Security Articles

Oracle Padding Attack

The key to understanding a padding oracle attack is understanding the padding scheme in use. The scheme applies cryptographic padding to plaintext before it is encrypted with certain block ciphers. Using a block cipher imposes the rule that 'the text to be encrypted with a block cipher must be a multiple of the agreed block size before the encryption algorithm is applied'.

Please read the attached document to learn more about the Padding Oracle Attack.

Authored By - Binayak Banerjee
TCS Cyber Security Community

How to protect web apps with CA Single Sign On (CA Siteminder)

Before explaining how to protect web apps with SiteMinder SSO, I would like to briefly describe how SSO works.

CA Single Sign On: Single sign-on is a property of access control across multiple related but independent systems. With this property, a user with a single ID and password can log in once and seamlessly access multiple connected systems.

Many organizations run numerous web applications supporting their business. Those applications must be secured so that not everybody can access them. This is controlled by a mechanism that forces each user to log in to the application.

This document focuses on protecting an application using the "Web Agent". Web Agents are CA-developed agents that integrate with a variety of HTTP and application servers. You can also provide SSO to third-party or vendor-hosted applications through the Federation module of CA SSO.

How to prevent security vulnerabilities in CA Single Sign On

Cross-site scripting attacks and other security breaches can occur when any web application is launched. CA Single Sign On can prevent these attacks by utilizing some out-of-the-box features.

How to clear .dat files from Siteminder AdminUI console

What are .dat files? These are files with the .dat extension that store policy store information; they are generated on the SiteMinder AdminUI server.

Any action on the SiteMinder AdminUI generates .dat files on the server where the AdminUI is installed. Deleting the .dat files directly from the server will corrupt the data in the AdminUI console.

Instead, these .dat files can be cleared safely by performing the steps below on the AdminUI console.

The .dat files can occupy a huge amount of disk space, so clearing them helps free space on the server.

All you need to know about the 3D Secure Protocol

3D Secure is an XML-based protocol designed to add an additional layer of security to internet payments made with cards. It is mainly designed to reassure the cardholder by providing a sense of security and to reduce fraudulent transactions made with stolen card details. 3D Secure is branded by the card schemes as Verified by Visa (VBV) and MasterCard SecureCode (MSC).

We need to understand the important role 3D Secure plays in the payment gateway, because with the increase in online transactions, every cardholder intends to initiate transactions online to pay for their online purchases.

Internet Payment

Security: No More A NON-FUNCTIONAL Requirement

Information is the heart of any business, be it banking, medicine, healthcare, insurance, retail, etc. Hence it is imperative for any business and its enablers to protect that information. This is presumably how the concept of information security was conceived. Information security keeps the confidentiality, integrity, and availability of information intact. With evolving industry trends, security requirements have emerged over time, including the few listed below:

1. Authentication and password management
2. Authorization and role management
3. Audit logging and analysis
4. Network and data security
5. Code integrity and security testing
6. Cryptography and key management
7. Data validation and sanitization
8. Third party component analysis

Homomorphic Encryption : Is it a newbie in the field of data security?

Cryptography and data protection have existed since ancient times: from the earliest adoption by Julius Caesar (the Caesar cipher), which used substitution to keep messages secret, to Germany's Enigma machine for protecting communications during the Second World War, to the latest symmetric and asymmetric cryptographic ciphers.

Nowadays, encryption is used not only to protect military communication but also to protect personal information. Data is everywhere, stored on billions and billions of computing devices, driving the need to protect it from unauthorized access, theft, and misuse. Governments and industries across the world have placed a lot of focus on data privacy and protection, and the recent implementation of GDPR is a huge step in that direction.

Spear Phishing: The Trending Cyber Security Threat

As we are all aware, phishing in general refers to scams which attempt to trick the recipient into providing confidential information, like account credentials, to the attacker. It is usually conducted by sending malicious emails to as many people as possible: the attackers know that the more people they reach, the greater the number of victims.

On the other hand, spear phishing is "an email targeted at a specific individual or department within an organization that appears to be from a trusted source".

Access Recertification and its importance

Access review, or access recertification, is an ongoing process of auditing user access privileges to determine whether the access rights are still valid and/or necessary. The accumulated access privileges of current and former employees, along with contractors, third-party vendors and other temporary workers, pose the biggest security risk in an organization. Hence proper and periodic access reviews are a mandatory part of the process.

Serverless Applications and Vulnerabilities

In this post, I shall discuss the vulnerabilities of a comparatively new concept called "serverless applications". Before we proceed, the question that might come up is: what is a serverless app? (At least that was the question which bothered me initially: how can an app not be hosted and yet be used?) So I shall briefly describe this concept and then come back to the original concern, vulnerabilities in serverless apps. (Please skip the first part if you are already familiar with it.)

Serverless Application

This concept emerged in 2015 (though others claim it dates to 2012). It can be called the next stage of virtualization: the journey from physical servers to virtual machines to containers and now to serverless applications. At each stage, the number of instances goes up and their lifespan becomes shorter.
