Category Archives: information security

Good Read: 2020 Cybersecurity Trends to Watch

The wheels of 2020’s biggest cybersecurity threats have already been set motion. Mobile, the cloud and artificial intelligence, to name a few, are trends that will continue to be exploited by criminals. Couple that with the rapid growth of software development and a cybersecurity skills shortage and that should be enough to keep security pros on their toes.

Here is what experts say the year ahead in cybersecurity has in store. Reference

Mobile will become a primary phishing vector for credential attacks in 2020. “Traditional secure email gateways block potential phishing emails and malicious URLs, which works for protecting corporate email from account takeover attacks, but neglects mobile attack vectors, including personal email, social networking, and other mobile centric messaging platforms such as secure messaging apps and SMS/MMS,” according to Lookout security experts.

CyberSecurity: Why every app needs to know your location?

Just a few days back, Me & my friend was planning to go to Chipotle for Lunch. We both love Chipotle. We have been to Chipotle before. Just a few months back & Restaurant was little bit far away. So I asked him to go near by this time. While we were discussing, we both try to search the same Chipotle nearby. Interesting, For me Google shows nearby but for my friend, It shows up 15 KM away. Same google search.

He asked me why does google not show chipotle near by? The interesting thing is google didn’t show Chipotle which is near to us but showing the results where we have been before. It is not about search. It is about your location data. Google knows where your are & Where you have been before?
The truth is Google track your location even if you are offline.

So, What’s the big deal of Location Data?

Well, Applications have all your data. Very very sensitive data your health records, your home address & every details about you. Apps have penetrated successful in life & collected your data that we have come to the situation where apps know more about you than you know about yourself. Experts call it surveillance economy.

But question is Why is location data have more security concern? Isn’t like any other data? Well, Yes it is important because Home address, email etc are one & permanent address & do not change frequently. You can be out of home & close email etc. However, Keep an eye on location data means Someone following you wherever you go & you can’t stop them. Your smartphone is a spy device & you are carrying willingly allowing apps to track you.

Cyber experts always say the privacy isn’t something you own it or controlled it. However, If some app actually needs it then it makes sense. For example, If I want to take a cab. I wish to get my location by Uber or Lyft automatically. However, These apps should not track my location all the time. My location data would be used for commercial as well & This is perfectly alright up-to some extent.

However, torch, Health apps, photo scanner etc trying to collect your location data does not make sense.

Why these apps know about location?

It’s all about showing relevant content & ads to the users. And, One of the reason is that companies like Apple, Facebook, Amazon & Google are trying to reduce the gaps between offline & online world. Let’s if Google knows what kind of stores you have been visiting & same data shared with Amazon. They can target you & show personalized content, offer etc.

If weather apps can share your location data with facebook or other restaurants & facebook can start showing up ads accordingly. In general, Fee apps (Nothing is free as such) are more aggressive in collecting data & selling to companies like Facebook, Amazon etc.

How to put safety guards?

Android & iOS both operating systems supports apps level permission & settings. iOs devices have easy settings where user can modify apps behaviour & allow to collect location data when you are using it.

Google does have guide to change the apps permission.

CyberSecurity: EMV enabled credit cards does not stop fraud!

State bank of India asked their customer to get rid of a conventional swipe card and replace with EMV enabled chip cards. EMV Chips are considered to be safer & prevent credit/Debit cards fraud.

FYI: EMV stands for ‘Europay MasterCard Visa’ while the PIN is an acronym for the personal identification number.

Purpose of EMV

In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant’s point-of-sale terminal. EMV is meant to replace conventional swipe transactions that rely on magnetic strips, which contain data that is relatively easy for criminals to intercept and then copy on to a new card.

Reality of EVM

new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology.

This represents a major setback for the technology, known as the EMV standard, which is named after the companies (Europay, Mastercard and Visa) that created it.

“45.8 million…records [were] likely compromised through card-sniffing and point-of-sale (POS) breaches of businesses such as Saks, Lord & Taylor, Jason’s Deli, Cheddar’s Scratch Kitchen, Forever 21, and Whole Foods. To break it down even further, 90% or 41.6 million of those records were EMV chip-enabled,” states the report.

How fraud is still possible?

While the EMV standard is supposed to ensure the card data cannot be captured, many merchants are failing to properly configure their systems. This is the problem where banks & merchants are not configuring their systems and keep the system vulnerable.

What is the use of stolen Data?

There are multiple ways cybercriminals use stolen data. First & easy way is to sell these credit cards number in the dark web. A market full of criminals & isn’t public web or apps. The second method is that They create the replica of these cards & use it to withdraw money.


CyberSecurity: Reading my next book (Attacking Network protocols)

Today I received my new book “Attacking Network Protocols” from James ForshawBook seems promising & lots of interesting topics. Let’s see how it goes. 

My objective to read my new book is to get a deep understanding of network protocols, Networking layers & internal working of the internet. These are the core & foundational pillar of the internet. It also provides details about how to secure & break network protocols by stuff like sniffing data packets & finding vulnerabilities.

So far I have read multiple books on cybersecurity and some of them are:

  • Iron-Clad Java: Building Secure Web Applications: Every IT person should read this book. Basically, This is one of the best books for anyone who is involved in IT project development work. It explains a lot of good examples, practices & common mistake done by the developers. Also, Very much recommended for cybersecurity newbie like me.
  • Hacking: Hacking Practical Guide for Beginners: This isn’t great for the beginner, however, good for those who are looking to understand penetration testing & hacking stuff. This book has very precise information about a few important topics in penetration testing.
  • A few Online papers. will detail some of the important papers in some other posts.

Will keep updating as I read through this book.