
Mobile Security: A Growing Concern in COVID Times

“One single vulnerability is all an attacker needs”
-Window Snyder

Mobile phones have become an efficient mode of communication and make life easier. New models and more advanced technology are introduced to meet people's needs. With the ability to stay connected with people, pay bills online, store data, take pictures and use many other irresistible features, the mobile phone has become an inevitable part of human life.

While the different applications and features in a mobile phone make our lives easier, they also raise the risk of exposing our sensitive and confidential data to hackers.

How do hackers trick people into getting their devices hacked?

Hackers are very active and keep finding new ways to cheat people through fake emails, fake web pages and the like. Especially now, as people are in a state of fear due to Covid-19, hackers are taking advantage of the situation. They use Covid-19 themes to create urgency, and people unaware of this respond to the malware and become victims of phishing and hacking. Scammers pretending to offer support and help, for example free meal coupons and similar offers, often trick people into believing the offer is real. People unknowingly fall prey by clicking the malicious link and giving access to the personal information stored on their phones. Other attackers persuade citizens to download malware by impersonating health organizations conveying important health information and tips.

Mobile malware, phishing and hacking are becoming common threats in the mobile world. Protecting mobile phone data at the personal and the enterprise level has become crucial.

How to protect your data in your mobile phones?

Building self-awareness about security threats, training employees on security measures, and taking adequate precautions are some good ways to protect mobile phone data.

Popular brands have their own expert teams to protect their products and their users from attack. For example, Google’s Threat Analysis Group (TAG) is a group of experts that provide a solution to protect their products and their users from phishing and scams. They work continuously to identify new threats and scams in the market.

Various organizations provide several mobile security services such as Mobile Device Management (MDM), Mobile App Access (MAA), Data Leakage Protection (DLP), Identity Right Management (IRM).

Here are a few recommended security practices everyone should follow at the personal and the enterprise level:

  • Implement robust authentication measures
  • Ensure routine updates and data backup
  • Block suspicious applications
  • Continuous monitoring of connected devices
  • Perform regular health checks

Let’s consider each of these security practices in detail.

1. How to implement robust authentication measures in mobile phones?

At the personal level,

Setting a screen lock (there are a number of ways to lock a smartphone, depending on the model), removing unwanted apps, blocking ads and tracking malware, and keeping notifications off the lock screen are some of the simple and common ways to secure your mobile phone.

More advanced mechanisms are pattern locks, PINs, and biometric authentication with fingerprint or face recognition. To make authentication even stronger, these methods can be combined with multi-factor authentication.

The different levels of authentication that can be applied on mobile devices are listed below:

Username and password authentication

This is sufficient where the apps are not very sensitive. It is a common form of authentication among social media apps.

Dual factor authentication

This method adds an additional layer of security, making it harder for an intruder to gain access to the mobile phone and its data. Here, a PIN is used together with a security token to authenticate users accessing the device.

Three-factor authentication

Adding a biometric factor to dual-factor authentication makes access to the device more secure. Personal attributes of the user, such as voice or fingerprint, are also used to authenticate the user in this method.

Geographical location tracking and device information

Geographical location tracking and device information can help prevent fraud by limiting access based on the device in use and where it is being used.

Behavioural analysis

Larger enterprises also make use of technology based on behavioural studies. It helps track unusual user activity. If different behaviour is noticed at the user end, the user is subjected to re-authentication. This behaviour is also recorded in the audit analysis database for further monitoring and analysis.

The authentication mechanism an enterprise adopts depends on its needs and its ability to adopt security mechanisms. Some enterprises use OTP (one-time passwords) to authenticate their users, which works well for their needs. Many banking applications use OTP as a means of ensuring security.
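The OTP mechanism mentioned above, worked through as an added example (not code from the article or from any product it names): a time-based OTP generator and a server-side verifier following RFC 6238, using the RFC's reference key as a constructed demo secret. The verifier tolerates one step of clock drift and refuses a code that has already been accepted.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the ASCII key used for the RFC 6238 reference vectors.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30      # seconds per counter step
DIGITS = 6
WINDOW = 1          # accept one step of clock drift on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current time step."""
    return hotp(secret, now // step)


class OtpVerifier:
    """Server-side check: constant-time compare, drift window, no replay."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_counter = -1    # highest counter already consumed

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // TIME_STEP
        for counter in range(current - WINDOW, current + WINDOW + 1):
            if counter <= self.last_accepted_counter:
                continue                   # code for this step was already used: replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False
```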

Other enterprises adopt PKI authentication, which uses a private, non-transferable encryption key stored on a hardware token. Such mechanisms are also recognized by government regulations.

2. Ensure routine updates and data backup

Ensure that updates are installed on mobile phones. Software updates for mobile devices include patches for the security holes that various threats exploit, so install updates as soon as they are available. Running an outdated or pirated version of the OS makes the device more prone to mobile malware and malicious attacks.

Data backup is an essential security procedure at both the personal and the enterprise level. User data can be set to back up automatically, and how much is backed up and how often can be pre-defined.

At the enterprise level, based on how much data there is to back up and the budget available for backup processes, an appropriate medium can be chosen, such as an external hard disk or a NAS box with cloud backup. Optical media like CD/DVD, Blu-ray etc. can be considered as cheaper alternatives; however, their lifetime and capacity are limited.

3. Block suspicious applications

It is worth checking periodically which applications have been given access to your device. Malicious apps may contain code that extracts personal details and other critical data. Before downloading, always check the permissions the app requests, the number of downloads, and its ratings and reviews. Do not download from third-party stores.

Good antivirus software is also available. Some products are free and some are paid, but paid ones may provide better support. Based on your preferences, select a good one that meets your requirements.

4. Continuous monitoring of connected devices

Logging activity at various levels can help make access to the mobile phone more secure. Logging text messages, social media activity and other web activity, and blocking applications, in order to track any unusual activity, can bring better security.

Protection can be made stronger at the enterprise level by using security services from various providers. For example, with AWS Security Hub you can receive security threat alerts from services like GuardDuty for continuous threat detection.

5. Perform regular health checks

With emerging technologies and evolving security risks, security has become a huge challenge. Strong security solutions must be in place to identify vulnerabilities and an organization’s exposure to real-world threats.

The more technology-dependent we are, the more prone we are to malware and cyber-attacks. Every individual must be aware of phone security threats and the preventive steps that protect their mobile phone data, and every employee at the enterprise level must be trained in security awareness.

Even if all the necessary steps to prevent threats are in place, security threats cannot be eliminated, only mitigated. There could still be attacks and losses; however, those losses can be controlled in a reasonable manner if we are well prepared. Security breaches, compliance violations, data leakage etc. can cause severe damage to an organization’s reputation and to the trust of its users and business partners. So it is critical to adopt adequate security measures to protect the data in smartphones and mobile applications.

Implementing effective security measures, making data protection practices mandatory, setting defined protocols for lost or stolen devices, and spending money on security awareness among employees are worthwhile investments that benefit the organization in the long run.

“The only real security that a man can have in this world is a reserve of knowledge, experience and ability”
-Henry Ford

Making Secure Financial Transactions on Mobile: Always Do This!

Over the last few years our mobile usage has grown enormously, and this brings a huge risk of data theft. With the Government itself promoting digitalisation, securing financial transactions on mobile devices has become a very interesting topic of discussion.

Security for mobile devices has been advancing enormously. But compared to computers within your home network, mobile devices can be less secure. Here are a few tips you can follow to make your mobile devices more secure and use them to perform protected transactions.

How to make financial transactions on mobile secure?

1. Do not download apps from untrustworthy sources

Do not download third-party applications from sources outside the App Store. Download apps only from the official app store for your device. Also, checking and verifying the following things before you download an app will help you secure all the financial transactions you will perform later.

Read Reviews and check the ratings

Imagine yourself as a customer buying a product from a shop. You would usually check the reviews and ratings of the shop and the product before making a purchase decision. Likewise, make it a habit to read the reviews and check the ratings of an app before downloading it. There are fake apps that reveal little information on the app store. Going through the reviews and ratings will help you decide whether the app is useful to you and secure.

Number of Downloads

An app with a high number of downloads is more likely to be genuine and secure. An app with 1 million downloads makes it evident that a positive buzz has been created around it due to its usefulness and security. A security breach is less likely in such apps, since it would affect the wide customer base they have.

Also, due to its huge customer base, the developer will usually have the budget and resources to maintain the security of the app even as the threats surrounding mobile apps evolve. So, using only the most popular apps is an easy way to secure financial transactions, or any type of transaction, on mobile devices.

Find the vendor or developer

The app store shows the contact details of the vendor or developer of the app. Find and read their security and privacy policies. Check whether your information is used for any other purpose and, if they share user data with third parties, for what purposes.

Granting Permissions

Do you have a habit of granting all the permissions an app asks for while installing it on your device?

For convenience, users have the habit of granting all the permissions while installing a new app, without checking what they are and whether they are really needed!

While granting all permissions lets users explore the features of the app, granting unwanted permissions may put you in trouble. Asking for permission to access the camera or social media accounts may be appropriate for a video editing app. Messaging apps like WhatsApp ask for permission to access your messages and contacts. But a mobile app that is in no way designed to make calls or send messages or emails asking for access to your contact list may be inappropriate, especially if the app was downloaded from an untrustworthy source.

So, make sure that only the appropriate permissions are granted while installing the app.

2. Strong Password Protection

The first thing a user does on a new mobile is set up a security password or pattern lock. The reason may be privacy more than security.

A strong password is a better way to protect your device. Nowadays most smartphones offer at least one of facial recognition, iris scanning and fingerprint recognition to secure the device, restrict unwanted people from accessing it, and protect all types of transactions done using it. These features offer more security and protection for your device than a PIN or password can.

3. Keep your software updated

You must ensure that the software on your devices is up to date. Updating software regularly ensures more security: since updates fix security vulnerabilities from time to time, hackers will not be able to use those vulnerabilities to their advantage.

4. Transactions only through secure mobile websites

In some cases, when you have no computer to access an online shopping portal and there is no app on the App Store for it, you will be forced to use the mobile version of the website. In such cases, using only a secure HTTPS connection to access the website is the first step to securing your transactions. It ensures that any data passed between your device and the server stays between these two machines. Always check for the padlock icon before adding items to the shopping cart. The padlock symbol usually means that the transactions are protected and the web page is secure. It also means that you should not do financial transactions through websites that do not show the padlock symbol in the address bar, or at the top of the screen on mobile devices.

5. Don’t pass sensitive information through public Wi-Fi

Any information sent through public Wi-Fi can be accessed by others who have access to the network. So, use only your phone’s cellular network or your home’s password-protected internet connection for secure financial transactions.

6. Check bank statements and mobile charges

The majority of identity theft cases and cybercrimes involve financial fraud. So check your bank statements regularly and immediately report any suspicious activity. Fingerprint authentication can be enabled for banking apps on top of PIN or password authentication, giving your financial transactions more security.

The Bottom Line

As technology advances, more techniques and methods are deployed to secure financial transactions. But fraud and theft are also on the rise, as culprits leverage the same technological advances. It may not be possible to prevent all fraudulent transactions and data theft, but following these tips and investing in some form of protection will reduce the risk to some extent.

This article is written by Sarath M V, Manager – Finance and Administration at AlignMinds Technologies

Most Dangerous Mobile Security Threats of 2020

Smartphones are widely used across the world today, hence security threats are also widely spread. Our phones have become our most connected devices and, at the same time, the least secure. The security threats we fail to notice are the ones that will be most hazardous in the near future. Let us look at some of the major security threats that every mobile user must be aware of.

Cryptojacking

Cryptojacking is the secret use of your smartphone by an attacker to mine cryptocurrency.

Cryptojacking used to be confined to the victim unknowingly installing a program that secretly mines cryptocurrency.

In-browser cryptojacking needs no separate program at all:

  • The threat actor compromises a website.
  • The crypto mining script executes when a user connects to the compromised website.
  • Users unknowingly start mining cryptocurrency on behalf of the threat actor.
  • When a new block is successfully added to the blockchain, the threat actor receives a reward in cryptocurrency coins.
Insecure communications

The networks you use to communicate are never fully foolproof, which leaves your device vulnerable to malware attacks. Hackers tend to set up fake access points where you access Wi-Fi in public places such as coffee shops and airports. The access points are given generic names, which can fool even the most careful people.

It is always good to be cautious when connecting to public Wi-Fi. Use public Wi-Fi only if absolutely required, and never use it to access personal information such as bank accounts.

Mobile ransomware

Ransomware that affects only mobile devices is called mobile ransomware.

A cybercriminal uses mobile malware to steal sensitive data from a smartphone, or attempts to lock the device, before demanding payment to return the data to the user or to unlock the device. Sometimes people find seemingly innocent content or software on social networks, download it accidentally, and are tricked into installing ransomware.

After the malware is downloaded onto a device, it asks the user to pay an amount, before encrypting files and locking the phone. After the payment is processed online, often via Bitcoin, the ransomware sends a code to unlock the phone or data.

While installing any app, make sure it is downloaded from Google Play or the App Store rather than from a third-party app store.

Phishing attacks

Phishing is a social engineering attack often used to steal user data, including login credentials and credit card numbers.

It occurs when an attacker fools the victim into opening an email, instant message or text message by posing as a trusted entity.

Users can play smart by not clicking unfamiliar email links. Enter URLs manually wherever possible.

SMS-based attacks

Phishing has evolved from the email world into the SMS world. You receive SMS texts with links you are asked to open to confirm certain information. To a novice user, the links and the sender seem genuine. However, clicking these links can make your device vulnerable to attack and, in turn, give away your confidential information. This is a growing security threat for your mobile device.

Botnet attacks

The word botnet is a blend of “robot” and “network”.

A botnet is a number of internet-connected devices, each running one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, send spam, steal data, and give the attacker access to the device and its connection.

A botnet attack first requires building up a large number of bots, a botnet army. Once the attack is initiated, these bots send a large quantity of network or internet requests to the target system. The requests can range from bulk email messages to simple ping messages. The attack can slow down the network or server, make it busy or unreachable for others, or temporarily freeze the server.

Distributed denial of service (DDoS) is a common example of a botnet attack, in which a number of bot devices send a large number of simultaneous requests or packets to the targeted system.

Installing effective antivirus/anti-malware software can protect your device from such attacks.

User & device authentication

Most mailing apps provide user and device authentication, which allows the user to store passwords and data on the device. If the device is stolen, your credentials and data are at risk. This is one of the major threats to mobile devices, as they contain valuable personal information.

The smartphone is a device that blurs the boundaries between professional and personal life, and its users are up to three times more likely to be victims of mobile threats. Safe browsing, identifying suspicious files and phishing emails, ensuring safe data access on public Wi-Fi networks, and safe downloads are some of the important things a user must be careful about. Beyond these measures, various mobile security software is available from Google Play and the App Store to keep your mobile device safe.

Understanding these common security threats and implementing the recommended solutions can help you protect the data on your smartphone.

Solutions: Most Dangerous Mobile Security Threats of 2020

Preventing mobile security threats helps organizations and individuals protect their devices, apps, users and content from malicious attacks. Security teams can prevent these threats by using an app that scans devices and configurations within the network, or by setting up security protocols in case malware is present on the network.

1. Cryptojacking attacks

Follow these steps to minimize the risk of your organization falling into a trap.

Install an ad-blocking or anti-crypto mining extension on web browsers.

Since cryptojacking scripts are often delivered through web ads, installing an ad blocker can be an effective means of stopping them. Ad blockers like Adblock Plus can detect crypto mining scripts. Experts recommend extensions like No Coin and MinerBlock, which are designed to detect and block crypto mining scripts.

Keep your web filtering tools up to date.

If you identify a web page that is delivering cryptojacking scripts, make sure your users are blocked from accessing it again.

Maintain browser extensions.

Browser extensions are meant to make our tasks simpler. But, some of them could be a trap set by an attacker to execute crypto mining scripts.

Use a mobile device management (MDM) solution to better control users’ devices.

Bring-your-own-device (BYOD) policies should address illicit crypto mining. An MDM solution can help manage apps and extensions on users’ devices. MDM solutions tend to be geared toward larger enterprises, and smaller companies often can’t afford them. However, experts note that mobile devices are not as much at risk as desktop computers and servers: because they have less processing power, they do not produce much profit for hackers.

2. Insecure communications

Here is a list of best practices for Android phones that may bring down the risks related to insecure communication.

Understand that the network layer is highly susceptible to eavesdropping, and is therefore insecure.

  • It is important to apply SSL/TLS to the transport channels the mobile app uses to transmit sensitive information, session tokens or other sensitive data to a backend API or web service.
  • When an application runs a routine via the browser/WebKit, outside entities such as third-party analytics companies and social networks should also be reached securely. Mixed SSL sessions should be avoided as they could expose the user’s session ID.
  • Always use strong, standard cipher suites with suitable key lengths.
  • Use certificates signed by a trusted CA provider.
  • Do not pin certificates for security-conscious applications, and never allow the use of self-signed certificates.
  • Always require SSL (Secure Sockets Layer) chain verification.
  • Establish a secure connection only after verifying the identity of the endpoint server with trusted certificates from the keychain.
  • Build a UI that alerts users when the mobile app detects an invalid certificate.
  • Avoid sending sensitive data over alternate channels (e.g. SMS, MMS or notifications).
  • Apply a separate layer of encryption to any sensitive data before it is handed to the SSL channel. In the event of a vulnerability in the SSL implementation, the encrypted data provides a secondary defence against a confidentiality violation.
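As an added example (not code from the article), the chain-verification, endpoint-identity and cipher-suite rules above expressed as a Python ssl client context, together with a small audit function that flags a context which would silently accept any certificate. The weak context is constructed here only for contrast.

```python
import ssl

TLS12 = ssl.TLSVersion.TLSv1_2
WEAK_CIPHER_MARKERS = ("NULL", "RC4", "MD5", "DES", "EXPORT")


def hardened_client_context() -> ssl.SSLContext:
    """Client context that applies the transport-layer rules listed above."""
    ctx = ssl.create_default_context()        # loads the system's trusted CA store
    ctx.minimum_version = TLS12               # no SSLv3 / TLS 1.0 / TLS 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED       # full chain verification, self-signed certs fail
    ctx.check_hostname = True                 # endpoint identity must match the certificate
    # Strong, standard suites only: forward-secret ECDHE with AEAD ciphers.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!DES")
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """A context that accepts any certificate from anyone (for contrast only)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE           # no chain verification at all
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes every check."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode: certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("check_hostname: server identity is not checked")
    if ctx.minimum_version < TLS12:
        findings.append("minimum_version: TLS older than 1.2 is accepted")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("ciphers: weak suites enabled: " + ", ".join(weak))
    return findings
```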

3. Mobile ransomware

  • Only install applications from authorized stores like Google Play or the App Store. To be sure that no application makes its way onto your device from an untrusted source, go to Android settings, choose Security, and make sure that the “Unknown Sources” box is not checked.
  • Regularly check for updates for your installed applications and your device OS. You can choose to update all installed apps automatically. It is better to update the system to the latest version as soon as an over-the-air (OTA) update arrives.
  • Install a strong security solution. Downloading apps only from the official stores and updating them regularly will not by itself guarantee maximum security. Malware can lurk even in Google Play, and can also spread by means of exploit kits using yet-unknown vulnerabilities.

4. Phishing attacks

  • Think Before You Click!
  • Keep Your Browser Up to Date
  • Keep Informed About Phishing Techniques
  • Check Your Online Accounts Regularly
  • Use Firewalls

5. SMS–based attacks

  • Think before you click a link from SMS
  • Do not open spam messages
  • Keep informed about phishing techniques

6. Botnet attacks

To avoid system compromise, use only licensed and genuine software. Keep your mobile updated with the latest security patches. Install an anti-malware solution and update it regularly. Disable Autoplay/Autorun for removable drives.

Always protect your device from Trojans and other threats by using effective anti-malware software.

7. User & device authentication

  • Think before allowing mailing apps and browsers to store your passwords and data

Remember there is no single fool-proof way to avoid mobile security threats.

– Habeeb Rahman

Top Five Software Security Threats You Must Know!

With the emergence of advanced technologies, there is an increase in information sharing through social networking sites and in using the web for doing business. As a result, websites are being hacked more often than ever. The majority of website attacks happen due to flaws in coding and failure to sanitize input to and output from the web application. Here are some of the software security issues we face today.

1. SQL injection

SQL injection is one of the mechanisms used by attackers to steal data from organizations. As the name suggests, it is the process of injecting malicious SQL statements into the application so that the attacker gains access to the back-end database.

It allows the attacker to create, read, update, alter or delete the data stored in the back-end database. Once the attacker finds that the system is vulnerable to SQL injection, they can inject SQL commands through an input field and take control of the database, where they can execute arbitrary queries.

SQL injection can be prevented by validating the fields where user input is received, checking it against the specific length, type and business requirements.

Also, remove all the stored procedures that are not in use to improve your software security.
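The field validation the article recommends, alongside parameterized queries, as an added example (not the article's code). The sample table is constructed for the demo; the vulnerable function is included only to show how concatenated input changes the statement, and the safe path never lets input reach the SQL text.

```python
import re
import sqlite3

# Constructed sample data for the demo.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
# Allow-list for the username field: character set, type and length, as the article advises.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation: the user's input becomes part of the SQL statement itself."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def parameterized_lookup(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: whatever the input contains, the database treats it as a value."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def validate_username(name: str) -> bool:
    """Field validation: reject anything outside the expected shape before it is used."""
    return bool(USERNAME_RE.match(name))


def safe_lookup(conn: sqlite3.Connection, name: str) -> list:
    """Validate first, then bind; the two layers are independent defences."""
    if not validate_username(name):
        raise ValueError("invalid username")
    return parameterized_lookup(conn, name)
```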

2. Cross-Site Scripting (CSS or XSS)

XSS allows an attacker to inject client-side script into web pages viewed by other users, and may be used to bypass access controls. Using cross-site scripting the attacker can inject malicious JavaScript, VBScript, Flash or ActiveX into a dynamic web page to gather data when these scripts execute. Mainly, web server applications that generate pages dynamically are vulnerable to cross-site scripting if user input is not properly validated and the generated pages are not encoded properly.

Two types of Cross-Site Scripting are Persistent and Non-Persistent.

Persistent

A persistent cross-site scripting attack occurs when the attacker enters malicious data into the web application and the entered data is permanently stored in the database. In this case, each and every person visiting the page becomes a victim of cross-site scripting, since the payload is stored in the database permanently.

Non Persistent

The malicious code injected by the attacker is executed in the user’s browser; it is not stored anywhere but is executed along with the response from the server.

3. Cross-Site Request Forgery

A malicious website sends, via a different website, a request to a web application where the user has already entered their credentials. In this way a hacker can access all the functionality of the target web application via the victim’s already authenticated browser.

In these cases, the malicious request is sent from the attacker’s website to another site the user has authenticated against.

The malicious requests are sent to the target site through the victim’s browser, which is authenticated against the target site.

Cross-Site Request Forgery can be prevented by inserting unpredictable challenge tokens into each request and associating them with the user’s session. Each token is unique to its session. By including these tokens, programmers can be sure the request is valid and not coming from another source.
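The session-bound token described above, as an added example (not the article's code). It uses a stateless variant: the token is an HMAC over the session id and an issue time under a server secret, so it is unpredictable to an attacker, unique to the session, and expires; a request from another origin cannot carry a valid one because the browser only auto-sends the cookie, not the token.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for this demo: a per-deployment secret generated at startup.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 3600          # seconds a token remains valid


def _sign(session_id: str, issued_at: int) -> str:
    """HMAC over the session id and issue time; only the server can produce it."""
    msg = f"{session_id}:{issued_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, now: Optional[int] = None) -> str:
    """Token to embed in the form: '<issued_at>.<mac>', bound to this session."""
    now = int(time.time()) if now is None else now
    return f"{now}.{_sign(session_id, now)}"


def verify_token(token: str, session_id: str, now: Optional[int] = None) -> bool:
    """True only if the token was minted for this session and has not expired."""
    now = int(time.time()) if now is None else now
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False                      # malformed token
    if not 0 <= now - issued_at <= TOKEN_TTL:
        return False                      # expired, or issued in the future
    return hmac.compare_digest(_sign(session_id, issued_at), mac)


def handle_transfer(form: dict, session_id: str, now: Optional[int] = None) -> str:
    """State-changing handler: the session cookie alone is not enough, the token must match."""
    if not verify_token(form.get("csrf_token", ""), session_id, now):
        return "rejected: missing or invalid CSRF token"
    return f"ok: transferred {form.get('amount')} to {form.get('to')}"
```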

4. URL redirection

URL redirection happens when a user clicks a link on a vulnerable website and is taken to an untrusted website. This way an attacker can redirect web users to other websites used for phishing and similar attacks. Such redirections can pass the application’s access control check and let the attacker use privileged functions they would normally not be able to access.

These kinds of URL redirection can be prevented by:

  • Not using user input to build the URL
  • If dynamic URLs are used, making a list of the valid URLs and never accepting invalid URLs
  • Always making sure that accepted URLs are located on accepted domains
  • Making all redirects first go through a page notifying users that they are leaving your site, with a confirmation link to click
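The domain allow-list check from the list above, as an added example (not the article's code); the allowed hosts are constructed for the demo. It goes a little beyond the list by also handling the look-alike inputs that commonly slip past a naive check: scheme-relative URLs, backslashes, userinfo tricks and non-https schemes.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"shop.example.com", "example.com"}    # constructed allow-list
DEFAULT_TARGET = "/"                                   # where we send anything we reject


def _host_allowed(host: str) -> bool:
    """Exact match or a subdomain of an allowed host; 'example.com.evil.net' does not match."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ALLOWED_HOSTS)


def safe_redirect_target(user_supplied: str) -> str:
    """Return a redirect target that stays on an accepted domain, else the default page."""
    if not user_supplied:
        return DEFAULT_TARGET
    # Browsers treat backslashes like slashes, so '/\\evil.net' is really '//evil.net'.
    candidate = user_supplied.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme:
        if parts.scheme.lower() != "https":
            return DEFAULT_TARGET          # javascript:, data:, plain http, ...
        # hostname excludes any 'user@' prefix, so 'https://example.com@evil.net' is evil.net
        if not parts.hostname or not _host_allowed(parts.hostname):
            return DEFAULT_TARGET
        return candidate
    if candidate.startswith("//"):
        return DEFAULT_TARGET              # scheme-relative: resolves to another host
    if not candidate.startswith("/"):
        return DEFAULT_TARGET              # not a site-local path
    return candidate
```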

5. OS Command Injection

OS command injection is a technique used to inject OS commands through the web interface and execute them on the server. Any web interface that is not properly coded will be subject to this attack. If the attacker succeeds in executing OS commands, they can upload malicious programs or even obtain passwords. These threats occur because the application fails to validate and sanitize the parameters passed to shell functions such as system() or exec() to execute system commands.

Types of command Injection

  • Direct command injection
  • Indirect command injection.

Direct Command Injection

In this case, the attacker understands that the application invokes a system command with user-supplied data as an argument, and then passes the malicious command as part of the expected arguments.

Indirect Command Injection

In this case, additional commands are supplied indirectly to the vulnerable application through a file or an environment variable. Once the attacker deduces that the application invokes a system command using content from an external source, they modify that external source to add a malicious command.

The best way to prevent OS command injection is to sanitize the URL and form data for invalid characters. A list of allowable characters should be created to validate user input, and characters that can be misused should be rejected by this list.
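The allow-list validation described above, as an added example (not the article's code), combined with the other half of the fix: passing the command as an argument vector with no shell involved, and a fixed environment so the indirect, environment-variable form of the attack has nothing to influence. The `wc -c` tool and file-name rule are assumptions for the demo.

```python
import re
import subprocess

# Allow-list: a plain file name made of the accepted characters, no leading dot.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
# Fixed environment: an attacker-influenced PATH or IFS cannot change what gets run.
MINIMAL_ENV = {"PATH": "/usr/bin:/bin", "LC_ALL": "C"}


def validate_filename(name: str) -> bool:
    """True only for names made of the allowed characters; '..' is rejected explicitly."""
    return bool(SAFE_FILENAME.match(name)) and ".." not in name


def build_argv(name: str) -> list:
    """Argument vector for the tool. Each element is one argv entry and no shell ever
    parses it, so ';', '|', '$(...)' or backticks inside `name` would be inert even if
    validation were bypassed. '--' ends option parsing as defence in depth."""
    if not validate_filename(name):
        raise ValueError("rejected filename")
    return ["wc", "-c", "--", name]


def count_bytes(name: str) -> str:
    """Run the tool safely. The vulnerable pattern this replaces is
    os.system("wc -c " + name), which hands the whole string to /bin/sh."""
    result = subprocess.run(build_argv(name), capture_output=True, text=True,
                            env=MINIMAL_ENV, check=False)
    return result.stdout.strip()
```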

Computer security is a vast topic that is becoming more important as all the transactions taking place are interconnected. With proper attention to coding standards and the necessary validation of fields, we can keep the main security threats under control.

– Ebin J Sebastian

Your Web Application’s Security: What You Must Not Ignore

Securing data remains a challenge while technology grows at an amazing pace. The more secure your website, the better the chances that users will access it.

Whether it is an e-commerce website, a social media website or any other company website, every website online is prone to one form of security threat or another. It is very important to be aware of web application security threats and to be prepared to handle them.

Organizations now use advanced technologies and heavy security testing to keep their websites safe and protect customer privacy. Security testing is not restricted to the testing team; the development team also plays an important role in enforcing security constraints.

What’s the risk?

The number of hackers in continuous search of vulnerable websites increases day by day. It is essential for an individual or an organization to take steps to protect their data by improving web application security. Although various tools and technologies are available to handle security threats, protecting your website is possible only through continued effort.

A hacked website is a terrible thing that causes a lot of distress to both the owner and the customers. A website that has been abused reflects poorly on your business and brand.

Enough proactive measures must be taken to ensure better web application security in the long run.

Sources of web application security risks

Security threats to websites, web apps and mobile apps come in many forms today. While online threats are continuously evolving, the following are very popular among hackers:

Malware

Malware consists of computer programs that attempt to gain access to a computer without the user's consent. It can be a virus, a worm or a Trojan.

Virus

A virus is a program written to damage or delete the files and contents on your computer.

Worms

Worms do not cause any harm to your data but replicate themselves again and again. Because of this replication, they take up a lot of memory, degrading computer performance and consuming more network bandwidth.

Trojan

A Trojan horse is a destructive program (not a virus) that looks like a genuine application. Trojan horses do not replicate, but once one enters your computer it can give unwanted users access to your confidential information.

Spoofing

A computer or a user pretends to be another, usually one with higher privileges, in order to attack a system, damage data or deny access. Many TCP/IP protocols do not provide a mechanism to authenticate the source or destination of a message. When an application does not take extra precautions to verify the identity of the sending or receiving host, it becomes vulnerable to spoofing attacks. Firewalls can help prevent spoofing attacks.

Spamming

Electronic spamming is the repeated sending of unsolicited messages. There are many forms of spamming, such as mobile phone messaging spam, internet forum spam, junk fax transmissions, social spam and search engine spam. E-mail spam is the most widely recognized form.

Phishing

The hacker sends emails that look legitimate to the recipient, asking for confidential information. The recipient falls for the trick and provides login information or other important banking details, and thus the hacker gets access to their confidential information.

SQL Injection

SQL injection is a code injection technique in which malicious SQL code is inserted into an entry field for execution. Even top websites are vulnerable to injection flaws, especially SQL injection flaws. By employing injection, a hacker can have your code run unintended commands or access unauthorized data.

How to ensure web application security?

SQL Injection

Here, the hacker uses a web form field or URL parameter to manipulate data or to obtain sensitive data. For example, consider the following query used to check login credentials:

SELECT * FROM Users WHERE user_id = 'my' and password = 'test';

Now, if the hacker enters ' OR 1 = 1; /* in the email id text field and */-- in the password field, the query on execution would look like:

SELECT * FROM Users WHERE user_id = '' OR 1 = 1; /*' and password = '*/--';

The password comparison is now inside a comment and the OR 1 = 1 condition is always true, so this will display all users in the Users table.

There are several automated scanning and detection tools on the market that address SQL injection; however, the best way to avoid such attacks is proper code review, since complete coverage requires manual code review and manual testing alongside the detection tools.
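As an added example (not code from the article), the login query above is run both ways against a constructed in-memory SQLite table: once with the values spliced into the SQL text, which is the query the article shows, and once as a parameterised query, which is the fix. The table contents and function names are assumptions for this example.

```python
import sqlite3

def make_db():
    """Constructed in-memory Users table (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user_id TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("my", "test"), ("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, user_id, password):
    """'Before' form: the values are spliced into the SQL text, producing
    exactly the query the article shows. Quote and comment characters in
    the input therefore change the structure of the query."""
    sql = f"SELECT * FROM Users WHERE user_id = '{user_id}' and password = '{password}';"
    return conn.execute(sql).fetchall()

def login_safe(conn, user_id, password):
    """Parameterised query: the driver passes the values separately from the
    SQL text, so they are only ever compared as strings and the query's
    structure cannot be altered by the input."""
    sql = "SELECT * FROM Users WHERE user_id = ? and password = ?;"
    return conn.execute(sql, (user_id, password)).fetchall()
```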

Cross-Site Scripting

Cross-Site Scripting (XSS, sometimes written CSS) is one of the most common application-layer hacking techniques. Here, the hacker attempts to insert JavaScript, VBScript, ActiveX, HTML or other code into dynamic pages in an attempt to run malicious code.

XSS can compromise private information, manipulate or steal cookies, execute malicious code to produce undesirable results, or create requests under another user's identity. It is the most prevalent form of security attack.

One way of protecting against XSS is to pass all user-supplied content through a filter that removes <script> tags, JavaScript commands, CSS tags and other notorious HTML markup (the elements that contain event handlers).

There are many libraries available to implement such a filter; which one you choose will depend on your back-end technology. Always use up-to-date filters, as XSS techniques keep changing and new ones emerge all the time.

Error Messages

Be careful about the error messages displayed when a user enters incorrect data. Always give generic messages. For example, when a user fails to enter the correct username/password, give a message like “Invalid username/password”. Giving exact information about what went wrong tells the hacker that he is halfway there and needs to focus only on the remaining part.

Server/Browser-side validation

Validation must be used at both the browser and the server end for better security. Simple failures like an invalid phone format, non-numeric input, blank fields etc. can be caught by form validation itself; however, stronger server-side validation helps prevent malicious input that can produce undesirable results on your website.

Password

Always use strong passwords. Your password must be a combination of special characters, numbers and upper-case letters. Passwords must be hashed before being stored in the database.

In case your data gets stolen, the damage is minimized if the passwords are hashed, as reversing the hashes would not be possible. Plain hashing, however, is not enough to protect passwords. You can make the hashes more secure by adding a salt to each password.

A salt is a randomly generated string inserted before or after the password so that the resulting hashes are randomized. As shown in the example below, it turns the hash of the same password into a completely different string every time. The salt is stored in the user account database along with the hash, or as part of the hash string itself. Salts must not be reused; a new random salt must be generated every time a user creates an account or changes a password.
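An added example (not code from the article) of salted password storage with the standard library: a fresh random salt per call, a slow key-derivation function (PBKDF2-HMAC-SHA256) instead of a plain digest, the salt and iteration count stored as part of the hash string, and a constant-time comparison on verification. The record format and iteration count are assumptions for this example.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the article)
ITERATIONS = 600_000
SALT_BYTES = 16

def plain_hash(password):
    """The article's 'plain hashing is not enough': the same password always
    gives the same digest, so one precomputed table breaks every account."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'. A new random salt
    is drawn for every call, as the article requires for each new account or
    password change, so equal passwords never share a stored hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the hash with the salt and iteration count taken from the
    stored record and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)
```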

File Uploads

In today’s modern web applications, it has become necessary to provide an option for uploading files. Social networking applications like Facebook and Twitter, blogs, forums and other websites let users upload pictures, avatars, videos and several other kinds of files. The more this feature is available on a website, the more the website is prone to malicious attacks.

Sometimes an uploaded file may contain a malicious script that can open up the entire site. Below are some best practices that, if implemented, help you keep file uploads secure:

  • Define a .htaccess (Hypertext Access) file: a configuration file used by Apache-based web servers that can password-protect folders, deny access to unwanted users, redirect users to another page, change how files with certain extensions are handled, etc.
  • Do not place the .htaccess file in the folder where uploaded images are kept. Save it in the parent folder.
  • Provide a list of acceptable extensions in the .htaccess file with the proper deny/allow permissions. That way only allowed file types can be uploaded by any user, and access to each file type can be limited.
  • Always store uploaded files in a separate folder outside the web root.
  • Avoid overwriting of files (to prevent .htaccess overwrite attacks).
  • Create a list of acceptable MIME types.
  • Generate a random file name and add the previously determined extension, so that each stored file has a unique name.
  • Implement both client-side and server-side validation for extra security.
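The server-side part of the list above, as an added example (not code from the article): extension allow-list, MIME type checked against the file's own leading bytes rather than the client's claim, a random file name with the validated extension, storage in a directory outside the web root, and an open mode that refuses to overwrite. The directory, the allowed types and the function names are assumptions for this example.

```python
import os
import secrets

# Assumed policy for this example (not from the article): where files live
# (outside the web root) and which types are acceptable.
UPLOAD_DIR = "/srv/app-data/uploads"
EXT_TO_MIME = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
               "gif": "image/gif", "pdf": "application/pdf"}
MAGIC = [(b"\x89PNG\r\n\x1a\n", "image/png"), (b"\xff\xd8\xff", "image/jpeg"),
         (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"),
         (b"%PDF-", "application/pdf")]

def sniff_mime(data):
    """MIME type derived from the file's leading bytes, not from the client."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None

def validate_upload(original_name, data, declared_mime):
    """Extension allow-list plus content check: the extension, the MIME type
    the client declared and the type sniffed from the bytes must all agree.
    Returns the extension to use for the stored file."""
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    expected = EXT_TO_MIME.get(ext)
    if expected is None:
        raise ValueError(f"extension not allowed: {ext!r}")
    if declared_mime != expected or sniff_mime(data) != expected:
        raise ValueError("file content does not match an allowed type")
    return ext

def safe_filename(ext):
    """Random name plus the validated extension; the client-supplied name
    (which may carry path separators or a second extension) is discarded."""
    return f"{secrets.token_hex(16)}.{ext}"

def store_upload(original_name, data, declared_mime, upload_dir=UPLOAD_DIR):
    """Validate, rename and write the file; returns the stored path."""
    ext = validate_upload(original_name, data, declared_mime)
    path = os.path.join(upload_dir, safe_filename(ext))
    # mode 'xb' refuses to open an existing file, so nothing is ever overwritten
    with open(path, "xb") as fh:
        fh.write(data)
    return path
```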

SSL

SSL (Secure Sockets Layer) is a protocol used to secure websites over the Internet. If the communication channel is not secured while confidential information is transmitted between the website and the web server or database, a hacker can easily get access to user accounts and personal information. SSL overcomes this threat by establishing a secured connection between the browser and the web server.

SSL allows confidential information like SSNs, credit card details, login information etc. to be transmitted securely over the network. SSL certificates have a key pair, a public and a private key, which work together to establish an encrypted connection.

The certificate also contains the identity of the website owner. Once the web server has an SSL certificate installed and the communication between client and server is secured, visitors get a trusted environment indicating that their connection is secure. The browser assures visitors of this by displaying a lock icon or a green bar, and the URL starts with https:// rather than http://.

Conclusion

Do everything you can to improve web application security. Stay up to date, limit access to resources, use strong passwords and sound password-storage techniques, and constantly monitor your site. These simple steps, if carefully followed, can protect your data and website from hackers.

– Susan B. John