
Sunday, May 1, 2011

Ettercap For Password Sniffing...

Monday, April 4, 2011

NATIONAL ANTHEM A TRIBUTE TO INDIAN TEAM.mov

Wednesday, January 26, 2011

Fighting Brute Force Attack...

Hi friends.......

The simplest type of hacking a hacker can do is to use a brute force attack to gain sensitive information about someone. Generally, it is applied to guess the password of any desktop or the user name-password pair of any web application.

The brute force technique requires no decrypting tool, no computer knowledge, just nothing.

The brute force technique is sometimes also known as a dictionary attack.

The "dictionary attack" method mostly uses words in the dictionary to guess the passwords and may add a number at the beginning or at the end for best guesses.

The "brute force" method uses cryptanalysis techniques to find more complex words that have a combination of "alpha", "numeric" and "special" characters in them.

In this technique a combination of strings is repeatedly applied to crack the password until a perfect match is found. Time is the main component in this attack.

If sufficient time is given, every password can be cracked sooner or later. The time depends heavily on the complexity involved in choosing the password.

The power and efficiency of this simple algorithm can be understood by the fact that every password can be cracked through a brute force attack provided sufficient time is given, which partially means a password can 100% be cracked using this simple technique.

The process is extremely simple and thousands of automated software tools are already available on the Internet.
However, as a member of an ethical group I am interested in giving information about how to prevent it.

So let us see how we can minimize this.


1.PASSWORD SELECTION


It is human tendency to search for comfort, and the same applies while choosing a password. At least, friend, be specific while choosing a password. Generally people don't remember complicated passwords and choose ones such as license number, date of birth, spouse's or father's name, pet name, girlfriend's/boyfriend's name etc. As these passwords are easy for you to remember, they are equally easy for any interested hacker to guess.

Also, as hackers are very smart, he will not use a web browser to guess each user name and password. He will be using a computerised automated tool which can fire more than 1000 password combinations per minute, with credentials generated from a large list.

This list is called a dictionary.

Again, if the attacker succeeds in cracking the password of any one website, he might be able to crack all the other passwords of different websites, as most people keep the same password for all places. So please, friends, choose your passwords securely.




A strong password policy can be as follows..

must contain at least 7 characters
must contain at least one uppercase letter
must contain at least one lowercase letter
must contain at least one digit
must contain at least one special character






A password like M!c12@ will generate 735091890625 combinations through a brute force attack and about 37558352909169000000 through a dictionary attack, and would require approx. 233 years at 100 passwords per second to crack on a normal machine and at least 8 continuous days at 1000000 passwords per second on a highly powerful machine...

Again, my password M!c12@isbest will require 5389762 years, 2 months.
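
The brute force figures quoted for M!c12@ can be reproduced by assuming an alphabet of the 95 printable ASCII characters, which gives exactly 735091890625 strings of length 6. The following is an added example, not code from the original post: it checks a password against the policy listed above and computes the worst-case exhaustive-search time at a given guess rate. The function names and the 95-character alphabet are assumptions of the example.

```python
import string

# Rules of the policy listed above: (description, predicate).
POLICY = [
    ("at least 7 characters", lambda p: len(p) >= 7),
    ("an uppercase letter", lambda p: any(c.isupper() for c in p)),
    ("a lowercase letter", lambda p: any(c.islower() for c in p)),
    ("a digit", lambda p: any(c.isdigit() for c in p)),
    ("a special character", lambda p: any(c in string.punctuation for c in p)),
]

PRINTABLE_ASCII = 95  # assumption: letters, digits, punctuation and space


def policy_violations(password):
    """Return the description of every policy rule the password breaks."""
    return [name for name, ok in POLICY if not ok(password)]


def keyspace(length, alphabet=PRINTABLE_ASCII):
    """Number of candidate strings of exactly `length` characters."""
    return alphabet ** length


def seconds_to_exhaust(length, guesses_per_second, alphabet=PRINTABLE_ASCII):
    """Worst-case time for an exhaustive search at a fixed guess rate."""
    return keyspace(length, alphabet) / guesses_per_second


def years(seconds):
    return seconds / (365 * 24 * 3600)


def days(seconds):
    return seconds / (24 * 3600)


if __name__ == "__main__":
    sample = "M!c12@"  # the password used in the text
    print("policy violations:", policy_violations(sample))
    print("keyspace:", keyspace(len(sample)))
    print("years at 100/s: %.0f" % years(seconds_to_exhaust(len(sample), 100)))
    print("days at 1000000/s: %.1f" % days(seconds_to_exhaust(len(sample), 10**6)))
    # Each extra character multiplies the search time by the alphabet size.
    for n in range(6, 13):
        t = years(seconds_to_exhaust(n, 10**6))
        print("%2d characters: %.3g years at 1000000/s" % (n, t))
```

The loop at the end shows why length matters more than any single character class: every added character multiplies the work by 95.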


To check your password strength, please click here.


The above policy may seem strict, but it will guarantee that your password cannot be cracked easily. A password of 7 characters having a mixture of lowercase letters, uppercase letters and special symbols generates more than 70 trillion combinations and requires more than 10000 years of human time through a dictionary attack.


Many organisations use an intrusion detection system (IDS) to monitor for a high number of requests from the same user, but this is not sufficient to prevent a brute force attack, as the bandwidth of the automated tool can easily be controlled.


2.USER NAME SELECTION


As discussed above, the password is only half of the information; the other half is the user name.

Choosing the user name is equally important. The same policy can be applied while choosing user names also.

Some web development tools or frameworks implement default settings which are very easy targets for any smart hacker.

User names can also be guessed and are therefore more risky than passwords, as default titles like admin or administrator give more privileged rights. If the hacker is able to log in with these administrative rights he may do more damage than with normal user accounts.

Besides administrative accounts, user accounts are also easily hackable. Normally users choose names, email ids or phone numbers as their user names (remember Facebook). Here once again the user's laziness benefits the attacker.

Another method can be disabling the account after a finite number of failed login attempts, but this creates another type of attack known as a denial of service attack (DoS).

First of all, with this type of preventive measure the attacker might get frustrated: if 3 wrong attempts lock the account for a few hours, brute forcing with an automated tool at the rate of 100 will increase from a single second to many, many days.

The side effect of this is that the legitimate user will be denied the service.
As the automated tool keeps on attempting wrong passwords and locking the account continuously, the legitimate user will not get the chance to use the service.

Again, locking is done to prevent password guessing, but what if the attacker is interested in the user name?
Instead of varying the password, this time he will vary the user names; he will fire more than a thousand requests and the system will register only a single failed transaction per account.

Another method can be using an incremental delay in sending the response: a 1 second delay for the first wrong attempt, a 2 second delay for the second wrong attempt and so on. The user can wait for a few seconds instead of waiting hours after locking, but the automated software will suffer heavily from this delay.

The disadvantage of the above method is that the system has to keep track of the sending application; however, the automated tool can be configured to start a new session each time a request is sent to the server.

The user can also be tracked by IP address, but there are many situations where multiple users share the same IP address or a single user uses different IP addresses.

However, this is at least a better method for guarding against brute force attacks than locking the accounts.


3.ERRORS


The last strategy can be displaying appropriate errors when a failed login attempt occurs.


Consider the two error messages.
 1.user name does not exist
 2.incorrect password.


The first message tells us that the user name does not exist in the system, hence he will move to the next user name and would save a lot of time otherwise spent trying to guess the password for that account.


The second message tells us that the user name does exist but the password is wrong; the hacker now knows the user name is correct and just keeps applying password cracking techniques.


Error messages like "user name and password do not match" can be used to report a failed login. No one can guess from this error message whether the user name or the password is wrong.
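
The incremental delay from section 2 and the single error message from section 3 fit together in one login check. The following is an added example, not code from the original post: failures are counted both per account name and per source address, so varying the user names or the addresses does not escape the delay, and the delay is enforced as an earliest time for the next attempt rather than by sleeping. The class name, the 60 second cap, the one hour expiry and the sample account are assumptions of the example.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "user name and password do not match"
THROTTLED = "too many attempts, try again later"
MAX_DELAY = 60        # assumed cap, so the delay never turns into a lockout
FORGET_AFTER = 3600   # assumed: failure counts expire after a quiet hour


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class LoginThrottle:
    """Incremental delay counted per account name and per source address."""

    def __init__(self, users):
        self.users = {}
        for name, password in users.items():  # constructed demo accounts
            salt = os.urandom(16)
            self.users[name] = (salt, _hash(password, salt))
        # Unknown names are checked against this record so they cost the
        # same hashing work as real ones.
        self.dummy = (os.urandom(16), os.urandom(32))
        self.state = {}  # key -> (consecutive failures, time of last failure)

    def _wait(self, keys, now):
        waits = [0]
        for key in keys:
            count, last = self.state.get(key, (0, 0))
            if now - last <= FORGET_AFTER:
                waits.append(last + min(count, MAX_DELAY) - now)
        return max(waits)

    def attempt(self, username, password, source, now):
        """Return (ok, message, seconds until the next attempt is served)."""
        keys = [("user", username), ("source", source)]
        wait = self._wait(keys, now)
        if wait > 0:
            # Inside the delay window: answer without testing the password,
            # so guesses sent early tell the sender nothing.
            return False, THROTTLED, wait
        salt, stored = self.users.get(username, self.dummy)
        matches = hmac.compare_digest(_hash(password, salt), stored)
        if matches and username in self.users:
            self.state.pop(("user", username), None)
            return True, "login ok", 0
        for key in keys:
            count, last = self.state.get(key, (0, 0))
            if now - last > FORGET_AFTER:
                count = 0
            self.state[key] = (count + 1, now)
        # Same text whether the name or the password was wrong.
        return False, GENERIC_ERROR, self._wait(keys, now)


if __name__ == "__main__":
    t = LoginThrottle({"alice": "Corr3ct!horse"})
    print(t.attempt("alice", "guess1", "192.0.2.1", now=0))
    print(t.attempt("nosuchuser", "guess2", "192.0.2.1", now=1))
    print(t.attempt("alice", "Corr3ct!horse", "192.0.2.1", now=1.5))
    print(t.attempt("alice", "Corr3ct!horse", "192.0.2.1", now=3))
```

The failure table here lives in memory and grows with every new name or address seen; a deployed version needs a shared store with expiry.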






There are numerous more techniques and measures which we will see in the coming articles..




Please comment...


JITENDRA KUMAR PATEL.
http://www.facebook.com/bewithjitendrapatel  

Monday, January 24, 2011

Disadvantages of MNP.....


Hi Friends,
Hope you all are fine and have read my previous blog...{ please click }


In that article I had already discussed the advantages of Mobile Number Portability.






There are basically four types of number portability mechanism.


(A). LOCATION BASED PORTABILITY
 Through this the user can port numbers between different geographical areas.


(B). OPERATOR BASED PORTABILITY
 Through this the user can port numbers between different service providers within the same circle.


(C). SERVICE BASED PORTABILITY
 Through this the user can port numbers from CDMA to GSM or vice versa for the same operator.


(D). CONVERGENCE BASED PORTABILITY
 Through this the user can port a land line number to mobile telephony or vice versa.


In INDIA only operator based and service based number portability have been launched; if successful, the other two would be launched also.


Let us now examine the disadvantages of Mobile Number Portability.


Please note that while reading you might feel that, compared with the advantages, these are of no importance, but as an individual using any service one should know at least the basic pros and cons.


The disadvantages are as follows...


1.If the service is changed between two different technologies, viz. from CDMA to GSM or vice versa, then the handset will have to be changed.


Changing handsets means "expense overhead".


2.Again, the expectation that the service could be changed by just an SMS is completely wrong. The user still has to visit the service provider's outlet, which I think is the most boring task.


3.On switching, the remaining funds are not transferred, and hence the user either has to use them up unnecessarily or has to wait till they get exhausted. And interestingly, more than 80% of mobile connections are prepaid.


4.There will be higher marketing expenses for the operators with very little or no extra profit.


5.As multi-SIM mobiles are already in the market at a very cheap price, switching to another service provider for a few extra services will not be feasible for Indian users.


5.Again, if a user switches to a service provider of interest and finds that it is not providing service as good as expected or up to his mark, then he has to wait for at least 90 days to switch again.


Waiting 90 days is much more tedious than buying another SIM card.


6.The major disadvantage is that the switching must be within the circle.


The user is still not allowed to switch between different states.


7.Switching out of frustration with a single service would take the user away from other better services.


8.Although the number remains the same, the user finds problems in understanding the operating system, value added services, calling cards and settings of the new provider.


9.Availing this facility requires many clerical formalities.


10.As a customer this facility should be free, but TRAI has already charged INR 19.


11.By availing this facility the user loses the number identity associated with a particular operator.


Now this will prevent predicting from where a subscriber avails his mobile service. Due to this, criminal investigations also become complex and time consuming.


12.The porting period is very long, during that time the mobile might stop functioning, and it is also not fixed how long this lasts.


13.From the operators' side, this will create tough competition between operators.


14.As the call routing mechanism after porting is very complex, there will be a lot of complaints about call drops, and calls will be prone to getting hacked.


What happens is that when a number is ported it is first entered in the managing firm's database.


Every operator manages a number portability database (NPDB). When a user initiates a call or sends a message (SMS), the number is first searched in the NPDB. If it is found there, the corresponding number and local routing number (LRN) are fetched and the call or SMS is forwarded. LRN is a unique number assigned to each operator by DOT.


Suppose you are a Reliance customer and you call me (on my Airtel number, but I have already ported my number to BSNL - hey, don't abuse me, I will not do that); then the query results in the BSNL LRN and the call is forwarded.


This whole process takes a very heavy amount of time and also expense for the operators.


15.For the Indian government, BSNL is already blamed for poor services; heavy porting away from BSNL will decrease government revenues.


Despite all these disadvantages this is a very good start for Indian customers, and if all goes well these disadvantages will be removed soon and customers will benefit more and more and more.....


Please take a few seconds to comment.......


JITENDRA KUMAR PATEL.
http://www.facebook.com/bewithjitendrapatel

Friday, January 21, 2011

Mobile Number Portability In India...

Huhhhhhh
I would not blame you if Mobile Number Portability reminds you of the famous dialogue "Tareekh pe tareekh, Tareekh pe tareekh" ("date after date, date after date") from the famous Bollywood film Damini, but finally the DOT has announced the launch of MNP in India.


Finally, after a long, long wait, Mobile Number Portability (MNP) was successfully launched in India yesterday.


20.1.2011 is the day for mobile phone users in India. Previously it was only available in Haryana, and from January 20th it is available all over the nation.


The telecoms minister Mr. Kapil Sibal told the news channel that the much awaited and pending mobile service is finally set to launch on 20 Jan 2011.


Now consumers have the chance to take command of their choice of telecoms provider.


OK, let's now examine what MNP really is:


MNP, i.e. mobile number portability, is a service in which a user is free to choose whichever telecoms company he is satisfied with and to move between them without changing the old number.


Previously it was necessary to change the current mobile number if a user opted for another service provider, but now the scenario has completely changed.


MNP is like dumping the service provider but keeping the favourite number. Isn't it a fun and kingly feeling? With more than 700 million mobile phone users in India this is not a service but a necessity, as the range of 10 digit mobile numbers is already heading towards a dead end.


Technically, MNP can be defined as a process of routing calls, SMS and other services to the same number through the new service provider.


Customers can port between prepaid and postpaid. The master mobile number database will be maintained by a third party software company. For zone 1, Syniverse has been appointed for MNP and related issues, while for zone 2, Telcordia has been appointed.


Mobile Number Portability service (MNP) will definitely launch severe competition between service providers, and users can see an improvement in service quality and quantity. Cheap call rates, SMS rates and data plans are what I expect.


80,000 users have already benefited from this service in Haryana.


Now, what's the procedure for availing this service..


There is a lot of buzz in the market, among which the most accepted is as follows


  (a.) The user has to send a message to 1900 in the format described below

     PORT xxxxxxxxxx (replace the x's with your current mobile number).


  (b.) Then after a few minutes the user will get an SMS reply having a unique Porting ID and expiry date.


  (c.) A second SMS or an application has to be sent to the new operator with the unique porting code. Please remember this unique code is valid for a few days and, if expired, can be requested again.

  (d.) After that the existing operator will check for any dues, and if all is OK it will give approval for porting the number.


  (e.) The user will get an SMS with the time and date when the porting will take place. TRAI rules compel the porting procedure to be within 4-5 days.


  (f.) Finally, when the porting is done the user will get an SMS confirming the porting. The phone may be dead for 2 hours during the porting process.




The process of porting a mobile number between service providers costs a maximum of INR 19, but this can vary according to the service provider..


The benefits can be stated as: with this the customer can be the king.


However, there are some criteria which must be fulfilled before opting for this service: if the user is a postpaid customer there should not be any dues; for prepaid customers the remaining balance will lapse and not be carried forward; and the user has to wait at least 90 days for a second porting.


The user can also withdraw the application within a day if he changes his mind and wants to stick with the old number; however, the porting fee will not be refunded.


After submission it hardly takes 4 days, and for J&K and the north-eastern region it is within 12 days.


The user can flexibly switch from CDMA service to GSM service and vice versa.


DOT has a mandate to implement MNP service within a circle, hence service providers can be switched as long as they are within the same circle.


Land line numbers cannot be ported; as of now it is only for mobile phone numbers.


The user needs to carry two recent passport size photographs, a proof of address (POA) and a proof of identity (POI).




The following links can be used for getting more details about number porting


Airtel



Vodafone 


Idea


Aircel


Tata Docomo


Reliance


Virgin


Loop






Enjoy, friends, and tell me if you like this information, and please comment.
Comments are extremely necessary for me to improve my articles, and please tell me what topics you would like to read about....


JITENDRA KUMAR PATEL.
http://www.facebook.com/bewithjitendrapatel

Thursday, January 20, 2011

SafeGuarding Mobile Phones From Prying Eyes......



Hi friends,

Welcome back....

Thanks for waiting. Before going on to this post I would like you to read once again my older post { http://bewithjitendrapatel.blogspot.com/2011/01/security-risk-associated-with-mobile.html } so that you can easily understand the objective of this post...

Let's start securing the phone .....

1.Sim Cards..

The easiest way to secure a SIM card is using PIN codes.
Activating this service will ask for the PIN code on each reboot of the phone or when someone changes the SIM. So if you lose your SIM card no one can use it..

If for some reason you get confused about your PIN, then you can use the PUK code (PIN Unblocking Key).

Note: PUK has a limit of 10 and after that the SIM card is permanently banned and might require replacing the SIM.....

The other security features you can use are Fixed Dialling and Call Barring.

These services will allow outgoing calls only to those numbers authorised by you.
SMS service, MMS service and calling service are all disabled for unauthorised numbers.

However, this service requires PIN2 and, if blocked, requires PUK2, which is not easily provided by the telecom company as it interferes with company revenue policy....

Also try to use services like caller line display, send my caller identity and closed user groups...(if anyone succeeds please inform me also )

2.Phone

 a.Use security keyguard off features...
 b.Password protect your SMS inbox and gallery files.
 c.The mobile phone must be kept in secure locations.
 d.Avoid installing insecure or unsigned applications.
 e.Enable content encryption.
 f.Activate password encryption.
 g.Use memory card encrypting software.
 h.Never use Facebook, Orkut or any other social networking site through a public hotspot.
 i.Never ever do transactions through public computers like a cafe or wi-fi.
 j.Bluetooth must be turned off and turned on only when it is required.
 k.Set the number of password attempts.
 l.Disable wifi till required.
 m.Use SSL for emails.
 n.Please follow some degree of precaution while browsing.
 o.Double or triple format the card before giving it to anyone else.
 p.Wipe out the phone completely before abandoning it.
 q.Update phone software and firmware on a regular basis.
 r.Use paid antivirus.
 s.Regularly scan card and phone memory for faults.
 t.Back up the phone data at regular intervals.
 u.Use more than two types of security software like anti-malware, anti-spyware and antivirus.
 v.Check for fraud billing.
 w.Have initiatives in reducing mobile crimes.
 x.Avoid talking in crowded areas; if required, use a headphone.
 y.Use digital certificates.
 z.Use remote wipe features.

ALL CHARACTERS ARE USED UP SO   Hmmmmmm....


 ok


 1.Use autolock features and keep them behind complex features..

 2.Lastly, Awareness is the key to protection... ( BE AWARE and BE UPDATED. )

I would also like to list some software for securing mobile devices..

This software can easily be downloaded through a simple search on Google.


List of some common software....

Kaspersky Anti-Virus Mobile
McAfee VirusScan Mobile
Symantec Mobile Security 4.0 for Symbian
Symantec Mobile Security Suite 5.0 for Windows Mobile
Symantec Mobile Antivirus for Windows Mobile
SMobile Security Shield
Kaspersky Mobile Security
BullGuard Mobile Antivirus
Norton Smartphone Security
F-Secure Mobile Security
Trend Micro Mobile Security
NetQin Mobile Anti-virus
Airscanner Mobile Security Combo
SimWorks Anti-Virus
Avira AntiVir Mobile

  • Security Genius
    More Productivity Applications
    "Security Genius" application is a value-added service on Nokia S60 3.0 platform. It can protect a mobile user from losing his/her phone just in case the phone is lost.









  • Kaspersky Mobile Security
    Security Applications
    Kaspersky Mobile Security offers total protection of your privacy and personal information and maximises your chances of retrieving your phone if it is lost or stolen.









  • Security+
    Restricted the use of Pocket PCs as a specialized device where access to many functions is restricted or disabled and only the applications configured are executed. It is like a Kiosk Mode but better.









  • Life360 Security Center
    Track all your family members in real time..










  • SmrtGuard Mobile Security
    Protect your BlackBerry with SmrtGuard Mobile Security. SmrtGuard includes Wireless Data Backup & Restore, Anti-Virus protection, Anti-Spam, Call Blocker, Anti-Theft & Recovery with GPS tracking, Remote Data Wipe, Personal Guardian & more!









  • SmrtGuard Mobile Securi...
    Protect your Android with SmrtGuard Mobile Security. SmrtGuard includes Wireless Data Backup & Restore, Anti-Virus, Anti-Spam, Call Blocker, Anti-Theft with GPS tracking, Remote Data Wipe & more! After download, don't forget to register & activate









  • WaveSecure - Mobile Sec...

    WaveSecure is an award-winning security service that protects your phone, data and privacy in the event of loss or theft. 









  • Lookout Mobile Security...

    Protect your phone. Get the official, free mobile anti-virus, data backup and Phone Finder solution with Lookout. 









  • iTag - Mobile Security ...

    iTag is a FREE, award winning, service to remotely locate and protect your lost phone. View your phone’s location, make it ring, lock the keys, back up, delete your phone. Get alerted when friends are near and find your lost car using bluetooth








  • MYMobile Protection

    Protection against theft & losses , Virus protection, Performance optimisation, Backup & Data recovery, AntiSpam for e-mail & SMS, Credit card & Identity theft protection. For Android http://m.getjar.com/MYAndroid-Protection









  • mobecode

    Keep your SMS messages and Emails secret. Send and receive coded messages








  • Sesame Password Manager

    Sesame combines a password generator and password manager into a single, easy-to-use application. Store all of your passwords, or your customer passwords, in one convenient location. Sesame features: * Generate random passwords between 4 and 20 char.









  • CellBox Password Manager
    security tool: password manager for mobiles. Passwords are encrypted using Anubis 320 bit ciphe













  • App lock

    App lock can protect your privacy. It can lock the application you need, and then someone must enter a password to display it. So it can protect your secrecy and privacy








  • message lock

    Want to lock Messages of your Phone? So that no one else can see.









  • Contacts Lock

    Want to lock 









  • Gallery Lock

    Want to lock Gallery of your Phone? So that no one else can see your images, music & videos.Locked Gallery is completely Invisible to others









  • S60 Lock Screen

    Handy Lock screen application for S60 phones. All S60 3.x and 5.x phones supported. Looks a bit like iPhone lock scree









  • Memory Status

    Memory Status has the following functions: 1. Memory Status "Memory Status" displays the status of the virtual memory. You can know the each meaning by pushing the info buttons. 2. Running User Processes "Running User Processes" displays the list 









and a huge unending list......


So friends, I hope that I have put some seeds in your brain about mobile phone security.

Please, friends, take the security of your phone seriously and always be happy..

Always remember prevention is better than cure....

Please post your comments and ask me if you need any help......

have fun .....




JITENDRA KUMAR PATEL.

http://www.facebook.com/bewithjitendrapatel
