Archive

Archive for the ‘Application Security’ Category

Making your Gmail and Google account more secure

September 15th, 2011 1 comment

Making your Gmail and Google account more secure – A 5 point checklist.

Have you ever gave a thought what will it be like, if our Gmail or Google accounts password is compromised?? For a person like me who keeps backup of all important document, research papers, links, photos (the ones you cannot keep on home computer too :-) ) and nearly everything on the Google cloud. Most of us have no idea where and in what form my data is stored there but still I trust Google more then my personal laptop. We use so many applications like Gmail, Google docs, Picasa, Orkut but hey all share your same Google accounts password, and if that gets compromised it’ll be like tsunami for us, and with the number of hackers (including the ethical ones :-) ) growing in this world, the probability of it becomes pretty high. People can hack using a
network level attack, or using a poor password recovery options or if you think you are too intelligent to use your vehicle name or girlfriend/boyfriend name as password, your hacker friend will not take much time to prove that you a ‘@#$#@$’.
Well coming to the point, “How to make your Gmail and Google accounts more secure”. There is no special trick or hack to do so. It’s just that Google has provided you many features and options to do so; you have to use them in right way. Here is the check list of options you should use, to insure that your google accounts is safe enough.

1.) Use a secure connection when signing in – Google uses https by default but to make sure that Google uses https always, use the
“Always use https” option in “Browser connection:” under “General” Tab in Settings of your Gmail.

This will make sure that your user credentials are passed in encrypted form which will prevent network level attacks.

2.) Change your password regularly – With ’123456′ as the most commonly used password in this world you should start using a combination of numbers,characters, and case-sensitive letters for your password and avoid dictionary words. (Even if your dear one’s name is not there in dictionary avoid using such passwords :) )

3.) Update your account recovery options – Make sure that your Recovery email address is correct and you are still using it. It’s
really important as I have seen a case where a person’s recovery email id was never used and expired, which was available for anyone to take. Make sure to add your mobile number as Google can send you a recovery code via SMS, which can very handy. Last recovery option is the ‘Secret Question’ which is only available if you have not signed in during past 24 hours. The answer to the security question should be hard for others to guess, so better choose a difficult secret question and make sure you yourself remember the password :-) .

4.) Turn on 2-step verification - This option adds up one more factor of authentication (Two factor authentication) to your Google accounts. Two factor authentication implies the use of two independent means of evidence to assert an entity, rather than two iterations of the same means. Usually “Something one knows”, “something one has”, and “something one is” are useful simple summaries of three independent factors. For 2-step verification Google uses a verification code which is time specific. If you Turn on this option for your Google accounts, each time you try to login, a Google verification code will be asked(You can remember it for a computer). The next question may be how to get this verification code?? The answer is that Google provides many ways to get this verification code. You can install a mobile application to access this code, or Google can send you a SMS containing the code, and the last option is that you can print some static codes and keep then someplace accessible, like your wallet. You can turn on 2-step verification using this link “https://www.Google.com/accounts/b/0/SmsAuthConfig”. Try to subscribe to all the ways from which you can get your verification code as not all are accessible everytime. For example there may be a case where in you have subscribed to SMS as a way of accessing verification code, in this case if you forget to take your mobile somewhere you will not be able to access your google account.

5.) Keep monitoring your account details – Check the lists of websites that are authorized to access your Google account data. Go to My Account > Authorizing applications and sites. You’ll see the list of all third-party sites you’ve granted access to. If you see a website to which you think you have not granted the access, immediately revoke the access for that site. Second thing you should monitor is the ‘Last Account Activity’. At the bottom right of your page you’ll see ‘Last account activity’ with a link for details. By clicking on that link you can monitor, how many sessions are presently open with Access type, location and time of access.

Don’t forget to visit Google security tips and Gmail security checklist from Google for further information.
Reference :
Google security tips : http://www.google.com/help/security/index.html
Gmail Security Checklist : https://mail.google.com/support/bin/static.py?page=checklist.cs&tab=29488
Two-Factor Aunthentication from Wikipedia

Categories: Application Security Tags:

Rebuilding Spotlight’s Index on OS X (Manually)

August 20th, 2011 1 comment

After doing a number of disk clean up and optimizations, I found myself in the circumstance of OS X’s spotlight returning no results. Whether I searched for a keyword in Mail, or by Spotlight using Command-Space, I got no results backs – just an empty list for my troubles.

It turns out there’s a neat utility out there called Rebuild Spotlight Index 2.7 that does all the grunt work for you. Problem is, it didn’t work for me. What’s going on is actually fairly trivial, and it’s possible to simply do everything via the command line.

The metadata utilities need to run as root, so to see what your drive is up to, you’d enter something like: sudo mdutil -s /

This shows the status on the root volume.

To turn indexing on for a volume, you enter: sudo mdutil -i on /

And, to force Spotlight to rebuild its index, you simply erase the master copy of the metadata stores on the volume like this: sudo mdutil -E /

However, while I did all this, Spotlight was still not building the indexed for me.

Here’s how I solved it, using just the Terminal.

First, I wanted to see the schema file, so I printed it out using to the standard input using: sudo mdimport -X

At the bottom of the schema listing, I say a reference to a schemaLocation, and took a shot in the dark that perhaps that Spotlight’s index rebuilding needed to check data against its schema before it would start. To do that, it might need network access, if not back to the local machine. And, for good measure, I went to check the date/timestamp on the Spotlight directory using:sudo ls -la /.Spotlight*

While most of the files had the timestamp of when I tried to delete the index, not all the files had the current date and time. Additionally, the file sizes were not growing, a good indication the index was not being rebuilt.

Then, I did the following commands to ensure indexing was on, the spotlight metastore was really gone, and that I wanted it rebuilt:

sudo mdutil -i on /

rm -rf /.Spotlight*

sudo mdutil -E /

The moment I did the last command, this time the system sprung to life, the directory /.Spotlight-V100 was created, and the files inside it were growing quickly. Spotlight on the toolbar showed a progress bar, indicating the system would be done indexing in a bit.

Disable Spotlight Indexing in Mac OS 10.6 – Snow Leopard

August 20th, 2011 No comments

Disabling Spotlight in Snow Leopard is pretty easy, launch the Terminal and type the following command:

sudo mdutil -a -i off

This tells the Spotlight manager to disable all indexing on all volumes, the command will require your administrative password to execute.

Re-enabling Spotlight in Mac OS X 10.6 Snow Leopard is just as easy, just reverse the command to:

sudo mdutil -a -i on

Now Spotlight indexing will be back on and work as usual.

Binary-auditing training package – Manual decompilation, Exercise 8

August 13th, 2011 No comments
This problem statement is part of binary-auditing package. This needs
to be converted to HLL

Problem:(Assembly code)

sub_408138 proc near
000 push ebx
004 push esi
008 mov esi, edx
008 dec esi
008 test esi, esi
008 jl short loc_40816F
008 inc esi
loc_408142:
008 xor edx, edx
008 mov dl, [eax]
008 xor ebx, ebx
008 mov bl, cl
008 add edx, ebx
008 test edx, edx
008 jge short loc_40815B
008 mov ebx, 100h
008 sub ebx, edx
008 mov edx, ebx
008 jmp short loc_408169
loc_40815B:
008 cmp edx, 100h
008 jle short loc_408169
008 sub edx, 100h
loc_408169:
008 mov [eax], dl
008 inc eax
008 dec esi
008 jnz short loc_408142
loc_40816F:
008 pop esi
004 pop ebx
000 retn
sub_408138 endp

 
Pseudo/High Level code:
var_esi = var_edx;
var_esi -- ;

if(var_esi >=0)
var_esi++;

do
{
var_edx=0;
LOWER byte of EDX=*var_eax;  //EAX supplied from outside

var_ebx=0;
LOWER byte of EBX=LOWER byte of ECX;  //ECX supplied from outside

var_edx=var_edx+var_ebx;

if(var_edx<0)
{
var_ebx=100h;   //256
var_ebx=var_ebx-var_edx;
var_edx=var_ebx;
}
else
{
if(var_edx>100h)
var_edx=var_edx-100h;
}

*var_eax=LOWER byte of EDX
var_eax++;
}while(--var_edx!=0)

Application Security – The Basics

July 28th, 2011 2 comments

The Institute for Security and Open Methodologies (ISECOM) defines security as “a form of protection where a separation is created between the assets and the threat”.
Security in general has many categories, it can be the security of physical assets like Home, Airport, Infrastructure, or some kind of political security like Human security, national security or computer security which itself  has many categories.

Read more…

Switch to our mobile site