Saturday, 11 May 2019

Bank Vulnerability: Accessing Account Information of Other Users in One of the Top 5 Private Banks

Saga of a Vulnerability in "One of the Top 5 Private Banks": Accessing Account Information of Other Users

This disclosure is regarding a vulnerability which remained open for 5 months even after reporting it to bank officials. God knows whether this was actively exploited or not, but it was something serious which the bank should have taken care of, yet they did not until 10th May, when I asked them again about the status.

I found it in the iPad version of the "One of the Top 5 Banks" application at the end of last year, on 23rd November 2018, and it was fixed on 10th May 2019.

Saturday, 24 November 2018

Indian Mutual Fund Customer Data Is On Risk | Mutual Funds Vulnerability

Mutual funds in India are growing today, and most people invest some part of their income for a better future, building wealth through SIPs and lump-sum investments. In India we have around 34 AMCs. While investing, users need to submit their data, e.g. name, email, address, PAN, Aadhaar number and other details, to AMCs for the KYC process. Such critical customer details are useful to cyber criminals who get their hands on them for fraud and other criminal activities.

Monday, 5 November 2018

Pentesting CMS: WordPress, Joomla, Drupal

Hello all, today we will see how we can pentest CMSs like WordPress, Drupal, Joomla etc.

Sometimes we might get a CMS-based website or application to perform VAPT on. Pentesting a CMS is a bit of a headache, because in a CMS the back-end code is mostly pre-defined by the nature and behaviour of the CMS; anyone can download the CMS package and create a website or blog in seconds without any coding knowledge or extra skills.

So, while pentesting a CMS, we have to work against pre-defined (static) code designed by experts, such as the WordPress, Drupal and Joomla core.

First of all we have to map our target for a structured view. It is better if we crawl the target using different tools; Burp is a great option. Apart from this we can use "dirb", present in Kali Linux, which brute-forces URI and directory names to find out what exists on the server.

Wednesday, 4 July 2018

Information Security Controls

Information security controls are mechanisms or sets of rules to decrease risk in terms of vulnerabilities, internal and external threats, etc. Information security also covers other aspects of an organisation like computer security, physical security, network security, business continuity planning, disaster recovery planning, and countermeasures against existing or future attacks.

These controls enable an organisation to keep its information confidential against external or internal attacks, and help the organisation keep its systems running after any attack.

They also give you a view of how secure your information is.

Here are some important things which should be covered under information security controls.

  • This rule comes under physical security: every person entering the organisation should pass through well-managed physical security which is monitored properly to identify unknown intruders.

  • Every piece of information generated or produced in an organisation should be properly backed up from time to time to prevent data loss due to hacking attempts and system failure. It is also recommended to create a robust backup and restore system which is run and managed properly.

  • Incident response should be in place to respond immediately to any incident, which can be anything like a fire, a physical attacker or any technical hacking attack.

  • Keeping your employees trained and educated about incidents is also covered under information security controls. If your employees are well trained for these types of situations, there is less chance of loss to the organisation.

  • Log monitoring must be in place in an organisation to identify insider and outsider attacks before an incident happens. Many organisations use log monitoring for their web applications and internal systems, and for incoming and outgoing traffic.

Information security controls are mainly divided into 7 categories:

1. Network Security

2. Access Control

3. Security Management

4. Physical Security

5. Business Continuity & DR Planning

6. Operations Security

7. Application/System Security

1. Network Security Controls

Network security controls are the first and most important part for an organisation, because this part starts from the bottom line, or you can say it is the heart of any company. Network security covers internal devices like routers, switches and other devices which are very important for an organisation to continue its work.

Setting up a firewall and UTM is recommended for every organisation to keep control of its network environment.

2. Access Controls

Access controls cover the rights or privileges of each and every user under an organisation, including internal employees; access control comes under authorization. It is very important that every user has only the limited privileges and rights needed to continue their work. For example, an employee of an organisation should not be able to perform administrator-level actions like changing someone's password, accessing internal resources, etc.

3. Security Management

Security management is the classification of an organisation's asset inventory, which should be followed by proper guidelines, rule sets and documentation. Many organisations create security policies which must be followed by their employees, like no employee being allowed to bring any storage device onto office premises, which decreases the risk of insider data theft.

4. Physical Security

Physical security is also an important factor for an organisation to identify an unknown intruder or attacker, and to decrease the risk of business loss from fire, earthquake or any other natural or man-made event.

Many things come under physical security, like CCTV cameras, security guards, fire prevention systems, and entry gate authentication such as fingerprint scanners or eye detection mechanisms.

5. Business Continuity & DR Planning

Business continuity & DR planning allow an organisation to keep running its business regularly if it is or was under attack, or has suffered data loss or system failure.

This control manages the whole data of an organisation, backing it up automatically from time to time so that it can be restored in case of data loss or any hacking attack.

6. Operations Security

OPSEC (Operations Security) covers unwanted or unintended risks which can be used against us; OPSEC looks after all of this to check whether any information could be used against us or not.

7. Application/System Security

Application/System security is a major control for an organisation to keep its online identity safe and confidential. This control covers maintaining application/system security through different technologies like firewalls, IPS, SIEM and other log monitoring systems.

This will help an organisation to keep itself secure before or during an attack.