Monday, October 5, 2015

Voice Biometrics: Advantages and Disadvantages

Advantages:

Less prone to compromise: Unlike PIN/password stores, which get compromised, stolen and replayed, a stolen voiceprint cannot be replayed. A compromised voiceprint is therefore unusable for account access.
Anti-reversing: A voiceprint is a hashed string of numbers and characters that represents how a specific individual's voice rates on the many characteristics being measured. It is not possible to reverse-engineer it to recover someone's voice.
Proactive detection of known fraudsters: Each time a fraudster speaks within an IVR or to a contact-center agent, the fraudster leaves his/her voiceprint behind, in the same way that our fingers leave fingerprints when we touch an object. This enables an organization to create and store voiceprints of known fraudsters.
Non-guessable: A voice is unique to the individual. Unlike PINs or passwords, it cannot be guessed.
Cost-effective: The cost of implementation is low because no special hardware is required. A simple telephone or microphone is all a user needs to authenticate with her voice. Other biometric methods, such as fingerprint and retinal scans, require special devices.
Ease of use: Most important to the future of voice biometrics is that it is the only biometric that allows users to authenticate remotely.
Quick enrollment: Enrolling in a voice authentication system is quick. The user is asked to speak a certain set of words or phrases, or to speak for a certain length of time.
Fast: Authentication is very fast; it can be completed in 0.5 seconds.
Small storage size: Another advantage is that the stored voiceprint is small.

Disadvantages:

Relatively low security: The biggest disadvantage is the replay attack. Attackers may try to gain unauthorized access to a voice-authenticated system by playing back a pre-recorded voice sample from an authorized user. Proper anti-replay/anti-spoofing measures need to be implemented.

Lower accuracy: Changes in a person's voice, differences in the speaking instrument (handset, microphone), etc. can affect recognition. By comparison, other forms of biometrics such as retinal or fingerprint scans are more accurate and less prone to change.

Wednesday, September 16, 2015

For non-proxy aware clients

Monday, August 10, 2015

Implementing HSTS

Everyone knows what HSTS (HTTP Strict Transport Security) does: it instructs the browser to load a website over HTTPS no matter what. The website cannot be loaded over plain http. When you hit a website, e.g. , the server returns a ‘Strict-Transport-Security’ header that tells the browser that from now on the website must be loaded over https.
We know the issue with redirecting a site from http to https: a 301/302 redirect sends the browser to the secure scheme, loading the https URL when the user hits the http one. The problem is that the response to that first request, which is made over http, can be modified and its contents replaced with phishing content. Still, a large number of websites do this redirection; one classic example is American Express. When you try to access it over http for the first time, it redirects you to the https URL:

The website first loads over http, then makes a 301 redirect and loads again over https. The picture below makes it clearer:

Now let's examine another website (Facebook). Try accessing it over http and it loads over https. But there is a difference here: instead of a 301/302 redirect from the server, you see a 307 redirect, which is an internal redirect:

The 307 is produced by the browser itself, before anything is sent: the browser does not make the first request over http at all but makes it over https straight away. It refuses to make any connection over the insecure http protocol. Let's examine the response:

You can see the HSTS header in the response:

All sites that need to be loaded over https by default must be submitted to the preload list site. This list is maintained by Chrome and contains the domains that must be loaded over https by default. That means that when the browser ships, your site is already on the list of domains for which https is the default, even on the very first visit.
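The behaviour described above, modelled as an added example (not code from the original post): a browser-side HSTS cache fed by the Strict-Transport-Security header, and the decision that turns a typed http:// URL into the internal 307 to https. Host names, header values and the preload set are constructed for illustration.

```javascript
// Added example, not code from the original post: a small model of how a
// browser applies Strict-Transport-Security. Host names, header values and
// the preload set are constructed for illustration.

// Parse e.g. "max-age=31536000; includeSubDomains; preload". Directive names
// are case-insensitive; a header without a valid max-age must be ignored.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const directive of headerValue.split(';')) {
    const [name, value] = directive.trim().toLowerCase().split('=').map((s) => s.trim());
    if (name === 'max-age') policy.maxAge = Number(value);
    else if (name === 'includesubdomains') policy.includeSubDomains = true;
    else if (name === 'preload') policy.preload = true;
  }
  return Number.isInteger(policy.maxAge) && policy.maxAge >= 0 ? policy : null;
}

// Record a policy in the browser's HSTS cache (host -> expiry, includeSubDomains).
// The header only counts when it arrived over https; max-age=0 forgets the host.
function rememberHsts(cache, host, headerValue, receivedOverHttps, now = Date.now()) {
  if (!receivedOverHttps) return false;
  const policy = parseHsts(headerValue);
  if (!policy) return false;
  if (policy.maxAge === 0) { cache.delete(host); return true; }
  cache.set(host, { expires: now + policy.maxAge * 1000, includeSubDomains: policy.includeSubDomains });
  return true;
}

// Does a cached, unexpired policy cover this host (directly or via includeSubDomains)?
function hstsApplies(cache, host, now = Date.now()) {
  const labels = host.split('.');
  for (let i = 0; i < labels.length; i++) {
    const entry = cache.get(labels.slice(i).join('.'));
    if (entry && entry.expires > now && (i === 0 || entry.includeSubDomains)) return true;
  }
  return false;
}

// A typed http:// URL: a known host (cache or the preload list shipped with the
// browser) gets the internal 307 to https before anything is sent; an unknown host
// gets a real http request whose response an on-path attacker could replace.
function resolveNavigation(url, cache, preloadHosts, now = Date.now()) {
  const u = new URL(url);
  if (u.protocol !== 'http:') return { status: null, url: u.href, onWire: 'https' };
  if (hstsApplies(cache, u.hostname, now) || preloadHosts.has(u.hostname)) {
    u.protocol = 'https:';
    return { status: 307, url: u.href, onWire: 'https' };
  }
  return { status: null, url: u.href, onWire: 'http' };
}
```

The first visit to a host that is neither cached nor preloaded still goes out over http, which is the window the post describes and the reason for submitting a site to the preload list.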

Tuesday, July 7, 2015

Bluetooth security modes and supported versions

Security Mode 1: No security. The device operates in promiscuous mode, allowing any other Bluetooth device to connect to it.
Versions supported: v2.0 and earlier devices support it; v2.1 and later devices support it only for backward compatibility.

Security Mode 2: Service-level enforced security. Security measures are established after the channel is established. Supports authentication, authorization and encryption.
Versions supported: v2.0 and earlier devices support it; v2.1 and later devices support it only for backward compatibility.

Security Mode 3: Link-level enforced security. Security measures are established before the channel is established. Supports authentication and encryption.
Versions supported: v2.0 and earlier devices support it; v2.1 and later devices support it only for backward compatibility.

Security Mode 4: Service-level enforced security in which security procedures are initiated after link setup. Uses SSP (Secure Simple Pairing).
Versions supported: Mandatory for communication between v2.1 and later BR/EDR devices. Backward compatible with any of the other three security modes.

Thursday, June 11, 2015

Difference between Cross-site scripting and Cross-frame scripting

Cross-site scripting (XSS) and cross-frame scripting (XFS) are often mistaken for and confused with each other. They seem very similar, but they are not; they are poles apart. One deals with malicious JavaScript injection, the other with framing a particular page inside another page. The latter is more of a phishing attack.
XSS: Injection issue. Forces malicious JavaScript code to execute in the browser.

XFS: Phishing-like attack, where a legitimate-looking page is iframed inside a malicious website.

Mitigation:

XSS: Input validation, output encoding.

XFS: Frame-busting code, so that the page can't be framed inside other websites.
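The two mitigations named above, as an added example that is not code from the original post: output encoding for XSS, and for XFS a frame-busting check plus the response headers that make the browser itself refuse to frame the page. The origins used are constructed for illustration, and the allowlist passed to framedByUntrusted holds full origins while antiFramingHeaders also accepts the CSP keyword 'self'.

```javascript
// Added example, not code from the original post. Origins are constructed.

// XSS mitigation: output-encode untrusted text before it is inserted into HTML.
function encodeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// XFS mitigation: is this page framed by an origin that is not on the allowlist?
// ancestorOrigins is the chain of framing origins (empty when the page is top-level).
function framedByUntrusted(ancestorOrigins, allowedAncestors) {
  if (ancestorOrigins.length === 0) return false;
  return ancestorOrigins.some((origin) => !allowedAncestors.includes(origin));
}

// Classic frame-busting code, to run in the browser (a no-op under Node). When the
// browser does not expose location.ancestorOrigins, any framing is treated as untrusted.
function bustFrameIfNeeded(allowedAncestors) {
  if (typeof window === 'undefined' || window.top === window.self) return;
  const origins = window.location.ancestorOrigins;
  const untrusted = origins ? framedByUntrusted(Array.from(origins), allowedAncestors) : true;
  if (untrusted) window.top.location = window.self.location;
}

// Script-based busting can be defeated by the framing page, so the server should
// also send headers that make the browser itself refuse to frame the page.
// 'self' is the CSP keyword for the page's own origin.
function antiFramingHeaders(allowedAncestors) {
  if (allowedAncestors.length === 0) {
    return { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
  }
  if (allowedAncestors.length === 1 && allowedAncestors[0] === 'self') {
    return { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" };
  }
  // X-Frame-Options cannot express a list of third-party origins; CSP frame-ancestors can.
  return { 'Content-Security-Policy': `frame-ancestors ${allowedAncestors.join(' ')}` };
}
```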

Tuesday, May 5, 2015

One more attack on SSL

After Heartbleed, POODLE, one more in this series:

Wednesday, April 8, 2015

Agent based cloud scanning

As part of the security assessment of cloud-based apps/infrastructure, we always face challenges in scanning the servers in the cloud. A few of them are:
  • Obtaining/managing credentials is always a headache
  • Not ideal for cloud solutions
  • Requires the target machines to be always online
The limitations of the scanners:
  • Traditional infrastructure scanners such as Nessus are of little use
  • Sometimes the scanners do not report vulnerabilities correctly due to issues such as machines frequently going down while a scan is in progress, firewall issues, etc.
We need a solution that, rather than us scanning the target servers, resides on the server itself, keeps scanning and sends the report back to the organization periodically. This is the concept of 'agent-based cloud scanning'.
The benefits are:
  • Rather than targeting the remote servers as in the traditional approach, the agents installed on the servers keep on running the scans and send periodic reports
  • Can run offline and sync once back online
  • Helps reduce network congestion
  • Enumerates Bluetooth and USB devices and mounted shares
  • Detects malware and suspicious processes
Nessus recently launched such a tool, called Nessus Agents, which fulfils the above conditions.