Sunday, 4 November 2012

PII collection for cooking gas

Millions of Indians are almost being forced to disclose their PII (Personally Identifiable Information) and their bank account details to get domestic cooking gas. This information is being collected by the cooking gas dealers through a KYC form (Know Your Client form).

The collection of this information appears to violate Section 43A of the Indian Information Technology Act, 2000.

The Government of India recently notified the “Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011” (the “Rules”) under Section 43A of the Information Technology Act, 2000 (the “IT Act”). The Rules have been in effect since April 11, 2011.

Collection of Information:
Rule 5 of the Rules deals with the collection of sensitive personal data or information. It states that a body corporate must first obtain consent in writing, whether by letter, fax or email, from the provider of such information (here, the gas consumers) regarding the purpose of its use, before collecting the information.

The gas dealers who are collecting this information must comply with reasonable security practices and procedures. They should hold ISO/IEC 27001 certification (“Information Technology - Security Techniques - Information Security Management System - Requirements”).

The following information is being collected:
Name
Date of Birth
Father's, Mother's & Spouse's Name
Address
Home Phone Number
Mobile Phone Number
Email Id
ID: Permanent Account Number, Passport Number, Driver's License number, Voter Id, Aadhar UIDAI and any other id issued by Central or State govt.
Photocopy of: house registration document, ration card, Life Insurance policy document
Bank Account Number, Bank Code, Bank Address
Copy of telephone/electricity bill
Copy of ration card
Copy of passport


Uhhhh.. isn't that too much information? Criminals would see it as a goldmine.

With the help of the information that will be collected in the KYC form, one can empty your bank account in a couple of hours. I know how your bank account could be robbed with the help of this information (I'm not going to tell you this ... :) ). But imagine what will happen if this information falls into the hands of criminals - Catastrophic !!!

Before submitting this information to the dealers, we should ask the dealers whether they are certified to collect such sensitive information.





Friday, 8 June 2012

LinkedIn password leak

Hackers got access to 6.5 million users' unsalted SHA-1 password hashes. We don't know whose accounts were compromised, or what the level of compromise was, before LinkedIn triggered its incident response process and stopped further compromise.

We still don't have information about how the hackers managed to get hold of this data. But one thing is certain: it is an example of absolute negligence. If basic principles of security had been followed, the hackers would not have been able to recover the actual passwords from the hashed passwords as quickly as they did. LinkedIn should have at least used salted hashes.

So, what is Secure Hash Algorithm 1 (SHA-1)? It is a cryptographic hash algorithm that converts any text/message into a fixed-length 160-bit value (20 bytes, usually written as 40 hexadecimal characters) that is, for practical purposes, unique to that input.
If your password is "MyPassw0rd" then SHA-1 will convert it to something like "e3e5cb40f7fc229ec70d50bc67072dd37ea186c7". This is the way the passwords were stored in the LinkedIn database.

By design, there is no algorithm that converts the hash value (like e3e5cb40f7fc229ec70d50bc67072dd37ea186c7) back into the actual text (MyPassw0rd). But there is a work-around to get the actual value from the hashed value.

What if we had a huge table of pre-computed hash values and their corresponding actual values, like the sample table shown below?

Hashed Password                             Actual Password
e3e5cb40f7fc229ec70d50bc67072dd37ea186c7    MyPassw0rd
e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4    secret
f4e7a8740db0b7a0bfd8e63077261475f61fc2a6    Secret

Table 1: The "Hashed Password" column shows how LinkedIn stored our passwords.
Such huge pre-computed tables are freely available for reversing hashed passwords into actual passwords. Such a table is known as a Rainbow Table. Anyone can search a huge database of pre-computed hashes at http://hashlab.info/ . Even if the database does not have an entry for a particular hashed value, the known weaknesses of the SHA-1 algorithm would have made the hackers' task of reversing the hash value into the actual value easier.
Anyone who follows security best practices would never hash passwords without a salt.
So, what is a salt? A salt is nothing but a long random value that is added to the actual password before the password is hashed.
That means that if two users have the same password, secretPassw0rd, it will be hashed with two different randomly generated numbers:
  • SHA-1 hash of [secretPassw0rd + 39432] = 3e2a12099ac8762414ea81874b0ef7c82a5106db
  • SHA-1 hash of [secretPassw0rd + 42451] = b8c61b002cfb164a99f9421d4a805719e005c5fb
The addition of a long random number makes rainbow tables impractical for recovering the actual passwords. Disclosure of the actual passwords would have been prevented if LinkedIn had stored them as salted hashes, using at least SHA-256. SHA-256 is the successor to SHA-1; it addresses the known weaknesses of SHA-1 and is more secure.
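The following Python script is an added example, not code from the original post or from LinkedIn. It builds a tiny constructed stand-in for the pre-computed table in Table 1 (five candidate passwords hashed with unsalted SHA-1), shows that reversing an unsalted hash is then nothing more than a dictionary lookup, shows that appending the post's two example salts to the same password produces two different digests that the table cannot reverse, and finally implements the salted SHA-256 storage and verification the post recommends. The record format "<salt hex>$<digest hex>" and the 16-byte salt length are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for the huge pre-computed table the post describes:
# a handful of candidate passwords, each to be hashed with plain unsalted SHA-1.
CANDIDATE_PASSWORDS = ["MyPassw0rd", "secret", "Secret", "password", "letmein"]


def hash_with(algo: str, salt: bytes, password: str) -> str:
    """Hex digest of password || salt (salt appended, as in the post's bullets)."""
    return hashlib.new(algo, password.encode("utf-8") + salt).hexdigest()


def build_precomputed_table(candidates) -> Dict[str, str]:
    """Map unsalted SHA-1 digest -> plaintext, like Table 1 in the post."""
    return {hash_with("sha1", b"", p): p for p in candidates}


def reverse_by_lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    """The 'work-around': reversing an unsalted hash is just a table lookup."""
    return table.get(digest)


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store as salted SHA-256, the minimum the post recommends.

    A fresh 16-byte random salt per user is generated and kept next to the
    digest, because it is needed again at verification time.
    Record format (assumed for this example): '<salt hex>$<sha256 hex>'.
    """
    if salt is None:
        salt = os.urandom(16)
    return f"{salt.hex()}${hash_with('sha256', salt, password)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the salted digest and compare it in constant time."""
    salt_hex, expected = record.split("$", 1)
    actual = hash_with("sha256", bytes.fromhex(salt_hex), password)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    table = build_precomputed_table(CANDIDATE_PASSWORDS)

    # Unsalted, as LinkedIn stored it: reversed instantly by lookup.
    leaked = hash_with("sha1", b"", "secret")
    print("unsalted lookup:", reverse_by_lookup(table, leaked))  # secret

    # Salted with the post's two example salts: same password, two different
    # digests, and neither of them is in the pre-computed table.
    for salt in (b"39432", b"42451"):
        salted = hash_with("sha1", salt, "secretPassw0rd")
        print(f"salt {salt.decode()}: {salted} ->", reverse_by_lookup(table, salted))

    # Recommended storage and verification.
    record = store_password("secretPassw0rd")
    print("verify correct password:", verify_password("secretPassw0rd", record))
    print("verify wrong password:  ", verify_password("secretPassw0rd!", record))
```

Two design points are worth noting: the salt is stored in the clear next to the digest (it is not a secret, it only has to be unique per user), and the comparison uses hmac.compare_digest so that verification time does not leak how many leading bytes of the digest matched.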

Sunday, 3 June 2012

Security risks of Windows auto login

In this post I want to highlight the risks to the firm's network posed by a Windows system on the network that has auto login enabled.

Sometimes there are requirements for Windows systems with auto login enabled. The usual reason is that a critical application must be started without any human interaction after a reboot. A very common cause of such reboots is the weekly patching of the system by an automated patch management system.

Risks:
  1. Anyone with physical access to this system may compromise the confidentiality, integrity and availability of the data and services running on the auto login enabled system.
  2. If resources on the network are protected by a Kerberized infrastructure, the bad guy would have access to all the resources on the network that are accessible to this auto login user id and protected by that infrastructure.
  3. This auto login enabled system could be exploited for data leakage, or for malicious activities carried out by the bad guy on behalf of the user whose id is used for the auto login.

Controls to reduce the risk:
  1. Set the screen lock timeout as low as possible. This control alone is not enough, because the bad guy could take over this user account simply by power-cycling the system.
  2. The system should be physically secured, for example by keeping it in a locked cabinet.
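Finding such systems before a bad guy does is the first step, so here is an added audit script (not part of the original post) that reads the Winlogon registry values Windows uses for automatic logon and turns them into findings that map onto the risks above. The key path and value names (AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword, AutoLogonCount) are the real ones under HKLM; the registry read only works on Windows, while the assessment is a pure function that can also be run on values collected from many machines. The sample dictionaries in the usage section are constructed.

```python
import sys
from typing import Dict, List

# Registry location Windows uses for automatic logon (real key and value names).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_VALUES = ("AutoAdminLogon", "DefaultUserName", "DefaultDomainName",
                   "DefaultPassword", "AutoLogonCount")


def read_winlogon_values() -> Dict[str, str]:
    """Read the Winlogon values from HKLM. Windows only; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library on Windows only
    result: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in WINLOGON_VALUES:
            try:
                value, _ = winreg.QueryValueEx(key, name)
                result[name] = str(value)
            except FileNotFoundError:
                pass  # value not set on this machine
    return result


def assess_auto_logon(values: Dict[str, str]) -> List[str]:
    """Return findings for the Winlogon values of one machine.

    Pure function: it can be run against values read locally, collected from
    many machines, or constructed by hand, without touching the registry.
    """
    findings: List[str] = []
    if values.get("AutoAdminLogon", "0").strip() != "1":
        return findings  # auto logon is off; the risks in the post do not apply
    user = values.get("DefaultUserName", "<unknown>")
    domain = values.get("DefaultDomainName", "")
    account = f"{domain}\\{user}" if domain else user
    findings.append(f"auto logon enabled for {account}: anyone with physical access "
                    "gets this account's session, including its Kerberos access")
    if "DefaultPassword" in values:
        findings.append("DefaultPassword is stored in cleartext in HKLM, so the "
                        "password is exposed to local users and to anyone who images the disk")
    if "AutoLogonCount" not in values:
        findings.append("no AutoLogonCount: auto logon is permanent rather than "
                        "limited to a fixed number of reboots")
    if domain:
        findings.append("domain account: review its group memberships and the network "
                        "resources reachable from this console session")
    return findings


if __name__ == "__main__":
    # On a Windows host this audits the local machine; elsewhere the constructed
    # sample below shows what the findings look like.
    values = read_winlogon_values() or {
        "AutoAdminLogon": "1",          # constructed sample values
        "DefaultUserName": "svc_kiosk",
        "DefaultDomainName": "CORP",
        "DefaultPassword": "<redacted>",
    }
    for line in assess_auto_logon(values):
        print("FINDING:", line)
```

One caveat when reading the output: the absence of a DefaultPassword value does not mean no password is stored, because tools such as Sysinternals Autologon keep it as an LSA secret instead of a plain registry string, so an "auto logon enabled" finding deserves follow-up even when the cleartext finding is absent.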



Saturday, 21 January 2012

WiFi simplicity (WPS) - A Threat Agent



WPS: The WiFi Alliance created a standard, WiFi Protected Setup (WPS), to simplify setting up and securing a WiFi home network. This standard has been quite useful for the less technical WiFi network owner, who does not need to worry about which security protocol or which encryption standard to use for their home network.

WPS-enabled routers complete the setup task at the push of a button. But now, with the identification of a vulnerability in the design of WPS, a WPS-enabled WiFi network can easily be penetrated in just a couple of hours.

Apparently, most WiFi routers not only offer WPS but have it enabled by default, and unfortunately on some WiFi routers the setting to disable WPS does not actually do anything.

At present there is no permanent solution to this problem, but it is recommended to disable WPS on WiFi routers.

So guys.. just wake up and disable it. And also change the WiFi security key; you never know whether your WiFi network has already been penetrated with the help of this vulnerability.

The process of disabling WPS on some routers is described in the links below:

Belkin
D-Link
Linksys
Netgear

The router vendors should provide firmware upgrades to fix this vulnerability.
Keeping in mind that WPS was developed for less technical users, it will be a challenge in the near future to make these WPS users aware of this vulnerability so that they can take the necessary steps to protect themselves from it.