An IT Professional’s Blog

The Indian government has set in motion an ambitious plan to develop its own software & operating systems after the spurt in cyber attacks on Indian establishments. I think this is a bad idea and being an Indian i thought of contributing.

The Problem is not with the OS or software, it is with the way IT is managed.

Indian government should look at addressing the management of IT; developing a OS (or software) is not the solution. I am sure existing players can do a better job because they have matured their processes over time and it is really a mammoth task.

If i were to address this problem, i would start with this to-do list:

Do a risk assessment and then develop a risk management system
Develop an security management system or adopt some existing system like ISMS
Create a security plan & include specific plans for departments/units
Develop security evangelists in government departments
Implement technical systems like standard hardening like US Fed's or have special a government build

Posted via email from Ramki's posterous

Thursday, May 13, 2010

Hacking "Time"

Who is not fascinated by traveling over time to future or past? this may be possible.

Reason: Time runs at different rates in different places in universe you just have to travel fast almost 186k miles/sec to endup in future

Good article from Stephen Hawking

Posted via email from Ramki's posterous

Sunday, January 24, 2010

Current high focus area for CISOs should be APT

These APTs has been getting lot of attention recently and reasons why CISOs should focus on this threat now are:

a) These are essentially a type of targeted attack

b) And if they miss they reload and fire again till they hit the target

c) These are “Advanced” meaning they use publicly available exploits as well as develop custom ones

Draw up action items like; more focus on log analysis and checking out the reason behind the traffic to that xyz country IP(s) where your company has no business, more aggressive SPAM filtering, etc... And it helps to do things like network pruning and review of your IT policies & procedures

Posted via email from Ramki's posterous

Sunday, December 20, 2009

Odds of losing confidential personal data is increasing

This article Electronic Medical Records: The Good, Bad, And Ugly was a trigger to this post.

If you lose your medical record along with 10 or 1000 others will it make any difference to you? I think it will be more traumatic if you are amongst few as the redress modes will be different.

What about losing credit card details?

Imagine now even malware can have QA and botnet is an industry they even run help desk. Added to this (probably) unethical practices like this and sophisticated attacks like this the chances of losing confidential information is increasing.

What are the odds does an average citizen have against these? Maybe high in places like USA & Europe but in a developing country they are pretty low.

Posted via email from Ramki's posterous

Saturday, December 12, 2009

Hacking thoughts - Insecure ATM port

Warning: These are just random thoughts and with lot of presumptions; readers are advised that trying/doing similar activity would be a serious criminal offense and finally I am not a native speaker of English and may have used colloquial words hence no arguments on English usage.

I used an ATM today; this machine of a major Indian private bank was located on the premise of its branch. As I finished and turned to exit I noticed network patch cords connected to the ATM NIC were exposed; it shouldn’t be like this … someone could

a) Take a picture (like I did) and shout at the bank about the lack of cable security
b) Yank out the cord and get the ATM out of order temporarily
c) Rig the I/O (network socket) by connecting a HUB & AP (power socket was inches away) and hack into the bank network

Third is serious stuff, I wondered how one could accomplish this task? here is a possible way...

Requirements:

HUB & Pocket wireless AP, Laptop…
Tools (NMAP, Cain and Abel, Wireshark,…)
A quiet day, companion, crutches,…

Steps:

1) Select a Sunday night
a) Not much of traffic b) Detection may happen only well into business hours on Monday.

2) Get into the ATM with a companion on crutches
He needs help and this takes care of the security guard.

3) Let the companion use the ATM (just fiddling around like operating) meanwhile do something like dropping papers on the floor and under the pretext of gathering them up; quickly connect the equipment (HUB, AP & power) move something inconspicuous like wastepaper bin (there is usually one) to hide them from normal view.
This takes care of the camera (you are out of the view and just picking up some papers) and the casual glance of anyone (wastepaper bin blocks the gear)

4) Sit in a parked car within range of the AP (I saw a good quiet lane across the road), and…

4a) Check for vulnerable hosts online, PWN and get data, plant back-doors, c&c,…

4b) Or simply capture packets from the ATM interface to check for valuable information

Idea of this post is just to look at the possibility hence kept simple; but this requires lot of skill (which I don’t have :-) ) and may turn out to be taken as FUD phenomenon.

I plan to inform the bank about this weakness let me see how they view it.

Posted via email from Ramki's posterous

Wednesday, December 9, 2009

Automated tool assisted vulnerability assessments

ISO27001 requirements 15.2.2: Technical compliance checking Control states - "Information systems shall be regularly checked for compliance with security implementation standards"

Code of practice ISO27002 states "Technical compliance checking should be performed either manually (supported by appropriate software tools, if necessary) by an experienced system engineer, and/or with the assistance of automated tools, which generate a technical report for subsequent interpretation by a technical specialist"

ISO27k certified companies need to conduct periodic vulnerability assessment and hence employ consultants for this. Mostly the scope is to run a series of predominantly automated tests using vulnerability scanners and provide a report & recommendations.

This makes them comply but Is this enough? NO

This post was triggered by thoughts after

> Reading Information Escapology, part five – Careful with That Proxy, Eugene... Will a standard vulnerability assessment address this? i guess no. It depends on who is doing? depth? methodology? etc.

> After hearing this from a consultant (someone i trust). It seems after a capability presentation session to a large company, the company's CISO asked him if they were the Authorized Scanning Vendor for the scanning tools & was the consulting company PCI DSS compliant... these were the only questions he had on the vulnerability assessment service process; nothing on things like what is the typical approach, methodology, depth, etc. Is it enough if your consultant is an ASV for a tool? Do you need to be PCI DSS compliant to do a vulnerability scan?

Conclusion: For most of them it looks like only compliance matters (or) they want a testing service that is so cookie cutter that the scope will be automatically limited to the basic scan-and-patch kind of findings

Posted via email from Ramki's posterous

An IT Professional’s Blog

Sunday, May 23, 2010

Few links i found worth sharing from the week (Wk.20/2010):

Friday, May 14, 2010

Advice to Govt. of India after the decision to develop their own version of OS & Software

Thursday, May 13, 2010

Hacking "Time"

Sunday, January 24, 2010

Current high focus area for CISOs should be APT

Sunday, December 20, 2009

Odds of losing confidential personal data is increasing

Saturday, December 12, 2009

Hacking thoughts - Insecure ATM port

Wednesday, December 9, 2009

Automated tool assisted vulnerability assessments

Followers

Blog Archive

About Me