Risks in Social Networking · 2019-08-26 · Shri.Sanjay Kumar Vyas V.Muralidharan,Director Mr.Ch.A...


Risks in Social Networking

InfoSec Concept : 4

For Virus Alerts, Incident & Vulnerability Reporting

Handling Computer Security Incidents

InfoSec Quiz : 2 | InfoSec Tip : 3 | InfoSec Tools : 7 | InfoSec Alerts : 10 | InfoSec Latest News : 11


InfoSec Magazine

2013-Edition-II

Credits

Editorial Committee

Design Team

Action Group Members

Acknowledgement


Joint Director, DeitY

Consultant C-DAC Hyderabad

Data Security Council of India

Professor of Computer Engineering, NIT Surat

Principal Consultant, TCS

Executive Director, C-DAC Bangalore

Shri.Sanjay Kumar Vyas

V.Muralidharan, Director

Mr.Ch.A S Murty & Mrs.Indraveni K

Shri G.V.Raghunathan, K.IndraKeerthi

S.Om Aarathi

Dr.Kamlesh Bajaj

Dr.Dhiren R Patel

Shri.Sitaram Chamarthy

Dr.N. Sarat Chandra Babu

& HOD, HRD Division

DeitY, Government of India

HRD Division

Department of Electronics & Information Technology

Ministry of Communications and Information Technology

Government of India

Comments & Feedback: mail us to

InfoSec Quiz

1. Which of the following is used for secure exchange of email? a) HTTPS b) HTTP c) SSL d) www

2. Social engineering is when a con artist or someone else makes you reveal personal information. a) True b) False

3. Skimming is the terminology given to: a) Theft of Internet banking information b) Theft of Credit/Debit card information c) It is one type of Social Engineering d) Both b & c

4. ____ is an attack which targets specific high-profile executives in businesses or upper management in corporations. a) Whaling b) Phishing c) Baiting d) Vishing

5. It is one of the methods of social engineering: a) Baiting b) Virus c) Skimming d) None of the above

InfoSec Crossword

Across

1. It is one method of social engineering
4. Refers to politically motivated hacking to conduct sabotage and espionage
5. It is one type of malware
6. It is one type of phishing method

Down

2. Discovering the person's age, place of birth, school, and previous companies; this can all be used to target an individual
3. Theft of credit and debit cards

InfoSec Quiz

ISEA, Supported by DeitY, Government of India

Log on to www.infosecawareness.in to participate in the InfoSec Contest and win prizes.


InfoSec Tip

How to prevent?

Guidelines for using e-Mail safely

Never open e-mails from unknown persons. E-mails are just like postcards, from which the information can be viewed by anyone. When a mail is transferred from one mail server to another mail server, there are various stops at which unauthorized users may try to view the information or modify it.

- Using filtering software: Use e-mail filtering software to avoid spam so that only messages from authorized users are received. Most e-mail providers offer filtering services.

- Ignore e-mails from strangers: Avoid opening attachments coming from strangers, since they may contain a virus along with the received message. Be careful while downloading attachments from e-mails onto your hard disk. Scan the attachment with updated antivirus software before saving it.

- Since e-mail messages are transferred in clear text, it is advisable to use encryption software like PGP (Pretty Good Privacy) to encrypt e-mail messages before sending, so that they can be decrypted only by the specified recipient.

- Use e-mail filtering software to avoid spam so that only messages from authorized users are received. Most e-mail providers offer filtering services.

- Do not open attachments coming from strangers, since they may contain a virus along with the received message.

- Be careful while downloading attachments from e-mails onto your hard disk. Scan the attachment with updated antivirus software before saving it.

- Do not send messages with attachments that contain executable code, like Word documents with macros, .EXE files and ZIPPED files. You can use Rich Text Format (RTF) instead of the standard .DOC format. RTF will keep your formatting, but will not include any macros. This may prevent you from sending a virus to others if you are already infected by it.

- Avoid sending personal information through e-mails.

- Avoid filling in forms that come via e-mail asking for your personal information, and do not click on links that come via e-mail.

- Do not click on e-mails that you receive from untrusted users, as clicking itself may execute some malicious code that spreads into your system.
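An added example (not part of the original magazine) that applies the attachment guideline above to an outgoing message: it flags attachments that can carry executable code by inspecting their content rather than trusting the file name. The addresses, file names and sample message are constructed for illustration, and `classify`, `screen_attachments` and `build_sample` are hypothetical helper names.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .DOC/.XLS container


def classify(filename, data):
    """Return why an attachment can carry executable code, or None if no such type is recognised."""
    name = (filename or "").lower()
    if data[:2] == b"MZ" or name.endswith(".exe"):
        return "Windows executable"
    if data[:8] == OLE2_MAGIC:
        return "legacy Office document (may hold macros)"
    if data[:4] == b"PK\x03\x04":  # ZIP container, also used by .docx/.docm
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return "unreadable ZIP archive"
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            return "Office document with macros"
        if "[Content_Types].xml" in members:
            return None  # macro-free Office Open XML document
        return "ZIP archive"
    return None


def screen_attachments(raw_message):
    """Parse a raw e-mail and list (filename, reason) for every risky attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reason = classify(part.get_filename(), data)
        if reason:
            findings.append((part.get_filename(), reason))
    return findings


def _zip_bytes(members):
    """Build an in-memory ZIP from a {name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """Constructed sample message; every attachment below is synthetic."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Files attached.")
    attachments = {
        "notes.rtf": b"{\\rtf1\\ansi Meeting notes}",
        "photo.jpg": b"MZ" + b"\x00" * 62,  # executable renamed to .jpg
        "report.docx": _zip_bytes({"[Content_Types].xml": "<Types/>",
                                   "word/vbaProject.bin": "constructed"}),
        "clean.docx": _zip_bytes({"[Content_Types].xml": "<Types/>",
                                  "word/document.xml": "<w:document/>"}),
        "bundle.zip": _zip_bytes({"a.txt": "hello"}),
    }
    for name, data in attachments.items():
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in screen_attachments(build_sample()):
        print(f"BLOCK {filename}: {reason}")
```

The RTF file and the macro-free .docx pass, while the renamed executable is caught by its header even though its name ends in .jpg.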

For more details visit www.infosecawareness.in

InfoSec Guess Tip

Guess the Tip which best suits the cartoon by logging in to http://www.infosecawareness.in

InfoSec Cartoon

InfoSec Concept

Never send sensitive details like password or credit/debit numbers through e-mails.

www.cert-in.org.in


What is Social Network ?

A social network is a social structure made of nodes (which are generally individuals or organizations) that are tied by one or more specific types of interdependency, such as values, visions, ideas, financial exchange, friendship, dislike, conflict or trade. Social networks are fun to use, helpful for job hunting, and great for keeping in touch with friends, business contacts and relatives.

A Social Network Service focuses on building online communities of people who share interests and/or activities, or who are interested in exploring the interests and activities of others. The other side of social networking is its security and privacy issues, which are treated as two entirely different issues. A security issue is when a hacker gains unauthorized access to a site's protected resources, and a privacy issue is when someone gains access to confidential information by simply watching while you enter the password. But both types of breaches are often intertwined on social networks, especially since anyone who breaches a site's security opens the door to easy access to private information.

Social network security and privacy lapses exist simply because of the astronomical amounts of information the sites process each and every day, which makes it much easier to exploit a single flaw in the system. Features that invite user participation (messages, invitations, photos, open platform applications, etc.) are often the avenues used to gain access to private information. Some social networking sites offer a third-party application program interface (API) that allows for easy theft of private information and that gave developers access to more information, like addresses and pictures, than needed to test the applications.

Risks involved

- Illegal content: Illegal content on the sites, such as images of child abuse and unlawful hate speech. Age-inappropriate content on the sites, such as pornography or sexual content, violence, or other content with adult themes which may be inappropriate for young people.

- Contacts: This relates to inappropriate contact from adults with a sexual interest in children or by young people who solicit other young people.

- Conduct: This relates to how people behave online. This may include bullying or victimization (behaviors such as spreading rumors, excluding peers from one's social group, and withdrawing friendship or acceptance) and potentially risky behaviors (which may include, for example, divulging personal information, posting sexually provocative photographs, lying about real age or arranging to meet face-to-face with people only ever previously met online).

A message from one of your friends shows up in your inbox, sent via a social network site that you use regularly, such as Facebook. The message promises a big laugh, and points to a web site you've never heard of. You think you can trust it, so you click the link, and the next thing you know, your PC is misdirected to a phishing page that steals your log-in details or to a drive-by download site that infects your system with a password-stealing Trojan horse in zipped format. Your friend says she never sent you the message.

How Social Networking is done?

InfoSec Concept

Uses of Social Networking

- Meeting people online across the world
- Making friendship with people who are far away
- Profile building
- Self representation
- Exchanging / sharing information related to studies or education, current affairs, sports, business, transport, movies, latest news updates, event announcements, exchanging thoughts, etc.
- Sharing data files, videos, music, photos


Social Networking Risks and Challenges

Social networking has become the most popular activity in today's Internet world, with billions of people across the world using this medium to meet old friends, make new friends, and collect and share information. While being a popular medium, social networking has several disadvantages associated with it. These sites can be exploited by scammers or hackers, leading to loss of confidentiality and identity theft for the users. Social networking sites are becoming very popular, especially among growing kids. These sites expose kids to various risks like online bullying, disclosure of personal information, cyber-stalking, access to inappropriate content, online grooming, child abuse, etc. In addition, there are many more risks like fake profiles with false information, malicious applications, spam, and fake links which lead to phishing attacks.

Spam

As we all know, spam is usually unwanted e-mail advertising a product, sent to a list or group of e-mail addresses. Similarly, spammers send unwanted mails or messages to the billions of users of social networking sites, which are free and easily accessible to spammers for gathering the personal information of unsuspecting users.

Scams

Online scammers generally send the user an e-mail or message with a link which asks for profile information and tells the user that it will add new followers. These links look similar to applications, games, etc. Whenever the user posts his details through the link, the details are received by the scammers and the information is misused.

Malicious applications

A malicious application might come through different applications while using or installing software. Similarly, clicking on a social networking application starts the application installation process or a link to view a video, etc. In order to fulfil its intended operation, the application requests some elevated privileges from the user, like "access to my basic information", "update on my wall", "post on my wall", etc.

Clickjacking

Generally, clickjacking is a malicious technique of tricking Web users into revealing confidential information, or of taking control of their computer, while they click on seemingly innocuous Web pages. A vulnerability across a variety of browsers and platforms, clickjacking takes the form of embedded code or script that can run without the user's knowledge. The same is followed in the social networking domain. The objective behind such an attack is that users can be tricked into clicking on links, icons, buttons, etc., which could trigger processes running in the background without the knowledge of the user.

Phishing

As we all know, a phishing attack is the creation of a fake site that looks just like the original site. These days social networking phishing has come in different flavours, just like phishing attacks on banks and popular trading websites. Social networking phishing has come up with fake mails and messages offering specialized themes, profile updates, updates to security applications/features, etc. In order to see the updates, the user needs to follow a link and log in, through which the credentials are taken by the attacker. The linked page is a fake copy of the original login page, focused on stealing user account credentials.

Always use updated spam-blocking software.

Be on the alert for phishing e-mail scams.


Guidelines :

- Don't give or post any personal information like your name, address of the school / home, phone numbers, age, sex, credit card details.

- The information which you post online can be seen by everyone who is online, because the internet is the world's biggest information exchange tool. Many people who have access to the site which you are using can access your profile and get all the information you have posted. The persons who have access to your profile may include good persons like your friends, parents and teachers, and bad persons like strangers.

- Be aware that the information you give on the sites could also put you at risk of victimization.

- Never give out your password to anyone other than your parent or guardian.

- Change your password frequently, and avoid clicking links that purport to send you back to the social network site. Instead, type the site's address directly into your browser (or follow a bookmark you've previously saved) to get back to your account.

- When you are choosing a Social Networking site, privacy issues should be considered.

- While accepting friends on Social Networking sites, be selective. Only add people as friends to your site if you know them in real life.

- Never meet in person with anyone whom you met on a Social Networking site, because some of the people may not be who they say they are.

- Take your parents' permission if you want to meet a person whom you met on the networking site.

- Most Social Networking web sites enable users to set privacy controls for who has the ability to view the information. So try to use such facilities.

- Do not post anything which harms your family's credibility.

- Never post photographs, videos or any other sensitive information to unknown persons on Social Network sites.

- If you think that your social networking account details have been compromised or stolen, report your suspicions to the networking site support team immediately.

- Never respond to harassing or rude comments which are posted on your profile.

- Delete any unwanted messages or friends who continuously leave inappropriate comments, and immediately report those comments to the networking site.

- Do not post your friends' information on networking sites, which may possibly put them at risk. Protect your friends by not posting group photos, school names, locations, ages, sex, etc.

- Avoid posting on networking sites the plans and activities which you are going to do.

- Check the privacy settings of the Social Networking sites, and set them in such a way that people can only be added as your friend if you approve them, and can only view your profile if you have approved them as a friend.

For more details visit : www.infosecawareness.in

Social Networking Survey

- 49% of children 8-17 have an online profile
- 22% of 16+ have an online profile
- On average adults have profiles on 1.6 sites
- 63% of 8 to 17-year-olds with a profile use Bebo
- 37% of 8 to 17-year-olds with profile use MySpace
- 18% of 8 to 17-year-olds with a profile use Facebook
- 59% of 8 to 17-year-olds use social networks to make new friends
- 16% of parents do not know if their child's profile is visible to all
- 33% of parents say they set no rules for their children's use of social networks
- 43% of children say their parents set no rules for use of social networks

Source www.whatissocialnetworking.com

ec.europa.eu/information_society/activities/.../sn_principles.pdf Ofcom


InfoSec Tools

Qualys BrowserCheck

Qualys BrowserCheck is a cloud service that scans your browsers and plugins to see if they're all up-to-date. It's an "online checkup" that relieves you from having to manually chase the constantly-shifting landscape of patches and updates to determine what you should be using. BrowserCheck identifies which browsers and plugins are used on your computer and whether newer versions have been released by vendors. On PCs running Microsoft Windows XP or later and Mac OSX 10.6.8 or later, BrowserCheck can also verify that important OS settings are enabled and OS security updates are being received.

Keep your computers & browsers up-to-date. In seconds!

Qualys BrowserCheck Business Edition provides a web-based console from which IT administrators can:

- Set how often users' machines are scanned (such as daily, weekly, or monthly).

- Get easy instructions for connecting users' computers to BrowserCheck.

- Continuously track which browsers and plugins are installed on each machine.

- Verify that crucial OS security settings are enabled and that OS security updates are being received.

- View at-a-glance dashboards and drill down into per-machine status.

- Download an MSI file and activation codes that can be automatically pushed to users' computers.

With BrowserCheck, you can quickly see if your computers are keeping current or are falling behind, potentially giving online thieves an opportunity to steal information or break into your corporate network. Tracking whether computers are up-to-date and fixing issues quickly as they arise are widely cited as the first steps in exercising good web "hygiene." Automating these processes makes businesses more efficient, boosts security and shows compliance auditors that industry best practices are being followed.

The threat of browser-based data breaches is growing. The number of vulnerabilities in browser plugins is on the rise. Now is the time to be proactive about the security of your web browser.

Why QualysGuard?

- Unified view of your security & compliance: Integrated suite of security & compliance solutions enables organizations to simplify processes and achieve compliance with internal policies and external regulations.

- Actionable security intelligence: Discovers and scans your entire global IT infrastructure for vulnerabilities and malware.

- Global scalability: Easily perform scans on geographically distributed and segmented networks, both at the perimeter and behind the firewall.

- Lower and predictable TCO: Cloud computing offers significant economic advantages with no capital expenditures, extra human resources or infrastructure or software to deploy and manage.

- Rich integration: Full data and control APIs for connecting enterprise systems.

- Market leader: IDC ranks Qualys #1 in Device Vulnerability Assessment revenue share for its 5th consecutive year and Gartner awards Qualys the highest possible rating in its MarketScope for Vulnerability Assessment.


The Leading Provider of Information Security and Compliance Cloud Solutions

The QualysGuard Cloud Platform and integrated suite of solutions helps businesses simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications.

The QualysGuard® service is used today by more than 6,000 customers in over 100 countries, including a majority of the Forbes Global 100, and performs more than 1 billion IP scans/audits per year.

Founded in 1999, Qualys has established strategic partnerships with leading managed service providers and consulting organizations including BT, Dell SecureWorks, Fujitsu, IBM, NTT, Symantec, Verizon, and Wipro. The company is also a founding member of the Cloud Security Alliance (CSA).

The QualysGuard Cloud Platform: Qualys' flagship product, the QualysGuard Cloud Platform and its integrated suite of security and compliance applications, provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. The QualysGuard solutions include vulnerability management, policy compliance, web application scanning, malware detection and Qualys SECURE Seal for security testing of web sites.

Pioneering SaaS Security

Qualys was founded in 1999 at the height of the technology bubble, when Internet security was just beginning to appear on executive agendas. The company launched QualysGuard in December 2000, making Qualys one of the first entrants in the vulnerability management market. QualysGuard's market entry was marked by a powerful combination of highly accurate and easy-to-use scanning technology that pioneered the revolutionary new approach to delivering security applications through the web that would become known as "Software-as-a-Service," or SaaS. Qualys' customers were clearly impressed by the power and flexibility of the SaaS model: lower total cost of ownership, high scalability, centralized management from any Web browser, and continuous access to new and upgraded applications.

In 2005, Qualys extended its QualysGuard product line to help those customers better manage burgeoning IT compliance requirements, which are inextricably intertwined with vulnerability management, including what has now become the Payment Card Industry Data Security Standard (PCI DSS).

Qualys' move into IT compliance management has particularly benefited the company's client base in such heavily regulated industries as financial services, retail, manufacturing, government and health care. In 2008, Qualys introduced QualysGuard Policy Compliance, which extended the platform's global scanning capabilities to collect IT compliance data across the organization and map this information into policies to document compliance for auditing purposes.

Since that time, Qualys has continued to broaden the scope of its on-demand services to address new threat vectors, particularly web sites and web applications, with the releases of QualysGuard Web Application Scanning (WAS), QualysGuard Malware Detection, Qualys SECURE Seal and most recently with the introduction of the QualysGuard Web Application Firewall (WAF) for automated protection of web sites.


InfoSec 2014

Spread Security Insight

on 31st Jan & 1st Feb

at Jawaharlal Nehru Auditorium, JNTU Hyderabad

For Academicians, Students & Industry

For more details visit www.infosec2014.in

Features & Benefits

New Service Offerings: Provide critical and on demand vulnerability management services as part of a comprehensive and differentiated managed security program.

Offering includes: Co-branding capabilities to show partner branding are included. Trial accounts for online marketing and prospecting.

Greater Security Confidence: Proactively safeguard your customers with the most accurate, comprehensive vulnerability scanning available in the industry.

Reduce False Alerts & Increase Efficiency: By correlating actual vulnerability exposures with IDS and firewall logs, MSPs can eliminate as much as 70% of irrelevant alerts, dramatically improving response time and operations efficiency.

Independent Audit Confirmation: Document security compliance and support service level agreements through trusted third-party reports and workflow capabilities.

Seamless Integration: QualysGuard extensible XML APIs allow security partners to seamlessly integrate vulnerability management into their existing offerings. It offers partners:

- Ability for partner to provision and create customer accounts
- Single-sign-on for seamless portal integration
- Allows partners to manage customer authentication from within their security portals

For more details visit: https://browsercheck.qualys.com/


InfoSec Alerts

For more details visit www.cert-in.org.in

Multiple vulnerabilities in Apple Safari

Multiple vulnerabilities in Mozilla products


InfoSec Latest News

www.cert-in.org.in

http://www.dnaindia.com/scitech/report-hugely-addictive-candy-crush-making-pockets-lighter-1913743

http://www.bbc.co.uk/news/technology-24348395


Centre for Development of Advanced Computing (C-DAC), a Scientific Society of Department of Electronics and Information Technology, Ministry of Communications & Information Technology, Government of India, is primarily an R&D institution involved in design, development and deployment of Advanced Electronics and Information Technology Solutions, including the celebrated PARAM series of Supercomputers. The C-DAC, Hyderabad is working in R&D with a focus on system level programming, web technologies and embedded programming in the application domains of Network Security, e-learning, Ubiquitous Computing, India Development Gateway (www.indg.in), Supply Chain Management and Wireless Sensor Networks.

Supported by Executed by

Department of Electronics & Information Technology

Government of India

National Level Painting/Drawing Competition on Information/Cyber Security Awareness

For more details visit www.infosecawareness.in/contest

@Kanchanbag @Hyderabad

@Hyderabad @Visakhapatnam