Saturday, August 6, 2022

The Plan Ahead And Some Web Application Security Tips

        I am hoping to make positive personal announcement soon in the next 3 days. ALight Technology And Services Limited is implementing very high-security measures. The primary threats have been identified, the plan to mitigate the threats has been planned, pending implementation. Much more detailed monitoring, alerting and in few cases even automatic remedial actions are going to be implemented.

       ALight Technology And Services Limited plans to implement these threat mitigating plans over 6 to 9 months period. But, once implemented, world-class, enterprise-grade security and audit would be in place. In other words, ALight Technology And Services Limited would be in a position to instantly demonstrate the security measures in place and this would hopefully help in propelling forward.

       The primary threat is the capabilities of the invisible spying drone by India's spying agency known as R&AW - Research And Analysis Wing. The invisible spying drone has viewing, screenshotting, recording video and audio, whispering and even mind-reading. There is a very high possibility of some advanced hacker tools being used by the spies who could connect to Wi-Fi networks and remotely login into laptops and probably steal files / source code or may be even session hijacking. The invisible spying drone has mind-reading capabilities and if I am not wrong maybe even some kind of projecting images into the mind. The equipment has been used for privacy invasion, human rights violation. I don't know how many people have been victims, but I have been a victim for around 5 years. From what I know, the equipment has been mis-used on few other people also for getting favors done via threat / harassment.

     With the above threat in place, and being the target for over a dozen rogue R&AW spies, I know they would probably do parallel coding and maybe even steal source code - Intellectual Property Theft. As of now, I might not be able to prevent the mind-reading, parallel coding type of threat. But I can definitely secure the network, and use biometric authentication using YubiKey Bio. I have been using Biometric Authentication for over the past 1 year but certain websites have vulnerabilities and using the websites with vulnerabilities has become a headache.

    Over the next few months, I will share some security best practices to thwart these spies. I might even provide links to relevant code samples or I might provide some code samples for ASP.Net/C#.

       Some of the best practices are mentioned below:

1) Audit - Everything that happens in a web application needs to have audit, the audit log should not be tampered, should be viewable.

2) The list of active sessions should be viewable and should allow remotely logging off - Several websites like Facebook etc... implement such security.

3) For applications where multiple tabs are not necessary cookie values need to be changed. Most banking type of applications implement such security, but the problem - back button would invalidate the session. But this is a necessity for high security applications.

4) SSL for every resource such as css, javascript etc... Most applications nowadays implement this.

5) When resetting passwords etc... send long string codes - if the URL has a smaller token, the spies can see the token and can type the token in their browser. When a request comes with the token, immediately invalidate the token. Do not display the token in the emails, provide a link.

6) Do not display keys etc... in plain text on the screen. Instead mask the keys and show a copy button instead. This has been a huge vulnerability, multi-billion dollar businesses like Github, Microsoft Azure, AWS also do not implement this security measure as of today. But, I think this is a must to thwart the spies.

7) If possible use random application-generated passwords and use vaults for storing sensitive secrets i.e as much as possible, admins do not memorize passwords or type in passwords. 

8) SMS, Authenticator, EMail code type of MFA options are weak against these spies. Physical USB key like Yubikey or Yubikey Bio, long string links via email seem to be safer options. Long string links via email is a safe option only if the email provider has proper security in place, else, as of now, Yubikey might be the only safe option.

Extra note: If using SMS / EMail codes for MFA try create pairs of code. OTP's should be seriously for One Time use.

For example:

When user enters username and password and when the web application generate a 2 codes. 1 for displaying on the webpage and 2 for sending via email. On webpage display code1 let's say "QWERTY", in the email send "QWERTY" in the subject and inside email content send OTP. If anyone attempts parallel login, there should be 2 emails and the emails would have different pair codes. By specifying for which the code pair the  user is being prompted, the users can only enter for what was being prompted and email should provide the ability to delete emails without viewing and should be easy. 

Long story short, I went through a lot in the past 5 years and too many lost opportunities. I am hoping to share some knowledge based upon what I went through and how to secure web applications to thwart these spies attempts.

Who knows how many databases might have been hacked / altered / tampered by the spies.

I know that they definitely did screenshots and tried to create fake propaganda and even identity theft, framing, defaming etc...

No comments:

Post a Comment

WebVeta has been accepted into, actual details not finalized yet!

  My Software as a Service (SaaS) product, WebVeta , has been accepted into . is a venture capitalist firm with a stron...