PCI DSS Compliance Calendar – Activities and Checklist

Compliance with the PCI DSS standard is mandatory for all entities which store, process or transmit cardholder data associated with Visa, Mastercard, American Express, Discover and JCB. As part of this compliance, the council requires organizations to undergo periodic assessments and evaluations. Vulnerability Assessment and Penetration Testing (VAPT) is a vital part of this requirement. Network […]

Monitoring the Oracle database with GFI Events Manager

Enabling Auditing in Oracle: To enable auditing and direct audit records to the database audit trail, we need to do the following. Log in as a sys user, execute the SQL command below, and then restart the database.
SQL> ALTER SYSTEM SET audit_trail=db SCOPE=SPFILE;
System altered.
SQL> SHUTDOWN
Database closed.
Database dismounted.
ORACLE instance […]

Hunting Passwords In SYSVOL

Introduction: By default, all Windows operating systems have a built-in Administrator account which has local administrator rights for the particular system. Windows Active Directory provides centralized management for Windows systems and, as per compliance requirements, the built-in administrator name and passwords can be changed from there. This can be achieved by any of the following approaches: […]

Injection in ‘Export to Spreadsheet’ functionality

Comma Separated Vulnerability, also known as Formula Injection/CSV injection. Introduction: This document demonstrates CSV injection, a technique for exploiting “Export to Spreadsheet” functionality. While working on some project, I found this vulnerability in one of Microsoft’s products, i.e. CRM – Customer Relationship Management. What is CRM?: It is a product by […]

Network Intelligence India – Threat Advisory (8 Feb, 2016)

From Our Blog: Data Privacy – An Introduction, by Latha Sunderkrishnan (Senior Consultant). When companies and merchants use data or information that is provided or entrusted to them, this data should be used according to the agreed purposes. Companies must ensure data privacy because the information is an asset to the company. Privacy concerns exist […]

Updates from Network Intelligence

I am pleased to share the story of our growth so far, specifically the progress made by our Security Solutions Division and the Security Operations Centre (SOC) – now renamed as the Security Services Centre (SSC). But first, some updates … NII posted growth of 80% year-on-year for the financial year 2014-15. We are on […]

PCI DSS Segmentation Assessment

Network segmentation plays a vital role in complying with the Payment Card Industry Data Security Standard. Effective segmentation helps in reducing the scope of assessment, cost and risk to data security. The PCI DSS standard recommends that networks which process, store or transmit cardholder data should be segregated and segmented from network environments that […]

Windows Kernel Exploitation

This write-up summarizes a workshop/humla conducted by Ashfaq Ansari on the basics of various kinds of attacks available for exploiting the Windows Kernel as of this date. It describes and demonstrates some of the very common techniques to illustrate the impacts of bypassing Kernel security and how the same could be achieved by exploiting specific […]

Data Privacy – An Introduction

Definition of Information Privacy: Wikipedia defines Information privacy as follows: Information privacy, or data privacy (or data protection), is the relationship between collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them. Introduction: When companies and merchants use data or information that is provided or entrusted to them, this data should be used according […]