Centre for Internet and Society

Hackers Take Protest to Indian Streets and Cyberspace

praskrishna — 2012-06-18T04:02:21Z

First there was self-styled Gandhian activist Anna Hazare who took to the streets to protest corruption. Now a group agitating against censorship on the Internet has arrived in India.

This article by Shreya Shah was published in the Wall Street Journal on June 8, 2012 Pranesh Prakash is quoted in this article.

Only this time, the location is cyberspace and their modus operandi hacking.

In the last few months, Anonymous –a group of hackers, or hacktivists as they like to call themselves –has gone after Web sites of political parties, government sites and Internet service providers, the latest being MTNL, to protest censorship on the Internet.

The group says they are opposing laws including the 2008 Information Technology (Amendment) Act and the Information Technology (Intermediaries Guidelines) Rules of 2011, which they say unfairly restrict Internet freedom.

On Saturday, the hackers will take their protest to the streets, with an Occupy Wall Street-style march called ”Operation Occupy India” planned in 17 cities including Mumbai, Delhi, Indore in Madhya Pradesh, Nagpur in Maharashtra and Kundapur in Karnataka. The group has requested all protestors to wear Guy Fawkes masks, the symbol of Anonymous.

“This time the common man wants to help us,” an “anon,” which is what members of the group call themselves, told India Real Time.

Anonymous, which has a global presence, catapulted to fame with its attacks on Visa, Mastercard and Paypal.

This is how the group attacks Web sites: It overwhelms them with thousands of requests from different computer systems simultaneously. The Web site is unable to handle the load and crashes.

The group intensified its attacks after Internet Service Providers like Reliance, MTNL and Airtel temporarily blocked file sharing sites like Vimeo, Dailymotion, Patebin and Pirate bay, citing a Court order.

But many question the method used by Anonymous.

“I don’t believe in defacing or hacking government Web sites to prove a point,” says Ankit Fadia, a cyber security expert. “You can’t hold the government ransom,” he adds.

In an open letter to the government, Anonymous India defended its actions. It wrote that traditional ways of protesting are losing meaning and this is a new method to pressure the politicians.

Members of the group say that like a regular protest on the street, they too block the infrastructure of their opponents. Except in this case, the infrastructure is located in cyberspace.

This is a “geek method of attacking,” said the anon who spoke to India Real Time. The group does not plan to attacks sites like that of the Indian railways, for instance, which is used by the masses, he explained.

But not everyone is convinced.

The group attacked the Web site of India’s Supreme Court even when it says it does not attack Web sites used by the common man, says Pranesh Prakash, Program Director of the Center for Internet and Society.

The IT Act is another reason Anonymous is protesting. The Act gives the government the power to remove content it finds offensive. The government can also restrict public access to a Web site.

Anonymous is also protesting the Intermediary Guidelines of 2011. According to this Act, a site that hosts offensive content will have to remove it within 36 hours of a complaint against it.

As a result, Web sites like Google and Facebook are facing criminal cases for hosting objectionable content on their site.

“This government does not stand for censorship; this government does not stand for infringement of free speech. Indeed, this government does not stand for regulation of free speech,” Kapil Sibal, the Communications and Information Technology Minister told the Rajya Sabha, or the upper house of the Indian Parliament, last month.

Pranesh Prakash, of the Center for Internet and Society told India Real Time that he does not believe that Anonymous will influence policy makers. He says that the main aim of a protest is to get media attention, and in turn get the attention of the people.

But he agrees that India’s cyber laws are “hopelessly flawed” and create a framework by which not only the government but everyone can censor.

He adds, “The laws are a greater threat than Anonymous.”

Photo Source: Joel Saget/Agence France-Presse/Getty Images

For more details visit http://editors.cis-india.org/news/hackers-take-protest-to-indian-streets-and-cyberspace

Hackers

praskrishna — 2011-04-25T09:07:03Z

Hackers use their technology skills to make public interventions to resolve a crisis in their environments.

For more details visit http://editors.cis-india.org/home-images/hackers.jpg

Hacker steals 17 million Zomato users’ data, briefly puts it on dark web

praskrishna — 2017-05-20T05:57:14Z

Records of 17 million users were stolen from online restaurant search platform Zomato, the company said in a blog post on Thursday.

The article by Kim Arora and Digbijay Mishra with inputs from Ranjani Ayyar in Chenna was published in the Times of India on May 19, 2017. Pranesh Prakash was quoted.

According to information security blog and news website HackRead, the data was being peddled online on the "dark web" for about $1,000. The company, also a food delivery platform, advised users to change passwords. However, late on Thursday night, Zomato claimed it had contacted the hacker and persuaded him/her to not only destroy all copies of the data, but also to take the database off the dark web marketplace. The company said it will post an update on how the breach happened once they "close the loopholes".

In an official blog updated with this information, Zomato said, "The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers." Bug bounties are a standard program among tech companies, where they reward outsiders to highlight bugs and flaws in their software systems.

The number of user accounts compromised was pegged at 17 million earlier in the day. In the late night update, Zomato said password hashes (passwords in a scrambled, encrypted form) of 6.6 million users was compromised. It wasn't immediately clear whether this 6.6 million was part of the 17 million records stolen.

Zomato tried assuring users that payment information was safe. "Please note that only 5 data points were exposed - user IDs, names, usernames, email addresses, and password hashes with salt- that is, passwords that were encrypted and would be unintelligible. No other information was exposed to anyone (we have a copy of the 'leaked' database with us). Your payment information is absolutely safe, and there's no need to panic," said the late night update.

However, the information security community raised concerns over the technique used for "hashing" or encrypting the passwords. A screenshot of the vendor's sale page for stolen data posted on HackRead identifies the hashing algorithm as "MD5", which experts say is "outdated" and "insecure". The research team at infySEC -- a cyber security company from Chennai -- tried to access user information in Zomato's database, as part of its bug bounty program. "We were able to access user names, email IDs, addresses and history of transactions. We highlighted this to Zomato but we have not heard from them," said Karthick Vigneshwar, director, infySEC.

Zomato joins a long list of tech-enabled businesses that have recently had user data stolen. Such data can ostensibly be used by malicious actors to send phishing mails, or even by hackers to carry out cyber attacks. In February 2017, content delivery network CloudFlare's customer data was leaked. The data leaked had not just password hashes, but even customers' IP addresses and private messages. In June 2015, online password management service LastPass was hacked and had its data leaked online.

"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Zomato's chief technology officer Gunjan Patidar said in the blog which was updated twice through the day. Affected users have been logged out of the website and the app.

Password "hashing" is an encryption technique usually used for large online user databases. The strength of the encryption depends on the algorithm employed to do the same. "Salting" is the addition of a string of characters to the passwords when stored on such a database, which adds another layer of difficulty in cracking them.

In an email to TOI, a company spokesperson said, "Over the next couple of days, we'll be actively working to improve our security systems — we'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorisation for internal teams having access to this data to avoid any human breach."

HackRead, a security blog and news website, found the stolen Zomato database of 17 million users for sale on what is called the "dark web". This can be described as a portion of the content available on the World Wide Web, away from the public internet. This content is not indexed on search engines like Google, and can only be accessed using software that can route around the public internet to get there.

According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is inappropriate for encrypting passwords. "If MD5 was used, it shows bad security practices were in place. It isn't industry standard to use this algorithm for password hashing. Algorithms like bcrypt, scrypt, are more secure," says Pranesh Prakash, policy director at Bengaluru's Centre for Internet and Society.

What if a user does not use an exclusive Zomato account to sign into the service, but signs in through a Google or Facebook account? "In that case, just to be safe, you can delink your Zomato from the account you use to sign in, although your password will not be at risk," says Prakash. Zomato says, 60% of its users use such third party authorisation, and they are at "zero risk."

Would Zomato be liable to compensate end users for loss of sensitive data? Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act hold sensitive data and are expected to have reasonable security protocols in place. Should an end user face any loss/damage due to a data breach, they can sue Zomato and seek compensation." While most players have end user agreements and disclaimers in place, Duggal adds that the IT Act will prevail over any other law or contract to the extent it is inconsistent.

For more details visit http://editors.cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web

Hackathon at Bangalore

praskrishna — 2012-12-10T07:01:02Z

Hackathon at Bangalore

For more details visit http://editors.cis-india.org/home-images/Hackathon.png

Hack exposes Zomato's weak protection of customer data, say Cyber experts

praskrishna — 2017-05-19T09:11:40Z

Online restaurant aggregator says it will beef up security after 17 million user details were stolen.

The article by Alnoor Peermohamed was published in the Business Standard on May 19, 2017. Pranesh Prakash was quoted.

After details of over 17 million users was stolen and sold online, restaurants discovery and food ordering service Zomato has vowed to beef up security measures, including adding a layer of authentication for its own employees to access user data.

The company in a blog post claimed that the leak appeared to be an internal (human) security breach with an employee's development account getting compromised.

However, cyber security experts pointed out that Zomato was clearly lacking in its technique to protect customer data from unwanted elements .

Sajal Thomas, a cyber security consultant, claimed on Twitter that he verified the sample data being sold on the dark web and found that Zomato had used MD5 to hash passwords. MD5 is neither encryption nor encoding, and was known to be easily cracked by attacks and suffered from major vulnerabilities.

Further, he said Zomato had not used salting, a technique where random data was used as additional input to make cracking a hashed password much harder. Thomas said that it took just a few seconds to crack the hashed passwords to turn them into plain text.

Zomato in its blog post, however, claimed that it protected "passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password."

It said that this was to ensure that passwords could not be easily converted back to plain text. The firm claimed no credit or debit card information of users were leaked.

While Zomato says it has reset passwords of all the affected accounts, experts say that users whose data were leaked are still under threat.

"If you had a password for Zomato that you used elsewhere (on facebook or email), immediately change that password across all those accounts," tweeted Pranesh Prakash, policy director at the Centre for Internet and Society.

If you had a password for Zomato that you used elsewhere, then IMMEDIATELY change that password across ALL those accounts. Use a pw manager! https://t.co/CbhtxCwlnD
— Pranesh Prakash (@pranesh) May 18, 2017

According to Prakash, a statement by Zomato misled people on how serious the security breach was by providing a false sense of security.

Subsequently, the company reworded its blog post to prompt users to change passwords of other services where they might have used the same password as their Zomato account.

The leak was first detected by security blog HackRead when it came across an online handle going by the name of "nclay" claiming to have hacked Zomato's database and selling its data on the dark web. Upon testing some of the data made public by the hacker, HackRead found that each account actually existed on Zomato.

"The database includes emails and password hashes of registered Zomato users while the price set for the whole package is $1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit," HackRead wrote in its post.

For more details visit http://editors.cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts