Posts

Showing posts from February, 2018

SSCP Video Course - Understanding Security Basics

Confidentiality, Integrity and Availability are the three pillars of information security. All security professionals aim to achieve one or more of these three properties when designing an information security program. While the video above explains these terms and many others in a detailed yet simplified manner, here I take up a complete scenario to help you understand the context in which these terms are used.
John has newly joined as a security practitioner in the company “IloveITSolutions” and has been instructed to find ways to improve security by implementing confidentiality. The company is extending into the e-commerce domain and would like to explore how it can provide a seamless experience to the customer by making its site available 24x7. The CSO has also instructed him to explore ways to reduce fraud in the company in light of certain events. What should John do?
Such scenarios are common in the SSCP and CISSP exams, and hence it is important to understand the basic concepts …

The CISSP CAT Exam Experience

I wrote a blog post in the month of December where I detailed the new CISSP CAT format being launched by (ISC)2. The post gave details about the new exam – what it would be all about, what the new exam means for you, and important points to consider. Well, since I had passed the exam way back in July, there was no way I would decide to sit for this difficult exam again. Luckily, a few of my friends took the CISSP CAT exam and passed it, so I spoke to them to understand their experience with this new exam format and decided to write about it. So here it goes…
The Study Material
The first question that comes to everyone’s mind is: do I need to look for new study material since the exam format has changed? The answer is NO. The CISSP study material remains the same. My friends referred to the following material, but this is not an exhaustive list in any way. My recommendation would be to stick to one particular book and get to know every word and line of it. It is extremel…

Launch of SSCP Video Course on YouTube Channel "Learning Security with Mayur"

When I started preparing for the "Systems Security Certified Practitioner" certification offered by (ISC)2, there was hardly any free video course material available on the internet for this exam. Even today, when you try to find course material for this exam, you end up either paying heavily on some website(s) or finding video lectures which are extremely outdated.
Hence, as promised earlier, I am launching the SSCP video course on my YouTube channel "Learning Security with Mayur". I request you to share, comment, like and subscribe to it.
The videos will also be available on the blog with additional description and pointers. Posts on the topics described in the videos will also be available on the blog.
Salient Features of this Course:
1. It’s FREE. Yes, it’s absolutely FREE.
2. I have covered the entire course content in a detailed manner (all domains).
3. I have provided an exam perspective at the end of every video. Having given the SSCP exam, it feels great to sha…

[Cyber-Security Awareness Series] The Delay

YourDomain.com was a big name in domain management for various Fortune 500 companies. Whenever a person or an organization wanted to buy or renew a domain name, “yourdomain.com” was the place to be. In a way, it was the market leader in this industry, holding a 90% market share.
It was the early morning of 13th February when Jason, the lead engineer, noticed something strange in the company’s name servers. The domains owned by the various customers were not showing up on the administrative page. He immediately called his boss to inform him of the problem. He also called the company’s help desk to ask whether any issues had been reported to them. Jason was surprised to hear that a number of customers had called and logged grievances. The domain names and websites of various top customers were either being redirected to objectionable websites or reported as offline. The messaging services were also affected, as the domain was not reachable.
Jason’s boss, Yurik,…

The New Age of Social Engineering

Many years ago, when social engineering started via mail, a careful reader could easily identify a phishing mail. You could find mistakes in the emails that were sent: different font sizes in different lines, absurd mail IDs, etc. With time everyone improves, and so have the social engineers. It’s a new world, and the rules of the game have changed completely. Welcome to the new age of social engineering.
Warrior Alone

For most users, the experience of dealing with a phishing mail is a solitary one. When you receive a mail in your inbox, you are the one who decides whether to open it or discard it, reply to it or flag it, etc. If you take a wrong step, you can put the organization in grave danger. Occasionally, everyone feels an urge to respond to a mail or click on a link provided in it.
Today’s social engineering schemes are a step ahead. Let’s consider some of them:
1. Let’s Reply Back - In earlier times when phishing mailers were sent, no one bot…

[Cyber-Security Awareness Series] Your Credentials , Your Identity

Mark was the head of the Marketing Department in the company “IloveITSolutions”. He had spent 25 long years in this organization. He was working on a marketing plan for an upcoming product launch. He had communicated his requirement of two interns for his department, which had still not been fulfilled. He called up the HR department to understand the delay in getting the two interns. HR communicated that the interns would be arriving today but would be busy in a 2-day induction workshop organized for new joiners. Mark was in no mood to let another 2 days pass by. He instructed HR to send those interns to him immediately. He was of the opinion that such induction sessions, where HR elaborated the policies of the organization, were of no use.
Around an hour later, two nervous faces entered Mark’s cabin. Mark instructed them to prepare a marketing proposal by the end of the day. Annie and John looked at each other and enquired about the credentials to be used for loggin…

Personally Identifiable Information - Free of Cost. Wanna know how?

Recently, one of my friends told me about an application (mobile app) which could easily fetch a lot of details about a vehicle and its owner. I was quite intrigued and decided to check this app out. When I logged onto the Google Play store, I found that there was not just one app but multiple apps offering anyone’s details free of cost to everyone in this world.
Well, the first one of them is “RTO: Vahan Vehicle Registration”. It is quite simple. You just need to enter the vehicle’s number and voila, you get a trove of data. The app claims to provide you the following details: Owner Name, Address, Age, Engine Number, Chassis Number, Vehicle Registration Date, Vehicle Registration City, Type, Model, City, and State. The second one is “RTO Vehicle Information”. It also offers the same details free of cost to you.

These apps only work for vehicle registrations in India.

Screenshots of the apps - courtesy Play Store:
While the free service is appreciated, there is no need to offer …

Your Own Fingerprint could be your Enemy

Imagine you are sipping cold coffee and enjoying the view outside your room when you receive a message on your smartphone that you have spent 5 million rupees at a shopping mall in Dubai. After the initial shock, when you enquire about the transaction, you are shocked to learn that you have swiped your fingerprint and approved the transaction.
Well, don’t look at me in this manner, and don’t dismiss this as a wild fantasy. This is neither a fantasy nor a scene from an upcoming movie.
If you would like to know how this will happen, read ahead.
Fingerprint – Just a bitmap Image!!!
With the introduction of the fingerprint scanner on the iPhone, it became natural for other smartphone manufacturers to follow suit. The market was flooded with fingerprint scanners on smartphones.
To understand the weakness which can be exploited, you need to understand the basics of how a fingerprint is stored in a smartphone.
Most smartphones store fingerprint images in an unencrypted, readable-by-any-app .bmp…