Monday, December 22, 2014


I identify myself as a hacker... not as an ethical hacker. Hacking is an art, just like martial arts or painting. Hacking is about making a device or system do some thing the designer did not originally have in mind. When you exercise your creativity you can hack anything.

So just like a mechanic, painter or a martial artist... the term hacker is right. There can be a good martial artist and a bad martial artist, you don't call those people with one word or have multiple words mixed up in a haze. Similarly there can be a good hacker and a bad hacker. Like I explained earlier, the decision to adhere to ethics is up to each and every individual. When I became a hacker, I learned that I have to protect the word and clarify our stance to the world. The media has created a bad image about hackers and bad news / press sells faster and better than "normal" news.

As far as learning goes, You can learn the basics and then work on your own - for a few years to achieve good competency. Hacking your own XBox for example to store movies and stream it - on to your LCD Television is legal, provided you paid for the movies and the gaming console... ;) If you don't pay for the movies, but download them from the internet... then it is illegal.

The society / media that waves the "Ethical Hacker" tag must understand - The term is an oxymoron at best and incorrect. I am no lawyer, so I can't comment on Ethics of hacking or any deed. Mahabharata says there is no good or bad deed. Western culture also agrees with the same in multiple scripts that: all deeds are situational, whether good or bad depends on each individual's own judgement and justification. People mix things up badly and have a perception of smoke and mirrors created by the media about hackers.

We're simple people and we like breaking stuff for a living, just like software engineers build stuff for a living. Hacking can therefore be termed as creative destruction of a given system or program.

I'm taking a break from work soon, summer's here yipppeeeee :)


Saturday, August 16, 2014

And you thought WhatsApp was safe?

All you friends, relatives and well-wishers telling me to install whatsapp... Howzzzhaaat? ;)
Decompilation of Android APK
In case you people don't understand, MOST, if not all mobile applications require 'nearly' GOD level access to your phone. OK, I'll be kind this one time... because, I see  you frown... :D
Get the picture? ;))
Your so-called "smart"phone has SMS/MMS, Phonebook, Contacts, Camera (with photos / videos and god knows what else)... Email, notes, oh whatsapp!

Same goes for viber, truecaller and other junk called 'apps'. A good application should be 'free' without spying or screwing with your Android or iOS. The companies are NOT paying to get your information (privacy) and they are NOT paying for you to sign up and get screwed... Does it hurt? Bitch!
This is a RANT, if you haven't figured it out by now

Think twice about installing an application, next time... And you better listen to me when I talk!

Peace Out!

Saturday, August 09, 2014

Firemon - Security Intelligence Platform (For Networks)

Disclaimer: Normally, I don't write about products or promote anything. This is NOT an endorsement or a promotion for Firemon and/or VMTurbo. The opinions and views scribbled herein must be taken with a grain of salt. My company is strictly vendor neutral !

Firemon - Company Overview

Consider this to be my notes from the session I attended at JW Marriott, Bangalore. 

Product: Appliance
Based on Cent OS 64-bit
DB Used: Postgres 64-bit
Licensing: Depends on Application Server and Number of Devices Required
Enables continual monitoring and understanding of Network Devices for Change, Risk and Compliance

Swag / Product information on Firemon
I had the opportunity to attend a session presented by James Frost, of Firemon EMEA team. Obviously he answered a few of my sensible questions. They gave away some cool swag. You (you as a reseller) are in business because you can do something better and more efficiently than your customer can do it. And you keep your customers because you can prove it. So, when it comes to managing firewalls, don’t just tell your customers that their firewalls are managed correctly. Show them with firemon!

Perks of being strong :D
The limitation of Firemon vs. a traditional SIM / SIEM is the scope of log aggregation and correlation that can be done (limited to Firewalls / Network Devices). Also, Firemon does NOT push policies or modify policies back to the firewall because, most vendors have no API support or Closed API. They plan to integrate Firemon with VMWare vShield which is opening up the debate of SDN (Software Defined Networks), which requires a separate post. With that said, its only fair to mention this product has a considerable edge over other firewall management products taking in to note the client's network context and covering change (in accordance with ITIL), risks and pre-emptive measures for managing change in an enterprise!

Check out their article on Enterprise Monitoring

One would relate this to VMTurbo (For VMWare - Virtualization) as vmturbo shows similar traits in pro-active monitoring and automating a lot of significant datacenter tasks. Not an apple to apple comparison per se, but NEW Products like Firemon and VMTurbo deserve a place in the enterprise where speed, automation and scalability need to be balanced by the IT Manager, productively using his costly IT resources to do other tasks at hand instead of closing tickets on a daily basis for Virtualization / Security.

Check out Firemon @
Check out VMTurbo @


Saturday, April 19, 2014

ICICI Bank - Authentication Bypass Vulnerability


Consider this my opinion on the latest vulnerability discovered in ICICI's Internet Banking portal that allows anybody to read your bank statement without logging in to your account. Yeah, you read that right, "without" logging in...

OK, A friend of mine pointed out this vulnerability to me... Initially my impression was well it must be another SQL injection as I have always been skeptical about the level of security on the Internet provided by private & public banks.

Bug: Authentication Bypass + Direct Insecure Object Reference

Discovered by: Ayush Ghosh, BookMyShow

Disclosed by NDTV to ICICI Bank because the bank didn't bother checking that researcher's email as usual. So much for having those abuse / info e-mail addresses on their website. The banks must start to consider working on a middle-ground with security researchers.

Initially the vulnerability seems innocuous but, when you factor in that a vulnerability like this could lead to money being stolen or could lead to internet fraud. Imagine 20 lakhs get stolen from your bank account straight up by a guy who cons you with an internet scam. Then try to look at this vulnerability in this new light with your money on the table... Scary? Yeah I thought so! ;)
New Delhi-based cyber-security consultant Dominic K. spoke to NDTV Gadgets and discussed the multiple layers of security that banks have in place, which include multi-factor authentication, encryption, secure connectivity - SSL and HTTPS and identity management systems. He added, "We have not heard of any serious attacks that were successful. These are industry practices that meet global standards."
SSL - Broken many times
HTTPS - Broken - Can be stripped and/or hijacked
Certificates can be spoofed and/or stolen

How multi-factor authentication or secure connectivity will help when there's no user logged in? Authentication is the mechanism where a user logs-in to confirm the his / her identity on the bank's website. This is usually achieved with parameters such as Debit card no, Account no, Debit card PIN or Username / Password issued for Internet banking. The authentication mechanism is NOT part of this vulnerability so, all those global standards don't matter in this case.

Our high school teachers have spoiled us by with an example for every damn thing in the world.

Example: A Grifter with very little computer knowledge can write an e-mail with your name (first name, last name), bank account information, your bank balance and a 'mistake' he noticed (a reason to click). Since the dawn of graphical user computing we have always been clicking, you can't get anything done without clicking. You click more than you type and that is a fact, you clicked on this damn page... fact... :D

Mr.Grifter can then systematically make you execute javascript and steal your cookies, pun intended! Cookies here equate to money, but that's just for people who care. If that grifter is savvy and smart, he just might hack your browser and make your life hell. The people who want to sit at home feeling safe, well... good luck, security has always been an illusion.

The original article can be found here


Saturday, April 12, 2014

OpenSSL Heartbleed Vulnerability

Myself and Digi from Crimemachine have whipped up a document to educate the public about this recent vulnerability. With all the information and buzz surrounding this vulnerability, comes a lot of confusion too... We provide this information with the standard disclaimer, this information is for educational purposes only.

Download the Heartbleed - Information Packet (Google Drive)

 You will be responsible for your own actions. Use the information sensibly.

Official Website: 
OpenSSL Advisory:

Update: A simple shell script for those of you who are dabbling with the code,
root@crimemachine:~# while true;do ./ -p 443;sleep2;done >> /tmp/heartbleed.log
You can iterate the loop and record login credentials when a user logs in to the site/server.


Wednesday, March 12, 2014

Talk to the real hackers...

In today's scenario, Every body is a penetration tester... :D
All the "me too" security providers, "engineer" pen-testers, one stop shops and yuppies are going to be mad at me now... An artist should rather let his work speak, if you want to see me in action, call me!


Thursday, November 21, 2013

ZKSoftware ZEM500 Authentication Bypass

# ZKSoftware ZEM500 RFID Card Reader
# Date: 22.11.2013
# Vuln: Authentication bypass / Abuse of Access

In a world which relies on technology heavily, the use of software and/or hardware to track people at office / work isn't new. It is actually quite old and a lot of systems are vulnerable. This is just my observation of ZEM500 hardware on a limited scope of attack.

Typical connectivity diagram from the ZEM500 Hardware to the network...

ZEM500 by ZKSoftware (Sold by ESSL India) is a biometric fingerprint cum smart card system to authenticate and maintain user attendance in corporate offices. The authentication (employee name, employee password) is encoded in a smart card like any other system. The ZEM500 runs a Linux kernel 2.4x. The device runs busybox linux and its based on fingerprinting.

Port Scan of the ZEM 500,

Telnet to ZEM 500,

Malformed packet for ZEM500 using Scapy,

Observing the traffic with Wireshark was not amusing and revealed employee login / log out details... For obvious reasons of confidentiality and safety, I won't post it online!

eSSL Time Track - Hardcoded Password,

Apart from the above mentioned authentication bypass, you can download a copy at  to manage the software like a normal administrator would. eSSL resells the hardware in India. The management software has a hardcoded password for Windows and SQL Authentication. Weak Encryption, anyone?

Default install includes SQL Express for the management software. The software can be used to manage, maintain and fetch reports from the system.

The ZEM500 has WiFi capability and I never hooked my system to the firewire... Food for thought? ;))