Linux Security Good Practice

Some people say that hackers prefer to attack Windows and Mac systems because those have the most users. Is that true? I do not think so.
Every computer becomes a target as soon as you start using it. So if you are using Linux, you still need to follow good practice to protect your machine.

These are some good practices to keep your Linux system safe:
a. Keep your system up-to-date.
b. Only install software from trusted sources.
c. Use strong passwords and change them regularly.
d. Disable all services that you are not using.
e. Back up your data and system regularly.
f. Do not use the root account to log in to your machine. Use the sudo utility to act as root temporarily.

Protect yourself from phishing

Phishing is a form of electronic communication that masquerades as a trustworthy entity. Its goal is to acquire sensitive information such as passwords or credit card details. It is a psychological attack that criminals use to trick you. In the beginning they used email, but it has since evolved into message-based attacks (e.g. instant messages or social media posts).

Before they spread an attack, they prepare a system to receive responses from victims. They craft a convincing-looking message with “good” grammar, as if a reputable company were emailing its customers. Then they send it to millions of people around the world. They do not actually know who will fall victim; they simply wait for whoever clicks a malicious link, opens an infected attachment or replies.

There is another kind of phishing: spear phishing. It is the same as phishing, except that instead of sending to random recipients, the criminals send it to selected recipients. In this case they have researched whom they are targeting. If you want to know more about spear phishing, you can read this recent incident (0xHACKED: Brown University Accounts Distributing Phishing Emails).

Let’s say you have been targeted. Perhaps you wonder where they got your email address. The answer is very simple. It can come from social media such as Facebook, Twitter, Instagram, LinkedIn, etc., or you may have put it online yourself on public blogs or forums. Be aware that they have tools to crawl for this kind of information. In cyber security we call this an email scavenger: a type of web crawler that searches the Internet and collects every email address it finds posted on web pages.

Now, the big question is how to stop it. Only YOU can do that. These are the phishing indicators:

  • Is the email being sent by someone you do not know or do not work with?
    Check the “From”, “To” and “CC” addresses. Are those personal accounts on a public email service (e.g. @gmail.com, @yahoo.com, etc.)?
  • Check the greeting. Is it addressed to you, or does it say “Dear Customer”? If a trusted organization needs to contact you, it should know your name, right?
  • Be suspicious of grammar or spelling mistakes.
  • Be suspicious of any email that requires immediate action.
  • If you do not know the sender, DO NOT OPEN its attachment(s) and DO NOT CLICK any link(s). For hyperlinks, hover your mouse over the link and you will see its real destination.
  • Be suspicious of any message that sounds too good to be true. Remember, there is no free lunch.

Hope it helps you… 🙂

Secure Programming with JavaServer Pages

JavaServer Pages (JSP) is a Java technology that helps software developers create dynamic web pages based on HTML, XML or other document types. It has been widely used as a front end since its release by Sun Microsystems in 1999. It is similar to PHP, but it uses the Java language.

Our web pages play an important role in protecting the application from a malicious user who wants to exploit any vulnerability. Based on my experience, these are best practices for developing web pages with JavaServer Pages.

  • Comments
    Comments should not be wrapped in HTML comment tags (<!-- xxx -->). Use JSP comment tags (<%-- xxx --%>) instead. HTML comments are sent to the browser, while JSP comments are stripped on the server, so this prevents an attacker from viewing information left behind in the page. With that information he may understand the behaviour of our page and try to manipulate the logic behind it.
  • Hidden fields
    Avoid hidden fields where possible. Every parameter sent to the server is an entry point. We usually put “important” or “critical” values in hidden fields because the user is not supposed to see them. We assume the user does not need to know, but an attacker violates that assumption and thinks the other way around: because the field is hidden, he can alter its value with malicious data and send it on to the back-end process. Remember that some tools (e.g. Firebug) can amend HTML/JavaScript code on the fly.
  • Password fields
    Set autocomplete=off and do not use the maxlength attribute, because both help an attacker prepare his attack on the application.
  • Database connection strings and SQL statements
    Never show or put database connection strings or SQL statements in a web page. An attacker knows how to exploit them and will try to send malicious values to get confidential data. I know that some reporting applications also let the user enter SQL for self-service purposes. I think that is a bad idea.
  • Disabled buttons
    If possible, hide buttons that the user is not allowed to use; do not merely disable them, because an attacker may use a tool to change that behaviour and submit malicious requests. Remember that some tools (e.g. Firebug) can amend HTML/JavaScript code on the fly.
  • Use POST for all forms instead of GET
    POST has some advantages from a security point of view. First, the parameter name-value pairs are not displayed in the URL. Second, POST request parameters are not saved in the browser’s history.
  • All values must be validated at server side
    As I said in the previous item, we should never trust any value from the front end, because it can be tampered with in the user’s browser or at a proxy. Server-side validation is quite important to have.
  • Store JavaServer Pages in the WEB-INF directory
    JavaServer Pages usually include some business logic and authorization conditions that hide or protect parts of the page based on user roles. Those must not be exposed to an attacker. To protect them, put all JSP files under the WEB-INF directory. Remember that the WEB-INF directory is not directly accessible by external users.
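As an added example that is not from the original post, here is a servlet applying the last four rules together: it only changes state on POST, re-validates every parameter (including the hidden orderId) against a whitelist on the server, decides authorization from the session rather than from any hidden or disabled control, and forwards to a JSP kept under WEB-INF. The servlet name, the parameter names, the /WEB-INF/jsp/order.jsp path and the in-memory maps are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class OrderServlet extends HttpServlet {
    // Constructed sample data standing in for a database: orderId -> owner.
    private static final Map<String, String> OWNERS = new ConcurrentHashMap<>(Map.of("1001", "alice"));
    private static final Map<String, Integer> QUANTITY = new ConcurrentHashMap<>();
    // Whitelist patterns applied to every parameter, hidden field included.
    private static final Pattern ORDER_ID = Pattern.compile("[0-9]{1,10}");
    private static final Pattern QTY = Pattern.compile("[1-9][0-9]{0,2}");
    private static final String VIEW = "/WEB-INF/jsp/order.jsp"; // under WEB-INF: reachable only by forward

    // GET only renders the form; state changes need POST, so parameters never sit in the URL or history.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.getRequestDispatcher(VIEW).forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String orderId = req.getParameter("orderId"); // a hidden field in the form
        String qty = req.getParameter("qty");
        if (!matches(ORDER_ID, orderId) || !matches(QTY, qty)) {
            // Reject; a value altered in the browser or at a proxy lands here.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid input");
            return;
        }
        // Authorization is decided here from the session, never from a hidden or disabled control.
        Object user = req.getSession().getAttribute("user");
        if (user == null || !user.equals(OWNERS.get(orderId))) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        QUANTITY.put(orderId, Integer.parseInt(qty));
        req.setAttribute("message", "Order " + orderId + " updated");
        req.getRequestDispatcher(VIEW).forward(req, resp);
    }

    static boolean matches(Pattern p, String v) {
        return v != null && p.matcher(v).matches();
    }
}
```

The JSP under WEB-INF should itself carry no SQL or connection string and use JSP comments only; everything it renders comes from the attributes this servlet sets.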