Tuesday, September 8, 2015

Creating your own portfolio in ServiceNow platform

This blog post is more of a rough guide than a full, comprehensive tutorial on creating your own portfolio on the ServiceNow platform.

I tried to create something in a short span of time last weekend. You can check it out here!

Find out a template


The very first thing to do is to find a template or design for your portfolio. You can start from scratch, but that would waste a lot of time. So surf the internet; Google will prove to be your best friend. I found my design here. There are a lot of sites out there, like Dribbble. You can also search for SPA (Single Page Application) websites.




Create a UI Page


Download the template and open its HTML file in an editor. Copy the whole code and paste it into a new UI Page, between the jelly tags. When you try to save the UI Page you'll see a lot of errors. Most of them are caused by tags that are never closed: a UI Page is a Jelly template, which must be well-formed XML, so every element needs a closing tag. Try to resolve them.

Include CSS files using Style Sheets


Yes, you need to bring each CSS file into the platform. Go to Content Management >> Style Sheets and copy each CSS file from the downloaded template into a new Style Sheet record.


Now go to your UI Page and find all the <link> tags. For example, suppose a tag looks like this:

 <link rel="stylesheet" type="text/css" href="./test_site_files/animate.css">

Change the href attribute as:

<link rel="stylesheet" type="text/css" href="<sys_id_of_animate_css>.cssdbx"></link>

Here, <sys_id_of_animate_css> is the sys_id of animate.css in the Style Sheets table.


Including JS files using UI Scripts


Now you need to copy each JS file into a UI Script. Give it the same name as the file in the downloaded template, but without the .js extension.


Now go to the UI Page and change the <script> tags. For example:

<script async="" src="./test_site_files/analytics.js"></script>

is changed to:

<script async="" src="analytics.jsdbx"></script>

If you get errors while saving a minified JS file in the UI Script, you can unminify it with JSBeautifier and then try to resolve the errors.
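As an added example (not code from the post), here is a small Node.js script that does the tag rewriting of the Style Sheets and UI Scripts sections above: it maps each local CSS file to the sys_id of its Style Sheet record and rewrites <link> hrefs to <sys_id>.cssdbx, and rewrites relative <script> srcs to <name>.jsdbx. External URLs (http://, https://, //) are left alone, and a CSS file with no known sys_id raises an error instead of silently producing a page without its stylesheet. The sys_id values and the sample <head> snippet are constructed.

```javascript
// Added example, not part of the original post: rewrite a downloaded
// template's <link> and <script> tags so they reference ServiceNow
// Style Sheets (.cssdbx) and UI Scripts (.jsdbx). Runs in plain Node.js.

// Local CSS filename -> sys_id of the Style Sheet record.
// These sys_id values are constructed placeholders, not real records.
const STYLE_SHEET_SYS_IDS = {
  "animate.css": "0123456789abcdef0123456789abcdef",
  "style.css": "fedcba9876543210fedcba9876543210",
};

// Constructed snippet standing in for the template's <head>.
const SAMPLE_TEMPLATE = `
<link rel="stylesheet" type="text/css" href="./test_site_files/animate.css">
<link rel="stylesheet" href="./test_site_files/style.css" />
<link rel="stylesheet" href="https://fonts.example.com/css?family=Roboto">
<script async="" src="./test_site_files/analytics.js"></script>
<script src="//cdn.example.com/jquery.min.js"></script>
`;

// true for http://, https://, data: and protocol-relative (//) URLs
function isExternal(url) {
  return /^(?:[a-z][a-z0-9+.-]*:|\/\/)/i.test(url);
}

// "./test_site_files/animate.css?v=2" -> "animate.css"
function baseName(url) {
  return url.split("?")[0].split("#")[0].split("/").pop();
}

// <link ... href="./x/animate.css">  ->  <link ... href="<sys_id>.cssdbx"></link>
// Jelly is XML, so the rewritten tag always gets an explicit closing tag.
function rewriteLinkTags(html, sysIds) {
  const LINK_RE = /<link\b([^>]*?)\shref="([^"]+)"([^>]*?)\s*\/?>(?:<\/link>)?/g;
  return html.replace(LINK_RE, (tag, before, href, after) => {
    if (isExternal(href)) return tag;
    const file = baseName(href);
    if (!file.endsWith(".css")) return tag;
    const sysId = sysIds[file];
    if (!sysId) {
      // Fail loudly rather than ship a page that silently loses a stylesheet.
      throw new Error(`No Style Sheet record known for ${file}`);
    }
    return `<link${before} href="${sysId}.cssdbx"${after}></link>`;
  });
}

// <script ... src="./x/analytics.js">  ->  <script ... src="analytics.jsdbx">
// The UI Script must be named "analytics" (no .js extension), as the post says.
function rewriteScriptTags(html) {
  const SRC_RE = /<script\b([^>]*?)\ssrc="([^"]+)"/g;
  return html.replace(SRC_RE, (tag, before, src) => {
    if (isExternal(src)) return tag;
    const file = baseName(src);
    if (!file.endsWith(".js")) return tag;
    const uiScriptName = file.slice(0, -".js".length);
    return `<script${before} src="${uiScriptName}.jsdbx"`;
  });
}

function rewriteTemplate(html, sysIds) {
  return rewriteScriptTags(rewriteLinkTags(html, sysIds));
}

// Print the rewritten snippet, ready to paste between the jelly tags.
console.log(rewriteTemplate(SAMPLE_TEMPLATE, STYLE_SHEET_SYS_IDS));
```

Run it with node and paste the output into the UI Page; fill STYLE_SHEET_SYS_IDS from the sys_id column of your own Style Sheet records first.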

Adding Images


I added icons for Twitter, Facebook and Gmail using:

style="background: url(logo3.png) no-repeat 6px center;"

Here, logo3.png has been uploaded to the platform via System UI >> Images.


The logo icons look like this:


Removing Padding


To have your container occupy the whole window, you may need to add the following style to it:

style="padding-left: 0px;padding-right: 0px;"

Making UI Page public


Let the name of your UI Page be 'test_page'. To make this UI Page accessible to everyone without any login credentials, follow these steps:
  1. Go to “sys_public.do” from the navigation filter, enter “test_page” as the Page and click Submit.
  2. In a new incognito window, go to the URL <servicenow_instance>/test_page.do and it will work.

Using Particle-JS library


I used particles.js for the animation. Its syntax is:

<div id="particles-js"></div>
<script>
particlesJS('particles-js', object);
</script>

So there is a call to the particlesJS() function whose first argument is the id of the div that will hold the animation. The second argument is a JavaScript object setting the parameters of the animation.

UI Page XML code


The code for the UI Page can be found here.

Some Suggestions


Use your local machine for debugging
If you are stuck on something, try to run the HTML code locally.

Use inspect element to resolve errors
You can also use the inspect element tool and the console of the Chrome browser to debug.

Issue of https and http
Replace occurrences of http in your UI Page, UI Scripts and Style Sheets with https.

Monday, January 5, 2015

Bypass the proxy server to open sites like TopCoder, IRCTC ticket booking etc.


This is intended for users having proxy issues while opening some sites and using Mac OS. Don't worry, the same method works for Windows as well :)


1) UltraSurf


1.1) Download UltraSurf here
1.2) Install UltraSurf and click "Option" button
       1.2.1) Go to Proxy Settings and enter the Proxy Host and Port manually. It's "10.3.100.207" and "8080" in the case of my institute, i.e. IIT Kharagpur
1.3) Click "Retry" button
1.4) Now change the System Proxy, Java Control Panel proxy and TopCoder Applet proxy to "127.0.0.1" and the port to "9666"
Note: Choose Connection: "HTTP Tunnel A" in the TopCoder Applet

2) Tor Browser Bundle 


2.1) Download Tor here. Note this is for 64-bit Mac OS. For other OSes, go here
2.2) Enter your proxy and port while installing Tor. It's "10.3.100.207" and "8080" in the case of my institute, i.e. IIT Kharagpur
2.3) After installation, go to "Preferences" > "Advanced" > "Network" > "Settings" and check whether the proxy is "127.0.0.1" and the port is "9150"
2.4) Now you can open any site from this Tor Browser





Saturday, March 22, 2014

Security Threats in Web : An Overview

Era of Online Social Networks 
Social networking websites such as Facebook, Twitter, Google+, LinkedIn, Qzone and MySpace have grown rapidly in the past few years and now have billions of users [1]. Most social network users share a large amount of their private information publicly in their social network space without careful consideration.
(Figure: Percentage of CMU profiles revealing various types of personal information)

Once the hacker has this information, he is free to engage in phishing, identity hijacking, spamming, malware distribution and many other forms of social attack. Moreover, social network users tend to have a high level of trust toward other social network users: they accept friend requests easily and trust items that friends send them. To make matters worse, information often travels through several hops of "friends", and by the idea of six degrees of separation it seems unreasonable to assume we are far from the bad guys. Because of social networks' large population and information base, and their easy accessibility, social networking websites have become new targets that attract cyber criminals. Most of us don't bother to configure the privacy settings provided by the social network vendors.
Social Phishing
In a phishing attack, attackers set up a fake website (e.g. a bank's) that looks authentic to lure victims into providing sensitive information such as passwords, financial information or identification numbers. Typically, attackers leverage the information available on social networks to create highly specific and personalized messages. These messages are then either sent through the network directly or used in network applications to target their victims.
Possible remedies:
1) Browser plug-ins
  • [2] presents a plug-in that identifies many of the known tricks phishers use to make a page resemble that of a legitimate site.
  • Earthlink's Scamblocker [3] toolbar maintains a blacklist and alerts users when they visit known phishing sites; however, this requires an accurate and dynamic blacklist.
  • Trustbar [4] by Herzberg and Gbara is a plug-in for Firefox that reserves screen real estate in the browser to authenticate both the site visited and its certificate authority.
  • Dhamija and Tygar [5] propose a method that enables a web server to authenticate itself in a way that is easy for users to verify and hard for attackers to spoof.

2) Services like PhishTank[6] and BlueCoat [7] provide network and application level blacklisting.

3) Use of strong password management systems as described in [8].
Identity Thefts
Identity theft is the act of stealing someone's identity or sensitive information and then pretending to be that person, or using that identity in a malicious way. Existing-profile cloning and cross-site profile cloning are two common ways of hijacking accounts. The attack described in [9] provides ample evidence of identity theft.
Solutions like VeriSign's Personal Identity Portal (PIP) [10] and OpenID [11] can be adopted.
  • PIP can be configured to perform two-factor authentication, and OpenID provides a central location for high-grade logon credentials. A malicious user would be forced to obtain not only the password but the key fob (often a cell phone) as well. A commercial entity like VeriSign can provide quick and deterministic action in the event of an account theft.
  • OpenID would be a great way for users to cut off unauthorized access to all affected accounts.
Spam
In social networks, spam comes in the form of wall posts, news feed items and messages. These contain ads and hyperlinks that may lead to phishing or malware sites and may spread to friends' wall posts. Social networks also fuel e-mail spam, since attackers can now retrieve large numbers of valid e-mail addresses from them. Attackers can also create context-aware e-mail spam using information from user profiles. For example, if attackers know that A is B's friend, an attacker can send a fraudulent e-mail saying that A posted something on B's wall, and provide a fake link for B to follow to see that post. Another case: if attackers also know B's birthday, they can send B a fake online birthday card claiming it was sent by A.

According to [12], 8% of 25 million URLs posted to Twitter point to phishing, malware and scams, while out of 200 million tweets from the stream, over three million were identified as spam. Of the spam links that generate any traffic, 50% of the URLs receive fewer than 10 clicks, as shown, while the top 10% of URLs account for 85% of the 1.6 million clicks.

Possible solutions:
  • To automatically identify spam, blacklists can be used to flag known spam URLs and domains. [12] used three blacklists: Google Safebrowsing, URIBL and Joewein.
  • [13] and [14] show the use of machine learning techniques to detect OSN spam.
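As an added example (not code from [12] or from this post), the following Node.js snippet shows the blacklist approach above applied to a few posts: URLs are extracted from each post and their host, or any parent domain of it, is looked up in a domain blacklist. Matching is done label by label so that an entry like "phish.example" catches "login.phish.example" but not the unrelated "notphish.example". The posts and blacklist entries are constructed and use reserved example names, not real spam hosts.

```javascript
// Added example, not from the cited work: flag posts whose URLs point at
// blacklisted domains. Blacklist and posts below are constructed.

const BLACKLIST = new Set(["spam-example.test", "phish.example"]);

const SAMPLE_POSTS = [
  { id: 1, text: "Check out my new photos https://example.org/photos" },
  { id: 2, text: "Your account will be closed! verify at http://login.phish.example/verify now" },
  { id: 3, text: "free gift cards -> http://notphish.example/ and http://win.spam-example.test/x?u=42" },
  { id: 4, text: "no links here" },
];

// Pull http(s) URLs out of free text.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s<>"')]+/gi) || [];
}

// A host is blacklisted if it, or any parent domain of it, is listed.
// Labels are compared whole, never as substrings, so "notphish.example"
// does not match the entry "phish.example".
function isBlacklisted(url, blacklist) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase().replace(/\.$/, "");
  } catch (e) {
    return false; // unparsable URL: leave it to other checks
  }
  const labels = host.split(".");
  // Stop before the bare TLD so a listing of "example" alone never matches.
  for (let i = 0; i < labels.length - 1; i++) {
    if (blacklist.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Return the posts that carry at least one blacklisted URL, with the URLs.
function flagPosts(posts, blacklist) {
  const flagged = [];
  for (const post of posts) {
    const bad = extractUrls(post.text).filter((u) => isBlacklisted(u, blacklist));
    if (bad.length > 0) flagged.push({ id: post.id, urls: bad });
  }
  return flagged;
}

console.log(flagPosts(SAMPLE_POSTS, BLACKLIST));
```

In practice the blacklist would be loaded from a feed such as those named in [12], and a post with a flagged URL would be held for review rather than deleted outright, since blacklists lag behind new spam domains.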
HTTP Session Hijacking

HTTP session hijacking on social networking sites is a man-in-the-middle attack that can be used to obtain context information from victims, as well as their friends' information, which is later used to generate context-aware spam.

First, attackers try to sniff the communication between the victim (A) and the social networking site, especially on sites without data encryption. Different network attacks can be used for this, for example ARP cache poisoning or DNS poisoning. Attackers then capture the HTTP headers that contain session cookies, since many websites use cookie-based authentication. After that, attackers can copy the HTTP session and use it to access the victim's profile and personal information. Furthermore, attackers can use the victim's profile to retrieve the victim's friends' (B, C, D) information, such as e-mail addresses, and then use this information to generate context-aware spam.
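The attack above works because the session cookie travels over an unencrypted connection and is readable by anyone on the path. As an added example (not from the post), the Node.js snippet below audits Set-Cookie headers for the attributes that blunt this: Secure (cookie is only sent over HTTPS, so it cannot be sniffed from plain HTTP), HttpOnly (page scripts cannot read it) and SameSite (it is not attached to cross-site requests). Which cookies count as session cookies is decided by a name heuristic, an assumption of this example; the header lines are constructed.

```javascript
// Added example, not from the original post: audit Set-Cookie headers for
// the flags that protect a session cookie from being captured or replayed.

// Constructed header values, as a server might send them.
const SAMPLE_SET_COOKIE_HEADERS = [
  "sessionid=abc123; Path=/",                                 // weak
  "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax", // hardened
  "theme=dark; Path=/; Max-Age=31536000",                     // not a session cookie
];

// Heuristic (assumption of this example): cookie names that usually carry
// the authenticated session.
const SESSION_COOKIE_NAMES = /^(sessionid|phpsessid|jsessionid|sid|session)$/i;

// Parse "name=value; Attr; Attr=Val" into { name, value, attributes }.
// Attribute names are lower-cased; flag attributes get the value true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1); // value may itself contain '='
  const attributes = {};
  for (const a of attrs) {
    if (a === "") continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attributes };
}

// Report the missing protections for a session cookie.
function auditSessionCookie(header) {
  const cookie = parseSetCookie(header);
  const findings = [];
  if (!SESSION_COOKIE_NAMES.test(cookie.name)) {
    return { name: cookie.name, session: false, findings };
  }
  if (!cookie.attributes.secure) {
    findings.push("missing Secure: cookie is sent over plain HTTP and can be sniffed");
  }
  if (!cookie.attributes.httponly) {
    findings.push("missing HttpOnly: page scripts can read the cookie");
  }
  if (!cookie.attributes.samesite) {
    findings.push("missing SameSite: cookie is attached to cross-site requests");
  }
  return { name: cookie.name, session: true, findings };
}

function auditAll(headers) {
  return headers.map(auditSessionCookie);
}

console.log(JSON.stringify(auditAll(SAMPLE_SET_COOKIE_HEADERS), null, 2));
```

The same check can be run against the Set-Cookie headers a site actually returns (for example from the Network tab of the browser's developer tools) to see whether its session cookie would survive the sniffing described above; serving the whole site over HTTPS is what makes the Secure flag enforceable.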


Malware
A malicious link can redirect victims to malicious websites that then send malicious code to the victim's computer to steal information, or use the victim's computer to attack others. The details can be found in [15].

Possible solutions:
  • MyPageKeeper [16], which has over 15K subscribed users, continually scans the wall and news feed of every subscribed user to detect malicious posts and socware.
  • [17] reviews some anti-virus products for detecting and removing scams on Facebook.

Cryptographic Approach

Different approaches have been proposed for protecting users' privacy in OSNs; they can be compared on the following criteria:

1) Protection against breach of confidentiality by any third parties, i.e. OSN providers and non-friends are not able to access the user's data.

2) Relational confidentiality, i.e. nobody except the user is able to learn the details of the user's online social relationships defined in her OSN environment.

3) Fine-grained access control, i.e. the user is able to define access permissions over her friends.

5) Flexible access control, i.e. the user is able to define new access policies using combinations of friends and relations.

6) Dynamic access control, i.e. the user is able to add a friend to a relation or remove/revoke a friend from a relation.


In [18], a modified BE approach has been proposed which consists of three main steps:

1) The privacy settings customization step, which allows OSN users to have full control over their privacy settings and customize them freely. This ability does not rely on trusting the OSN providers.

2) The data sharing step, which facilitates the sharing of private data between OSN users and their friends. In this step, the user sets up the cryptographic key and shares encrypted data with the intended friends.

3) The data accessing step, which is used by the user's authorized friends to access the user's private shared data.

Security in Cloud Computing
In a public cloud, all applications and data accessed are susceptible to malicious attacks, which demands secure processing and storage of data via access control, authentication and encryption mechanisms. A private cloud, on the other hand, is more secure because its exposure is limited to the organization's own internal users.
  • The various security technologies currently deployed by cloud providers are :

  • Platforms like Tonido [19] provide private data sharing features.
  • [20] provides an architectural design for a secure cloud computing environment.

References:
2) N. Chou, R. Ledesma, Y. Teraguchi, D. Boneh, and J. Mitchell. Client-side defense against web-based identity theft. Proc. NDSS, 2004.
4) A. Herzberg and A. Gbara. Trustbar: Protecting (even naive) web users from spoofing and phishing attacks. 2004. http://eprint.iacr.org/2004/155.pdf.
5) R. Dhamija and J. D. Tygar. The battle against phishing: Dynamic security skins. Symp. on Usable Privacy and Security, 2005.
9) MarketingVOX. (2008, November). Watershed Ruling in MySpace Suicide Case May Criminalize Fake 'Net Personas'. Retrieved from http://www.marketingvox.com/watershed-ruling-in-myspace-suicidecase-may-criminalize-fake-net-personas-042175/
12) @spam: The Underground on 140 Characters or Less. Chris Grier, Kurt Thomas, Vern Paxson, and Michael Zhang. Proceedings of the ACM Conference on Computer and Communications Security, October 2010.
16) M. S. Rahman, T.-K. Huang, H. V. Madhyastha, and M. Faloutsos. Efficient and scalable socware detection in online social networks. In USENIX Security, 2012.