Is it Sophisticated Cyber Attack?

These days I have been reading more and more about the sophisticated cyber attacks. There are agencies that report cyber attacks as state of the art – too awesome to detect. But, these news start with a pointer to vectors like “spear phishing” or “social media privacy leak” or plug in “unknown USB”.

Now to me, this is weird because I don’t think any of these vectors point to “sophistication” in my cyber dictionary. Come’on fellas, we all have been there, done that. An article on Wikipedia says -

This (Spear Phishing) technique is, by far, the most successful on the internet today, accounting for 91% of attacks.

When I see the news and blogs documenting a cyber attack, and talk of a malicious email, a USB found somewhere, or a person pwned via his personal account, personal computer – I think we are not learning from mistakes. We have to agree that you were careless when you opened that email, plugged in “some” USB, or visited some lucid website. I mean how many times have we undergone this training in Security Class 101.

If you don’t know it -> don’t trust it -> you must not open it.

Alas, we have to address the fact that human link still holds the weakest link in the cyber defense and needs awareness. We are making machines smarter and smarter, everyday trying to defeat human - turing tests, chess games, rubik’s cube. But, oh human - you are withering away your own intellect. And, it is proved in studies.

So, the attacks like StuxnetRSA breach etc. all started with some very naive vectors related to direct human error. Very few like the hospital cyber attack last week, had a catch to it which says the attackers probably used Heartbleed vulnerability to exploit and steal information.

A recent article on information leak related to doomed MH370 states -

“Sophisticated” malware was sent to officials involved in the search disguised as a news story claiming that the plane had been found, The Star reported. Around 30 computers were compromised. [Reference: Telegraph News]

A malware that anti-virus solutions couldn’t detect was sent via email. Users sitting in critical secured zone handling the documents just opened that email and get pwned.

I absolutely would agree the sophistication of the malware, and it definitely would have been a custom code out of someone’s artillery (bypassing AV is well known) but still, why rely and open the email? Moreover, with such confidential data in your premise – Is it not essential to have no internet access on such machines, or even so why open attachments without validating the source of the email. So, either tell me that it was not as documented by media, or else do not call it sophisticated.

In most cases, the sophistication starts with the fact that some human sitting on the terminal messed it up!

It gives leverage to the attackers to go full throttle. We still have miles to go to spread the right awareness, and right means of educating the weakest link. And for the media, any report that has words like – Chinese, APT, cyber attack; falls under sophisticated category. Sometimes I wonder do the attackers actually chuckle when they read the news of their naive attack as termed as sophisticated? I hope not.

Feel free to comment your views.

LinkedIn Reference:

Aug 28th, 2014 | Filed under: Hacking, Personal, Security, Technology
Author: Rishi Narang

Employer’s Social Media Policy

My IdeasWhile the topic may sound too dramatic, but this may soon shape into a legal IP rights (ref: Intellectual Property) issue in coming times. Over the last few years, there has been a constant change in the firm’s outlook about our personal cyber life. Some firms I know have been very aggressive in putting a strict policy upfront, at the time of joining. We are pushing our social IQ, and increasingly becoming more vocal sitting behind a device connected to internet.

I believe with fast paced social media expansion, two things are converging very rapidly – your personal opinion and your company’s internet footprint.

I have been managing my blog for last 4-5 years, authored information security articles for multiple magazines, and had been a speaker in conferences. I do have presence on LinkedIn, Facebook, Twitter and other mumbo-jumbo social channels as well.

Initially, companies never really bothered about what you do online as long as it’s your “personal time” and “personal resources”. Then came into effect the screening part. Ideally I had to get my blogs verified by the “Communication Excellence” (CE) or marketing department before posting it public. This also included my talks, and magazine articles. Whether I’m writing for my company blog, or my personal, I had to get the necessary approvals beforehand.

The reason behind this screening or approval process was to make sure there is no confidential content that can harm client relations or companies presence in the market. The CE department verifies that you don’t breach the NDA (Non Disclosure Agreement) and have been secretive towards your employer’s internal buzz. This all makes perfect sense.

I abide as long as it does not include ripping the essence of the article and making it a chaos of words.

Now in 2014, a new trend is hitting the cyber freedom. Employers are getting too possessive of their employee’s public presence because it may bite them in their #$% with the public feedback and interpretation.

Often, the reader tends to believe in the personal opinions of the individual as being a reflection of the employer. This sucks!

So what can we do? Some bloggers, and social media buffs do mention the disclaimer specifically addressing this very cause. It’s must and I’ve done that as well (here). But still, there have been times when office management has raised concerns on the material being posted. They do have concerns of the brand image that follows with the article on my “personal blog”.


I know, we may chuckle on such Glassbergen cartoons, but its not a satire. Today, employers are asking to submit your credentials for Facebook and Twitter for background checks and to keep a close scrutiny. Recently, there has been news (suggested reading) where employees have been asked to give control of their social media accounts to their employer for the right ‘marketing purposes’ – A new social media policy as they say! Employees may own the account, but the employer has right to post on their behalf as well. To me, this is not right. This is not my employer’s property. Worst thing, this policy holds even if you leave the company. Damn!

Such policies will get more restrictive and conservative towards your voice on a public platform, and will eventually encourage you towards “anonymous posts”.

I urge that deterrence is not the way to prevent social freedom, and neither should an employer reach to retributive decisions. I suggest to have a clear discussion with your employer, or the concerned team and set the ground rules. Always have a consent in written, and make sure you are aware of the firm’s hush hush.

But, it is never viable to share credentials at all under any circumstances. The content on a personal account on any social media is still the property the creator. Firms should not be overly insecure. Period.

Let me know your thoughts around it.


Aug 27th, 2014 | Filed under: Technology
Author: Rishi Narang

Try try ‘or’ Quit right?

Try!You may have to read this with a pinch of salt. While you may disagree, I have my fair share of experience to voice my opinions. Let me get this straight,

  1. I am not asking you to stop trying at all,
  2. I am not advising you for not to give your best effort,
  3. And, I definitely don’t mean to undermine anyone’s potential.

I believe mantra for this century is -

You show versatility, creativity and innovation. Machines can handle hard-work, and dedication.

I am saying it’s not a good idea to keep trying beyond a right time. There is a legend “try and try until you succeed” and I do have my concerns around this ‘aphorism’ as we may call it. I’ll call out some examples, and you decide what may have been the best way in such situations. I understand with my conversations in social circles, that it’s subjected to beliefs – some think we have evolved in a smarter generation, while others question that phones are being smarter, humans not so!


Over the decades, the society has changed a lot, the culture has evolved; its not the time when there were too few opportunities to play and excel. There always have been enough opportunities to play, but now the era has arrived when they have surfaced up to get all the spotlight they deserve. I sometimes feel it’s an utter disrespect to the opportunists to keep trying, keep hitting the same iron until you nail it.

I believe whether its gamble, or the strike of an opportunity, giving up at the right moment holds the treasure. With life and opportunities all around you, chances are you will find better one elsewhere. I wonder why stick to a single path, cling to a particular hinge, drop ‘n’ many years just to clear that one single exam (ask Indians about this).

I feel it’s not brave but an incapability to deal with life on your own, without the ‘planned’ paths and shortcuts. Your goal is to find a workaround to succeed, and not just keep hitting the same nail. Find a way to fix it, and stop trying to work out the only wonder glue you have!

With the cut throat competition in the Indian academics, people are wasting time to be the number 1 in their subjects and classes. Where there is still a percentage system, people are under immense pressure to achieve 100% (yes, 100%) because the standards say – college cut off list closed at 99%. I call this #wtf situation!

Students in India drop years just to clear the prestigious exam of IIT (Indian Institute of Technology) or IIM (Indian Institute of Management) both of them being ace universities. So, you drop 2 years of your ‘N’ years of life just to clear one exam. But why? I think they are just not prepared to take other routes to their goals, or to achieve success.

Lack of innovation, creativity and versatility is the outcry of this generation.

Let me ask you – what’s you aim? Is it to be the best engineer or to be the best management person so you can earn a good living, and serve for the purpose? Then, in those two years you would have joined another college, rather than sitting in a room and thriving to clear 1 exam. And, you would have got 2 years subject experience by now! Why didn’t you move on, and try something else to achieve your goals? I guess you were afraid of the hurdles in the new route.

In poker, it’s always right to quit when you either have enough or lose enough!


No one ever said to me on a table – Try and try until you succeed. Because, chances are someone else will throw me off balance. Isn’t life full of such tables as well?

We want humans to make best use of their times in solving problems, cutting edge solutions. And, it all depends how much can you foresee and what’s your end game. If your only aim in life is to clear an exam, then my friend you are short sighted, and your world is smaller than you think. It soon going to crumble. Rather, if your aim is to be productive, there are zillion ways to do that – stop trying one, and move to another as long as you serve the cause.

You will get few chances to pave your own path, but will have a lifetime to join the rat race.

Choose wisely and be kind.


Aug 22nd, 2014 | Filed under: Personal | No comments
Author: Rishi Narang

Cyber Attack! Buckle up.

cyber-attackRecently I came across the news of hospital network hacked, 4.5 million records stolen and was shocked. Sometimes I wonder is the offensive toolkit and mindset evolving stronger or is the defensive side withering away. Of all the developers I have interacted with, very few understand the need for security. They always undermine their application and its scalability.

If your application or environment is handling ‘any’ records more than 10,000 in numbers – you my friend can be the next target. Better, if you have more than a million records – you can be a state sponsored target.

The attackers are not choosy, though the sponsored ones are targeted but again not choosy. They target an enterprise, a system and then steal whatever they can. The data analysis is more of an offline task. Yes, some may keep their footprint low, and therefore steal slowly and in small amounts. They will steal it all, eventually.

When we hush hush about being defensive in a reactive approach, there are various SIEM and Forensics tools at our disposal. These tools are not shelf trained i.e. they are not your plug and play devices. You have to train them, teach them, give them the visibility of your network, system and logs.

SIEM and Forensics tools have their IQ (investors’ quotient) – the more you invest in training them, the better they will in response times & quality.

You’ll have to write rules/ filters/ monitors (whatever you want to call) to make them understand your architecture and data flows. And, to initiate such exercise you need people who have seen the other side, who have been fighting with the dark forces.

Focus on the kind of expertise you are employing and they will puppeteer your tools in the right direction.

With hundreds of security conferences happening around us, I wonder – how many of them talk about defensive security as a holistic approach. Security guys, no offense, but of all the conferences I have attended (including the 1337 ones) , most of them have been driven by hack to win, or concentrated to pwn the system/ network/ or browsers. At any day, we are talking 75% times on the next gen attacks on the forefront, and taking the defensive technologies as by-products or side effects. we yell out a bug, and someone somewhere attempts to fix it. I agree we trigger the evolution, but we do not contribute to any development.

How many of “hall of fame” ethical hackers or bug finders have submitted a patch themselves?
I empathize with the developers, who at every step get to know why their application is piece of junk, and they are the ones that take the heat – through business deadlines and security assessments. On the contrary, we as security people, wonderfully dodge the bullet stating no body can be 100% sure, we only check the attacks we now know; no insurance or guarantee. This is a false sense of security to the enterprise that they have been tested (but may not be thoroughly)

I have been in this industry long enough to understand where the golden eggs are. There are handful of companies that do red team assessments – thoroughly & sincerely. And more often the enterprise themselves do not allow comprehensive tests across all verticals.

Who do you want to knock down the front door? A responsible security guy, or a cyber attacker who will show no mercy.

Even one loophole is enough. An attacker is like Octopus Houdini – they will find the track, and the hole. All we can do is make it difficult, tiring and unworthy of the efforts. Also, in the worst case scenario of a breach – why didn’t the systems trigger a response. Why can’t a good log monitoring system find the anomaly.

We have to be on our toes – 24×7 else, the next time you call a 2 min break, the attacker calls it his triumph.

So, buckle up, they are on your way!


Aug 19th, 2014 | Filed under: Hacking, PenTest, Security | No comments
Author: Rishi Narang

OWASP X – Cheat sheet, not Bible.

sessionFirst of all am sorry to all my readers/ subscribers that I haven’t been active on my blog. I know its been an year now, and the reason was silly enough – I couldn’t get hold of a good blogging client for Mac OS. But now, thanks to Blogo – I am back in business. On my windows box, Live Writer was to my rescue, but since I shifted to Mac, I couldn’t find any. Too lazy to use online web editor. blah blah … whatever.

Okay, so what do I mean by “OWASP is cheat sheet and not Bible”. To understand it, let me give you a background on where does this statement came from.

Its been a decade since I’m dealing with web applications, and we all agree they have been growing exponentially – in number as well as complexity. We have walked a long way from static HTML pages and WYSIWYG editors, to web sockets and frameworks. Back in December 1st, 2001, Open Web Application Security Project was founded (OWASP Foundation). Following its’ endowment, another term made it to headlines in 2004 – OWASP Top 10 (in short, OT10). Now, since 10 years to its existence and kudos to the community, it has evolved with the web coherently at all levels. The idea behind OT10 is to document “a list of the 10 most critical web application security risks”. Did you get it? It means – It talks about most important, and not all the web application security risks. Remember, they are top 10, and not only 10.

Now honestly, how many of you know lists beyond OWASP Top 10? Do you know any other list of attack vectors, or vulnerabilities or references? Perhaps no. Don’t you wonder, if the applications running on world-wide-web or wicked witch of the west (WWW) have other issues as well?

The unfavourable part is we are so focussed on these 10, that we often miss the bigger picture. The enterprise, the consultants, the client and the vendors; all have their minds wrapper around the OWASP Top 10. Unfortunately, we are mentoring and promoting a work force of pen-testers so focussed on OT10, that if we ask them something beyond OWASP context, their expressions get pwned. To me, it’s not the right encouragement. As a pen-tester the first and foremost rule is – break the rules and find your way in. Then why do we behold the OWASP as the only rulebook in our hands, and think we have everything in our artillery? Why don’t we go beyond and above it.

OWASP, by all means is damn awesome to encourage, to kick-start your marvels but not to stick and forget your contribution. It’s onto us to populate it and find new vectors. You my friend are the analyst, the consultant, the pen-tester – go out of the box, break the rules (not the contract) and find something new. Always remember that every assessment is different – take new approach, new environment and refer OWASP; but don’t limit yourself. You never know you may find some vulnerability that could have affected the client more than what’s documented in OWASP Top 10.

Enough said, here is a list of things you should consider -

Next time when you deliver a report, do observe the vectors beyond OT10. Many of us may find grey areas but understand, they are different, and have different impacts (example – not all injections are lethal or critical, so don’t club them or take default ratings). Also, spend sometime to think what new can we deliver, that others can’t.


If we, holding the security batons will not take the holistic approach, who else will? Think about it.


PS: Do comment if you know something beyond OWASP categories. And, to some of my known fellas – please pronounce it OWASP and OWAPS ;)

Aug 16th, 2014 | Filed under: Hacking, PenTest, Security | 2 comments
Author: Rishi Narang