07 January, 2012

First Guest Blog Post on Web Service Attacks

There's no such thing as a new year. The way we measure time is entirely artificial. The only time that counts is right now. Worrying about yesterday or planning for tomorrow is much less important than doing something right now.
~ Joel Heffner ~
I wrote a guest blog post on Santhosh Tuppad's blog http://tuppad.com/blog/. When Santhosh asked me to write one, I literally fell off my chair. Knowing an amazing tester and working with him is one thing. Getting a request for a guest blog is another, and a special one! It's a great honour to be writing for Santhosh's blog. Thanks a lot, Santhosh!

I have been doing a lot of research on how to test web services. Of course, web services are not a new thing. However, many of us struggle to do it the first time. Struggle is a good sign; it pushes us to learn more and practice more. I have penned down a few learnings based on my experience so far. I hope it helps at least some of you who are doing similar stuff.

You can read my article here.

Happy Right Now Everyone!

Regards,
Pari

10 December, 2011

Social Engineering Attacks

Social Engineering Attack
The art of tricking vulnerable and unsuspecting people into revealing confidential information (passwords, credit card numbers, social security numbers, login credentials to payroll systems, customer databases, etc.) with little or no contact with computers.

Social Engineers
-- Sweet talkers with oozing confidence
-- Specialized in dealing with people, not necessarily computers
-- Great actors who can change their communication style and expressions at the drop of a hat
-- Already have access to a few confidential details about the victim, like full name, post code, gender and others

Social Engineering Attacks
Impersonation
Suppose I pose as a representative from the bank where you hold your salary account and call you at your office desk. I inform you that the netbanking system has faced a network outage and that the finance team won't be able to credit your salary without your login credentials to the netbanking system. You are worried your salary will arrive late and share your credentials. I now have your bank account details. Whoopsie!

What could you have done?
1. Ask me to identify myself and verify my credentials.
[How do you know I work for the bank? It's hard to verify over phone or email ;-). That's why social engineers use these channels more often.]
2. Ask me why I called you on your office desk number though I had your mobile number.
[The attacker randomly picked a phone number based on the phone number listed on the website of the company where you work and modified the last 3-5 digits to hit your number. Even worse, she asked the receptionist to connect her to your extension.]
3. Was the netbanking site really down?
[If the netbanking website was down, the bank should have informed you of any planned outage in advance. Even if it was down due to a sudden system failure, the website would have displayed a suitable message indicating the reason and what time the system would be up and running.]

Intimidation
I pose as a direct reportee of your boss, who works out of the US office. You work out of a tiny office in a small town in the southern hemisphere. And of course, you are very fearful that you'll lose your job if you anger your boss. If I call you and say, "Hey Raaamalingaam, Jude asked you to share the customer database server credentials with me", wouldn't you give them right away? And you'd expect a good hike in March after this great feat!

What could you have done?
1. Did Jude ever mention this particular reportee?
2. Was there any kind of conversation with Jude prompting you to share credentials with the attacker?
3. The customer database server has tons of customer contact details. How could you carelessly share this information with an absolute stranger?

Trespassing
I enter your corporate campus posing as a plumber who has come to fix the lavatory near the corporate virus lab. I somehow follow you as you swipe your access card to get into the lab, and you don't notice me getting in. I get in, load some virus files onto the server and get out. Meanwhile, I might have copied tons of data from your server just before I infected it. Bingo!

What could you have done?
1. Restrict people from tailgating into restricted areas of the campus
2. Take note of suspicious people and report to Information Security team

Fake Prompts
I know of a few websites that you visit regularly first thing in the morning. If you are a teenager, you may first log in to Facebook or Gmail. If you are a middle-aged person, you may be interested in www.sharekhan.com. You happen to visit one of these sites and fail to notice that the credentials prompt appeared twice in a row. One of those times, I stole your login credentials. Wow! If you noticed, this was a computer-assisted social engineering attack.

What could you have done?
1. You could have noticed that the credentials page prompted twice and asked yourself why
2. You could have looked at the URL to check whether it took you to another, suspicious website or page

Shoulder Surfing
I sit very close to your work area and peep as you type your password to log in to your system. I even know the password for your Gmail account. I'll send you an email from your own email account if that helps.

What could you have done?

1. You could have observed whether people around you were watching you

Sweet Talking (my own term)
As a friend, I ask you what your pet's name is. You say your pet's name. I type that as your secret answer for your email account and get your password. Now, your account is mine.

Here's a second level of sweetness. I ask you if your password contains 123 in it. You say 'Yes' with glee. I ask if it's at the end. You say yes. I use a dictionary attack, combine it with your liking for your favourite God and woohoo, I am inside your account. If your email account doesn't have an account lockout policy in place, it's a festival indeed.

What could you have done?
1. You shouldn't have trusted me
2. You should not have confirmed whether specific data is present in your password

Countermeasures
Personal Security
-- Never reveal confidential information to suspicious people whose identity is unknown
-- Avoid revealing information out of trust or fear instilled by people such as your managers, directors, friends, family members etc.
-- When someone asks for confidential information, ask them to identify themselves. Verify whether the identification is correct or not

Corporate Security
-- Have a sound corporate security policy in place
-- Contact details of employees, including email addresses, mailing addresses, personal phone numbers, official phone numbers and other details, should be concealed from the external world as much as possible
-- Desk phone numbers should be shielded from the external world
-- Have internal security engineers run simulated social engineering attacks as a periodic check

Here's a simple rule to handle social engineering:
When it comes to security, trust no one!
Regards,
Pari

Addendum on 17th Dec 2011:
Added Shoulder Surfing and Sweet Talking attacks.

18 November, 2011

Claims Testing (Mindmap)

Claims Testing



P.S.: This is a continuation of an old blog post on Claims Testing.

Regards,
Parimala Shankaraiah

25 September, 2011

Ramblings on Math and Testing

I was teaching math to one of my cousins who's about to get certified as a 10th grade pass out. I now figure pass out rhymes with drop out :-).

Math is an interesting subject. You have hundreds of theorems and corollaries, millions of formulae and lots of problems that appear like "Life and Death" problems to some of us. I was looking into arithmetic progression in particular. There have been many theories based on which there is a formula that looks something like this:

Tn = a + (n-1)*d
In straightforward problems, students are asked to find one of the above parameters while being given the rest. For example: find Tn given a and d. What some students don't realize is that n is present in Tn itself. They go looking for n, get lost and leave the problem unsolved.

I was trying to simplify this for my cousin. First, I made her write down all given parameters, followed by some parameters known to her. I asked her to list out what her end goal (Tn) is. I asked her what more she needed to calculate Tn. And she did.

Trap Gods must be happy
Trap Gods are happy whether they trap you or lead you towards traps. One striking thing about my cousin was this. The moment I dictated one problem, she pounced upon the problem like a tigress on its prey. That is how some of us feel when we are working on math problems ;-). She didn't notice what was in the question, what she was supposed to find and how to proceed. All she did was listen to one key term (Tn, in this case) and go looking for it. In short, she heard what she wanted to hear. The rest escaped into the wilderness.

Why math class on a testing blog?
As I was helping her with her problems with problems, I figured how similar it is to testing.
  • We are given some problem to test (the product).
  • We may know a few things about the product.
  • We may not know many things about the product.
  • Based on what we know, we go scouting for new things.
  • If we don't know anything about the product, we still need to figure out how to know (learn) the product.
  • Once we think we know at least a decent part of the product, we go figure new stuff again and again and again.
  • Every observation made, every direction taken leads to different paths which become solutions.
  • There is no one right answer, there could be a second right answer and even more.
  • There is no one time permanent solution unlike in math.
  • Every time, there is a new solution, there is a new breakthrough.

Heraclitus, a Greek philosopher once said, "Expect the unexpected or you won't find it". Unless we look for the unexpected, we won't find it. If we do, we may not recognize it. It's good to calm down, relax and look for the unexpected. Often, we lose out on sometimes obvious things either because we are looking for something else or we don't recognize what we see.

[PS: I have been struggling to write this post. I wanted to write this because I am thrilled for some weird reason. At the same time, I am not too thrilled with the way I am struggling to think and write. Need to be writing more often. Until then, have a good time reading this post. Who knows, a few years down the lane, I may look at this post and proudly say, "Oh! My writing used to be so damn bad :D"]

Update: My friend Dhanasekar asks, "Expect the Unexpected, how is this possible? You are expecting so it can no more be called unexpected". Me : Go read some of Heraclitus's writings.
Expect the Unexpected,
Regards,
Parimala

23 September, 2011

Experience Report : BWST 3


 Bangalore Workshop on Software Testing – 3

Theme : Personal Excellence and Skill Development

6th August, 2011 @ S hotel, Bangalore

T-shirt Sponsor: Moolya


Photo courtesy : Santhosh Tuppad

Ever since the BWST 3 announcement was put up on Pradeep's blog, we got many registration emails and calls. The slots got filled really fast. When some of them got to know that, they started sending emails asking "What can we do to get a slot in BWST3?". We are Anna. We don't accept bribes :-)

As you notice, this experience report comes very late. Some of you must know that Moolyavans have been very busy with many exciting things at Moolya. By the way, we must confess we are loving every single moment of being busy. Pradeep kept delaying posting it despite repeated reminders from Santhosh Tuppad and me. I just broke the tradition and decided to post the experience report on my blog. Feels very good, you know why :-).

The D-day finally arrived. It started with participants coming in, registering and receiving Moolya T-shirts. Common friends started chatting up, first time participants started making new friends.

Rahul Verma was the facilitator. We were glad Rahul accepted to facilitate, as we have seen him facilitate many discussions, formal and informal, on several occasions. He started the day with a welcome note and briefed the audience about K-cards and the rules for using them.

Theme : Personal Excellence and Skill Development

Anuj Magazine was the first presenter. He started with a sponge ball trick. He popped a sponge ball in one hand and tossed it around. As it changed hands, the sponge ball multiplied into two. The audience slid into a tizzy. He started speaking about his foremost influence towards personal excellence and skill development... and that was reading. He went on to say, "Just reading is powerless. One needs to absorb what's in there and act on it". He quoted from many books which influenced him early on in life.

Anuj highlighted how we could manage disappointments in life using a 24-hour rule: cry, crib and feel sad, but move on after 24 hrs. Another thing he mentioned was identifying the difference between commitment and interest. "Are you committed or plain interested?", he asked, as he shook the audience a bit. He also emphasized how self-discipline and prioritization help achieve personal excellence.

Throughout the session Anuj spoke about his journey towards personal excellence. It appeared as though everyone could kick-start a journey with what they have at the moment, which is true by the way. Towards the end, he appeared to ask, “Do you have it in you to get started, to initiate, to ask for a slap in the face?”. He concluded the session by saying,

The idea of Personal excellence goes beyond self

We had about 45 minutes for Q & A. There were many questions floating around on how one can read more books, what the challenges are in asking for a slap in the face, and many more. Many veterans in the room shared their experience with regard to personal excellence and skill development. An engaging session indeed.

Tea Break.

Next in the presenters' line was Sudip Naha, Program Director, Testing, at Mindtree. His presentation was titled "My problems, someone else's solutions". Sounded interesting. He started with the theory of contradiction: "When you want to punish, appreciate it. It could change the way things are done".

TRIZ principles remained the highlight of his presentation. This is a model borrowed from the manufacturing industry containing a matrix of problems and solutions. If a particular problem exists, there is already someone somewhere who has faced and solved a similar problem. TRIZ suggests checking whether an already existing solution can solve the current problem at hand. It's about using existing solutions to solve problems instead of re-inventing the wheel by looking for new solutions. Many in the audience argued that this must have worked for the manufacturing domain but fails in IT. He quoted examples from his own team where it worked wonders on multiple projects.

As expected, there was a flurry of activity in the hall after Sudip's session. Many concerns were raised regarding adopting TRIZ in the software industry. Meeta Prakash politely disagreed with Sudip, arguing that these ideas would de-motivate testers further. To this, Sudip replied that these are just ideas that have worked for his team and a few others in his organization. He also emphasized that there could be teams where it works exceptionally well and teams where it might not work at all. It all depends on how people in the team perceive and implement it. On a side note, Sudip's session reminded us of the book "Are Your Lights On?" by Gerald M. Weinberg. The session drilled down to one thing:

My solution may not be the best solution to your problem.

Lunch time.

Post lunch, Deepak from Chennai presented on "Testing Seed". This session was about how Deepak and his friend Santhosh figured out different challenges in testing early on in their careers and how they overcame those challenges.

Deepak highlighted the importance of conscious learning. As he and Santhosh faced resistance to the improvement suggestions they made in their day job, it became clear that they had to learn about a lot of other things that make the organization tick and provide complete information, especially to senior management. This helped them come up with the idea of live demonstrations, where they actually demonstrated their explorations to the teams from time to time. This instilled confidence in senior management that things can be done differently and for the better.

Often in life, each of us encounters challenges that we don't know how to face and overcome. Only the tough get going under such circumstances. I was amazed by the sheer hard work and enthusiasm that Deepak and Santhosh had put in to fight many hurdles in their team. Kudos to both of them.

Tea Break.

Lightning Talks
Over the years, we have noticed that many folks who have attended BWST have been working wonderfully well on their skill sets and putting their organizations ahead of themselves by delivering better than what is expected of them. This is of utmost pride for us and something that brings utmost satisfaction. After all, peer workshops are meant for just that – Empowering People.

How did BWST 3 go this time?
This time around, we wanted to provide more time for discussions after each presentation. This worked really well. Many people were happy with the time allocated for questions. There was enough time not just for questions, but also for getting inputs/suggestions from experienced testers and managers who threw light upon different aspects of personal excellence and skill development.

We intentionally provided lengthy tea breaks so the participants from different organizations could chat up with others, discuss testing and challenges they face in day to day life.

We had a good mix of fresh grads turned testers, experienced testers and managers in BWST3. This resulted in different perspectives on many topics discussed during the day. There are many times in life when we feel victimized. Having a few folks who can empathise with us and set a direction will always help. This is where Meeta Prakash, Rahul Verma, Rahul Mirakhur, Natarajan, Sudip, Anuj Magazine and many others' presence helped.

Rahul Mirakhur was very happy with how BWST3 was organized and arrangements were made this time around. Now, that's a huge compliment. From our side, we had a gala time setting up the whole event and we were happy that every participant went back home satisfied for a day truly well spent!

Party time!
We got clicked. One of the hotel staff was kind enough to take a group picture. Many kept saying, "click a few more" to ensure they looked their unusual best :-)

What's a workshop without beer and snacks, huh? :-). We checked out of the hotel at 5.30 pm and went to a nearby pub to hang out for some more time. We spoke, ate, drank testing until we got tired and got back home safe.

Vote of Thanks
Special thanks to Rahul Verma for facilitation and to every participant at BWST3 who made this event successful. And if you wanna know who cut through this year's tough competition to be at BWST 3, here's the list:

Rahul Verma, Rahul Mirakhur, Meeta Prakash, Anuj Magazine, Smitha Maraliga, Natarajan Alagappan, Mohit Verma, Yeshwantrao (Madurai), Pawan Kumar, Manjunatha C, Ravisuriya, Nagaraj Adarsha, Sudip Naha, Santhosh (Chennai), Deepak (Chennai), Vithya J, Korauhanba Singh, Pradeep Soundararajan, Parimala Shankaraiah, Santhosh Tuppad, Sunil Kumar, Dhanasekar S, Sreenuraj Varma.

What's next?
Get ready for next year's BWST :)

Regards,
Parimala
(On behalf of BWST team)

28 August, 2011

Public speaking continued...

This post is continued from my previous post. I dislike calling this part II and previous one as part I because every time I do that, I fail to write part II. Writing jinx.

In the book Linchpin, Seth Godin says the following:
It turns out that the three biological factors that drive job performance and innovation are social intelligence, fear response, and perception. Public speaking brings all three together. Speaking to a group requires social intelligence. We need to be able to make an emotional connection with people, talk about what they are interested in, and persuade them. That's difficult, and we're not wired for this as well as we are wired to, say, eat fried foods.

Public speaking also triggers huge fear responses. We're surrounded by strangers or people of power, all of whom might harm us. Attention is focused on us, and attention (according to our biology) equals danger.

Last, and more subtly, speaking involves perception. It exposes how we see things, both the thing we are talking about and the response of the people in the room. Exposing that perception is frightening.
The above paragraph speaks for itself. I hope I don't have to elaborate. Seth Godin's simplicity in writing amazes me.

Content
With the advent of the internet, there is no dearth of content if one intends to speak. However, speaking of one's own experiences has more of a human touch to it than copying something point by point and puking it in front of the audience. Learning in depth is not enough; one has to experience it before speaking highly of it. To paraphrase Rahul Verma, "Don't follow your guru's ideas blindly. Make them your own or discard them as need be. Experience ideas before professing them to others."

Speaking style
Everyone's speaking style differs. I speak very fast. I speak very loudly. I don't smile enough as I talk about stuff that I am damn serious about. Some people are slow. A few others maintain a balance between the good and bad aspects of their speaking skills. One can change one's style by practice. Rehearsing talks and talking amidst friends or colleagues who provide feedback are some small steps that could help.

Thought process
We would have prepared with a certain thought process in mind. We would have a list of topics we want to deliver. One single question can doom this whole process. Your thoughts are no longer yours. Someone hijacks them and, before you realize it, your talk will be over. My friend Netra suggests I try meditation. I annoyed her by saying, "I'm too restless to meditate". Slowing down while talking helps. Being conscious of where we left the topic as we answer a question helps. Of late, I have seen this work for me as I deliver lectures.

Evoking
Evoking serious thoughts through humor or satire helps convey serious messages in a funny way. I have seen a few speakers do this exceptionally well. This is where listening to more and more good speakers helps. One may start by imitating one's favorite speakers, but eventually develop one's own style.

Your style a.k.a Originality
If we have known the speaker closely, we can tell if he is original or not. By original, I mean being one's own true self. Seasoned speakers might appear to have their own style that works. However, they must have started from somewhere: by listening to some of the better speakers around and by working on their own style. It's hard to be original and still be a good speaker, I guess. Still thinking on these lines...

These are just a few highlights of what I think goes into good public speaking. It's a post written consciously to tell myself that I need to focus on these as I pursue serious speaking opportunities. If this helps any upcoming speakers, that will make me happy too.

Regards,
Parimala Shankaraiah