Category Archives: Cyber Security

Cyber Security

Commands, Menus, Architecture & Features of Wireshark – Open source product dissection – Part 1 – Generated by Gemini & ChatGPT

Leave a comment

Wireshark is a renowned network protocol analyzer, often considered the standard across many industries. It’s an essential tool for network administrators, security professionals, and anyone looking to monitor and troubleshoot network traffic. Here’s an overview of its main features and architecture:

### Main Features of Wireshark

1. Live Capture and Offline Analysis: Wireshark allows for the capture of real-time network traffic as well as the analysis of previously captured files.

2. Broad Protocol Support: It supports hundreds of protocols and media types, with more being added regularly thanks to its open-source nature.

3. Deep Inspection of Hundreds of Protocols: Wireshark can drill down into the detail of network traffic, displaying each packet’s contents according to the protocol it belongs to.

4. Multi-Platform: Wireshark runs on Windows, macOS, and various UNIX and Linux distributions, making it widely accessible.

5. Graphical and TShark (CLI) Interfaces: While Wireshark is known for its graphical user interface, it also offers TShark, a powerful command-line interface tool, for those who prefer or need to work in a terminal.

6. Filtering and Search Capabilities: Users can filter network traffic displayed based on various criteria (such as IP addresses, protocol types, and ports) and search for specific packets.

7. VoIP Analysis: Wireshark can analyze Voice over Internet Protocol (VoIP) traffic, making it useful for troubleshooting complex voice communication issues.

8. Rich Visualization Options: It offers color coding and graphical visualization of network conversations and traffic patterns, aiding in the easier identification of problems.

9. Export and Conversion Features: Captured network data can be exported into various formats or converted into a different form for analysis in other tools.

### Architecture of Wireshark

The architecture of Wireshark is modular, consisting of several key components:

1. Capture Engine: Wireshark uses pcap (packet capture) libraries to capture live traffic from a wide range of network media types. On Windows, it uses WinPcap/Npcap, and on Unix-like systems, it uses libpcap.

2. Dissectors: For each supported protocol, Wireshark has a dissector – a module that understands how to interpret the structure of a packet belonging to that protocol. Dissectors parse the packet data and present it in a human-readable format.

3. Graphical User Interface (GUI): The GUI presents the captured and analyzed data to the user, allowing interaction through filters, search functionalities, and detailed views of individual packets.

4. Command Line Tools: Apart from the GUI, Wireshark comes with several command-line tools like TShark for capturing and analyzing traffic, editcap for editing capture files, and mergecap for merging multiple capture files.

5. Plugins and Extensions: Wireshark supports plugins in C, Lua, or Python, allowing users to extend its functionality with new dissectors or features.

The modular design of Wireshark, combined with its wide range of features, makes it a flexible tool for anyone working with network traffic. Its ability to analyze traffic in real-time or from captured files, along with its deep inspection capabilities, makes Wireshark an invaluable tool for diagnosing network issues, security analysis, and understanding network protocols in depth.

Wireshark offers a comprehensive set of commands and menu items that cater to various network analysis needs. Understanding the core functionalities available through its Graphical User Interface (GUI) and command-line tools can significantly enhance your efficiency in using this powerful network protocol analyzer. Here’s an overview of some important commands and menu items in Wireshark:

### Important GUI Menu Items

1. File Menu

Open: Opens a saved capture file for analysis.

Save As / Export: Allows saving the current capture in a different format or exporting specific data like HTTP objects.

Close: Closes the current capture file.

Quit: Exits the application.

2. Edit Menu

Find Packet: Enables searching for packets by various criteria such as packet content or protocol fields.

Preferences: Access to Wireshark’s settings and options for customization and configuration.

3. View Menu

Colorize Conversation: Highlights packet conversations in different colors to differentiate between them easily.

Zoom In/Out: Adjusts the size of packet details displayed.

Font & Colors: Customizes the appearance of the packet list, packet details, and packet bytes panes.

4. Go Menu

Go to Packet: Jumps to a specific packet number.

Next/Previous Packet: Navigates through packets according to the applied display filter.

5. Capture Menu

Start: Begins capturing packets on a selected network interface.

Stop: Stops the current capture session.

Options: Configures capture settings like filters, limits, and interface options.

6. Analyze Menu

Display Filters: Configures filters to display only certain types of packets.

Decode As: Allows the user to specify how packet data should be interpreted, useful for protocols over non-standard ports.

Expert Information: Provides a summary of potential issues found in the capture, such as retransmissions or malformed packets.

7. Statistics Menu

Summary: Displays a summary of the capture, including the number of packets, capture duration, and data rates.

Protocol Hierarchy: Shows a breakdown of protocols observed in the capture.

Conversations and Endpoints: Lists communication flows and network endpoints, respectively, providing insights into network interactions.

8. Help Menu

About Wireshark: Provides version and license information.

Wireshark Help: Access to the user guide and FAQs.

### Important Command-line Tools

1. tshark

– The command-line version of Wireshark, useful for capturing and analyzing packets in a terminal or scripting environment. Examples of commands include:

– tshark -i eth0 to start capturing on interface eth0.

– tshark -r file.pcap to read and analyze packets from a file.

2. editcap

– A tool for editing and converting capture files. Commands include options like:

– editcap -d infile.pcap outfile.pcap to deduplicate packets.

– editcap -s 64 infile.pcap outfile.pcap to truncate packets to a certain length.

3. mergecap

– Used for merging multiple capture files into one. An example command:

– mergecap -w merged.pcap file1.pcap file2.pcap to merge file1.pcap and file2.pcap into merged.pcap.

4. capinfos

– Provides summary information about a capture file. Use it like:

– capinfos file.pcap to get detailed information about the capture file.

Understanding and leveraging these commands and menu items will help you navigate through Wireshark more efficiently, making it easier to capture, analyze, and interpret network traffic data.

Absolutely! Here’s a breakdown of Wireshark’s main features and its underlying architecture:

Main Features

  • Deep Packet Inspection: Wireshark allows you to analyze the contents of network packets at a granular level, delving into various protocol layers and dissecting their headers and payload data.
  • Live Capture: Capture and examine network traffic as it flows in real-time.
  • Offline Analysis: Open and analyze previously captured traffic files (common format: .pcap).
  • Filtering: Powerful display filters let you zero in on specific packets or types of traffic using complex criteria. This is essential for making sense of the noise on a busy network.
  • Decoding and Dissection: Wireshark supports a massive range of networking protocols, automatically decoding them and presenting them in a human-readable format.
  • Reconstruction: Wireshark can reassemble TCP streams or other data flows, making it easier to follow conversations or file transfers across multiple packets.
  • Statistics and Reports: Generate various statistics and reports to visualize network traffic patterns and potential issues.

Architecture

Wireshark is built with these core components:

  1. libpcap/WinPcap (Packet Capture Engine): This library provides cross-platform access to low-level network interfaces. It handles the actual capture of network packets.
  2. Core Engine: Wireshark’s core is responsible for: Reading Packet Data: Reading from libpcap/WinPcap or from saved capture files. Protocol Dissection: Applying dissectors to break down packets based on their protocols and extract the relevant fields. Packet Analysis and Filtering: Applying display filters and performing deeper analysis on the decoded packet data.
  3. Graphical User Interface (GUI): Wireshark primarily uses the Qt framework for its GUI. This provides the visual interface where you see the packet lists, detailed packet views, and various configuration options.

Workflow (Simplified)

  1. Wireshark tells libpcap/WinPcap which network interface to listen on.
  2. libpcap/WinPcap grabs raw network packets.
  3. Packets are passed to Wireshark’s core engine.
  4. The core engine applies the appropriate dissector to decode the packet based on its protocol.
  5. Filtered and dissected packets are displayed in the GUI with detailed breakdowns of fields and data.

Key Points

  • Wireshark’s power comes from its vast library of protocol dissectors.
  • The GUI makes it easier to work with the complex information captured from network traffic.

Let me know if you’d like a deeper dive into a specific aspect of Wireshark’s features or architecture!

Here’s a breakdown of important Wireshark commands (mainly through the toolbar) and frequently used menu items:

Toolbar Commands

  • Start Capturing Packets: The iconic blue shark fin icon initiates a packet capture session.
  • Stop Capturing Packets: The red square halts the current capture.
  • Restart Capturing Packets: Begins a new capture discarding the contents of the current one.
  • Open: Opens a previously saved capture file.
  • Save: Saves the currently displayed capture data.
  • Find Packet: Opens a dialog to search for specific packets based on criteria.
  • Reload: Reloads the current capture file (useful if it was modified externally).
  • Go to First/Previous/Next/Last Packet: Navigation controls for moving through the packet list.
  • Colorize Packets: Toggles on/off color-coding of packets based on protocol type.

Menu Items

  • File Open, Open Recent, Save, Export (in various formats), Close, Quit
  • Edit Find Packet, Find Next/Previous, Time References (setting and marking), Preferences
  • View Coloring Rules (manage colorization), Zoom in/out, Expand/Collapse Subtrees, Time Display Format, Name Resolution (enable/disable)
  • Go Go to Packet, Go to First/Previous/Next/Last Packet, Back, Forward (navigation)
  • Capture Options (set interfaces, filters), Start, Stop, Restart, Capture Filters (manage)
  • Analyze Display Filters (create and manage), Follow (TCP Stream, etc.), Expert Info (view analysis results)
  • Statistics Offers a wide array of statistical analysis tools: Conversations, Endpoints, Protocol Hierarchy, Flow Graph, and many more.
  • Help Online documentation and resources

Important Note:

  • Display Filters: The power of Wireshark largely lies in its display filters. Learning the extensive display filter syntax is crucial for effective analysis. You can find tutorials and a filter reference guide on the Wireshark website.

Keyboard Shortcuts

Wireshark supports a rich set of keyboard shortcuts for faster navigation and actions. Check the official documentation or the Help menu for a complete list.

Additional Tips

  • Context Menus: Right-clicking on a packet or in various areas of the interface provides additional contextual options.
  • Customization: The toolbar, menus, and many other aspects of Wireshark are customizable to tailor it to your workflow.

Let me know if you want a focused guide on display filters or have any specific menu categories you’d like to explore in greater detail!

Cyber Security

Cyber security tips for Portals – Generated by ChatGPT & GEMINI – Part 1

Leave a comment

Cyber security is a critical concern for portal applications, which often serve as gateways to a wide range of resources and services. Here are some vital tips to enhance the cyber security posture of portal applications:

1. Use Strong Authentication Mechanisms: Implement multi-factor authentication (MFA) to add an extra layer of security beyond just usernames and passwords. Consider integrating biometric authentication, security tokens, or one-time password (OTP) systems.

2. Encrypt Data In Transit and At Rest: Use strong encryption protocols like TLS (Transport Layer Security) for data in transit. For data at rest, ensure that databases and file storage are encrypted using robust encryption standards.

3. Regularly Update and Patch Systems: Keep all software components, including the web server, database, and any third-party libraries, up to date with the latest security patches. Regular updates protect against vulnerabilities that attackers could exploit.

4. Implement Access Control and Authorization: Use role-based access control (RBAC) to ensure that users can only access information and functionalities relevant to their roles. Principle of least privilege should be strictly followed.

5. Secure APIs: If your portal interacts with other services through APIs, ensure those APIs are secured against common threats as defined by the OWASP API Security Top 10. Implement API rate limiting, access control, and ensure sensitive data is not exposed unnecessarily.

6. Conduct Regular Security Audits and Penetration Testing: Regularly assess the security of your portal application through audits and penetration testing. This helps identify and mitigate vulnerabilities before they can be exploited.

7. Protect Against Web Application Attacks: Use web application firewalls (WAF) and secure coding practices to protect against common web application attacks such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).

8. Monitor and Log Activity: Implement comprehensive logging and monitoring solutions to detect suspicious activities early. Regularly review logs for anomalies and signs of breaches.

9. Secure Session Management: Ensure secure session management practices are in place, including secure cookie handling and session timeout policies to prevent session hijacking and fixation attacks.

10. Educate Users: Conduct regular cybersecurity awareness training for all users of the portal. Educating users about phishing, safe browsing practices, and the importance of strong passwords can significantly reduce security risks.

11. Backup Data Regularly: Regular backups are essential for recovery in case of a cyber attack leading to data loss. Ensure backups are secure and tested regularly for integrity.

12. Compliance and Privacy: Ensure compliance with relevant legal and regulatory requirements, such as GDPR, HIPAA, or CCPA, which may dictate specific security and privacy measures.

Implementing these security measures can significantly reduce the risk of cyber attacks and data breaches in portal applications. Continuous attention to security, regular updates, and educating users are key components of a robust cyber security strategy.

Here’s a breakdown of cybersecurity tips specifically tailored for portal applications:

1. Authentication and Authorization

  • Strong Passwords: Enforce complex password policies (length, special characters, periodic changes). Consider password managers to help users.
  • Multi-Factor Authentication (MFA): Add an extra security layer with MFA (e.g., SMS codes, authenticator apps, hardware keys).
  • Role-Based Access Control (RBAC): Define granular access permissions based on user roles and responsibilities to limit the impact of any compromised account.
  • Session Management: Implement idle session timeouts and proper logout mechanisms to prevent unauthorized access.

2. Secure Coding Practices

  • Input Validation: Sanitize all user input to prevent injection attacks like SQL injection and cross-site scripting (XSS).
  • Output Encoding: Encode output to mitigate XSS vulnerabilities.
  • Secure Development Lifecycle (SDLC): Integrate security from the design phase, through development and testing. Include regular vulnerability scanning.
  • Use Established Frameworks: Choose well-maintained frameworks that prioritize security.

3. Encryption

  • HTTPS Everywhere: Use TLS (HTTPS) to encrypt all portal traffic in transit, protecting sensitive data.
  • Data at Rest Encryption: Encrypt sensitive data stored within databases or file systems.
  • Password Hashing: Store passwords using strong, salted hashes (like bcrypt, scrypt), never in plain text.

4. Network Security

  • Firewalls: Implement network and web application firewalls (WAF) to filter out malicious traffic.
  • Intrusion Detection/Prevention (IDS/IPS): Monitor network activity for anomalies and block potential attacks.
  • Segmentation: Separate sensitive areas of your network to minimize the attack surface.

5. Vulnerability Management

  • Regular Patching: Keep operating systems, web servers, frameworks, and third-party libraries up-to-date with security patches.
  • Penetration Testing: Conduct regular penetration testing to discover and address vulnerabilities proactively.

6. Logging and Monitoring

  • Extensive Logging: Implement comprehensive logging of authentication attempts, user activity, configuration changes, and security events.
  • Centralized Log Management: Use a SIEM (Security Information and Event Management) system to collect and analyze logs for anomalies.
  • Auditing: Regularly audit logs to identify potential security breaches.

7. Incident Response

  • Have a Plan: Develop an incident response plan for handling suspected breaches quickly and effectively.
  • Clear Communication: Establish clear communication channels internally and for reporting incidents to users or authorities if necessary.

8. User Education

  • Security Awareness Training: Educate portal users about phishing, social engineering tactics, password hygiene, and how to spot suspicious activity.

Additional Considerations:

  • Zero-Trust Approach: Adopt a zero-trust model where no user or device is inherently trusted. Verify and authenticate continuously.
  • Data Minimization: Collect only the data absolutely necessary for the portal’s functionality.

Remember: Cybersecurity is an ongoing process. Stay up-to-date with emerging threats and continuously evaluate your portal’s security posture.

Let me know if you’d like more details on any of the specific tips or want to discuss specific portal technologies!

Architecture, Cloud, Cyber Security

Security best practice, patterns & architecture links from AWS, GCP & Azure – Part 1

Leave a comment

Herewith I am providing a curated list of links for security best practices, patterns & architecture for AWS, GCP & Azure – Part 1.

AWS:

GCP:

AZURE:

Also, check out security as code products like oak9:

Email me: Neil@HarwaniSystems.in

Cyber Security

Cyber Security Keywords & Concepts – Part 1

Leave a comment

Here is a list of keywords & concepts in Cyber Security that technology professionals should be aware of. This is part 1 of the series.

  • CSP
  • XSS
  • ISO 27001
  • OWASP
  • Encoding / decoding
  • Encryption and it’s types
  • CSRF
  • CORS
  • Hashing
  • Authentication
  • Authorization
  • IAM
  • SSO
  • SAML
  • OAuth
  • Tokens
  • HTTPS / SSL
  • DOS / DDOS
  • Backdoor
  • Malware
  • Secure coding
  • Threats, Vulnerabilities, Controls & Mitigation
  • VAPT
  • Social Engineering
  • Spoofing
  • Proxy servers
  • Phishing
  • SQL injection
  • Buffer overflow
  • Viruses, Worms, Keyloggers, Spywares
  • Identity theft
  • RootKits
  • Zero Day
  • VPN / Firewall / IPS / UTM
  • Digital Certificates
  • Anti-Virus

References:

  • https://en.wikipedia.org/wiki/Cybersecurity_information_technology_list
  • https://en.wikipedia.org/wiki/Computer_security
  • https://en.wikipedia.org/wiki/List_of_computer_security_certifications
Cyber Security

Security tips for Google Drive & Android

Leave a comment

Google Drive:

  • Open Google Drive on web based browser like Chrome
  • On each of the folders if you see a person symbol it’s shared, if you don’t see the symbol its not shared
  • For each folder -> click SHARE -> Advanced -> Check which user has view rights and which user has edit rights -> Disable options to download, print, and copy for commenters and viewers -> Prevent editors from changing access and adding new people.
  • For each folder -> click SHARE -> Advanced -> SHARE SETTINGS -> Change -> Check settings there are 4 to 5 options
  • Note -> Even if your folder is not shared, files inside it can be in shared mode – This seems to be a big missing feature in Google Drive. There is no clear way to check this in one go for all files and we individually need to check each file. Workaround: Write Java code using Google Developers API to check this: https://developers.google.com/drive/

Android security settings to explore:

  • Emergency info – Settings -> Users -> Emergency info -> INFO & CONTACT – Note: Can be seen on locked screen
  • Settings -> Security -> Screen Lock
  • Encryption ON – at-least Android 6 required, by default it’s on from 6/7 onward – Settings -> Security
  • Settings -> Security -> Screen Lock -> Gear button -> Lock message
  • Security -> Install from unknown locations -> Should be OFF
  • Settings -> Users -> Guest user -> Turn on phone calls -> OFF
  • Settings -> Users -> Add users while screen is locked -> OFF
  • Settings -> Security -> Make password visible -> OFF
  • Settings -> Security -> Set up SIM card lock
Cyber Security, Software Security

Information security tips while working with digital sources and internet

Leave a comment
  • Setup OTP and recovery emails for all your accounts
  • Check permissions that various apps have on your phone
  • When you get an option – TRUST THIS DEVICE in Gmail or similar accounts, only select this option on your personal devices not public devices
  • Keep your desktop, laptop & mobiles password protected & encrypted if possible
  • Use standard Anti-Virus like McAfee, Windows Defender, Symantec, Norton, etc. Note: Android phones also have anti-virus
  • Explore and use a good VPN service
  • Go to your ACCOUNT settings regularly in Linkedin, Facebook, Gmail, etc. and see the logged in sessions (Who is using your account) and check which apps are integrated with your account, what information they are taking out – typically they take your friend’s list / relatives, age, email, phone number, etc.
  • Learn to backup your data in Cloud or external Hard Disk or both
  • Setup locate your phone, remote wipe, virus scan, link check, capture pic on wrong password attempts, etc. especially on Android via Anti-Virus or other means.
  • Update your devices across laptop, desktop and mobiles regularly using the official update process
  • Do not root your mobile devices
  • In Android don’t switch on the feature to TRUST UNKNOWN APPS to install APKs. Always install APPs from Android Play Store and Apple App Store only
  • Keep Bluetooth, WIFI, NFC off when not in use
  • When you leave your home switch off your WIFI
  • Change your passwords of WIFI, emails, accounts once in 6 months at-least. Your WIFI at home via router should be on encrypted network not non-encrypted, check the ADMIN page. Change the ADMIN password of your router at home, mostly many don’t change the username/password from admin/admin which is an easy entry point for wrong use. Update your router software also regularly via the official update option
  • For storing your passwords either use a diary / notebook OR there are encrypted software like password managers / wallets which store your passwords safely as an APP in your mobile – use them. See their ratings in PLAY STORE / APP STORE and then install or use. Don’t store passwords in plain text on computer or mobile.
  • Don’t keep same passwords across all your accounts – if you do so and one gets compromised all others get compromised