Monday, June 27, 2011

Be Careful, You May Be Exposed! Protecting Your Online Identity


The Internet has changed human psychology. Every user now has some form of online identity representing their social (Facebook, Twitter, etc.) or professional (LinkedIn, etc.) life. Knowingly or unknowingly, we post every small detail of our lives as text or pictures, or are tagged in someone else's profile, and we even post professional details to get an issue resolved. The way the internet is designed, all these details are kept forever.

Have we ever thought that sharing details over the internet may not be fruitful, socially or professionally? We have seen many examples where people have faced issues during background verification for employment and marriage proposals. They did not realize that the proposal or employment was rejected because of some past content revealing sensitive information.

By the time you realize it, the information has been synchronized across sites and made available on various search engines. It is often seen that false and misleading content posted on the internet affects your business image as well.
A simple Google search on “removing online identity” reveals 73,300,000 results. Isn't that a huge number? Many users have raised the same concern.


The question is: what can we do? There is a fine line between what to expose and what not to. We fail to understand that every activity of ours is monitored, and may not be useful or may create obstructions or difficulties later in life. There are many mechanisms to protect your online identity:


  1. Manually delete details you posted yourself, or ask other users who tagged you to remove them.
  2. Google and Yahoo have implemented “Delete URL” functionality for website administrators. This means that if you are a webmaster (or blog owner), you now have the power to stop specific URLs from being indexed (using a robots.txt file). Non-admins can also take advantage of these tools and request that “private” information be taken down.
  3. Email the site administrator and ask them to delete your online details.
  4. Online tools: there are many sophisticated tools available in the market that help users search for their online identity details and remove them.
  5. SuicideMachine.org is doing its best to expand the possibilities of erasing your entire presence; however, it is work-in-progress research. Please note that they are not deleting your account! Their aim is to remove your private content and friend relationships rather than just deactivating or deleting the account.
  6. Reputation.com: powerful tools to help you monitor and shape your reputation.
  7. Monitor your information online:
     a. Remove personal information from the web
     b. Define your online presence
     c. Defend your reputation from negative content

Sunday, June 12, 2011

India's Promising Politician Web Site Hacked

The servers and website hosting information of the constituencies of Rahul Gandhi and his mother, Congress chief Sonia Gandhi, were hacked. The systems were used to store huge databases of constituencies, individuals, trends, etc.
The initial investigation revealed password hacking of an email account, which in turn translated into DNS server address manipulation. It was a well-planned attack, in which the email IDs created for password recovery were also hacked. As experts reset the password for amethi@hotmail.com and accessed the account, they found several suspicious emails. "These emails were sent by domain management console, godaddy.com (of amethinet), to an unknown person on his request regarding password recovery," says the FIR.

Officials said the recovered emails revealed the times at which the IP address password recovery requests were generated by the hacker. "The unknown hacker has cracked all of our domain management console passwords using password recovery email account amethi@hotmail.com and has made changes in DNS zone files so that it got redirected into some other websites," the FIR said.

Amethinet and raebareli were created specifically to address the constituents, but the former, after hacking, opened onto www.pdmce.ac.in, the website of an engineering college in Bahadurgarh, Haryana. When Rahul's team checked the domain name system (DNS) of the website, it showed an IP address different from that of Rahul Gandhi's network. "Amethinet domain is registered with godaddy.com domain and when officials tried to log in to the domain management console, it was not working," the FIR said.
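The manual check described above, comparing the address a site resolves to with the address of the owner's own network, can be run on a schedule so that a zone-file change is noticed quickly. The following is an added example, not code from the original post or the FIR; the hostnames, the RFC 5737 documentation addresses and the baseline format are constructed placeholders.

```python
import ipaddress
import socket

# Constructed baseline: hostnames and the networks they are expected to resolve into.
# The example.org names and RFC 5737 addresses are placeholders, not the real sites.
BASELINE = {
    "constituency-a.example.org": ["192.0.2.0/28"],
    "constituency-b.example.org": ["192.0.2.16/28", "198.51.100.7/32"],
}

def resolve_a(hostname):
    """Live IPv4 lookup through the system resolver (not used by the sample run)."""
    infos = socket.getaddrinfo(hostname, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_host(hostname, observed_ips, baseline=BASELINE):
    """Return findings for one hostname; an empty list means it matches the baseline."""
    expected = [ipaddress.ip_network(n) for n in baseline.get(hostname, [])]
    if not expected:
        return [f"{hostname}: no baseline recorded"]
    if not observed_ips:
        return [f"{hostname}: does not resolve"]
    findings = []
    for ip in observed_ips:
        if not any(ipaddress.ip_address(ip) in net for net in expected):
            findings.append(f"{hostname}: resolves to {ip}, outside the expected networks")
    return findings

def audit(observations, baseline=BASELINE):
    """observations maps hostname -> list of IPs; every baselined host is checked."""
    findings = []
    for hostname in sorted(baseline):
        findings += check_host(hostname, observations.get(hostname, []), baseline)
    return findings

# Constructed observation: the first name now points at an unrelated address,
# as it would after an unauthorised zone-file change.
SAMPLE_OBSERVED = {
    "constituency-a.example.org": ["203.0.113.80"],
    "constituency-b.example.org": ["192.0.2.20"],
}

if __name__ == "__main__":
    for line in audit(SAMPLE_OBSERVED):
        print("ALERT", line)
```

In live use, `audit({h: resolve_a(h) for h in BASELINE})` feeds real lookups into the same comparison.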

The FIR was filed under Section 66 of the Information Technology Act. According to the Act:

  1. Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hacking.
  2. Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Wednesday, June 8, 2011

Rating Future Security Services: Cloud



Customers are in a dilemma with current business trends around security. Every business runs on some basic trust. In today’s digital world, compliance and standards are the enablers for achieving security along with optimized performance. Every service company has the same compliance standards to showcase its capabilities and the security mechanisms it has in place. So customers have no clue which company and services to opt for, since every service company provides security using the same limited set of available products.



Can security be rated the way car manufacturers rate their products, with a 5-star safety rating? Other industries, such as hospitality, also rate their services and products as 5-star or 4-star. Distinguishing between service providers would then be as easy as buying a new car. When dealing with customers, a rating gives a quantitative value and provides more confidence.

In the near future, can we expect the same approach from some Global Security Body (GSB) or from analyst firms (Gartner, etc.) to define a star rating for security that may be mapped to the compliance standards? I am sure most of you will have some concerns about this thought, but let’s take the scenario of cloud-based solutions, which are rising exponentially. Customers should have some mechanism to identify and rate a service provider based on a simple rating. These ratings would in turn be mapped to the security infrastructure hosting the service, such as gateway security solutions, Data Loss Protection, SIEM, proprietary encryption and digital signature mechanisms, Digital Rights Management, etc. It also won’t be limited to technology solutions; operational processes need to be aligned as part of the compliance standards.

Monday, June 6, 2011

Required Security Solution around Mobile Devices based on recent research.

  • Laptop encryption will be made mandatory at many government agencies and other organizations that store customer/patient data and will be preinstalled on new equipment. Senior executives, concerned about potential public ridicule, will demand that sensitive mobile data be protected.
  • Theft of PDA smart phones will grow significantly. Both the value of the devices for resale and their content will draw large numbers of thieves.
  • Cell phone worms will infect at least 100,000 phones, jumping from phone to phone over wireless data networks. Cell phones are becoming more powerful with full-featured operating systems and readily available software development environments. That makes them fertile territory for attackers fueled by cell-phone adware profitability.

Technology solution for a Broken Trust

An enterprise is a combination of three pillars (people, process and technology solutions) that together provide value-added services to customers while maintaining trust.


An employee uses various devices in an enterprise, since IT companies are user-friendly and support mechanisms like smartphones, wireless systems and personal laptops, which may or may not be aligned with the IT security policy. There have been cases of data loss in which employees took part willingly. A report by Bnet shows that 45 percent of employees take data when they change jobs. Such is the case with a former HP employee, Atul Malhotra, who had allegedly sent copies of IBM confidential documents to his Vice Presidents at HP. Prior to joining HP, he was employed by IBM and had access to this information.




How can we stop data theft against malpractice?
There is an obvious need to minimize breaches of security, but this task goes beyond simply securing the technologies. Solutions have to be pragmatic and relevant to work processes they are going to protect, so there may be trade-offs. Users have to work with the solution and if usage is too complex or cumbersome it won't work.
This means that C-level management should take a more active role as security shifts from being technology-centric to business risk-centric. Security decisions should involve business-level discussions, and management is in a better position when it comes to determining the risks involved. And the biggest security risk may turn out to be a disgruntled employee.

How could this incident have been prevented?


Proper implementation of DLP would have marked this data as sensitive and rated it as highly critical. Common exit points for this type of data breach are corporate email, web mail, FTP, removable drives and printing. At any of these exit points DLP would have flagged this activity. The security policy should be reviewed and updated periodically as part of the DLP solution.
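How a DLP rule combines the two ideas in this paragraph, a sensitivity marking on the data and a check at each exit point, is shown in the following added example. It is not taken from any DLP product or from the original post; the marker list, the internal mail domain and the event records are constructed for illustration.

```python
import re

# Constructed policy: classification markers plus the exit points named in the post.
MARKERS = re.compile(r"\b(Confidential|Internal Use Only|Restricted)\b", re.IGNORECASE)
EXIT_POINTS = {"corporate_email", "web_mail", "ftp", "removable_drive", "print"}
INTERNAL_DOMAINS = {"corp.example"}   # placeholder for the employer's own mail domain

def leaves_organisation(event):
    """Corporate email to an internal recipient stays inside; other exit points leave."""
    if event["channel"] == "corporate_email":
        domain = event.get("destination", "").rpartition("@")[2].lower()
        return domain not in INTERNAL_DOMAINS
    return True

def evaluate(event):
    """Return (verdict, reason) for one egress event: allow, review or critical."""
    if event["channel"] not in EXIT_POINTS:
        return ("allow", "not a monitored exit point")
    match = MARKERS.search(event.get("content", ""))
    if match is None:
        return ("allow", "no classification marker found")
    if leaves_organisation(event):
        return ("critical", f"'{match.group(1)}' content leaving via {event['channel']}")
    return ("review", f"'{match.group(1)}' content moved internally via {event['channel']}")

# Constructed events, not real logs.
SAMPLE_EVENTS = [
    {"user": "u1", "channel": "corporate_email", "destination": "vp@other.example",
     "content": "Pricing deck. Company Confidential."},
    {"user": "u2", "channel": "corporate_email", "destination": "peer@corp.example",
     "content": "Draft plan, internal use only"},
    {"user": "u3", "channel": "removable_drive", "destination": "USB0",
     "content": "Holiday photos"},
    {"user": "u4", "channel": "print", "destination": "printer-3",
     "content": "RESTRICTED: customer list"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["user"], *evaluate(ev))
```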

Thursday, June 2, 2011

It’s a Risky Business? Cloud vs. In-house


Cloud computing, once considered a mere buzzword, is now a reality. Cloud-based solutions provide a mechanism to host your office on the cloud, not just because they are cheaper (they do away with software and hardware costs), but also because they provide the flexibility to access information from any place with a decent internet connection. It typically works as a service that depends on a rented environment.
So if you’re not on the cloud already, you might want to check out the options to see what you’ve been missing out on.
Five free web-based office suites that might be of use:

1. Google Docs
2. Office Web Apps
3. Thinkfree
4. Documents to Go
5. Zoho
Fortify Software sponsored a survey of 100 hackers at last month. They discovered that 96% of the respondents think that the cloud creates new opportunities for hacking, and 86% believe that “cloud vendors aren’t doing enough to address cyber-security issues.”

In line with the recent developments, Amazon.com Inc. (AMZN)’s Web Services cloud-computing unit was used by hackers in last month’s attack against Sony Corp.


Is it a secure and reliable solution for customers? Can we expect to see growth and customer attention?
Such events will definitely not slow down the usage of cloud-based systems; in fact, they will encourage system owners to build a robust security framework. One of the biggest weak links is limited user awareness of security, i.e. password management.
It has been observed that the majority of users either use the same password across all the systems and applications they use, or store passwords in a file without any encryption mechanism. Users need to be educated on best practices for password management. Multi-level authentication such as OTP should be introduced, which will also reduce social engineering attacks.
Intentional attacks can come from anywhere, but at the same time cloud providers need to introduce a background verification process to reduce attacks from within the cloud.

Cloud solutions are not the only ones experiencing security issues; major players in the market have been devastated by security breaches and are trying to realign their security frameworks.

  • NASA website hacked (May 11, 2011, 04.53pm IST): According to Fox News, hackers compromised pages on NASA's Jet Propulsion Laboratory website, before the May 16 scheduled launch of the shuttle Endeavour. The affected pages included barrages of "nonsense text" and interest-generating keywords, like "Edit buy adobe premiere pro cs4 some callouts and balloons to make this time it took you and saved you a long time,
  • Nasdaq Confirms Servers Breached
  • Hackers steal owner data from Honda
  • Two Arrested For AT&T iPad Network Breach
  • Nigerian government agency website hacked by “Cyberhacktivists”
  • 100,000 Credit Cards Compromised By Data Breach



Wednesday, June 1, 2011

High Tech Identity Theft-Electronic Pick Pocketing

Technology advancement has led to many security issues and concerns around the world. Identities are a common and popular target in today's scenario. Identities can be credential-based or digital. Credential-based theft can be prevented by using a complex password policy and mechanism along with user awareness. One of the emerging trends in digital theft is electronic pickpocketing, which steals your credit card and passport information. Around 10 million victims are affected by this advanced form. A simple device is capable of fetching your credit card information without touching your credit card.

Online Consolidation of Banking Information

A common problem individuals face is managing the information associated with their identities. The internet is a growing giant that keeps pulling in information and people, and attracts an unethical community as well. Every user is furious and eagerly looking for a simplified solution to manage their identity and information in a structured form. One such initiative is taken by mint.com, which consolidates information in a single interface with various security measures.
More than 5 million users are using this application; however, it is only available in the US. There are various such initiatives under way to provide a Common Authentication Body (CAB) under various verticals.
The question is: are we opening more doors for malicious users by simplifying processes? The answer is subjective; it depends on an individual's exposure to technology and systems, along with the importance they place on ease of use.