ICICI Bank’s stupid “feature” introduces privacy concerns

A couple of days back, I received an SMS from ICICI Bank informing me that I can view my credit card statement without logging into my account. As you may expect, it blew me away. It still beats me why anyone would want to access his or her credit card statement without any password.

No Privacy :'(

To be fair to ICICI, this doesn’t mean that one can simply pull up the statement with the credit card number alone. The form asks for three fields.

Field 1 - Card Number: The problem here is that most of the swipe machines you come across, at least in India, print your complete card number on the receipts, and one copy is left with the merchant where you shop. Moreover, in all probability, you keep your credit card in your purse, which is easily accessible to your parents, wi[fe|ves], girl|boy-friend[s], and even friends. Hell, the waiter could jot it down. So let’s face it, the card number is an identifier, not a secret, in the current scenario.

Field 2 - Date Of Birth: Doh! Anyone who knows you, or has seen any of your ID documents, has this one.

Field 3 - Card valid from: Now this one might sound a bit tricky, considering that only the expiry date of your credit card is printed on the receipts. However, please note that:
(1) this date can be read off the card at a glance,
(2) the start and expiry months are almost always the same, i.e. if your card expiry is 05/2015, the start month will in all probability be 05 (May), and only the year is left to guess. Just try a few combinations, and bang.

…and if all this sounds too complex and useless, consider that all of the above information is readily available to your family members and close friends. I am not sure about you, but I prefer a certain degree of privacy.

…and if the cynic in you is still not convinced, consider this: the total effort in keystrokes and clicks of combining your card number + date of birth (via a date picker) + card valid from will most probably exceed the keystrokes for an ICICI user id + password. Unless, of course, you are a paranoid who writes a poem in 1337 for the password. 😉

So although there could be a debate on the level of privacy concern that it raises, there can’t be any debate on the sheer stupidity of this feature. Uh!
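To make the “try a few combinations” point concrete, here is an added Python example (mine, not from the original post and not ICICI’s code) that ranks “valid from” guesses from what a receipt reveals, and shows what an attempt cap does to the search. The 1-to-5-year validity window, the lockout threshold and the lookup oracle are all assumptions of the example.

```python
from typing import Callable, Iterator, Optional, Tuple

MonthYear = Tuple[int, int]  # (month, year), e.g. (5, 2015) for a card printed 05/2015


def rank_valid_from(expiry: MonthYear, max_years: int = 5) -> Iterator[MonthYear]:
    """Yield 'valid from' guesses for a card, most likely first.

    The expiry month/year is printed on every receipt. The post observes that the
    start month almost always equals the expiry month, so those guesses come first,
    nearest year first. That a card is valid for 1..max_years years is an assumption
    of this example, not something the post states.
    """
    exp_month, exp_year = expiry
    # Most likely: same month as expiry, one to max_years years earlier.
    for back in range(1, max_years + 1):
        yield (exp_month, exp_year - back)
    # Fallback: every other month of those same years.
    for back in range(1, max_years + 1):
        for month in range(1, 13):
            if month != exp_month:
                yield (month, exp_year - back)


def attempts_to_hit(expiry: MonthYear, actual: MonthYear, max_years: int = 5) -> Optional[int]:
    """1-based position of the true 'valid from' date in the guess order, or None."""
    for n, guess in enumerate(rank_valid_from(expiry, max_years), start=1):
        if guess == actual:
            return n
    return None


def brute_force_lookup(check: Callable[[MonthYear], bool], expiry: MonthYear,
                       lockout_after: Optional[int] = None,
                       max_years: int = 5) -> Optional[int]:
    """Drive a statement-lookup oracle with the ranked guesses.

    `check` stands in for the bank's form and is supplied by the caller; it is a
    constructed stand-in, not ICICI's real endpoint. Returns the attempt count on
    success, or None when `lockout_after` attempts are exhausted first, which is
    the control that would make such a form survive this kind of guessing.
    """
    for n, guess in enumerate(rank_valid_from(expiry, max_years), start=1):
        if lockout_after is not None and n > lockout_after:
            return None
        if check(guess):
            return n
    return None


if __name__ == "__main__":
    expiry = (5, 2015)                 # printed on the receipt
    secret_valid_from = (5, 2012)      # constructed value the attacker has to guess
    oracle = lambda guess: guess == secret_valid_from

    print("guesses in order:", list(rank_valid_from(expiry))[:6])
    print("no lockout   ->", brute_force_lookup(oracle, expiry))      # 3 attempts
    print("lockout at 2 ->", brute_force_lookup(oracle, expiry, 2))   # None
```

Without a cap, a matching-month guess lands within a handful of attempts; with even a small lockout the same search returns None. Under the window assumed here the whole “valid from” space is sixty values, which is why the keystroke comparison with a real password is fair.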

OWASP AppSec Conf Delhi – Day 1

Special Note: I don’t have my Canon EOS 350D with me nowadays, so I had to borrow my roommate’s Canon PowerShot. 🙁 The quality sucks, but still, the pictures are here.

I’ll be honest, going by the conference prices and some of the talk titles, I was expecting OWASP AppSec Delhi to be targeted mainly at managers. Moreover, I didn’t really have high hopes for the first day’s talks, at least. It felt even worse when I realized that Dinis Cruz hadn’t been able to make it; I was looking forward to his workshop on AppSec Code Review. But boy, what a day! 🙂

The registration was scheduled to begin at 8:15 AM and I reached at 7:45. As if that was not enough, the registration was delayed by another 40-45 minutes. I like to be punctual, but end up playing the endless wait-game more often than not. However, on the bright side, I got to interact with a couple of great guys, like Amit Parekh (MPS). Quite surprisingly, I also came across Manjula (Aujas Networks). I say surprisingly because when we had discussed the conference at a previous OWASP Bangalore chapter meet, she had no plans to attend. I am glad she decided at the last moment. 🙂

Before I get to the talks, I feel obligated to thank Nitin of the OWASP Delhi chapter for letting me attend the conference even though my company had not yet paid the conference fees due to some strange procedural issues.

Bipin & Amit

The day began with keynote speeches by Dhruv Soni and Puneet Mehta (OWASP Delhi Chapter), Murli Krishna (HP), Dr. Kamlesh Bajaj (DSCI), Jason Li (OWASP), and Mano Paul ((ISC)²). The welcome notes by Dhruv and Puneet were followed by Dr. Bajaj’s and Murli Krishna’s keynotes. I couldn’t help but wish I could have brought seniors from the network management unit of my firm; I would love to believe they would have had a change of heart with respect to application security after the keynote 😉 . Jason spoke on behalf of Dinis and introduced the newbies to OWASP and a couple of its projects. In case you are unaware (like me), there has been an interesting addition to the OWASP projects called ESAPI (the Enterprise Security API). It looks good at first glance; hopefully I’ll be having a closer look pretty soon. Finally, Mano Paul provided some interesting metaphors for the security scenario, and also introduced the youngest hacker in the crowd, his two-year-old son. It’ll surely be fun to attend his workshop on Advanced Threat Modelling.

Following the keynote speeches, Jason Li introduced the crowd to his AntiSamy project. I especially liked the way he’d organized his talk to compare several XSS mitigation techniques and then prove why AntiSamy’s (or HTMLPurifier’s) approach is better 😉 . His talk was followed by Rajesh Nayak’s (HP) talk titled Web App Security: Too costly to ignore. Although it was more of a sales pitch, it did have some valid points, and we did manage to have our share of fun. When a certain demo of his failed a couple of times and he had to restart his system, I couldn’t control my tendency to pass loud remarks and asked whether it was an HP laptop 😛 .
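As an added illustration of the comparison drawn in that talk (this is my example code, not AntiSamy’s or HTMLPurifier’s, whose real policy engines are far larger), here is a deny-list regex filter beside a parser-based allow-list sanitizer of the kind those two projects implement, run over a few constructed XSS payloads. The allowed tags, attributes and URL schemes are a made-up policy chosen for the demo, not either project’s default.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed test inputs for the demo; none of them come from the original post.
PAYLOADS = [
    '<b>hello</b>',
    '<script>alert(1)</script>',
    '<scr<script>ipt>alert(1)</script>',       # classic deny-list bypass
    '<img src="x" onerror="alert(1)">',        # no <script> tag at all
    '<a href="javascript:alert(1)">x</a>',     # script hidden in an attribute value
]


def blacklist_sanitize(html: str) -> str:
    """Deny-list approach: strip <script> tags and hope nothing else is dangerous."""
    return re.sub(r'(?i)</?script[^>]*>', '', html)


# Allow-list policy for the demo (an assumption of this example).
ALLOWED_TAGS = {'b', 'i', 'em', 'strong', 'p', 'a'}
ALLOWED_ATTRS = {'a': {'href'}}
SAFE_URL_SCHEMES = ('http:', 'https:', 'mailto:')


class AllowListSanitizer(HTMLParser):
    """Parse the input, then rebuild it from permitted tags and attributes only."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skip_depth = 0   # >0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ('script', 'style'):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return            # unknown element: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue      # onerror, style, id, ...: never copied through
            value = value or ''
            if name == 'href' and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue      # javascript:, data:, vbscript: are not on the list
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f'<{tag}{"".join(kept)}>')
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ('script', 'style'):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close back down to the matching tag so the output stays well-formed.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append(f'</{closed}>')
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:           # close anything the input left open
            self.out.append(f'</{self.open_tags.pop()}>')
        return ''.join(self.out)


def allowlist_sanitize(html: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


if __name__ == '__main__':
    for payload in PAYLOADS:
        print(f'{payload!r:45} deny-list  -> {blacklist_sanitize(payload)!r}')
        print(f'{"":45} allow-list -> {allowlist_sanitize(payload)!r}')
```

The deny-list filter turns the nested-tag payload into a working `<script>` element and passes the `onerror` and `javascript:` payloads through untouched, because it only knows what it was told to remove. The allow-list sanitizer never emits anything it did not explicitly reconstruct, so new attack vectors fall out by default rather than needing a new pattern.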

Manjula, Shreeraj, & Amit

The much-awaited talk by Shreeraj Shah on Web 2.0 Security came after lunch. As expected of him, the talk was pretty technical and wasn’t really for the noobs. He also talked about his home-brewed scripts for analyzing Web 2.0 enabled/hyped portals. Later, Roshan Chandran of Paladion presented a very interesting case study on Testing 200+ applications in a $10 Billion Enterprise. This talk provoked a lot of techies in the crowd who had been silent till then. Finally, Nischal Bhalla delivered a talk on Building an Enterprise AppSec Program. This is something I’ve been trying to do at my workplace (with the help of my bosses) and I guess I’ll be mailing Nischal for the presentation.

To summarize, none of the talks presented ground-breaking research that we were not already aware of, but the difference always comes with experience, and that’s what made it an amazing day. It was great to look at things from the perspective of these uber hackers. I am eagerly looking forward to tomorrow’s workshops: Advanced Threat Modelling by Mano Paul, and AppSec Code Review by Gaurav Kumar (which was originally scheduled to be given by Dinis Cruz).

Oh and yes! The food was pretty good too. 🙂

Bittu’s back :)

Bittu, my wife, got revamped. For unemotional people, it simply means I bought a new laptop 🙂

She is red, and she’s hot!

Bittu

She’s a Dell XPS M1330. Other features include:

1. Intel Core 2 Duo, 2.1 GHz (my first Intel; I used to be with AMD)
2. 200 GB HDD, 7200 rpm
3. 128 MB Nvidia graphics card (the games run awesomely, and I have re-entered the gaming arena; currently re-re-replaying Serious Sam: The Second Encounter)
4. Pre-loaded Vista 🙁 (I am still a little confused whether to go ahead with OpenSuse 10.3 or wait 6 more days for OpenSuse 11 to arrive. 😉 )
5. and other regular features like a DVD writer, fingerprint scanner, built-in webcam, etc. etc. etc.

I should have posted about her by now, but have been very, very busy with official work involving OpenSocial till yesterday. Hoping to publish the other draftified articles soon.

Slashdot, uh! :|

Slashdot is supposed to be a respectable (news) portal for geeks and nerds. Its tagline is News for nerds, Stuff that matters. I must admit that there was a time when I used to start my day with Slashdot, trying not to miss even a single story. That phase, however, is over. The two biggest problems with Slashdot today are:

1. The Slashdot community, which is being reduced to people who lurk around to post comical and sarcastic comments. It’s very seldom that you come across an intelligent and insightful comment.
2. The news, if I may say so, itself.

Image credit: flickr.com/photos/nesster/
This rant is a direct result of a story titled Google Assists In Arrest Of Indian Man, posted on the 19th. First of all, this is old news. In fact, I’d used the context to post a legal analysis of the impact of another Orkut worm, to the best of my knowledge and belief. I have nothing against reading old news, but for God’s sake, don’t claim it to be new.

Secondly, the post cites Shivaji as a saint. He was not a saint. He was a king and a warrior. Do your homework before posting, or rather approving such news.

Thirdly, the tone in which the post is written is as vague, if not more so, as the point the post tries to make. If you wish to blame Google, get proper info before doing that. Google has a pact with Indian law enforcement; they are bound to provide such info. If you wish to convey the news that the wrong person was convicted, say it. If you wish to bring up the role of Yahoo! and Google in such cases, do it properly.

All that being said, I don’t think I’ll completely stop reading /. . However, the prestige of being Slashdotted now seems to be just about traffic.

A new home for us :)

People who know me know that I detest social networking portals. Don’t worry, this post isn’t another rant. It’s more of an announcement that I’ve joined a social network 🙂

Yup! The guys at GNUCitizen have started a social network for hackers, and very intelligently named it House of Hackers. I’d like to call it HoH (as in Hah!) 🙂

House of Hackers

A few motives cited for creation of the network are:

  • To provide a platform for hackers to exchange ideas, communicate, and/or even form groups, elite or otherwise. Although Slackers is an amazing place to communicate, the web is never big enough for two similar houses. Moreover, they aren’t the same, just similar.
  • Create a hacker recruitment market. Recruiters could advertise here to recruit/hire people. The best part of this, as cited, would be that HoH would eliminate any middleman (or your employer), and hence help you earn more. Pretty obviously, this holds meaning for the elite ones only. But then I have always believed that you can learn only to the extent you can challenge yourself… and good company definitely challenges you 🙂
  • Fund research programs from time to time. Not so long ago, Ronald came up with the idea of the Router Hacking Challenge, where you had to hack your own router and make the findings public. The _cutest_ hack would be regarded the best. GNUCitizen (Ronald is now a part of GNUCitizen) hosted the contest. I mention this just to affirm that I really like the guys at GNUCitizen, and I am really excited to know that they’d be encouraging the community (and funding it too). The money is expected to come from the recruitment advertisements.

Needless to summarize that I am keeping my eyes open, fingers crossed and hoping that this turns out to be a great venture for the community.

Just one concern: these %*^*@#$ hackers will keep screwing with the networking portal, you know. 😉

My profile link.

iHacker

I have a special liking for T-shirts with quotes. The geekier the quote, the geekier… I mean, the better.
I got this T-shirt made for myself a couple of days ago.
In case you didn’t get it, it’s a mockery of the crippled iPhone.

iHacker

Oh by the way, this is my first post on the new blog, and this pic is a response to Swenny’s post on Adding an “i” 🙂

"COLUKABKI – AOL – MSN – YAHOO – RED CROSS"….. aaah Comm’n Gimme a break.

It’s really interesting that even engineering students, who are supposed to have a very ANALYTICAL mind, are least bothered about verifying anything before believing it…… and that too when they have access to GOOGLE.

This post of mine is in response to the hundreds and thousands of mails that are forwarded so that somewhere, somebody’s LIFE COULD BE SAVED BY FORWARDING THE BLOODY MAIL.
AOL, Yahoo, Red Cross, MSN etc. etc. etc. will supposedly donate a certain amount of money FOR EACH TIME THE MAIL IS FORWARDED (generally 1 cent).
Isn’t that interesting???? I mean, what these companies could do generously (if they wished to), they will do only when some BIG HEARTED person forwards the mail.
And guess what??? They supposedly count the forwards without attaching any kind of tracker to the mail… not to mention that anything even close to a tracker would be a threat to an individual’s privacy… 🙂

I cannot stop myself from sharing one other similar interesting mail. The mail said that an INDIAN BOY HAS CHALLENGED BILL GATES BY DEVELOPING AN O/S CALLED “O! YES”, which is very Robust, Secure, blah blah blah… And HP has proposed to purchase it.
Now, the first thing… making such an O/S is no joke. This has nothing to do with the crappy nature of WINDOWS (hehehhe); it just means that it’s very difficult for a young child to do so.
Secondly, if someone succeeded in doing so, this news would be the hottest one around…. not one which has to be conveyed via email. 😛 And the most interesting part….. this mail has been doing the rounds for 5 years (at least) :))

These mails are generally used for two reasons:

  1. For fun…. or to make a mockery of someone.
  2. For harvesting your email address for spamming……. I know this is strange, but it’s true. If you have any such mail in your mailbox, just count the number of email addresses in it (every hop leaves its To: and Cc: lists behind in the quoted headers), and then imagine what you would do with them if you were a spammer. These mails are in fact sent by spammers so that they can collect a reasonably large number of such email addresses.

JUNTA, please don’t feel bad if you have been forwarding such mails.
Obviously, nobody knows everything… but you can be a little careful when you receive such mails.

  1. Ignore such mails.
  2. If you really feel that the mail is genuine and needs to be forwarded, GOOGLE some keywords contained in the mail,
  3. or forward it after removing all the previous email addresses.
  4. ALTERNATELY, YOU MAY ALSO DISTRIBUTE THE LINK OF THIS ARTICLE FOR SPREADING AWARENESS 🙂
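As an added example (mine, not from the original post), the following Python shows both halves of the point above: what one forwarded copy hands a spammer, and how to scrub the addresses out before the mail goes on. The chain mail is constructed for the demo; the names and domains in it are made up.

```python
import re
from typing import List

# Constructed sample of a multiply-forwarded chain mail (not a real message).
CHAIN_MAIL = """\
From: ravi@example.com
To: amit@example.com, priya@example.com
Subject: FW: FW: FW: Forward this and AOL will donate 1 cent!

---------- Forwarded message ----------
From: priya@example.com
To: "Kumar, R." <rkumar@example.net>, sunita@example.org; ravi@example.com
Subject: FW: FW: Forward this and AOL will donate 1 cent!

> ---------- Forwarded message ----------
> From: rkumar@example.net
> Cc: deepak@example.net, Sunita <sunita@example.org>
>
> Please forward this to everyone you know. For each forward AOL, MSN and
> Yahoo will donate 1 cent to the Red Cross. A boy's life depends on it!
"""

# Good-enough address matcher for quoted headers; not a full RFC 5322 parser.
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')


def harvest_addresses(text: str) -> List[str]:
    """What a spammer gets from one forwarded copy: every address in the quoted
    hops, deduplicated case-insensitively, in order of first appearance."""
    seen, found = set(), []
    for addr in EMAIL_RE.findall(text):
        key = addr.lower()
        if key not in seen:
            seen.add(key)
            found.append(addr)
    return found


def scrub_before_forwarding(text: str) -> str:
    """Step 3 of the advice above: blank out every address in the quoted history
    while keeping the rest of the text intact."""
    return EMAIL_RE.sub('[address removed]', text)


if __name__ == '__main__':
    harvested = harvest_addresses(CHAIN_MAIL)
    print(f'{len(harvested)} addresses harvested from one copy:')
    for addr in harvested:
        print('  ', addr)
    print()
    print(scrub_before_forwarding(CHAIN_MAIL))
```

Three hops of a six-line forwarding chain already yield six distinct addresses; a mail that has been through a few dozen mailboxes carries hundreds. Scrubbing before forwarding (or using Bcc so the recipient list never travels with the mail) is what keeps them out of the next copy.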