[Owasp-delhi] [OWASP-Bangalore] Rediff Astrology

Subhash Dutta subhash.dutta at kriss.in
Sat Jun 19 00:49:22 EDT 2010


There are guidelines issued by CERT-In for govt websites. Also, these sites have to be hosted on a govt server (either NIC, ERNET or other state agencies). I know for a fact that NIC carries out a very stringent security audit before the site is hosted on a production server. However, the agency responsible for pointing out mistakes subsequently, CERT-In, has no mandate for awarding punishments.


Subhash Dutta 


----- Original Message ----- 
From: "Neelu Tripathy" <neelu.tripathy at tcs.com> 
To: "Rajesh Suryavanshi" <rajesh_suryavanshi at uhc.com> 
Cc: owasp-delhi at lists.owasp.org, owasp-delhi-bounces at lists.owasp.org 
Sent: Friday, June 18, 2010 2:31:13 PM GMT +05:30 Chennai, Kolkata, Mumbai, New Delhi 
Subject: Re: [Owasp-delhi] [OWASP-Bangalore] Rediff Astrology 


For the government sites .. :) It should be made mandatory for them to comply with the respective regulatory (security) requirements. Also, there should be an independent body for security audit and monitoring (for both applications and networks). This is not easy for the government considering budget bottlenecks, but sooner or later it has to be implemented.
'Security' once in a while is not enough (for the Govt), because there might be thousands out there waiting for that one moment when we (the govt) are not alert.

Regards, 
Neelu Tripathy 
Security Analyst, TCS 



From: "Suryavanshi, Rajesh" <rajesh_suryavanshi at uhc.com>
To: "Neelu Tripathy" <neelu.tripathy at tcs.com>, <nileshkumar83 at gmail.com>, <owasp-delhi at lists.owasp.org>, <owasp-mumbai at lists.owasp.org>, <owasp-bangalore at lists.owasp.org>, <owasp-delhi-bounces at lists.owasp.org>
Date: 06/18/2010 01:38 PM
Subject: RE: [Owasp-delhi] [OWASP-Bangalore] Rediff Astrology




What about the government sites.. many sites are vulnerable to SQL injection, XSS, parameter manipulation..

Do not want to specify any one of them.. but still there are no security measures and controls in place..

Hope that once in a while the government realizes the importance of information and will take preventive action to mitigate risk...


Regards, 

RS 




From: owasp-delhi-bounces at lists.owasp.org [ mailto:owasp-delhi-bounces at lists.owasp.org ] On Behalf Of Neelu Tripathy 
Sent: Friday, June 18, 2010 12:26 PM 
To: nileshkumar83 at gmail.com 
Cc: owasp-delhi at lists.owasp.org; owasp-mumbai at lists.owasp.org; owasp-bangalore at lists.owasp.org; owasp-delhi-bounces at lists.owasp.org 
Subject: Re: [Owasp-delhi] [OWASP-Bangalore] Rediff Astrology 


From one perspective this is illegal, while from another it is a 'service done for FREE'. Though for the latter, there must be responsible disclosure of vulnerabilities.

Regards, 
Neelu Tripathy 
Security Analyst, TEG 
Tata Consultancy Services 

From: nileshkumar83 at gmail.com
To: owasp-bangalore at lists.owasp.org
Cc: owasp-delhi at lists.owasp.org, owasp-mumbai at lists.owasp.org
Date: 06/15/2010 06:43 PM
Subject: Re: [Owasp-delhi] [OWASP-Bangalore] Rediff Astrology
Sent by: owasp-delhi-bounces at lists.owasp.org





I think only ringing the door bell is not illegal, unless you do something that can harm them financially. I have several times informed them about various vulns, but they took action after a very long time.

On Tue, Jun 15, 2010 at 5:32 PM, Vikram GR < grv.567 at gmail.com > wrote: 
Is it legal to hack websites without any authorization from the owner? If you hack sites like rediff/indiatimes, they might take legal action against you, right? Even if you inform them about vulnerabilities, will this kind of act be legal or illegal? Could you share your opinions?

Thanks and Regards, 

VIKRAM.G.R 
Information Security Consultant, 
Paladion Networks. 
http://www.paladion.net/ 
http://www.linkedin.com/in/vikramgr 
Ph: +91-916-486-3322 


On 15 June 2010 09:34, < nileshkumar83 at gmail.com > wrote: 
Rediff had several vulnerabilities on many pages. I had informed them last year itself. They didn't care until some senior guy from Rediff asked them to fix them. So it's an old trend at Rediff. Similar is the case with Indiatimes.

-- 
Thanks & Regards, 
Nilesh Kumar, 
Engineer-Security| Honeywell Technology Solutions 
www.nileshkumar83.blogspot.com 
www.linkedin.com/in/nileshkumar83 
Mobile- +91-9019076487 


_______________________________________________ 
OWASP-Bangalore mailing list 
OWASP-Bangalore at lists.owasp.org 
https://lists.owasp.org/mailman/listinfo/owasp-bangalore 







-- 
Thanks & Regards, 
Nilesh Kumar, 
Engineer-Security| Honeywell Technology Solutions 
www.nileshkumar83.blogspot.com 
www.linkedin.com/in/nileshkumar83 
Mobile- +91-9019076487 
_______________________________________________ 
Owasp-delhi mailing list 
Owasp-delhi at lists.owasp.org 
https://lists.owasp.org/mailman/listinfo/owasp-delhi 

