Wednesday, January 31, 2018

[Cyber-security Awareness Series] The Magic Card


Ramnath was quite happy when he received the “card” from the bank. This was no ordinary “card” given to him. He could withdraw money from his account at any point of time by using this card and could also swipe it at any shop to buy goods for his family. The villagers thought it to be a Magic Card.

You may think as to why would anyone consider a debit card as so special and extraordinary. Well, for Ramnath and other villagers in his village, this was the first time they had seen such a card. The bank had opened a new branch in this remote village and opened a new bank account for every villager under the “Khata Yojna” of the bank. Ramnath was also a beneficiary of this scheme.

The villagers were then encouraged to deposit some amount in their bank accounts. Ramnath decided to put all his savings of Rs. 18000 in his bank account. He had saved this amount over years for the higher education of his only daughter, Kalavati. Kalavati wanted to be a doctor from childhood. She had lost her mother in her early childhood as there was no doctor available in the medical centre in her village.

Just over a month later, Ramnath decided to withdraw a sum of around Rs 1050 for his daughter’s application form. He went to the bank branch around 9am to withdraw the amount. He filled in the withdrawal form and submitted it to the cashier. The cashier checked the account and said that the transaction could not be processed due to lack of funds in his account.

Ramnath jokingly told the cashier that he was not withdrawing Rs 1,05,000 from his account. The cashier, however, was in no mood to joke. He told Ramnath that his account balance was just Rs 20 and he should have more funds in his account for the transaction to be completed.

Ramnath felt as if the sky had fallen. He told the cashier to recheck again. The cashier rechecked and asked him to meet the bank manager.

How did 18000 get converted to 20? To understand this mathematics, read on.

The bank manager offered some water to Ramnath as he was feeling dizzy now. His entire savings had been wiped out. The cashier had claimed that just Rs 20 was left in his account. The bank manager opened Ramnath’s account and queried him on his earlier transactions. Ramnath looked confused. “I had not transacted before. This is my second visit to the bank. I deposited Rs 18000 last month when I opened my account in the bank. I needed the money for my daughter’s application form, hence I came today for the withdrawal,” answered Ramnath.

The bank manager looked confused. He asked him about the “card” which the bank had given him. The bank manager could see transactions done using the debit card. Ramnath replied that he had safely kept the “magic card” under the God’s idol in his home. He had never used it.

The bank manager understood that something was not right. He decided to investigate the matter. He asked Ramnath to come to the bank the next day. Ramnath was now quite angry. He asked the bank manager to return the money which he had deposited last month. He claimed that he would come with all the villagers tomorrow to the bank branch.

The news of money missing from the bank spread like wildfire in the village. Multiple villagers came to the bank branch to either check or withdraw their deposited amounts from the branch. Some of them had to leave empty-handed. By evening, the bank manager was the target of every villager.
-----
The bank manager called a meeting with his staff to understand the problem. Nobody could work out what had happened. No money had been withdrawn from the ATM placed outside the bank, yet multiple accounts showed that withdrawals had taken place.
The bank manager shot a mail to the corporate office of his bank. The corporate team responded immediately with details of every transaction that had taken place for every account holder of that branch.
The bank manager now understood what had happened; however, he could not understand how.
-----
The next day’s scene at the branch was as if the branch was offering free money to everyone. All villagers had gathered outside the bank branch to withdraw their money. Fearing such a kind of response, the bank manager had called in the police department. Two heavily built policemen had arrived, but clearly, they were no match for the agitated villagers.
The villagers were shouting when the bank manager approached to talk to them. In the midst of this shouting, something caught the bank manager’s ears. A person was shouting that he had got a call from the bank last week asking his card details as his rate of interest needed to be added to his bank account.
The manager asked everyone to be quiet to help understand what kind of call he had received.
---
What & how it happened?

Some of the villagers claimed that they received a call from the bank last week congratulating them on the interest they would be receiving from the bank. But in order to process that interest, the lady (on the call) requested them to share the card details which the bank had provided. The affected villagers were even asked to share the CVV number present at the back of the card.
The affected villagers had happily shared the details since they were convinced that the call came from the bank. On further investigation by the bank, it was found that the bank had employed a vendor to collect the details of the villagers. One of the people employed at the vendor decided to misuse these details and called some of the villagers to extract the card details. This person then used this card online to transfer money to his own account or do shopping on e-commerce websites.

It is imperative for banks to make their customers aware, especially the uneducated lot, about the do’s and don’ts of banking and information sharing. Social engineering is one of the most effective mechanisms by which any kind of security can be made futile.


Friday, January 19, 2018

[Cybersecurity Awareness Series] Token of Thanks

                             

Manish is invited to a conference as a chief guest to speak about his industry experience in the field of pharmaceuticals. Having worked in the industry for around 25+ years, Manish is a big name in this field. He is currently the Vice President of the firm, handling all the pharma clients in his company “IloveITSolutions”.


Our story begins when Manish receives a call from his CEO reminding him about the $1B deal with the new pharma client. Manish is supposed to prepare the company’s pitch and present it to that client. Manish steps into his car while attending the call and signals the driver to take the car to the location of the conference. He promises the CEO that he will work on this presentation after attending the conference today.



Manish arrives at the conference and shares his experiences about how he has clinched every deal in the pharma sector. He advises newbies to work on the domain knowledge as this is extensively required in this field. Manish is then shown around the various upcoming technologies put in place by the vendors at the conference area. He is given a memento by some vendors as a token of thanks.



He finishes the conference and steps into his car and leaves for the office. On his way, he starts to unwrap the gifts received from the vendors. Whatever be the case, Manish couldn’t resist opening gifts from a very young age. He opens up the first one and finds it to be a pen. The second and the third again turn out to be costly pens. He opens up the fourth one and loves it. He needed this one now.
Are you wondering what the fourth gift was? Let’s not spoil the mystery.
----------
On the third floor, Rakesh is busy giving the final touches to his presentation. Rakesh is the CEO of the competitor firm “Me2ITSolutions”. He is confident that the presentation will land him the $1B deal. He adjusts his tie and enters the client’s office.
He enters the room and delivers the presentation. The clients love it.
-----------
It is a make-or-break day for Manish. Clinching this deal would not only improve his stature in the organization, it would also help him get a promotion this year. He is confident of his pitch to the customer. After all, he took all steps to be ahead of everyone. Manish even poached the lead sales guy of the competitor firm “Me2ITSolutions” to understand their pitch.
Manish begins the presentation. The customer looks puzzled. Manish finishes the presentation and waits for a response from them. The customer conveys that they would inform the winner in the evening.
---------
Manish is pacing back and forth in his office. He is waiting for the phone call. His phone rings. His heart is racing and his ears are waiting to hear those 3 golden words: “Congratulations! You Won.” Unfortunately, the person on the other side informs him that his organization has lost the bid. The customer rejected the bid as Manish had presented exactly the same idea as “Me2ITSolutions”.
-----
The CEO is puzzled as to how two different companies could present exactly the same slides to the client. He sends his best man to the rescue. He calls up the CSO – Arnav and asks him to investigate the matter.
------
Arnav meets Manish and understands the events running up to the meeting with the clients. Arnav has some tools in his arsenal which he uses and investigates the laptop of Manish. The results don’t surprise him. He just smiles and prepares the report which is to be presented to the CEO.

Saturday, January 13, 2018

[Cybersecurity Awareness Series] The Limited Time Offer


Varun was excited about the new phone which he had ordered yesterday. He couldn’t believe his luck when he got that message yesterday. Excited, he had immediately forwarded the message to his friends. Varun was imagining as to how would he showcase his new iPhone X with a swag at his college. He was lost in his thoughts when the doorbell rang. He jumped off his chair at the sound. He was pretty sure that it would be the courier boy who would be delivering his new phone. It turned out to be a salesman selling soaps from door to door. Disappointed, Varun came back to his room and decided to check his order status. He was pretty sure that the order date was today.

Varun logged onto his computer and quickly typed in the site’s name “wesellphonesonly.com”. The order status read “Delivery by 3.00pm today”. Varun looked at his watch. It was 3.30pm and there was no sign of the new iPhone X which he had ordered. Well, he decided to play Candy Crush on his old phone just to pass the time. It was 9.30pm at night when the doorbell rang again. His hopes rose but were soon dashed when it turned out to be his father who was back from the office rather than the courier boy.

Varun was now frustrated and decided to check with the customer care of the website and raise a grievance against them for not delivering the order on time. He went to the “Contact Us” page and found a textbox where anyone could submit a query or a grievance. He filled in his grievance and up popped the message “We will connect with you soon on this”. Varun felt a sense of calmness after doing this. He decided that he would call them tomorrow to check the status of his iPhone X.
He met his friend Aarav the next day at the college. Varun enquired as to whether Aarav had ordered the new iPhone X from the website or not. After all, it was an unbelievable offer which only a fool would have missed. “Did you order it? It said just 200 left when I ordered yesterday !!” said Varun with a tone of urgency in his voice. “Shreya and Ankur had also ordered when I sent them the message yesterday,” he said in a rather confirmatory tone.

Aarav nodded, indicating he was yet to order the phone. Varun was surprised. “Didn’t you read the exciting offer which I had sent you? Let me read it once for you.”

Varun took out his old phone, opened “Whatsapp” and started reading the message.

“Limited Time Offer, Just for you. Get the new iPhone X at just 21,999 only. Yes, you read it RIGHT!! Get a discount of 75%. Just log on to “wesellphonesonly.com” and the first 1000 customers get a free Apple watch too.”

“Mind-blowing offer! Isn’t it” said Varun. “You will not be getting that free Apple Watch. I was the 200th customer and that too yesterday.”

Aarav seemed unconvinced and asked “Did you get the iPhone X? It was supposed to be delivered yesterday, Right?”. “It might have been a courier issue. The status was updated to 7pm today.”

“It was a fake message and I told you that yesterday only,” commented Aarav. In the meantime, Shreya and Ankur joined them. As they walked up to the class, Varun enquired whether Shreya and Ankur had got the iPhones which they had ordered. Both replied in the negative and said that the status of delivery was updated to 8.00 pm today. Varun was confident that the phone would be delivered today.

His class got over by 3.00 pm and he headed back home. As soon as Varun entered his house, he could sense that something was wrong. His father’s car was parked outside which was quite abnormal. Father always returned after 8.00pm every evening. He stepped inside and was shocked to see his mother crying and father extremely sad and holding his head.

Varun ran inside to inquire what had happened. His mother explained that Varun’s father had received a stream of SMSs around noon indicating that multiple transactions had been made on his credit card, totaling up to 15 lakhs, his maximum card limit. He called up the bank, after which they blocked the card. However, the bank claimed that the transactions were done yesterday and since there was a maintenance activity going on, the SMSs got delivered in the morning. Varun’s family had suffered a loss of around 15 lakhs.

“I’m going to the police to register a complaint,” said his father, and asked Varun to accompany him. They both headed towards the police station. As Varun entered the police station near his house, he was shocked to see his friends Shreya and Ankur with their families seated in front of the police officer. Both were complaining that multiple transactions had occurred yesterday night on their credit cards.
The policeman heard them out and asked about their recent purchases and credit card usage. While everyone claimed to have spent at different places, one common place of usage was “wesellphonesonly.com” for everyone. The policeman took the details from everyone and asked them to come the next day.

Varun quickly logged onto the website to check the order status. He wanted to dispel his fear that he had been duped of his money and that this was a fake website duping people. He was excited to see “Order successfully delivered.” He called up his mother to inquire about the order delivery.
He was shocked to hear from his mother that no such person had come to deliver any order.
The next morning when Varun picked up the newspaper, he got the shock of his life. The headline read:

“Fake Website Dupes People of Lakhs of Rupees, Owners Untraceable.”

Important Points:

a) This was a case of phishing where people are made to click on links so that they can be made to enter their bank details / personal details.
b) Such messages are spam messages which may result in malicious downloads on your system. Commonly such links are distributed through social media channels or messaging applications.
Never click on links which offer you such exciting offers unless you are particularly sure of the source of such offers.

Be Smart, Be Cyber Safe 😇

Do share your feedback and comments in the comment section below.

Wednesday, January 10, 2018

The Spectre of Intel’s (Past) Meltdown

The Internet is abuzz with reports of two major vulnerabilities codenamed “Meltdown” & “Spectre”. These vulnerabilities were independently reported by security researchers at Cyberus Technology, Google, and the Graz University of Technology. 



Thousands of articles have already been written about this. So what’s new in this blog post? I did read a lot of the information available on the internet before writing this article and found this:

a) Some of the articles contain highly technical information and jargon which doesn’t make sense for the common man.
b) Most of the articles do not explain what the real deal is and just touch upon the basics of good information security practices.
c) Leading press houses have taken this opportunity to thrash the tech companies on such vulnerabilities.

So if you just want to understand what “Meltdown” & “Spectre” mean in extremely simple terms … read on to find out.

The Speculation Problem

Do you have a favorite restaurant where you go or have been going for years? If yes, you would have appreciated the fact that the waiter knows “What’s your favorite?” 
Or imagine the coffee shop where you step in every morning and the lady on the other side has your cappuccino ready with a “Just the way you like it, John” statement.
In both these scenarios, the waiter and the waitress have assumed, or rather speculated, what you are going to order based on your history.

Now let’s say that the coffee shop makes the coffee extra special for you by putting your name tag on the cup. Every day, you see your name on it and love it. 

But one fine day, when you step into the shop, you order an espresso rather than a cappuccino. The shopkeeper is taken aback as he has the order ready, remember, with your name on it and just the way you like it. Now since you changed the order, he throws that cup in the dustbin and gives you an espresso.

Well, so far, so good. Are you wondering whether I forgot that this article is about “Meltdown” and not about coffee? Hey, hold your horses, the story is about to get better and I did not forget about “Meltdown”. When the shopkeeper throws the cup away, the garbage collector is able to get your name off the cup, even if it’s just for a moment.

Still wondering as to how “Meltdown” fits in this story? Read on. Our computers work in a similar fashion. They use a technique known as “speculative execution” to perform certain processing operations before it is known for certain that those operations will be required, on the premise that these guesses often turn out to save time.

So when you give an instruction to open, say, MS Word, the computer speculates that you may click on “File” as your next step based on your usage pattern. Based on this speculation, it sends this information to the processor for processing to save time. Modern computer chips have sophisticated “branch predictors” that use fancy algorithms to determine what your next step would be, and they are correct 99% of the time.

Now when you open MS Word, instead of clicking on “File”, you decide to close the program altogether. However, the computer had speculated that you would click on “File”. Now, based on this new instruction, it throws away the previous instruction.

This thrown-away information can be spied upon by hackers, and this exploitable weakness is dubbed "Meltdown" and "Spectre". They differ in the way this is done.

I want to meet the Kernel


There is a new villain in town and yes, it wants to meet the Kernel. Let’s understand who “Kernel” is.
He is the boss and only he decides who can meet him and others in the town. In computer terms, it is the core of a computer's operating system, with complete control over everything in the system. There are only a few processes that can speak directly with the kernel.

Now, let’s say that this villain knows a secret about the kernel called the “Side-Channel”. To understand this “Side-channel” attack, consider that I follow you every day without even connecting with you. Based on this spy work, I am able to gather a lot of information about you and your habits.

“Meltdown” & “Spectre” are the villains in this case who know about the “Kernel” and his deeds. The deed in question is the speculative execution of instructions and the throwing away of the “unused” instruction in an unprotected space. This is what the security researchers have targeted. When Intel processors (affected by Meltdown) perform speculative execution, they don't fully segregate processes that are low-privilege and untrusted from the highest-privilege memory in the computer's kernel. That means a hacker can trick the processor into allowing unprivileged code to peek into the kernel's memory with speculative execution.

Let’s Call the Patch Guy


Well, can you change the “Kernel”? Unfortunately, the answer is NO. We need to understand that both “Meltdown” and “Spectre” are hardware bugs and not software bugs. It’s the way modern processors were built.
Imagine that you built your house years back. Now you discover that there was an issue with the design of the house and that could allow a thief to enter into your house from the back door. Can you change the house design now? No. You need to redesign the house. In a similar fashion, the tech companies have to redesign the processors, Mr. Kernel, and the instruction processing.

Are you wondering what happened to the patches that were issued by the tech companies? Well, to understand it, let’s go back to the coffee analogy. Now since the shopkeeper knows that you have changed your behavior, what would he do? He asks his waiter to wait until you give the order.
In a similar fashion, the patches deployed by most of the companies have in a way “suspended”, or tried to “suspend”, this speculation. The patch makes it difficult for the villain to “spy” on what Mr. Kernel is doing.

Now since the speculation has been suspended, it becomes obvious that the coffee which you may now order will take more time to be ready, which gives us the reason why the patch will make your systems either slow or unbootable. Also read https://gadgets.ndtv.com/laptops/news/microsoft-suspends-amd-spectre-and-meltdown-patch-rollout-after-complaints-of-unbootable-pcs-1797953.

Just tell me what to do

I wish I had the answer to this question. We are dependent on Intel or AMD and the tech companies to issue us new patches which may temporarily fix the problem. But is it really that bad? Trust me, it’s not. While the threat is real, it will take a lot of time and effort for the bad guys to use it in the real sense. Remote code execution will not work for these vulnerabilities and it is not cost effective for the bad guys to spend so much time and energy on personal computers.
Well, for nation-states and national security, it’s a different game altogether. Until that time, we can just keep our systems updated with the latest patches and implement best information security practices. Don’t look at me like this …yeah I mentioned it too.
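
One way to check that the patches are actually active on a Linux machine, as an added example that is not part of the original post: kernels carrying the Meltdown/Spectre fixes report their status in files under /sys/devices/system/cpu/vulnerabilities. The function names below are made up for this illustration, and the sample values in the demo are constructed.

```python
"""Report Meltdown/Spectre patch status from the Linux kernel's sysfs files."""
import tempfile
from pathlib import Path

# Directory where Linux kernels that carry the Meltdown/Spectre patches
# publish one status file per issue.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status):
    """Map one status line to a coarse state."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_mitigation_status(base=SYSFS_DIR, issues=ISSUES):
    """Return {issue: (state, raw_text)} for each issue name."""
    report = {}
    for name in issues:
        try:
            raw = (Path(base) / name).read_text(errors="replace").strip()
        except OSError:
            # No file: the kernel predates the patches (or this is not Linux).
            report[name] = ("unreported", "")
            continue
        report[name] = (classify(raw), raw)
    return report


def needs_attention(report):
    """Issues that are neither mitigated nor reported as not affecting the CPU."""
    ok = ("mitigated", "not_affected")
    return sorted(name for name, (state, _) in report.items() if state not in ok)


if __name__ == "__main__":
    base = SYSFS_DIR
    if not base.is_dir():
        # Constructed sample so the example also runs on a non-Linux machine.
        base = Path(tempfile.mkdtemp())
        (base / "meltdown").write_text("Mitigation: PTI\n")
        (base / "spectre_v1").write_text("Vulnerable\n")
    report = read_mitigation_status(base)
    for name, (state, raw) in report.items():
        print(f"{name:12} {state:12} {raw}")
    print("needs attention:", needs_attention(report) or "nothing")
```

An "unreported" entry means the kernel does not publish a status for that issue, which on Linux usually indicates the kernel itself needs updating.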

In case you wanna know more about advisories issued, Meltdownattack.com has a full list of vendor advisories. The academic paper on Meltdown is here (PDF); the paper for Spectre can be found at this link (PDF).  Cyberus Technology has their own blog post about the threats.

Do share your comments and feedback in the comments section below.

Monday, January 8, 2018

Now on Twitter !!!



Hi Guys,

It gives me great pleasure to tell you that Learning Security With Mayur now has a Twitter presence too. You can connect and spread the love on Twitter too.

Use #LearningSecurityWithMayur when you retweet the posts on Twitter.

My handle is @LearnWithMayur.

Looking forward to meeting you there.




Thursday, January 4, 2018

[Cybersecurity Awareness Series] The Free Gift


Anjali was sitting and surfing the internet on the computer at her desk when the phone rang. Startled, she picked it up and heard a rough voice at the other side. “Is this Miss Anjali?” asked the rough voice. “Yes, this is” answered Anjali. “There is a parcel for you in the mail room. Collect it as soon as possible” and the phone hung up.

Anjali was disgusted by the voice and the manner of this person. Surprised as to who would have sent her a package, she dragged herself to the mail room. She reached the mail room and asked the fat lady at the desk to give her the package. “Name Please,” asked the lady, to which Anjali replied with her name. The lady pulled the package from the drawer at her side and handed over the box.

The parcel read: “To, Ms. Anjali Mathur, ILoveIT Solutions, New Delhi”, “From Security Conference, New Delhi”. Anjali worked as a Security Analyst in her company ILoveIT Solutions and had attended a security conference last week. Well, it was quite natural for vendors to send out various pamphlets and product demo / trial coupons after the conference. Anjali too had dropped her visiting card at this conference.

She came back to her desk and started opening the package. The package came from a very well-known vendor “ILoveAntivirus” solutions. The vendor had provided a pamphlet and a CD for a new solution which they would be launching on the market next month. As a goodwill gesture, the vendor had provided a free one-month access to Anjali and her organization.  Anjali was elated at this free trial version and early access to her organization.

She took the CD provided by the vendor, pressed the button on the CPU to pull out the CD/DVD tray and inserted the CD. The CD slipped inside and the software asked Anjali’s permission to install the setup. Anjali immediately clicked on the next button and completed the installation process. The anti-virus solution requested a complete scan of her system, to which Anjali clicked in the affirmative.
It was around 1.00pm and Anjali decided to have a quick lunch while the system was being scanned.

1.30pm:
“Our web server is not responding and it’s rebooting again and again,” shouted the data administrator to the network administrator. “The network is being bombarded with packets from an unknown IP and I have been locked out of the corporate firewall,” boomed the network administrator’s voice in the IT area.

1.40pm:
All users were locked out of their systems and no one was able to understand the issue.

1.41pm:
The chief security officer called up Anjali to understand the situation from her perspective. Anjali, however, was unaware of the situation and had just come back from lunch. She was surprised to see that call.
She picked up the call and was flabbergasted to hear what had happened in just 40 minutes.

1.45pm:
The network and the web server team disconnected all their devices from the network and made all the systems offline to understand the problem.

1.50pm:
Anjali went to the network and the web server teams to help them understand the problem. Both teams were wondering how they had been locked out of their own systems and how to resolve the issue at hand. Anjali had just arrived at the tech team’s office bay and was trying to understand the issue.
When someone suggested rescanning all the systems for a virus, Anjali immediately offered the tech team the new antivirus solution which she had received an hour earlier. The teams were surprised to learn about this new solution as the vendor had not communicated any such development to the tech team.

1.55pm:
Anjali rushed back and brought back the CD which she had received from the vendor. The team analyzed and scanned the CD on a standalone system using their current antivirus. They were shocked to see the results. Anjali felt as if she had been slapped in the face. The scan reported an extremely dangerous virus which was present on the CD.

2.00pm:
Anjali explained how she had attended the security conference last week and received a package today offering her a free trial for an upcoming anti-virus solution.

2.15pm:
After understanding the complete scenario, the CSO and the tech team decided to rescan all the devices and bring them online by reinstalling factory software and restoring from the backup tapes.


This activity took around 2 days and the company suffered a loss of more than $20,000 per day. Since the web server was also affected, the brand image of the company also took a hit.
Upon further investigation, it was found that such a courier was sent by a hacker hired by a competitor firm. The hacker had met Anjali at the conference and noticed her moves at the conference. He noticed that she had shared her contact details with a security vendor which had promised to send free gifts to her. Taking advantage of what he had heard during the conference, he devised a plan to introduce the virus through a free gift sent to her. The competitor firm wanted to gain market share and poach users.


As individuals, it is imperative for us to understand that we should not blindly install anything on our organization’s or personal systems. We must install software or antivirus solutions from the original vendor's website and must check the hash values before installing. If possible, install them on standalone systems rather than directly on the production servers.

Do share your valuable feedback on this.


Cyber Security Awareness Series



As a security professional, you may agree that security awareness and training is an ongoing exercise in any organization. Most people in your organization would not even bother to think about security when working on their projects to meet their deadlines. As security professionals, we need to devise new ways to make people understand security. It may be through web-based training or an awareness session or mailers or some innovative mechanism which you have thought of.

Whatever mechanism you employ to impart security awareness training, it is often seen that security professionals start delivering sermons where they only reiterate the organization’s security policies. Cybersecurity awareness, however, should not be limited to the organizational policies when delivered. In my opinion, the next time you send a mailer or run a training session, you can try sharing certain fictitious or original security scenarios. Users generally don’t appreciate it when you dictate or flood them with multiple aspects of your security policy. Users are likely to retain and appreciate the same do’s and don’ts if communicated via a video tutorial or a story.

In order to help you out, I would be sharing such scenarios covering various aspects of information security. These scenarios will be generic in nature and focus on the importance of following the security policies. Certain scenarios will also focus on cybersecurity and hygiene which we all should follow in our personal lives. Given the focus and the need for us to transact and live our lives digitally, it is imperative that we learn about phishing, identity theft, privacy, social engineering, digital fraud, smartphone data theft, password sharing etc.

It would be great if you use such scenarios to spread awareness and share your feedback on the same.

Note: All stories in this series are a work of complete fiction and published to spread security awareness. Any resemblance to any character is purely coincidental.