Tuesday, March 13, 2018

Can your aadhaar card be hacked / misused?

Yes, your Aadhaar card can be hacked and it can result in data theft, monetary loss, identity theft / cybercrime. So, hold your breath and count to ten, no swearing / no bad words here... ;)

Aadhaar - One Nation, One Card :D
It is well known now that Aadhaar has become synonymous with a person's identity in India. Thank You, Narendra Modi (PMO). I liked him better when he opposed aadhaar as Gujarat's CM, when Congress Party was ruling the country.

Constitutional Validity of Aadhaar
The face of Narendra Modi, post-2015 where he openly defied Supreme Court verdict to link Aadhaar to more than 100 schemes, both public and private, while passing off the Aadhaar Act, 2016 as a money bill in Lok Sabha, where BJP had majority, I started disliking him further when his government and cabinet of ministers, made the Aadhaar card mandatory for both public and private services instead of its original purpose as envisioned. (viz a viz, DBT, govt subsidy and tracking leakages / tracking corruption)

Contempt of Court
When any act outlives its original purpose, becomes draconian and violates constitutional principles like fundamental rights and right to live a dignified life (Article 21, which also includes right to privacy as interpreted by Supreme Court of India) it must be scrapped or repealed as nobody is above the constitution. The Supreme Court is considered to be the apex court, in charge of interpretation of law and they (supreme court judges) are ALSO bound by the constitution.

Where's the Security?
The question is NOT something pertaining to an individual's opinion or my right to privacy, it concerns every *single* citizen of India. If they can't provide maximum security in terms of physical, electronic and digital security, they should at least have the decency to admit that their security is NOT up to the mark. Security won't "magically" happen, when UIDAI / Modi govt says aadhaar database is secure. Something has to be shown like improvement to the aadhaar public database, aadhaar verification, e-hospital portal? (which was used to hack aadhaar once), recently disclosed details through verity infosol, hyderabad... What are these people doing to "really" improve security, by implementing safeguards / security standards??

Where's the transparency?
All too frequently, people lament about transparency and corruption (transparency in THIS product / THAT service); let me ask you, what is the level of security for UIDAI / aadhaar cards as a database?? Where's the transparency? You expect me to file an RTI??

Aadhaar Card - Not So Secure 
And all this ranting about Aadhaar card is for naught, if I can NOT make you understand the implication of losing your privacy, right? Here are the problems with Aadhaar Card,

1) I can NOT change my fingerprint, or iris (if it is lost)
- Like a credit card, debit card, sim card

2) Single point of failure
- Some judge and some panelist on some TV channel said, Government already has all of this information about you. Why are you uncomfortable sharing this data??
- Goes to show how uninformed the judge / panelist is about "disaster management / disaster recovery"
- aadhaar is a centralized database - which can lead to single point of failure

3) OTP is issued by Aadhaar's Website, hmmm, OK!
- So we are in 2018?? And you're telling me OTP is fool proof :P
- physical attacks / social engineering works

4) Aadhaar's android app called mAadhaar is an APK file
- There's a whole hours' worth of demonstration I can make on android security
- And conduct a full course on how to security test mobile devices / mobile OS
- Android OS, android API, apk and device permissions / settings / the works...

Disclaimer - I do NOT have to perform ANY of the above mentioned attacks...
A valid Aadhaar number is a key that opens multiple locks. Dialing *99*99# connects you to NPCI’s query service on Aadhaar mapper (QSAM), which cheerfully tells you which bank the Aadhaar holder is receiving subsidy deposits in. Indane’s website will tell you the name of the Aadhaar holder and their LPG connection ID, and the history of banks they have received subsidies in. Keep probing services like this, and soon enough one builds a comprehensive profile of an individual containing information that is most certainly not known to Google and Facebook, the Aadhaar ecosystem’s preferred bogeymen. Forget state-level actors, this is now available to common scamsters. Everyone from housemaids to members of Parliament have fallen prey to targeted phishing scams that use private information to convince the victim that they genuinely represent the service provider, only to find that money has been stolen from their bank accounts soon after.
Quoting from LiveMint's Article - http://www.livemint.com/Opinion/iUYT70CSTkEIuu2BDbCCsM/The-Aadhaar-ecosystem-leaks-too-much-data.html

Disclaimer - I do NOT have to perform ANY of the above mentioned attacks... It has all been done before, and it will be done again unless, UIDAI and the Govt of India take concrete steps to "regularly" and I emphasize, "regularly" audit the Aadhaar infrastructure, gain the public's trust and make aadhaar genuinely useful for the public.

(Despite having a bunch of "interesting" and "useful" individual identity cards, essential commodities act, motor vehicles act, passport act - separate means to identify and access govt schemes and services, people are coerced to enroll with UIDAI/Aadhaar, produce the same for public and private services in violation of Supreme Court's August 2017 - verdict. In legal jargon, it is called contempt of court...)

Hacking aadhaar is NOT new / newsworthy
It happens regularly... It is well known to people working in the security industry that Aadhaar database has been breached about half a dozen times, in the last 2 to 3 years, by various eminent individuals... ;))

https://www.thehindubusinessline.com/info-tech/uidai-suspends-airtel-airtel-payments-banks-ekyc-licence/article9995428.ece
http://www.tribuneindia.com/news/nation/rs-500-10-minutes-and-you-have-access-to-billion-aadhaar-details/523361.html
https://www.thequint.com/news/india/exclusive-aadhaar-dirty-secret-out-add-anyone-as-data-admin
https://thewire.in/210954/uidai-aadhaar-security-breach/

Bone of contention?
Unfortunately, Aadhaar card as of now, serves no additional purpose, that your other identity cards, bank accounts and social welfare schemes fail to provide. Why do we need Aadhaar? For state surveillance on Citizens of India or, to catch a Nirav Modi, a Vijay Mallya (Kingfisher) and/or a Lalit Modi (IPL Scam)??

3 Point Conclusion
1) At present there is no data protection / privacy law in India, we need these laws... ( IT Act does NOT count as a full-fledged privacy law - read up on laws / legalese please!)

2) The Indian govt must have a framework for citizen's identity to be safely accessed via Aadhaar, limit the level of data available to third parties, conduct periodic security assessments / checks, comply with laws of the land, provide an opt-out clause, allow the citizens access to essential services such as direct benefit transfer, food subsidy, bank accounts and mobile phones without coercion to provide aadhaar card.

3) So when Aadhaar becomes congruent with its original vision of distributing benefits, subsidy and leakage / corruption tracking, I will be the first person and the best proponent of aadhaar. I will encourage people to enroll and sensitize them about the benefits of aadhaar. Let's safely say, that's 5 to 10 years away... :D

Currently, Aadhaar's constitutional validity is being hotly debated in the Supreme Court of India...

I'll leave it at that... Peace Out!

- Kish

Wednesday, October 19, 2016

ZKSoftware ZEM500 Authentication Bypass - Update

A Brief Update To The Original Post on ZKSoftware ZEM500 Authentication Bypass

First things first, I am now on a sabbatical, pursuing alternate avenues for pleasure, not profit... I am semi-retired from security on my own terms... ;)

Username & Password for the device was "root:solokey" in 2013...

I believe that in addition to getting root, you could play with firmware, packets and the device's OS (busybox) if you are inclined to explore every filetype including elf, bat and sh files for getting a better understanding. You could ALSO use tftp / ftp, ssh or telnet to upload and download files (for reverse engineering the elf files). Firmware for the device comes in gzip or tgz (tarred-gzip) format.

I am NOT very sure or updated on the vulnerability as such. It may have been reported and fixed by now (I saw THIS in 2013) - I could be wrong, too... Since some vendors don't fix the vulnerabilities quickly.

Good luck playing with the device!

Cheers,
Kish

Sunday, March 27, 2016

Why I hate security "experts" (and "trainers")

Disclaimer: This is a pure rant, with no proper grammar, editing & politically (IN)correct logic... I am known to be politically incorrect, but 110% technically astute. I did NOT write this post to please you... You acknowledge that by reading this you will NOT judge the author of this post and Lucideus reputation as a security / service provider :D

Okay, this post was never meant to be written, but hey, every now and then you get a random love letter (e-mail spam) from _some_ company (read: lucideus)

I never wanted to see this page, being a semi-retired professional, hxxp://www.lucideus.com/security_technology_training.html


Then again when you claim to provide security training using funny jargon words like ATOM (Awareness, Technology, Operations, Management?) - you need to integrate that in to your website and company's security model. You should always practice what you preach, or stop preaching (read: selling snake oil), or be like Bill Clinton, [Telling people] "I am full of shit, I sell snake oil and bullshit" but be honest about it!


Your site is plagued with open ports, ranging from ssh to ftp, and what not! Your site has multiple network, web application (vulns like XSS, CSRF and SQL Injection) and server vulnerabilities, yet you claim to teach Web Application Security, IT Infrastructure Security and Cyber Security, apart from Incident Response which I very much doubt you'd be capable of performing; having a badly developed website which can be pwned by anyone with basic skills in under 40 minutes.


The worst part about this whole training page is "so-called" trainers using the words VA (Vulnerability Assessment) and PT (Pen Testing) in the same line / like a single word. This is the last time, I'll put up with this bullshit. If you can't differentiate between two different process maps in a security assessment, how the hell do you expect people to trust you? Take up your course? Are people so badly educated that they fall for a badly coded website running Apache?

The least you can do as a security trainer, you have to put your money where your mouth is?! Or at least don't claim to be a security "expert" / "trainer" who trains people on a regular basis. I won't be surprised, if those 60,000 students from 200 plus organizations, come looking for a refund... haha! ;))

Secure your organization first, then start providing security services and training, be orderly in your business operations. So here's another organization, that can NOT secure themselves, but claim to provide security education, sound like a classic case of Catch-22? Fuel for your brain, haha! :D

Reminds me of one meme where vijay kant asks manmohan singh for his "bonafide cetripicate signature" for his "practical ejam dumaaro", of course, he said "bleaaase sir" hahaha! :))

And please spam wisely next time, okay?

Cheers!

Sunday, January 31, 2016

Thank You

Many of my friends and well wishers have been wondering what happened to me and have gotten in touch from time to time in the last year and a half! Thank You! I am alive and well!

>> Originally drafted in December, 2014 <<

I am going to take a long break, an indefinite break from security to pursue alternate avenues and take on new challenges in life. I'd like to take this opportunity to thank my clients, my beloved hard disks, 3 am creativity, caffeine, my laptops, my motorcycle and my first few computers for putting up with me...

On a side note: My love / hate for WhatsApp as always, continues... So when WhatsApp upgrades you to "Life time" validity? Ask yourself what's going on? Free the app? Free that chat?

( HINT: Read free application co. will sell, resell, use your information as means for revenue with multiple companies / corporations / stakeholders )

With two methods to happily hack whatsapp and multiple methods to hack a mobile phone. Think twice before you type 'stuff' on your chat window. Better to be safe than sorry with all those nude selfies floating on the WWW (world's wild web)...

You can still reach me by writing an e-mail... but, you knew that already... haha! ;))

Cheers,
Kish

Monday, December 22, 2014

Hacking...

I identify myself as a hacker... not as an ethical hacker. Hacking is an art, just like martial arts or painting. Hacking is about making a device or system do something the designer did not originally have in mind. When you exercise your creativity you can hack anything.


So just like a mechanic, painter or a martial artist... the term hacker is right. There can be a good martial artist and a bad martial artist, you don't call those people with one word or have multiple words mixed up in a haze. Similarly there can be a good hacker and a bad hacker. Like I explained earlier, the decision to adhere to ethics is up to each and every individual. When I became a hacker, I learned that I have to protect the word and clarify our stance to the world. The media has created a bad image about hackers and bad news / press sells faster and better than "normal" news.

As far as learning goes, You can learn the basics and then work on your own - for a few years to achieve good competency. Hacking your own XBox for example to store movies and stream it - on to your LCD Television is legal, provided you paid for the movies and the gaming console... ;) If you don't pay for the movies, but download them from the internet... then it is illegal.

The society / media that waves the "Ethical Hacker" tag must understand - The term is an oxymoron at best and incorrect. I am no lawyer, so I can't comment on Ethics of hacking or any deed. Mahabharata says there is no good or bad deed. Western culture also agrees with the same in multiple scripts that: all deeds are situational, whether good or bad depends on each individual's own judgement and justification. People mix things up badly and have a perception of smoke and mirrors created by the media about hackers.

We're simple people and we like breaking stuff for a living, just like software engineers build stuff for a living. Hacking can therefore be termed as creative destruction of a given system or program.

I'm taking a break from work soon, summer's here yipppeeeee :)

Cheers,
Kish

Saturday, August 16, 2014

And you thought WhatsApp was safe?

All you friends, relatives and well-wishers telling me to install whatsapp... Howzzzhaaat? ;)
Decompilation of Android APK
In case you people don't understand, MOST, if not all mobile applications require 'nearly' GOD level access to your phone. OK, I'll be kind this one time... because, I see you frown... :D
Get the picture? ;))
Your so-called "smart"phone has SMS/MMS, Phonebook, Contacts, Camera (with photos / videos and god knows what else)... Email, notes, oh whatsapp!

Same goes for viber, truecaller and other junk called 'apps'. A good application should be 'free' without spying or screwing with your Android or iOS. The companies are NOT paying to get your information (privacy) and they are NOT paying for you to sign up and get screwed... Does it hurt? Bitch!
This is a RANT, if you haven't figured it out by now

Think twice about installing an application, next time... And you better listen to me when I talk!

Peace Out!
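
A way to check the permissions claim above for any app, as an added example that is not part of the original post: list the sensitive permissions declared in a decoded AndroidManifest.xml (for instance, one decoded with apktool). The sample manifest and the package name `com.example.chat` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") Android permissions, grouped by the data the post lists.
SENSITIVE = {
    "SMS/MMS": {"READ_SMS", "SEND_SMS", "RECEIVE_SMS", "RECEIVE_MMS"},
    "Contacts / phonebook": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "Camera / microphone": {"CAMERA", "RECORD_AUDIO"},
    "Photos, videos, files": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "Calls / device identity": {"READ_PHONE_STATE", "READ_CALL_LOG", "CALL_PHONE"},
    "Location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
}

# Constructed sample manifest for a hypothetical chat app (not a real app's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="com.example.chat.permission.C2D_MESSAGE"/>
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return every permission name the manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def audit(manifest_xml):
    """Map each sensitive data category to the platform permissions requested."""
    perms = requested_permissions(manifest_xml)
    # Only platform permissions are classified; app-defined ones are skipped.
    short = {p.rsplit(".", 1)[-1] for p in perms
             if p.startswith("android.permission.")}
    report = {}
    for category, names in SENSITIVE.items():
        hits = sorted(names & short)
        if hits:
            report[category] = hits
    return report

if __name__ == "__main__":
    for category, hits in audit(SAMPLE_MANIFEST).items():
        print(f"{category}: {', '.join(hits)}")
```

A category showing up here means the app asks for that access, not that it misuses it; the useful comparison is between what is requested and what the app's visible features need.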

Saturday, August 09, 2014

Firemon - Security Intelligence Platform (For Networks)

Disclaimer: Normally, I don't write about products or promote anything. This is NOT an endorsement or a promotion for Firemon and/or VMTurbo. The opinions and views scribbled herein must be taken with a grain of salt. My company is strictly vendor neutral!

Firemon - Company Overview

Consider this to be my notes from the session I attended at JW Marriott, Bangalore. 

Product: Appliance
Based on CentOS 64-bit
DB Used: Postgres 64-bit
Licensing: Depends on Application Server and Number of Devices Required
Enables continual monitoring and understanding of Network Devices for Change, Risk and Compliance

Swag / Product information on Firemon
I had the opportunity to attend a session presented by James Frost, of Firemon EMEA team. Obviously he answered a few of my sensible questions. They gave away some cool swag. You (you as a reseller) are in business because you can do something better and more efficiently than your customer can do it. And you keep your customers because you can prove it. So, when it comes to managing firewalls, don’t just tell your customers that their firewalls are managed correctly. Show them with firemon!

Perks of being strong :D
The limitation of Firemon vs. a traditional SIM / SIEM is the scope of log aggregation and correlation that can be done (limited to Firewalls / Network Devices). Also, Firemon does NOT push policies or modify policies back to the firewall because, most vendors have no API support or Closed API. They plan to integrate Firemon with VMWare vShield which is opening up the debate of SDN (Software Defined Networks), which requires a separate post. With that said, it's only fair to mention this product has a considerable edge over other firewall management products taking in to note the client's network context and covering change (in accordance with ITIL), risks and pre-emptive measures for managing change in an enterprise!

Check out their article on Enterprise Monitoring

One would relate this to VMTurbo (For VMWare - Virtualization) as vmturbo shows similar traits in pro-active monitoring and automating a lot of significant datacenter tasks. Not an apple to apple comparison per se, but NEW Products like Firemon and VMTurbo deserve a place in the enterprise where speed, automation and scalability need to be balanced by the IT Manager, productively using his costly IT resources to do other tasks at hand instead of closing tickets on a daily basis for Virtualization / Security.

Check out Firemon @ http://www.firemon.com
Check out VMTurbo @ http://www.vmturbo.com

Cheers,
Kish