
Careers in Cyber Law Offer Limitless Possibilities

As the internet expands across India, the need for cyber law is being felt here too. In fact, the need for cyber law is felt in every country where cyber crimes take place. Even in most developing countries, where the internet has not yet fully taken root, the need for cyber law is being recognised. The demand for specialists who can deal with cyber crime and secure justice for its victims is growing steadily. With this need in mind, most institutes have now started courses related to cyber law, in some places as a specialised programme and in others as part of the LLB.

Almost every day we hear news of website hacking, online banking fraud, cyber bullying and cyber stalking. This is cyber crime, and it is carried out by high-tech criminals using computer technology. Stopping it requires cyber security experts: experts who can think like a high-tech criminal and who are also fluent in the language of the law. With the help of such experts, cyber crime can be prevented, and when required they also counsel the victims.

The question arises: what exactly is "cyber crime"? In simple words, cyber crimes are unlawful acts in which a computer is either a tool, a target, or both. Cyber crimes are of a traditional nature, such as theft, fraud, forgery, defamation and mischief, which fall under the Indian Penal Code. The misuse of computers has also given rise to a class of new-age crimes, which are addressed by the Information Technology Act, 2000 and subsequently the Information Technology (Amendment) Act, 2008.

Cyberspace has its own law across the world, used to deal with crimes committed via the internet. Well-known computer security experts and cyber terrorism specialists also believe that in the near future India will need a large number of cyber law specialists. Those who take courses in this field will therefore have the opportunity to showcase their work to the world, and at an attractive salary. Cyber specialists can earn by joining an organisation or by working independently as consultants, which is an excellent source of additional income.

Indian IT specialists are currently renowned across the world, even though the recession shook the sector somewhat. But the efforts made so far in India to counter cyber crime cannot be called sufficient. In the coming days, as our dependence on computers, mobile phones and smartphones grows, the likelihood of such crimes growing will also increase. Experts skilled at dealing with this new kind of crime will then be needed.

In fact, ordinary law and the police are not equipped to deal with such crimes. In this situation, the seasoned players who deal with cyber crime will be those who are experts in cyber law and can also readily see through the high-tech techniques of cyber criminals. It must therefore be accepted that in the coming days there will be countless job opportunities for candidates who have completed a cyber law course.

According to cyber law experts, cyber law is today a good career option, and it may prove to be a bright career choice in the future. Students or professionals from law, technology management, accounting and similar fields can also take this course. The field is especially useful for those who have already completed a law course: they will not have to study the basics of law, only cyber crime and the methods of dealing with it.

Incident Response Case Study: Bitly Account Compromise

There is an important update for Bitly account users from the Bitly team. The Bitly team has strong reason to believe that Bitly account credentials may have been compromised; however, they have no indication at this time that any user's account has been accessed without permission.
Whenever a service provider suspects an account-compromise incident, it is better to take precautions. To play safe, the Bitly team proactively disconnected any connections users had made to Facebook and Twitter for publishing posts with shortened bit.ly or bitly.com links. These accounts can be safely reconnected at the next login.
If a user logs in to their Bitly account and sees that their Facebook and Twitter accounts are still connected to it, the following information is important:
"Those accounts are connected, but the Bitly team has disconnected the rights to publish to these accounts. To start republishing and to ensure the security of your Bitly account, the user must do the following steps:
  1. Go to Your Settings Profile tab and reset your password.
  2. Go to Your Settings Connected Accounts tab to disconnect and reconnect any Twitter or Facebook accounts. If you have any connected applications, disconnect and reconnect through the third-party application.
  3. Go to Your Settings Advanced tab to reset your API key. If you are a developer using your API key, copy the new API key and change it in all applications. These can include social publishers, share buttons and mobile apps.
The Bitly team has already taken proactive measures to secure all paths that led to the compromise and to ensure the security of all account credentials going forward. Companies rarely provide insight into how a compromise happened. The way the Bitly team is handling this is an interesting step to watch, and a lesson in how to perform incident response.

In one of its blog posts, the Bitly team shares the following insights:
“On May 8, the Bitly security team learned of the potential compromise of Bitly user credentials from the security team of another technology company. We immediately began operating under the assumption that we had a breach and started the search for all possible compromise vectors. Over the course of the next few hours, the Security Team determined with a high degree of confidence that there had been no external connections to our production user database or any unauthorized access of our production network or servers. They observed that we had an unusually high amount of traffic originating from our offsite database backup storage that was not initiated by Bitly. At this point, it was clear that the best path forward was to assume the user database was compromised and immediately initiate our response plan, which included steps to protect our user’s connected Facebook and Twitter accounts.
We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account. We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.”

The way the Bitly team initiated its security assessment and then launched proactive measures suggests that it has a robust, documented approach to incident handling and incident response in case of a cyber security breach. The way the Bitly security team worked and shared this insight is commendable.

Some of the security measures implemented since the Bitly team received the breach information are:
  1. Invalidated all Twitter and Facebook credentials.
  2. Rotated all credentials for their offsite storage systems.
  3. Enabled detailed logging on their offsite storage systems. 
  4. Rotated all SSL certificates.
  5. Reset credentials used for code deployment.
  6. GPG encryption of all sensitive credentials.
  7. Enforced two-factor authentication on all 3rd party services company-wide.
  8. Accelerated development of our work to support two-factor authentication for Bitly.com
  9. Accelerated development of email confirmation for password changes.
  10. Added additional audit details to user security pages. These can be seen from the Security tab, which provides detailed logging, e.g., the IP address of the last login, revoking a shared account, adding a shared account, etc., along with the approximate time of each action in hours (say, 5 hours ago, 8 hours ago, …).
  11. Updated iPhone App to support updated OAuth tokens.

The interesting part is that they had stored the passwords salted and hashed. Larger organisations generally claim that they stored passwords salted and hashed, but when the hackers later expose the stolen information on the Internet, it is often found that the credentials were in fact stored in plain text. The case that comes to mind is the Microsoft India Store account hack. There too, Microsoft India informed all Microsoft India Store users that the passwords were encrypted and hence there was no loss of data. But when the hacker posted the details in a public forum along with screenshots of the database, it was observed that the users' credentials (e.g., passwords, credit card numbers, etc.) were stored in plain text. Hence it remains to be seen whether Bitly really stored the passwords salted and hashed or not.
According to the Bitly team's blog, if someone registered, logged in or changed their password after January 8th, 2014, the password was hashed with BCrypt and HMAC (Hash-based Message Authentication Code) using a unique salt. However, if someone had not logged in since January 8th, 2014, their password was still hashed with MD5 – a big security risk!
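As an added example that is not Bitly's code: a Python sketch of the lazy migration the post describes, verifying a legacy unsalted MD5 record at login and rewriting it with a slow salted hash plus an HMAC keyed with a server-side secret. Bcrypt is not in the Python standard library, so hashlib.pbkdf2_hmac stands in for it; PEPPER, the record format and the user table are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed server-side secret for the HMAC step. It must live outside the
# user database (e.g. a secrets manager) so a dumped table alone is not enough.
PEPPER = b"constructed-pepper-not-stored-in-the-db"
ITERATIONS = 200_000  # work factor; bcrypt's cost parameter plays this role


def legacy_md5(password: str) -> str:
    """The weak, unsalted scheme the post warns about (kept only to migrate)."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt, slow KDF (stand-in for bcrypt), then HMAC(pepper)."""
    salt = salt or os.urandom(16)
    kdf = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    tag = hmac.new(PEPPER, kdf, hashlib.sha256).hexdigest()
    return f"pbkdf2${salt.hex()}${tag}"


def verify(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, upgraded). upgraded is a fresh strong-scheme record when the
    stored one is legacy MD5 and the password checked out, else None."""
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        ok = hmac.compare_digest(legacy_md5(password), stored)
        return ok, (strong_hash(password) if ok else None)
    if scheme == "pbkdf2":
        salt_hex, _, _tag = rest.partition("$")
        expected = strong_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(expected, stored), None
    return False, None  # unknown scheme: fail closed


def login(db: Dict[str, str], user: str, password: str) -> bool:
    """Authenticate; on success, silently rewrite a legacy record (never downgrade)."""
    ok, upgraded = verify(db.get(user, ""), password)
    if ok and upgraded:
        db[user] = upgraded
    return ok


# Constructed user table: one account untouched since before the cutover and
# one created after it, mirroring the two populations the post describes.
USERS = {"dormant": legacy_md5("correct horse"), "recent": strong_hash("battery staple")}

if __name__ == "__main__":
    print(login(USERS, "dormant", "wrong"), USERS["dormant"][:4])          # False md5$
    print(login(USERS, "dormant", "correct horse"), USERS["dormant"][:7])  # True pbkdf2$
    print(login(USERS, "recent", "battery staple"))                       # True
```

Accounts that never log in again keep their MD5 record forever, which is why the post's advice to log in and change the password matters.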
 
According to the TechTarget article titled “MD5 Security: Time to migrate to SHA-1 hash algorithm?” dated May 2010:
 
“…hash algorithms create a short, fixed-length hash value to represent data of any size, it means that there are far more possible input values than there are unique hash values. This means there have to be multiple input values that will produce the same hash value. This is known as a collision and for a hash function to be deemed cryptographically secure and collision resistant, it has to be hard to find two inputs that hash to the same output. In March 2005, two researchers created two X.509 digital certificates with different public keys but with the same MD5 hash; since then various methods have been published that can find an MD5 collision in under a minute. This is why MD5 is considered cryptographically broken and is being replaced by the SHA-2 family of hash functions.”

 
Hence, MD5 is certainly not suitable for security-sensitive applications and services. Anyone who has a bitly.com account is therefore encouraged to log in immediately and change their password so that the risk from MD5 hashing is eliminated.
 
Read more about BCrypt here (Wikipedia), and about HMAC here (Wikipedia) and here (RFC 2104 from the IETF).


Neelabh Rai
Cyber Entrepreneur
Independent Cyber Security Researcher
CYBER COPS India
www.cybercops.in

“Protect your software from Piracy, IT Systems from Sabotage by using ‘patented’ Validy Technology”

EC Council official website hacked (http://www.eccouncil.org/)

The official website of the International Council of E-Commerce Consultants, popularly known as EC-Council, has been hacked. The hacker inserted an image showing Edward Snowden's passport and left the following message on the www.ec-council.org website:

owned by certified unethical software security professional
-Eugene Belford

The name used by the hacker, Eugene Belford, is taken from the movie Hackers (1995). The picture inserted is:

Fig. 1: Defaced image taken from the EC-Council official website

The above image shows the email message supposedly written by Edward Snowden to cehapp. CEHAPP is intended for international applicants going through the application eligibility process:

Fig. 2: Screenshot of the Google search for CEHAPP

Visiting the same website now shows the following message:

Malwarebytes Anti-malware blocked access to a potentially malicious website: 93.174.95.82
Type: outgoing
Port: 52145, Process: avp.exe

Fig. 3: Malwarebytes Anti-malware message that popped up when trying to open www.eccouncil.org

EC-Council's website has been hacked again and the following image is now posted:

Fig. 4: EC-Council website hacked and defaced once again

Further recommended readings:


Could the computer in your car be hacked?

As vehicles are increasingly computerized, researchers and industry officials consider it inevitable that cars will face the same vulnerabilities as PCs. Internal computer networks monitor and control everything from brakes, engines and transmissions to air bags and keyless-entry functions. Wireless connections, meanwhile, are becoming more common in reporting a vehicle’s position or providing information about the car’s functions. Some auto companies are creating applications to allow users to control some features in their car with their smart phone.

On 10 March 2011 there was a news update that “Researchers had found that cars can be hacked and remotely controlled”. These are some of the news stories that covered it extensively:
Key findings of the research carried out by Stefan Savage, a computer science professor at the University of California, San Diego, and Yoshi Kohno, a computer science professor at the University of Washington, are:
  • able to “bypass rudimentary network security protections within the car”
  • able to “adversarially control a wide range of automotive functions and completely ignore driver input — including disabling the brakes, selectively braking individual wheels on demand, stopping the engine and so on”
  • an attack could embed malicious code in a vehicle and then erase any evidence of its presence after a crash
  • found ways to compromise security remotely, through wireless interfaces like Bluetooth, mechanics’ tools and even audio files.
  • In one example, a modified song in a digital audio format could compromise the car’s CD player and infect other systems in the vehicle.
  • Researchers were able to “obtain complete control” over the car by placing a call to the vehicle’s cell phone number and playing an audio signal that compromised the vehicle.
Key findings of the research teams at Rutgers University and the University of South Carolina:
  • showed vulnerabilities in the in-car wireless networks that operate tire-pressure monitoring systems, which tell motorists if a tire needs more air. From a distance of 40 meters, they bypassed security to tap into information identifying the tire and the tire pressure of cars driving down the road.
Some important quotes to be noted are:
  • “I hope it’s more of a warning for the engineering groups that certain systems are vulnerable,” said Ivan Seskar, associate director for information technology at the Wireless Information Network Laboratory at Rutgers University.
  • “When people first started connecting their PCs to the Internet, there wasn’t any threat, and then over time it manifests,” said Stefan Savage, a University of California, San Diego, computer science professor who conducted the research. “The automotive industry, I think, has the benefit of the experience of what we went through.”
The United States Council for Automotive Research, a group funded by Detroit’s auto companies, is also forming a task force to study the issue, said spokeswoman Susan Bairley.
The research papers can be accessed here. The project Electronic Vehicle Controls and Unintended Acceleration has been completed and its reports can be read here:


======================

Looking for a Solution

======================

Security in automobiles is becoming priority number one for manufacturers. The share of electronic components inside cars is larger than ever, and the reliability of these software components has become a prime concern. Consortia between manufacturers (Autosar, Jaspar, …) have been created to standardise the management software of electronic systems for the automobile industry.
Different security needs have been explored by the automobile industry, including:
  • the need to secure the security software components on board cars (starting system, braking system, ABS emergency braking system, …)
  • securing the control station updates for the manufacturer's car dealers.
  • the need for quality control through software certification, especially for subcontracted software.
Validy Technology, by ensuring the integrity of the embedded software, protects all this equipment from all possible forms of piracy.

Cyber Security Roadmap / Strategy (draft version 1.0.0)

This is an attempt by Neelabh Rai to create a cyber security roadmap / strategy that can be implemented by any organisation, country or corporate body. Its finer details are still in development and will hopefully be completed as early as possible. The cyber security roadmap was created single-handedly by Neelabh Rai.

Since CYBER COPS India is a knowledge-sharing platform among cyber security researchers, practitioners and experts, this document is made available as copyleft to all esteemed readers and viewers.


Kindly have a look at the document titled “Cyber Security Roadmap / Strategy (draft version 1.0.0)” here:

http://www.cybercops.in/cyber-security-roadmap_pwp-neelabhrai-cybercopsindia.pdf

Your comments are welcome. Please feel free to comment via the Contact Me webpage.

PS: 

  1. This cyber security roadmap is available to the public as copyleft with a disclaimer policy. For the details of the disclaimer policy, kindly visit Cyber Security Framework / Strategy Disclaimer Policy.
  2. This was created in my leisure/free time (i.e., when I am not employed anywhere) only, so that my employers cannot claim copyright on it.
