Centre for Internet and Society

Hans Verghese Mathews

praskrishna — 2011-04-28T09:18:57Z

For more details visit http://editors.cis-india.org/home-images/hans.jpg

Hans Varghese Mathews

praskrishna — 2014-10-23T06:50:13Z

Hans Varghese Mathews read philosophy as an undergraduate, at the University of Southern California, studying logic and aesthetics; and went on to obtain a doctorate in mathematics, from the University of Wisconsin, studying algebraic topology primarily, with mathematical logic and philosophy as subsidiary subjects. He has been a research associate with the Indian Statistical Institute, and has written extensively on visual art for Frontline; he currently directs mathematical modelling for an analytics firm. He has an abiding interest in the formal understanding of painting and poetry; and a more recent and dominating interest in the mathematization of the social sciences.

For more details visit http://editors.cis-india.org/internet-governance/hans-varghese-mathews

Hans Foundation

praskrishna — 2012-07-19T05:17:14Z

For more details visit http://editors.cis-india.org/home-images/Hans.jpg

Handcuffs

praskrishna — 2018-08-22T00:41:33Z

Handcuffs

For more details visit http://editors.cis-india.org/home-images/Handcuffs.png

Hakon 2016

praskrishna — 2016-10-15T10:04:41Z

Udbhav Tiwari attended attended Hakon 2016, a conference held between September 30 and October 2, 2016 at Indore, Madhya Pradesh, India,on behalf of CIS under the Hewlett Cyber Security Project.

Hakon 2016 was the third edition of the conference which has been organised by Ninja Information Security Systems, an ISO 27001:2013 & 9001:2008 certified training organisation and the primary sponsor of the conference from Indore. The conference was efficiently organised, had about 150 to 200 people attending overall and provided an unique window into the non-tech hub/big city ethical hacker ecosystem and their place within the cyber security setup in India. The agenda of this year's conference was the Underground Digital Black Market & Digital Terrorism, with a fair mix of participants from the industry, academia and the government. The conference website can be looked up at http://www.hakonindia.org/ for further details, including a look at past editions of the conference.

The technical workshops held during the first two days of the conference were well organised and networking with the teachers during and mostly at the end of the conference was very helpful in understanding a practitioners perspective on cutting edge aspects of cyber security. This was particularly true for Chuck Easttom Williams, an accomplished cyber security expert from the USA who regularly trains government agencies and in a fairly reputed industry veteran who has been an invited speaker at DEFCON and even has a couple of patents to his name.

For more details visit http://editors.cis-india.org/internet-governance/news/hakon-2016

Hacktivists deface BSNL website

praskrishna — 2012-12-14T05:20:56Z

The Bharat Sanchar Nigam Limited (BSNL) website, www.bsnl.co.in, was hacked and defaced on Thursday afternoon.

The article by Kim Arora was published in the Times of India on December 13, 2012. Sunil Abraham is quoted.

A message on the home page said the attack was carried out by the hacktivist group, Anonymous India, as a protest against section 66 A of the IT Act and in support of cartoonist Aseem Trivedi, on an indefinite hunger strike at Jantar Mantar since Dec 8 for the same. The website was restored around 7 pm.

Trivedi said he had received a call from Anonymous around 1.30 in the afternoon informing him that the website has been defaced. On being asked if such a form of protest was valid, Trivedi said, "When the government doesn't pay heed to people's protests against its laws and arrests innocent people for Facebook posts, then such a protest is absolutely valid."

For most of the afternoon and early evening, the BSNL website wasn't available directly. A cached version of the BSNL home page showed an image of cartoonist Trivedi with text that read "Hacked by Anonymous India. support Aseem trivedi (cartoonist) and alok dixit on the hunger strike. remove IT Act 66a databases of all 250 bsnl site has been d Hacked by Anonymous India (sic)". While this message was repeated over and over on the page, it ended with the line "Proof are (sic) here" followed by a link to a page containing the passwords to BSNL databases. BSNL officials were unaware of the attack until Thursday evening.

Late in the evening, Anonymous India tweeted from their account @opindia_revenge: "BSNL Websites hacked, passwords and database leaked... Anonymous India demands withdrawal of Sec 66A of IT Act."

In an open letter to the Government of India posted on alternate media website Kafila in June this year, Anonymous had explained they only carried out Distributed Denial of Service (DDoS) attacks on Indian government websites, which is different from the act of hacking per se.

Contrary views too exist. Sunil Abraham, executive director, Centre for Internet and Society, says the attack was unwarranted. "Speech regulation in India is not a lost cause, the Minister is holding consultations, MPs are raising the issue in Parliament, courts have been approached and there is massive public outcry on social media. Therefore I would request Anonymous India to desist from defacing websites," said Abraham. A group of MPs, including Baijayant Jay Panda from Odisha, are scheduled to present a motion in Parliament on Friday morning for the amendment of section 66A of the IT Act.

Last month, two young girls were arrested in Palghar, Maharashtra, for criticizing on Facebook the bandh that followed the death of Shiv Sena supremo Balasaheb Thackeray. Before that, Karti Chidambaram, son of finance minister P Chidambaram, took a man to court for commenting on his financial assets on Twitter. In both cases, the complainant 'used' section 66 A of the IT Act. The section and the Act have since come in for wide debate regarding freedom of speech.

For more details visit http://editors.cis-india.org/news/times-of-india-india-times-december-13-2012-kim-arora-hacktivists-deface-bsnl-website

Hackschools

praskrishna — 2010-09-07T12:04:43Z

For more details visit http://editors.cis-india.org/home-images/Hackschools.jpg

Hacking, Modding & Making

praskrishna — 2012-04-09T09:51:41Z

Seeber's electronics laboratory is a room in a unit he shares with his mother. Every available space is taken up with teetering towers of electronic parts, writes Brendan Shanahan for GQ.

Like subprime lending or the line at the motor registry, patent and copyright laws control all our lives but no one really understands them. In the world of DIY Tech, however, it is not a subject that can be ignored.

" If they are infringing on patents then it's a question you have to ask within the individual jurisdiction," says Abraham. "In many jurisdictions design many not have protection. Whether it's legal or illegal is an open question."

At its heart Abraham's argument is pragmatic: the developing world, especially China, is too big to stop. Companies can fight patent wars in every world territory, hire private detectives, pressure governments and prosecute consumers who buy rip-off products, but, ultimately, they won't win. The genie is out of the bottle.

"If something has been made technologically possible, we cannot make it illegal and hope that everyone will now pretend that this is no longer technologically possible," says Abraham. "We can't have the government checking everyone's iPod and laptop. The better move is to change the model."

Abraham has many suggestions for making copyright law more flexible to benefit manufacturers and consumers. One thing is certain: in a world in which Amazon, not even five years after the launch of the Kindle, is now selling more e-books than all hard copy books combined, and technology such as 3D printing will soon be standard, it would be unwise to cling to old certainities. The music industry may come to be regarded as merely the canary in a digital coalmine of failed industries.

Read the full post here

For more details visit http://editors.cis-india.org/news/hacking-modding-making

Hacking of SIM card by spy agencies raises fears of sensitive documents being leaked

praskrishna — 2015-03-09T01:31:39Z

The hacking of SIM-card and digital security services provider Gemalto by American and British spy agencies has raised fears that sensitive communications, by the Indian government and hundreds of domestic companies, may have been at the risk of being spied on.

The article by PK Jayadevan and Neha Alawadhi was published in the Economic Times on February 25, 2015. Pranesh Prakash and Sunil Abraham were quoted.

The Netherlands-based Gemalto was jointly hacked by the US National Security Agency and Britain's Government Communications Headquarters, and encryption keys were stolen to monitor mobile communications, according to a news report published last week.

India's largest telecom vendors including Airtel, Vodafone and Idea Cellular use SIM cards supplied by Gemalto, the world's biggest maker of mobile-phone chips and provider of secure devices such as smart cards and tokens. Online publisher The Intercept in its report named Idea Cellular as one of the networks from which the spy agencies accessed encryption keys.

"Phone calls and text messages by military, government, diplomats, spy corporations and by ordinary citizen of India - all of those get affected by this hack," said Pranesh Prakash, Policy Director at research and advocacy firm Centre for Internet and Society.

The Intercept, which accessed top secret documents provided by NSA whistleblower Edward Snowden, said American and British spies dug into the private communications of Gemalto engineers and other employees to steal encryption keys.

Gemalto provides security services such as two-factor authentication and access management, and has hundreds of clients in India. The company in 2012 said it provided 25 million e-driver's licences and vehicle registration certificates in India that let the government "consolidate driver and vehicle registration information across the population in a central repository".

"We believe that the biggest risk stands for the large number of Vodafone users in the country as the company has deployed Gemalto's Near Field Communication services solutions to provide secure and convenient 'wave and pay' contactless transactions via mobile phone," said Sanchit Vir Gogia, Chief Analyst and Group CEO, Greyhound Research.

"We have no further details of these allegations, which are industry-wide in nature and are not focused on any one mobile operator. We will support industry bodies and Gemalto in their investigations," said a Vodafone spokesperson in an email response.

Emails to Idea and Airtel were unanswered till the time of going to Press.

"Indian operators typically go for cheaper Chinese vendors that are anyway low on security. Among the European SIM vendors, Gemalto has the largest share in India," said a senior mobile services executive, requesting anonymity.

The report on the hack comes at a time when Gemalto was looking to tap the Indian market, including e-governance initiatives. The company in a recent email to ET said it had plans to expand its center of excellence in India to develop multiple products, offer tech support and provide security solutions for the domestic market.

"We take this (breach) very seriously and will devote all resources necessary to fully investigate and understand the scope of such highly sophisticated attacks to obtain SIM card data," a Gemalto spokesperson said. "The target was not Gemalto, per se - it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible."

Initial investigations indicate that SIM products as well as banking cards, passports and other products and platforms are secure, the company said. Gemalto is expected to announce the results of its investigation on Wednesday. British and US spy agencies have been under fire for hacking and spying on citizens after Snowden in mid-2013 began leaking documents that revealed massive surveillance programmes by the two governments. At the time, the Indian government said the NSA was only collecting meta-data and had no access to the actual contents of phone calls or text messages.

Experts suggest a multinational consensus or treaty that strikes a balance between national security concerns and privacy.

"Governments will have to debate this in the United Nations and some kind of rules for surveillance, maybe treaties, are relevant in the future," said Kamlesh Bajaj, Chief Executive at Data Security Council of India. "They shall have to have some kind of a limit to surveillance. They can't be vacuuming all data in the name of finding a needle in the haystack."

Sunil Abraham, Executive Director at Center for Internet and Society, suggested the Indian government should replace proprietary operating systems and Android on phones with pure free software projects, use of virtual private network on phones to carry voice and data traffic, and encrypt voice and data payloads separately.

"When it comes to all the other services provided by Gemalto, the India government should insist that they will do key management on their own. This will also mitigate the compromise of Gemalto's enterprise networks by the NSA," he said.

For more details visit http://editors.cis-india.org/internet-governance/news/economic-times-jayadevan-pk-neha-alawadhi-february-25-2015-hacking-of-sim-card-by-spy-agencies-raises-fears-of-sensitive-documents-being-leaked

Hacking

praskrishna — 2011-04-25T09:09:20Z

For more details visit http://editors.cis-india.org/home-images/hacking.jpg

Hackers Take Protest to Indian Streets and Cyberspace

praskrishna — 2012-06-18T04:02:21Z

First there was self-styled Gandhian activist Anna Hazare who took to the streets to protest corruption. Now a group agitating against censorship on the Internet has arrived in India.

This article by Shreya Shah was published in the Wall Street Journal on June 8, 2012 Pranesh Prakash is quoted in this article.

Only this time, the location is cyberspace and their modus operandi hacking.

In the last few months, Anonymous –a group of hackers, or hacktivists as they like to call themselves –has gone after Web sites of political parties, government sites and Internet service providers, the latest being MTNL, to protest censorship on the Internet.

The group says they are opposing laws including the 2008 Information Technology (Amendment) Act and the Information Technology (Intermediaries Guidelines) Rules of 2011, which they say unfairly restrict Internet freedom.

On Saturday, the hackers will take their protest to the streets, with an Occupy Wall Street-style march called ”Operation Occupy India” planned in 17 cities including Mumbai, Delhi, Indore in Madhya Pradesh, Nagpur in Maharashtra and Kundapur in Karnataka. The group has requested all protestors to wear Guy Fawkes masks, the symbol of Anonymous.

“This time the common man wants to help us,” an “anon,” which is what members of the group call themselves, told India Real Time.

Anonymous, which has a global presence, catapulted to fame with its attacks on Visa, Mastercard and Paypal.

This is how the group attacks Web sites: It overwhelms them with thousands of requests from different computer systems simultaneously. The Web site is unable to handle the load and crashes.

The group intensified its attacks after Internet Service Providers like Reliance, MTNL and Airtel temporarily blocked file sharing sites like Vimeo, Dailymotion, Patebin and Pirate bay, citing a Court order.

But many question the method used by Anonymous.

“I don’t believe in defacing or hacking government Web sites to prove a point,” says Ankit Fadia, a cyber security expert. “You can’t hold the government ransom,” he adds.

In an open letter to the government, Anonymous India defended its actions. It wrote that traditional ways of protesting are losing meaning and this is a new method to pressure the politicians.

Members of the group say that like a regular protest on the street, they too block the infrastructure of their opponents. Except in this case, the infrastructure is located in cyberspace.

This is a “geek method of attacking,” said the anon who spoke to India Real Time. The group does not plan to attacks sites like that of the Indian railways, for instance, which is used by the masses, he explained.

But not everyone is convinced.

The group attacked the Web site of India’s Supreme Court even when it says it does not attack Web sites used by the common man, says Pranesh Prakash, Program Director of the Center for Internet and Society.

The IT Act is another reason Anonymous is protesting. The Act gives the government the power to remove content it finds offensive. The government can also restrict public access to a Web site.

Anonymous is also protesting the Intermediary Guidelines of 2011. According to this Act, a site that hosts offensive content will have to remove it within 36 hours of a complaint against it.

As a result, Web sites like Google and Facebook are facing criminal cases for hosting objectionable content on their site.

“This government does not stand for censorship; this government does not stand for infringement of free speech. Indeed, this government does not stand for regulation of free speech,” Kapil Sibal, the Communications and Information Technology Minister told the Rajya Sabha, or the upper house of the Indian Parliament, last month.

Pranesh Prakash, of the Center for Internet and Society told India Real Time that he does not believe that Anonymous will influence policy makers. He says that the main aim of a protest is to get media attention, and in turn get the attention of the people.

But he agrees that India’s cyber laws are “hopelessly flawed” and create a framework by which not only the government but everyone can censor.

He adds, “The laws are a greater threat than Anonymous.”

Photo Source: Joel Saget/Agence France-Presse/Getty Images

For more details visit http://editors.cis-india.org/news/hackers-take-protest-to-indian-streets-and-cyberspace

Hackers

praskrishna — 2011-04-25T09:07:03Z

Hackers use their technology skills to make public interventions to resolve a crisis in their environments.

For more details visit http://editors.cis-india.org/home-images/hackers.jpg

Hacker steals 17 million Zomato users’ data, briefly puts it on dark web

praskrishna — 2017-05-20T05:57:14Z

Records of 17 million users were stolen from online restaurant search platform Zomato, the company said in a blog post on Thursday.

The article by Kim Arora and Digbijay Mishra with inputs from Ranjani Ayyar in Chenna was published in the Times of India on May 19, 2017. Pranesh Prakash was quoted.

According to information security blog and news website HackRead, the data was being peddled online on the "dark web" for about $1,000. The company, also a food delivery platform, advised users to change passwords. However, late on Thursday night, Zomato claimed it had contacted the hacker and persuaded him/her to not only destroy all copies of the data, but also to take the database off the dark web marketplace. The company said it will post an update on how the breach happened once they "close the loopholes".

In an official blog updated with this information, Zomato said, "The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers." Bug bounties are a standard program among tech companies, where they reward outsiders to highlight bugs and flaws in their software systems.

The number of user accounts compromised was pegged at 17 million earlier in the day. In the late night update, Zomato said password hashes (passwords in a scrambled, encrypted form) of 6.6 million users was compromised. It wasn't immediately clear whether this 6.6 million was part of the 17 million records stolen.

Zomato tried assuring users that payment information was safe. "Please note that only 5 data points were exposed - user IDs, names, usernames, email addresses, and password hashes with salt- that is, passwords that were encrypted and would be unintelligible. No other information was exposed to anyone (we have a copy of the 'leaked' database with us). Your payment information is absolutely safe, and there's no need to panic," said the late night update.

However, the information security community raised concerns over the technique used for "hashing" or encrypting the passwords. A screenshot of the vendor's sale page for stolen data posted on HackRead identifies the hashing algorithm as "MD5", which experts say is "outdated" and "insecure". The research team at infySEC -- a cyber security company from Chennai -- tried to access user information in Zomato's database, as part of its bug bounty program. "We were able to access user names, email IDs, addresses and history of transactions. We highlighted this to Zomato but we have not heard from them," said Karthick Vigneshwar, director, infySEC.

Zomato joins a long list of tech-enabled businesses that have recently had user data stolen. Such data can ostensibly be used by malicious actors to send phishing mails, or even by hackers to carry out cyber attacks. In February 2017, content delivery network CloudFlare's customer data was leaked. The data leaked had not just password hashes, but even customers' IP addresses and private messages. In June 2015, online password management service LastPass was hacked and had its data leaked online.

"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Zomato's chief technology officer Gunjan Patidar said in the blog which was updated twice through the day. Affected users have been logged out of the website and the app.

Password "hashing" is an encryption technique usually used for large online user databases. The strength of the encryption depends on the algorithm employed to do the same. "Salting" is the addition of a string of characters to the passwords when stored on such a database, which adds another layer of difficulty in cracking them.

In an email to TOI, a company spokesperson said, "Over the next couple of days, we'll be actively working to improve our security systems — we'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorisation for internal teams having access to this data to avoid any human breach."

HackRead, a security blog and news website, found the stolen Zomato database of 17 million users for sale on what is called the "dark web". This can be described as a portion of the content available on the World Wide Web, away from the public internet. This content is not indexed on search engines like Google, and can only be accessed using software that can route around the public internet to get there.

According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is inappropriate for encrypting passwords. "If MD5 was used, it shows bad security practices were in place. It isn't industry standard to use this algorithm for password hashing. Algorithms like bcrypt, scrypt, are more secure," says Pranesh Prakash, policy director at Bengaluru's Centre for Internet and Society.

What if a user does not use an exclusive Zomato account to sign into the service, but signs in through a Google or Facebook account? "In that case, just to be safe, you can delink your Zomato from the account you use to sign in, although your password will not be at risk," says Prakash. Zomato says, 60% of its users use such third party authorisation, and they are at "zero risk."

Would Zomato be liable to compensate end users for loss of sensitive data? Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act hold sensitive data and are expected to have reasonable security protocols in place. Should an end user face any loss/damage due to a data breach, they can sue Zomato and seek compensation." While most players have end user agreements and disclaimers in place, Duggal adds that the IT Act will prevail over any other law or contract to the extent it is inconsistent.

For more details visit http://editors.cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web

Hackathon at Bangalore

praskrishna — 2012-12-10T07:01:02Z

Hackathon at Bangalore

For more details visit http://editors.cis-india.org/home-images/Hackathon.png

Hack exposes Zomato's weak protection of customer data, say Cyber experts

praskrishna — 2017-05-19T09:11:40Z

Online restaurant aggregator says it will beef up security after 17 million user details were stolen.

The article by Alnoor Peermohamed was published in the Business Standard on May 19, 2017. Pranesh Prakash was quoted.

After details of over 17 million users was stolen and sold online, restaurants discovery and food ordering service Zomato has vowed to beef up security measures, including adding a layer of authentication for its own employees to access user data.

The company in a blog post claimed that the leak appeared to be an internal (human) security breach with an employee's development account getting compromised.

However, cyber security experts pointed out that Zomato was clearly lacking in its technique to protect customer data from unwanted elements .

Sajal Thomas, a cyber security consultant, claimed on Twitter that he verified the sample data being sold on the dark web and found that Zomato had used MD5 to hash passwords. MD5 is neither encryption nor encoding, and was known to be easily cracked by attacks and suffered from major vulnerabilities.

Further, he said Zomato had not used salting, a technique where random data was used as additional input to make cracking a hashed password much harder. Thomas said that it took just a few seconds to crack the hashed passwords to turn them into plain text.

Zomato in its blog post, however, claimed that it protected "passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password."

It said that this was to ensure that passwords could not be easily converted back to plain text. The firm claimed no credit or debit card information of users were leaked.

While Zomato says it has reset passwords of all the affected accounts, experts say that users whose data were leaked are still under threat.

"If you had a password for Zomato that you used elsewhere (on facebook or email), immediately change that password across all those accounts," tweeted Pranesh Prakash, policy director at the Centre for Internet and Society.

If you had a password for Zomato that you used elsewhere, then IMMEDIATELY change that password across ALL those accounts. Use a pw manager! https://t.co/CbhtxCwlnD
— Pranesh Prakash (@pranesh) May 18, 2017

According to Prakash, a statement by Zomato misled people on how serious the security breach was by providing a false sense of security.

Subsequently, the company reworded its blog post to prompt users to change passwords of other services where they might have used the same password as their Zomato account.

The leak was first detected by security blog HackRead when it came across an online handle going by the name of "nclay" claiming to have hacked Zomato's database and selling its data on the dark web. Upon testing some of the data made public by the hacker, HackRead found that each account actually existed on Zomato.

"The database includes emails and password hashes of registered Zomato users while the price set for the whole package is $1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit," HackRead wrote in its post.

For more details visit http://editors.cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts