Web Security, Online Security &
Mobile Security
Dr. Inadyuti Dutt,
Asst. Professor, Dept. Of Computer
Applications, BPPIMT
Introduction
• Web Security is very important nowadays.
• Websites are always prone to security
threats/risks. Web Security deals with the
security of data on the internet/network or web,
and of data while it is being transferred over the internet.
• For e.g. when you are transferring data between
client and server, protecting that data in transit
is your web security.
Web Security Threats
• Web security threats are constantly emerging and evolving,
but many threats consistently appear at the top of the list of
web security threats. These include:
• Cookies
• Cross-site scripting (XSS)
• SQL Injection
• Phishing
• Ransomware
• Code Injection
• Viruses and worms
• Spyware
• Denial of Service
Security Consideration
• Cookies
– They are small text files that the browser accepts
while we browse the web
– They record the behaviour of the user
– Can be of two types
• Session cookies (not saved on the hard drive)
• Privacy cookies (saved on the hard drive)
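The two cookie kinds on the slide differ only in the attributes the server puts on the Set-Cookie header. The following is an added example (not code from the slides) using Python's standard http.cookies module; the cookie names, values and lifetime are constructed sample data, and the HttpOnly, Secure and SameSite attributes are real cookie attributes added here as the hardening a practitioner would expect.

```python
from http.cookies import SimpleCookie

def session_cookie(name, value):
    # No Expires or Max-Age attribute: the browser keeps the cookie in memory only
    # and discards it when the browser is closed (a session cookie).
    c = SimpleCookie()
    c[name] = value
    c[name]["httponly"] = True   # script in the page cannot read it (limits cookie theft via XSS)
    c[name]["secure"] = True     # only sent over HTTPS
    c[name]["samesite"] = "Lax"  # not attached to most cross-site requests
    return c[name].OutputString()

def persistent_cookie(name, value, max_age_seconds):
    # Max-Age tells the browser to write the cookie to disk and keep it for that long
    # (the slide calls this kind a privacy cookie; it is also known as a persistent cookie).
    c = SimpleCookie()
    c[name] = value
    c[name]["max-age"] = max_age_seconds
    c[name]["httponly"] = True
    c[name]["secure"] = True
    c[name]["samesite"] = "Lax"
    return c[name].OutputString()

def is_persistent(set_cookie_value):
    # Parse a Set-Cookie header value back and report whether it carries an expiry,
    # which is what decides whether the browser stores it on the hard drive.
    c = SimpleCookie()
    c.load(set_cookie_value)
    morsel = next(iter(c.values()))
    return bool(morsel["max-age"] or morsel["expires"])

if __name__ == "__main__":
    # Constructed sample cookies
    print(session_cookie("sid", "a1b2c3"))
    print(persistent_cookie("prefs", "dark", 30 * 24 * 3600))
```

Note that the session identifier is the cookie that should stay a session cookie with HttpOnly set; the persistent cookie is appropriate for low-value preferences, since anything written to disk outlives the browser session.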
Security Consideration
• Updated Software: You need to always update your
software.
– Hackers may be aware of vulnerabilities in certain
software, which are sometimes caused by bugs and can be
used to damage your computer system and steal personal
data.
– Older versions of software can become a gateway for
hackers to enter your network.
– Software makers soon become aware of these
vulnerabilities and will fix vulnerable or exposed areas.
That’s why it is mandatory to keep your software updated;
it plays an important role in keeping your personal data
secure.
Security Consideration
• SQL Injection is an attempt to manipulate your
data or your database by inserting malicious
code into your query.
– For e.g. somebody can send a query to your
website that contains malicious code; when it gets
executed it can be used to manipulate your
database, such as changing tables, modifying or deleting
data, or it can also retrieve important information.
So one should be aware of the SQL injection
attack.
Security Consideration
• Cross-Site Scripting (XSS): XSS allows
attackers to insert client-side script into web
pages.
– E.g. submission of forms. It is a term used to describe
a class of attacks that allow an attacker to inject
client-side scripts into other users’ browsers through a
website.
– As the injected code reaches the browser from the site,
the browser treats the code as trusted, and it can do things like sending the
user’s site authorization cookie to the attacker.
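The form-submission case above comes down to how the server writes untrusted text into the page. The following added example (not code from the slides) renders a submitted comment with and without output encoding, using Python's standard html module; the comment text is constructed sample input.

```python
import html

def render_comment_vulnerable(comment):
    # Defect: the submitted field is concatenated straight into the page, so any
    # tags in it become live markup in every other visitor's browser.
    return '<p class="comment">' + comment + '</p>'

def render_comment_safe(comment):
    # Fix: html.escape turns the characters that start markup (< > & " ') into
    # entities, so the browser displays the text instead of executing it.
    return '<p class="comment">' + html.escape(comment, quote=True) + '</p>'

def has_script_tag(fragment):
    # Demonstration check only: is a <script> element present in the emitted HTML?
    return "<script" in fragment.lower()

if __name__ == "__main__":
    submitted = "Nice post! <script>alert(1)</script>"  # constructed form input
    print(render_comment_vulnerable(submitted))
    print(render_comment_safe(submitted))
```

Escaping at output time is the control that addresses the slide's point; marking the session cookie HttpOnly is a second, independent layer that keeps injected script from reading it even when an escape is missed.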
Security Consideration
• Error Messages: You need to be very careful
about the error messages that are generated to
inform users while they access the website. Some
error messages are generated for one reason or
another, and you should be very careful about what
information they reveal to the user.
– For e.g. login attempt – If the user fails to log in, the
error message should not let the user know which
field is incorrect: Username or Password.
Security Consideration
• Data Validation: Data validation is the proper
testing of any input supplied by the user or
application.
– It prevents improperly formed data from entering the
information system.
– Validation of data should be performed on both
server-side and client-side.
– Performing data validation on both sides gives us
confidence in the data. Data validation should
occur when data is received from an outside party,
especially if the data is from untrusted sources.
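The server-side half of the validation described above, as an added example (not code from the slides): a registration form is checked against allowlist rules that state what acceptable input looks like, and every field that fails is reported. The field names, rules and limits are constructed for the demonstration; the client-side copy of the same rules would only be a convenience, since the server never relies on it having run.

```python
import re

# Allowlist patterns: describe good input rather than trying to enumerate bad input.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
AGE_RE = re.compile(r"[0-9]{1,3}")   # ASCII digits only, so int() below cannot be surprised

def validate_registration(form):
    """Return a dict of field -> error message; an empty dict means the data is acceptable.
    `form` is the raw mapping of submitted field names to strings (constructed here)."""
    errors = {}

    username = form.get("username", "").strip()
    if not USERNAME_RE.fullmatch(username):
        errors["username"] = "3-20 letters, digits or underscores"

    email = form.get("email", "").strip()
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        errors["email"] = "not a valid e-mail address"

    age = form.get("age", "").strip()
    if not AGE_RE.fullmatch(age) or not 13 <= int(age) <= 120:
        errors["age"] = "must be a whole number between 13 and 120"

    return errors

def is_valid_registration(form):
    return not validate_registration(form)

if __name__ == "__main__":
    # Constructed submissions: one well-formed, one with every field malformed.
    print(validate_registration({"username": "alice_01", "email": "alice@example.com", "age": "34"}))
    print(validate_registration({"username": "a b!", "email": "not-an-address", "age": "-5"}))
```

Using fullmatch (rather than search) matters: it forces the whole field to fit the pattern, so trailing junk after a valid-looking prefix is rejected too.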
Security Consideration
• Password: Password provides the first line of
defense against unauthorized access to your
device and personal information.
– It is necessary to use a strong password. Hackers in
many cases use sophisticated software that uses brute
force to crack passwords.
– Passwords must be complex to protect against brute
force. It is good to enforce password requirements
such as a minimum length of eight characters, which
must include uppercase letters, lowercase letters, special
characters, and numerals.
• Online Security
Online Security
• Online security is something most of us use on a daily
basis – sometimes we don’t even know we are using it!
– It is commonly used by websites to keep your personal
information as safe as possible.
– Some websites apply their security by asking for your
email address and other contact details which are unique
to you.
– Most websites will have a disclaimer explaining exactly
how the information you provide will be used and/or
distributed. This should be reviewed carefully to ensure
you are fully aware of your digital footprint and how your
personal data is being stored and used.
WHAT IS A DIGITAL FOOTPRINT?
• A digital footprint is like a file of unique, traceable online activities,
contributions, communications and actions specific to you.
• When you supply information to a website, sign up for a social
media account or contribute to a forum, these activities will
automatically become part of your personal digital footprint.
There are two kinds of digital footprint:
– One is our active digital footprint, which is made up of
websites and platforms that we have purposely given
information to – such as when you sign up for a social media
account.
– The other is called our passive digital footprint – where our data
is collected without us knowing. This is used by businesses and
websites in order to track website traffic and is collected
automatically. This data is commonly referred to as ‘cookies’ and
gets stored while you are browsing a particular webpage.
DIFFERENT TYPES OF ONLINE SECURITY
• Almost all of us use online security on a daily
basis. Some examples of frequently used online
security include:
• Complex password entry – Because of
advancements in technology and the
sophistication of hacking software, websites are
asking for passwords to be increasingly complex.
– They often require a combination of at least 8
characters made up of one uppercase letter, a number
and at least one special symbol such as a question
mark or full stop.
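Both the "Password" slide earlier and the complexity requirement here state the same rule set: at least eight characters with uppercase, lowercase, a numeral and a special character. The following added example (not code from the slides) enforces that rule set and reports every requirement a candidate password misses. The denylist of common passwords is a constructed addition: it illustrates the caveat that a password can satisfy every complexity rule and still be one of the first strings a brute-force tool tries.

```python
import string

# Constructed denylist for the demonstration; a real deployment checks against a
# large list of passwords seen in breaches.
COMMON_PASSWORDS = {"password1!", "welcome1!", "qwerty123!", "letmein1!"}

def password_policy_failures(password, min_length=8):
    """Return the list of requirements the password does NOT meet (empty list = acceptable)."""
    checks = [
        ("at least %d characters" % min_length, len(password) >= min_length),
        ("an uppercase letter", any(c.isupper() for c in password)),
        ("a lowercase letter", any(c.islower() for c in password)),
        ("a numeral", any(c.isdigit() for c in password)),
        ("a special character", any(c in string.punctuation for c in password)),
        ("not a commonly used password", password.lower() not in COMMON_PASSWORDS),
    ]
    return [label for label, ok in checks if not ok]

def is_acceptable(password):
    return not password_policy_failures(password)

if __name__ == "__main__":
    for candidate in ("abc", "Password1!", "Tr0ub4dor&3"):   # constructed candidates
        print(candidate, "->", password_policy_failures(candidate) or "acceptable")
```

Returning the full list of unmet requirements, rather than stopping at the first, is what lets a registration page tell the user everything to fix in one round trip.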
Different Types of Online Security
• Security questions – Commonly, banks will ask you to set up
security questions. These questions will be personal to you
and you should never share your answers with anybody.
• Anti-virus software/freeware – Antivirus software that can be
purchased or freely downloaded can be very useful in
providing protection to internet users.
• Two-factor authentication – Two-factor authentication means
that more than just a username and password are required
when logging in to an account.
– Most companies and social media platforms do this by sending a
unique code to the user via SMS. This code will expire after a certain
amount of time and also lets people know if anyone is attempting to
gain access to their account without permission.
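The SMS code flow described above, as an added example (not code from the slides) of the server-side part: a code is issued with an expiry, verified once, and discarded after too many wrong guesses. The 300-second lifetime and five-attempt cap are assumed values (the slide only says the code expires after "a certain amount of time"); SMS delivery is stubbed, so issue_code returns the code to the caller that would hand it to the SMS gateway.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5         # assumed cap on guesses per issued code

def issue_code(pending, username, now):
    """Create a fresh 6-digit code for `username` and record it in `pending` (a dict
    standing in for the server-side store). Returns the code for the SMS gateway;
    it is never sent back to the browser."""
    code = "%06d" % secrets.randbelow(1_000_000)   # unpredictable, not derived from the time
    pending[username] = {"code": code, "expires_at": now + CODE_TTL_SECONDS, "attempts": 0}
    return code

def verify_code(pending, username, submitted, now):
    """Check a code typed by the user: single use, expiring, attempt-limited."""
    entry = pending.get(username)
    if entry is None:
        return False
    if now > entry["expires_at"]:
        del pending[username]          # expired codes are discarded, not retried
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del pending[username]          # too many guesses: a new code must be issued
        return False
    if isinstance(submitted, str) and submitted.isascii() \
            and hmac.compare_digest(entry["code"], submitted):
        del pending[username]          # a code works exactly once
        return True
    return False

if __name__ == "__main__":
    pending = {}
    code = issue_code(pending, "alice", time.time())   # would go to the SMS gateway
    print("verified:", verify_code(pending, "alice", code, time.time()))
    print("replayed:", verify_code(pending, "alice", code, time.time()))
```

Passing `now` in explicitly keeps the expiry logic testable without waiting; the attempt cap is what makes a six-digit code adequate, since without it the one-million-code space could simply be enumerated within the lifetime.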
• Mobile Security
Introduction
• In this modern era of e-gadgets (mobile hand-held
devices), the security of these devices becomes challenging
– Portable computers
– Tablet PC
– Internet tablet
– Personal digital assistant (PDA)
– Ultramobile PC
– Smartphone
– Carputer (computing device installed in an automobile)
– Fly Fusion Pentop computer
Mobility?
• User Mobility
• Device Mobility
• Session Mobility
• Service Mobility
Key findings for Mobile Computing Security Scenario
• With usage, the awareness of mobile users gets
enhanced
– A survey shows that people with vast experience in
using wireless laptops give less emphasis to
the usage of mobile phones
– It also shows that people having experience
only in smart hand-held devices have little or no
knowledge of using these devices
Key findings for Mobile Computing Security Scenario
• People continue to remain the weakest link for
laptop security
• Wireless connectivity does little to increase the
burden of managing laptops
• Laptop experience changes the view of starting with
smart hand-held devices
• There is neglect of smart hand-held security
• Rules rather than technology keep smart-device
usage in check
Types of Attacks against 3G mobile networks
• Malware, viruses and worms
– Skull Trojan (targets Series 60 phones equipped with
the Symbian mobile OS)
– Cabir Worm (first dedicated mobile-phone worm; infects
phones with the Symbian mobile OS)
– Mosquito Worm (affects Series 60 smartphones & is a
cracked version of the “Mosquitos” mobile phone game)
– Brador Trojan (affects the Windows CE OS by creating a
svchost.exe file in the Windows start-up folder that allows
full access to the device)
– Lasco Worm (released first in 2005 to target PDAs and
mobile phones running the Symbian OS; replicates over
Bluetooth)
Types of Attacks against 3G mobile networks
• Denial-of-Service (DoS)
• Overbilling attack
– Involves an attacker hijacking a subscriber’s IP
address and then using the connection to initiate
downloads that are not “free downloads”, or
simply using it for his/her own purposes.
• Spoofed policy development process
• Signaling-level attacks
Types of Attacks against 3G mobile networks
• Mishing (Mobile phones + Phishing)
– Attacker will pretend to be an employee of a bank
and try to obtain the personal details of the user
• Vishing (VoIP + Phishing)
– Attacker calls over the telephone system via VoIP
• ID theft, purchasing goods, money/fund transfer, monitoring the
account of the victim, making loan applications
– Via Internet e-mail, mobile text message, voicemail,
direct phone calls
Types of Attacks against 3G mobile networks
• Smishing
– Attacker attacks using social engineering
techniques
– Uses cell phone text messages to deliver a
message in order to get information from the user
• Pretexting
• Sexting
• VoIP Spam
Bluetooth attacks
• BlueScanner
• BlueSniff
• BlueBugger
• Bluesnarfer
• BlueDiving