilities in web applications and how to tackle these vulnerabilities.

1. Cross-Site Scripting (XSS)

XSS is a very common application-layer web attack. It targets scripts embedded in web pages that are executed on the client side (i.e., in the user’s web browser), and affects client-side content such as HTML and JavaScript. It works by making the client side behave as the attacker desires; such an attack may, for example, inject a script that runs every time the page reloads or on other events.

XSS is mainly used for tampering and stealing user sensitive data. XSS usually targets the user and not the application.

We can prevent XSS by separating untrusted data from active browser content. We can also use frameworks like React or Ruby on Rails that escape output by design.
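Separating untrusted data from active content means escaping it for the context it lands in. The Python example below is added here to illustrate that rule and is not code from the article: the same comment renderer is shown unescaped and escaped, and a link helper shows the one case where escaping alone is not enough, an `href` attribute, where the URL scheme must also be restricted. The function names and the sample inputs are constructed for the illustration.

```python
import html
from urllib.parse import urlparse


def render_comment_unsafe(author: str, text: str) -> str:
    """Vulnerable: untrusted strings are concatenated straight into markup."""
    return f'<p class="comment"><b>{author}</b>: {text}</p>'


def render_comment_safe(author: str, text: str) -> str:
    """Hardened for the HTML body context: html.escape(quote=True) turns < > & " ' into
    entities, so whatever the user typed is rendered as text and never parsed as markup."""
    return (f'<p class="comment"><b>{html.escape(author, quote=True)}</b>: '
            f'{html.escape(text, quote=True)}</p>')


def safe_href(url: str) -> str:
    """Attribute context needs escaping plus a scheme allow-list: a javascript: URL survives
    html.escape unchanged and still executes when the link is clicked."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_profile_link(display_name: str, url: str) -> str:
    return f'<a href="{safe_href(url)}">{html.escape(display_name, quote=True)}</a>'


if __name__ == "__main__":
    # Constructed hostile comment text, as an attacker would submit through a web form.
    hostile = '<script>alert("xss")</script>'
    print(render_comment_unsafe("eve", hostile))
    print(render_comment_safe("eve", hostile))
    print(render_profile_link("eve", "javascript:alert(1)"))
```

Template engines such as Jinja2 with autoescaping on do the body-context step for you; the attribute and URL steps still need to be thought about per context.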

2. SQL Injection

SQL injection is an application security weakness that allows attackers to alter data in the database or to read confidential data such as passwords. The vulnerability occurs when untrusted data from web forms is sent to the database as part of a SQL query.

Web applications use SQL query to communicate with the database. SQL injections occur when the application fails to validate the data in a SQL query (from web forms) and hence, an attacker can trick the database to execute unexpected commands.

Using LIMIT and other SQL controls within queries is one way of tackling injections.
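The two paragraphs above describe the flaw (untrusted form data becoming part of the SQL text) and one control (LIMIT). The Python example below is added to show both side by side on an in-memory SQLite table; it is not code from the article. The table, its rows and the hostile input are constructed for the demonstration.

```python
import sqlite3
from typing import List


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Vulnerable: the form value is spliced into the SQL text, so a quote in it rewrites
    the WHERE clause and the database executes whatever the attacker appended."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Hardened: the value travels as a bound parameter and can never change the statement's
    structure; LIMIT 1 additionally caps what one lookup can return if another flaw is found."""
    sql = "SELECT username FROM users WHERE username = ? LIMIT 1"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = build_demo_db()
    # Constructed hostile form input: a quote followed by an always-true condition.
    hostile = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, hostile))   # every user comes back
    print("safe:      ", lookup_safe(db, hostile))         # no user has that literal name
```

The same parameter-binding API exists in every mainstream driver (`%s` placeholders in psycopg2, `?` in JDBC); ORMs use it underneath, which is why the article's later advice to migrate to an ORM also helps here.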

3. LDAP Injection

This is similar to SQL injection. Here too, the attacker places code in user input fields to gain unrestricted access. It may lead to information theft, browser or session hijacking, defacement of the website or other problems.

LDAP (Lightweight Directory Access Protocol) injection works by inserting harmful code into client-provided data in LDAP statements. If a web application does not properly validate its input fields, attackers can construct LDAP statements that execute with the application user’s permissions. Such queries can modify or delete anything in the LDAP tree and cause disastrous results.

To handle these injections, use a safe API that avoids the interpreter entirely and provides a parameterized interface, or migrate to Object Relational Mapping tools (ORMs).
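Most LDAP client libraries have no bound-parameter interface for search filters, so the practical equivalent of parameterization is escaping every user-supplied value with the rules of RFC 4515 before it is placed in a filter. The Python example below is added here to show that escaping and the difference it makes; it is not code from the article. The filter shape and the sample username are constructed.

```python
def escape_ldap_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515, section 3):
    the metacharacters * ( ) \\ and NUL become \\XX hexadecimal escapes, so the value can
    only ever match literally and can never close or open a filter component."""
    escaped = []
    for ch in value:
        if ch in "*()\\\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def login_filter_unsafe(username: str) -> str:
    """Vulnerable: a wildcard or parenthesis in the username rewrites the filter."""
    return f"(&(objectClass=person)(uid={username}))"


def login_filter_safe(username: str) -> str:
    """Hardened: the username can only be matched as a literal string."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


if __name__ == "__main__":
    # Constructed hostile input: a lone wildcard, which an unescaped filter turns into "any uid".
    hostile = "*"
    print(login_filter_unsafe(hostile))
    print(login_filter_safe(hostile))
```

Distinguished names use a different escaping scheme (RFC 4514), so a value going into a DN rather than a filter needs a separate function.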

4. Cross-Site Request Forgery (CSRF)

In a CSRF attack, a malicious website causes the user’s browser to send a request to an application in which the user is already authenticated. An attacker can use this to access the data and functionality of the web application, because the browser automatically attaches the user’s credentials. Attackers may use XSS to defeat any CSRF defence the application employs, so avoiding XSS will prevent these attacks to some extent.
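The standard defence for the scenario just described is a per-session anti-CSRF token that the browser can only obtain from a page the application itself served. The Python example below is added to show that mechanism end to end, and why the article's point about XSS matters: a script running in the page's origin could read the token. It is not code from the article; the session store, form and handler are constructed stand-ins.

```python
import hmac
import secrets
from typing import Dict


class SessionStore:
    """Constructed in-memory stand-in for the application's server-side session store."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def new_session(self) -> str:
        session_id = secrets.token_urlsafe(32)
        # One unguessable token per session, generated server-side and never derived from
        # anything a third-party site could know.
        self._sessions[session_id] = {"csrf": secrets.token_urlsafe(32)}
        return session_id

    def csrf_token(self, session_id: str) -> str:
        return self._sessions[session_id]["csrf"]


def render_transfer_form(store: SessionStore, session_id: str) -> str:
    """The token is embedded in a page served by the application; the same-origin policy
    prevents a page on another site from reading it out of the response."""
    token = store.csrf_token(session_id)
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<input name="amount"><button>Send</button></form>')


def handle_transfer(store: SessionStore, session_id: str, form: Dict[str, str]) -> int:
    """A forged cross-site POST arrives with the session cookie but without the token
    (or with a guessed one), so it is refused before any state changes."""
    expected = store.csrf_token(session_id)
    submitted = form.get("csrf", "")
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return 403
    return 200


if __name__ == "__main__":
    store = SessionStore()
    sid = store.new_session()
    print(render_transfer_form(store, sid))
    print("genuine submit:", handle_transfer(store, sid, {"csrf": store.csrf_token(sid), "amount": "10"}))
    print("forged submit: ", handle_transfer(store, sid, {"amount": "10"}))
```

Setting the session cookie with `SameSite=Lax` or `Strict` is a complementary control; the token remains the portable one.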

5. Insecure cryptographic storage

This occurs when sensitive data is not stored securely. Make sure all sensitive data is encrypted when stored, and adopt secure key management.

Use a good encryption algorithm.

Do not use cryptography of your own, since you can never be sure whether it is secure. Do not ship or deploy with any default credentials, particularly for admin users.

6. Broken Authentication

Broken authentication happens when application functions related to authentication and session management are implemented incorrectly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

Implement multi-factor authentication for web applications to prevent automated attacks such as credential stuffing, brute force and stolen-credential re-use.

7. Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data such as financial, healthcare, and PII (Personally Identifiable Information). Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection such as encryption at rest or in transit and requires special precautions when exchanged between browser and server.

We can prevent such situations by classifying the data stored, processed and transmitted by an application and applying controls according to that classification.

Don’t store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Remember, data that is not retained cannot be stolen.

8. XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

Points to keep in mind are, whenever possible, use less complex data formats such as JSON and avoid serialization of sensitive data.

Also, patch or upgrade all XML processors and libraries in use by web applications or on the underlying operating system. Use dependency checkers. Update SOAP to SOAP 1.2 or higher.
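Beyond patching the XML processor, an application can refuse the constructs that make XXE possible in the first place: entity declarations. The Python example below is added here to show a small guard built on the standard-library expat parser; it is not code from the article. The file path in the sample document is a placeholder, not a real target.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when a document declares entities; ordinary data documents never need them."""


def _reject_entity(name, is_parameter_entity, value, base, system_id, public_id, notation_name):
    # expat calls this for every <!ENTITY ...> in the DTD, before any reference is expanded.
    kind = "external" if (system_id or public_id) else "internal"
    raise UnsafeXMLError(f"{kind} entity declaration '{name}' rejected")


def parse_xml_safely(text: str) -> ET.Element:
    """Pre-scan with a bare expat parser that aborts on any entity declaration (external
    entities are the XXE vector; internal ones enable expansion bombs), then hand the
    vetted text to ElementTree as usual."""
    scanner = xml.parsers.expat.ParserCreate()
    scanner.EntityDeclHandler = _reject_entity
    scanner.Parse(text, True)          # raises UnsafeXMLError before any expansion happens
    return ET.fromstring(text)


def is_rejected(text: str) -> bool:
    """Helper for checks: True if the guard refuses the document."""
    try:
        parse_xml_safely(text)
    except UnsafeXMLError:
        return True
    return False


if __name__ == "__main__":
    benign = "<order><item>book</item></order>"
    # Constructed hostile document; the path is a placeholder, not a real file.
    hostile = ('<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///EXAMPLE_PATH/secret.txt">]>'
               '<r>&ext;</r>')
    print("benign item:", parse_xml_safely(benign).find("item").text)
    print("hostile rejected:", is_rejected(hostile))
```

The `defusedxml` package applies the same idea (plus limits on DOCTYPE and expansion) as drop-in replacements for the stdlib parsers and is the better choice when a dependency is acceptable.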

9. Broken Access Control

Restrictions on the privileges of authenticated users are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.

The solution is to implement access control mechanisms once, server-side, and reuse them throughout the application: deny by default, and make record ownership part of the rule so that a user cannot read or modify someone else’s record simply by changing an identifier in the URL. Also, minimize the use of CORS, and never reflect arbitrary origins.
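The pattern “implement once, reuse everywhere” looks like this in Python, as an added example that is not part of the original article. The `User`, `Invoice` records and the `POLICY` table are constructed for the illustration; every handler is wrapped by the same `authorize` decorator, so an ownership check cannot be forgotten on one route, and the insecure direct object reference (asking for invoice 2 while owning invoice 1) is denied at the single decision point.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict


class Forbidden(Exception):
    """Raised for every denied request; the handler body never runs."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


@dataclass
class Invoice:
    id: int
    owner_id: int
    amount: int


# Constructed sample records standing in for a database table.
INVOICES: Dict[int, Invoice] = {
    1: Invoice(id=1, owner_id=100, amount=50),
    2: Invoice(id=2, owner_id=200, amount=75),
}

# One policy table for the whole application: action -> predicate(user, record).
# Anything not listed here is denied, and ownership is part of the rule, so
# changing an id in the URL does not bypass the check.
POLICY: Dict[str, Callable[[User, Invoice], bool]] = {
    "invoice:read": lambda u, inv: u.role == "admin" or inv.owner_id == u.id,
    "invoice:update": lambda u, inv: u.role == "admin" or inv.owner_id == u.id,
    "invoice:delete": lambda u, inv: u.role == "admin",
}


def is_allowed(user: User, action: str, invoice_id: int) -> bool:
    """The single decision point; every handler goes through it."""
    inv = INVOICES.get(invoice_id)
    rule = POLICY.get(action)
    if inv is None or rule is None:
        return False
    return rule(user, inv)


def authorize(action: str):
    """Decorator that runs the policy before the handler, server-side, every time."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user: User, invoice_id: int):
            if not is_allowed(user, action, invoice_id):
                # Same response for "not yours" and "does not exist": do not leak which.
                raise Forbidden(f"{action} denied on invoice {invoice_id}")
            return handler(user, INVOICES[invoice_id])
        return wrapper
    return decorator


@authorize("invoice:read")
def get_invoice(user: User, invoice: Invoice) -> dict:
    return {"id": invoice.id, "amount": invoice.amount}


@authorize("invoice:delete")
def delete_invoice(user: User, invoice: Invoice) -> bool:
    INVOICES.pop(invoice.id)
    return True


if __name__ == "__main__":
    alice = User(id=100, role="user")
    print(get_invoice(alice, 1))          # her own invoice
    try:
        get_invoice(alice, 2)             # someone else's: denied
    except Forbidden as exc:
        print(exc)
```

Keeping the rules in one table also makes them reviewable and testable in isolation, which is how you find the missing “owner” clause before an attacker does.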

10. Security Misconfiguration

Security misconfiguration is the most commonly seen issue. It is usually the result of insecure default configurations, incomplete or ad hoc configuration, open cloud storage, misconfigured HTTP headers, and verbose error messages that leak sensitive information. All operating systems, frameworks, libraries, and applications must not only be securely configured but also patched and upgraded in a timely fashion.

We can avoid this with a repeatable hardening process applied to every environment: remove or change default accounts and credentials, disable unused features, services and ports, turn off verbose error output in production, and set security-related HTTP headers deliberately rather than leaving them at framework defaults.

The aim of this article is to give a good insight into common flaws that can lead to modern data breaches and could make web applications vulnerable to various attacks.

As the saying goes, “Prevention is better than cure”: proactive, defensive security steps must be adopted beforehand rather than only after a security breach.

Bharath Varma

Your Web Application’s Security: What You Must Not Ignore

Securing data remains a challenge as technology grows at an amazing pace. The more secure your website, the more confidently users will access it.

Whether it is an e-commerce website, a social media website or any other company website, every website online is prone to one form of security threat or another. It is very important to be aware of web application security threats and be prepared to handle them.

Organizations now use advanced technologies and heavy security testing to keep their websites safe and protect customer privacy. Security testing is not restricted to the testing team; the development team also plays an important role in meeting security requirements.

What’s the risk?

Attackers are growing in number and continuously scan for vulnerable websites. It is essential for an individual or an organization to protect their data by improving web application security. Although various tools and technologies are available to handle security threats, protecting your website requires continued effort.

A hacked website is a terrible thing that causes a lot of distress to both the owner and the customers. A website that has been abused reflects poorly on your business and brand.

Enough proactive measures must be taken to ensure all preventive steps are taken for better web application security in the long run.

Sources of web application security risks

Security threats to websites, web apps and mobile apps come in many forms today. While online threats are continuously evolving, the following are very popular among attackers:

Malware

Malware is software written to gain access to a computer or its data without the owner’s consent. It can be a virus, a worm or a Trojan.

Virus

A virus is a program that attaches itself to other files or programs and spreads when they are run; it is typically written to damage or delete files and content on your computer.

Worms

Worms replicate themselves, usually across a network, without needing to attach to another program. Even when a worm carries no destructive payload, its replication consumes memory and CPU, degrading computer performance, and floods the network with traffic.

Trojan

A Trojan horse is a destructive program (not a virus) that looks like a genuine application. Trojan horses do not replicate themselves, but once they enter your computer they can give unwanted users access to your confidential information.

Spoofing

A computer or user pretends to be another, usually one with higher privileges, to attack the system, damage data or deny access. Many of the TCP/IP protocols do not provide a mechanism to authenticate the source or destination of a message. When an application takes no extra precautions to verify the identity of the sending or receiving host, it is vulnerable to spoofing attacks. Firewalls can help prevent spoofing by dropping packets whose source address could not legitimately have arrived on that interface; at the application layer, authenticated protocols such as TLS close the gap.

Spamming

Electronic spamming is the repeated sending of unsolicited messages. There are many forms of spamming: mobile phone messaging spam, internet forum spam, junk fax transmissions, social spam, search engine spam, etc. E-mail spam is the most widely recognized.

Phishing

The attacker sends emails that look legitimate to the recipient, asking for confidential information. A recipient who falls for the trick provides login information or other important banking details, and the attacker thereby gains access to their accounts.

SQL Injection

SQL Injection is a code injection technique in which malicious SQL is inserted into an input field for execution. Even high-profile websites have been found vulnerable to injection flaws, SQL injection in particular. By employing injection, an attacker can make your code run unintended commands or return unauthorized data.

How to ensure web application security?

SQL Injection

Here, the attacker uses a web form field or URL parameter to manipulate data or read sensitive data. For example, consider the following login query, built by pasting the submitted user id and password straight into the SQL text:

SELECT * FROM Users WHERE user_id = 'my' AND password = 'test';

Now the attacker enters ' OR 1 = 1; /* in the user id field and */-- in the password field. The query on execution becomes:

SELECT * FROM Users WHERE user_id = '' OR 1 = 1; /*' AND password = '*/--';

The comment swallows the password check and OR 1 = 1 is true for every row, so the query returns all users in the Users table; a login routine that treats “any row returned” as success then signs the attacker in as the first user.

Several automated scanning and detection tools are available to find SQL injection, but the real fix is to never build SQL by concatenating user input: use parameterised queries (prepared statements) or a well-reviewed ORM for every query, and validate input on top. Complete coverage still requires manual code review and manual testing alongside the detection tools.
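The following Python snippet, added here and not taken from the original article, puts the vulnerable login beside its parameterised replacement and runs both against the same constructed in-memory SQLite table. The `INJECTION` string is the single-statement form of the payload above (a `--` line comment instead of `; /* ... */`), which is enough to bypass the password check; plaintext passwords are used only so the effect is visible, real code compares hashes.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory Users table; plaintext passwords only for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user_id TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("my", "test"), ("alice", "s3cret")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, user_id: str, password: str) -> list:
    # String concatenation: whatever the user types becomes part of the SQL grammar.
    query = (
        f"SELECT * FROM Users WHERE user_id = '{user_id}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, user_id: str, password: str) -> list:
    # Parameterised query: the values travel separately from the statement text,
    # so a quote in the input is just a character, never a delimiter.
    return conn.execute(
        "SELECT * FROM Users WHERE user_id = ? AND password = ?",
        (user_id, password),
    ).fetchall()


# Constructed attacker input: closes the string, makes the WHERE clause always
# true, and comments out the password check that follows.
INJECTION = "' OR 1 = 1 --"


if __name__ == "__main__":
    conn = build_demo_db()
    print("vulnerable, injected:", login_vulnerable(conn, INJECTION, "anything"))
    print("safe, injected:      ", login_safe(conn, INJECTION, "anything"))
```

With the vulnerable version the injected query returns every row; the parameterised version looks for a user literally named `' OR 1 = 1 --` and returns nothing. Every database driver offers the same placeholder mechanism; the syntax (`?`, `%s`, `:name`) differs, the principle does not.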

Cross Scripting

Cross-Site Scripting (XSS) is one of the most common application-layer attacks. The attacker injects JavaScript, HTML or other active content (historically also VBScript and ActiveX) into dynamic pages so that it runs in other users’ browsers.

XSS can compromise private information, manipulate or steal cookies and session tokens, execute malicious code to produce undesirable results, and make requests under another user’s identity. It is among the most prevalent forms of web attack.

One common mitigation is to pass all untrusted input through a filter that removes <script> tags, JavaScript commands, CSS and other notorious HTML markup (especially anything carrying an event handler). Treat such a blocklist as a secondary control only: it is easily bypassed, since an <img> tag with an onerror handler contains no <script> tag at all. The primary defence is to encode untrusted data for the context in which it is output (HTML body, attribute, JavaScript, URL) so that the browser never interprets it as code, and, where users may legitimately submit HTML, to sanitize it against an allow-list of safe elements and attributes.

There are many libraries available to implement these encoding and sanitizing mechanisms; which one you choose depends on your back-end technology. Keep them updated, as XSS techniques keep changing and new bypasses emerge all the time.
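To show the difference between the two approaches, here is an added Python example (not code from the article or its author). The `blocklist_filter` is a deliberately naive version of the keyword filter described above; the payloads are constructed to show what it misses, while `html.escape` based output encoding neutralises all of them because it never tries to recognise attacks, it simply stops the browser from parsing the data as markup.

```python
import html
import re


def blocklist_filter(value: str) -> str:
    """The approach the text describes: strip known-bad keywords.
    Kept deliberately naive to show why it is not sufficient on its own."""
    value = re.sub(r"(?i)</?script[^>]*>", "", value)
    value = re.sub(r"(?i)javascript:", "", value)
    return value


def render_comment(untrusted: str) -> str:
    """Output encoding for an HTML text context: the browser displays the
    characters and never parses them as markup, whatever they contain."""
    return f'<p class="comment">{html.escape(untrusted, quote=True)}</p>'


def render_search_box(untrusted: str) -> str:
    """Output encoding for a quoted attribute context (quotes become &quot;),
    so the value cannot close the attribute and start a new one."""
    return f'<input name="q" value="{html.escape(untrusted, quote=True)}">'


def contains_markup(fragment: str) -> bool:
    """True if the fragment still holds something the browser would treat as a tag."""
    return re.search(r"<[a-zA-Z/]", fragment) is not None


# Constructed payloads: only the first is caught by the blocklist.
PAYLOADS = {
    "script_tag": "<script>alert(1)</script>",
    "event_handler": "<img src=x onerror=alert(1)>",           # no <script> tag at all
    "nested_tag": "<scr<script>ipt>alert(1)</script>",         # survives one removal pass
    "attribute_breakout": '" autofocus onfocus="alert(1)',     # needs no tag, only a quote
}


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(f"{name:20} blocklist -> {blocklist_filter(payload)!r}")
        print(f"{'':20} encoded   -> {html.escape(payload, quote=True)!r}")
```

Note that `html.escape` is correct for HTML body and quoted-attribute contexts only; data placed inside a `<script>` block, a URL or a CSS value needs the encoder for that context, which is why templating engines ship several and why a single “filter everything” function keeps failing.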

Error Messages

Be careful about the error messages displayed when a user enters incorrect data. Always give generic messages. For example, when a user fails to enter the correct username/password combination, respond with “Invalid username or password” rather than saying which one was wrong. Precise feedback tells the attacker they are halfway there and can focus on the remaining part. The same applies to stack traces and database errors: log them server-side, never show them to the user.

Server/Browser side validation

Validation must be performed at both the browser and the server. Simple mistakes such as an invalid phone format, a non-numeric value in a numbers-only field or a blank field can be caught by form validation for the user’s convenience; however, client-side checks are trivially bypassed, so every input must be revalidated on the server, where strict validation is what actually prevents malicious input from reaching your database or pages.

Password

Always use strong passwords. A password should be long and mix special characters, numbers, and upper- and lower-case letters. Passwords must be hashed before they are stored in the database, never kept in plain text or in reversible (encrypted) form.

If your database is stolen, the damage is limited when passwords are hashed, because a hash cannot be reversed to recover the password. Plain hashing is not enough, though: fast hashes such as MD5 or SHA-1 can be brute-forced or looked up in precomputed tables. Use a dedicated slow password hash (bcrypt, scrypt, Argon2 or PBKDF2) and add a salt.

A salt is a randomly generated string combined with the password before hashing, so that the same password produces a completely different hash for every user. The salt is stored in the user account database alongside the hash, or as part of the hash string itself. Salts must not be reused: generate a new random salt whenever a user creates an account or changes their password.

File Uploads

In today’s modern web applications, it has become necessary to provide an option for file uploading. Social networking applications like Facebook and Twitter, blogs, forums, and many other websites let users upload pictures, avatars, videos and several other kinds of files. The more widely this feature is available on a website, the more the website is exposed to malicious uploads.

Sometimes an uploaded file contains a malicious script which, if the server ever executes it, can expose the entire site. The following best practices, implemented when handling uploads, help you keep file uploads secure:

  • Define a .htaccess (Hypertext Access) file – a configuration file used by Apache-based web servers that can password-protect folders, deny access to unwanted users, redirect users to another page, change how files with certain extensions are handled, and so on.
  • Do not place the .htaccess file in the folder where uploaded files are stored; save it in the parent folder, where an uploaded file cannot overwrite it.
  • Provide a list of acceptable extensions in the .htaccess file with proper deny/allow permissions. That way only allowed file types are served, and access to each file type can be limited.
  • Always store uploaded files in a folder outside the webroot, and serve them through a download handler that sets the Content-Type itself rather than by direct URL.
  • Avoid overwriting existing files (to prevent .htaccess overwrite attacks).
  • Create a list of acceptable MIME types, and verify the file’s content (its signature bytes) rather than trusting the Content-Type header sent by the client.
  • Generate a random file name and append the previously validated extension, so that each file is uniquely identified and the client-supplied name never reaches the filesystem.
  • Implement both client-side and server-side validation for defence in depth; only the server-side checks count for security.

SSL

SSL (Secure Sockets Layer), today superseded by its successor TLS (Transport Layer Security), is the protocol that secures website traffic over the Internet. If the channel between the browser and the web server is not secured while confidential information is transmitted, an attacker on the network path can read or alter it and take over user accounts. SSL/TLS removes this threat by establishing an encrypted, authenticated connection between browser and web server (and the same protection should cover the link between the web server and its database when they run on different hosts).

SSL/TLS allows confidential information such as SSNs, credit card details and login credentials to be transmitted securely over the network. A certificate is bound to a key pair: the public key is inside the certificate, the private key stays on the server, and together they are used to authenticate the server and set up the encrypted session.

The certificate also carries the identity of the website owner, vouched for by the issuing certificate authority. Once the web server has a certificate installed and the communication between client and server is secured, the browser signals a trusted connection to the visitor with a lock icon and a URL that starts with https:// rather than http://. Serve every page over HTTPS, redirect plain HTTP to HTTPS, and disable the deprecated SSL versions and early TLS versions (TLS 1.0 and 1.1) on the server.
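What “configured properly” means on both ends is shown below, as an added Python example rather than code from the article. The server context sets TLS 1.2 as the floor and restricts the TLS 1.2 cipher list to forward-secret AEAD suites; the client context keeps certificate and hostname verification on, which is exactly what application code most often switches off “to make it work”; and the small `redirect_to_https` helper demonstrates the HTTP-to-HTTPS redirect and the HSTS header. The certificate paths, cipher string and one-year HSTS lifetime are assumptions.

```python
import ssl
from typing import Dict, Optional, Tuple


def hardened_server_context(certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server side: TLS 1.2 as the floor, forward-secret AEAD suites, no compression.

    certfile/keyfile are the paths issued by your CA (assumed); when omitted the
    context is built but no certificate is loaded, which is enough to inspect it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0 and 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS compression enables CRIME-style attacks
    # TLS 1.2 suites only; TLS 1.3 suites are fixed and managed separately by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Client side: verify the chain against the system trust store and check the hostname."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True                      # the certificate must name the host we asked for
    ctx.verify_mode = ssl.CERT_REQUIRED            # never CERT_NONE in production code
    return ctx


# Assumed lifetime: one year, covering subdomains.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def redirect_to_https(scheme: str, host: str, path: str) -> Tuple[int, Dict[str, str]]:
    """Send plain-HTTP requests to the HTTPS origin; pin future visits with HSTS."""
    if scheme == "http":
        return 301, {"Location": f"https://{host}{path}"}
    return 200, {"Strict-Transport-Security": HSTS_VALUE}


if __name__ == "__main__":
    server = hardened_server_context()
    client = hardened_client_context()
    print("server min version:", server.minimum_version.name)
    print("client verifies hostname:", client.check_hostname)
    print(redirect_to_https("http", "example.com", "/login"))
```

The HSTS header only takes effect once a visitor has reached the site over HTTPS, so the redirect and the header are used together: the redirect gets the first visit onto HTTPS, the header keeps every later visit there even if the user types http://.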

Conclusion

Do everything you can to improve web application security: stay up to date, limit access to resources, use strong passwords and proper password storage, and monitor your site constantly. These simple steps, carefully applied, can protect your data and website from attackers.

– Susan B. John