[Owasp-delhi] Pakistan Hackers Respond To Indian Hackers
Soi, Dhruv
dhruv.soi at owasp.org
Sun Dec 5 05:13:06 EST 2010
I'm not sure what others on the list feel, but I'm sorry to say that I completely disagree with your points. I hope nothing gets personal here, but I will try to share my thought process.
1. This billion-people country doesn't follow a security analyst's vocabulary, or does it? When I used words like "shame for the country", I didn't count the few thousand security experts like you and me who understand the meaning of "website defacement". Be it aimed at international publicity or an intentionally hyped story, for the common man of the country this incident means "hacking". Be it the cleaner or the sweeper who is awaited on Monday, no one is bothered about that. The question ends at: who is accountable? The builder, the designer, the painter, the survey team, or the security guard who is responsible for ensuring the security of the building? Or should one keep waiting for a new Monday every time?
2. Be it HTML marquee tags, bold or italic tags, the first principle of information security, "CIA", is self-explanatory. If something is unavailable due to a lame or sophisticated cyber attack, be it CISA/CISM/CISSP, it is called a security breach, and then comes rapid incident response before thinking about mitigation. "Reputational loss" is much higher than "financial loss", and defacement is enough to cause that loss. Yes, it is the lamest act of publicity, but we have to accept it.
3. As you said, the turnover requirement is to mitigate risk. Do you think a company with a turnover of over 3 Cr. would declare bankruptcy over a small project of 10 L? Why do we need a company with 40 Crs.? The point I tried to make was that qualification criteria for tenders should be pre-defined rather than put into tenders in an ad-hoc manner. Ideally, a turnover of 10 times the total project value should ensure execution of the project by mitigating risks; it could be 20 times or 30 times, the lawmakers are the best judges to decide, but again it should be defined somewhere on record so that it doesn't open doors for corruption. For a project requirement that needs just 2-3 InfoSec resources, do we really care about a larger organization that can rally resources faster? Every large enterprise of today started as a small 10-20 member shop a few years back, be it Google, Facebook, Microsoft, or IBM. Secondly, SMBs are the largest segment in India, and by making such ridiculous qualification conditions the govt. is only going to increase the monopoly of larger organizations, discouraging innovation and degrading the quality of services. Healthy qualification criteria invite more bidders, improve competition and increase the quality of services.
4. A mature CMS product, and that too community driven, is much more secure than trying to develop one's own CMS. Think about writing your own operating system rather than using a mature and community-driven one like Debian. Money should actually be spent on hardening the CMS with an in-depth security code review of the core engine and approved plugins, followed by a pen-test exercise, to make it a standard hardened CMS product for all the govt. websites, much like OpenBSD in the OS category. It could save taxpayers' hard-earned money from being wasted by the government on repeating the web development and security testing process for every one of those thousands of government websites that still carry tons of vulnerabilities.
5. Tarun mentioned hiring ex-Google, ex-Yahoo; I am sure he didn't mean (@Tarun, correct me if I am wrong) to hire developers from those companies, rather he pointed to hiring top leadership who can lead the entire show with accountability and well-defined quality gates. Just like Nandan Nilekani from Infosys is now the Chairman of UIDAI.
6. Defacement of a flower shop's website doesn't bother anyone, but defacement of prime websites makes a big difference. Just like a bomb blast in some slum area killing hundreds didn't bother many, but a few gunshots at Hotel Taj/Trident created war-like conditions. The "pimple on the face" principle is as good as the "Asset Identification and Valuation" principle in risk assessment, which can be found in CISSP/CISA.
Thank God it was Sunday and I could share my opinion in detail :)
From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Vinil Menon
Sent: 05 December 2010 11:57
To: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] Pakistan Hackers Respond To Indian Hackers
Let's take a couple of steps back and start looking at things from a slightly elevated (pun intended) perspective.
1. Website defacement need not be taken at an emotional level. I'd encourage all of you to do some introspection and ponder whether words like "shame for the country" have a place in a security analyst's vocabulary. For argument's sake let's say they do - but do they really apply to "website defacement", which is one of the lamest acts of publicity mongering, all hyped up in today's ignorant, publicity-scavenging, news-hungry environment?
In the physical world, what would you do about graffiti on a building - you'd wait till the cleaner comes back on Monday and gets the chance to clean it up. You don't have the CEO spending sleepless nights over it - unless of course he's the cleaner himself. I was going through the CISA and CISSP bodies of knowledge trying to locate the disaster planning/mitigation one should undertake for graffiti.
2. FWIW, most of these websites are static and host only some public documents and HTML marquee tags - which is how they should be ;) If there's nothing worthwhile, then wasn't the entire exercise in futility?
3. The concept of "if you graffiti my wall, I will graffiti your wall" (what all these nags and sheshnags and kyabakis are up to) has entertainment value, but beyond that does it really deserve the time and bandwidth we are consuming in discussing it? Of course, systems can be hardened and services like Pingdom etc. can be utilized, but that's utopia :)
4. Addressing the point about (turnover above 40 Crs) - for many organizations that are new to a process (in this case security review) it is a safety mechanism to put in a vendor size requirement. That is one way of mitigating risk, both from a process as well as an ability-to-handle-legal-liability point of view. Also, a larger org can rally resources much faster by throwing money at the problem than a small 10-20 member shop that will be asking for an advance even before the project begins. So, it may not always be favoritism - it is simply an act of CYA. Credibility helps for small vendors, but when faced with people whose jobs are on the line, they'd rather vote for their job security than application security ;)
5. Another argument I read was about using popular consumer CMSs like WordPress/Drupal etc. One of my WordPress sites (duly updated, security scanned etc.) was susceptible to a mass defacement attack a few weeks back using a vulnerability in the blog post editor component (the web still has wrong information on how to fix the issue). My point being: using a popular CMS is not going to fix the problem.
6. Ah! The age-old logic: an ex-popular-company developer can fix it. The knight in shining armour! Absolute load of whatever. Working at any of the top software companies IS NOT the same as being a good security analyst. Most developers the world over (including folks at the companies you mentioned) don't know about secure coding. Show me one good coder with a firm grasp of security and I can show you millions without! Most guys in interviews start waxing eloquent about SQL injection and tell me about their favorite tools, then go numb when asked about out-of-band channeling. Just like any other field, software is teeming with folks who are in it for the money - which doesn't guarantee depth of knowledge! In fact, being good at C (which most of these shops prefer) is inversely proportional to their security quotient.
Just let these defacements be line items in your daily news. Don't ponder too much over them - there are much deeper issues to solve. It is like giving prime importance to a pimple because it is on your face (which is not quite pretty to begin with :p), when your innards are actually decaying.
For each defacement that is reported, I wonder how many compromised servers running botnets, waging a proxy war against your own servers from your own soil, are going unnoticed. (Had to put that in - what's an email without some sensationalism, correct?)
Enjoy your Sunday - and remember the wise always said, attachment of any kind (in life or in email) is not good for you.
Vinil
_____
From: Tarun Dua <tarundua at gmail.com>
To: dhruv.soi at owasp.org
Cc: owasp-delhi at lists.owasp.org
Sent: Sun, December 5, 2010 7:53:42 AM
Subject: Re: [Owasp-delhi] Pakistan Hackers Respond To Indian Hackers
I have heard this before. More often than not it's the large vendors who do not directly bid, but help establish tender criteria from which they would benefit regardless of the implementer.
-Tarun
On Sat, Dec 4, 2010 at 11:23 PM, Soi, Dhruv <dhruv.soi at owasp.org> wrote:
Since we pursued a few govt. projects available via bidding on public tenders, I will comment in a completely business-centric approach here:
Most of such tenders are already fixed before going out to the public, and most of the time they are prepared by the company which ultimately wins at the end. Such are biased tenders, with conditions that can only be fulfilled by the company which prepared them, and other capable companies get automatically rejected from the bidding process.
Providing such favours to the company gives personal benefits to the person at the govt. department who is responsible for looking after the project. I am certainly not trying to comment, nor am I aware of how the CBI website security audit work was awarded to the auditor and whether it involved fixing or not. But it is strange to learn that the company which conducted the audit for the CBI website could not find a simple SQL injection, even if it was under a limited budget.
Just to give an example: last week, we met a govt. dept. which wished to outsource auditing work worth 10 L, and we were surprised to learn that they kept a qualification condition for bidders of a turnover above 40 Crs., which makes absolutely no sense and clearly indicates bias.
Apart from setting up other standards and including an empanelment process for auditors, I think CERT-IN also needs to ensure that for critical work like InfoSec such qualification criteria fall under some pre-defined standards, else there will be biased tenders involving corruption, leading to worthless audits and resulting in shame for the country.
From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Chintan Dave
Sent: 04 December 2010 21:01
To: Tarun Dua
Cc: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] Pakistan Hackers Respond To Indian Hackers
Guys,
Apologies, however I beg to differ a bit here. We should also understand NIC's constraints. They do scan sites for vulnerabilities, however with a limited budget, so that does hurt a bit. I'd still say that it's not completely NIC's fault. If the respective application focals don't fix things on their end even after seeing high-risk issues, whom do we blame?
Govt. officials can't really push (ideally they should have the power, however I doubt they are delegated that much authority).
Again, consider the case of shared servers which have poor config because some legacy application running on them needs FTP/telnet! Sucks.... But these are practical challenges! You can't force the business to go down because of these hiccups. If you push them harder, believe me, you'll have a tough time justifying your actions.
End result: weak server configurations and unpatched, wide-open apps invite people to hack in!
Now that something like this has been witnessed, I am hoping that folks at NIC can use this as an opportunity to push the respective app focals and tighten their security. It's only when a brand is tarnished that people take things seriously!
Hope things change soon.... Fingers crossed!
Sorry for brevity, sent from my iPod,
Thanks,
Chintan
On 04-Dec-2010, at 7:03 PM, Tarun Dua <tarundua at gmail.com> wrote:
Your statement makes me worried at multiple levels.
1. Does nobody do website scanning for user-input verification before they make it live? I think apart from the contact form there was hardly any user input in the whole website. Close out the user-input-related pages and the SQL injection issues go away for a while; the rest of the website can be back.
2. Why don't they rely on robust open source like WordPress/Drupal for simple content-based sites which anyway don't have any useful information? At least the patches get released regularly and can be easily applied. Of course, if they contract out theme building, the likelihood is that the 90's-style themes would have vulnerabilities built into them by the newbies who code them; there are a few things that don't work well with a tendering process, and building web applications is one of them. Otherwise it results in monstrosities like the MCA21 website, at a huge cost to the taxpayers.
3. What prevents them from putting up a static page saying the website is being restored, instead of just doing a disappearing act?
4. This is not the first time it has happened to NIC; how many heads have rolled till now?
5. The below-mentioned link makes for really sad reading; it's not hard for a big spender like the Government to hire a few ex-Google, ex-Yahoo!, ex-Amazon folks in India these days to fix web security from the ground up.
-Tarun
On Sat, Dec 4, 2010 at 6:41 PM, Soi, Dhruv <dhruv.soi at owasp.org> wrote:
If you read the article I just shared, it mentions that the CBI website had SQL injection, so it can't be restored without programming changes. I also went through another article on the Indian National Cyber Security policy which literally made me laugh; it's available here: http://www.hackerregiment.com/indias-national-cyber-security-policy-or-corporate-information-security-policy.html
From: owasp-delhi-bounces at lists.owasp.org [mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Tarun Dua
Sent: 04 December 2010 18:35
To: amar wakharkar
Cc: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] Pakistan Hackers Respond To Indian Hackers
If NIC was a hosting company they wouldn't be getting any business for managed services with their legendary incompetence. Do they have an SLA to restore stuff in finite time? I mean, the napakis hosted their websites in the US, so understandably they were fiddling with FTP to upload stuff from their blazing-fast, cheaper-than-India DSL lines, but what sort of 'enterprise' tape drive backups do these folks at NIC use that they can't restore a static website of no more than a few megabytes for so long?
Shit happens all the time; it's the MTTR that matters more.
India seems to have its fill of incompetent bureaucrats like the ones at CERT-IN (where some sweater-knitting ladies pick up the official phone mentioned on their website with responses like "CERT-IN? What is that?" when you call them up to verify their PGP key fingerprint as recommended on their website).
-Tarun
On Sat, Dec 4, 2010 at 4:19 PM, amar wakharkar <amarsuhas at hotmail.com> wrote:
Hi Jack,
What do you have to say about CBI Website hack ?
_____
>> ____________________________________________
>>
>> -----owasp-delhi-bounces at lists.owasp.org wrote: -----
>>
>> To: "owasp-delhi at lists.owasp.org" <owasp-delhi at lists.owasp.org>
>> From: Jack H4xor <j4ckh4xor at gmail.com>
>> Sent by: owasp-delhi-bounces at lists.owasp.org
>> Date: 11/30/2010 03:13PM
>> Subject: [Owasp-delhi] Indian Hackers Respond to 26/11 Terrorist Attack
>>
>>
>> 26th November 2010, two years from the dark day for Indians when a
>> few Islamic terrorists from Pakistan opened fire at a few key public
>> places in Mumbai, killing around 175 people and wounding many.
>>
>> A group of young and enthusiastic Indian hackers, tagged as Indian
>> Cyber Army (ICA) powered by indishell.in, carried out a mass defacement
>> operation against many public and official websites belonging to
>> Pakistan in order to pay homage to the martyrs of the terrorist
>> incident. Hacker Regiment sources talked to a few hackers belonging to
>> ICA to understand their modus operandi behind such cyber attacks.
>> Jackh4x0r and LuCkY said that most of the group members are already
>> well settled and earning good money from their professions.
>> "Monetary benefit is not the motivation for any of the group members
>> to carry out such cyber attacks; this particular attack was to convey
>> a message to the Pakistani citizens on opposing the terror route being
>> followed by their nation to disturb neighbours. And 26/11 was the
>> ideal time for conveying this message, when our brave soldiers laid
>> down their precious lives for the people of the country," said Jackh4x0r.
>>
>> Source: http://www.hackerregiment.com/indian-hackers-respond-to-26-11-terrorist-attack.html
>>
>>
>> Peace
>> Jack
>> _______________________________________________
>> Owasp-delhi mailing list
>> Owasp-delhi at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>>
>>
>
>
> --
> Regards,
> Chintan Dave,
>
> LinkedIn: http://in.linkedin.com/in/chintandave
> Blog:http://www.chintandave.com
>