17 September, 2014

Security and Hacking

Security today is an unstated requirement that customers assume is implemented, but neglecting it can cause huge losses, both monetary and reputational. Most applications deal with at least one of the following:
  • Financial Information
  • Credit Cards
  • Account Numbers
  • Customer's Personal Information
      ◦ Name
      ◦ Contact information
      ◦ Special information
Such information is extremely crucial to its owners, as it can have major financial and emotional impacts if it falls into the wrong hands. The study of information and the impact of its disclosure is called Information Sensitivity; you can read more about it on Wikipedia.
Before understanding the basics of writing secure applications we need to understand how hackers think, so that we can take preventive steps. Depending on their behaviour, hackers are given one of the following types of hats.
  1. White Hat - The Good ones
  2. Black Hat - The Dangerous ones
  3. Grey Hat - The Confused Ones
White Hat Hackers hack applications ethically. They have a positive mindset: their aim is to find security bugs well before anyone else can take advantage of them. They make the owners of the application aware of the bug so that it can be fixed. Ethical hacking is one of the major sub-fields of today's IT industry. Big organizations like Facebook and Google pay rewards for finding and reporting bugs in their applications. For Facebook, such defects can be reported at https://www.facebook.com/whitehat. Google maintains a Hall of Fame for white hat hackers at http://www.google.co.in/about/appsecurity/hall-of-fame/
Black Hat Hackers hack applications to gain an advantage they are not supposed to have, e.g. to gain money, to spread their message (unethically), to obtain processing power (e.g. for mining bitcoins) or just for fun. They are the most dangerous, as they act like the terrorists of the Internet world. There are many banned groups that operate to find security bugs in big applications and exploit them. One such example is LulzSec; even their slogan is "Laughing at your security since 2011".
The majority of people fall into a category called grey hat hackers. They may be ethical in one instance and wear a black hat in another, or switch sides depending on the situation.
Before we proceed with security principles, let us discuss some of the common flaws in applications that hackers take advantage of.
Role of Social Media
Writing secure code is sometimes not sufficient if the requirements have not been properly thought through.
Ever heard of Security Questions? It is a feature used in many applications for recovering lost access to the application. With the emergence of social networking sites, this has become a danger zone: anyone with "friendly" access to a profile on such a site can get the answers to most of the questions in use. Also, if one can forget a password, one can equally forget the answer one gave to the security question. For example, for one security question (What was the name of your first school?) I provided several possibly correct answers but I am still not able to recover my password:
  • Seventhday Advantist
  • seventh day advantist
  • 7th day advantist
So such requirements do more harm than good. The security-question approach is outdated and must not be used today; OTPs (One Time Passwords) are a better solution.
Clues
Just like every technology, software skills can be used for any purpose. Hackers today are efficient and are becoming more powerful day by day. They are able to collect data points and enter a restricted site by learning about the code structure and behaviour of the application.
Hackers make use of the smallest possible clues, including:
  • any comments visible to end users
  • error messages
  • time taken by request to respond
  • any input or output field
Comments
Comments or unused code, if they reach hackers, can leak information about:
  • the technology used behind the application
  • coding style
  • users of the environment
Also, since comments are non-executable content, transmitting them from server to client has a cost without any benefit. The following is typical of the comments I have observed on many live sites:
<!--
Commented code as per comments from MANAGER_ID as this is just for testing. should not be used in live environment
<input type="hidden" name = "bypass_security" value="true">
-->
All front-end output must be passed through an output filter that removes all comments and unwanted code. Many popular filters are available these days which not only remove comments but also minify and obfuscate the output, preventing leakage of code information and reducing the bytes transferred over the network, which makes your web apps faster.
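One way to implement such an output filter, as an added example that is not from the original post: a small Python function, run over the rendered page before it is sent, that drops HTML comments (and records what it removed for review) while keeping IE conditional comments, which browsers interpret as markup. The sample page below is constructed here, modelled on the comment quoted above.

```python
import re

# Constructed sample page, modelled on the leaked-comment pattern quoted above.
SAMPLE_HTML = """<html><body>
<!--
Commented code as per comments from MANAGER_ID as this is just for testing.
<input type="hidden" name="bypass_security" value="true">
-->
<!--[if lt IE 9]><script src="html5shiv.js"></script><![endif]-->
<form method="post" action="/login">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>"""

# Non-greedy match so each comment is handled separately; DOTALL spans newlines.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# IE conditional comments ("<!--[if ...]> ... <![endif]-->") affect rendering and are kept.
CONDITIONAL_RE = re.compile(r"^\[if\s.*<!\[endif\]$", re.DOTALL)


def strip_html_comments(html):
    """Return (filtered_html, removed).

    removed lists the bodies of the comments dropped, so a release check can
    review what was about to leak; conditional comments are left untouched.
    """
    removed = []

    def replace(match):
        body = match.group(1).strip()
        if CONDITIONAL_RE.match(body):
            return match.group(0)  # keep conditional comment verbatim
        removed.append(body)
        return ""

    return COMMENT_RE.sub(replace, html), removed


if __name__ == "__main__":
    filtered, dropped = strip_html_comments(SAMPLE_HTML)
    print("removed %d comment(s):" % len(dropped))
    for body in dropped:
        print("  ", body.replace("\n", " | "))
    print(filtered)
```

This is a regex pass, not a full HTML parser, so run it on the final rendered output (after templating) rather than on template source.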
Error messages
Error messages are used to tell valid users about an error that happened. But if they reveal more information than required, directly or indirectly, they can affect the overall security of the application.
For instance, consider the following error messages, which commonly occur on websites:
  1. Your username or password is invalid
  2. the email id you entered is incorrect.
The first error is generally thrown when the user enters an invalid password. The idea behind mentioning the username in the message is not to reveal whether the user exists in the application's database. On the other hand, if the user enters an email that is not present in the database, a completely different message (number 2) is displayed. This defeats the purpose of the first message: the legitimate user is left confused about whether the username or the password was wrong, while hackers are unaffected, since they can still find out which users are valid.
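The two messages above as an added example, not code from the original post: a constructed Python login check whose leaky form returns a different message (and does less work) when the email is unknown, beside a uniform form that returns one message and always computes the password hash, so that response time, the other clue listed earlier, does not reveal account existence either. The user store, salt and passwords are constructed sample values.

```python
import hashlib
import hmac


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the sample runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store: email -> (salt, password hash). Not real credentials.
_SALT = b"constructed-salt-value"
USERS = {"alice@example.com": (_SALT, _hash_password("correct horse", _SALT))}

# Verified when the email is unknown, so an unknown account costs the same
# hashing time as a known one.
_DUMMY_RECORD = (_SALT, _hash_password("placeholder", _SALT))

GENERIC_MESSAGE = "Your username or password is invalid"


def login_leaky(email, password):
    """Vulnerable form: the message and the timing both reveal whether the email exists."""
    if email not in USERS:
        return "the email id you entered is incorrect."  # message 2: confirms no such account
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return GENERIC_MESSAGE  # message 1: only reached for existing accounts
    return "OK"


def login_uniform(email, password):
    """Hardened form: one message for both failure cases, and the hash is always computed."""
    salt, stored = USERS.get(email, _DUMMY_RECORD)
    matches = hmac.compare_digest(_hash_password(password, salt), stored)
    # The membership check stops the dummy record's password from ever logging in.
    if matches and email in USERS:
        return "OK"
    return GENERIC_MESSAGE


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, "unknown:", fn("bob@example.com", "x"))
        print(fn.__name__, "known:  ", fn("alice@example.com", "x"))
```

Equal hashing work removes the gross timing difference between known and unknown accounts; it does not make the whole request path constant-time, so apply the same idea to any other branch (lockout lookups, logging) that only runs for existing users.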