Monday 20 April 2015

OffSec Bulletin

executive summary

Offensive Security is a technology that can help any organization find critical vulnerabilities so that it can mitigate them and safeguard its IT assets. But the same technology can be used to take down any network infrastructure and send it back to the stone age. Take the example of Sony Pictures: if they had already used offensive technologies to perform real-life penetration testing of their network, the outcome might have been different. Unfortunately they were limited to standard penetration testing and did not use offensive technologies to assess their network.
Most of us do the same: we do not use offensive methods while performing a security assessment, thinking that offensive technologies may impact our servers and devices. But the truth is that when an attacker attacks a network, he does not follow any standard protocol; he will always use offensive technologies to take down your network. Hence one must perform an offensive assessment and simulate the worst-case scenario while performing a security assessment.
In this bulletin we have discussed a few offensive technologies, including advanced malware, server issues and an example of hardware backdooring.
The “any-to-any” evolution already involves billions of internet-connected devices and is expected to grow many-fold in the next few years. OffSec Bulletin is a small step towards making our users aware of Internet security.
pivoting: game over
Most of us secure only those servers and systems which are directly or indirectly connected to the outside network. In many security assessments we have seen that network and system administrators focus only on securing the web server and firewalls, not the internal PCs. Most of them claim that these PCs are not exposed: they are on a different VLAN, they do not have a live IP, there is endpoint antivirus on the PCs and servers, there is a strict firewall policy, and so on. But what we have realized is that when an attack is targeted, nothing stops the systems from being compromised; take the example of the recent hacking of Sony.

A hacker’s first attempt to compromise any system is to locate and target the most insecure machine on the network. Sometimes they also combine a technology weakness with a human weakness.
In recent research conducted at CCFIS labs, we created a network scenario to simulate such an attack. First we created a small network: we installed a router and the latest firewall, installed a web server, installed a few reputed PHP- and ASP-based CMSs, created another DMZ network, and installed an internal router and firewall for additional security of the database server and storage.
Then we defined the database server as the target and tried to compromise it from outside the network, to simulate the most complex environment for an attacker, and we found that there are several ways to achieve this:
· An attacker can compromise the database server if he finds a SQL injection in a web application/CMS installed on the web server.
· Another targeted method is to first compromise the web server using a remote exploit and then use the compromised system to target other machines on the network, finally compromising the database server.
· Another simple method was to compromise any system on the user network and then simply pivot the attack from that compromised user machine to the database server.
After this research we concluded that even if you have configured a second firewall in your network to secure your database or server, it can still be compromised by taking advantage of any less secure system.
The best recommendation our research team reached is to secure not only your network but also your endpoints. Proper training of employees may reduce the threat to the network from human weakness.
rakshasa : a real daemon
It is the age where we live on information. What if, no matter how hard we try, every computer on the market, from PCs to smartphones to fridges to cars, could come pre-loaded with an irremovable backdoor that allows a government, a spy agency, a company or even a hacker to snoop on our data, behaviour and communications?

It is quite hard to believe, but with recent research and conference talks, we already have the technology to do this. It is called a hardware backdoor, and it is a lot like a software virus that grants backdoor access to your computer, except that the code resides in the firmware of a computer chip. Firmware is software that is stored in non-volatile memory on a computer chip and is used to initialize a piece of hardware’s functionality. In a PC, the BIOS is the most common example of firmware, but in the case of wireless routers, a whole Linux operating system is stored in firmware.
Hardware backdoors are lethal for several reasons: they cannot be removed by conventional means (antivirus, formatting), they can circumvent other types of security (passwords, encrypted file systems), and they can be injected during manufacturing.
In a recent responsible disclosure by CCFIS we found that even manufacturers have no idea how and why their laptops have backdoors pre-installed. A leading vendor concluded that they import system components from different small and local vendors to create a complete system, and that it might be possible that those vendors had installed something in their components.
But the scenario becomes scarier with malware like BadUSB and Rakshasa, whose source code is available on the internet for anyone to tinker with. We captured one malware sample of Rakshasa travelling in an Indian network through our ATP sensors.
We have heard about the Brain virus, backdoored EFI bootloaders, patching/flashing a Phoenix-Award BIOS, the Stoned bootkit, vbootkit, UEFI rootkitting, and many more, but after analysis we found that Rakshasa is a masterpiece. Some of its notable features are that it is persistent, stealthy (zero code hosted on the machine), portable (OS and version independent), offers remote access and remote update, has state-level qualities like plausible deniability and non-attribution, crosses network perimeters, is redundant, and to date is not detected by almost any antivirus. Its core components are coreboot, SeaBIOS, iPXE and a few payloads; the notable part is that you can embed your own payload too.
Its development stages include flashing the system BIOS, then flashing the network card or any other PCI device, booting a payload (say a bootkit) over the network, booting a payload over Wi-Fi, and finally remotely re-flashing the BIOS. Rakshasa can do everything one needs to spy on a system completely.
777 – permission to come and hack me
No doubt, Linux is the best OS for hosting web application servers, especially when you are on a low budget and the application works and is supported better on Linux than on Windows. The best part of using a Linux server is that the OS is free and one can configure security as per one’s requirements. But think from another perspective: Linux is best for you only when you know how to use it and how to secure it; a misconfigured Linux system is an open invitation for hackers to come and compromise the server. Most administrators ask why someone would hack them, since they have nothing to hide or are not an MNC. But from our experience in the CCFIS research labs we have realized that hackers do not always hack your server or network to harm you; most of the time your IT assets such as servers, systems and bandwidth are used to harm someone else. A network of hacked machines can be used to perform a DoS or DDoS attack that takes down another server, and the actual hacker will never be traced back.
While performing penetration testing we discovered a Remote Code Execution vulnerability in several servers of a network. While delivering the assessment report, we recommended that the server administrator not keep any folder or file with permission 777. He implemented our recommendations and, just after implementation, the application running on the server stopped working. When he changed the folder permission back to 777, the application started working again. We tried several combinations of permissions but they all had some glitch. At last we analysed the entire web application and assigned different permissions to different folders and the files inside them, and this made the application work properly.
Because the analysis is painful, most of us simply assign vulnerable permissions like 777 and run the application, but this is an open invitation for hackers. So next time you are configuring your server or troubleshooting a web application, make sure to assign permissions only after analysing all the folders and files. Even one single mistake in the permissions of any folder can compromise your entire server.
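The audit-and-fix routine below is an added example, not code from the bulletin or from the CCFIS team. It does the two things the case above calls for: report every world-writable (777/666) entry under a web root, then reset the tree to a least-privilege scheme in which only the directories the application genuinely needs to write to (an assumed allow-list such as an uploads directory) keep write access, and even those never for "other". The web root it builds in a temporary directory is constructed for the demo; the octal modes are ordinary Linux conventions.

```python
"""Audit a web root for world-writable entries and replace blanket 777
with a least-privilege scheme. Added example; assumes a Linux filesystem
and an allow-list of app-writable directories supplied by whoever has
analysed the application (the step the bulletin says cannot be skipped)."""
import os
import stat
import tempfile

DIR_MODE = 0o755            # directories: owner rw, others may read/traverse
FILE_MODE = 0o644           # files: owner rw, others read only
WRITABLE_DIR_MODE = 0o775   # app-writable dirs: group write, never world write
WRITABLE_FILE_MODE = 0o664  # files inside app-writable dirs


def find_world_writable(root):
    """Relative paths under root whose mode grants write to 'other'.
    This is the finding to report: any such entry can be altered by any
    local user or any compromised process on the box."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink modes are meaningless on Linux
            if mode & stat.S_IWOTH:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def _chmod_if_needed(path, wanted):
    mode = os.lstat(path).st_mode
    if stat.S_ISLNK(mode) or stat.S_IMODE(mode) == wanted:
        return 0
    os.chmod(path, wanted)
    return 1


def apply_least_privilege(root, app_writable=()):
    """Reset every directory and file under root to the scheme above.
    app_writable lists directories (relative to root) the application must
    write to; they and everything below them get group write instead of
    world write. Returns the number of entries changed."""
    writable = {os.path.normpath(p) for p in app_writable}
    changed = 0
    for dirpath, _, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        in_writable = rel != "." and any(
            rel == w or rel.startswith(w + os.sep) for w in writable)
        changed += _chmod_if_needed(
            dirpath, WRITABLE_DIR_MODE if in_writable else DIR_MODE)
        for name in filenames:
            changed += _chmod_if_needed(
                os.path.join(dirpath, name),
                WRITABLE_FILE_MODE if in_writable else FILE_MODE)
    return changed


def mode_of(root, rel):
    """Permission bits of an entry, for checking the result."""
    return stat.S_IMODE(os.stat(os.path.join(root, rel)).st_mode)


def demo():
    """Constructed web root with 777 everywhere: audit it, fix it, audit
    again. Returns (root, findings_before, findings_after)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for d in ("includes", "uploads/2015"):
        os.makedirs(os.path.join(root, d))
    for f in ("index.php", "includes/config.php", "uploads/2015/a.jpg"):
        with open(os.path.join(root, f), "w") as fh:
            fh.write("<?php // constructed placeholder\n")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            os.chmod(os.path.join(dirpath, name), 0o777)  # the bad state
    before = find_world_writable(root)
    apply_least_privilege(root, app_writable=["uploads"])
    after = find_world_writable(root)
    return root, before, after


if __name__ == "__main__":
    _, before, after = demo()
    print("world-writable before:", before)
    print("world-writable after:", after)
```

Run it against a real web root as the file owner after deciding which directories the application writes to; if the application still breaks, the fix is to add the specific directory it needs to `app_writable`, not to return to 777.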
DLP: friend or foe
Most of us deploy DLP (Data Leak Prevention) software or hardware to add an additional layer of security to our networks. We define web rules to monitor and control web traffic, mail rules to monitor and control emails, removable storage rules to control data copied to removable media, printer rules to manage print jobs, discovery rules to control data storage, and many other rules depending on the types of device and your users.
DLP devices store a lot of company-confidential data, such as URLs visited, quarantined documents, mails, the network map and in some cases usernames and passwords too. Most DLP software is installed on some OS, and these are generally Linux-based. Even products developed by the top security companies are based on customized versions of Linux.
With the recent release of Shellshock and other vulnerabilities, all these devices are at risk. Most companies release updates for the software that runs on the OS; very few release updates for the base Linux OS on which the software runs. Our ATP sensors installed in different locations have analysed attack traffic, and we have learned that attackers are now targeting DLP appliances by taking advantage of vulnerabilities in the operating system rather than exploiting the DLP software running on the appliance.
By compromising an organization’s DLP, an attacker gets everything he wants; he does not need to compromise any other part of the network anymore.
The same issue can happen with any device running on Linux. Even if you are using an open source firewall, IDS/IPS or DLP, first consider upgrading your base operating system before upgrading the software installed on it.
We recommend that our readers verify thoroughly before deploying any type of security appliance, and if you have already installed one, ask your vendor whether he releases only software updates or also updates for the OS installed on that device.
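A quick way to check for yourself whether an appliance's base OS has received the Shellshock fix, rather than taking the vendor's word for it, is the well-known harmless probe: start bash with an environment variable whose value is a function definition followed by a trailing command, and see whether the trailing command runs. This is an added example, not from the bulletin; it assumes shell access to the appliance (or to a copy of its OS image) and a `bash` binary on the PATH, and it reports a status rather than doing anything with the result.

```python
"""Report whether the local bash still executes trailing commands from
function definitions imported through the environment (Shellshock).
Added example; assumes shell access to the box under test."""
import shutil
import subprocess

# Value of an environment variable: a function body followed by a command.
# A patched bash imports nothing executable from this; an unpatched one
# runs the echo at startup.
PROBE_VALUE = "() { :;}; echo SHELLSHOCK_TRAILING_COMMAND_RAN"
MARKER = "SHELLSHOCK_TRAILING_COMMAND_RAN"


def bash_version(bash_path=None):
    """First line of `bash --version`, or None if bash is absent."""
    bash = bash_path or shutil.which("bash")
    if not bash:
        return None
    out = subprocess.run([bash, "--version"], capture_output=True,
                         text=True, timeout=10).stdout
    return out.splitlines()[0] if out else None


def shellshock_status(bash_path=None):
    """Return 'vulnerable', 'patched' or 'no-bash'."""
    bash = bash_path or shutil.which("bash")
    if not bash:
        return "no-bash"
    # Minimal environment so the only thing bash sees is the probe variable.
    result = subprocess.run(
        [bash, "-c", "echo probe-done"],
        env={"PATH": "/usr/bin:/bin", "SHELLSHOCK_PROBE": PROBE_VALUE},
        capture_output=True, text=True, timeout=10)
    return "vulnerable" if MARKER in result.stdout else "patched"


def base_os_report(bash_path=None):
    """What to record in the appliance inventory: the bash build and
    whether the base-OS fix is actually present."""
    return {"bash": bash_version(bash_path), "shellshock": shellshock_status(bash_path)}


if __name__ == "__main__":
    print(base_os_report())
```

A "vulnerable" result on an appliance whose DLP or firewall software is fully up to date is exactly the gap the bulletin describes: the vendor has been patching its product but not the operating system underneath it.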
firmware backdoor
As a research organization, the CCFIS team is always involved in R&D to find vulnerabilities and backdoors in the IT products of different manufacturers, ranging from cameras, servers, systems and scanners to network devices and almost all IT assets. Also, as part of our commercial services, we find vulnerabilities in suspect devices sent to us by our clients. Hence the CCFIS research team has hands-on experience in finding backdoors and vulnerabilities in these devices.
Recently we picked one random IP camera from the market. We installed the device and it worked perfectly fine for a couple of weeks. We had some doubts about the camera, and later on we realized that it used to change its defined position automatically. For further verification, we downloaded the exact firmware that was installed on that camera from the manufacturer’s official site. After reverse engineering in our malware analysis labs, we found a backdoor user included in the source code of the device in addition to the default user. There was no information about this user in the camera documentation or anywhere on the site.
Manufacturers are creating root-level access to cameras, some for genuine reasons such as releasing updates and some for malicious purposes such as government spying.
The issue this raises is that the firmware can be downloaded by anyone over the internet, and even if the download option is not available, anyone can extract the firmware from the actual device and start tinkering with it. So these credentials can be used by anyone to access any camera with the backdoor user account. Using a device for government surveillance is not bad in itself, but installing a backdoor in these devices leaves the device vulnerable to hackers. Nowadays, with smart Google dorks and the ShodanHQ search engine, anyone can locate a specific camera in any country or state and access it with the backdoor username and password without even knowing the original credentials.

It may be that most of the devices you are using are backdoored for some good or bad reason; it can be good for manufacturers or governments, but it is always bad for users like us. We recommend that our readers analyse any device’s firmware before installing it in their network. And if any such vulnerability or backdoor is found, the CCFIS team will help you create a PoC and report it to the authenticated vendor so that they can either release an update or close the backdoor.
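One concrete check to run on a firmware image before deploying a device is the one that would have caught the camera above: unpack the image's root filesystem and look for login-capable accounts the documentation never mentions. The scanner below is an added example, not from the bulletin or from any camera vendor; it assumes the firmware has already been extracted into a directory tree and that the vendor documents exactly which users exist. The `/etc/passwd` and `/etc/shadow` contents are constructed for the demo (the hash values are placeholders, not real hashes).

```python
"""Find undocumented login-capable accounts in an extracted firmware root.
Added example; assumes a Unix-style /etc/passwd (and optional /etc/shadow)
inside the unpacked image and a vendor-documented list of users."""
import os
import tempfile

# Constructed sample: a documented 'admin' user plus a second UID-0 account
# whose hash sits directly in passwd (no shadow entry), which is how
# old-style embedded images often carry a hidden account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:x:0:0:Web admin:/home/admin:/bin/sh
svc_cam:$1$abcdefgh$CONSTRUCTED_PLACEHOLDER_HASH:0:0::/:/bin/sh
nobody:x:65534:65534:nobody:/:/bin/false
"""
SAMPLE_SHADOW = """root:!:16000:0:99999:7:::
admin:$1$ijklmnop$CONSTRUCTED_PLACEHOLDER_HASH2:16000:0:99999:7:::
"""


def parse_passwd(text):
    """Yield (name, password_field, uid, shell) per valid passwd line."""
    for line in text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 7:
            continue
        yield parts[0], parts[1], int(parts[2]), parts[6]


def parse_shadow(text):
    """Map user name -> password field from shadow."""
    return {p[0]: p[1] for p in (l.split(":") for l in text.splitlines())
            if len(p) >= 2}


def is_loginable(pwfield):
    """Empty field = no password; '!'/'*' prefixes = locked; 'x' = defer to
    shadow (handled by the caller). Anything else is a usable hash."""
    if pwfield == "":
        return True
    if pwfield == "x":
        return False
    return not pwfield.startswith(("*", "!"))


def find_undocumented_accounts(fs_root, documented):
    """Accounts that can log in (usable password, real shell) and are not
    in the vendor's documented list."""
    with open(os.path.join(fs_root, "etc", "passwd")) as fh:
        passwd = fh.read()
    shadow = {}
    shadow_path = os.path.join(fs_root, "etc", "shadow")
    if os.path.exists(shadow_path):
        with open(shadow_path) as fh:
            shadow = parse_shadow(fh.read())
    findings = []
    for name, pwfield, uid, shell in parse_passwd(passwd):
        effective = shadow.get(name, pwfield) if pwfield == "x" else pwfield
        has_shell = not shell.endswith(("/false", "/nologin"))
        if is_loginable(effective) and has_shell and name not in documented:
            findings.append({"user": name, "uid": uid, "shell": shell,
                             "root_equivalent": uid == 0,
                             "hash_in_passwd": pwfield != "x"})
    return findings


def demo():
    """Write the constructed image into a temp dir and scan it, with
    'admin' as the only documented user."""
    fs_root = tempfile.mkdtemp(prefix="fw_")
    os.makedirs(os.path.join(fs_root, "etc"))
    with open(os.path.join(fs_root, "etc", "passwd"), "w") as fh:
        fh.write(SAMPLE_PASSWD)
    with open(os.path.join(fs_root, "etc", "shadow"), "w") as fh:
        fh.write(SAMPLE_SHADOW)
    return find_undocumented_accounts(fs_root, documented={"admin"})


if __name__ == "__main__":
    for f in demo():
        print(f)
```

A hit with `root_equivalent` set is the strongest signal; a hash stored in `passwd` rather than `shadow` is also worth noting, because it means the hash is world-readable on the device. Accounts that are documented but share UID 0 (like `admin` here) are a separate finding to raise with the vendor.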

Friday 17 April 2015

Forensics Bulletin

executive summary

In this issue we would like to take our readers a step ahead from cyber security to cyber and digital forensics. In this high-tech world a variety of computer crimes take place on a small scale as well as a large scale. The loss caused depends on the sensitivity of the computer data or the information for which the crime has been committed. So computer forensics has become a vital part of our corporate world.
Those golden days are gone when criminals used only guns and other offensive equipment to commit a crime. Nowadays a mobile is used to connect lives and run businesses, and the same mobile is used to commit crimes, and hence it is next to impossible to predict who the actual criminal is when everyone is carrying weapons, i.e. phones, in their pockets. Someone carrying an unauthorized gun can be declared a criminal, but what if billions of people are carrying the same digital weapons in their pockets?
We at CCFIS have faced and solved several forensics cases that cannot be solved by traditional pre-defined forensics technologies and protocols. Sometimes forensics is more a matter of research and behavioural analysis.

eProtect

Online complaint portal
Most of the time, we do not want to share a cybercrime that happened to us with anyone, and that is why these cases remain unsolved and culprits are encouraged to repeat them. To maintain anonymity and to resolve these cases we started eProtect, initially for students and staff of Amity Education Group.
eProtect is an online complaint portal developed by the CCFIS team for students of Amity University to report any case ranging from a cyber-harassment incident on social media to online fraud. Once a complaint is registered, the CCFIS incident response team is notified and acts to resolve it in the minimum possible time.

whatsapp forensics

Recovering & decrypting deleted conversations

WhatsApp Messenger is a cross-platform mobile messaging app which allows you to exchange messages without having to pay for SMS. Most of us use WhatsApp to communicate with our loved ones.
We recently seized a mobile during an investigation. After further analysis of the mobile, we found that all conversations had already been deleted by the user. But WhatsApp creates a database of all conversations, and those files still reside on the mobile even after the conversations are deleted. We initially tried to recover the messages from the database, but the user was smart enough to delete the databases too.

Finally, we tried a mobile data recovery procedure to recover the WhatsApp database. After all efforts the databases were recovered but were in an encrypted state. At the final stage our research and development team was able to understand the encryption methodology and developed in-house tools to decrypt those messages.

biometric fraud

Employee attendance system fraud & RFID trick

Biometric attendance devices are used in almost all offices. Every morning we punch our card and fingerprint before starting work and repeat the same every day. But what if the data of these security appliances can be manipulated? Most biometric devices work on a database authentication and comparison model. Whenever an RFID-enabled card is punched along with a fingerprint, the device compares the data with the original database and authenticates the user. Once the user is verified, a database entry is made in the ERP system recording that the particular user punched at a particular timestamp.
Recently we resolved one biometric fraud case in which none of the traditional forensics methodologies worked. Every day over 800 employees were using that biometric attendance system before starting their work. The data from all 10 biometric devices was saved in one central database, and from there it was taken into the organization’s ERP and other departments like HR and accounts. System administrators had created rules to take automated regular backups of each day’s database.

The fraud came to the knowledge of management when an employee was called for a meeting and did not show up; it was mentioned that the employee was not in the office, but the employee was marked present in the biometric attendance system and everything was normal in the ERP as well as in all databases. The biometric device vendor was called, and he checked all the biometric devices by taking hundreds of samples, but everything was normal.
Management later decided to have a forensic investigation of this issue and the case was handed over to the CCFIS team for further analysis. Initially we tested all the biometric devices and found that everything was normal. Then we started comparing the original and backup databases manually, and the data was the same everywhere. We also found that a few database entries had been deleted from both the original and the backup database. After recovering those deleted entries, we realized that an administrator who was in a close relationship with the employee had created several SQL scripts to manipulate both the original and the backup database. The issue was resolved, management was informed and the employee was fired.
We thought that this was the end of the investigation. But the problem started again when, one busy day, a biometric device stopped working and all employees were standing in line to punch their cards, creating chaos. Again the vendor was called; they checked everything and blamed the CCFIS forensics team, claiming that CCFIS had done something to these devices. The CCFIS team visited the premises again to investigate the issue. After investigation, we found that a small sticker-based RFID chip had been pasted on the side of the biometric device. So whenever anyone tried to punch their card, the device did not work, as it was busy reading the hidden sticker-based RFID chip on the side of the device; it was so small that nobody suspected it.

After removing this RFID sticker, everything was normal as before and the system started reading and processing all the cards. Unfortunately these stickers are available at a very low price and accessible to anyone. Even a few mobiles come with a free RFID sticker to customize according to the user’s needs.
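The first half of this case shows why comparing the live database with its backup proved nothing: the same administrator could rewrite both. The routine below is an added example, not from the bulletin, of a control that would have exposed the deletions directly. Each attendance device (or an export job the DBA does not control) extends an HMAC chain over the punch records with a key held by the auditor, not by the database server; a later dump of the table is then verified against the chain, and the first row whose tag no longer matches points at the edit. The punch records and key are constructed for the demo.

```python
"""Tamper-evident attendance records via an HMAC chain keyed outside the
database. Added example; assumes the devices (or an independent export)
can compute tags and the auditor keeps the key and the end-of-day tag."""
import hashlib
import hmac

# Constructed key: in deployment it lives with the device/auditor only.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
ZERO_TAG = b"\x00" * 32

# Constructed punch records: (employee_id, device_id, timestamp)
SAMPLE_ROWS = [
    ("E1001", "dev03", "2015-03-02T08:58:12"),
    ("E1042", "dev03", "2015-03-02T08:59:40"),
    ("E1077", "dev07", "2015-03-02T09:01:05"),
    ("E1042", "dev03", "2015-03-02T17:31:22"),
]


def row_bytes(row):
    """Canonical encoding so the same record always hashes identically."""
    return "|".join(row).encode("utf-8")


def chain_tags(rows, key=AUDIT_KEY):
    """tag[i] = HMAC(key, tag[i-1] || row[i]); every tag commits to all
    earlier rows, so deleting or editing any row breaks all later tags."""
    prev, tags = ZERO_TAG, []
    for row in rows:
        tag = hmac.new(key, prev + row_bytes(row), hashlib.sha256).digest()
        tags.append(tag)
        prev = tag
    return tags


def verify_dump(rows, final_tag, key=AUDIT_KEY):
    """True iff the dumped rows reproduce the stored end-of-day tag."""
    tags = chain_tags(rows, key)
    last = tags[-1] if tags else ZERO_TAG
    return hmac.compare_digest(last, final_tag)


def first_divergence(rows, stored_tags, key=AUDIT_KEY):
    """Index of the first row whose tag disagrees with the stored chain
    (None if the dump is intact). This is where the investigator looks."""
    for i, (a, b) in enumerate(zip(chain_tags(rows, key), stored_tags)):
        if not hmac.compare_digest(a, b):
            return i
    if len(rows) != len(stored_tags):
        return min(len(rows), len(stored_tags))
    return None


def demo():
    """Tags recorded at the device, then two manipulated dumps checked:
    one with a row deleted, one with an employee id swapped."""
    stored = chain_tags(SAMPLE_ROWS)
    end_tag = stored[-1]
    deleted = SAMPLE_ROWS[:2] + SAMPLE_ROWS[3:]               # row 2 removed
    altered = list(SAMPLE_ROWS)
    altered[0] = ("E1099", "dev03", "2015-03-02T08:58:12")   # id swapped
    return {
        "intact_ok": verify_dump(SAMPLE_ROWS, end_tag),
        "deleted_ok": verify_dump(deleted, end_tag),
        "deleted_at": first_divergence(deleted, stored),
        "altered_ok": verify_dump(altered, end_tag),
        "altered_at": first_divergence(altered, stored),
    }


if __name__ == "__main__":
    print(demo())
```

The backup script the administrator controlled could still copy rows, but it could not produce valid tags for a rewritten table without the auditor's key, so the nightly comparison becomes meaningful again.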

encrypted document malware
We all know about the CryptoLocker malware, which encrypts all documents on an infected system. The Trojan encrypts data on the affected computer, switching the extensions of affected files to .cryptolocker afterwards. It uses a weaker encryption method than the original, so it is possible experts may be able to regain access to the locked files, but this will not be an option for most infected users.

We recently handled and solved a case of a server infected by CryptoLocker. The user’s entire server was infected and all documents hosted on the site were corrupted. Even the document files hosted on the company’s website and FTP server were infected, and the infected documents started spreading internally through FTP and to the outside world through the company’s website. Every time the administrator tried to decrypt a document, an alert was generated and the application demanded money to decrypt the files. The following were the reasons why the server was infected:
  • The administrator was visiting malicious sites to download torrents and other stuff on the server.
  • The administrator had not installed an ad-blocker to block malicious advertisements.
  • The administrator clicked on lucrative ads of his interest and followed their instructions.
CryptoLocker can infect not only servers but also your systems; recently, in a blog post, virus coders mentioned that they are already working on the development of CryptoLocker for Android and other handheld devices.
In order to resolve this case, we tried many different traditional techniques. But as this version of CryptoLocker was working on some different protocols, none of them worked. Later on we realized that the original files had been deleted by this tool and a duplicate file of the same name with a .cryptolocker extension had been created for every document hosted on the server. So even if the administrator had paid the amount demanded by the tool, he might not have got the original documents back.
Our forensics team started data recovery of the deleted files, and since the hard disk was in good condition, all the original documents were recovered. Unfortunately the administrator had to format his server, but the documents were recovered.
The same case can happen to any of us, and in most cases tools like CryptoLocker demand money to unlock the documents. Most of us think that the amount the tool is asking for is much less than the cost and importance of the documents, and the user pays the money. But these tools are not from trustworthy sources and should not be trusted to return all the documents even after the amount is paid. The same scenario happened with the administrator of this company.
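The behaviour observed in this case, originals deleted and same-named copies left with a .cryptolocker extension, is easy to spot from a plain directory listing, which makes it a cheap alert for a web root or FTP share before infected copies spread further. The monitor below is an added example, not from the bulletin; the listing it checks is constructed, and the alert threshold is an assumption to tune for your own share.

```python
"""Spot the 'original gone, name.ext.cryptolocker present' pattern in a
directory listing. Added example; the extension follows the bulletin's
description and the alert threshold is an assumption."""
import os

RANSOM_EXT = ".cryptolocker"

# Constructed listing of a web root mid-infection: two documents already
# replaced, one copy still being written beside its original, plus files
# the malware has not touched.
SAMPLE_LISTING = [
    "docs/report-2014.pdf.cryptolocker",
    "docs/invoice-0042.docx.cryptolocker",
    "docs/readme.txt",
    "index.php",
    "uploads/brochure.pdf.cryptolocker",
    "uploads/brochure.pdf",
]


def replaced_documents(paths, ext=RANSOM_EXT):
    """Return (replaced, in_progress): originals that are gone versus
    originals still present next to their encrypted copy."""
    present = set(paths)
    replaced, in_progress = [], []
    for p in paths:
        if p.endswith(ext):
            original = p[:-len(ext)]
            (in_progress if original in present else replaced).append(original)
    return sorted(replaced), sorted(in_progress)


def should_alert(paths, ext=RANSOM_EXT, min_hits=2):
    """One stray file may be a false positive; several is an outbreak."""
    replaced, in_progress = replaced_documents(paths, ext)
    return len(replaced) + len(in_progress) >= min_hits


def listing_of(root):
    """Relative listing of a live directory, for use instead of the sample."""
    out = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            out.append(os.path.relpath(os.path.join(dirpath, f), root))
    return sorted(out)


if __name__ == "__main__":
    replaced, in_progress = replaced_documents(SAMPLE_LISTING)
    print("replaced:", replaced)
    print("still being copied:", in_progress)
    print("alert:", should_alert(SAMPLE_LISTING))
```

When the alert fires, the recovery point from this case applies: the originals were deleted, not overwritten in place, so stop writes to the disk immediately to keep the deleted blocks recoverable.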
The following are some recommendations to avoid these types of malware or ransomware:
 · Instead of using Internet Explorer as your default browser, use Chrome or Firefox. If your company policy forces you to use Internet Explorer, then use the latest updated version of Internet Explorer.
 · Avoid clicking on lucrative advertisements. For better security you can install an ad-block plugin in your browser.
 · Install genuine anti-virus software and keep it updated to avoid these types of malware.
 · Also, no matter how secure your computer is, if you are not aware then you cannot stop these types of malware from infecting your computers, as there is always a cat-and-mouse game between malware and anti-viruses.

intelligence gathering

Tracking Pakistan Haxor Crew

Intelligence is what we all need to run our businesses effectively. But in our case intelligence gathering helped us resolve one major controversial website hacking case.

Recently one site was hacked and the attack was claimed by a hacktivist group called Pakistan Haxor Crew. This case was brought to us for further investigation. Initially we started analysing server logs and retrieved a number of IPs from which the site received XSS, SQL injection, null byte, brute-force and many more active attacks aimed at taking down the site. Later, after analysing and tracing the IPs, we came to know that all the IPs were fake: the attacker had used multiple proxies and the Tor anonymising software to perform these attacks. So we were not able to trace the actual culprit with the data provided.

After a few hours, we started looking for Pakistan Haxor Crew on different blogs and underground communities. We were able to gather complete intelligence about all the crew members: their Facebook profiles, their websites and blogs, sites hacked by them, their future targets, and every possible detail they had on the internet. With this data we were able to locate all the team members, and the case was resolved by tracing the IPs of their personal email IDs and Facebook logins.

Tuesday 10 February 2015

Threat Bulletin

executive summary

In this world of digitalization, everything is online. We do business online, we make money online, we meet our friends and families online, and hence we all understand and appreciate the importance of websites. Nowadays, no matter how small a business is, everyone has a website. We even search for laundries or salons online before visiting them, and we finalize where to dine by checking the restaurant’s website.
With these enhancements, the need for security for these websites is increasing. Most of the time there is a myth: why would someone hack my site, as I do not have anything important or classified on my website? But one important point that should be considered is that customers are finalizing their plans just by seeing these websites, and if a site is compromised it directly impacts the business; this is why website security is important.
The same scenario applies to almost all sectors: IT companies, MNCs, restaurants, hospitals, schools, colleges and just about everyone.
wordpress in-secure
WordPress is the most common and easiest way to develop a website. Anyone with basic knowledge of internet technology can make their site or online application and bring it live within several hours. WordPress is completely open source, and the code is available for anyone to download, including hackers. Most users do not care to configure it properly and harden its security, and that is the main reason why WordPress sites are compromised and their servers used for spamming and mass mailing. In 2015, we believe that with the increase in WordPress sites there will be a huge increase in the hacking of these sites. Here are some of the most common reasons why WordPress sites will be hacked in 2015; you can use these as a checklist for securing your WordPress-based sites and applications:
Outdated WordPress version – We create a site and update its content but do not update the WordPress core, as most of the time the site breaks when it is updated because plugins and themes do not always support the latest version of WordPress. Using an outdated version of WordPress opens the door for hackers to a world of vulnerabilities. The WordPress team keeps researching to find these vulnerabilities and releases security updates frequently. So consider changing your priority from avoiding a broken site to updating the WordPress core. Subscribe to the WordPress mailing list so that you receive each and every update and bug fix.
WordPress version disclosure – The WordPress version can be revealed by default installation files like readme.html and license.html and in the generator meta tag. If this information is revealed, an attacker can search exploit-db for available exploits targeting that particular version.
WordPress database table prefix – While creating tables during the WordPress installation process, the default prefix is ‘wp_’. If an attacker manages to find a SQL injection in your application, it will be very easy for him to access your database tables too. So next time you set up WordPress, make sure you are not using the default table prefix ‘wp_’.
WordPress admin (wp-admin) lockdown – Most developers leave the wp-admin folder without locking it down, i.e. at http://example.com/wp-admin. This URL is very easy for any attacker to find and launch a brute-force password-cracking attack against to get your login credentials. Consider changing your admin URL to something like http://example.com/red-plasma.
Database permissions – Most of the time when a WordPress application is compromised, the first thing a hacker does is either install a backdoor or tamper with the database. Instead of assigning FULL permissions to the WordPress database user, only five permissions should be given to that user: INSERT, CREATE, ALTER, UPDATE and SELECT.
Insecure WordPress theme – Your WordPress core installation might be secure from the most basic attacks like SQL injection, but not your theme. Most themes do not sanitize the input given by users in different fields and URLs, and that leads to SQL injection. So no matter how secure your WordPress installation is, if the theme is not secure then your site is not secure either.
Default WordPress login – Most default WordPress logins are vulnerable to brute-force password attacks. So if you are using the username admin then you are vulnerable, and it is possible that your password can be stolen. In many themes, the name of the user who posted a particular post is revealed, so avoid using those themes and make sure your username is not revealed anywhere.
These are the most common vulnerabilities that attackers are exploiting on WordPress sites, so if you are a WordPress user then stay alert, as these types of vulnerabilities will be the trend in 2015.
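The checklist items that can be verified mechanically (version disclosure in the generator tag and readme.html, the default `wp_` prefix, a user named admin, and a database user holding more than the five privileges listed) are checked by the script below. It is an added example, neither from the bulletin nor from WordPress itself; it reads inputs you already have on the server: the rendered front page, readme.html if it is still served, wp-config.php, the list of WordPress user names and the `SHOW GRANTS` output for the database user. All sample inputs are constructed, and the privilege allow-list follows the bulletin's five, so adjust it to what your installation actually needs.

```python
"""Audit a WordPress deployment against the bulletin's checklist.
Added example; inputs are strings you can collect locally."""
import re

# The five privileges the bulletin lists for the WordPress DB user.
ALLOWED_DB_PRIVS = {"INSERT", "CREATE", "ALTER", "UPDATE", "SELECT"}

# Constructed samples: an unhardened site and a hardened one.
SAMPLE_HTML = ('<html><head><meta name="generator" content="WordPress 4.1.1" />'
               '</head><body></body></html>')
SAMPLE_README = '<h1 id="logo"><img alt="WordPress" /><br /> Version 4.1.1</h1>'
SAMPLE_WP_CONFIG = "<?php\n$table_prefix = 'wp_';\ndefine('DB_USER', 'wpuser');\n"
SAMPLE_USERS = ["admin", "editor1"]
SAMPLE_GRANTS = "GRANT ALL PRIVILEGES ON `wordpress`.* TO 'wpuser'@'localhost'"

HARDENED_HTML = "<html><head><title>Site</title></head><body></body></html>"
HARDENED_WP_CONFIG = "<?php\n$table_prefix = 'xq7k_';\ndefine('DB_USER', 'wpuser');\n"
HARDENED_GRANTS = ("GRANT USAGE ON *.* TO 'wpuser'@'localhost'\n"
                   "GRANT SELECT, INSERT, UPDATE, CREATE, ALTER ON `wordpress`.* "
                   "TO 'wpuser'@'localhost'")


def version_disclosures(front_page_html, readme_html):
    """Findings for the two disclosure points named in the checklist."""
    findings = []
    if re.search(r'<meta[^>]+name=["\']generator["\'][^>]*WordPress',
                 front_page_html, re.I):
        findings.append("version-in-generator-tag")
    if re.search(r"\bVersion\s+\d+\.\d+", readme_html):
        findings.append("version-in-readme")
    return findings


def table_prefix(wp_config_php):
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", wp_config_php)
    return m.group(1) if m else None


def excess_db_privileges(show_grants_output):
    """Privileges held beyond the allow-list; 'ALL PRIVILEGES' if global."""
    excess = set()
    for line in show_grants_output.splitlines():
        m = re.match(r"\s*GRANT\s+(.+?)\s+ON\s", line, re.I)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if privs == {"USAGE"}:      # USAGE alone grants nothing
            continue
        if privs & {"ALL PRIVILEGES", "ALL"}:
            excess.add("ALL PRIVILEGES")
        else:
            excess |= privs - ALLOWED_DB_PRIVS
    return excess


def audit(front_page_html, readme_html, wp_config_php, usernames, show_grants):
    """Ordered list of finding codes; empty means the checks all passed."""
    findings = version_disclosures(front_page_html, readme_html)
    if table_prefix(wp_config_php) == "wp_":
        findings.append("default-table-prefix")
    if "admin" in {u.lower() for u in usernames}:
        findings.append("admin-username")
    if excess_db_privileges(show_grants):
        findings.append("excess-db-privileges")
    return findings


if __name__ == "__main__":
    print("unhardened:", audit(SAMPLE_HTML, SAMPLE_README, SAMPLE_WP_CONFIG,
                               SAMPLE_USERS, SAMPLE_GRANTS))
    print("hardened:", audit(HARDENED_HTML, "", HARDENED_WP_CONFIG,
                             ["siteowner"], HARDENED_GRANTS))
```

Pass an empty string for `readme_html` when the file has been removed or blocked at the web server; the theme and wp-admin items on the checklist need manual review and are not covered here.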
software piracy
Software piracy not only hurts the economic growth of companies but also directly hurts the users of pirated software. Hackers are spreading malicious files like backdoors and Trojans to users in the name of free software. In internal research conducted at CCFIS labs we found that some of the pirated software was bundled with malicious code. Users installing this pirated software, watching pirated movies and listening to pirated music are victims of cyber-attacks, and in most cases their systems are used to launch mass attacks as part of a botnet. In 2015, we predict that hackers will pirate more software and movies in order to grow their botnets.
Some of the major disadvantages of using pirated software are illegal use, no updates or bug fixes, and no technical support, but the major disadvantage is becoming part of a cyber-attack. Typically a cyber-attack is launched in phases:
1. The hacker buys the original software.
2. He reverse engineers it and creates a crack or keygen.
3. He binds his malicious code (backdoor/rootkit/trojan) to it.
4. He spreads the software or movie via torrent.
5. He uses the systems of the users who install the software to launch mass cyber-attacks or spam.
Another smart and easier way, which is most common and popular nowadays, is movie piracy. This involves the steps below:
1. The hacker buys an original HD print of a latest movie.
2. He binds it with exploit code for a common media player; in most cases it is either VLC or MX Player.
3. He uploads it to a torrent and starts spreading it.
4. Once the user downloads and plays it, the malicious code exploits the media player, and since the media player has some access such as System access, the malicious code gets all the access the media player has, i.e. System access.
5. Now the attacker uses the compromised system to perform malicious activity like brute-forcing, DDoS, spamming, etc.
To mitigate this, one must understand that ‘Nothing is Free’ except open source. If you are using pirated software, watching pirated movies or listening to pirated songs, then you are not only promoting piracy but also harming yourself and letting cyber-attacks pivot through your systems.
security practice failures
Most of us still believe that following standard security practices, policies, standards and protocols saves the network from attacks. This assumption is completely wrong, as security policies are structured, made by experts, and follow a set of rules or, we can say, protocols. But the hackers who try to bypass these policies are unstructured and have no policies or standard protocols to follow when compromising your network. This is the major reason for the failure of security policies. Simply put: building has its rules but breaking does not.

The truth is that most security appliances, products and techniques do not work the way they are advertised, and in a few cases we have found that the devices that are there to protect the network have vulnerabilities that allow attackers to gain access to the network very easily. In 2015, we believe that no matter what policies we follow, hackers will find a way around them. The following are some of the standard policies we follow and how hackers bypass them:
Antivirus will safeguard my users – No, an antivirus can’t save your users completely and it never will. Hackers are releasing millions of malware samples every month, which is more than even the number of computer users worldwide. While developing malware, the first aim is to define its functionality and the second aim is antivirus evasion, in which hackers write malicious code to bypass the most popular antivirus engines. Just as we use sites like VirusTotal to scan a suspicious file for malicious code, hackers follow the same approach while developing malware. The malware is never released until it bypasses all antiviruses. In the time antivirus vendors take to notice, analyze and release an update for that particular malware, it has already infected millions of users and the hacker is ready with another malware that is still undetected by most antivirus companies.
Firewall protects my network – Believing this is one of the biggest mistakes made by network administrators and security planners. In the past we have seen malware use an uncommon port to connect back to its command & control center. For example, a hacker develops a malware, codes it to connect on port number 8888, and then hosts it on his website or spreads it in the wild on the internet. Now how will the hacker come to know how many PCs he has infected, or how many PCs are part of his botnet? Simply, he will run a port scan, and every system he finds with port 8888 open is a system infected with his malware. This attack scenario has been mitigated by today’s firewalls, which, if configured properly, allow connections only on port 80 or 443. The malware being developed today establishes its connections on ports like 80 and 443 and hence is not blocked by most firewalls. The previous generation of malware waited for the hacker to connect to it, but the malware in the wild nowadays sends a reverse connection and information back automatically once the user is infected or compromised.
Password Policy will work – Policies say to create a strong password, one that is longer than 8 characters and includes capitalization, numbers and special characters.
But think about why this policy was made: policy makers came to know that passwords can be broken, and the only way to safeguard against that is to make the password more complex so as to make the hacker’s task more difficult. This only makes the hacker’s task of breaking the password more difficult, not impossible. Let’s take a standard 8-character password with upper case, lower case, a digit and a symbol (Tx9@eLsP) and see how much time it takes hackers to break it.

So a password of this complexity can be broken in 1.12 minutes. Obviously breaking this password needs a lot of processing power, and hackers have already found a way to get it: by compromising systems across the globe, adding them to their botnet and using the resources of those systems to break the password. This way almost every password can be broken.
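As an added worked calculation (not part of the bulletin), the following works out the search space behind the 8-character sample password, the guess rate that the quoted 1.12 minutes implies, and how much the same policy buys at a greater length. The 94-character printable ASCII alphabet (26 + 26 + 10 + 32 symbols) is an assumption.

```python
# Added example: keyspace and time-to-exhaust for the bulletin's sample password.
import string

# Assumed character classes; 32 symbols is Python's string.punctuation.
CLASSES = {
    "upper": set(string.ascii_uppercase),   # 26
    "lower": set(string.ascii_lowercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

def charset_size(password):
    """Alphabet an attacker must assume, given which classes the password uses."""
    present = {name for name, chars in CLASSES.items()
               if any(c in chars for c in password)}
    return sum(len(CLASSES[name]) for name in present)

def keyspace(password):
    """Number of candidates of the same length drawn from the same classes."""
    return charset_size(password) ** len(password)

def seconds_to_exhaust(password, guesses_per_second):
    return keyspace(password) / guesses_per_second

def rate_needed(password, seconds):
    """Guess rate that would exhaust the keyspace in the given time."""
    return keyspace(password) / seconds

if __name__ == "__main__":
    pw = "Tx9@eLsP"                                 # the bulletin's sample
    print(charset_size(pw), keyspace(pw))           # 94 and 94**8
    print(f"{rate_needed(pw, 1.12 * 60):.3g} guesses/s to finish in 1.12 min")
    # Same policy, four more characters, at an assumed 10^12 guesses/s:
    print(f"{seconds_to_exhaust(pw + '1aB!', 1e12) / 86400:.0f} days")
```

The 1.12-minute figure corresponds to roughly 9 x 10^13 guesses per second, which is the botnet-scale resource the text refers to; adding four characters under the same policy multiplies the work by 94^4.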
Intrusion detection systems can find the intent of traffic – IDS are good, and in some scenarios they can be trusted. One can define malicious signatures, and if such a signature is detected the IDS alerts you or performs the defined action of blocking, or whatever the network admin defined. But like most technologies, it doesn’t work the way we expect it to. The major bug in this system is that no vendor can put every malicious signature into it. For example, if a hacker codes a script to launch an attack and then launches it, how will this IDS identify the signature of the malicious attack or traffic? There isn’t any way until the vendor’s technical team has analyzed the attack and released a signature for it. Another scenario: how will an IDS tell the difference between the traffic of a CEO retrieving documents from the internal network from outside, and an attacker using the CEO’s machine to enter the network and steal documents?
This doesn’t mean that all security policies are redundant and of no worth in securing your network. The most important way to secure your network is to think like a hacker: be innovative, take risks and think out of the box.
mobile devices
With the increase in mobile devices and their users, mobile applications are also increasing. But this rapid increase in the use of mobile technology has made the hacker’s task quite easy. According to research conducted at our CCFIS labs, we have found that it’s easier to compromise a server through its mobile application than through its web application.

Most developers focus only on securing their web application, so that malicious or unauthorized requests are not sent to and processed by the server, but they don’t notice that their mobile applications are also sending requests to the same server, and malicious requests can be sent using mobile apps too. Almost all the functionality of a web application is present in its mobile app.
In 2015, we predict that three major issues will arise in mobile security. The first issue is secure connection. Developers implement SSL to encrypt the communication between web applications and the server, but do not use any strong mechanism for encrypting communication between mobile applications and the server. The second issue will be the database. Till date hackers have used SQL injection in web applications to get access to all the database files. But now mobile applications also communicate with the database, and hence any unexpected query can cause a database error that may lead to SQL injection.

The third major issue that will arise in the coming future is reverse engineering. Most mobile operating systems are open source, except iOS, and hence their applications are also open source, which makes them vulnerable to reverse engineering. A hacker can steal the credentials stored in a mobile application to authenticate with the server and other databases.
These upcoming threats may bring any service or business down in a minute. We recommend that developers take care of these vulnerabilities while developing their applications. The first issue can be resolved simply by encrypting the connection using a combination of several algorithms. For the second issue we recommend sanitization. There isn’t any fail-proof technique for stopping reverse engineering, but best practices of secure coding will help users secure their applications against reverse engineering.
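The second issue above comes down to the fact that the mobile app reaches the same backend query as the web app, so the sanitization has to live on the server. As an added example (not the bulletin’s code), this uses an in-memory SQLite table with constructed rows and stands in for the server endpoint both clients call: the vulnerable lookup pastes the client’s value into SQL, while the hardened one passes it as a bound parameter so the driver never parses it as SQL.

```python
# Added example: same backend lookup reached from a mobile client, before and after.
import sqlite3

def make_db():
    """Constructed sample data standing in for the application's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, api_token TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "tok-alice"), (2, "bob", "tok-bob")])
    return db

def lookup_vulnerable(db, username):
    """Client-supplied value concatenated into the statement (the 'second issue')."""
    sql = "SELECT username, api_token FROM users WHERE username = '%s'" % username
    return db.execute(sql).fetchall()

def lookup_safe(db, username):
    """Bound parameter: the value travels separately from the SQL text, so an
    unexpected value can only ever match (or fail to match) a username."""
    sql = "SELECT username, api_token FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def handle_mobile_request(db, payload, safe=True):
    """Stand-in for the server endpoint; a mobile app posts the same fields a
    browser would, so the check must not depend on which client sent them."""
    username = str(payload.get("username", ""))
    return lookup_safe(db, username) if safe else lookup_vulnerable(db, username)

if __name__ == "__main__":
    db = make_db()
    crafted = {"username": "x' OR '1'='1"}      # constructed hostile input
    print(handle_mobile_request(db, crafted, safe=False))  # every row leaks
    print(handle_mobile_request(db, crafted))              # []
    print(handle_mobile_request(db, {"username": "alice"}))
```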
hacking human healthcare equipment
With the enhancement of smart technology, from smart phones to smart houses, healthcare is now also making smart healthcare equipment for better healthcare. This saves many lives and provides medical support that wasn’t really possible a decade ago, but it also brings cyber threats that can allow a hacker to manipulate these devices and directly impact the health of a patient. In 2015, we predict that hackers will start developing exploits for these devices.

The drug infusion systems used for delivering morphine drips, chemotherapy and antibiotics are controlled remotely, as these devices are installed in every patient’s room and remote control is easier, more convenient and more efficient than manual dosing. Because these devices are controlled remotely, an attacker can also manipulate these systems to change the dosage. Many other Bluetooth-operated devices, such as those used for defibrillation to deliver a shock to a patient’s heart, can be manipulated. Many other IP-based devices connected to the network can be compromised if an attacker digs into the internal network of the hospital.
Nowadays many hospitals provide WiFi internet to the families of patients, and hence anyone can connect to the hospital’s internal network. Once a hacker is connected to the network, he can manipulate the settings and inputs of these devices, which may lead to direct loss of life.
This domain still needs a lot of research to identify the exact vulnerabilities and loopholes that lie in this medical equipment and the systems around it, and to mitigate these attacks. In 2015, along with security researchers, hackers will also perform attacks on these devices to identify vulnerabilities.