Monday, April 26, 2010

Security Professionals' Group

We're glad to have formed a group of professionals working in the area of information security. In our first meeting yesterday, which was held at K-Secure's office in Mumbai, we discussed Vulnerability Assessment services; the members shared their experiences of which vulnerabilities are commonly found and the challenges they face in closing them. There was also a demonstration of tools, which made it more interesting.

The meeting was supposed to last 1 hour, but there was so much excitement that we wanted to go on and on, and we finally decided to wind up after about 10 hours.

We have lots and lots of plans for the future of the group, so if you are interested in joining, please email spg@ksecure.net.

Wednesday, April 21, 2010

OWASP Top 10 - 2010 released

Want to get started with application security? OWASP (The Open Web Application Security Project) has released its list of the ten most critical web application security risks.

Top 10
------
A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration (New)
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards (New)

More on the Top 10 is given here: OWASP Top 10
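As an added illustration of one of the two new entries above, A10 (Unvalidated Redirects and Forwards), here is a small redirect validator of the kind a defender would put in front of a "next" or "return_to" parameter. This is example code written for this post, not OWASP's own material; the allow-listed hosts and the sample targets are constructed. It deliberately covers the cases that a naive "does it start with a slash" check gets wrong: network-path references (`//evil.com`, `///evil.com`), backslashes that browsers treat as slashes, userinfo tricks (`https://www.example.com@evil.com`), and non-HTTP schemes such as `javascript:`.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the hosts this application is willing to redirect to.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` is a same-site path or an http(s) URL on an allowed host.

    Anything ambiguous is rejected; an open redirect is exactly the case where
    the "harmless-looking" value is the dangerous one.
    """
    if not target:
        return False

    # Mimic browser canonicalisation before parsing: browsers drop embedded
    # tab/CR/LF, strip leading and trailing whitespace, and treat '\' like '/'.
    # Parsing the raw string instead would let "/\evil.com" pass as a relative path.
    candidate = "".join(ch for ch in target if ch not in "\t\r\n").strip()
    candidate = candidate.replace("\\", "/")
    if not candidate:
        return False

    parts = urlsplit(candidate)

    if parts.scheme:
        # Absolute URL: only http/https, and only to an allow-listed host.
        # `hostname` is lowercased and already has userinfo and port removed,
        # so "https://www.example.com@evil.com/" yields "evil.com" here.
        if parts.scheme.lower() not in ("http", "https"):
            return False  # javascript:, data:, vbscript:, ...
        return parts.hostname in allowed_hosts

    # No scheme. A value beginning with two or more slashes is a network-path
    # reference: browsers resolve "//evil.com" AND "///evil.com" to a new host
    # (urlsplit reports the latter as a plain path, which is why we check the
    # string and not the parsed netloc).
    if candidate.startswith("//"):
        return False

    # Accept only an explicit same-site path. Bare "www.example.com/x" has no
    # scheme and no leading slash; treating it as unsafe is the conservative choice.
    return candidate.startswith("/")


def resolve_redirect(target, fallback="/"):
    """Return `target` if it is safe, otherwise the application's own fallback page."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample values as they might arrive in a ?next= parameter.
    samples = [
        "/account",
        "https://www.example.com/account",
        "//evil.com/login",
        "///evil.com",
        "/\\evil.com",
        "javascript:alert(1)",
        "https://www.example.com@evil.com/",
        "https://evil.com/https://www.example.com",
    ]
    for s in samples:
        print(f"{s!r:45} -> {resolve_redirect(s)}")
```

The check is allow-list based on purpose: trying to enumerate the ways an attacker can disguise an external host (case tricks, mixed slashes, userinfo, IDN lookalikes) is a losing game, whereas "is the parsed hostname one of ours, or is this an explicit same-site path" stays correct as browsers evolve. Pair it with a safe fallback, as `resolve_redirect` does, rather than raising an error that the login flow then has to handle.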

Friday, April 2, 2010

Facebook phishing through live chat with Ranbir Kapoor


I was hooked for a while on Ranbir's live chat for the Pepsi game on Facebook today. At the end of the session, I observed some messages informing the users that Ranbir was still online and asking them to click on a link. Though the link looked legitimate, I did not want to trust it, so I ran my tools to do some investigation. Soon I found that it was taking me to another URL which included the word 'hacking'. Now I was very sure that it wasn't a genuine message. A little more into it and there came a page which looked exactly like the login page of Facebook. It did not need any further investigation, as it was very obvious that this was a phishing site and was looking for usernames and passwords.