Facebook accounts hacked

You must have heard about Facebook accounts being hacked. Around 30 million Facebook accounts were hacked.

There was a security breach last month in which attackers were able to steal secret access tokens for millions of accounts by taking advantage of a flaw in the ‘View As’ feature.

Though Facebook initially estimated that 50 million accounts were hacked, a later report said that 30 million accounts were hacked using this vulnerability.

A Facebook resource person said that hackers collected the following data from the victim accounts:

  1. For 15 million users: usernames and contact information, including phone numbers, email addresses and other contact details, depending on what users had on their profiles.
  2. For the other 14 million users: personal data collected in more detail, along with other details users had on their profiles, like gender, language, relationship status, religion, hometown, current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or pages they follow, and the 15 most recent searches.

How to check if your Facebook account was hacked or not:

Facebook users can check whether their account was hacked by visiting the social network’s help center.

Facebook will also directly reach out to affected users and inform them what data was collected when they were hacked.

Note: Please don’t overuse Facebook in your life. Make sure that you don’t post check-ins or your travel plans, so that a hacker (attacker) cannot build a complete profile of you. Live your life in the real world rather than the virtual one (social media).

OWASP top 10

OWASP stands for Open Web Application Security Project. It aims to raise awareness about application security by identifying some of the most critical risks facing organizations.

The newly released Top 10 list is:

  1. Injection.
  2. Broken Authentication.
  3. Sensitive Data Exposure.
  4. XML External entities.
  5. Broken Access Control.
  6. Security Misconfiguration.
  7. Cross-site Scripting(XSS).
  8. Insecure Deserialization.
  9. Using Components With Known Vulnerabilities.
  10. Insufficient Logging and Monitoring.

Injection:

Injection flaws, such as SQL, NoSQL and OS command injection, occur when untrusted or unverified data is sent to an interpreter as part of a query or command.

Example: SQL injection is the most common form of this attack.

Mitigation:

1. Use a safe API which avoids the use of the interpreter entirely.

2. Use whitelist server-side input validation. This is not a complete defense, as many applications require special characters, such as text areas or APIs for mobile applications.

3. Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.

Broken Authentication

It refers to improper authentication: application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

Mitigation:

1. Implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential re-use attacks.

2. Do not deploy with any default credentials, particularly for admin users.

3. Implement weak-password checks, such as testing new or changed passwords against a list of the top worst passwords.

Sensitive Data Exposure

Web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

Mitigation:

1. Classify data processed, stored or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.

2. Apply controls as per the classification.

3. Don’t store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen.

4. Make sure to encrypt all sensitive data at rest.

5. Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.

XML External Entities

External entities can be used to disclose internal files using the file URI handler, access internal file shares, perform internal port scanning, achieve remote code execution, and mount denial of service attacks.

Mitigation:

1. Implement positive (“whitelisting”) server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes.

2. Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar.

3. Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system.

Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users’ accounts, viewing sensitive files, modifying other users’ data, changing access rights, etc.

Mitigation:

1. With the exception of public resources, deny by default.

2. Implement access control mechanisms once and re-use them throughout the application, including minimizing CORS usage.

3. Model access controls should enforce record ownership, rather than accepting that the user can create, read, update, or delete any record.

4. Unique application business limit requirements should be enforced by domain models.

5. Disable web server directory listing and ensure file metadata (e.g. .git) and backup files are not present within web roots.

6. Log access control failures, alert admins when appropriate (e.g. repeated failures).

Security Misconfiguration

It is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

Mitigation:

1. Use a minimal platform without any unnecessary features, components, documentation, and samples. Remove or do not install unused features and frameworks.

2. Use an automated process to verify the effectiveness of the configurations and settings in all environments.

3. Use a repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically, with different credentials used in each environment.

Cross-site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Mitigation:

1. Use frameworks that automatically escape XSS by design, such as the latest Ruby on Rails or React JS. Learn the limitations of each framework’s XSS protection and appropriately handle the use cases which are not covered.

2. Escape untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL). This resolves reflected and stored XSS vulnerabilities.
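Mitigation 2 is the one developers most often get wrong, because the same value needs a different escaping rule in each context. The following added example (written for this page, not taken from the original post or any framework) shows one escaping function per context using only the Python standard library, and a renderer that places one untrusted value into three contexts; the `</` rewrite in the JavaScript case is an extra guard against closing the script block from inside a string literal.

```python
import html
import json
from urllib.parse import quote


def escape_for_context(value: str, context: str) -> str:
    """Escape untrusted text for the HTML context it will be placed in."""
    if context == "body":
        # Text between tags: neutralise < > & so no tag can start.
        return html.escape(value, quote=False)
    if context == "attribute":
        # Inside a quoted attribute: also neutralise quotes so the value
        # cannot break out of the attribute and start an event handler.
        return html.escape(value, quote=True)
    if context == "js":
        # Inside a <script> block: emit a JSON/JS string literal and make
        # sure the literal can never contain a closing </script> tag.
        return json.dumps(value).replace("</", "<\\/")
    if context == "url":
        # Inside a URL component: percent-encode everything but unreserved chars.
        return quote(value, safe="")
    raise ValueError(f"unknown context: {context}")


def render_profile(display_name: str) -> str:
    # The same untrusted value lands in three contexts, each escaped differently.
    return (
        "<p>" + escape_for_context(display_name, "body") + "</p>"
        '<input value="' + escape_for_context(display_name, "attribute") + '">'
        "<script>var name = " + escape_for_context(display_name, "js") + ";</script>"
    )


if __name__ == "__main__":
    # Constructed sample value containing characters meaningful in each context.
    print(render_profile('O\'Neil "<b>" </script>'))
```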

Insecure Deserialization

Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

Mitigation:

1. Monitor deserialization, alerting if a user deserializes constantly.

2. Implement integrity checks such as digital signatures on any serialized objects to prevent hostile object creation or data tampering.
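An added example of mitigation 2 (written for this page; not the original post's code): serialized data is tagged with an HMAC over the exact bytes, and the tag is verified in constant time before the bytes are handed to any parser. It deliberately uses JSON rather than a native object format, and the secret key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a server-side secret the client never sees. The value here is
# a constructed placeholder; a real deployment loads it from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def serialize_signed(obj: object, key: bytes = SECRET_KEY) -> str:
    """Serialize obj as JSON and append an HMAC-SHA256 tag over the payload."""
    payload = base64.urlsafe_b64encode(
        json.dumps(obj, sort_keys=True).encode()
    ).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def deserialize_verified(token: str, key: bytes = SECRET_KEY):
    """Return the object only if the tag verifies; otherwise None.

    The check runs before any parsing, so tampered or attacker-minted
    bytes never reach the deserializer.
    """
    payload, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    token = serialize_signed({"user": "alice", "role": "user"})
    print("round trip:", deserialize_verified(token))
    # Constructed tampering: swap in a payload claiming role=admin while
    # keeping the original tag. Verification fails, so nothing is parsed.
    forged = base64.urlsafe_b64encode(
        json.dumps({"role": "admin", "user": "alice"}).encode()
    ).decode()
    print("tampered:", deserialize_verified(forged + "." + token.rpartition(".")[2]))
```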

Using Components With Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover.

Mitigation:

1. Remove unused dependencies, unnecessary features, components, files, and documentation.

2. Only obtain components from official sources over secure links. Prefer signed packages to reduce the chance of including a modified, malicious component.

Insufficient Logging and Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.

Mitigation:

1. Ensure that logs are generated in a format that can be easily consumed by a centralized log management solution.

2. Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.

For more details, visit the official OWASP website.

What happens when you sleep

Recently you must have read or heard about Google collecting your data even when you are not using their services. You will be amazed at how much data can be collected without your knowledge. In this blog, I show how data is collected, using a minimal lab setup.

Lab Setup:
1. I installed a free proxy server (JanaServer) on my laptop and started the server.
Link to download the software here.
Note: If the link is not working, Google “JanaServer server download” and download it from the website.

2. Go to the IP address section.

3. After clicking the IP address, you will be directed to a new page. Enter your laptop’s/system’s IP address there. To find your system’s IP address, open Command Prompt and run ipconfig; the IPv4 address shown is your IP address.

4. After setting the IP address go to the ports section. Set which port function you want and then click on submit.

5. Now Proxy server setup is done. To check the port number used by the functions, scroll down.

6. On your mobile:

a. Go to Settings -> Wi-Fi -> On -> select your Wi-Fi network and long-press the network name.

b. It will give you options such as Forget network and Modify network.

c. Select Modify network -> select Proxy -> enter your laptop’s IP address (192.168.225.62) and the port number (3128) from the server’s settings. Here 3128 is the HTTP port.

d. Now save the settings.

e. Access google.com or any other website to check whether your proxy is working.

f. Change the proxy port to a random number and refresh the website. If it reports that a problem occurred, your proxy setup is working fine.

g. Change the proxy port to the previous one.

7. After the proxy server setup, I browsed from 6.10 PM to 6.13 PM.
8. Then I kept my phone idle from 6.14 PM to 6.21 PM.
9. After a while, I opened the proxy server’s log file, which is created under the name “proxy.log”.


10. After going through the log file, I could see how much of my data was being collected by the apps installed on my mobile.

I have attached the “proxy.log” file; you can check it here: Proxy_log.
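To turn step 10 into something repeatable, here is an added example (not part of the original post) that parses proxy log lines and counts which hosts were contacted inside a time window, so the idle period can be compared with the browsing period. JanaServer's real proxy.log layout is not shown on the page, so the sample lines and the assumed one-request-per-line format "HH:MM:SS client_ip METHOD host" are constructed for this example.

```python
import re
from collections import Counter
from datetime import time

# Constructed sample of a proxy access log. The real proxy.log layout depends
# on the proxy software (JanaServer here); this assumes one request per line
# as "HH:MM:SS client_ip METHOD host". Times and hosts are made up.
SAMPLE_LOG = """\
18:10:12 192.168.225.40 GET www.google.com
18:11:05 192.168.225.40 GET news.example.org
18:12:40 192.168.225.40 GET www.google.com
18:15:30 192.168.225.40 POST telemetry.app-vendor.example
18:17:02 192.168.225.40 GET ads.tracker.example
18:17:03 192.168.225.40 GET ads.tracker.example
18:20:44 192.168.225.40 POST telemetry.app-vendor.example
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\s+(\S+)\s+(\S+)\s+(\S+)$")


def _hms(text: str) -> time:
    """Turn 'HH:MM:SS' into a datetime.time for range comparisons."""
    hh, mm, ss = (int(part) for part in text.split(":"))
    return time(hh, mm, ss)


def parse_log(text: str) -> list:
    """Return (time, client, method, host) tuples; skip lines that don't match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hh, mm, ss, client, method, host = m.groups()
            entries.append((time(int(hh), int(mm), int(ss)), client, method, host))
    return entries


def hosts_in_window(entries: list, start: str, end: str) -> Counter:
    """Count requests per host whose timestamp falls in [start, end] (HH:MM:SS)."""
    lo, hi = _hms(start), _hms(end)
    return Counter(host for ts, _, _, host in entries if lo <= ts <= hi)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    # Windows mirror the experiment: active browsing, then the phone left idle.
    print("browsing:", hosts_in_window(log, "18:10:00", "18:13:59"))
    print("idle:    ", hosts_in_window(log, "18:14:00", "18:21:59"))
```

Any host that shows up only in the idle window is traffic an installed app generated on its own, which is exactly what the experiment set out to find.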

Mitigation:

Always disconnect Wi-Fi/mobile data on your mobile/tablet when you are not using it, so that your data won’t be sent to the servers of the applications you have installed.

Now you know how much data is being collected even though you have closed the application.

GDPR: From a Developer’s Perspective

General Data Protection Regulation (GDPR) is a set of rules that came into effect on May 25th, 2018. It regulates the use of data and applies to all organizations that store or process any data relating to individuals inside the EU. I have covered what GDPR is and what its principles are in my previous blogs. If you haven’t read them yet, please go through them.

So in this blog, I will be writing about GDPR from a developer’s perspective: what steps the developer has to take in order to follow GDPR regulations for the data collected from his data subjects/clients/users.

Rules that must be implemented:

  1. There must be a feature in the application through which all data related to a particular UserId can be deleted.
  2. Third parties must be notified when data related to a data subject is erased. The developer should use the third parties’ APIs to verify that the data is restricted as per the user’s wish.
  3. Restrict processing: users should be given an option to choose that some of their data must not be exposed (publicly). Once the button is clicked, that data should not be exposed by the application or to any third party.
  4. There should be an export button in the user’s portal so that the user can export the data the application has collected about them.
  5. The terms and conditions. Previously, terms and conditions were a long page which was accepted or rejected at the end. Instead, this can be changed into an FAQ (Frequently Asked Questions) with a consent checkbox (Yes/No). The user gets a clear picture of where their data will be shared and whether they are ready to share it; if not, they can opt for “No”.

Data Rules for Developers:

  1. Encrypt the data at rest.
  2. Encrypt data in transit.
  3. Make a log file whenever the personal data is viewed/edited.
  4. Create a backup of the data.
  5. Protect data integrity.

Checklist for developers:

  1. Make sure the data is collected with the user’s consent and is used only for its stated purpose.
  2. Make sure old logs containing personal data are deleted.
  3. Make sure third parties have a basic level of data security.

For more details click on this link

What is GDPR? Why are we getting new mails regarding privacy policy update?

You might have noticed mails from social media and other services with which you have shared your data, about their updated terms and conditions. This means that these services have changed their terms to comply with GDPR.

What is GDPR?
GDPR stands for General Data Protection Regulation. It exists to protect EU citizens and give them more control over their data. This is a fundamental change in the way organisations must approach data privacy.

When did GDPR start?
GDPR came into effect across the European Union on 25th May 2018.

GDPR Definitions:
Natural Person, Personal Data, Processing, Profiling, Controller, Processor, Supervisory Authority.
Natural Person: a natural person can be identified by name, identification number, location data or an online identifier.
Personal Data: any information relating to a natural person that can be used to identify him or her.
Processing: any operation performed on personal data, by automated or manual means, to record and collect the data.
Profiling: automated processing of personal data intended to evaluate, analyse or predict the data subject’s behaviour.
Controller: the entity that determines the purpose, conditions and means of processing personal data.
Processor: the entity that processes the data on behalf of the controller.
Supervisory Authority: a public authority established by a government to provide supervision.

Principles of GDPR:
1. Data collected for specific and explicit purposes.
2. Data must be accurate and maintained.
3. Data retained only for how long it is needed.
4. Data must be processed lawfully, transparently and fairly.
5. Data must be processed securely and you must be able to prove this.
6. Data held must be adequate, relevant and limited to what is needed.

Next question would be who has to follow these GDPR rules?
Anyone located within the European Union, and anyone who holds information about EU citizens, has to follow these rules (the principles of GDPR).

You must be wondering what rights we, as customers/clients/users of social media, email and other services, have over our personal data. These are the rights of the data subject:
* Portability.
* Rectification.
* Erasure.
* Profiling and fairness.
* Access.
* Restrict processing.
* Object to processing.
* Information privacy.

WhatsApp ‘hang’ message prank!!

Hi ,

You must have seen or heard about the WhatsApp hang message. Many users are facing issues with the functioning of their WhatsApp after tapping on this message: “If you touch the black point the your whatsapp will hang”.

What is this message and why WhatsApp is hanging ?
To answer this: there are either two messages, or perhaps a single message with a line break, containing a line saying “If you touch the black point the your whatsapp will hang”, followed by a second line with some spaces at the start and text that reads “t-touch-here”. There are also some emojis of a finger pointing downwards in the first line before the word “black”, and a black circle next to an emoji of a finger pointing left in the second line.

The moment you tap on the message, or on the black point to follow the directions given in the first line, your WhatsApp “hangs” for a while and you cannot scroll up or down. There is nothing malicious behind this bug, but it has seemingly been composed to annoy you. The forwarded message contains some unknown special character that, upon being tapped, impedes the operation of WhatsApp.

Those who have received this message need not worry, as this is a harmless prank. However, you are advised not to touch any part of this message.

What is Cambridge Analytica? What is the Scandal about it?

Hi,

Cambridge Analytica is basically a consulting firm which deals with data mining and data analysis for the electoral process.

In March 2018, there were reports about a data breach by Cambridge Analytica involving Facebook. Now, how did they collect the data, how did they classify it, to whom did they sell this data, and how did they strategize for their benefit?

You may have seen ads like “Which celebrity do you look like”, “How will you die”, “Will you be rich in future”, apps like thisisyourdigitallife, etc. When you click on these ads or posts you are directed to an access page where you have to give the app permission to access data from your profile, like your name, date of birth, religion, your interests, etc. Without checking what access it is asking for, you just click OK because you read “It will not post anything on your profile”. It then gives you some bluff results based on your posts and views, which you think are correct.

At the backend, they collect the data and structure it the way they want. From the collected data they are able to tell your age, your interests, who you support, and whether you are an introvert or an extrovert. Based on this they provide data to either the ruling or the opposition party and give them suggestions on how to attract users to vote for them.

Now, as per sources, the data of half a million Facebook users from India has been mined for electoral purposes. Facebook has also said that on 11th April users will get a notification in their news feed telling them whether their data has been affected and, if so, how. For more info on this click here.

Facebook settings that you should change right now

Hi all,

You may have heard that there is a breach of data security on Facebook. Here are some settings that will help to protect your data.

Facebook settings you need to change:

1. To know which apps and services share your data on Facebook:

Settings -> Apps -> you will see the apps and services that are connected to your Facebook account.

Remove them if you don’t recognize them.

2. Limit the information that friends share about you:

Settings -> Apps -> scroll down -> Apps others use -> Edit -> uncheck the data which you don’t want to be shared.

3. Manage app permissions, if you have installed the Facebook app on your phone:

Settings -> App permissions -> Facebook app -> switch off (revoke) the permissions for contacts, messages, call logs, etc. That way, this information will not be shared with Facebook.

Also, if you are using Facebook Messenger, uninstall it and install it again without turning on “Text anyone in the phone”. Don’t add your number to the Messenger app (you can just skip it), and don’t turn on “Send and receive SMS from Messenger”.

4. Limit the ads: Settings -> Ads. You can revoke permissions under “Your Information”, “Ad settings” and “Interests”, so that your data is better protected from now on.

5. Make sure you never log in to 3rd party apps with your Facebook account. If you do, click on Review and see what permissions it is asking for.

6. You must have seen ads like “Know what you will be in future”, “Who is your spirit animal” or “Which celebrity looks like you”. Avoid them, because these are the ads which take access to your data and may sell it to 3rd parties.

7. Check this link to see the contacts that Facebook has gathered from your mobile even though you never shared them.

CredSSP Flaw in Remote Desktop Protocol Affects All Versions of Windows

Hi Everyone,

A critical vulnerability has been discovered in Credential Security Support Provider protocol (CredSSP) that affects all versions of Windows to date and could allow remote attackers to exploit RDP and WinRM to steal data and run malicious code.

This flaw was discovered by researchers at the cybersecurity firm Preempt Security. It can be exploited through a man-in-the-middle attack by someone with Wi-Fi or physical access to the network.

How to defend yourself?

  1. Recommended: patch workstations and servers using the available updates from Microsoft.
  2. It would be better if the use of privileged accounts is reduced. For more details click here.