Why is security important?

Ramsunthar Sivasankar
Published in Nerd For Tech
9 min read · May 16, 2021


(image: https://www.capacitymedia.com/articles/3822826/juniper-networks-launches-new-security-products-for-enterprise-market)

Let's say you are using Facebook and suddenly someone puts up a post about an application, saying that you can earn money by using this app or something like that, so you go straight to the Play Store and install it. First, do you think it is legit? Do you know what permissions you gave to that application? Why does a calculator app need to know what's inside your gallery? Ha ha. I don't know what to say, but that is the reality, and you have already exposed yourself to this world. Who reads the privacy policy from top to bottom when installing an application? Most applications have vendors, and the application will share our data with them so they can show ads in the middle of something, which is very annoying. People always want to look into others' personal lives while their own life is on fire.

So in the IT industry, if you are a developer you must be aware of the security aspect while working on a project. It doesn't matter whether the project is big or small. If you are doing a project without any security concerns, then it's like wearing a fashion mask during this pandemic. Let's say you are working at a big company, you did a big project, it launched successfully, and after a week you get the news that the system you helped to build has been hacked! First, the reputation of the company will be gone, the trust of customers will be gone, sensitive data will be leaked, and the consequences might end up in a lawsuit against the company. So a software engineer must have proper knowledge about security.

There is something called No-Tech Hacking, so let's talk about a few of those techniques.

Dumpster Diving

This is basically diving into dumpsters in search of valuable information. Most of us throw documents in the bin that we think of as unwanted, but those who gather them can get valuable information out of those documents. You may throw away a phone bill, bank invoices, an insurance bill, maybe company-related hard-copy documents and so on. If hackers look into that bin, you might end up in a critical situation afterwards. So this is what dumpster diving means, and there is no tech involved in getting all of your details. So how can we avoid this? First, raise awareness about the importance of trash. Then shred documents using a cross-cut shredder.

Social Engineering

A hacker tests a piece of technology to see if he can achieve valuable outcomes from it that the developer didn't expect. A social engineer instead uses psychological tricks to persuade users to make security errors or reveal critical information. To carry out the attack, an attacker first examines the targeted victim to obtain relevant background information, such as potential avenues of entry and weak security mechanisms. The attacker then attempts to acquire the victim's confidence and provides stimuli for later acts that violate security protocols, such as disclosing sensitive information or allowing access to key resources.

(image: https://www.imperva.com/learn/application-security/social-engineering-attack/)

Investigation

In this phase, the attacker prepares the ground: identifying the victim, gathering some background information and finally selecting the method of approach.

Hook

This is where he or she tries to talk with the victim, starts the story of how he or she built a rocket in their garage (LOL 😂 I mean fake stories like that) and takes control of the interaction.

Play

This is where information is gathered from the victim after getting their attention; after that, the attacker starts to execute the attack.

Exit

In this phase, the attacker removes all traces and leaves the conversation without arousing suspicion.

Let's see how this happens in real life.

You know 99% of people put answers to their security questions that are very close to them. So let's say there is a guy working in a company and a social engineer wants to get into the system. The attacker chooses this employee as the victim and tries to get in touch with him. After some point the attacker keeps casually asking personal questions like "So, you are a cat person, right?" and the victim replies something like "No, I am a dog person." This continues, and the attacker gets the details he wants. Then he breaches the system by resetting the victim's password, answering the security questions with the details he collected before. This is social engineering.

There are many ways to do social engineering; the five most popular types of digital social engineering attacks are listed below.

Baiting

Baiting attacks exploit a victim's greed or curiosity by making a false promise. They trick consumers into falling into a trap in which their personal information is stolen or their computers are infected with malware. Usually the attacker leaves physical media, like an infected USB drive, where the victim can see it. That USB might be labelled with a company logo or something similar. Victims pick up the bait out of curiosity and plug it into a work or home computer, causing malware to be installed automatically. Baiting can also happen online, for example through click-bait ads.

Scareware

The victims of scareware are bombarded with false alerts and bogus threats. Users are duped into believing their system is infected with malware, encouraging them to install software that has no purpose (other than to profit the offender) or is itself malware. This is also referred to as deception software. The common example is a banner that appears in your browser tab while surfing the web, with text such as "Your computer has been infected with harmful spyware".

Pretexting

An attacker gathers information by telling a series of well-constructed falsehoods. A perpetrator may start the scam by professing to need sensitive information from a victim to complete an essential assignment. The attacker frequently begins by impersonating coworkers, police, bank and tax authorities, or other people with right-to-know authority in order to gain the victim's trust. The pretexter asks questions that are apparently intended to validate the victim's identity but are really used to obtain sensitive personal information.

Phishing

Phishing scams, which are email and text message campaigns aimed at creating a sense of urgency, curiosity, or terror in victims, are one of the most common social engineering attack types. They pressure people into disclosing personal information, visiting fraudulent websites, or opening malware-infected attachments. An example is an email sent to subscribers of an online service informing them of a policy violation that necessitates prompt action on their part, such as a mandatory password change. It contains a link to an illicit website that looks almost identical to the official one and prompts the unwary user to enter their current credentials and a new password. The information is delivered to the attacker when the form is submitted.

Spear phishing

This is a more focused variation of the phishing scam, in which the perpetrator targets specific people or businesses. They then personalize their communications based on the traits, job titles, and contacts of their victims to make the attack less obvious.
Spear phishing takes a significant amount of work on the part of the attacker and might take weeks or months to complete. Such attacks are significantly more difficult to detect and, if done correctly, have a higher success rate.

How can we prevent social engineering?

  • Every employee must be trained in proper security protocols.
  • Don't open emails and attachments from suspicious sources; the sender must be verified first.
  • Use multi-factor authentication.
  • Employees must not connect any unknown physical media to their systems.
  • Keep your antivirus/anti-malware software updated.

Password Protection

Most people choose a social media password that is very close to them, and the funny part is that they use the exact same password for all their accounts, such as Gmail, other online accounts and even their office email. Do you think that password is secure enough?

(image: https://www.csoonline.com/article/3526408/most-common-passwords.html)

These are the most commonly used worst passwords from 2018 to 2020. As a best practice, a person should change all passwords every 3 to 6 months. But it is not possible to remember everything, right? People must use different passwords for their accounts, and each must be more than 9 characters long, so that the possibility of cracking the password is very low. To have a good password, it should contain numbers, uppercase and lowercase letters and sometimes special characters such as "@" or "#". It is also good to use a password manager; there are plenty of applications out there. It's better to make a password out of random words rather than names and numbers familiar to you, such as your DOB or the name of a person around you. But not everyone will follow these principles. So as developers we must protect users' credentials. There are two ways to protect user credentials:

  1. Encryption
  2. Hashing

Encryption

Encryption is the process of transforming data in such a manner that only those with the appropriate key can decrypt and read it. Encryption is a two-sided process: when you encrypt something, you intend to decrypt it later. To encrypt and decrypt data, you use a cipher, which is an algorithm (a sequence of well-defined stages that can be followed procedurally).

The following image shows the basic idea of what happens during encryption:

(image: https://searchsecurity.techtarget.com/definition/encryption)

Let's take a look at encryption using a shift cipher, where two parties agree on a number between 1 and 25 and shift the letters that number of places in the alphabet. The shift number serves as the key. So if the shift number is 3 and I encrypt "Hello World":

Plaintext: Hello World

this becomes:

Ciphertext: Khoor Zruog
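To make the shift cipher concrete, here is an added Python example (not code from the original post) that encrypts and decrypts with the shift key described above, leaves non-letter characters such as spaces untouched, and also decrypts under all 25 keys to show why a shift cipher illustrates the encrypt/decrypt idea but gives no real confidentiality. The function names are my own.

```python
def shift_encrypt(plaintext: str, key: int) -> str:
    """Shift every ASCII letter `key` places forward in the alphabet, wrapping
    Z back to A. Case is preserved; spaces, digits and punctuation pass through."""
    if not 1 <= key <= 25:
        raise ValueError("shift key must be between 1 and 25")
    out = []
    for ch in plaintext:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + key) % 26 + ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + key) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the same operation with the complementary shift (26 - key)."""
    return shift_encrypt(ciphertext, 26 - key)


def all_shifts(ciphertext: str) -> dict:
    """Decrypt under every possible key. With only 25 keys the plaintext is
    recoverable by simply reading the 25 candidates, so the 'secret' key
    protects nothing; a real cipher needs a key space far too large to enumerate."""
    return {k: shift_decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    c = shift_encrypt("Hello World", 3)
    print("Plaintext:  Hello World")
    print("Ciphertext:", c)                      # Khoor Zruog
    print("Decrypted: ", shift_decrypt(c, 3))    # Hello World
    for k, candidate in all_shifts(c).items():
        print(f"key {k:2d}: {candidate}")
```

The encrypt and decrypt routines are the same function with complementary keys, which is exactly the "two-way" property the post contrasts with hashing below.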

Hashing

Hashing is the process of mapping data of any size to a fixed length using an algorithm. The output is known as a hash value (or hash code, hash sum, or even a hash digest if you want to get technical). Hashing is a one-way function, whereas encryption is a two-way function.
While it is technically possible to reverse a hash, the computational power needed makes it impractical. Hashing is a one-way street. Each hashing algorithm outputs a fixed length. Every hash value is supposed to be one-of-a-kind: a collision occurs when two separate files give the same hash value, which renders the algorithm unusable.

MD4, MD5 and SHA are some of the common hashing algorithms in use today. You can get a basic idea of how hashing works from the following figure.

(image: https://www.thesslstore.com/blog/difference-encryption-hashing-salting/)

What is Salting?

Salting is a term used when describing the process of hashing passwords. A salt is a unique value that may be appended to the end of a password to generate a different hash value.
This provides an extra layer of protection to the hashing process, preventing brute-force attacks. A brute-force attack is when a computer or botnet tries every conceivable letter and number combination until the password is discovered. That additional value is known as the "salt". Basically, adding this salt before hashing decreases the possibility of cracking the password.
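The following added Python example (not from the original post) ties the Hashing and Salting sections together: it shows the fixed-length, one-way digests described under Hashing, then contrasts an unsalted SHA-256 password hash with a salted one. The salted version uses PBKDF2-HMAC-SHA256 from the standard library, which is my choice of an iterated, slow hash and goes beyond the plain hash the post describes; the iteration count, the `salt$hash` storage format, the sample user table and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- Hashing: any input size -> fixed-length, one-way digest ------------------

def digest_hex(data: str, algorithm: str = "sha256") -> str:
    """Hex digest of `data` with a hashlib algorithm ("md5", "sha1", "sha256", ...)."""
    return hashlib.new(algorithm, data.encode("utf-8")).hexdigest()


def digest_lengths(algorithm: str = "sha256") -> set:
    """Digest lengths (hex characters) for inputs of very different sizes.
    A hash algorithm gives a single length whatever the input size."""
    samples = ["", "a", "Hello World", "x" * 100_000]
    return {len(digest_hex(s, algorithm)) for s in samples}


# --- Password storage: unsalted vs salted -------------------------------------

# Assumption of this example: an iterated hash (PBKDF2) slows down guessing.
# 100_000 keeps the demo quick; deployments should use the currently
# recommended count for their hardware, or a memory-hard KDF such as Argon2.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password_unsalted(password: str) -> str:
    """The weak way: the same password always gives the same digest, so one
    cracked hash is cracked for every user sharing that password, and tables
    of common passwords can be precomputed in advance."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password_salted(password: str, salt: Optional[bytes] = None) -> str:
    """The hardened way: a fresh random salt per user, mixed into an iterated
    hash. Stored as 'salt_hex$hash_hex' (a storage format chosen for this demo)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_password_groups(unsalted_hashes: dict) -> int:
    """Defender's check on an unsalted table {user: sha256_hex}: how many users
    are visibly sharing a password with someone else (identical digests)."""
    counts = {}
    for h in unsalted_hashes.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    # Constructed sample user table for the demo (not real credentials).
    users = {"alice": "Summer2020!", "bob": "Summer2020!", "carol": "correct horse battery staple"}
    unsalted = {u: hash_password_unsalted(p) for u, p in users.items()}
    salted = {u: hash_password_salted(p) for u, p in users.items()}
    print("sha256 digest lengths for tiny and huge inputs:", digest_lengths("sha256"))
    print("users visibly sharing a password (unsalted):", shared_password_groups(unsalted))
    print("alice == bob unsalted:", unsalted["alice"] == unsalted["bob"])
    print("alice == bob salted:  ", salted["alice"] == salted["bob"])
    print("verify alice:", verify_password("Summer2020!", salted["alice"]))
```

The unsalted table makes shared passwords visible to anyone who obtains it, which is the practical reason for the per-user salt; the salted entries for alice and bob differ even though their passwords are identical, and verification still works because the salt is stored alongside the hash.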

MSc student of Greenwich University || Software Engineer