The intimidation and power projected by the Lion's feet .

Had an eerie feeling in our minds

It was indeed a strange feeling to be caught in. Now, nearly 30 years later, when we think back about it, we are left to ponder, ‘Did Kashyappa and his Engineers pull off one of the best

Psychological Warfare Tactic

in Sri Lankan history, which continues to intimidate visitors to this day?

Sigiriya: Origins

Once upon a time, in the land of Sri Lanka, there lived a king named Dhatusena. The king was quite the player, with many wives and sons. As he aged, he wanted to hand over the throne to his rightful heir, Moggallana, the son from his royal consort.

All was going well and dull until another of the king’s sons, Kashyappa, from a non-royal consort, decided he wanted the throne for himself. He plotted a coup, colluding with the commander of the armed forces to dethrone Dhatusena.

The coup was hugely successful, and in the end, Dhatusena was walled up alive by Kashyappa. The rightful heir, Moggallana, fled to South India in fear for his life and to gain support and gather a resistance force to defeat and kill Kashyappa.

Sigiriya: The Masterpiece

If someone killed their own father and their half-brother is constantly plotting to avenge his death and claim the throne, naturally, that person would need extra defense around them 24/7. The solution? Build a masterpiece of architecture that is impossible for any enemy to penetrate.

Above is the best reconstruction of Sigiriya we could create based on descriptions from reference sources using generative AI. Now, it is time to delve into the defense-in-depth capabilities built around and within Sigiriya!

Sigiriya: Defense in Depth

Sigiriya is a prime example of defense in depth in ancient history. Let's examine these features in detail as we enter the premises.

Outer Rampart

The first thing we encounter when we enter is the outer rampart, a defensive wall providing the first line of defense. The outer rampart is a massive earthen structure, about 130 feet wide and nearly 6 miles long. Strangely, this wall was made of mud, according to scientists [5].

Outer Moat

Once we pass the outer rampart, we are greeted by the outer moat, which is about 175 feet wide and 13 feet deep.

Plain Green Field

Once we cross Outer Moat, we are greeted with plain field.

Middle Rampart

In the middle of the plain green field, we can see the middle rampart, an additional defensive barrier between the outer and inner moats. Scientists believe this was built with bricks.

Inner Moat

Once we cross the middle rampart and the plain area, we are greeted by the inner moat, another defensive water body about 80 feet wide and 14 feet deep. It is believed that Kashyappa had some crocodiles roaming the area to deter sightseers and coup plotters.

Inner Rampart

The final defensive wall protecting the inner area.

Water Gardens

These gardens served not only as aesthetic elements but also as obstacles for intruders, making movement difficult and enhancing the natural defenses.

Boulder Gardens

Natural rock formations and strategically placed boulders created physical barriers against attackers.

Terrace Gardens

Terraces made the terrain challenging to navigate, slowing down and exposing attackers.

Caves

These caves provided strategic vantage points and hiding spots, useful for surveillance and surprise attacks.

Mirror Wall

These defensive structures carved directly into the rock added difficulty and confusion for attackers.

Palace on the Summit

The summit palace, accessible only via a narrow staircase, was the final line of defense, providing a secure retreat for the king.

Sigiriya: The Uniqly Sri lankan Measures

Sigiriya employed several unique defensive measures which are not much found in other fortresses or castles around the world, those are

1. Camouflaged Fortress: The entire fortress blends seamlessly with the natural rock formation, making it difficult for attackers to identify and approach.

2. Mirror Wall: This polished surface was used to monitor approaching enemies through reflections, providing an early warning system.

3. Water Gardens with Hydraulic Systems: Beyond aesthetic appeal, these gardens included hidden canals and water traps that could be used to flood areas or hinder attackers.

4. Lion's Gate: The imposing entrance, flanked by giant lion paws, served as both a psychological deterrent and a defensive choke point.

5. Natural Rock Cisterns: Cut into the rock, these cisterns ensured a reliable water supply during sieges, maintaining the fortress’s resilience.

6. Symmetry and Asymmetry: The blend of both symmetry and asymmetry in Sigiriya's design not only contributed to its beauty but also its effectiveness as a defensive stronghold.

But was it enough?

For those wondering, did Kashyappa lived a blissful life in that secure pleasure palace built to withstand even the toughest invasion, The Answer is “Nope! He did not”

Despite Sigiriya's formidable defenses, it ultimately fell when Moggallana, leading a force from South India and allies, declared war on Kashyappa. In the final battle, Kashyappa's strategic maneuver on his battle elephant was misinterpreted as a retreat by his army, leading to their abandonment. Too proud to surrender, Kashyappa took his dagger, cut his throat, raised the dagger proudly, sheathed it, and fell dead.

Even the most impregnable fortresses can succumb to miscommunication and human error. What a wonderful lesson.

So in short it looks like!

Ayubowan!

References

[1] Sigiriya Wikipedia Article

[2] Sigiriya 1

[3] Sigiriya 2

[5] Sigiriya Map

Android is a well-designed, simple operating system created to be secure and easy to use. However, like any complex operating system, it naturally comes with features intended for usability that may put smartphones or tablets at serious risk of infection.

Today, we are going to look into a feature that is worth caution or could be regarded as the most dangerous of all. We will also explore practices we can follow to minimize the risks.

Accessibility

Accessibility is a powerful Android feature (Settings → Accessibility) originally designed for people with impairments. It enables them to interact with devices by:

• Control phone through voice commands

• Read screen through screen reading

It is important to note that for those with impairments, these features are not just a convenience but essential. However, the nature of Accessibility’s modus operandi violates the principle of strict isolation, i.e., an app can listen to and control everything going on within the Android operating system.

Non-Accessibility Apps

Several types of apps use accessibility services for purposes that extend beyond the original intention of aiding users with disabilities. These non-accessibility uses often involve enhancing functionality or providing convenience features. Here are some common app types that use accessibility services for non-accessibility purposes::

• Automation Apps

  • Ex : Automate, MacroDroid

• Password Managers

  • LastPass, 1Password

• Screen Capture & Recording Apps

  • DU Recorder

• Overlay & Floating Apps

  • Bubble Cloud Widgets

• Anti-Theft & Security Apps

  • Cerberus

Risks

As with any feature, Accessibility can be weaponized by malicious apps. These apps can request the above permissions under the guise of Accessibility and perform malicious activities such as

• Gathering your passwords

• Reading your OTP tokens

• Reading private/sensitive information

• So on , so forth..

In short, an application using Accessibility can see everything happening on the Android device’s screen. It also has the capability to perform any action on the user’s behalf.

Mitigation

Google has implemented several mitigation measures to enhance the security and privacy of Accessibility services on Android devices.

• Permission Transparency

  • User Consent : Apps must explicitly request permission to enable accessibility services

  • Permission Review : Users can review and manage accessibility permissions to apps

• Play Store Policies :

  • Strict Guidelines : Google Play Store enforces strict guidelines for apps requesting accessibility permissions. Developers need to provide valid justification for using these services. Apps that misuses these services will be removed from the store

What Can We Do ?

We can protect ourselves from the abuses of Accessibility feature by following these practices:

• Beware of apps requesting access to Accessibility features.

• Always install apps from official stores.

• Regularly review your Accessibility permissions.

Reviewing Accessibility Permissions

1. Go to “Settings —> Accessibility “ in your Android Phone.

2. Click “Installed Apps”.

3. Confirm permissions for the apps “On/Off” is as per to your intent.

References

[1] Android Most Dangerous Features

[2] Restricted Setting In Android 13 and 14

[3] Risk Of Accessibility Permission In Android Devices

[4] Google Removes Play Store Apps Misusing Accessibility Services

Ah, We always loved Robert Frost. Such a wonderful poet!

Anyway, as some of you might have guessed, today we are gonna ‘fish’ you with some interesting stories from the past to create some awareness about ‘phishing attacks’. let’s scribble it!

The Golden Deer : Ancient Phish

The Background

Once upon a time, long, long ago, there lived a charming prince named Ram. Due to a bit of royal trouble, he, his wife, Sita, and his brother found themselves taking a sabbatical in the deep forest.

While living in the forest, Ram had a bit of a beef with a mischievous villain named Ravana. Ravana was quite smitten with Sita! It got to a point where he wanted to kidnap her and take her back to his beautiful island called Lanka to show her off to his friends and Instagram followers.

As Ravana pondered the plan to kidnap Sita, his brother Maricha, who was skilled at 'Trick or Treat' casually approached him for a night out in the city. This sparked an innovative idea in Ravana’s mind. he asked!

“Hey Maricha! How about I pay you to pull a ‘Trick or Treat’ on Ram and his gang?”

Maricha, being the business magnet in the family replied!

"Sure, bro, if the pay is right, I'm in!"

The Ancient Phish

One sunny day, Ram, Sita, and Lakshman were strolling through the forest, digesting a hefty brunch. Maricha appeared in front of them disguised as a 'Dazzling Golden Deer.'

Sita was instantly smitten and mesmerized by the beauty of the golden deer. She exclaimed,

Hey Ram! I want to have that Deer , Can you get one for me dear ? please !

Ram, ever the devoted and sweet husband, sprinted off after the shiny deer.

Time ticked by from minutes to hours as Ram chased the elusive deer for his dear through the forest. Worried, Sita insisted that Lakshman check on Ram, in compliance to Sita’s request Lakshman also dashed off in search of his brother.

While alone, Sita was scooped up by Ravana, turning this forest tale into a full-blown rescue mission.

Sad!

Let’s jump time ships and fast ward to 2010,

Enter the Dear: Robin Sage

Thomas Ryan, a cool security researcher, decided to see whether smartest people in the world would be attracted to any ‘Golden Dear’. He whipped up a fake persona online, named her Robin Sage with a profile pic of an attractive lady. Claiming she was a top-tier cybersecurity analyst.

As Robin flicked her digital eyelashes across social networks, she had hundreds of bigshots from the military, spy circles, and Fortune 500 companies gobbling up to her virtual breadcrumbs of seduction. These top-tier players spilled secrets like they were swapping office gossip, completely mesmerized by her charming profile and knockout photo.

If you all want to learn more about this peek here.

Oh Dear ! The 25 Million $$ Phish

Welcome to 2024, and let’s open the scene in Asia, A finance worker at a multinational firm in Hong Kong was deceived into authorizing a $25 million payout to hackers who used Deepfake AI technology.

The worker was duped in to getting on a video call with familiar faces on the other end which made the worker believe that he was interacting with actual colleagues, but they were actually computer generated videos of co-workers.

We are going to stop our stories here and jump in to our ‘Phishing Awareness’ propaganda bandwagon AGAIN!, Let’s scribble on!

What is a ‘Phishing Attack’

A phishing attack is a scam in which someone impersonates a trusted entity, such as a deer, dear , bank, relative or friend, with the intention of deceiving you into divulging sensitive information, such as passwords or credit card numbers. This is typically done through E-mail, SMS, Call or fake websites.

Phishing : Where strengths become weakness

In all of these stories above ,attackers preyed on several human traits to pull these heists off , those are;

• Curiosity.

• Urgency.

• Obligation.

• Commitment.

• Love.

• Empathy.

• Fear.

• Duty.

How to spot a phish ?

• A message preying on human traits mentioned above.

• Inducing an urgent reaction.

• Comes with a ‘Call to Action’ such as.

  • Click a link.

  • Call.

  • Reply.

Channels of phishing !

• SMS.

• E-Mail.

• Instant Messengers ( Facebook Messenger, WhatsApp messenger etc. ).

• Phone Calls.

• Video Calls .

I got phished! What should I do ?

• Change your passwords.

• Report the incident.

• Monitor your accounts.

• Do a virus scan on your PC / mobile.

Most importantly ‘Keep Calm and Act Vigilant’.

References

[1] 25 Million Dollar Phishing Attack

[2] Robin Sage

[3] Phishing Attacks

Good day Everyone! It's time for another round of mythological scribble. Today, we're diving into a tale to understand how our ancestors programmed our subconscious minds with apex-secret defense wisdom.

You see, a wise woman once blurted out that humanity’s march toward progress—and beyond!—kicked off with,

spun for us through the ages. MAY be that’s why we call them folklores then. Buckle up, it's story time!

Jason and the Quest for the Golden Fleece

Once upon a time in ancient Greece, there was a young boy named Jason who faced a rather tricky family issue. His uncle Pelias had cunningly grabbed the throne from Jason’s father.

One fine day, Jason approached his uncle Pelias and said,

"Hey uncle , I need my throne back! What do you think?”

But Uncle Pelias, who is always in the lead even on his day off, proposed a seemingly impossible challenge. He was like,

“Sure, buddy, you can be king—just as soon as you fetch me the Golden Fleece. I need it for my retirement. I’m sure it’s no big deal for a hero like you.”

Jason, who has been ONLY binging “One Piece” on Netflix till that day accepted the challenge and gathered a team of warriors. Together, they set sail to grab the “Golden Fleece” in a ship called Argo.

We can hear your mind voice going ,

“Didn’t Jason just copy one piece plot?”.

We don’t blame him, remember “Never reinvent the wheel” if a plan works, stick to it until it doesn’t work. Ahem Ahem!

Now let’s move to the important part of this story.

Defense in Depth

After setting sail and hitting up some online forums for some quick tips, Jason quickly realized that snagging the Golden Fleece wasn’t going to be a walk in the park. Apparently, some overly cautious “Security Architect” had gone all out with the home security system in Colchis[ the place where the “Golden Fleece” was kept].

Here’s what our poor hero Jason was up against:

• Location: The Golden Fleece was stashed in Colchis, a land as unwelcoming as Skull Island. It featured dangerous seas and creatures not there to make friends, or had accounts on Instagram. Moreover, the locals certainly didn’t wave hello or accept any friend requests on Facebook.

• Physical Defenses: The Security Architect also had hired a dragon, not the sleepy kind that might ignore a sneaky hero. No, this dragon loved its job, curling around the tree holding the fleece like it was the latest dragon yoga trend.

• Magical Protection: As if a hyperactive dragon wasn’t enough, The Security Architect threw in some magic spells and enchantments. Basically, the fleece was wrapped up tighter than a top-level government secret with clearance level APEX-SECRET.

As you see, it is clearly evident that Jason had to break multitude of difficulties to get to the Prize “Golden Fleece”, this is called “Defense in depth”

What is “Defense in Depth” , A Technical Take?

Defense in depth is a strategy that leverages multiple security measures to protect an organization's assets

For example, in securing a typical asset our modern day “Security Professionals” employ mix of several strategies, Some of them are

• Physical Security : Fence , Cameras, Security Guards

• Perimeter Security : Firewalls, Intrusion Detection Systems

• Endpoint Protection : Virus Scanners , Anti-Virus softwares

• Access Controls : Ex : You got to have password / username to login to your office computer

Cool, Pretty much this is what “Defense in Depth” is about

If anyone wondering what happened to “Jason” ?

Turns out, Jason, armed with nothing but his wits and a bunch of online how to guides, managed to crack through all those defenses and snatch up the Golden Fleece. Along the way, he even managed to snag himself a girl and lived happily ever after, He is posting his epic moments on Instagram for all the world to envy!

So, next time you're gazing up at the stars, give a little wave to our ancestors and their sneaky story telling skills. Who knew those bedtime stories would come in handy for us in our modern age?

What's does throwing a rave party at your neighbor's house and deed forgery have in common?

Every threat modelling consists 5 step process , We are going to explain them in the “Baking the Cake” analogy

1. Scoping the work : Planning cake size.

2. Determining threats : Spotting sneaky dangers on our cake making, detective-style

3. Defining controls : Layering protective measures.

4. Assessing your controls : Checking for readiness

5. Monitoring : Keeping a watch, baker-style.

Today out of all days we are going to be using STRIDE methodology to protect our humble House. Get ready for a systematic safari through the jungle of potential hazards lurking in every nook and cranny to harm our house!

What is STRIDE ?

Imagine STRIDE like a magnifying glass for cybersecurity. It helps us spot and understand different types of threats lurking in the jungle. Each letter in STRIDE stands for a different kind of threat: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. It's like having a cheat sheet to protect yourself from all sorts of cyber shenanigans!

Spoofing

Spoofing is like a sneaky disguise. It's when someone pretends to be something they're not. For our house we have identified following threats for spoofing,

• Putting a “For Sale” sign in front of the house without owner’s consent

• Pretending to be the owner of the house and using a fake key to gain access

Tampering

Tampering is like sneaking into a puzzle box and rearranging the pieces, messing with the original design or function. For our house we have identified following threats in this category,

• Someone entering the house and rearranging all the furniture when no one is looking

• Swapping the pictures on walls with theif’s own pictures

• Swapping Sugar label with Salt label ( ouch )

Repudiation

Repudiation is like eating the last cookie and denying you ever touched the cookie jar. For our house we have identified following threats in this category,

• Unauthorized lease agreement without the consent of the owner

Information Disclosure

"Information Disclosure" is like spilling the tea on Taylor Swift's latest gossip to the entire neighborhood. For our house we have identified following threats in this category,

• Disclosing house floor plans and lock keys

• Disclosing personal information of house inhabitants

Denial of Service

Denial of Service is like your mom changing the Wi-Fi password just as you're about to binge-watch your favorite show. For our house we have identified following threats in this category

• Triggering power grid overload by malicious actor

• Earthquake and Cyclones destroying the house

Escalation of Privileges

Escalation of privileges is like your daughter sneaking her report card into your stack of signed documents, hoping you won't notice. For our house we have identified following threats

• A neighbors teenager hosting a rave house party for friends

• Forgery of property deed and transferring ownership to a third party

Ranking /rating threats

Now that we've got a handle on the threats lurking around, it's time to size them up in terms of risk. To make life easier, we're going to use a qualitative risk model, taking into account the following factors

Impact

• The damage potential

• Breadth of the damage

Possibility/Likelihood

• How often would this threat occur ?

Ease of Exploitation

• How easy is it to discover it ?

• How easy it is to exploit once discovered ?

• Is it possible to reproduce by everyone ?

Now, let’s break down our identified threats for Impact, Likelihood, and Ease of Exploitation. I've compiled them neatly into a table below. Feel free to zoom in if needed for better clarity.

Now that we've categorized Impact, Likelihood of Occurrence, and Ease of Exploitation into three levels each (Low, Medium, High), let's assign numerical values accordingly: Low = 1, Medium = 2, High = 3.

Next, we'll assign weights to these factors based on their significance. For instance

• Impact: 40%

• Likelihood of Occurrence: 40%

• Ease of Exploitation: 20%

Formula to calculate the threat score we can define as bellow for our purpose

Using the provided weights and numerical values, you'll compute the total threat score for each threat by inputting the values for Impact, Likelihood of Occurrence, and Ease of Exploitation.

For instance, let's take the scenario of "Earthquake and Cyclones destroying the house," where Impact is High, Likelihood of Occurrence is Low, and Ease of Exploitation is Low. Using the assigned values/weights, the calculation would be

Score =(3×0.4)+(1×0.4)+(1×0.2) = 1.8

By this, we can systematically assess and prioritize threats. This approach enables us to focus our resources on mitigating the most critical risks, thereby enhancing the overall security and resilience of our systems and of course Houses

Did you catch that? Turns out, throwing an illegal rave party next door and forging a lease have the same threat value as per to our analysis above.