Sunday, July 30, 2017

Bandit: walking through OverTheWire levels 0-10


OverTheWire's Bandit works like the site's other wargames: you walk through from level 0 up to level 26, each level giving the password for the next. This game has been developed for beginners learning Linux commands. It is a war game.

First, to walk through the levels you have to download PuTTY. Use this link to download it:
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
Download the .exe file and open PuTTY.

Let's play it....
http://overthewire.org/wargames/bandit/

Use the provided host name and the port number to open the terminal.


Level 0

For level 0, log in as the Bandit user with the username and password given on the site.

Level 0 - Level 1

The password for level 1 is in the readme file in the home directory. Use the cat command to read it, then use that password to log in to level 1.




Level 1 - Level 2

The password is stored in a file named - in the home directory. A bare - is treated as standard input, so to read the file put < (input redirection) after the cat command: cat < -



Level 2 - Level 3

In this level the password for the next level is stored in a file whose name contains spaces: 'spaces in this filename'.
If we use the cat command on this file as written,
cat spaces in this filename
the command line treats it as 4 file names (spaces, in, this, filename) and cat gives an error. In Linux, to avoid that error and say that the space is part of the name, put '\' before each space:

cat spaces\ in\ this\ filename


Level 3 - Level 4

In level 3 the password for level 4 is stored inside a hidden file in the directory called inhere.
The ls -a command lists the hidden files inside a directory as well.


       
Level 4 - Level 5

To get the password for level 5 we have to read the only human-readable file.
Use the file command on all the files inside the inhere directory. File 07 is reported as text data, so it is the file we need to read.




Level 5 - Level 6

Use the find command with the file properties given in the level description to locate the file.



Level 6 - Level 7

In this level too the find command can be used to locate the file from the given properties, but for some directories the result was permission denied.
With ls -a the hidden file can be identified,
then the bandit7.password file can be read with the cat command.




Level 7 - Level 8

There is a file called data.txt in which the password is stored next to the word millionth.
The output can be filtered with the grep command.
With the pipe operator the output of one command is passed as the input of the next, so the grep output can be fed on to cat.



Level 8 - Level 9

The password is stored in the data.txt file and is the only line of text that does not repeat, so the unique line has to be found.
The uniq command finds lines that occur only once; since it compares adjacent lines, sort the file first and pipe the result into uniq.



Level 9 - Level 10

The level says that the password is next to an '=' sign. Pipe the output of strings and grep together so that only the printable strings containing '=' are shown.
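The command patterns from levels 1 to 9, replayed against a throwaway sandbox as an added example (this is not code from the post or from OverTheWire): it creates files with the same awkward properties the levels describe, then runs the exact shell commands through Python so the outputs can be checked. Assumed here: a size of 33 bytes as the find criterion, made-up file contents in place of the real passwords, and Python stand-ins when file(1) or strings(1) are not installed.

```python
# Added example, not from the original post: a throwaway sandbox that reproduces
# the file layouts Bandit levels 1-9 describe, so the exact shell commands can be
# practised offline. Every file name and content below is constructed; the game's
# real passwords are not reproduced. Assumptions: the level-5 file is picked by a
# size of 33 bytes, and file(1)/strings(1) may be missing, so Python stand-ins exist.
import atexit
import os
import re
import shutil
import subprocess
import tempfile

WORK = tempfile.mkdtemp(prefix="bandit-sandbox-")
atexit.register(shutil.rmtree, WORK, ignore_errors=True)


def _write(relpath, data):
    full = os.path.join(WORK, relpath)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


# Level 1-2: a file literally named "-" (a bare `cat -` would read stdin)
_write("-", b"pw-level2\n")
# Level 2-3: spaces in the file name
_write("spaces in this filename", b"pw-level3\n")
# Level 3-4: a hidden (dot) file inside inhere/
_write("inhere/.hidden", b"pw-level4\n")
# Level 4-5: the only human-readable file among binary ones
_write("inhere2/-file00", bytes(range(0, 8)) * 5)
_write("inhere2/-file07", b"pw-level5\n")
# Level 5-6: the wanted file is identified by an exact size (33 bytes here)
_write("deeper/a/.file1", b"not this one\n")
_write("deeper/b/.file2", b"pw6-" + b"0" * 28 + b"\n")  # 4 + 28 + 1 = 33 bytes
# Level 7-8: the password sits next to the word "millionth"
_write("data.txt", b"thousand pw-wrong\nmillionth pw-level8\nbillion pw-wrong\n")
# Level 8-9: the password is the only line that does not repeat
_write("data2.txt", b"dup1\npw-level9\ndup2\ndup1\ndup2\n")
# Level 9-10: readable text next to '=' buried in binary junk
_write("data3.txt", b"\x01\xff\x02garbage\x03\n========== pw-level10\n\x04\x05\x06\n")


def sh(command):
    """Run one shell command inside the sandbox and return its stripped stdout."""
    done = subprocess.run(command, shell=True, cwd=WORK, capture_output=True, text=True)
    return done.stdout.strip()


def level2():
    return sh("cat < -")  # redirection makes "-" a path; `cat ./-` also works


def level3():
    return sh("cat spaces\\ in\\ this\\ filename")  # shell sees: cat spaces\ in\ this\ filename


def level4():
    return sh("ls -a inhere")  # dot files only appear with -a


def level4_pw():
    return sh("cat inhere/.hidden")


def level5():
    """Name of the one text file, as `file ./inhere2/*` reports it (Python stand-in if file(1) is absent)."""
    if shutil.which("file"):
        line = sh("file ./inhere2/* | grep text")
        return os.path.basename(line.split(":")[0])
    for name in sorted(os.listdir(os.path.join(WORK, "inhere2"))):
        with open(os.path.join(WORK, "inhere2", name), "rb") as fh:
            if all(32 <= b < 127 or b in (9, 10, 13) for b in fh.read()):
                return name
    return ""


def level6():
    # In the real game find walks directories you cannot read; 2>/dev/null hides those errors
    return sh('cat "$(find deeper -type f -size 33c 2>/dev/null)"')


def level8():
    return sh("grep millionth data.txt | cut -d' ' -f2")  # the word next to "millionth"


def level9():
    return sh("sort data2.txt | uniq -u")  # uniq only compares adjacent lines, so sort first


def level10():
    if shutil.which("strings"):
        return sh("strings data3.txt | grep =")
    # stand-in for strings(1): runs of four or more printable ASCII bytes
    with open(os.path.join(WORK, "data3.txt"), "rb") as fh:
        runs = re.findall(rb"[\x20-\x7e]{4,}", fh.read())
    return "\n".join(r.decode() for r in runs if b"=" in r)


if __name__ == "__main__":
    for fn in (level2, level3, level4, level4_pw, level5, level6, level8, level9, level10):
        print(f"{fn.__name__:10s} -> {fn()!r}")
```

Each function holds the one command the level is about, so the script doubles as a cheat sheet of the syntax: input redirection for the dash file, backslash escaping for spaces, ls -a for dot files, find -size with a byte suffix, and sort before uniq.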



Wednesday, July 26, 2017

OAuth in Facebook application

OAuth???


 OAuth (Open Authorization) is an open standard for token-based authentication and authorization on the Internet. OAuth, which is pronounced "oh-auth," allows an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password. OAuth acts as an intermediary on behalf of the end user, providing the service with an access token that authorizes specific account information to be shared. The process for obtaining the token is called a flow.

Facebook OAuth-authentication flow




1. On accessing a URL or on the welcome page, the Facebook Login button is shown and the user clicks it to log in to the Java web application. On click of that button a Facebook URL is invoked.

2. Facebook validates the application ID and then redirects to its login page.

3. The user enters the FB login credentials and submits the form.

4. Facebook validates the credentials and then redirects back to the browser with a request to forward to the redirect_url. The redirect_url is the URL in our application which takes care of further processing.

5. The browser calls the redirect_url.

6. The redirect_url page calls Facebook again to request an access_token.

7. On validation success, Facebook responds with the access_token.

8. The redirect_url page calls Facebook again to request user data, sending the access_token.

9. After validating the access_token, Facebook responds with the user data requested.

10. The redirect_url page forwards to a page showing the user data in the client browser.
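The ten steps above, run end to end in one process as an added example (this is not code from the post or from Facebook): FacebookStub stands in for Facebook's authorization and user-data endpoints, WebApp for the Java web application, and every app id, secret, URL and user record in it is made up. The state value is an addition beyond the text: it ties the redirect in step 5 back to the browser session that clicked the button in step 1, so a redirect that was not started by that session is rejected.

```python
# Added example, not from the post or from Facebook: the ten steps above run end
# to end in one process. FacebookStub stands in for Facebook, WebApp for the Java
# web application; every id, secret, URL and user below is made up. The `state`
# value is an addition beyond the text: it ties the redirect back to the browser
# session that clicked the login button.
import secrets


class FacebookStub:
    def __init__(self):
        self.apps = {}    # client_id -> (client_secret, registered redirect_url)
        self.codes = {}   # one-time code -> (client_id, redirect_url, user)
        self.tokens = {}  # access_token -> user record

    def register_app(self, client_id, client_secret, redirect_url):
        self.apps[client_id] = (client_secret, redirect_url)

    def authorize(self, client_id, redirect_url, state, user):
        """Steps 2-4: check the app id and redirect_url, "log the user in",
        and send the browser back to redirect_url with a short-lived code."""
        if client_id not in self.apps or self.apps[client_id][1] != redirect_url:
            raise PermissionError("unknown app or unregistered redirect_url")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_url, user)
        return f"{redirect_url}?code={code}&state={state}"

    def exchange_code(self, code, client_id, client_secret, redirect_url):
        """Steps 6-7: the code is single-use and only the app's back end knows the secret."""
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_url:
            raise PermissionError("invalid, reused or mismatched code")
        if self.apps[client_id][0] != client_secret:
            raise PermissionError("bad client_secret")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = entry[2]
        return token

    def user_data(self, access_token):
        """Steps 8-9: hand out the user record only for a token issued above."""
        if access_token not in self.tokens:
            raise PermissionError("invalid access_token")
        return dict(self.tokens[access_token])


class WebApp:
    def __init__(self, fb, client_id, client_secret, redirect_url):
        self.fb = fb
        self.client_id, self.client_secret, self.redirect_url = client_id, client_secret, redirect_url
        self.sessions = {}  # browser session id -> state expected on the callback

    def login_button(self, session_id):
        """Step 1: the parameters the button puts in the Facebook URL."""
        state = secrets.token_urlsafe(8)
        self.sessions[session_id] = state
        return {"client_id": self.client_id, "redirect_url": self.redirect_url, "state": state}

    def callback(self, session_id, redirected_url):
        """Steps 5-10: the browser arrives at redirect_url; swap code for token, token for data."""
        query = redirected_url.split("?", 1)[1]
        params = dict(kv.split("=", 1) for kv in query.split("&"))
        if params.get("state") != self.sessions.pop(session_id, None):
            raise PermissionError("state mismatch: this session did not start the login")
        token = self.fb.exchange_code(params["code"], self.client_id, self.client_secret, self.redirect_url)
        return self.fb.user_data(token)


REDIRECT_URL = "https://app.example/fb/callback"  # made-up redirect_url


def build_pair():
    fb = FacebookStub()
    fb.register_app("app-123", "s3cret", REDIRECT_URL)
    return fb, WebApp(fb, "app-123", "s3cret", REDIRECT_URL)


def run_flow(user):
    """One complete login; returns the user data the final page would show."""
    fb, app = build_pair()
    req = app.login_button("browser-1")                                                  # step 1
    redirected = fb.authorize(req["client_id"], req["redirect_url"], req["state"], user)  # steps 2-4
    return app.callback("browser-1", redirected)                                          # steps 5-10


def misuse_is_rejected():
    """Two checks behind the steps: redirect_url must be registered, and a code is single-use."""
    fb, app = build_pair()
    results = {}
    try:
        fb.authorize("app-123", "https://other.example/cb", "st", {"id": "1"})
        results["unregistered_redirect"] = False
    except PermissionError:
        results["unregistered_redirect"] = True
    req = app.login_button("browser-2")
    redirected = fb.authorize(req["client_id"], req["redirect_url"], req["state"], {"id": "1"})
    app.callback("browser-2", redirected)  # first exchange succeeds
    code = redirected.split("code=")[1].split("&")[0]
    try:
        fb.exchange_code(code, "app-123", "s3cret", REDIRECT_URL)
        results["reused_code"] = False
    except PermissionError:
        results["reused_code"] = True
    return results


if __name__ == "__main__":
    print(run_flow({"id": "42", "name": "Alice"}))
    print(misuse_is_rejected())
```

The points worth noticing are which party holds what: the browser only ever sees the code and the state, the client_secret stays on the application's server side (steps 6-7), and the access_token is what finally unlocks the user data (steps 8-9).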


Monday, July 24, 2017

Phishing

Grabbing sensitive data





Phishing is a fraudulent attempt, usually made through an email or message containing a URL, to steal your personal information. The best way to protect yourself from phishing is to learn how to recognize a phish. Phishing requests come from a third party who poses as a well-known organization and asks you to enter personal information such as a username, password or bank account number to log in to a particular site.

It is easy to create a phishing site. 

step 1

Go to the website whose username and password you want to capture, right-click, and save the web page as a .html file inside the www folder of the WAMP server.



Step 2

Change the URL in the action attribute of the form tag to the PHP file in which the code for capturing the data is written.




Step 3

Then write the PHP code to capture the data, save the captured data to a separate file and redirect the visitor to some other web page.




Here you can find out how to code the PHP file and how it works:

https://github.com/tharushi-pushpakumara/phishing




How to stay safe from phishing sites?

To avoid phishing attacks, double-check the URL before entering sensitive data such as usernames, passwords and credit card details.
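The check behind that advice, as an added example that is not part of the post: given the site the user believes they are on, it accepts only an https URL whose host is that site or one of its subdomains, and it rejects the usual ways a copied login page is dressed up to look right. The sample URLs are constructed and use reserved example domains.

```python
# Added example, not from the post: a check behind the "double-check the URL" advice.
# expected_host is the site the user believes they are on; the sample URLs are
# constructed and use reserved example domains.
from urllib.parse import urlsplit


def is_expected_site(url: str, expected_host: str) -> bool:
    """True only if url is https and its host is expected_host or a subdomain of it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_host.lower().rstrip(".")
    if parts.scheme != "https":
        return False  # a login form should never be served over plain http
    return host == expected or host.endswith("." + expected)


# Constructed samples of what a user might see in the address bar
SAMPLES = {
    "https://www.facebook.com/login": True,
    "https://facebook.com.account-check.example/login": False,  # real name is only a prefix
    "https://account-check.example/facebook.com/login.html": False,  # real name is in the path
    "https://facebook.com@account-check.example/login": False,  # real name is in the userinfo
    "http://www.facebook.com/login": False,  # no https
    "https://faceb00k.com/login": False,  # look-alike spelling
}


def classify(urls, expected_host="facebook.com"):
    return {url: is_expected_site(url, expected_host) for url in urls}


if __name__ == "__main__":
    for url, verdict in classify(SAMPLES).items():
        print("ok " if verdict else "NO ", url)
```

The function only answers "is this the site I meant?"; it cannot guess what the user meant, which is why the advice is to look at the address bar yourself before typing a password.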







Thursday, July 20, 2017

Health Insurance Portability and Accountability

A DEFINITION OF HIPAA COMPLIANCE


The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA Compliance. Other entities, such as subcontractors and any other related business associates must also be in compliance.


THE HIPAA PRIVACY AND HIPAA SECURITY RULES


According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. Additionally, the Security Rule establishes a national set of security standards for protecting specific health information that is held or transferred in electronic form. The Security Rule operationalizes the Privacy Rule’s protections by addressing the technical and nontechnical safeguards that covered entities must put in place to secure individuals’ electronic PHI (e-PHI). Within HHS, the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

THE NEED FOR HIPAA COMPLIANCE


As HHS points out, as health care providers and other entities dealing with PHI move to computerized operations, including computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems, HIPAA compliance is more important than ever. Similarly, health plans provide access to claims as well as care management and self-service applications. While all of these electronic methods provide increased efficiency and mobility, they also drastically increase the security risks facing healthcare data. The Security Rule is in place to protect the privacy of individuals’ health information, while at the same time allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The Security Rule, by design, is flexible enough to allow a covered entity to implement policies, procedures, and technologies that are suited to the entity’s size, organizational structure, and risks to patients’ and consumers’ e-PHI.

PHYSICAL AND TECHNICAL SAFEGUARDS, POLICIES, AND HIPAA COMPLIANCE


The HHS requires physical and technical safeguards for organizations hosting sensitive patient data. These physical safeguards include…

Limited facility access and control with authorized access in place
Policies about use and access to workstations and electronic media
Restrictions for transferring, removing, disposing, and re-using electronic media and ePHI
Along the same lines, the technical safeguards of HIPAA require access control allowing only for authorized personnel to access ePHI. Access control includes…

Using unique user IDs, emergency access procedures, automatic log off, and encryption and decryption
Audit reports or tracking logs that record activity on hardware and software
Other technical policies for HIPAA compliance need to cover integrity controls, or measures put in place to confirm that ePHI is not altered or destroyed. IT disaster recovery and offsite backup are key components that ensure that electronic media errors and failures are quickly remedied so that patient health information is recovered accurately and intact. One final technical safeguard is network, or transmission security that ensures HIPAA compliant hosts protect against unauthorized access to ePHI. This safeguard addresses all methods of data transmission, including email, internet, or private network, such as a private cloud.

To help ensure HIPAA compliance, the U.S. government passed a supplemental act, The Health Information Technology for Economic and Clinical Health (HITECH) Act, which raises penalties for health organizations that violate HIPAA Privacy and Security Rules. The HITECH Act was put into place due to the development of health technology and the increased use, storage, and transmission of electronic health information.

DATA PROTECTION FOR HEALTHCARE ORGANIZATIONS AND MEETING HIPAA COMPLIANCE


Clearly, the need for data security has grown as the proliferation of electronic patient data grows. High-quality care today requires healthcare organizations to meet the accelerated demand for data; yet, they must ensure HIPAA compliance and protect PHI. Make sure that you have a data protection strategy in place that allows your organization to:

Ensure the security and availability of PHI to maintain the trust of practitioners and patients
Meet HIPAA and HITECH regulations for access, audit, and integrity controls as well as for data transmission and device security
Maintain greater visibility and control of sensitive data throughout the organization
The best data protection solutions recognize and protect patient data in all forms, including structured and unstructured data, emails, documents, and scans, while allowing healthcare providers to share data securely to ensure the best possible patient care. Patients entrust their health care to your organization; you need to take care of their protected health information as well.

Saturday, July 15, 2017

How did the Enigma machine work?



Like all the best cryptography, the Enigma machine is simple to describe, but infuriating to break.

Straddling the border between mechanical and electrical, Enigma looked from the outside like an oversize typewriter. Enter the first letter of your message on the keyboard and a letter lights up showing what it has replaced within the encrypted message. At the other end, the process is the same: type in the “ciphertext” and the letters which light are the decoded missive.

Inside the box, the system is built around three physical rotors. Each takes in a letter and outputs it as a different one. That letter passes through all three rotors, bounces off a “reflector” at the end, and passes back through all three rotors in the other direction.

The board lights up to show the encrypted output, and the first of the three rotors clicks round one position – changing the output even if the second letter input is the same as the first one.

When the first rotor has turned through all 26 positions, the second rotor clicks round, and when that’s made it round all the way, the third does the same, leading to more than 17,000 different combinations before the encryption process repeats itself. Adding to the scrambling was a plugboard, sitting between the main rotors and the input and output, which swapped pairs of letters. In the earliest machines, up to six pairs could be swapped in that way; later models pushed it to 10, and added a fourth rotor.

Despite the complexity, all the operators needed was information about the starting position, and order, of the three rotors, plus the positions of the plugs in the board. From there, decoding is as simple as typing the ciphertext back into the machine. Thanks to the reflector, decoding was the same as encoding the text, but in reverse.

But that reflector also led to the flaw in Enigma, and the basis on which all codebreaking efforts were founded: no letter would ever be encoded as itself. With that knowledge, as well as an educated guess at what might be encrypted in some of the messages (common phrases included “Keine besonderen Ereignisse”, or “nothing to report” and “An die Gruppe”, or “to the group”), it was possible to eliminate thousands of potential rotor positions.
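A minimal simulator of the machine just described, as an added example not taken from the article: it implements the three rotors with their turnover notches, the reflector and the plugboard, using the published Enigma I wirings for rotors I, II and III and reflector B (ring settings are left at A for brevity). It shows the stepping, that encryption and decryption are the same operation, and the reflector's side effect that no letter ever encrypts to itself.

```python
# Added example, not from the article: a minimal three-rotor Enigma simulator using
# the published Enigma I wirings for rotors I-III and reflector B, with ring settings
# fixed at A. It demonstrates the stepping, the reflector making the cipher its own
# inverse, and the consequence that no letter ever encrypts to itself.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
ROTORS = {  # wiring, turnover notch
    "I": ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II": ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


class Rotor:
    def __init__(self, wiring, notch, position):
        self.fwd = [ALPHABET.index(c) for c in wiring]
        self.bwd = [0] * 26
        for i, o in enumerate(self.fwd):
            self.bwd[o] = i
        self.notch = ALPHABET.index(notch)
        self.pos = ALPHABET.index(position)

    def at_notch(self):
        return self.pos == self.notch

    def step(self):
        self.pos = (self.pos + 1) % 26

    def forward(self, c):  # signal travelling from the keyboard towards the reflector
        return (self.fwd[(c + self.pos) % 26] - self.pos) % 26

    def backward(self, c):  # signal returning from the reflector to the lamps
        return (self.bwd[(c + self.pos) % 26] - self.pos) % 26


class Enigma:
    def __init__(self, rotor_names=("I", "II", "III"), positions="AAA", plugboard=()):
        # rotors are listed left to right; the current enters at the rightmost rotor
        self.rotors = [Rotor(*ROTORS[n], p) for n, p in zip(rotor_names, positions)]
        self.reflector = [ALPHABET.index(c) for c in REFLECTOR_B]
        self.plug = list(range(26))
        for a, b in plugboard:  # each pair such as ("A", "M") swaps two letters
            ia, ib = ALPHABET.index(a), ALPHABET.index(b)
            self.plug[ia], self.plug[ib] = ib, ia

    def _step(self):
        # the right rotor steps on every key press; the middle one when the right is at
        # its notch; the left one (and the middle again, the "double step") when the
        # middle is at its notch
        left, middle, right = self.rotors
        step_middle = right.at_notch() or middle.at_notch()
        step_left = middle.at_notch()
        right.step()
        if step_middle:
            middle.step()
        if step_left:
            left.step()

    def _press(self, ch):
        self._step()  # rotors move before the current flows
        c = self.plug[ALPHABET.index(ch)]
        for rotor in reversed(self.rotors):
            c = rotor.forward(c)
        c = self.reflector[c]
        for rotor in self.rotors:
            c = rotor.backward(c)
        return ALPHABET[self.plug[c]]

    def process(self, text):
        """Encrypt or decrypt: with the same start settings the operation is identical."""
        return "".join(self._press(ch) for ch in text.upper() if ch in ALPHABET)


def self_encryptions(positions="AAA", plugboard=()):
    """Count letters a fresh machine maps to themselves; the reflector makes this 0."""
    return sum(Enigma(positions=positions, plugboard=plugboard).process(ch) == ch for ch in ALPHABET)


def roundtrip(text, positions="AAA", plugboard=(("A", "M"), ("T", "Z"))):
    """Encrypt, then decrypt with a second machine on the same settings."""
    cipher = Enigma(positions=positions, plugboard=plugboard).process(text)
    plain = Enigma(positions=positions, plugboard=plugboard).process(cipher)
    return cipher, plain


if __name__ == "__main__":
    print(Enigma().process("AAAAA"))  # the classic check value for this setup is BDZGO
    print(roundtrip("Keine besonderen Ereignisse"))
    print("letters encrypted to themselves:", self_encryptions())
```

Two things are easy to confirm with it: the same letter typed twice lights different lamps because the right rotor has moved in between, and a crib such as "Keine besonderen Ereignisse" can be slid along a ciphertext and rejected at every offset where any plaintext letter lines up with an identical ciphertext letter, which is the elimination the article describes.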

Eventually, the team at Bletchley Park built a machine, the Bombe, which could handle that logical analysis. But the final steps were always performed manually: the job of the Bombe was merely to reduce the number of combinations that the cryptanalysts had to examine.

Even as the Allied code-breaking team were working on Enigma, the Axis was improving its machines, adding more and different rotors, and minimising operator error. Eventually, the Enigma was superseded by the Lorenz. These required yet more codebreaking in Britain, and more automation to do it – leading to the production of Colossus, the world’s first digital programmable computer.

Sunday, July 9, 2017

Internet of Things (IoT)




The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

There is a lot of fear, uncertainty and doubt generated from IoT security issues. "Some organizations have been embracing this technology, saying, 'What can I do next from a business standpoint?' But there are controls that have been either bypassed, or for whatever reasons, missed during the product release cycle."

A look at recent news stories can reveal just how far hackers are able to go if they manage to exploit IoT security issues. One IoT exploit example includes a smart refrigerator hack. "What we've seen from the cybercriminal ecosystem is [hackers] want the data that is used on the refrigerator." Hackers don't care about using a smart fridge as a means of a DDoS attack, but target the user information contained on the fridge itself.

One of the most prominent IoT security issues is the problem with individuals using the same login credentials for everything. "My experience has been that most individuals use the same user ID and password for multiple websites. Because of that, most individuals would then use the same user ID and password on their IoT devices or their appliances."

1. Securing the Device

Gemalto's embedded software and hardware solutions for consumer electronics and M2M help Original Equipment Manufacturers (OEMs) and Mobile Network Operators (MNOs) overcome security challenges:
M2M-optimised SIM and embedded SIM (eUICC): both tamper-resistant environments represent a strong authentication token for cellular applications. They encrypt and authenticate data and securely identify devices on global mobile networks.
Cinterion Secure Element: the hardware component, embedded in devices, provides the maximum level of protection at the edge, for the most critical IoT applications. Its tamper-proof environment works as a 'safe' for secure storage of encryption keys and security credentials. Embedded cryptographic tools ensure high personalization to the IoT object, giving it a strong identity and solid device authentication on networks.
SafeNet Hardware Security Modules (HSMs): HSMs excel in safeguarding the most sensitive IoT devices' keys which are centrally stored (on servers or other systems). The hardened, tamper-resistant environment acts as a trust anchor to protect the cryptographic infrastructure of some of the most security-conscious organizations in the world.
Trusted Key Manager: the new solution authenticates IoT devices and secures data exchanges on both cellular and non-cellular networks, such as LoRa, preventing unauthorized devices and IoT players from joining the network. It enables strong digital security through a simple and trustful mechanism of secure key provisioning, remote credential activation and lifecycle management.
IP Protection: we protect the intellectual property of embedded software applications and data files, preventing reverse engineering or tampering.

2. Securing the Cloud

Some major forms of threat come from the enterprise or cloud environment that smart devices are connected to. Gemalto solutions for data encryption and cloud security provide a comprehensive portfolio for cloud service providers and enterprises to secure their enterprise and cloud assets. Our cloud-based licensing and entitlement solution helps technology companies leverage the full potential of the cloud environment, ensuring their intellectual property is secured.

3. IoT Security Life cycle Management

Often overlooked, managing the life cycle of security components across the device and cloud spectrum is a critical element for a robust and long-term digital security strategy. Security is not a one-off activity, but an evolving part of the IoT ecosystem.
Adding new devices, end-of-life device decommissioning, device integration with a new cloud ecosystem, managing secure firmware/software downloads - all these activities necessitate comprehensive management of identities, keys and tokens. Gemalto provides solutions to build a sustainable security lifecycle management infrastructure, to address current and future security threats:
Identity & access management,
Crypto management,
Trusted Services Hub: the hub acts as a central interconnection platform, allowing the secure deployment of new services and security updates towards IoT things already in the field, for complex ecosystems involving many stakeholders.

Wednesday, July 5, 2017

What is Cyber Security



In cyber security we are concerned with 3 major topics, known as the CIA triad:


  1. Confidentiality
  2. Integrity
  3. Availability

Confidentiality



Simply put, it is the privacy of the message. When a message is sent through a wireless communication medium there can be an intruder who looks into the content of the message; the content is then exposed to that third party. Confidentiality means we should be able to ensure that the content of the message is known only to the sender and the receiver.


Integrity


If a message has integrity, that means no one has modified it in transit. There are several methods, such as hashing, to ensure the integrity of a message.
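How hashing is used for that check, as an added example that is not part of the post: a plain SHA-256 digest lets the receiver notice a changed message, but an intruder who can rewrite the message in transit can rewrite the digest too, so a keyed hash (HMAC) with a key shared by sender and receiver is what actually pins the message down. The key and the messages are constructed.

```python
# Added example, not from the post: integrity checks with SHA-256 and with HMAC.
# The key and the messages are constructed for the demonstration.
import hashlib
import hmac


def digest(message: bytes) -> str:
    """Plain hash: detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def tag(key: bytes, message: bytes) -> str:
    """HMAC: only holders of the shared key can produce a valid tag."""
    return hmac.new(key, message, "sha256").hexdigest()


def verify_digest(message: bytes, expected: str) -> bool:
    return hmac.compare_digest(digest(message), expected)  # constant-time comparison


def verify_tag(key: bytes, message: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(key, message), expected)


def demo():
    key = b"shared-secret-known-to-sender-and-receiver"  # constructed
    original = b"transfer 100 to account 42"
    tampered = b"transfer 900 to account 42"
    sent_digest, sent_tag = digest(original), tag(key, original)
    return {
        # the receiver notices the change if the digest itself travelled untouched
        "hash_detects_change": not verify_digest(tampered, sent_digest),
        # ...but an intruder who rewrites the message can rewrite the digest too
        "hash_can_be_replaced": verify_digest(tampered, digest(tampered)),
        # with HMAC the intruder cannot produce a valid tag without the key
        "hmac_detects_change": not verify_tag(key, tampered, sent_tag),
        "hmac_needs_key": not verify_tag(key, tampered, tag(b"wrong-key", tampered)),
        "hmac_accepts_untouched": verify_tag(key, original, sent_tag),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:24s} {ok}")
```

Every entry in the dictionary demo() returns is expected to be True; the second one is the reason a bare hash protects against noise on the wire but not against the intruder of the previous section.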


Availability


Availability is a main concern for a website or a database: it should be accessible at any time, because an intruder may try to bring down the database or the server on which the site is hosted.

Cross Site Request Forgery Protection with Double Submit Cookies Patterns

When a user authenticates to a site, the site should generate a (cryptographically strong) pseudo-random value and set it as a cookie on the...