[Owasp-delhi] Pakistan Hackers Respond To Indian Hackers
Tarun Dua
tarundua at gmail.com
Sat Dec 4 21:23:42 EST 2010
I have heard this before. More often than not it's the large vendors who do
not directly bid, but help establish tender criteria in which they would
benefit regardless of the implementer.
-Tarun
On Sat, Dec 4, 2010 at 11:23 PM, Soi, Dhruv <dhruv.soi at owasp.org> wrote:
> Since we pursued a few govt. projects available via bidding on public
> tenders, I would comment from a completely business-centric approach here:
>
> Most such tenders are already fixed before going out to the public, and
> most of the time they are prepared by the company which ultimately wins
> at the end. These are biased tenders, with conditions which can only be
> fulfilled by the company that prepared them, and other capable companies
> get automatically rejected from the bidding process.
>
> Providing such favours to the company gives personal benefits to the person
> at the govt. department who is responsible for looking after the project. I
> am certainly not trying to comment, nor am I aware of how the CBI website
> security audit work was provided to the auditor and whether it involved
> fixing or not. But it is strange to know that the company which conducted
> the audit for the CBI website could not find a simple SQL injection, even
> if it was under a limited budget.
>
> Just to give an example: last week, we met a govt. dept. which wished to
> outsource auditing work worth 10L, and we were surprised to know that they
> kept a qualification condition for bidders of a turnover above 40 Crs.,
> which makes absolutely no sense and clearly indicates bias.
>
> Apart from setting up other standards and including an empanelment process
> for the auditors, I think CERT-IN also needs to ensure that for critical
> work like InfoSec such qualification criteria fall under some pre-defined
> standards, else there would be biased tenders involving corruption, leading
> to worthless audits and resulting in shame for the country.
>
> *From:* owasp-delhi-bounces at lists.owasp.org [mailto:
> owasp-delhi-bounces at lists.owasp.org] *On Behalf Of *Chintan Dave
> *Sent:* 04 December 2010 21:01
> *To:* Tarun Dua
> *Cc:* owasp-delhi at lists.owasp.org
> *Subject:* Re: [Owasp-delhi] Pakistan Hackers Respond To Indian Hackers
>
> Guys,
>
> Apologies, however I beg to differ a bit here. We should also understand
> NIC's constraints. They do scan sites for vulnerabilities, however with a
> limited budget, so that does hurt a bit. I'd still say that it's not
> completely NIC's fault. If the respective application focals don't fix
> things on their end even after seeing high-risk issues, whom to blame?
>
> Govt officials can't really push (ideally they should have the power,
> however I doubt they are delegated that much authority).
>
> Again, consider the case of shared servers which have poor config because
> some legacy application running on them needs FTP/telnet! Sucks.... But
> these are practical challenges! You can't force the business to go down
> because of these hiccups. If you push them harder, believe me, you'll find
> a tough time justifying your actions.
>
> End result: weak server configurations, unpatched and wide-open apps invite
> people to hack in!
>
> Now that something like this is witnessed, I am hoping that folks at NIC
> can use this as an opportunity to push the respective app focals and
> tighten their security. It's only when the brand is tarnished that people
> take things seriously!
>
> Hope things change soon.... Fingers crossed!
>
> Sorry for brevity, sent from my iPod,
>
> Thanks,
>
> Chintan
>
> On 04-Dec-2010, at 7:03 PM, Tarun Dua <tarundua at gmail.com> wrote:
>
> Your statement makes me worried at multiple levels.
>
> 1. Does nobody do website scanning for user input verification before they
> make it live? I think apart from the contact form there was hardly any
> user input in the whole website. Close out the user-input related pages and
> the SQL injection issues go away for a while; the rest of the website can
> be back.
>
> 2. Why don't they rely on robust open source like WordPress/Drupal for
> simple content-based sites which anyway don't have any useful information?
> At least the patches get released regularly and can be easily applied.
> Of course, if they contract out theme building, the likelihood is that
> '90s-style themes would have vulnerabilities built into them by the newbies
> who code them; there are a few things that don't work well with a tendering
> process, and building web applications is one of them. Otherwise,
> monstrosities like the MCA21 website are what it results in, at a huge
> cost to the taxpayers.
>
> 3. What prevents them from putting up a static page saying the website is
> being restored, instead of just doing a disappearing act?
>
> 4. This is not the first time it has happened to NIC; how many heads have
> rolled till now?
>
> 5. The below-mentioned link makes for really sad reading; it's not hard for
> a big spender like the Government to hire a few ex-Google, ex-Yahoo!,
> ex-Amazon folks in India these days to fix web security from the ground up.
>
> -Tarun
>
> On Sat, Dec 4, 2010 at 6:41 PM, Soi, Dhruv <dhruv.soi at owasp.org> wrote:
>
> If you read the article I just shared, it mentions that the CBI website had
> SQL injection, so it can't be restored without programming changes. I also
> went through another article on the Indian National Cyber Security policy
> which literally made me laugh; it's available here:
> http://www.hackerregiment.com/indias-national-cyber-security-policy-or-corporate-information-security-policy.html
>
> *From:* owasp-delhi-bounces at lists.owasp.org [mailto:
> owasp-delhi-bounces at lists.owasp.org] *On Behalf Of *Tarun Dua
> *Sent:* 04 December 2010 18:35
> *To:* amar wakharkar
> *Cc:* owasp-delhi at lists.owasp.org
> *Subject:* Re: [Owasp-delhi] Pakistan Hackers Respond To Indian Hackers
>
> If NIC were a hosting company they wouldn't be getting any business for
> managed services, given their legendary incompetence. Do they have an SLA
> to restore stuff in finite time? I mean, the napakis hosted their websites
> in the US, so understandably they were fiddling with FTP to upload stuff
> from their blazing fast, cheaper-than-India DSL lines, but what sort of
> 'enterprise' tape drive backups do these folks at NIC use that they can't
> restore a static website of no more than a few megabytes for so long?
>
> Shit happens all the time; it's the MTTR that matters more.
>
> India seems to have its fill of incompetent bureaucrats like the ones at
> CERT-IN (where some sweater-knitting ladies pick up the official phone
> mentioned on their website, with "CERT-IN woh kya hai" type answers when
> you call them up to verify their PGP key fingerprint as recommended on
> their website).
>
> -Tarun
>
> On Sat, Dec 4, 2010 at 4:19 PM, amar wakharkar <amarsuhas at hotmail.com>
> wrote:
>
> Hi Jack,
>
> What do you have to say about the CBI website hack?
>
> ------------------------------
>
> >> ____________________________________________
> >>
> >> -----owasp-delhi-bounces at lists.owasp.org wrote: -----
> >>
> >> To: "owasp-delhi at lists.owasp.org" <owasp-delhi at lists.owasp.org>
> >> From: Jack H4xor <j4ckh4xor at gmail.com>
> >> Sent by: owasp-delhi-bounces at lists.owasp.org
> >> Date: 11/30/2010 03:13PM
> >> Subject: [Owasp-delhi] Indian Hackers Respond to 26/11 Terrorist Attack
> >>
> >> 26th November 2010, two years from the dark day for Indians when a
> >> few Islamic terrorists from Pakistan opened fire at a few key public
> >> places in Mumbai, killing around 175 people and wounding many.
> >>
> >> A group of young and enthusiastic Indian hackers, tagged as Indian
> >> Cyber Army (ICA), powered by indishell.in, carried out a mass defacement
> >> operation against many public and official websites belonging to
> >> Pakistan in order to pay homage to the martyrs of the terrorist
> >> incident. Hacker Regiment sources talked to a few hackers belonging to
> >> ICA to understand their modus operandi behind such cyber attacks.
> >> Jackh4x0r and LuCkY said that most of the group members are already
> >> well settled and earning good money from their professions.
> >> "Monetary benefit is not the motivation for any of the group members
> >> to carry out such cyber attacks; this particular attack was to convey
> >> a message to the Pakistani citizens on opposing the terror route being
> >> followed by their nation to disturb neighbours. And 26/11 was the
> >> ideal time for conveying this message, when our brave soldiers laid
> >> down their precious lives for the country's people," said Jackh4x0r.
> >>
> >> Source:
> >> http://www.hackerregiment.com/indian-hackers-respond-to-26-11-terrorist-attack.html
> >>
> >> Peace
> >> Jack
> >> _______________________________________________
> >> Owasp-delhi mailing list
> >> Owasp-delhi at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-delhi
> >>
> >>
> >
> >
> > --
> > Regards,
> > Chintan Dave,
> >
> > LinkedIn: http://in.linkedin.com/in/chintandave
> > Blog: http://www.chintandave.com
> >