
Sunday, December 25, 2016

The Mobile Phone Is Your Private Property

This morning, when I was on my morning walk, a person came out of a construction site and was requesting me to lend my phone to make a phone call. I was not comfortable lending my phone, primarily for three reasons: First, he is a stranger to me; Second, he seemed to be working at the construction site and he should have sought help from those around him at his workplace, as they would be more comfortable helping him; Third, my mobile is my private identity and I would not want a stranger to use it to impersonate me. I did not lend my phone on that occasion.

How about you? Would you mind lending your phone for such requests? I understand, the answer will be "it depends." Thanks to the "Selfie" feature, seeking help from a stranger to take a snap on the mobile phone is not required any more. Anyway, I thought it would be useful to list out the concerns, so that one can decide how safe it is to part with one's smart phone. These apply to stolen / lost mobile phones as well.

Your Phone Contains Sensitive Information

You have your email configured on your mobile and, typically, it does not expect you to log in every time you use your mail app. So lending the phone may allow a stranger to gain access to your emails, and depending on how long it remains with the stranger, the impact of such a compromise could be larger. Similarly, your social media accounts do not expect any additional authentication. Needless to say, a smart or malicious stranger could do a great deal with access to your social media accounts. Exposing all the intimate details of our lives because of a lost, stolen or hacked phone is a serious issue.

Banking / Payment Applications

"There is an App for everything." Yes, every bank and investment advisor is rolling out their own App with pre-stored credentials for mobile-savvy customers. Mobile users find it convenient to use such an App without having to log in every time. However, how many such Apps you should install on your mobile phone is an issue to be discussed in a separate blog. For the purpose of this blog, let us consider the prevailing App culture. Driven by the digital economy, there are umpteen Payment / eWallet Apps out in the store. User convenience always wins over security requirements, and as such most of these Apps don't require a login to initiate a payment. This is a potential risk one should be aware of and careful about.


Personal & Corporate Information

If you are working for an organization, it is most likely that you have set up your corporate email account on your smart phone as well, and there you go, you are putting your organization's data / information at risk. Your organization would have a BYOD policy and procedure stating what precautions you should take with the corporate data that you use or access on your smart phone. If you are a senior-level executive, it is likely that you have your organizational applications configured on your mobile too. The exposure extends to your own or your organization's cloud storage, if any is configured on the phone.

Illegitimate Calls / Messages

In addition to your device, your mobile phone number (SIM) is closely linked to your identity. As such, any calls or messages that such a stranger sends using your phone will be logged against your identity, and you are responsible and answerable for any consequences that may arise from such calls or messages. Even if the activity is legitimate, the other person might call or message you back in future, with or without any specific intent.



AVAST did research in February 2016 and, according to them, their researchers were able to recover the following files from the 20 phones that were sold:

  • More than 1,200 photos
  • More than 200 photos with adult content
  • 149 photos of children
  • More than 300 emails and text messages
  • More than 260 Google searches, including 170 searches for adult content
  • Two previous owners’ identities
  • Three invoices
  • One working contract
  • One adult video

Given the ever-evolving capabilities of smart phones, the devices are increasingly becoming one's identity and as such should be handled with care and caution; otherwise one has to face the consequences that may arise as a result of such a compromise.

Sunday, April 27, 2014

WAF - Typical Detection & Protection Techniques

WAF (Web Application Firewall) is a new breed of information security technology that protects web sites and web applications from malicious attacks. As the name suggests, a WAF solution is intended to inspect HTTP and HTTPS traffic alone. WAF solutions have evolved over the last few years and are capable of preventing attacks that network firewalls and intrusion detection systems can't. The WAF offering typically comes as a packaged appliance, i.e. purpose-built hardware with software running on it, plugged into the network. Different appliances offer different deployment capabilities, such as active / passive modes, support for High Availability, etc.

Different vendors have come up with various techniques to detect and protect web applications of the enterprise and thus the capabilities of the solution differ. However, at a minimum these devices offer the following detection and protection capabilities:


Detection Techniques

Normalization techniques

Web applications of earlier days were simple and consisted mostly of HTML content. Since then, various tools and solutions have emerged that leverage the HTTP protocol to let applications send and receive complex data, including larger volumes of encoded binary data, and that extend the use of the HTTP methods. Hackers also leverage these techniques to attack a web application, for instance by encoding a payload so that a naive string match does not see it. This means the WAF device must be able to transform the input data into a normalized form, so that it can be inspected for potentially malicious content that could be leveraged to perform an attack.

Signature Based Detection

This technique matches the incoming traffic against specific attack signatures using string or regular-expression matches, and thus detects a potential attack. For this purpose, a database of such attack signatures must be maintained. Most popular WAF vendors maintain their own databases, whereas others subscribe to such databases. These databases need frequent updates to take into account the signatures used in recent attacks elsewhere.

Rule Based Detection

Rule-based detection is similar to signature-based detection, but it allows the use of more complex logic. For instance, even if a signature match is detected, the request can be further subjected to other conditions: if the data is from a trusted source, the traffic may still be allowed to pass through, with or without appropriate alerts and triggers for manual inspection. While the WAF solution ships with standard rules, these are configurable to meet the security needs of the customer. The standard rules may also be part of the signature / rule database maintained or subscribed to by the vendor.
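The three detection layers described above (normalization, signature matching, and a rule applied on top of a signature hit) fit together as in this added example. It is not code from the original post or from any WAF product; the signature list, the trusted-source set and the request format are constructed for illustration.

```python
import re
import html
import unicodedata
from urllib.parse import unquote

# Constructed signature list: (name, compiled regex). A real WAF carries
# thousands of these and refreshes them from a vendor database.
SIGNATURES = [
    ("sqli-union", re.compile(r"\bunion\b.+\bselect\b")),
    ("sqli-comment", re.compile(r"'\s*(or|and)\b.+(--|#)")),
    ("path-traversal", re.compile(r"(^|/)\.\./")),
    ("xss-script-tag", re.compile(r"<script\b")),
]

# Constructed rule input: sources the operator has marked as trusted are not
# blocked outright on a signature hit, but the request is alerted on.
TRUSTED_SOURCES = {"10.0.0.5"}


def normalize(value: str, max_rounds: int = 3) -> str:
    """Bring an input value into a canonical form before inspection.

    Repeated URL decoding undoes double encoding (%2527 -> %27 -> '),
    HTML entity decoding undoes &lt;script&gt;, NFKC folds fullwidth
    look-alikes (a fullwidth '<' becomes '<'), null bytes are stripped,
    and lowercasing makes the signature match case-insensitive.
    """
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    current = html.unescape(current)
    current = unicodedata.normalize("NFKC", current)
    current = current.replace("\x00", "")
    return current.lower()


def match_signatures(normalized: str) -> list:
    """Return the names of every signature that matches the normalized value."""
    return [name for name, pattern in SIGNATURES if pattern.search(normalized)]


def evaluate(request: dict) -> dict:
    """Apply the rule layer on top of the signature layer.

    request is a constructed dict: {"source": ip, "params": {name: raw_value}}.
    Returns the action ("allow", "allow-with-alert" or "block") and the hits
    per parameter, which is what an analyst needs to see in the alert.
    """
    hits = {}
    for name, raw in request["params"].items():
        found = match_signatures(normalize(raw))
        if found:
            hits[name] = found
    if not hits:
        return {"action": "allow", "hits": hits}
    if request["source"] in TRUSTED_SOURCES:
        return {"action": "allow-with-alert", "hits": hits}
    return {"action": "block", "hits": hits}
```

Running the same double-encoded parameter from an untrusted and a trusted source shows the difference between the signature layer (which fires in both cases) and the rule layer (which decides the action).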

APIs for Extensibility

Despite the standard signature- and rule-based detection techniques, the actual deployment scenario at the customer site may require customization of the detection techniques. WAF vendors usually support this need by offering extensible APIs, plug-ins, or scripting. If not appropriately secured, these extensibility options can be exploited by hackers too.


Protection Techniques

Brute Force Attacks Mitigation

These attacks use automated scripts that attempt to log in to the web application with common usernames and passwords. The attacks usually originate from a large number of sources, consisting of both legitimate web servers and private home computers. Once a username and password is successfully guessed, the hackers or their scripts / tools use the gained admin credentials for the next stage of attacks. Where usernames and passwords follow stricter rules, these attacks are most likely to fail at guessing valid credentials, but they still generate unduly high traffic, which drains resources and in turn affects the availability of the web application.

Protection from Cookie Poisoning

Cookie Poisoning attacks involve the modification of the contents of a cookie (personal information stored in a Web user's computer) in order to bypass security mechanisms. Using cookie poisoning attacks, attackers can gain unauthorized information about another user and steal their identity. Cookie poisoning is in fact a Parameter Tampering attack, where the parameters are stored in a cookie. In many cases cookie poisoning is more useful than other Parameter Tampering attacks because programmers store sensitive information in the allegedly invisible cookie. Most WAF solutions offer protection from Cookie poisoning by facilitating the signing and / or encryption of cookies, virtualizing the cookies or a custom protection mechanism as the specific web application may demand.

Session Attacks Mitigation

The session store is an important component of a web application; it is used to share common parameters pertaining to the user and the specific session across various actions within the application. Thus the session data is a key component used to secure web applications. Hackers, on the other hand, try various techniques to hijack the session or tamper with the session parameters. While tampering with parameter values is similar to Cookie Poisoning, Session Hijacking is stealing the session identifier and issuing requests from a different source with the stolen session identity. WAF solutions protect against session hijacking by signing and / or encrypting the session data and also by linking the session identifier with the originating client.
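The cookie-signing and client-linking protections described in the Cookie Poisoning and Session Attacks sections above, shown together in this added example (not code from the post or from any WAF product). The key, the cookie layout `payload|fingerprint|mac` and the choice of client IP plus User-Agent as the binding attributes are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed server-side key. A real deployment loads it from protected
# configuration and rotates it; it never leaves the WAF / server.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def _client_fingerprint(client_ip: str, user_agent: str) -> str:
    """Hash of the client attributes the session is bound to."""
    raw = f"{client_ip}|{user_agent}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def sign_cookie(payload: str, client_ip: str, user_agent: str) -> str:
    """Build payload|fingerprint|mac for the client that opened the session.

    The HMAC covers both the payload and the fingerprint, so neither the
    stored parameters nor the client binding can be altered without
    invalidating the signature.
    """
    if "|" in payload:
        raise ValueError("payload must not contain the separator '|'")
    body = f"{payload}|{_client_fingerprint(client_ip, user_agent)}"
    mac = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def verify_cookie(cookie: str, client_ip: str, user_agent: str):
    """Return (ok, reason, payload) for an incoming cookie.

    A modified payload (cookie poisoning) fails the signature check; a valid
    cookie replayed from a different client (session hijacking) fails the
    fingerprint check. The payload is only released once both checks pass.
    """
    parts = cookie.split("|")
    if len(parts) != 3:
        return False, "malformed", None
    payload, fp, mac = parts
    body = f"{payload}|{fp}"
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so an attacker cannot learn the
    # correct MAC byte by byte from response timing
    if not hmac.compare_digest(mac, expected):
        return False, "bad-signature", None
    if fp != _client_fingerprint(client_ip, user_agent):
        return False, "client-mismatch", None
    return True, "ok", payload
```

Binding to the source IP is the simplest form of client linking, but it breaks for users behind carrier NAT or roaming between networks, so production deployments tune which attributes go into the fingerprint.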

Injection Attack Protection

An SQL injection attack is the insertion of an SQL query via the input data from the client to the application. A successful SQL injection attack can read sensitive data from the database, modify database data, or shut down the server. Similarly, operating system and platform commands can often be used to give attackers access to data and escalate privileges on back-end servers. Remote File Inclusion attacks allow malicious users to run their own PHP code on a vulnerable website and access anything the PHP program could: databases, password files, etc. Most WAF solutions, using the normalization technique together with the signature and rule database, are able to deny requests carrying data, commands or instructions that could lead to any of these injection attacks.

DDoS Protection

Distributed Denial of Service (DDoS) is a common technique used by hackers to impair the availability of a website or application by directing unusually heavy traffic against it. This results in all the computing resources being used up and eventually in the site not being available at all. WAF solutions making use of the normalization techniques and the signature and rule databases are able to block such requests. Some common techniques used by WAF solutions are checking the content length and evaluating the number of requests or sessions from the same originating client within a given time period.
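The two checks named above (content length and request count per client within a time window) also cover the brute-force login traffic described earlier, so this one added example serves both sections. It is not code from the post or from any vendor; the access-log format and the log lines are constructed, and the limits are illustrative.

```python
from collections import deque


class ClientRateLimiter:
    """Per-client sliding-window limiter with a request-size check.

    One deque of request timestamps is kept per client key. A request is
    blocked when `limit` requests have already arrived from that client in
    the last `window` seconds, or when its declared body length exceeds
    `max_body` bytes. Blocked requests are not counted, so a client that
    stops sending is allowed again once its earlier requests age out.
    """

    def __init__(self, limit: int, window: float, max_body: int):
        self.limit = limit
        self.window = window
        self.max_body = max_body
        self._events = {}

    def check(self, client: str, now: float, content_length: int = 0) -> str:
        """Return "allow", "block-size" or "block-rate" for one request."""
        if content_length > self.max_body:
            return "block-size"
        q = self._events.setdefault(client, deque())
        # discard timestamps that have fallen out of the window
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return "block-rate"
        q.append(now)
        return "allow"


# Constructed access-log lines: timestamp client method path status body_bytes.
# The first client hammers the login form; the second sends one oversized body.
LOG_LINES = """\
1000.0 203.0.113.9 POST /login 401 64
1000.2 203.0.113.9 POST /login 401 64
1000.4 203.0.113.9 POST /login 401 64
1000.6 203.0.113.9 POST /login 401 64
1000.8 203.0.113.9 POST /login 401 64
1001.0 203.0.113.9 POST /login 401 64
1001.5 198.51.100.7 GET /index.html 200 0
1002.0 198.51.100.7 POST /upload 200 50000000
1011.0 203.0.113.9 POST /login 401 64
""".splitlines()


def replay(lines, limiter: ClientRateLimiter) -> list:
    """Feed each log line through the limiter and collect the decisions."""
    decisions = []
    for line in lines:
        ts, client, _method, _path, _status, size = line.split()
        decisions.append(limiter.check(client, float(ts), int(size)))
    return decisions


if __name__ == "__main__":
    limiter = ClientRateLimiter(limit=5, window=10.0, max_body=1_000_000)
    for line, decision in zip(LOG_LINES, replay(LOG_LINES, limiter)):
        print(f"{decision:<11} {line}")
```

The sixth login attempt within the window is dropped, the oversized upload is dropped on length alone, and the attempt ten seconds later is allowed again because the earlier timestamps have aged out.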


Obviously, what is listed above are most common detection and protection techniques that any WAF solution would offer. But vendors are constantly improving these techniques and thus adding more detection and protection features. This has to be a constant endeavor as the hackers on the other hand are also coming up with newer techniques to exploit various vulnerabilities.

Saturday, January 25, 2014

Internet of Things: What Strange Things Can Happen

It was about 6 years back that we started to see WiFi-enabled digital cameras, and we were wondering what WiFi had to do with a digital camera. But with that, digital cameras were able to upload the captured images automatically to cloud-based photo albums. Later came GPS-equipped digital cameras, which attach the location to the captured images. Of course, with smart phones equipped with higher resolution cameras, digital cameras are in decline. That is just a well-known example of how a 'thing' or a smart thing can connect to a network and share useful data for a purpose. So much has evolved since then, and we now see a world of possibilities to have all the 'things' connected.


Researchers see a lot of benefits by making things smart and inter-connecting them. The networking technologies are also evolving at a brisk pace, offering various improvements over the wireless technologies and protocols. We can see this trend advancing further and may mature in about two decades from now. Looking further, in line with my blog on Human Interface Technology, even humans can remain connected, and that will render human disabilities a thing of the past century.


If you followed this year’s CES, it is evident that the future is all about connected devices. We could see everyday devices equipped with sensors and connectivity working together, understanding what we’re doing, and operating automatically to make our lives easier. Here are some real-world examples of the Internet of Things:


A smart refrigerator that can read the embedded tags on the grocery items that are stored in it and then using the supported backend platform on the cloud, identify the items and fetch its details as to date of manufacture, expiry date, quantity, etc. Thus the fridge may alert the consumers about the state and stock of such items. With the kind of wearable gadgets that we see now, these alerts can be through such devices too. It is left to your imagination to what extent this smart capability can be extended.


Medical and emergency care is another area where smart 'things' play a very useful and life-saving role. For instance, a connected car can call emergency services faster than a mobile phone. Again, with the help of embedded or worn smart gadgets, the hospital can get to know the patient's history as the patient arrives and can get ready for the emergency services, thereby saving precious time, which can be life saving. Check out this video that IBM has made describing how the Internet of Things is growing fast and could reach into the everyday life of human beings.


Extending this further to the daily routines of a business executive, the possibilities are endless and here are some that are close to reality, if not already real:

  • Once your smartphone hears a hint about a meeting in a conversation, it will look up your calendar in the background and pass on the busy / free information. If the executive wears smart glasses, he would see the schedule as he talks, which facilitates the scheduling of meetings.
  • Smart alarms will be smart enough to consider what time you went to sleep and your schedule (both personal and official) for the following day, and will intelligently decide the wake-up time in the morning and trigger the alarm.
  • Depending on the traffic conditions, your car will intelligently suggest alternate routes to reach the office or another scheduled meeting venue and, if needed, automatically inform the meeting organizers about the possible delay or seek rescheduling of the meeting.
  • As you drive back home, you just remember that you need to pick up some drugs from a drugstore. Your smart car will already know this and will identify a store that stocks the drugs you need and that is on, or close to, the route you drive. It can even place the order with the store and let the store keep your items ready for delivery, so you just need to pick them up en route.
  • Needless to say, your car will be smart enough to perform a health diagnostic of itself and will decide on the best date for its own garage visit so that your schedule is not impacted.
  • These smart things will know about your presence and which device is in touch with you to send out alerts. For example, if you are at home watching TV, you may see your TV showing alerts from your washing machine; similarly, when you are at work, your smartphone would be used to show these notifications.
  • Here are some more ways the 'Internet of Things' can impact your daily life.


Coming back to the household, you are watching your favorite action movie with surround sound and you did not change your smartphone from silent mode back to a ringing profile. You don't have to worry: your smartphone knows what you are up to and, over a period, would have learnt by itself which calls you would want to answer in this situation, and accordingly rejects the other calls by answering the caller appropriately. If it is an important call that you wouldn't want to miss, it knows that already and will tone down the TV audio volume to draw your attention to the call; you don't have to reach out for your phone, as your TV will take over the call from your smartphone. To extend this further, depending on the profiles of other members in the house, which the house already knows through its sensors and networks, your smart phone will decide whether to route the call to the TV or not.


We can now visualize the possibilities, and they are endless. The smart things will have built-in learning capability and will keep learning from their master's behavior to perfect their services. This trend will lead us to a situation where the things might, by themselves or under the influence of hackers, attempt to take over human beings as portrayed in some of the recent science fiction movies. On top of this, hackers will also be leveraging these smart abilities to hack into these connected networks and could do whatever they have been doing with the connected systems now.


Here is how the hackers can intrude into your digital lifestyle:

  • We have already seen reports of smart refrigerators sending out spam emails.
  • By hacking into your house network, hackers may get to know how many members are home, or whether there is nobody inside the home, which will be useful for them to plan their burglary attempts, etc.
  • Your TV may refuse to play your favorite channel and will rather play content that the hackers prefer you to watch.
  • Your car may drive to a place different from where you wanted to visit. On the same lines, hackers can execute traffic diversions and cause traffic jams as portrayed in the movie Die Hard 4.
  • All your orders for home supplies may be hacked and deliveries may happen elsewhere, while you would have paid for them. And of course, your house network will still acknowledge having received the deliveries when it actually has not.
  • The impact of hacking into the emergency service network could be huge and life threatening.
  • Your smartphone can be hacked to refuse critical business calls, thus causing revenue impact to your organization.


IDC anticipates that more than 200 billion connected devices will be in use by 2021, with more than 30 billion being autonomous devices. Cisco’s Internet Business Solutions Group (IBSG) predicts some 25 billion devices will be connected by 2015, and 50 billion by 2020. How will having lots of things connected change everything? Find the answer in the infographic. With all this, Internet of Things is coming and will be here to stay soon. Whether we, the humans are ready to take on this evolution remains to be seen.

Saturday, December 14, 2013

Google Chromecast - My Initial Experience

Google's Chromecast is a tiny USB-drive-like gadget which plugs into the HDMI port of your HDTV and facilitates casting media on to your HDTV. With built-in wi-fi modules, most of the HDTVs in the market today allow browsing and streaming media directly from the internet. With Chromecast, you stream movies, videos and music from Netflix, Hulu, HBO and other media sites on the internet. You can use your Android or iOS devices, or even your Windows PC or laptop, to cast and control the streams on to your TV. This blog is not to write about what it is, but to share my first experience with this cute little gadget. Check out more about the device here.

I ordered this device on ebay.in and it was delivered at my home the very next day. The pack as delivered contained the Chromecast device, HDMI extender cable, USB power cable for charging the device and a power supply. And of-course there was a small, micro-printed product information leaflet, which just contained license information, warnings, warranty and the contents in the pack. For everything else, it referred to Google Chromecast site.

The three step setup instruction as printed on the inside of the flip top of the packing read as: 1. plug it in; 2. switch input; and 3. set it up. That was pretty simple and I was curious how simple this is going to be when actually setting this up.

I just plugged the device into the HDMI port of the TV and then used the provided USB power cable to power up the device. Just in case your TV does not have USB ports, you can use the provided power supply and plug it into the mains power source. And yes, the device does need power to work; unlike USB ports, HDMI ports (per the current specification) do not offer power to the connected devices.

Upon connecting the power source, the LED on the device emitted a red light for a few seconds and turned white. In my case the second step was not necessary, as my TV smartly detected a new source on one of the HDMI ports and switched to it to receive video data. For those TVs that don't automatically switch, you need to use your TV remote to select the relevant HDMI port as the input source.

The moment my TV switched to the HDMI port on which the Chromecast is plugged in, I could see a PC-desktop-like screen on the TV with random nice background pictures, prompting me to visit the Chromecast site for setting up the device.

I however had the Chromecast app installed on my HTC One M7 device the day I ordered the device. The app, upon launch, scans the connected wi-fi network and looks for the presence of a Chromecast device. It did find the device, which had the default name "chromecast 7151" (I was offered to choose a name of my choice, but I left it at the default for now), and prompted me to set up the device. At this stage the Chromecast device is not connected to my wi-fi network. Upon detecting the device, the app on my HTC device prompted me to set it up, and at this stage my TV displayed my wi-fi network name as well.

As I moved on to the next step, my TV displayed a code 'C3W8' and the app also prompted me to verify whether it is the same code. Upon verification, I was then prompted to enter my wi-fi security passcode. At that stage, the app displayed the MAC address of the Chromecast device, which was needed in my case as I have enabled MAC filtering on my wi-fi router, and unless I add the MAC address of the Chromecast to the whitelist on my router, it won't be able to connect to the internet. I added the MAC address to the whitelist on my router and entered the passcode, but the setup did not succeed and was prompting me to check a couple of configurations on my router: 1. to enable Access Point isolation and 2. to enable uPNP or multicast.

I could not figure out the first configuration parameter on my dlink 605L wi-fi router. I could however find the uPNP setting, which I enabled, and rebooted the router. But the Chromecast device still could not connect to my wi-fi network. A quick search on Google led me to a useful page listing the known issues and workarounds for different routers. I could find my router listed therein, with a suggestion to enable another configuration parameter, 'wireless enhance mode'. Upon enabling this parameter in the router, Chromecast was able to connect to the internet and with that the setup was complete. The device immediately started downloading updates, which took a couple of minutes to complete, and then it was ready for casting.

The 'discover applications' option in the Android app listed a few applications, and the quite familiar ones are YouTube, Google Play Movies and Play Music. There were a few other apps which are for streaming the photos, videos and music stored on the device. The supported applications display a cast icon to start casting the media on to the TV. Upon casting, in the case of internet media like YouTube, the device sources the media directly from the internet through wi-fi, but at the same time you can control it using your device. Here is a screen shot of the first YouTube video I chromecasted using my HTC One Android phone. More apps would start supporting Chromecast in the future.

In case of stored media, the streaming happens through the local wi-fi network and in case of certain high resolution videos, there were pauses in between. This probably depends on the specific app that is used for such casting.

Next I tried to set it up on my Windows PC, but no, my PC is connected through a physical LAN and the Chromecast app said that I need wi-fi enabled on the PC. I then turned to my Windows 8 laptop. It was a breeze, with no hassles in setting this up on my Windows 8 laptop. The Chromecast app is just for setting up the device, and since mine was already set up I just needed the extension to be added to the Chrome browser, so that it facilitates casting a specific tab of the Chrome browser. The extension adds a little icon to the address bar which, on click, allows the casting of the browser tab. At this time I could see the YouTube and Netflix Windows apps with support for Chromecast, and a lot more Windows 8 apps may start supporting Chromecast soon. Here is how it looked when I cast a YouTube video from the Chrome browser tab.

If you were to connect the Chromecast to a different network, you have to do a Factory Reset, which can be done using the Chromecast app on the device or on the PC, and then set it up with the new network. Another great advantage is that the software gets updated automatically when Google releases updates, and more apps are coming up offering support for Chromecast.