Author Archives: securityresearch

Free Disk Encryption tool certified by Cyber Security and Privacy Foundation

Cyber Security &  Privacy Foundation is certifying Disk Cryptor (a freeware under GNU) for hard disk encryption. The tool is very small, compact, stable. It is better than most of the commercial software available in market. The product is robust and supports power failure/disruption during encryption of hard disk. It can encrypt USB/Mass storage/Hard disk/SSD Hard disks. You can safely encrypt your Hard disk, Bootable HDD using Disk Cryptor. Cyber Security & Privacy Foundation certifies Disk Cryptor product. 

DiskCryptor Certified by Cyber Security and Privacy Foundation

Main Page/Download of Disk Cryptor:



React OS – Built on Windows NT architecture

People of India/Gov/Corporate may start testing the alpha version of reactOS which is built with Windows NT architecture and can almost run any windows binary files. It could be replacement of Microsoft Windows in long run. Let the researchers in India start using this. CSPF is certifying ReactOS after extensively using it for last six months and studied the working quite closely. We congratulate the ReactOS foundation for the brilliant work.

React OS Certified by CSPF



Netbanking Security Presentation

Netbanking in Indian banks have various issue. There are issue where there is no server side validation, there are issue relating to keyloggers/trojans like zeus which can compromise OTP. Are banks doing enough. This is  presentation done by one of the researchers in india.

All netbanking users are advised to secure their PC with

a. Good anti virus like ESET NOD32 or Avast antivirus

b. Anti keylogger like Zemana(

c. Install Malwarebytes Anti Exploit and Anti Rootkit (

d. Then login to your bank netbanking.

Presentation on Netbanking

(The test has been conducted at client end , not on server side)

Program to Block all Removable Drives/CDROM in Network

The toughest job for CISO/IT manager/even an end user is to protect his data on the computer. One of the main programs which is used to do this is Antivirus/Patch management/Firewall/DLP. DLP has been one of major requirements for corporate. Only a few major vendors like Symantec, Comodo have good DLP solutions which are often out of reach of the SME segment. We have written a small tool which can be used to build a DLP module which is a single executable file which can deployed across network. This program monitors every removable drive/CDROM inserted/removed takes a log of date, time, pnp device id, volume name, disk space details.

The Device Control(DLP) can only be uninstalled with a encryption key, the uninstaller and viewer  need not be deployed to the end point system.

This system is written for end user computer and is given as a freeware. Any corporate interested in a network friendly version could approach the foundation.

Download DLP_DeviceControl

Antivirus Tests for Indian Environment

Most international tests are useless when it comes to antivirus for Indian computers. Most of Indian computers are preinfected. we have conducted a few tests with samples which verify if a product is good. we found only Avast and Eset NOD32 to be best in Antivirus products suited for Indian Environment.

Eset NOD32 test Results:

Eset NOD32 Report

Report on ESET NOD 32 Antivirus

Avast Antivirus

Executive Summary Avast Free Antivirus

Report on ESET NOD 32 Antivirus


Linux x86 Reverse Engineering

Most of the Windows as well as Linux based programs contains bugs or security holes and/or errors. These bugs or error in program can be exploited in order to crash the program or make system do unwanted stuff Exploit usually attacks the program on Memory Corruption, Segmentation Dump, format string, Buffer overflow or something else. In computer security, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called “shellcode” because it typically starts a command shell from which the attacker can control the compromised machine. It is just a basic guide, not for l33t reverse engineers 🙂


Download the full paper here – shellcode-disassembling-tpp

Recover Gmail password Vulnerability

Oren hafif, a Security researcher discovered a major workflow related bug in gmail account recovery allowing the users to hijack any given GMAIL account. He points out that, GMAIL stands for Global Main Authentication and Identification Library.

This is a type of the password reset vulnerability, in the hacking process attacker have to send an email which looks like an email from an official google account. It’s a simple spear-phishing attack by leveraging a number of flaws i.e Cross-site request forgery (CSRF), and cross-site scripting (XSS), and a flow bypass.

Upon clicking the link, it redirect users to a page that is linked to but in real it leads the victim to the attacker’s website because of CSRF attack with a customized email address.

After completing the information collecting process—attacker has received your new password that you set for your account and cookie information of your account.

You can check out the demonstration video uploaded to YouTube by Oren Hafif


HTTP Request Hijacking for iOS

Researchers from Skycure have revealed an interesting vulnerability which we tried out in our labs. This vulnerability has the potential to hijack a number of apps on the iOS platform. The attack is a variant of Man in the middle attack. If an app is used on an insecure Wi-Fi network, an attacker can intercept requests sent by the app, reply to the requests with a 301, and trick the app into being redirected to a hostile server.

This short video demonstrates the vulnerability – Courtesy: Adi Sharabani

What do you think about this? 😉


Security Testing for the QA

As a professional QA engineer it’s a part and parcel of one’s day to day life to test the limits of the application in terms of functional and non-functional requirements. This tutorial focuses on understanding and implementing security testing methodologies in your day to day testing so that the most common security threats and vulnerabilities are enumerated before the code goes in to production environment. We shall learn to use various tools which come in handy to perform basic security testing while performing regular duties with relation to testing.



The above cycle can be considered as the tester’s cycle for security testing.  Being a part of the team, within the organization, gives plenty of opportunity to understand the feature and the environment. Hence, the information gathering part is not made exclusive in the cycle. After having enough information about the features and the environments, the tester must learn to focus on scanning through the features for the possible vulnerabilities which might arise based on the usage of third party software, style of coding, if the feature is heavily client facing, amount of user interaction to a particular feature etc. After scanning thoroughly for the vulnerabilities, the tester must enumerate the vulnerabilities in the order of severity and prioritize them in a consolidated list. Based on the severity and priority rating the tester moves in to the next phase, to determine if the existing vulnerability is actually exploitable. More often than not, the tester comes in to situations where he manages to find a vulnerability which is not actually exploitable. If the exploitability exists then, the amount of user interaction involved to cause any damage. These parameters help us determine the final severity and priority of fix for a bug. Then, we report the findings to a developer who developed that feature and help him with the possible solutions which he can code. In the freeze phase, we do a re-testing of the fix and make sure that the fix is ready for a code freeze and can safely move in to the production environment.

There is a paradigm shift from software applications to web based applications – thanks to cloud computing. There has been a rapid surge of developing quick web application code to meet the demands of the market. Web applications are different as compared to software applications. We need to understand the nature of a security bug. The security bug is a major combination of 3 major parameters – Attacker, Asset and Vulnerability. Finding the areas where security bugs majorly hide is an important key criterion in starting security testing. Let’s find out more about this in the following section.

Security Bugs

In the above figure we see two ovals – As designed and As Implemented. The functional bugs are majorly found when the implementation lacks what the requirement specification whereas security bugs are majorly found when an implementation of a particular requirement does something extra other than what is required of it to carry out the operation. These include poor coding practices like improper input sanitization, non-verification of URL redirects, accepting URL requests without header checks, etc.

Security Frame to hunt for bugs:


  • Configuration 
  • Data Validation
  •  Authentication
  • Data Protection
  •  Authorization
  • Error exception and handling
  •  Auditing and logging
  • User and Session management


This gives a brief checklist for finding the most common security vulnerabilities which lay in the code base.  The list is not comprehensive but a good collection of parameters to begin with. We should always be prepared for new attacks which might not be covered in the security frame above. This is where the constant mental updates about the who’s who of security domain help.

Initiation to security testing through mnemonics:

Starting security testing initially might be challenging for folks who are not having the mindset of an attacker. For this we have some really helpful mnemonics which can help the initiation in to security testing. Let’s focus on them one at a time.

STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Escalation of Privileges.

STRIDE is a classification scheme for characterizing known threats according to the kinds of exploit that are used (or motivation of the hacker). This helps in getting to learn as to how we can think and work our minds like an attacker.

Applying them in to your day-to-day testing:

ü  Look at each function of the application

ü  Identify bugs from the security frame

  • Most common attacks under each bullet
  • Revisit stride and hunt for potentially new bugs

For example: Sign-up for a new account  à Authenticate à S.T.R.I.D.E

Be aware of the bugs which were lodged in the past. There is high possibility for those bugs to be present in and around the fix. This will also give a thorough understanding of the type of the bug under observation, its behavior and the fix that was applied.

DREAD: Damage, Reproducibility, Exploitability Affected users, Discoverability

DREAD is a classification scheme which can be used to prioritize each security bug based on the above parameters. The calculation for DREAD is as follows:

ü  Each parameter has a value from 0-10.

ü  0 is the lowest and 10 is the highest degree of damage.

ü  Calculating DREAD factor is pretty simple – (D+R+E+A+D)/5

  • The value is always between 0-10

Higher the DREAD value, Higher is the severity and priority to fix