Aadhaar detail leak in Jharkhand sign of deep cyber security flaws: Experts
The leak of confidential information of more than a million citizens from a Jharkhand government website exposes systemic vulnerabilities in India’s much-touted e-governance framework, experts have said.
The warnings come after the Jharkhand Directorate of Social Security published on its website 1.4 million names, addresses, bank account details and Aadhaar numbers. Twenty-four hours after the breach was noticed by media outlets, officials had no idea how the details made it onto the website unsecured, but they had taken the page offline.
“User education is not adequate at this point in time to match the rate at which security-related risks are growing,” said Subhashis Banerjee, professor of Computer Science at the Indian Institute of Technology, Delhi.
Banerjee explained that while the Centre and states are gathering more and more data about citizens to ensure government schemes reach intended beneficiaries, departments that hold this information are ill-equipped to maintain and safeguard these sensitive databases. “Even the government is not fully aware of what it is doing,” he said.
The introduction of Aadhaar-seeding, to inter-link these discrete databases, has only exacerbated this vulnerability, as a leak in one database could leave a citizen’s entire digital life vulnerable to a hack.
“It [Aadhaar] can be used to correlate and find out the identity of an individual very easily,” said Banerjee. “Availability of these databases enables adversaries to keep a tab on individuals unless special precautions are taken to prevent this.”
The Unique Identification Authority of India (UIDAI), which oversees the Aadhaar framework, insists that its servers are impervious to attack, but most leaks are likely to come from an attack on the weakest link of the Aadhaar chain: thousands of insecure computers maintained by rickety block-level government offices across the country.
In Jharkhand, for instance, cyber security experts had long warned that many websites maintained by the state government were insecure.
“We had demonstrated these vulnerabilities to the state government in December,” said Vineet Kumar, a former member of Jharkhand police’s cyber cell, who has since set up the Cyber Peace Foundation, an NGO.
Officials at the Jharkhand IT department acknowledged the vulnerabilities of their websites, but pointed out that this particular lapse occurred on a website managed by the National Informatics Centre, India’s premier e-governance provider.
“The NIC has been taking care of all the technical aspects of Aadhaar-related issues for us. They have been doing it since 2014, but this is the first time that such a leak has occurred on the website,” said Ram Parvesh, Director for Social Security, adding that his department had called for a meeting with NIC on Monday to solve the problem.
“Jharkhand-type leaks could happen anywhere,” said an official who works closely with the Ministry of Rural Development. “In many states, each department has its own IT vendors who build the software that stores this information. There is no common security standard across states and departments.”
This multiplicity of software solutions and private service providers, the official said, also made it difficult to implement nation-wide fixes once a vulnerability had been discovered in one state.
“So even if we fix Jharkhand’s problem, we can’t simply upgrade all systems to ensure a similar problem does not occur in a different department in a different state,” he said. The UIDAI declined comment on this story. An official statement on the Jharkhand leak is expected on Monday. (Source: Hindustan Times)
Spirent Extends Security and Performance Testing Leadership with CyberFlood
Industry’s First Server-Response Fuzzing Raises Security Standards for Testing Against Malicious Attack Vectors
Spirent Communications, an industry leader in test and measurement, today extended its lead in security and performance testing by introducing the industry’s first server-response fuzzing capability within CyberFlood, its premier security test solution. A breakthrough in security and performance testing, CyberFlood’s server-response fuzzing functionality tests the ability of security devices—firewalls, intrusion prevention systems (IPS), secure web gateways and others—to handle malformed traffic sent from a server on the Internet to a client device using a single test solution. This is achieved without the time, effort and cost of building a complex test environment, allowing the user to get up and running more quickly with better results than ever before.
“We launched CyberFlood last year with SmartMutation™, the first-of-its-kind, true intelligence-driven fuzzing strategy. This set a new benchmark for security testing, allowing testing to go deeper, wider and across more code paths than any other solution in the industry,” said David DeSanto, director, products and threat research at Spirent Communications. “Other fuzzing solutions today only offer users the ability to fuzz the client definition of the network protocol when testing a device.
“Leveraging CyberFlood’s unique technology, users can now fuzz the server definition of the network protocol, confirming that a device can handle malformed responses from a server on the Internet targeting a client device, one of the most common and malicious attack vectors leveraged by hackers today. This gives enterprises, service providers and equipment manufacturers a fast and easy way to test security devices with no test environment to set up, and with no false positives during testing”.
The latest CyberFlood update includes several new features while enhancing CyberFlood’s ease of use:
New Attacks-Only and Client-Only DDoS attack modes add greater flexibility to DDoS attack emulation and enable customers to quickly go from the login screen of CyberFlood to a large-scale DDoS attack emulation in a few clicks.
New Network Resiliency tests cover the full range of RFC 2544 verification, including measuring maximum throughput, latency, jitter and burstability.
Tests can be organized in groups focused around a specific goal, such as an upcoming software release or enterprise product evaluation, enhancing collaboration within teams.
Additional fuzzing protocols allow CyberFlood to test devices across the entire Layers 2 through 7 stack and across multiple industry verticals, including industrial control, healthcare, finance, IoT and automotive.
CyberFlood continues to set the industry standard for malware testing with the only near-zero-day malware offering available in the industry, allowing enterprises to find the holes in their threat landscape, service providers to validate their SLAs and equipment manufacturers to confirm and extend their signature as well as heuristic detection functionality. (Source: Convergence Plus)
Kratikal Tech raises close to $500,000 in seed funding
Kratikal aims to use the funds for product development and building training modules
Cybersecurity start-up Kratikal Tech Pvt. Ltd. on Monday said it has raised seed funding from former director of Microsoft India Praveen Dubey, along with Amajit Gupta, former managing director of Juniper Networks India, and J.P. Bhatt, chief executive of ImpactQA.
Kratikal has raised close to $500,000, said a company executive, who did not want to be identified. The company will use the funds for product development and building training modules.
The company was founded in 2013 by five alumni of the National Institute of Technology, Allahabad—Pavan Kushwaha, Paratosh Bansal, Dip Jung Thapa, Prashant Pandey and Ankit Singh—after Kushwaha’s email account was hacked.
Kratikal provides cyber security services such as vulnerability assessment and security auditing, among others.
“We aim to provide world class cybersecurity solutions globally and work on building the environment and train the IT (information technology) professionals and digital community in India about how to build secure systems,” Kratikal said in a statement.
Kratikal claims to provide training sessions to corporates, law enforcement agencies and educational institutes. It claims to have trained over 5,000 candidates from over 131 countries through its online modules.
With a team of 15 employees, Kratikal services over 20 clients across corporate houses, police departments, law enforcement agencies and individuals in India, US, Australia, New Zealand and South Africa.
The Delhi-based company is also developing a software-as-a-service (SaaS) tool to automate its security testing services with the help of built-in artificial technology. “This automated tool will bring down the high cost of security testing and make it economically feasible for all the SMEs (small and medium enterprises) to be secure,” said the company.
The company competes with Chandigarh-based TAC InfoSec Pvt. Ltd and Delhi-based Lucideus Tech Pvt. Ltd. In 2016, TAC raised an undisclosed amount of pre-series A funding in August, while Lucideus had received an undisclosed angel funding from Amit Choudhary, director of Motilal Oswal Private Equity Advisors Pvt. Ltd.
A report published by MarketsandMarkets in July 2016 forecasts the global cybersecurity market to grow from $122.45 billion in 2016 to $202.36 billion by 2021, growing at a compound annual growth rate of 10.6%. (Source: Mint)
Government asks banks to share IT breach info within 2 hrs
The government has sounded an alert with all the top banks, including State Bank of India, Punjab National Bank, ICICI and HDFC, and instructed them to report any breach in their IT systems within 120 minutes, as the firewall against cyber hackers is strengthened in view of the large number of digital transactions. Steps are also being taken on an urgent basis to ensure that the vast amount of financial information - including confidential, personal and financial data - is not leaked by financial intermediaries for monetary gain, IT Secretary Aruna Sundarajan said.
"Any information collected about consumers cannot be shared at all without seeking the permission of the individual," Sundarajan told TOI as she spoke about measures that are undertaken to ensure that the government's digital transformation push does not result in large-scale leakage of private and financial information.
Among the various steps planned by the government is making laws more stringent and penalty-laden to guard against leakage. "More regulation is needed to make them tougher, especially to fix liabilities and responsibilities of the service providers towards their customers," the IT Secretary said.
"Stringent penal provisions will be mandated for any breach," Sundarajan said, adding that steps have been initiated to overhaul the IT Law of the country to make provisions in tune with the present-day requirements. The review is being undertaken in consultation with the Finance and Home Ministries.
The Modi government's sudden push towards a digital and less-cash economy has resulted in a massive surge in digital payments, including through mobile wallets, credit/debit cards and other point-of-sale (POS) methods. The government is also taking steps to sync the payment methods to the Aadhaar number, which is being linked to bank accounts.
However, certain breaches in the system have resulted in urgent measures to thwart cyber-attacks. Sundarajan said that the government may come out with technical standards that will spell out the responsibilities as well as liabilities for various financial intermediaries. It would also give details about how to address consumer grievances while also mandating customer awareness measures.
"This is one of the highest priorities and on a fast track. We are also taking the help of legal and cyber security experts, as well as the industry."
Regarding the alert to the banking system, Sundarajan said that they have been ordered to ensure that cyber attacks are contained as early as possible.
A full-fledged advisory has been issued to the banks so that they are on a 24x7 vigil. "We have asked them to carry out an audit of their IT security systems, while also appointing chief information security officers. Also, any breach in their IT systems has to be reported almost immediately, in under two hours, to us." (Source: Times of India)
Hacking on the internet keeps getting bigger and nastier
On Friday, epic cyberattacks crippled a major internet firm, repeatedly disrupting the availability of popular websites across the US.
Could millions of connected cameras, thermostats and kids' toys bring the internet to its knees? It's beginning to look that way. On Friday, epic cyberattacks crippled a major internet firm, repeatedly disrupting the availability of popular websites across the United States. The hacker group claiming responsibility says that the day's antics were just a dry run and that it has its sights set on a much bigger target. And the attackers now have a secret weapon in the increasing array of internet-enabled household devices they can subvert and use to wreak havoc.
Meet the fire hose
Manchester, New Hampshire-based Dyn Inc. said its server infrastructure was hit by distributed denial-of-service, or DDoS, attacks. These work by overwhelming targeted machines with junk data traffic, sort of like knocking someone over by blasting them with a fire hose. The attack temporarily blocked some access to popular websites from across America and Europe such as Twitter, Netflix and PayPal.
Jason Read, founder of the internet performance monitoring firm CloudHarmony, owned by Gartner Inc., said his company tracked a half-hour-long disruption early Friday affecting access to many sites from the East Coast. A second attack later in the day spread disruption to the West Coast as well as some users in Europe.
Members of a shadowy hacker group that calls itself New World Hackers claimed responsibility for the attack via Twitter, though that claim could not be verified. They said they organized networks of connected devices to create a massive botnet that threw a monstrous 1.2 trillion bits of data every second at Dyn's servers. Dyn officials wouldn't confirm the figure during a conference call later Friday with reporters. (Source: Economic Times)
WhatsApp must scrub data when users delete app: HC
The court issued the directions as WhatsApp, while launching its app initially, had provided complete security and protection of privacy.
"It is a path-breaking judgement protecting the interest of WhatsApp users. It is a major dent on their policy, definitely," said senior advocate Prathiba Singh, who argued for the petitioners. "WhatsApp will have to make changes to its policy to incorporate the directions of the court. For the future it will create a sensitivity among people that all their data could be shared with Facebook. If users make a conscious choice to share, then it's fine." WhatsApp and its counsel could not immediately be reached for comment. Trai Chairman RS Sharma declined to comment, saying that he was yet to go through the court order.
On Friday, the judges asked WhatsApp to completely delete information of users who do not want to remain on it and not share any information with Facebook after the account is deleted. It also said the service shouldn't share information of existing WhatsApp users with Facebook until September 25. (Source: ET Telecom)
Trai Chairman R S Sharma's Twitter account hacked
Twitter account of Trai Chairman R S Sharma was hacked today and some obscene comments making fun of him were posted on the microblogging site.
"I like dumb ways to die because it is most funny," one of the tweets posted from his Twitter handle said.
Another tweet carried an obscene comment and a link to the Apple App Store prompting users to subscribe to iTunes news. "This is to inform that the Twitter handle of Chairman Trai has been hacked and absurd posts are being put out. Please ignore indecent messages being put out from his handle," a Trai official said.
Sharma is on an official trip to Fiji and Australia. He is to attend a conference on the regulator's role in financial inclusion and will be meeting telecom firms in Australia. (Source: New Indian Express)
Cyberattacks on banks globally leave financial sector anxious
A series of spectacular cyber attacks against banks, resulting in the theft of tens of millions of dollars, has heightened fears for an industry becoming an increasingly attractive target for hackers. Banks in Bangladesh, the Philippines, Vietnam and Ecuador have been victimized over the past year in the attacks on the global interbank service known as SWIFT, and some analysts expect more attacks to become public.
After news of the $81 million heist from Bangladesh's central bank became public in May, SWIFT said the incident was "not a single occurrence, but part of a wider and highly adaptive campaign targeting banks."
Since then, officials said banks have also been hit in the Philippines and Vietnam. Meanwhile Ecuador's Banco del Austro claimed in a lawsuit that hackers made off with more than $9 million through fraudulent SWIFT transfer requests. Cyber security specialists say these attacks are likely just the tip of the iceberg, and expect more revelations. "Cyber criminals are no longer targeting grandmothers at home for small amounts, but going directly where the money is," said Juan Andres Guerrero-Saade, a researcher with the security firm Kaspersky.
Guerrero-Saade said it's not clear where the attacks are coming from, but that the hackers are using techniques similar to those developed for cyber espionage. "I don't think this implies it's nation-states, it's more of an evolution," the analyst said. "It's criminal actors taking on some of those techniques." Kaspersky researchers last year uncovered a hacker group which targeted banks in Eastern Europe, estimating losses totaling up to $1 billion. (Source: Times of India)
New smartphone app to simplify your privacy settings
Researchers are developing a personalised privacy assistant app that can simplify the task of setting permissions for your smartphone applications. That is a job that requires well over a hundred decisions, an unmanageable number for the typical user, researchers from Carnegie Mellon University (CMU) in the US said. The privacy assistant can learn the user's preferences and quickly recommend the most appropriate settings, such as which apps to share the user's location or contact list with.
In the field test, people accepted almost 80 per cent of the recommendations made by the privacy assistant and, at the end of the study, these people indicated they were more comfortable with their privacy settings than users who did not have a privacy assistant, researchers said. "It is clear that people just cannot cope with the complexities of privacy settings associated with the apps they have on their smartphones," said Norman Sadeh from CMU. "And it's not just smartphone apps. The growing number of sensors and other smart devices that make up the so-called internet of things will impact privacy and make it even more challenging for users to retain control over their data and how it is being used," said Sadeh. (Source: Economic Times)