Non-Sense or Over-Confidence? TRAI chairman's personal data leaked after he threw the Challenge

So finally some proof has been shown on personal data leakage to the Indian Bureaucrats . As per Government of India, "There is nothing called absolute right to privacy" and the privacy “should be subject to reasonable restrictions.” Read my previous post on Why India needs a Stringent Data Privacy Law? Here.
Citizen's personal data has been shared with various organizations those are in sectors like Telecom, Service, retailers, E-commerce etc. In my opinion, before implementing the data sharing, the government must implement some data privacy laws and standards like the European GDPR in India. Once it is implemented and audited properly for the compliance, then the government can consider about data sharing. Currently there is no stringent laws and policies on data leak. The penalty is there for a few clauses but considering the value of the data, the penalty is negligibly small.

 

The Reply came within hours , Sweet Sour !!!

The TRAI chairman challenged A french security expert named Elliot Alderson on Aadhaar Data by sharing his Aadhaar number on twitter. Today, on 28th July 2018, Mr.Elliot exposed the TRAI chairman's personal information in a series of tweets. Though it is not sure on how he has obtained his personal information, he was able to get the victims data so quickly. I personally believe that he might have obtained the data through some public sources/websites and not by hacking UIDAI.

However, this is a very serious issue on data privacy especially lacking of a stringent Data Privacy law.We have been seen a series of such leaks and unauthorized usage of citizens data by some E-commerce/Telecom companies. Even there was an incident on data leak from a government website itself.

When it comes to Information security Governance, there are two major factors. Due Care and Due Diligence. In my personal opinion, both factors are violated here. There is no Privacy for the data which is shared to the government and other private sector companies and there is no due diligence from the government and the organizations on providing privacy and security for the data. Until the implementation of a Data Privacy law with Stringent penalty and punishment, the citizen's personal data can be considered as public.

Also the citizens expect an explanation from the Government on this incident and data security.

Read More

Part 2-InfoSec Scribbling : ISO/IEC 27001:2013

:: InfoSec Study Notes : Scribbling on ISO/IEC 27001:2013 Standard Part-2:: 

For Part-1 of this series , Go here.

Context of the Organization

The organization needs to identify the Internal and external issues that can affect the expected outcome. Hence context becomes an important consideration and helps to ensure that the ISMS is designed and adapted for your organization.

-External Issues-external to the organization

    External issues may include:
    government regulations and changes in the law, Political conditions
    economic shifts in your market
    Partner,Vendors and competitor.
    events that may affect your corporate image
    Trends and changes in technology

-Internal issues-within the organization and under direct control of the organization.

    Internal issues can include :
    regulatory requirements for the organization
    strategies to conform to your policies and achieve your objectives
    relationship with your staff and stakeholders, including partners and suppliers
    resources and knowledge including people, processes, budget, technology etc.
    assets
    product or service
    standards, guidelines and models adopted by the organization

-Interested parties and their needs and expectations.-client, end-users, employees, partners, suppliers etc.

 When developing your ISMS, consider interested parties that can affect the organizations':
 -ability to consistently provide a product or service that meets your customers' needs and any statutory requirements and regulations

-ability to enhance customer satisfaction and standards/regulations.

-Document Everything.

For internal issues, document the relevant ones as part of the organization's information security objectives and results of the risk assessment, and maintain records of the competence of your employees.
For external issues, it is mandatory to have a list of relevant legislative, statutory, regulatory, and contractual requirements;.

Scope of ISMS

-The scope should be documented.
-Scope means where are you going to plan/implement the ISMS and what you are trying to protect. This document clearly define the boundaries of the Information Security Management System (ISMS).
-The organization should define the scope of its ISMS in relation to its business needs, the structure of the organization, its location, its information assets and its technologies.

Read More

Part 1-InfoSec Scribbling : ISO/IEC 27001:2013

:: InfoSec Study Notes : Scribbling on ISO/IEC 27001:2013 Standard Part-1::
 
ISO/IEC 27001:2013 is an information security management standard. Organizations use it to manage and control the information security risks, to protect and preserve the confidentiality,integrity, and availability of information, and to establish your information security management system (ISMS).

-Is a systematic framework to manage information security related risks and protect important information.
-Also consists of requirements for an ISMS Annex A- a list of control objectives and controls for information security.

-Annex A provides an essential tool for managing security. A list of security controls (or safeguards) that are to be used to improve security of information.
-In brief, the Annex A lists the following control objective. This is a very large list which have more sub-topics/controls.
    -Security Policy Management
    -Corporate Security Management
    -Personnel Security Management
    -Organizational Asset Management
    -Information Access Management
    -Cryptography Policy Management
    -Physical Security Management
    -Operational Security Management
    -Network Security Management
    -System Security Management
    -Supplier Relationship Management
    -Security Incident Management
    -Security Continuity Management
    -Security Compliance Management

ISO 27000 family of standards:

ISO/IEC 27001 –specifies the requirements for an ISMS
ISO/IEC 27002 –guideline for the implementation of the controls in Annex A
ISO/IEC 27000 – a general overview of information security and terms and definitions
ISO/IEC 27003 –general guidance for the implementation of an ISMS
ISO/IEC 27004 –advice on how organizations can monitor and measure the performance of their ISMS
ISO/IEC 27005 –guidance on risk management and
ISO/IEC 27006 –for audit and certification of ISMS
ISO/IEC 27007 - guideline on how to audit an ISMS
-sector specific -
ISO/IEC 27011 –application of security controls in telecommunication
ISO/IEC TR 27015 –information security management in financial services

To continue on this series Part-2, Click here.

Read More

Cisco Modular Policy Framework (MPF) : A brief Introduction

Modular Policy Framework (MPF) configuration defines set of rules for applying firewall features, such as traffic inspection, QoS etc. to the traffic transiting the firewall
There are 3 main components in creating a MPF.
1) Class Map
Class map is used to identify the type of traffic. This can be done by creating an ACL.
2) Policy Map
Policy Map specifies what action the ASA should take against the traffic identified by the Class Map.
3) Service Policy
Finally Service policy specifies where to apply it. The policy is applied to an interface or Globally.

Sample Illustration

Consider the following Command lines.

access-list OUTSIDE-TO-INSIDE permit tcp any any eq ftp
<--- The above ACL will allow FTP traffic. This ACL can be different than the Interface ACL--->
class-map FTP-CLASS-MAP
    match access-list OUTSIDE-TO-INSIDE
<--- The class map FTP-CLASS-MAP will look for the FTP traffic based on ACL --->
policy-map FTP-POLICY-MAP
    class FTP-CLASS-MAP
        inspect ftp
<--- What action need to be done? here inspect the ftp. --->
service-policy FTP-POLICY-MAP interface outside
<--- Apply the policy in the outside interface --->


The above illustration is just an example. MPF enables the administrator to assign different network policies to different traffic flows in a flexible and granular manner.

Read More

Crossover or Straight-through Cable? Its Auto-MDIX

On older devices, we should choose the type of cables for connectivity. If it's same kind of device, then a crossover cable and if they are different, then a Straight-through cable. To overcome this inconvenience , there is a feature introduced on network devices , Auto-MDIX.
This feature automatically detects the required cable connection type for a connection. That is, whether to use straight or Crossover. If either one of the connection device supports Auto-MDIX, then no matter the device, you can use a crossover or a straight-through cable. It also needs the speed and duplex auto-negotiation feature being enabled on the device. 

In other words, with this feature enabled, the interface automatically corrects for any incorrect cabling.
And Automatic medium-dependent interface crossover (Auto-MDIX) is enabled by default (from IOS 12.2(20)SE on-wards).

Sample Manual configuration is shown below.

Read More

Top 5 Accounts : Review and Adjust your Privacy Settings

So, May 2018 was a remarkable month in the world of data security. European GDPR is now in effect and almost all tech giants are adjusting themselves in order to comply with the data privacy standards.

I have consolidated the Privacy policies of the top 5 companies and the link for adjusting/controlling your data privacy. Review your privacy settings and control your own privacy.

Google

Privacy Policy : https://privacy.google.com/take-control.html
Adjust Privacy Settings : https://myaccount.google.com/intro/privacy

Facebook

Privacy Policy : https://www.facebook.com/privacy/explanation
Adjust Privacy Setting : https://www.facebook.com/settings?tab=privacy

Instagram

Privacy Policy : https://help.instagram.com/519522125107875
Adjust Privacy Settings : https://help.instagram.com/196883487377501

Yahoo

Privacy Policy : https://policies.oath.com/ie/en/oath/privacy/index.html
Adjust Privacy Settings  : https://policies.oath.com/us/en/oath/privacy/controls/index.html

Twitter

Privacy Policy : https://twitter.com/en/privacy
Adjust Privacy Settings : https://twitter.com/settings/account

Controlling your own public information on the internet is your own responsibility. Review your privacy settings frequently.

Read More

CEHv10 Exam Blueprint : Effective 1st October 2018

 An exam blueprint is a break down the sections of the Exam Syllabus and makes it easier for the test taker to  prepare for the exam. It helps the test taker to understand how many questions in various areas of practice should go on an exam.

Effective 1st October 2018, EC-Council will be introducing a new version of the CEH exam blueprint and it is mentioned below.

The current CEH blueprint is valid till September 30th 2018. You can find the current blueprint here :https://cert.eccouncil.org/images/doc/CEH-Exam-Blueprint-v2.0.pdf

Read More

DoS Attacks : Smurf,Fraggle,Land

Smurf attack.

Smurf is a DoS attacking method. In this flood attack, it floods the victim with the ICMP echo packets instead of TCP SYN packets. Also, it is a spoofed broadcast ping request using the victim IP address as the Source IP.
Most of the modern devices can deter these kind of attacks and SMURF is rarely a threat today.
#hping3 -1 --flood --spoof <target> <broadcast_address>

Fraggle attack.

Similar to Smurf attack, but instead of using ICMP, Fraggle uses UDP packets over UDP ports 7 and 19. Also will broadcast a UDP packet using spoofed IP address of the victim. All the devices on the network will then respond to the victim similar to the Smurf attack.

Land attack

In this, the attacker sends spoofed SYN packets to the victim using the Victim's IP address and both source and destination IP. This results in the system constantly replying to itself can  crash the system.
#hping3 -c <packet_count> -s <src_port> -d <dst_port> --flood -a <victim_IP source spoof> <victim_IP>

Read More

Nmap : Basic overview on Scanning Techniques

Nmap. One of the top scanning tool used in Cyber/Networking. There are plenty of scanning techniques that can be used in Nmap. This post is intended to provide a the basic overview on NMap scanning techniques.

1) Ping Scan [-sP]

This types of scan is used to detect which computers or devices are online, rather than which ports are open.In this, NMap sends an ICMP ECHO REQUEST packet to the destination system. If an ICMP ECHO REPLY is received, the system is considered as up, and ICMP packets are not blocked.If there is no response to the ICMP ping request, Nmap will try a "TCP Ping", to determine whether ICMP is blocked, or if the host is really not online.
A TCP Ping sends either a SYN or an ACK packet to any port (80 is the default) on the remote system. If RST, or a SYN/ACK, is returned, then the remote system is online. If the remote system does not respond, either it is offline, or the chosen port is filtered, and hence it won't be responding to anything. When you run an Nmap ping scan as root, the default is to use the ICMP and ACK methods.Non-root users will use the connect() method, which attempts to connect to a machine, waiting for a response, and tearing down the connection as soon as it has been established and thus it will result in a full TCP scan.
eg: #nmap -sP 192.168.1.1

2) Full Connect/TCP connect() Scan [-sT]

This type of scan will try to establish a full TCP connection and a 3-way handshake will happen. Hence the Full connect scan is noisy and the connection info will be logged by the IDS/Firewalls. If the scan result is open, then we can definitely able to connect to that particular port.
eg: #nmap -sT 192.168.1.1

3) Stealth Scan/ SYN scan [-sS]

This type of scan wont establish a TCP connection. It will scan by sending a SYN flag packet and if the port is open, then a SYN/ACK will be send back as a response by the target machine, thus result in a half embryo connection. Since a full connection wont establish, the connection info will not be logged by the Firewalls/IDSs and hence it is widely known as Stealth scan. If a RST pack is received as a response, then probably the post is closed.
eg: #nmap -sS 192.168.1.1

4)UDP scan [-sU]

Useful in very particular cases since most of the services uses TCP widely. UDP scan works by sending a UDP packet to the targeted port. If no response is received, then the port will be considered as Open | filtered. Filtered because some firewalls wont respond to the blocked UDP ports.If the port is closed, then an ICMP response(ICMP port unreachable error type 3, code 3) will be send by the target device.
eg: #nmap -sU 192.168.1.1

5) TCP NULL [-sN], FIN [-sF], and Xmas scans [-sX]

Null scan (-sN) - Does not set any bits (TCP flag header is 0)
FIN scan (-sF) - Sets just the TCP FIN bit.
Xmas scan (-sX) - Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.   
If a RST packet is received, the port is considered closed, while no response means it is open|filtered.
The port is marked filtered if an ICMP unreachable error is received.
eg: #nmap -sN 192.168.1.1
      #nmap -sF 192.168.1.1
      #nmap -sX 192.168.1.1

6)TCP ACK scan [-sA]

This type of scan uses the ACK flags. Unlike other scans, ACK scan is not used to determine whether the port is Open or Closed.It is used to map out firewall rule-sets, determining whether they are stateful or not and which ports are filtered.Stateful Firewalls, will respond with a RST packet as the sequence is not in order.
eg: #nmap -sA 192.168.1.1

7)Version Detection [-sV]

Version Detection collects information about the specific service running on an open port, including the product name and version number. This information can be used in determining an entry point for an attack. The -sV option enables version detection, and the -A option enables both OS fingerprinting and version detection
eg: #nmap -sV 192.168.1.1

[Learn more and download the tool @ https://nmap.org/ ]

Read More

Why you should not believe in Online Reviews and Social networking sites?

Most of us, before buying a product from Amazon/Flipkart, or before booking a movie ticket, we might go through the review section to see what others think about it, how good it is?, what are the pros and cons? etc.

Let me tell you a fact. Though there are genuine reviews written by genuine customers/users, majority of the reviews are paid reviews. Similarly paid opinions can be seen in forums like Quora, Yahoo Answers.When it comes to social networking websites, there are big companies working for corporate, political parties, ideological institutions.

Many of us are addicted to these social networking sites and we like and share things which we are not sure about. All want to monetize their profit and for that they will do even the worst methods to make things viral.These institutions pay millions of money to distribute and publicize their propaganda. In short, to brainwash the audience.

When thousands write a good review of a bad product, that product automatically becomes good in the public.

Most of the companies are running affiliate programs. Which means, you promote us and if someone buys a product through you, we will give a commission to you. One of the Site defines it's affiliate program as,

"You can use various promotional methods to earn easy commissions including placing banners, links, and writing product reviews on your website or blog. You will receive customized links for all the promotions, through which we will track sales. When any customer, referred by you, makes a purchase, you get paid."

There are plenty of online job sites serves over the internet. If you signup, you can see many online job offerings such as harvesting likes,up-votes, review writings, data entry etc.

It's funny that, you don't even need to find words to write a review. The review content is also provided by the marketing company and all you need to do is copy and paste it on relevant blogs, forums websites under your account (even from multiple accounts).

I have taken few screenshots from one of those site. Lets go through that and understand how companies can brainwash you with reviews and posts. When thousands write a good review of a bad product, that product automatically becomes good in the public.

The following screenshots are job advertisements , the employer is paying money to publicize their hashtag and their product.

 

 Another job, the worker need to signup, comment and give a link to the product website.

See the instructions. Just follow this and get paid. Spread the propaganda, or publicize a product no matter how good or bad it is.

This job is to do the up-votes..lol.

Due to the large influence of Social Networking sites on common people, any one can throw money to circulate and publicize their propaganda. Even the Visual medias are also working like that.

So with this article, i remind each and everyone that Use your Brain, Think and Act. Don't blindly believe everything on the Internet. Don't blindly believe in what others says.

Everything around us are trying to brainwash our thoughts. So again, Use your Brain ! Always!

Read More