After a recent flood of investigative, forensic and legal support requests... We are back ON-Track to security testing... Always great to have the 'hacker' tag :D
I certainly appreciate my clients who entrusted their resources to me for investigations and forensic work, but nothing like our bread-and-butter, haha.
The headlines from ArsTechnica read "MSE 2.0 arrives with heuristic scanning, network traffic inspection" & "December 2010 Patch Tuesday will come with most bulletins ever"... and ZDNet's headlines include "Microsoft delivers patches for IE, font driver; Puts Stuxnet to bed" & "Apple plugs 15 gaping security holes in QuickTime"
Some surprise that MSE 2.0 has been successful, because it was released earlier for as a pilot - and failed in 1.0 before they learned their lessons and launched 2.0 ;)
Same surprise about Windows Patch Tuesday - I love MS, they help us survive and stay in business... No Wonder, with tools like Metasploit and CANVAS around :D
Stuxnet has been put to bed and that is indeed good news...
We are going to have a blast, 3 pen-tests already lined up :))
Saturday, December 18, 2010
Sunday, August 01, 2010
UIDAI Scheme - Or - Compromising my privacy?
What we know / heard from a few sources?
Basic Information:
The UID itself will collect only standard attributes such as name, date of birth, gender, father/mother/spouse/guardians name, address and a photograph. The only unique information is the biometrics (10 fingerprints and both IRIS scans).
Who / Why / Usage
The UID will be given to all residents who are in India and avail services and not just citizens.
The information in the database will be used only for authentication purposes and will not be shared or transmitted. Anyone seeking to authenticate the identity of another person using the UID database – will only get a response in YES or NO.
About working / operations:
The UIDAI is working on a partnership model with a variety of agencies and service providers ( both government and private sector) to enroll residents for UID Numbers and verify their identity. For e.g. Insurance companies, LPG marketing companies, RSBY, MG-NREGA etc. The UIDAI will also engage with Outreach Groups (essentially CSOs) to target, the homeless, urban poor, tribals, differently-abled population of the country etc.
About security:
The UID database will be guarded both physically and electronically by a few select individuals with high clearance. It will not be available even for many members of the UID staff and will be secured through encryption, and in a highly secure data vault.
Is your security up to the mark ? What is that secure data vault thing? Please don't use such terms, a layman maybe fooled into thinking "ultra secure" when in reality, you're storing it in the most haphazard manner.
Why do they (government) want a person's mother's name, father's name, and their respective UID numbers ?
Check this out ... the picture shows what info they are going to collect for the card. Add the present/permanent address thing to this mix, you can have one of our residing addresses, you are the government, you either choose permanent or present address, because parting with "everything" or too much of my private information to you - from me, a hacker's perspective... looks like asking to be stabbed !
All I'm saying is ... basically, devil knows who's got access to this DB once it is implemented. That's not all, they do say there may be an option for a person to escape their identity theft mechanisms and create a completely false identity and obtain a UID, d'uh !
Murphy's law folks, if you missed it ... "If anything can go wrong, it will"
Security Model for UIDAI Scheme
Always be prepared for the worst case scenarios, stop deducing cyber crime with just audit trails for a change.
Offences under UIDAI Act - Check out the screenshot
Addition about the IT Act 2000, and consequences if you compromise their DB,"All offences under the Information Technology Act shall be deemed to be offences under the UIDAI if directed against the UIDAI or its database."
Small FAQ I built for the readers,
Q. How will they (government) manage and secure 1.20 billion people's information ?
A. They wish to encrypt information and store it in a centralized DB...
Q. What security design will be implemented for Server and the Network/Client?
A. We have Firewall, IDS, IPS - alphabet soup basically, and Encryption with PKI.
Oh, my! the traditional defense-in-depth approach - Lauds the government. What about being proactive and conducting tests regularly? (Pen test, code review, DB security, red teaming, and compliance for the supporting infrastructure)
Q. Will my information be secure in the database?
A. Well, it depends... lol !
"The UID database will be susceptible to attacks and leaks at various levels. The UIDAI must have enough teeth to be able to address and deal with these issues effectively."
Q. What will the basic information and biometrics be integrated with?
A. Banks, Ration shop, Income Tax Dept, Passports, Credit Card/Debit Card, Online accounts. Precisely, enough sensitive data will be integrated with so-cal best practices to leave you stabbed from a lot of angles.
People who define security should not use the abbreviation for et-cetera (etc). Define and then write a document, because you are dealing with national security and a billion plus populous here. Don't be so naive and clueless by mentioning stuff like "Network, Client Security – Encryption, PKI etc"
From the looks of it, The way in which the government is dealing with our information is haphazard, to say the least.
Cheers,
Kish
Basic Information:
The UID itself will collect only standard attributes such as name, date of birth, gender, father/mother/spouse/guardians name, address and a photograph. The only unique information is the biometrics (10 fingerprints and both IRIS scans).
Who / Why / Usage
The UID will be given to all residents who are in India and avail services and not just citizens.
The information in the database will be used only for authentication purposes and will not be shared or transmitted. Anyone seeking to authenticate the identity of another person using the UID database – will only get a response in YES or NO.
About working / operations:
The UIDAI is working on a partnership model with a variety of agencies and service providers ( both government and private sector) to enroll residents for UID Numbers and verify their identity. For e.g. Insurance companies, LPG marketing companies, RSBY, MG-NREGA etc. The UIDAI will also engage with Outreach Groups (essentially CSOs) to target, the homeless, urban poor, tribals, differently-abled population of the country etc.
About security:
The UID database will be guarded both physically and electronically by a few select individuals with high clearance. It will not be available even for many members of the UID staff and will be secured through encryption, and in a highly secure data vault.
Is your security up to the mark ? What is that secure data vault thing? Please don't use such terms, a layman maybe fooled into thinking "ultra secure" when in reality, you're storing it in the most haphazard manner.
Why do they (government) want a person's mother's name, father's name, and their respective UID numbers ?
Check this out ... the picture shows what info they are going to collect for the card. Add the present/permanent address thing to this mix, you can have one of our residing addresses, you are the government, you either choose permanent or present address, because parting with "everything" or too much of my private information to you - from me, a hacker's perspective... looks like asking to be stabbed !
All I'm saying is ... basically, devil knows who's got access to this DB once it is implemented. That's not all, they do say there may be an option for a person to escape their identity theft mechanisms and create a completely false identity and obtain a UID, d'uh !
Murphy's law folks, if you missed it ... "If anything can go wrong, it will"
Security Model for UIDAI Scheme
Always be prepared for the worst case scenarios, stop deducing cyber crime with just audit trails for a change.
Offences under UIDAI Act - Check out the screenshot
Addition about the IT Act 2000, and consequences if you compromise their DB,"All offences under the Information Technology Act shall be deemed to be offences under the UIDAI if directed against the UIDAI or its database."
Small FAQ I built for the readers,
Q. How will they (government) manage and secure 1.20 billion people's information ?
A. They wish to encrypt information and store it in a centralized DB...
Q. What security design will be implemented for Server and the Network/Client?
A. We have Firewall, IDS, IPS - alphabet soup basically, and Encryption with PKI.
Oh, my! the traditional defense-in-depth approach - Lauds the government. What about being proactive and conducting tests regularly? (Pen test, code review, DB security, red teaming, and compliance for the supporting infrastructure)
Q. Will my information be secure in the database?
A. Well, it depends... lol !
"The UID database will be susceptible to attacks and leaks at various levels. The UIDAI must have enough teeth to be able to address and deal with these issues effectively."
Q. What will the basic information and biometrics be integrated with?
A. Banks, Ration shop, Income Tax Dept, Passports, Credit Card/Debit Card, Online accounts. Precisely, enough sensitive data will be integrated with so-cal best practices to leave you stabbed from a lot of angles.
People who define security should not use the abbreviation for et-cetera (etc). Define and then write a document, because you are dealing with national security and a billion plus populous here. Don't be so naive and clueless by mentioning stuff like "Network, Client Security – Encryption, PKI etc"
From the looks of it, The way in which the government is dealing with our information is haphazard, to say the least.
Cheers,
Kish
Friday, July 23, 2010
Xchanging URLs now ;))
The vulnerable page is still there, and there is no fix... but hey, the web developers sure learned to redirect the vulnerable page to home.html... ironic ;))
Web development and Security @ Xchanging - EPIC FAIL... sorry folks... Try harder next time... If you want to contact me for a penetration test, here's my mail: kishfellow at yahoo dot com
Cheers,
Kish
Web development and Security @ Xchanging - EPIC FAIL... sorry folks... Try harder next time... If you want to contact me for a penetration test, here's my mail: kishfellow at yahoo dot com
Cheers,
Kish
Wednesday, July 21, 2010
Xchanging SQL Injections with you...
Xchanging - Xchanging plc (LSE: XCH) is a business processing company, with a wide range of multinational customers in 42 countries and employing over 8,000 people worldwide. It is listed on the London Stock Exchange and is in the FTSE 250 Index. Xchanging is also a member of the FTSE4Good index.
They have a potential SQL injection here, well... someone needs a pen-test?
http://selfservice.xchanging.com/serviceportal/default.aspx?offset=
Cheers,
Kish
They have a potential SQL injection here, well... someone needs a pen-test?
http://selfservice.xchanging.com/serviceportal/default.aspx?offset=
Cheers,
Kish
Tuesday, July 06, 2010
Linux migration SNAFU
Disclaimer: The author is not against windows, the author is not against linux, the author is against "stupid" practices and communication gap while migrating from one OS to another. The author is an ardent Linux and BSD Fan, and supports FOSS/OSS movements.
The inspiration for this post comes from a REAL company whose employees were not so happy and almost resigned their posts owing to a bad migration.
Here is a story of a simple Linux migration gone-all-wrong.
The last thing any employee wants at the office on Monday morning is to turn on their workstation to find Linux instead of their beloved Windows operating system.
How NOT TO MIGRATE from Windows to Linux
- For Lower TCO, access to source code,
- For Economic benefit, Ethical Benefit,
- For Access to Source code,
- For whatever-else-you-deem-fit to trigger a migration
You certainly have to communicate to your employee formally - written as a memo circulated throughout the ranks, or a simple e-mail to all employees notifying the change.
Analysis : Why it went wrong ?
Things that made this particular migration go wrong...
1) The employees were not informed prior to the migration
2) Backup was not in place, only last minute backup was available
3) There was no Linux101, Command Line usage or any induction towards the new operating system at their disposal.
4) No clear planning, and deployment - Old versions of Ubuntu were deployed.
5) There was no consultant or subject matter expert to assist the migration.
How TO MIGRATE from Windows to Linux
- Prior to the transition from one OS to another - inform your employees formally
- Get them involved in the planning and ask for their views & suggestions
- After giving the heads-up, arrange for a backup (through System Administrator)
- To make the transition smooth decide who needs a Linux desktop and how many Windows systems can be retained (to reduce training budget)
- Choose a Linux distribution based on - User competence, prior experience, and business goal (why linux?)
- Engage an external consultant or subject matter expert
- Plan the switch with software used currently and alternate software available for linux
HINT: ptth://www.osalt.com
- Deploy a test bed and introduce the operating system functionality
- Arrange for a formal induction (hands-on) with the consultant
- Clarify doubts and exchange ideas, get tips and tricks and further reading
- Arrange for a dinner (makes employees happy to eat and learn, than just learning)
- Use linux philosophy from time to time - for motivation, increasing productivity, and squeezing employees to the max, hehe !
"The only thing worse than training good employees and losing them is NOT training your employees and keeping them."
- Zig ziglar
Point to be taken from this post: Next time you migrate to any linux distribution, make sure you Communicate the change, engage a subject matter expert, plan, test, and then deploy.
Cheers,
Kish
PS: We offer Linux migration services, and Open Source consulting of the best quality at very nominal pricing. Contact me for more information.
The inspiration for this post comes from a REAL company whose employees were not so happy and almost resigned their posts owing to a bad migration.
Here is a story of a simple Linux migration gone-all-wrong.
The last thing any employee wants at the office on Monday morning is to turn on their workstation to find Linux instead of their beloved Windows operating system.
How NOT TO MIGRATE from Windows to Linux
- For Lower TCO, access to source code,
- For Economic benefit, Ethical Benefit,
- For Access to Source code,
- For whatever-else-you-deem-fit to trigger a migration
You certainly have to communicate to your employee formally - written as a memo circulated throughout the ranks, or a simple e-mail to all employees notifying the change.
Analysis : Why it went wrong ?
Things that made this particular migration go wrong...
1) The employees were not informed prior to the migration
2) Backup was not in place, only last minute backup was available
3) There was no Linux101, Command Line usage or any induction towards the new operating system at their disposal.
4) No clear planning, and deployment - Old versions of Ubuntu were deployed.
5) There was no consultant or subject matter expert to assist the migration.
How TO MIGRATE from Windows to Linux
- Prior to the transition from one OS to another - inform your employees formally
- Get them involved in the planning and ask for their views & suggestions
- After giving the heads-up, arrange for a backup (through System Administrator)
- To make the transition smooth decide who needs a Linux desktop and how many Windows systems can be retained (to reduce training budget)
- Choose a Linux distribution based on - User competence, prior experience, and business goal (why linux?)
- Engage an external consultant or subject matter expert
- Plan the switch with software used currently and alternate software available for linux
HINT: ptth://www.osalt.com
- Deploy a test bed and introduce the operating system functionality
- Arrange for a formal induction (hands-on) with the consultant
- Clarify doubts and exchange ideas, get tips and tricks and further reading
- Arrange for a dinner (makes employees happy to eat and learn, than just learning)
- Use linux philosophy from time to time - for motivation, increasing productivity, and squeezing employees to the max, hehe !
"The only thing worse than training good employees and losing them is NOT training your employees and keeping them."
- Zig ziglar
Point to be taken from this post: Next time you migrate to any linux distribution, make sure you Communicate the change, engage a subject matter expert, plan, test, and then deploy.
Cheers,
Kish
PS: We offer Linux migration services, and Open Source consulting of the best quality at very nominal pricing. Contact me for more information.
Monday, May 31, 2010
U Socket - USB Charging directly from plug points
Quoting from their website,
"U-Socket is a duplex AC receptacle with built-in USB ports that can power any device that is capable of being charged via a 5V power adapter, but without the need for the power adapter! When a U-Socket replaces a traditional 3-prong AC wall socket, you can eliminate the clutter of AC Adapters that stick out & take up space in your home or office. Everything stays neat & organized. In additional, U-Socket's energy efficient design only outputs power through the USB port if something is connected to it. This can save you up to $25 per year in reduced energy costs. Good for you, good for the environment and with our great prices, good for your wallet too!"
Neat little addition to your desk to charge your devices like iPad or mp3 players :)
For more information, click here
Cheers,
Kish
"U-Socket is a duplex AC receptacle with built-in USB ports that can power any device that is capable of being charged via a 5V power adapter, but without the need for the power adapter! When a U-Socket replaces a traditional 3-prong AC wall socket, you can eliminate the clutter of AC Adapters that stick out & take up space in your home or office. Everything stays neat & organized. In additional, U-Socket's energy efficient design only outputs power through the USB port if something is connected to it. This can save you up to $25 per year in reduced energy costs. Good for you, good for the environment and with our great prices, good for your wallet too!"
Neat little addition to your desk to charge your devices like iPad or mp3 players :)
For more information, click here
Cheers,
Kish
Sunday, February 07, 2010
No pun intended
Pen tester1: I have have very less issues related to security compared to my windows laptop
Kish: probably, because people own macs silently ;)
Pen tester1: ...
Kish: probably, because people own macs silently ;)
Pen tester1: ...
Subscribe to:
Posts (Atom)