Thursday 25 July 2013

Security Tips #1 : Making your online presence safe




Here is my first blog article on security. There has been much debate lately about how much security is needed to keep attackers/hackers out. There is no single answer to this question, since absolute security cannot be guaranteed, but below are some measures we can take to protect ourselves from the obvious risks.


1) Having a strong password and changing it frequently


This has been suggested for many years and is a controversial one, but it might be a little outdated.


The following research paper from Microsoft outlines all of this in an excellent manner.


http://research.microsoft.com/pubs/74162/hotsec07.pdf


Considering the attacks used to hijack user accounts, a strong password alone does not accomplish much, and it is a burden on the user to remember it. Instead we can focus on having a password that we can remember while keeping it a little different from obvious passwords such as 'password' or our own phone number, which are vulnerable to guessing attacks.


In addition to this, many systems have a 'Three Strike' rule: after several wrong passwords the security system activates and presents a CAPTCHA, which prevents automated scripts from performing brute-force attacks. Facebook and most others also send the user an e-mail saying that there have been recent failed attempts to access the account and offering help with a password reset.


But there are some sites which do not offer any kind of protection against brute force, i.e. no CAPTCHA or other security measures are provided. In such a case a strong password does help a great deal.

2) Reviewing recent login information


In addition to passwords, reviewing recent account activity is a great way to keep your account safe. Some sites like Facebook offer real-time login notifications to your mobile by SMS, and in Gmail you can actually view which systems accessed your account, by IP address and location. This helps us keep track of who is logging in and when.


Some hacking techniques actually involve stealing your login cookie rather than learning your password, so when you notice suspicious activity in your account you change your password, which voids the cookie so that the supposed attackers cannot log in any more using it. Of course this depends on the architecture of the application you are using, but most popular sites have this built in. The quicker we do this, the more damage we prevent.
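The server-side view of tips 1 and 2, as an added example that is not part of the original post: a small Python account store that rejects the obvious passwords mentioned above (including the user's own phone number), applies the 'three strike' rule by demanding a CAPTCHA after three failed logins, and stamps every session cookie with a password version so that a password change voids any cookie an attacker may have stolen. The class, its method names and the threshold of three are constructed for this illustration and do not describe any particular site's implementation.

```python
import hashlib
import hmac
import os
import secrets

# Passwords the post calls "obvious": a guessing attack tries these first.
OBVIOUS_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein"}

# Constructed policy value for this example: the "three strike" rule.
MAX_FAILURES_BEFORE_CAPTCHA = 3


def _digits(text):
    """Keep only the digits, so '98765 43210' and '98765-43210' compare equal."""
    return "".join(ch for ch in text if ch.isdigit())


class AccountService:
    """Hypothetical account store showing three defences from the post:
    rejecting obvious passwords, demanding a CAPTCHA after repeated
    failures, and voiding every session cookie when the password changes."""

    def __init__(self):
        self._accounts = {}  # username -> account record
        self._sessions = {}  # cookie -> (username, pw_version it was issued under)

    @staticmethod
    def _hash(password, salt):
        # Slow salted hash so a leaked database does not reveal passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def password_is_acceptable(self, password, phone=None):
        """Reject the choices the post names as guessable."""
        if len(password) < 8 or password.lower() in OBVIOUS_PASSWORDS:
            return False
        if phone and _digits(password) and _digits(password) == _digits(phone):
            return False
        return True

    def register(self, username, password, phone=None):
        if not self.password_is_acceptable(password, phone):
            raise ValueError("password is too easy to guess")
        salt = os.urandom(16)
        self._accounts[username] = {
            "salt": salt,
            "pw_hash": self._hash(password, salt),
            "phone": phone,
            "failures": 0,     # consecutive failed logins
            "pw_version": 0,   # bumped on every password change
        }

    def captcha_required(self, username):
        acct = self._accounts.get(username)
        return acct is not None and acct["failures"] >= MAX_FAILURES_BEFORE_CAPTCHA

    def login(self, username, password, captcha_solved=False):
        """Return a new session cookie, or None. After three failures every
        attempt must carry a solved CAPTCHA, which stops automated brute force."""
        acct = self._accounts.get(username)
        if acct is None:
            return None
        if self.captcha_required(username) and not captcha_solved:
            return None
        if not hmac.compare_digest(self._hash(password, acct["salt"]), acct["pw_hash"]):
            acct["failures"] += 1
            return None
        acct["failures"] = 0
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = (username, acct["pw_version"])
        return cookie

    def session_user(self, cookie):
        """Resolve a cookie to a user; cookies from before the last password
        change no longer match the account's version and are rejected."""
        entry = self._sessions.get(cookie)
        if entry is None:
            return None
        username, version = entry
        if version != self._accounts[username]["pw_version"]:
            del self._sessions[cookie]  # stolen or stale cookie: drop it
            return None
        return username

    def change_password(self, username, new_password):
        """What the post recommends on suspicious activity: a new password,
        and every existing cookie becomes void in the same step."""
        acct = self._accounts[username]
        if not self.password_is_acceptable(new_password, acct["phone"]):
            raise ValueError("password is too easy to guess")
        acct["salt"] = os.urandom(16)
        acct["pw_hash"] = self._hash(new_password, acct["salt"])
        acct["pw_version"] += 1
        acct["failures"] = 0
```

The version stamp is the cheap way to get the "change password voids the cookie" behaviour without walking every stored session; a real site would also persist the records and expire cookies by age.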


3) Using modern browsers


IE6 is probably the worst browser you can use in terms of usability and security. It has many security-related issues, and many companies such as Google have dropped support for it. If you are using this version of IE, it is high time you updated your browser: to IE 8 or later if you are particular about Internet Explorer, otherwise any latest version of Firefox or Chrome is good.


Basically the idea is to use something current and well supported; fixes in Chrome and Firefox arrive a lot quicker. But that does not mean you cannot use IE; we can always use it as long as it is kept up to date with the latest patches/updates.


4) Using HTTPS for sites


Many popular web platforms that we use, such as Gmail, Yahoo and Facebook, have options to enable HTTPS for all sessions/actions. HTTPS prevents people from sniffing your traffic, which you are most vulnerable to when browsing over public Wi-Fi.


Gmail has HTTPS enabled by default. Yahoo Mail does not have it by default, but we can change that with a simple configuration change in the account settings. The same goes for Facebook, LinkedIn and many other sites. It offers security against the basic man-in-the-middle attack (MITM); there are many more sophisticated attacks that can be performed to break/bypass HTTPS, but as a user, enabling HTTPS raises the security to a considerable level.


Points to note in an HTTPS session:

    (i) Making sure that the HTTPS is not broken is a good thing. Most browsers show a lock symbol indicating this. If you do not have a lock symbol and the URL is still HTTPS, then you have a broken HTTPS session; we should avoid doing critical transactions in a broken session.

    (ii) The site's certificate is issued by a Certificate Authority (CA), a trusted third party that verifies the site's identity. Each browser has its own list of trusted CAs; some of them are listed below. Although it is difficult to validate each and every CA, it is good practice just to check who has verified the site. In case of something fishy, you can always look up the CA in your browser's list or google it; if you don't find it there, then probably you are using a manually installed certificate, or there is a possibility that the HTTPS session is compromised.

Chrome and IE's root CA list : http://support.microsoft.com/kb/931125

Firefox root CA list : http://www.mozilla.org/projects/security/certs/included/

Apple's root CA list : http://www.apple.com/certificateauthority/

The following link will help us understand why SSL certificates are required and what they are used for:

http://security.stackexchange.com/questions/6737/what-is-an-ssl-certificate-intended-to-prove-and-how-does-it-do-it
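A way to check points (i) and (ii) from a script rather than from the browser's lock icon, added here as an example and not part of the original post: Python's ssl module verifies the certificate chain and hostname against the operating system's trust store, and getpeercert() tells us who issued the certificate, i.e. who verified the site. The functions inspect_https, describe_issuer and issuer_is_listed and the sample certificate dictionary are constructed for this example; the sample issuer "Example Trust Services" is fictitious.

```python
import socket
import ssl


def describe_issuer(cert):
    """Reduce the dict returned by SSLSocket.getpeercert() to the fields a
    user looks at in the browser's certificate viewer: which site the
    certificate names, who issued (verified) it, and when it expires."""
    # getpeercert() gives subject/issuer as a tuple of RDNs, each a tuple of (name, value) pairs.
    subject = {name: value for rdn in cert.get("subject", ()) for name, value in rdn}
    issuer = {name: value for rdn in cert.get("issuer", ()) for name, value in rdn}
    return {
        "site": subject.get("commonName"),
        "verified_by": issuer.get("organizationName"),
        "issuer_cn": issuer.get("commonName"),
        "valid_until": cert.get("notAfter"),
    }


def issuer_is_listed(details, known_issuers):
    """Compare the issuer against names copied from the browser's root CA list
    (the links above). An issuer not on the list is the 'something fishy' case."""
    return (details.get("verified_by") in known_issuers
            or details.get("issuer_cn") in known_issuers)


def inspect_https(hostname, port=443, timeout=5.0):
    """Connect with full chain and hostname verification against the OS trust
    store, as the browser does. Returns (ok, details); ok=False carries the
    verification error, i.e. the session the post calls 'broken'."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return True, describe_issuer(tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        return False, {"error": err.verify_message}
    except (ssl.SSLError, OSError) as err:
        return False, {"error": str(err)}


# Constructed sample in getpeercert() shape; all names are fictitious.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Trust Services"),),
        (("commonName", "Example Trust Root CA"),),
    ),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}


if __name__ == "__main__":
    import sys
    # Live check of a host given on the command line, e.g. python check_tls.py mail.example.com
    print(inspect_https(sys.argv[1]))
```

Run with a hostname to see the live result; a self-signed or expired certificate, or one whose name does not match the host, comes back as ok=False with the reason, which is exactly the case where the browser would drop the lock icon.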



5) Two-factor Authentication


Two-factor authentication is the process of adding another system into the picture to enhance security, i.e. you have two levels of security: one is obviously your machine and the next can be something like security tokens. They are basically of two types, hard and soft tokens, but here we are concerned with soft tokens.


Gmail, Yahoo and Facebook all have facilities for two-factor authentication, which is turned off by default. But we can enable it with the help of our mobile phones. Whenever we log in we get a soft token in the form of an SMS; this is in addition to the password authentication and it is usually a One Time Password (OTP).


This makes things difficult for hackers: even if they know your password they have to know the OTP to take over your account, which in general is very difficult.


Caveat: Make sure you have backup codes noted somewhere safe in case you lose your phone, without which it is very difficult to access/recover your account.
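The post describes OTPs delivered by SMS; authenticator apps compute the same kind of soft-token code locally from a shared secret, as specified in RFC 4226 (HOTP) and RFC 6238 (TOTP). The following Python, added as an example and not part of the original post, implements that derivation and the server-side check, and also shows one way of handling the backup codes from the caveat: stored only as hashes and usable once. The function names and the backup-code format are my own; the key in the usage lines is the test key from RFC 4226, so the printed values can be compared against the RFC.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' of the MAC down to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, window=1):
    """Server-side check: accept the current code and one step either side,
    so a slightly skewed phone clock still works. The constant-time
    comparison avoids leaking how many digits matched."""
    at = int(time.time()) if at is None else at
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * step, step), str(code)):
            return True
    return False


def generate_backup_codes(count=8):
    """Return (plaintext codes to show the user once, hashes to store).
    As with passwords, the server keeps only the hashes."""
    plain = [secrets.token_hex(4) for _ in range(count)]  # 8 hex characters each
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in plain}
    return plain, stored


def redeem_backup_code(code, stored):
    """A backup code is single use: its hash is removed from the store on success."""
    h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if h in stored:
        stored.remove(h)
        return True
    return False


# Test key from RFC 4226 Appendix D, used only so the output can be checked against the RFC.
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP(counter=0) =", hotp(RFC_TEST_KEY, 0))   # 755224 in the RFC table
    print("TOTP(t=59)      =", totp(RFC_TEST_KEY, 59))  # last six digits of RFC 6238's 94287082
    codes, store = generate_backup_codes(4)
    print("first backup code redeems once:",
          redeem_backup_code(codes[0], store), redeem_backup_code(codes[0], store))
```

The point of the one-step window is usability, not security: a wider window gives an attacker more valid codes per attempt, so the failed-attempt limiting from tip 1 applies to OTP entry as well.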


These security tips are ones that most users are not aware of, and they apply across many sites in a generic manner. They can be thought of as a kind of must-have. But of course the best place to get more security tips is the web sites' own help pages.

Gmail : http://www.google.co.in/goodtoknow/online-safety/


Facebook : https://www.facebook.com/help/ and then navigate to security


Yahoo : http://security.yahoo.com/ 


Linkedin : http://help.linkedin.com/app/answers/detail/a_id/267


and the list goes on.


Note: The above links might change, so make sure you google it if a link is broken.

Do keep up with the latest security practices on any sites that you are using.







Thursday 18 July 2013

Highlighting a Web Element in Selenium

Highlighting web elements comes in very handy when we are doing validations on web elements using Selenium. It is also useful for debugging, to see which element WebDriver actually selects, when we don't want to go in and use Selenium IDE every time to visually find the element.

Link to the code : 
https://github.com/Madusudanan/Selenium/blob/master/WebElementHighlighter.java

The above code is kind of raw and is suitable if you are implementing it in a selector method in a framework of your own. But there is another way of doing this with the help of AbstractWebDriverEventListener. This is a utility class developed by the Selenium folks that can be used for logging and other purposes.

AbstractWebDriverEventListener has a problem: it does not have listener methods for isDisplayed(), which we use to verify that some text is displayed on the page (we cannot use click() here since it is just text). We can overcome this by putting our highlighter code inside the beforeFindBy method of the EventListener, so that every element FindBy triggers the highlighter listener method.

I thought this was the best way to implement it, but I would definitely welcome better ways of implementing it inside the EventListener class; if you come across any, do let me know.

Link to the EventListener implementation code :
https://github.com/Madusudanan/Selenium/blob/master/WebElementHighlighterAsEventListener.java



Code in action : 



Please let me know in case of any issues you face with the code.

Tuesday 9 July 2013

Getting Parsed Page Content Using Selenium

There might be several situations where we need to extract particular page content using Selenium. This is different from getting the page source using 'driver.getPageSource()', which gives the raw HTML code.

Suppose we want the entire text from a particular area of a web page. Selenium provides an excellent way to do that:

'String required_text=driver.findElement(By.tagName("put the HTML tag here")).getText();'

This gives you the text of the particular web element. We can also use By.id, By.xpath or other locator strategies, whichever works for us, but this usually does the trick. It comes in useful when we want the page content for logging purposes; plain-text parsing of the required text out of the DOM is usually difficult and not recommended.



Saturday 6 July 2013

Learning Math

Learning math and its real-world applications has always been a difficult task for all of us. But thanks to MIT, they now have OpenCourseWare, through which we can learn math from them for free.

Below are the links for the courses. Start with Single Variable Calculus, then move on to Mathematics for Computer Science and then Introduction to Algorithms.

This is truly some serious stuff.

Single Variable Calculus : 
http://ocw.mit.edu/courses/mathematics/18-01-single-variable-calculus-fall-2006/index.htm

Mathematics for Computer Science(Discrete Math) :
http://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-042j-mathematics-for-computer-science-fall-2010/index.htm

Introduction to Algorithms :
http://ocw.mit.edu/courses/electrical-engineering-and-computer-science/6-046j-introduction-to-algorithms-sma-5503-fall-2005/index.htm





You can always make a donation to support them for making this excellent material available for free.

There are also other excellent courses that you can view in your subject/field of choice.

Happy Learning :)