Category Archives: Security

Chrome and popup policy

Google Chrome uses a different policy from other browsers to detect and block popup windows.

Generally, a browser blocks a popup if it is automated, i.e. opened by a JavaScript call on page load or otherwise without a user action. Whether the popup was actually opened can only be discovered from JavaScript.

Chrome is a bit smarter here.

window.open() is expected to return a reference to the opened popup window, or null / undefined if the popup is blocked.

But Chrome holds the reference to the so-called popup as a non-null value and still blocks the popup, so a plain null check does not detect the block.

The snippet below is a good test case:

<script type="text/javascript">
function showpopup()
{
	// Deferred call: by the time it runs, the click that triggered it is no longer current.
	setTimeout(showpopupAfterTime, 1000);
}

function showpopupAfterTime()
{
	var popwin = window.open("http://harit.kotharee.com/", "popupwindow",
		"width=400,height=300,resizable,status,menubar,scrollbars");
	// A null reference means the popup was blocked; calling focus() on it would throw.
	if (popwin) {
		popwin.focus();
	}
}
</script>

<a href="javascript:showpopup()">Click for a pop-up window!</a>

Chrome allows a popup only if it is opened directly from the user's action, i.e. without any delay introduced by JavaScript (setTimeout, a callback) or any other means.

So in the above example the popup is only allowed if showpopupAfterTime() is called directly from the hyperlink, not via showpopup() and its timer!
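The following is an added example, not code from the original post. It shows how to detect a blocked popup in a way that covers both behaviours described above: the classic null return, and the Chrome case of a non-null reference to a window that never really opened. The opener function is injectable so the logic can run outside a browser; the zero-size check (outerWidth and outerHeight both 0 once the window has had a moment to settle) is a heuristic for the Chrome behaviour, not a documented API, which is why it is only applied after a delay. The link wiring at the end is the correct version of the snippet above: window.open is called synchronously inside the click handler.

```javascript
// Added example, not code from the original post: detecting a blocked popup in a
// way that covers both behaviours described above, the classic null return and
// the Chrome case of a non-null reference to a window that never really opened.
// Assumptions: `opener` defaults to window.open in a browser and is injectable so
// the logic can run outside one; the zero-size check (outerWidth/outerHeight both
// 0 once the window has had a moment to settle) is a heuristic for the Chrome
// behaviour, not a documented API, so it is only applied after the delay.

function isPopupBlocked(ref, settled) {
  if (ref === null || ref === undefined) {
    return true;                       // classic signal: the blocker returned nothing
  }
  if (ref.closed === true) {
    return true;                       // the blocker closed the window straight away
  }
  if (settled && ref.outerWidth === 0 && ref.outerHeight === 0) {
    return true;                       // live-looking reference, no window behind it
  }
  return false;
}

// Opens the popup and reports a verdict through onResult(blocked, ref).
// The immediate check only trusts null/closed; the size heuristic waits delayMs
// because a genuinely opened window may not be laid out yet.
function openPopupChecked(url, name, features, onResult, opener, delayMs) {
  if (!opener) {
    if (typeof window === "undefined" || typeof window.open !== "function") {
      throw new Error("no window.open available and no opener supplied");
    }
    opener = window.open.bind(window);
  }
  var ref = opener(url, name, features);
  if (isPopupBlocked(ref, false)) {
    onResult(true, ref);
    return ref;
  }
  setTimeout(function () {
    var blocked = isPopupBlocked(ref, true);
    if (!blocked) {
      ref.focus();
    }
    onResult(blocked, ref);
  }, delayMs === undefined ? 250 : delayMs);
  return ref;
}

// Correct wiring for the snippet above: call window.open synchronously inside
// the click handler, while the user gesture is still current. Anything deferred
// through setTimeout has lost that gesture and is what Chrome blocks.
function wirePopupLink(anchor, url) {
  anchor.addEventListener("click", function (ev) {
    ev.preventDefault();
    openPopupChecked(url, "popupwindow",
      "width=400,height=300,resizable,status,menubar,scrollbars",
      function (blocked) {
        if (blocked) {
          // Fail visibly instead of silently: tell the user, or fall back to
          // navigating the current tab.
          anchor.textContent = "Popup blocked: allow popups for this site and click again";
        }
      });
  });
}

// Usage in a page (hypothetical link element):
// wirePopupLink(document.querySelector("a"), "http://harit.kotharee.com/");
```

The important design point is that the blocked verdict is reported back rather than thrown away: a page that assumes the popup opened and keeps going (as the original snippet does with popwin.focus()) either throws on null or silently loses the user's action.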

AXIS Bank website & services – reviews & suggestions

www.axisbank.com is the official website of AXIS Bank (formerly UTI Bank). The bank brands its Internet-enabled services as iConnect. I eventually got around to accessing the website some time back.

Here is what I felt…

  • The website is simple and has a professional look. However, according to the footnote, it is friendly with IE only. Where did Firefox and Safari go?

    Home Page

  • The login window does not have a virtual keyboard, which is an important shield against fraud when a user's keystrokes are being recorded. ICICI Bank and Bank of India provide this.

    Virtual Keyboard

  • In any case, the script should be written so that the browser cannot store the username and/or password even if the user forces it. Again, ICICI Bank takes care of this. Disabling Ctrl+C and Ctrl+V is an added advantage that can be provided!

    Storing private data

  • Once the user successfully logs in, the welcome page has a menu bar on the left. But again, a usability suggestion: when the user selects an item from the drop-right menu (the menu displayed after selecting a main menu item), it should close. It only gets hidden when mouse focus is lost, so some users might not be sure whether they have clicked the menu item or not.

    Drop Right Menu

  • Account bifurcation (the breakdown of accounts) is simply good.

  • The eMail section is not so good. The email text is given too little importance in the user interface design: the eMail body is shown in only 8 or 9 lines, so the user has to rely on scrollbars. Better UI design is required.

    eMail Section

  • The mobile banking service can only be enabled; there is no option to either disable it or change the number! The input field for the mobile number is not editable! Also, the bank charges a sum for this service that is high compared to its accuracy and the conditions for SMS alerts etc.

    Mobile Banking - no second chance

  • Session management seems to be handled with respect to time and browser activity such as Back and Forward button clicks, which is a good way to prevent misuse. However, if you click multiple menu items before the respective page has actually loaded, the last clicked item loads and the session is not lost; this seems unusual!
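Two of the points above, the missing virtual keyboard and the browser being allowed to remember credentials, as a worked login form. This is an added example and not the bank's code or anything from the original post: the form and element ids (login-form, username, password, vkeyboard) are assumed markup, described in the comment at the top, and the key layout is shuffled on every load so that a logger recording click positions sees a different layout each time.

```javascript
// Added example (not the bank's code nor the original post's): a login form that
// (a) tells the browser not to remember the credentials and (b) lets the user
// enter the password with mouse clicks on an on-screen keyboard whose key order
// is shuffled on every load, so a keystroke logger sees no key presses and a
// click-position logger sees a different layout each time.
//
// Assumed (hypothetical) markup:
// <form id="login-form" method="post" action="/login">
//   <input id="username" name="user" type="text">
//   <input id="password" name="pass" type="password">
//   <div id="vkeyboard"></div>
//   <button type="submit">Log in</button>
// </form>
// The DOM wiring only runs when a document exists, so the pure helpers can be
// exercised outside a browser.

var KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"];

// Fisher-Yates shuffle with an injectable random source (Math.random by default).
function shuffle(items, rng) {
  rng = rng || Math.random;
  var out = items.slice();
  for (var i = out.length - 1; i > 0; i--) {
    var j = Math.floor(rng() * (i + 1));
    var tmp = out[i]; out[i] = out[j]; out[j] = tmp;
  }
  return out;
}

// Fresh key layout: every key in a new random position on each call.
function randomLayout(rng) {
  return shuffle(KEY_ROWS.join("").split(""), rng);
}

// Applies one virtual key to the current password value.
function applyKey(current, key) {
  if (key === "BKSP") return current.slice(0, -1);
  if (key === "CLR") return "";
  if (key.length !== 1) return current;       // ignore unknown control keys
  return current + key;
}

// Wires the form: autocomplete off on the form and both fields; the password
// field is read-only and rejects paste, so it can only be filled from the
// on-screen keys. Returns the layout that was rendered.
function setupLoginForm(doc, rng) {
  var form = doc.getElementById("login-form");
  var user = doc.getElementById("username");
  var pwd = doc.getElementById("password");
  var kb = doc.getElementById("vkeyboard");
  form.setAttribute("autocomplete", "off");
  user.setAttribute("autocomplete", "off");
  pwd.setAttribute("autocomplete", "off");
  pwd.readOnly = true;                          // no physical keystrokes; value still submits
  pwd.addEventListener("paste", function (e) { e.preventDefault(); });
  var keys = randomLayout(rng).concat(["BKSP", "CLR"]);
  keys.forEach(function (k) {
    var btn = doc.createElement("button");
    btn.type = "button";                        // must not submit the form
    btn.textContent = k;
    btn.addEventListener("click", function () {
      pwd.value = applyKey(pwd.value, k);
    });
    kb.appendChild(btn);
  });
  return keys;
}

if (typeof document !== "undefined") {
  setupLoginForm(document);
}
```

On-screen entry only raises the bar against keystroke capture; malware that records the screen or reads the page's DOM still sees the password, so it is one layer next to the separate transaction password and grid-card checks mentioned in this post, not a replacement for them.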

These points are just to save the bank from future online fraud and legal proceedings. Banks have always been soft targets for attackers.

This bank is one of India's well-reputed, long-established banks, recently converted into a private bank. Of course, its banking services are poorer than those of an Indian nationalised (so-called Government!!! :P) bank, while the charges are like a normal private bank's!

A few highlights of the bank's unprofessional approach!

  • Irregular and sometimes irrelevant responses.

  • Rare responses to queries / requests sent via authentic emails.

  • The SMS server is less dependable in terms of timely delivery or acknowledgement of request SMSes. There is no error message for a wrong / inappropriate SMS sent to the bank!

  • Responses from the bank via email lack properly formed text. Just Ctrl+C and Ctrl+V.

By the time I am posting this, I have received a screenshot of a duplicate website of ICICI Bank via an alert email.

This is not ICICI Bank's official website - beware before you log in!

Security tips – mostly generic for all banks.

  • Never give your PIN, card number, Internet banking username, passwords (login and transaction), etc. to anybody.
  • Changing the login and transaction passwords regularly is good practice.
  • Never keep the login and transaction passwords the same.
  • Keep an eye on the URL of the bank's login page. It must be the bank's original one; someone may easily trick you with a similar-looking name (as shown in ICICI Bank's duplicate site above).
  • No bank asks for your whole 16-digit debit card number, especially for an online purchase. It might ask for a few randomly selected digits for authentication, which is acceptable. ICICI Bank has introduced a GRID card, which is really unique and an addition to its security features.
  • In most cases a user ID is required to log in; an account number or card number will not do.
  • Avoid accessing net banking and similar services from a public / shared computer.
  • Use a virtual keyboard, on-screen keyboard or similar utility to enter your username / password or any other confidential information, especially when using someone else's computer. In short, avoid keystrokes; use mouse clicks!!
  • Last but not least, clear all URLs, browsing history and form details from the browser settings when you are done.
  • Close the browser: all instances / tabs, if several are running.
  • And yet many more… that you can contribute in the comments. 🙂 Thanks in advance.

HALF BOY and HALF MAN

A post for today's occasion, worth reading. I received this as a forwarded e-mail from a professor.

The average age of the army man is 19 years.

He is a short haired, tight-muscled kid who, under normal circumstances is considered by society as half man, half boy. Not yet dry behind the ears, not old enough to buy a beer, but old enough to die for his country.

He never really cared much for work and he would rather wax his own car than wash his father’s, but he has never collected unemployment dole either.

He’s a recent college graduate; he was probably an average student from one of the Kendriya Vidyalayas, pursued some form of sport activities, drives a ten year old jalopy, and has a steady girlfriend that either broke up with him when he left, or swears to be waiting when he returns from half a world away.

He listens to rock and roll or hip-hop or country or gazals or swing and a 155mm howitzer.

He is 5 or 7 kilos lighter now than when he was at home because he is working or fighting the insurgents or standing guard on the icy Himalayas from before dawn to well after dusk, or he is at Mumbai engaging the terrorists.

He has trouble spelling, thus letter writing is a pain for him, but he can field strip a rifle in 30 seconds and reassemble it in less time in the dark. He can recite to you the nomenclature of a machine gun or grenade launcher and use either one effectively if he must.

He digs foxholes and latrines and can apply first aid like a professional.

He can march until he is told to stop, or stop until he is told to march.

He obeys orders instantly and without hesitation, but he is not without spirit or individual dignity. His pride and self-respect, he does not lack.

He is self-sufficient.

He has two sets of combat dress: he washes one and wears the other.

He keeps his water bottle full and his feet dry.

He sometimes forgets to brush his teeth, but never to clean his rifle. He can cook his own meals, mend his own clothes, and fix his own hurts.

If you’re thirsty, he’ll share his water with you; if you are hungry, his food. He’ll even split his ammunition with you in the midst of battle when you run low.

He has learned to use his hands like weapons and weapons like they were his hands.

He can save your life – or take it, because that is his job.

He will often do twice the work of a civilian, draw half the pay, and still find ironic humor in it all.

He has seen more suffering and death than he should have in his short lifetime.

He has wept in public and in private, for friends who have fallen in combat and is unashamed.

He feels every note of the Jana Gana Mana vibrate through his body while at rigid attention, while tempering the burning desire to ‘square-away’ those around him who haven’t bothered to stand, remove their hands from their pockets, or even stop talking.

In an odd twist, day in and day out, far from home, he defends their right to be disrespectful.

Just as did his Father, Grandfather, and Great-grandfather, he is paying the price for our freedom.
Beardless or not, he is not a boy.

He is your nation’s Fighting Man that has kept this country free and defended your right to Freedom. He has experienced deprivation and adversity, and has seen his buddies falling to bullets and maimed and blown. But,

He has asked nothing in return, except our acknowledgement of his existence and understanding of his human needs.

Remember him, always, for he has earned our respect and admiration with his blood.

And now we even have women over there in danger, doing their part in this tradition of going to War when our nation calls us to do so.

As you go to bed tonight, remember this shot...
A short lull, a little shade and a picture of loved ones in their helmets.

Prayer Wheel ‘Lord, hold our Indian Army in your loving hands. Protect them as they protect us. Bless them and their families for the selfless acts they perform for us in our time of need. Amen.’
When you read this, please stop for a moment and say a prayer for our soldiers, sailors, and airmen, in all frontiers.

There is nothing attached…
This can be very powerful…
Of all the gifts you could give a Soldier, Sailor, or Airman, prayer is the very best one.

Pray for the Indian Soldier. Unlike your ‘Babus’ or ‘Netas’. He will always do you proud.

National Anthem (Collective) Instrumental Version

Danger

This is yet another post to clarify a major point about wrong or incomplete information. It is about LPG cylinders, which are widely used.

An e-mail with the following content is spreading far faster than the (little-publicised) clarification of the myth it carries.

Here is what the incomplete e-mail reads like:

Have U ever heard about LPG gas cylinder’s expiry date….!!

I also didn’t know how to find an LPG cylinder’s expiry date. Expired cylinders are not safe to use and may cause accidents. In this regard, please be cautious at the time of accepting any LPG cylinder from the vendor.

Here is how we can check the expiry of LPG cylinders:

On one of the three side stems of the cylinder, the expiry date is coded alphanumerically as follows: A or B or C or D, followed by a two-digit number, e.g. D06.

The alphabets stand for quarters –

1. A for March (First Qtr),

2. B for June (Second Qtr),

3. C for Sept (Third Qtr),

4. D for December (Fourth Qtr).

The digits stand for the year up to which it is valid. Hence D06 would mean the December quarter of 2006.

Please return the cylinder that you get with an expired date; they are prone to leaks and other hazardous accidents.

Of course, the content is partially correct. However, it is incomplete!!

In an FAQ, Indian Oil Corporation says,

In any case, this is not the date of EXPIRY of the PHYSICAL LIFE of the CYLINDER.

It is further clarified that, during service, every empty LPG cylinder, when it comes from the distributor to the bottling plant for filling, is checked for its condition, including the marked date on which statutory testing is due. Cylinders due for testing are segregated and sent for testing.

This seems more logical.

Thus I can conclude that if the date marked on the cylinder has passed, it is better that it be sent for proper testing, not simply thrown away.

Wireless Security – a 5 star need of today

The market is flooded with many wireless devices for home and business use. Many of them, especially wireless routers / access points, are available at attractive prices.

Many of us purchase them, set them up, and often forget the rest once we get them working.

But setting up basic security is the very next step after setting up the device and testing it.

Recent terror attacks were a red signal for many Wi-Fi home users.

Here is a brief idea of how we can set up basic but essential security with the available wireless router.

  1. Change the default user name and password; a few routers do not support changing the user name, and the default user name is generally admin. Use a combination of aLpHaNuM3R1C (alphanumeric) and $peC|@l (special) characters in the password. Keep the password as long as possible to resist brute force. Putting sp a ce (spaces) between password characters increases strength in most cases.

  2. Once the password is tightened, reduce the maximum number of possible users. DHCP settings generally allow a lot of clients, like 100. If in practice there can be at most 2 users at a time, set the maximum to 2, or lay out the IP allocation so that DHCP can hand out only 2 addresses even if more devices try to connect. Of course, disabling DHCP and allowing only manual configuration is always best practice, since a smart choice of addressing is difficult for an attacker to guess. (Bear in mind that a client that can already associate can simply set a static address, so this limits accidental use more than deliberate misuse.)

  3. Now actual security comes into the picture. Disable SSID broadcast unless it is really needed. This makes the network name harder to identify in the coverage area without specialised tools (it still travels in the clear when a client connects, so it hides the network from casual neighbours, not from someone sniffing). You may also reduce the connection idle time and use other router-specific features to reset the connection with a client device such as a laptop or PDA after idle time.

  4. Keep the SSID difficult to guess. Always change the default SSID of your router.

  5. MAC filtering is another important feature. A MAC address is a globally unique number for any network interface. For known usage, set the MAC filter with an allow policy, i.e. allow only devices with the listed MAC addresses and reject the rest. Of course, MAC spoofing is possible with a few tools, and the address of a connected client is visible in the clear to anyone sniffing the air, so this keeps out casual users rather than a determined attacker. :p

  6. Next comes software-enabled security, typically keys. Define keys and use the strongest key method the router offers to prevent unauthorised access to the network. This denies connectivity to a client that is merely standing in front of the network door: without the key, the router does not allow access. Of course, some weak key algorithms exist that can be broken (WEP in particular; prefer WPA2 with a long passphrase). 🙁 But the combination of all the techniques mentioned here is a fruitful way to increase security.

  7. Blocking ports and disabling unused services also helps; the feature is available in most of today's routers.
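The steps above written out as an access-point configuration. This is an added example and not from the original post: it uses hostapd (the Linux access-point daemon) with dnsmasq for DHCP, so it applies to a Linux-based router rather than a particular consumer model's web interface. The interface name wlan0, the SSID, the passphrase, the address range and the two client MAC addresses are made-up placeholders. Step 1 (the admin password) lives in the router's management interface and step 7 in its firewall rules, not in these files. For each option the weak setting is shown commented out above the corrected value.

```ini
# Added example, not from the original post. hostapd.conf for a Linux-based
# access point; wlan0, the SSID, the passphrase and the addresses are placeholders.
# hostapd does not strip trailing comments, so every comment is on its own line.

interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# Step 4: change the default, guessable name.
#   weak:  ssid=default_ssid
ssid=h3x-l0ft-9q

# Step 3: do not beacon the name (a sniffer still sees it when a client connects).
#   weak:  ignore_broadcast_ssid=0
ignore_broadcast_ssid=1

# Step 3: drop clients that have been idle for 5 minutes (value in seconds).
ap_max_inactivity=300

# Step 5: allow-list MAC filtering; 1 = deny unless the address is in accept_mac_file.
#   weak:  macaddr_acl=0
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept.mac

# Step 6: WPA2-PSK with AES-CCMP only. auth_algs=1 keeps open-system
# authentication only, which rules out WEP shared-key authentication.
# The passphrase is long and contains spaces (8 to 63 printable ASCII characters).
#   weak:  auth_algs=3
#   weak:  wep_default_key=0
#   weak:  wep_key0=0123456789
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=change this long placeholder passphrase with spaces before use

# ---- /etc/hostapd/accept.mac (step 5): only these two devices may associate ----
# 00:11:22:33:44:55
# 66:77:88:99:aa:bb

# ---- dnsmasq.conf (step 2): a pool of exactly two addresses on wlan0 ----
# interface=wlan0
# dhcp-range=192.168.7.10,192.168.7.11,255.255.255.0,12h
```

Start it with `hostapd /etc/hostapd/hostapd.conf` and check the result from a second machine: the network must not appear in a passive scan, a device whose MAC is not listed must be refused association, and a wrong passphrase must fail the handshake. Of these, the WPA2 passphrase is the control that actually keeps strangers off the network; the hidden SSID and the MAC list only narrow exposure, for the reasons given in steps 3 and 5.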

A tip before you buy: do not be trapped by marketing. The salesperson will mostly encourage you to buy the best device (in features and in price too!). Go for a device that is good enough on security measures and not much more than what you need, say in wireless coverage area. If the need is at most 90 feet, a router with coverage up to 100 feet is best; there is no need to offer a neighbouring hacker a chance by purchasing a router with a 150-foot range! Of course, your needs are the best judge of the suitable product, not always the salesperson!! Place the device in the centre of its intended area of use, to make the most of its coverage radius.
