Thursday, December 27, 2012


CLICKJACKING COUNTERMEASURES




To defend against clickjacking in Firefox, install NoScript. This free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by sites you trust; all scripting is blocked by default. When you visit any website, you will find the NoScript options at the bottom of the window.



Fig 1: Options add-on

You have multiple options to choose from: you can block some scripts and allow others, allow the entire website to run, or block the website completely. For a trusted website, click the option and allow it; when you are visiting a website you are unsure about, be careful and let NoScript do the job.



Fig 2: Enable iframe

There are many other options as well, such as those for tracking sites and ad hosts. To defend against clickjacking, enable Forbid <IFRAME> in the NoScript options, and possibly apply these restrictions to trusted sites as well.


Fig 3: Clickjacking blocking alert

When Forbid <IFRAME> is enabled, NoScript blocks the clickjacking IFRAME.

Tuesday, December 25, 2012


CLICKJACKING TOOL



Introduced by Stone at Black Hat Europe in 2010, this tool visualizes clickjacking techniques in practice. It can be used to craft and replay various clickjacking techniques against web sites that have not yet implemented clickjacking protection. The tool has been tested in Firefox 3.6 and Internet Explorer 8.




Fig 1: Clickjacking Practice Tool

Online Clickjacking Sample Page


The link above leads to a live sample page. It is a simple example of clickjacking: it shows the top of a visible dummy page and the bottom of the transparent target page.



Fig 2: Clickjacking dummy page

User sees the top of a visible dummy page

Fig 3: Clickjacking Invisible page

Inside Clickjacking the invisible page

Tuesday, December 18, 2012


BASIC CLICKJACKING


A typical clickjacking attack uses two nested iframes to crop and position an element from a target website. The inner iframe contains the target page and must be large enough to display it in its entirety, such that the element on which the user will click is visible without scrolling. The outer iframe is much smaller and acts as a window onto the page loaded in the inner iframe. For a user interface redressing attack, the outer iframe should only be large enough to display the targeted element. You think you are clicking on the website you see, but you are really clicking on an invisible website that sits right under your mouse. Clickjacking affects many browsers and platforms.

Inner.html

    <iframe id="inner" src="http://www.google.com" width="2000" height="2000" scrolling="no" frameborder="none">
    </iframe>


Fig 1: Inner.html

Clickjacking.html

    <iframe id="inner" src="inner.html" width="2005" height="290" scrolling="no" frameborder="none"></iframe>
    <style type="text/css"><!--
    #inner { position: absolute; left: -1955px; top: -14px; }
    //--></style>

Trustedpage.html

    <h1>www.nds.rub.de</h1>
    <form action="http://www.nds.rub.de">
    <input type="submit" value="Go">
    </form>
    <iframe id="clickjacking" src="clickjacking.html" width="50" height="300" scrolling="no" frameborder="none">
    </iframe>
    <style type="text/css"><!--
    #clickjacking { position: absolute; left: 7px; top: 81px; opacity: 0.0 }
    //--></style>



Fig 2: Trustedpage.html

  1. “inner.html”: Frame “google.com” (2000x2000px)
  2. “clickjacking.html”: Shift the iframe with “src=inner.html” to the left
  3. “trustedPage.html”: Place a transparent iframe with “src=clickjacking.html” over the “Go” button
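
The nested-iframe construction above depends on the target page agreeing to be rendered inside a frame. The following is an added example, not code from the original post: a site owner's check of whether a response carries anti-framing headers. The header names (X-Frame-Options and the Content-Security-Policy frame-ancestors directive) are not mentioned in the post, and all sample header values are constructed.

```python
# Added example: classify a response's anti-framing (clickjacking) protection.
# Sample header sets are constructed for illustration, not captured traffic.

# frame-ancestors sources that effectively allow any site to frame the page
WILDCARD_SOURCES = {"*", "http:", "https:"}


def parse_frame_ancestors(csp_value):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # The first occurrence of a directive is the one that counts
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers):
    """Classify response headers as 'blocked', 'restricted' or 'frameable'.

    headers: dict of header name -> value. Returns (verdict, reason).
    """
    h = {name.lower(): value for name, value in headers.items()}

    # An enforced CSP frame-ancestors directive takes precedence over
    # X-Frame-Options in browsers that support it.
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if not ancestors or ancestors == ["'none'"]:
            return "blocked", "CSP frame-ancestors 'none'"
        if WILDCARD_SOURCES & set(ancestors):
            return "frameable", "CSP frame-ancestors allows any origin"
        return "restricted", "CSP frame-ancestors " + " ".join(ancestors)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked", "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return "restricted", "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete value: current browsers ignore it, so the page stays frameable
        return "frameable", "ALLOW-FROM is obsolete and ignored by current browsers"
    if xfo:
        return "frameable", "unrecognised X-Frame-Options value"
    return "frameable", "no anti-framing header"


# Constructed sample responses
SAMPLES = {
    "no protection": {"Content-Type": "text/html"},
    "legacy deny": {"X-Frame-Options": "DENY"},
    "same origin": {"x-frame-options": "sameorigin"},
    "obsolete allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp overrides xfo": {
        "Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
        "X-Frame-Options": "DENY",
    },
    "csp wildcard": {"Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        verdict, reason = framing_policy(headers)
        print(f"{label:22} {verdict:10} {reason}")
```

A page classified as "frameable" can be loaded as the inner page of the construction above; "blocked" and "restricted" pages are refused by the browser when framed from another origin.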


The number of Google search results for each term offers, in part, a comparison between three attacks.


 Table 1. Clickjacking vs. Browser Based Attack

 Attack                               Google Results   Years
 Cross-Site Scripting (XSS)           15,700,000       15
 Cross-Site Request Forgery (CSRF)    2,870,000        11
 Clickjacking                         1,200,000        3

The following chart (Fig 3) shows the clickjacking Google results.



Fig 3: Clickjacking growth chart

Saturday, December 15, 2012


Clickjacking



The Clickjacking attack was introduced by Robert Hansen and Jeremy Grossman in September 2008. This attack constructs a malicious web page to trick the user into performing unintended clicks that are advantageous for the attacker. It can be used to propagate worms, steal confidential information (passwords, cookies), send spam, delete personal mail, etc. It has attracted broad attention from the security industry and the web community. Most websites still have not implemented effective protection against Clickjacking.

This vulnerability exists across a variety of browsers and platforms. Clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as when the user clicks on a button that appears to perform another function. Clickjacking, also known as user interface redressing, is a malicious technique for tricking users into clicking a button or image that will run a hidden malicious script from another site. An attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the innocuous page. Thus an attacker hijacks the click to another website. That's why it is known as Clickjacking (Click+Hijacking). The possibilities for how clickjacking software could be abused are endless.

There are a number of things that have major Web sites and companies especially alarmed. In some cases, the user may be able to recognize this immediately; in other cases, the user may be totally unaware of what took place. First is the fact that the program can run on virtually any Web site without the Web site owner's knowledge or ability to stop it. Second, clickjacking can take the user to a mirror site while still making them believe they are on the Web site of the company, and mine personal information, which is often freely given. Third, no browser, except the very few that are not based on graphics, is immune from clickjacking software. In addition to stealing personal data, such as bank account information, credit card information and Social Security numbers, clickjacking can also install a number of software applications on a computer without the user's knowledge. This software could be harmful viruses, spyware or adware. The latter may not be extremely harmful in nature, but it often presents a big problem for computers. Browsers and Internet security software companies are working on a security patch that would help correct the situation. However, that may take some time.

Tuesday, December 11, 2012


Honeypots




In computer terminology, Honey Pot Systems are decoy servers or systems set up to gather information regarding an attacker or intruder into your system. It is important to remember that Honey Pots do not replace other traditional Internet security systems; they are an additional level or system. A honey pot is a computer system on the Internet that is expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems. (This includes the hacker, cracker, and script kiddie.) An attacker can use a honeypot to harm, attack, or infiltrate other systems or organizations. Honeypots are a highly flexible security tool that can be used in a variety of different deployments.


Honey Pots can be set up inside, outside or in the DMZ of a firewall design, or even in all of these locations, although they are most often deployed inside of a firewall for control purposes. In a sense, they are variants of standard Intrusion Detection Systems (IDS) but with more of a focus on information gathering and deception.

According to Webopedia.com, a honeypot that lures a hacker into a system has several main purposes: The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned. The hacker can be caught and stopped while trying to obtain root access to the system. By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.

Monday, December 3, 2012

Microsoft Attack Surface Analyzer


The Attack Surface Analyzer beta is a Microsoft verification tool now available for independent software vendors (ISVs) and IT professionals to highlight the changes in system state, runtime parameters and securable objects on the Windows operating system. This analysis helps developers, testers and IT professionals identify increases in the attack surface caused by installing applications on a machine.

The tool takes snapshots of an organization's system and compares ("diffing") these to identify changes. The tool does not analyze a system based on signatures or known vulnerabilities; instead, it looks for classes of security weaknesses as applications are installed on the Windows operating system.

The tool also gives an overview of changes to the system that Microsoft considers important to the security of the platform, and it highlights these changes in the attack surface report. The Microsoft Security Development Lifecycle (SDL) requires development teams to define a given product's default and maximum attack surface during the design phase to reduce the likelihood of exploitation wherever possible. Some of the checks performed by the tool include analysis of changed or newly added files, registry keys, services, Microsoft ActiveX controls, listening ports and other parameters that affect a computer's attack surface.

Read More : http://blogs.msdn.com/b/sdl/archive/2012/08/02/attack-surface-analyzer-1-0-released.aspx

Thursday, November 29, 2012

Penetration Testing




Penetration testing is the process of simulating attacks on a network and its systems at the request of the owner, senior management. Penetration testing uses a set of procedures and tools designed to test and possibly bypass the security controls of a system. Its goal is to measure an organization’s level of resistance to an attack and to uncover any weaknesses within the environment. Organizations need to determine the effectiveness of their security measures and not just trust the promises of the security vendors. A penetration test emulates the same methods attackers would use. Attackers can be clever, creative, and resourceful in their techniques, so penetration attacks should align with the newest hacking techniques along with strong foundational testing methods.

The type of penetration test that should be used depends on the organization, its security objectives, and the management’s goals. Some corporations perform periodic penetration tests on themselves using different types of tools, or they use scanning devices that continually examine the environment for new vulnerabilities in an automated fashion. Other corporations ask a third party to perform the vulnerability and penetration tests to provide a more objective view.

Penetration tests can evaluate web servers, DNS servers, router configurations, workstation vulnerabilities, access to sensitive information, remote dial-in access, open ports, and available services’ properties that a real attacker might use to compromise the company’s overall security. Some tests can be quite intrusive and disruptive. The timeframe for the tests should be agreed upon so productivity is not affected and personnel can bring systems back online if necessary.

The result of a penetration test is a report given to management that describes the vulnerabilities identified and the severity of those vulnerabilities, along with suggestions on how to deal with them properly. From there, it is up to management to determine how the vulnerabilities are actually dealt with and what countermeasures are implemented.



Saturday, November 24, 2012


Vulnerability Assessment 




A vulnerability assessment is designed to test your internal or external infrastructure against known vulnerabilities. A vulnerability assessment will also test an infrastructure against manufacturer known passwords and default configuration parameters. A vulnerability assessment is not rocket science and can be performed automatically. After all, a vulnerability assessment scan is largely automated from the beginning; it then reports back its findings in the form of a report, and that's it.

Linux is the primary tool for system hacking. All of the best scripts run on it, and developing new tools is easier than in Windows. The code also tends to be more compact. Since the network assessment process usually begins with automated or semi-automated vulnerability scans, and progresses to attempting to exploit weaknesses found by those scans, a product that does both, and integrates both results and reporting. We apply human logic in the context of business risks, and the results are more thorough and comprehensive than an automated scanning report.

A Vulnerability Analysis provides an overview of the flaws that exist on the system. Vulnerability Analysis is the process of identifying vulnerabilities on a network and quantifying the security vulnerabilities in a system. A Vulnerability Analysis works to improve security posture and develop a more mature, integrated security program. Commonly, a Vulnerability Assessment goes through the following phases: Information Gathering, Port Scanning, Enumeration, Threat Profiling & Risk Identification, Network Level Vulnerability Scanning, Application Level Vulnerability Scanning, Mitigation Strategies Creation, Report Generation, and Support.

Sunday, November 18, 2012


Types of VPN Protocols


A protocol is a set of standardized rules that determines error detection methods, data authentication, signaling and representation of data over a communications channel, the medium used for the transfer of data from the sender to the receiver. Its purpose is to ensure a reliable channel for the exchange of data. Virtual Private Network technology is heavily influenced by tunneling, which is the process of creating and maintaining logical network connections, or 'tunnels', over the public Internet.

Once we have decided to use a VPN service, we further have to decide which type of VPN protocol to use. There are a number of VPN protocols in use that secure the transport of data traffic over a public network infrastructure. The most used VPN protocols are: PPTP, L2TP, IPSec, SSL.

PPTP


Point-to-Point Tunneling Protocol (PPTP) is a networking protocol that is built on the Point-to-Point Protocol (PPP). PPTP is one of the most widely used VPN protocols because of its simple configuration and easy maintenance, and also because it is included with the Windows operating system. Its main function is to ensure that data from one VPN computer, or node, to another is transmitted securely. PPTP also supports VPN over public networks like the Internet. It was created by Microsoft in association with other technology companies. Compared to other methods, PPTP is faster, and it is also available for Linux and Mac users.

L2TP


L2TP (Layer 2 Tunneling Protocol) is another tunneling protocol that supports VPNs. This was developed as a joint effort between Microsoft and Cisco Systems. The Layer Two Forwarding protocol (L2F) is the Cisco Systems equivalent of the Microsoft-based PPTP protocol. In an attempt to improve on L2F, the best features of it and PPTP were combined to create a new standard called L2TP. Alongside providing data confidentiality as in PPTP, L2TP also provides data integrity, that is, protection of the data against modification while it travels from sender to receiver. It requires a digital certificate or a shared key for its implementation and is available as a built-in feature in Windows.

IPSec


IPSec (IP Security) can use either transport mode or tunneling to encrypt data traffic, such as L2TP data packets, in a VPN. The difference between the two modes is that transport mode encrypts only the message within the data packet (also known as the payload) while tunneling encrypts the entire data packet. IPSec is often referred to as a "security overlay" because of its use as a security layer for other protocols. IPSec can require expensive and time-consuming client installations.

SSL


Secure Sockets Layer (SSL) and Transport Layer Security (TLS) use cryptography to secure communications over the Internet. An SSL VPN is accessible via https through a web browser. The advantage of an SSL VPN is that it doesn't need any software installed, because it uses the web browser as the client application. Through SSL VPNs the user's access can be restricted to specific applications instead of allowing access to the whole network.

Saturday, November 17, 2012


What is VPN?


A Virtual Private Network (VPN) is a network technology that creates a secure network connection over a public network such as the Internet or a private network owned by a service provider. File sharing, video conferencing, network services, large corporations, educational institutions, and government agencies use VPN technology to enable remote users to securely connect to a private network. Using a VPN ensures security: anyone intercepting the encrypted data can't read it.

A dial-up or leased line connection creates a physical connection to a port on a remote access server on a private network. A virtual private network can be contrasted with an expensive system of owned or leased lines that can only be used by one organization. However, using dial-up or leased lines to provide network access is expensive when compared to the cost of providing network access using a VPN connection. The goal of a VPN is to provide the organization with the same capabilities, but at a much lower cost.

VPNs provide security through tunneling protocols and security procedures such as encryption. Tunneling protocols, by encrypting data at the sending end and decrypting it at the receiving end, send the data through a "tunnel" that cannot be "entered" by data that is not properly encrypted. An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses.


Saturday, November 10, 2012


HTTPS or HTTP over SSL


HTTPS (Hyper Text Transfer Protocol Secure or HTTP over SSL) is a secure way of using HTTP. HTTPS was developed by Netscape. HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the Web server. When a user connects to a website via HTTPS, the website encrypts the session with a digital certificate. HTTP provides almost no security features; it contains only basic Authentication mechanisms, and no support for privacy.  HTTPS allows secure ecommerce transactions, such as online banking. A user can know if they are connected to a secure website if the website URL begins with https:// instead of http://.  HTTPS and SSL support the use of X.509 digital certificates from the server so that, if necessary, a user can authenticate the sender. HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP.

HTTPS is the use of Secure Socket Layer (SSL) or Transport Layer Security (TLS) as a sub layer under regular HTTP application layering. The browser uses SSL or TLS when connecting to a secure part of a website indicated by an HTTPS URL. Suppose you visit an online shopping website. When you're ready to order, you will be given a Web page order form with a Uniform Resource Locator (URL) that starts with https://. When you click "Send" to send the page back to the online retailer, your browser's HTTPS layer will encrypt it. The acknowledgement you receive from the server will also travel in encrypted form, arrive with an https:// URL, and be decrypted for you by your browser's HTTPS sub layer. The use of HTTPS protects against eavesdropping and man-in-the-middle attacks.

Wednesday, November 7, 2012

Secure Hypertext Transfer Protocol



S-HTTP (Secure HTTP) is an extension to the Hypertext Transfer Protocol (HTTP) that allows the secure exchange of files on the World Wide Web. Each S-HTTP file is either encrypted, contains a digital certificate, or both. S-HTTP provides a wide variety of mechanisms to provide for confidentiality, authentication, and integrity. Separation of policy from mechanism was an explicit goal. The system is not tied to any particular cryptographic system, key infrastructure, or cryptographic format, but it does support the Rivest-Shamir-Adleman (RSA) public key infrastructure encryption system. S-HTTP is an alternative to another well-known security protocol, Secure Sockets Layer (SSL). A major difference is that S-HTTP allows the client to send a certificate to authenticate the user whereas, using SSL, only the server can be authenticated. S-HTTP is more likely to be used in situations where the server represents a bank and requires authentication from the user that is more secure than a user id and password.

S-HTTP is a superset of HTTP, which allows messages to be encapsulated in various ways. Encapsulations can include encryption, signing, or MAC based authentication. This encapsulation can be recursive, and a message can have several security transformations applied to it. S-HTTP also includes header definitions to provide key transfer, certificate transfer, and similar administrative functions. S-HTTP appears to be extremely flexible in what it will allow the programmer to do.

Sunday, November 4, 2012

Secure Sockets Layer



SSL is an acronym for Secure Sockets Layer, an encryption technology that was created by Netscape. SSL creates an encrypted connection between web servers and web browsers, allowing private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both ends of the transaction. SSL uses a cryptographic system that uses two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message. SSL is supported as part of the Microsoft and Netscape browsers and many web server products. Many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:. Typically an SSL Certificate will contain your domain name, your company name, your address, your city, your state and your country. It will also contain the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate. When a browser connects to a secure site it will retrieve the site's SSL Certificate and check that it has not expired, that it has been issued by a Certification Authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails any one of these checks, the browser will display a warning to the end user letting them know that the site is not secured by SSL.

Thursday, November 1, 2012


Identification and authentication Systems


Identification is the process by which the identity of a user is established, and authentication is the process by which a service confirms the claim of a user to use a specific identity by the use of credentials (usually a password or a certificate).

Identification


Identification is the process that enables recognition of a user described to an automated data processing system. This is generally done by the use of unique machine readable names. In human terms, client and merchant engage in mutual identification when they, for example, tell each other their names over the phone. With identification, one's identity is asserted and accepted without further proof. Apart from anonymity, where one's identity is not known at all, identification is the lowest form of recognition. Identification is a weak and generally unreliable way of relating an asserted name to an individual. This is because anyone knowing someone else's identity can claim to be that individual. But that is what identification is. This is why there is a way to prove one's identity with authentication.

Authentication


Authentication is "A positive identification, with a degree of certainty sufficient for permitting certain rights or privileges to the person or thing positively identified." In simpler terms, it is "The act of verifying the claimed identity of an individual, station or originator". In a human contact by phone, the client and merchant might recognize (authenticate) each other by their familiar voices. In the context of information systems, authentication is most often accepted with a user id or user name and a password or pass phrase. It is assumed that, while many individuals may know a person’s user id or user name, only the person associated with the user id or user name will know the password. When the person furnishes his or her user id and password, the system to which they are identifying themselves knows that this person is in fact who they claim to be.

Wednesday, October 31, 2012


IT Security: Threats and vulnerabilities

The risks associated with information security can be classified into two categories, threats and vulnerabilities. Threats refer to the actions of people and nature that endanger an organization's information assets and infrastructure. Vulnerabilities are the weaknesses in the assets and infrastructure that are at risk of unintended and unwanted events. Rather than being unrelated, threats and vulnerabilities are two sides of the same coin: threats are the potential actions that will follow the path of least resistance to the greatest vulnerabilities.

THREATS


A security threat is the wilful intention on someone’s part to inflict injury or damage to an individual’s or organization’s networks, computers, software or data. Threats come from people in the organization itself: employees, contractors and visitors. People outside the organization also threaten it. The types of injury or damage that could occur are practically limitless. A few examples include:

•  Sabotage of computer hardware or software
•  Theft and subsequent disclosure of proprietary or personally sensitive information
•  Attacks on information infrastructure to render it unavailable for legitimate uses
•  Development and release of a virus or worm intended to cause widespread damage.

VULNERABILITIES


A vulnerability is any weakness in computer or network hardware or software that makes it open to attack or damage. A vulnerability can be the result of an imperfection in design, implementation or configuration. While a vulnerability is generally thought of as an oversight, the existence of a vulnerability can be the result of a deliberate act. Some examples of vulnerabilities include:

•  A flaw in a software program that permits an intruder to cause the program to malfunction, generally with the intention of breaking into the system running the program
•  An operating system misconfiguration that permits an ordinary user to switch to privileged mode, which gives the user full administrative control over the system
•  A flaw in a business process that permits an employee to log in using a new employee's account by entering a well-known default/initial password
•  A recently installed system with default administrative passwords, permitting anyone with knowledge of the password to gain full access to the system
•  Servers in the enterprise that individuals set up on their own that lack anti-virus protection and security patches.

Tuesday, October 30, 2012

Different Types of Network Address Translation



Three basic types of NAT 

Static mapping 


The NAT device has a pool of public IP addresses configured. Each private address is statically mapped to a specific public address. So computer A always receives the public address x, computer B always receives the public address y, and so on. This is generally used for servers that need to keep the same public address at all times.

Dynamic mapping 


The NAT device has a pool of IP addresses, but instead of statically mapping a public address to a specific private address, it works on a first-come, first-served basis. So if A needs to communicate over the Internet, his system makes a request to the NAT server. The NAT server takes the first IP on the list and maps it to A's private address. The balancing act is to estimate how many computers will most likely need to communicate outside the internal network at one time. This estimate is the number of public addresses the company purchases, instead of purchasing one public address for each computer.

Port Address Translation


Port Address Translation (PAT) is an extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP addresses.

Most home networks use PAT. In such a scenario, the Internet Service Provider (ISP) assigns a single IP address to the home network's router. When Computer X logs on to the Internet, the router assigns the client a port number, which is appended to the internal IP address. This, in effect, gives Computer X a unique address. If Computer Z logs on to the Internet at the same time, the router assigns it the same local IP address with a different port number. Although both computers are sharing the same public IP address and accessing the Internet at the same time, the router knows exactly which computer to send specific packets to because each computer has a unique internal address.

Port Address Translation is also called porting, port overloading, port-level multiplexed NAT and single address NAT.
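
To make the port bookkeeping concrete, here is a simplified PAT translation table, added as an illustration and not taken from the original post or from any router's code. It models the mapping as (protocol, private IP, private port) to a port on the shared public IP; the class name PatRouter, the port pool and all addresses are constructed, and real devices also track remote endpoints and timeouts.

```python
import ipaddress

# The three private ranges commonly used on internal LANs
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True if ip falls inside one of the private ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


class PatRouter:
    """Hypothetical, simplified PAT device sharing one public IP address."""

    def __init__(self, public_ip, port_range=(49152, 65535)):
        self.public_ip = public_ip
        self._free_ports = iter(range(port_range[0], port_range[1] + 1))
        self._out = {}   # (proto, private_ip, private_port) -> public_port
        self._back = {}  # (proto, public_port) -> (private_ip, private_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet's source to (public_ip, public_port)."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private address")
        key = (proto, src_ip, src_port)
        if key not in self._out:
            try:
                public_port = next(self._free_ports)
            except StopIteration:
                raise RuntimeError("PAT port pool exhausted") from None
            self._out[key] = public_port
            self._back[(proto, public_port)] = (src_ip, src_port)
        return (self.public_ip, self._out[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a reply's destination back to the private host.

        Returns None when no mapping exists: unsolicited traffic from the
        Internet has nowhere to go and is dropped.
        """
        if dst_ip != self.public_ip:
            return None
        entry = self._back.get((proto, dst_port))
        if entry is None:
            return None
        return (src_ip, src_port, entry[0], entry[1])


if __name__ == "__main__":
    # Constructed scenario: two LAN hosts use the same source port at once
    router = PatRouter("203.0.113.10", port_range=(50000, 50010))
    x = router.outbound("tcp", "192.168.1.10", 51000, "198.51.100.7", 443)
    z = router.outbound("tcp", "192.168.1.11", 51000, "198.51.100.7", 443)
    print("Computer X leaves as", x[:2])
    print("Computer Z leaves as", z[:2])
    print("Reply to Z's port  ->",
          router.inbound("tcp", "198.51.100.7", 443, "203.0.113.10", z[1]))
    print("Unsolicited packet ->",
          router.inbound("tcp", "198.51.100.7", 443, "203.0.113.10", 50009))
```

The last lookup returning None is the side effect usually credited to NAT as a security benefit: a port with no table entry does not lead to any internal host.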

Monday, October 29, 2012


Network Address Translation Basics 


Definition: I have one address I would like to share with everyone.

IP addresses have become scarce (until the full adoption of IPv6) and expensive. So some smart people came up with network address translation (NAT), which enables a network that does not follow the internet's addressing scheme to communicate over the internet. Private IP addresses have been reserved for internal LAN address use. These addresses can be used within the boundaries of a company, but they cannot be used on the internet. NAT enables a company to use these private addresses and still be able to communicate transparently with computers on the internet.

Private IP address ranges

10.0.0.0—10.255.255.255                Class A networks

172.16.0.0—172.31.255.255             Class B networks

192.168.0.0—192.168.255.255        Class C networks

Many firewall vendors have implemented NAT in their products, and it has been found that NAT actually provides a great security benefit. When attackers want to hack a network, they first do what they can to learn all about the network and its topology, services, and addresses. Attackers cannot easily find out a company's address scheme and its topology when NAT is in place, because NAT acts as a security guard by standing in front of the network and hiding the true IP scheme.

Sunday, October 28, 2012

Network Address Translation (NAT)



The internet is expanding faster than anyone ever imagined. For a computer to communicate with other computers and web servers on the internet, it must have an IP address. An IP address is a unique 32-bit number that identifies the location of your computer on a network.

The total number of IP addresses is 4,294,967,296 unique addresses (2^32). The actual number of addresses is smaller, because these addresses are separated into classes and because some addresses are set aside for multicasting, testing or research purposes. With the explosion of the Internet and the increase in home networks and business networks, the number of available IP addresses is simply not enough.

As the amount of information and resources increases, it is becoming a requirement for even the smallest businesses and homes to connect to the Internet. The obvious solution is to redesign the address format to allow for more possible addresses. This is being developed (called IPv6), but will take several years to implement because it requires modification of the entire infrastructure of the Internet. This is where NAT comes to the rescue. Network Address Translation (NAT) is a method of connecting multiple computers to the Internet using one IP address.

Saturday, October 27, 2012


Rootkit Detection: Rootkit Revealer


RootkitRevealer uses a cross-view approach and focuses only on the file system and Registry. The benefit of this tool is that it is fast, simple and effective. It does not scan for loaded kernel modules; it quickly detects both the hidden registry keys and the files being hidden by the rootkit.



Installation:
•  Download the Rootkit Revealer.exe (231 KB) file and copy it onto the computer.
•  Double Click → Agree → Agree, that's it.

Usage:
•  Click File → Scan; it will show the number of discrepancies.
•  Click File → Save.

It is necessary to examine all discrepancies.