
Showing posts with label INFORMATION SECURITY. Show all posts

Sunday, September 09, 2018

Aadhaar on Blockchain : Consider or not? - Post 1/2

[This post starts by introducing Aadhaar, its size and the current way of handling the data sets, discusses its problems, and then proposes Blockchain as a solution]

1.   When Aadhaar was originally introduced around 2009-10 by the Unique Identification Authority of India (UIDAI), it would not have envisaged the kind of data juggling, analytics and security threats it would be subjected to in times to come. And here we are around the third quarter of 2018, wherein Aadhaar is central to so many authentications in the country, being exploited in so many public utility services and at the same time being subjected to all kinds of threats and claims of data theft and leaks. For the record, it is estimated that around 1.2 billion citizen records are held in the CENTRAL servers, which thus form the world's largest biometric identity repository. UIDAI claims that the same is protected by layers of state-of-the-art cryptography in central servers located in the country.

2.  Now in the world of IT, wherein claiming to be 100% secure is likely to remain a myth for ages ahead, can something un-hackable really exist on this earth? We may harden something, we may add layers of security, we may do every possible hard encryption on this earth, but can we imagine a fool-proof IT domain anywhere? The question attains severe importance when the biometric repository data of a 1.2 billion plus population of a country is at stake.

3.  Now what do we have on the platter here? If we consider the size of data, we can make the following assumptions:

(a) Per person biometric data size: 4-6 MB (I take the maximum)

(b) Approx. data populated for: around 1.25 billion plus, i.e. 1,250,000,000 records

Total data, i.e. 6 MB x 1,250,000,000 = 7,500,000,000 MB, i.e. around 7.5 Petabytes..... that's it... extrapolate the same with on-site backups and mirrors around... disaster recovery sites... we may just be discussing around 20 PB of data.

Even if we consider augmenting the data with the remaining population and generations ahead, we will be at most around 40-45 PB of data to suffice for the next few decades. That's all from the point of view of scalability of data and size.

4.  Now for this amount of data, what are our security options in the present scenario?

Firstly, we keep doing permutations and combinations and applying layers of hard-coded security to the central servers that we have at various locations mirrored to each other. This presently includes the following: [SOURCE : http://www.cse.iitd.ernet.in/~suban/reports/aadhaar.pdf]

- 2048-bit PKI encryption of biometric data in transit. End-to-end encryption from enrollment/POS to CIDR.

- Trusted network carriers.

- Effective precaution against denial of service (DOS) attacks.

- HMAC (keyed-hash message authentication code) based tamper detection of PID (Personal Identity Data) blocks, which encapsulate biometric and other data at the field devices.

- Registration and authentication of AUAs.

- Within CIDR only a SHA-n hash of the Aadhaar number is stored.

- Audit trails are stored SHA-n encrypted, possibly also with HMAC based tamper detection.

- Only hashes of passwords and PINs are stored.

- Biometric data are stored in original form though.

- Authentication requests have unique session keys and HMAC.

- Protection against replay attacks.

- Resident data stored using 100-way sharding (vertical partitioning). The first two digits of the Aadhaar number are used as shard keys.

- All system accesses, including administration, go through a hardware security module (HSM) which maintains an audit trail.

- All analytics carried out only on anonymized data.

From the IT guy's perspective, don't we actually know that the above are all individually knitted layers and tools of security, wherein we are creating a very complex network of solutions for ourselves which might get even more complex to handle and manage in times to come, with more severe security threats in the pipeline?

At the same time, all the above solutions and knitted combinations are looking and bracing for external threats, while we take insider threats as negligible or for granted any day.

So do we have any other ecosystem of architecture that turns the tables upside down from the security and immutability point of view while OFFERING A MORE ROBUST, SECURE, IMMUTABLE AND TRANSPARENT ARCHITECTURE... can BLOCKCHAIN be a solution?

So we have the above scenario, which discusses what we have on the platter and what we are actually doing to negate the threats.... the next post will discuss how BLOCKCHAIN can assist in negating the security threats Aadhaar faces as on date.

Sunday, October 29, 2017

BITCOIN FORENSICS AGAIN : Bsides Delhi 2017

1. I have been on something of a spree giving presentations in the domain of BITCOIN FORENSICS for the past few months... more or less discussing the same terms of reference, though always to a new audience. Recently I participated at BSides Delhi. Security BSides is a community-driven framework for building events by and for information security community members. These events are already happening in major cities all over the world!

The idea behind the Security BSides Delhi is to organise an Information Security gathering where professionals, experts, researchers, and InfoSec enthusiasts come together to discuss. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.

2.  Details on the event and about me at https://bsidesdelhi.in/anupam-tiwari/


Monday, August 17, 2015

Kali Linux 2.0 : The new release has arrived

Kali Linux is a well-known penetration testing distro that also contains a plethora of digital forensics tools; it is widely used by the ethical hacker community across the globe and is maintained and developed by the organization known as “Offensive Security”. It comes with over 650 tools pre-installed that help perform tasks like network analysis, ethical hacking, load & crash testing etc. It is powered by Linux kernel 4.0 and has enhanced support for different graphics cards and desktop environments. The most recent version of Kali was released a few days back, and here I bring you step-by-step screenshots of the installation in VirtualBox.

[Screenshot: Kali Linux 2.0 boot menu in VirtualBox]

Choose Install above.

[Screenshots: the installer screens that follow]

The desktop boots to the screen shown in the final screenshot... that's it... You are ready to go....

Sunday, February 15, 2015

ANTHEM INC Data Breach : What is it all about?

1.   January 29, 2015 has gone down on record as one of the greatest data breaches in the history of breaches and will long be a case study for students to learn how it all happened. This particular breach relates to Anthem Inc, the largest for-profit managed health care company in the Blue Cross and Blue Shield Association, which discovered that cyber attackers executed a sophisticated attack to gain unauthorized access to its IT system and obtained personal information relating to consumers who were or are currently covered by Anthem. It is believed that this suspicious activity may have occurred over the course of several weeks beginning December 2014.

2.    Anthem disclosed that over 37.5 million records containing personally identifiable information were potentially stolen from its servers. According to The New York Times, about 80 million company records were hacked, and there is fear that the stolen data will be used for identity theft.

3.  This post brings out a few key points of whatever has been discovered and revealed till now...

-   The compromised information contained names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data.

-   Till now, compromise of credit card, banking, financial or medical information has not been validated.

-   As per the site... “With nearly 80 million people served by its affiliated companies including more than 37.5 million enrolled in its family of health plans, Anthem is one of the nation’s leading health benefits companies.”.... this shows the likely quantified number of customers affected... and that's huge....

-   Once the attack was discovered, the company immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.

-   There is open-source analysis of the cyber criminal infrastructure likely used to siphon 80 million Social Security numbers and other sensitive data from the health insurance giant.

-   Less than 6 months ago a similar breach affected CHS (Community Health Systems, Inc.), involving 4.5 million patient records, and was attributed to “highly sophisticated malware”.

-   The Company and its forensic expert believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack Anthem Inc's systems.

-   According to the Associated Press, the attackers who targeted and exfiltrated more than 80 million customer records from Anthem Inc were able to commandeer the credentials of at least five different employees. We know from Anthem themselves that at least one admin account was compromised, as the admin himself noticed his credentials being used to query their data warehouse.


HOW IT COULD HAVE HAPPENED?

"Looking at job postings and employee LinkedIn profiles it appears that the data warehouse in use at Anthem was TeraData. By doing some quick searches on LinkedIn I was able to find more than 100 matches for TeraData in profiles of current employees at Anthem, including, CXOs, system architects and DBAs. Discovering these employees emails is trivial and would be the first step attackers could take to identify who to target for spear-phishing campaigns.

Once they are able to compromise a few high level employee systems through a phishing campaign either through malware attachments or through a browser exploit, gaining access to a user’s database credentials would be trivial. This would be where the “sophisticated malware” that is being reported would be utilized, if the malware was designed specifically for this attack it would evade most anti-virus products.

What may be a key weakness here is that it appears there were no additional authentication mechanisms in place, only a login/password or key, with administrative level access to the entire data warehouse. Anthem’s primary security sin may not have been the lack of encryption, but instead improper access controls. Although it appears the user data was not encrypted, in Anthem’s defense if the attackers had admin level credentials encryption would have been moot anyway.

I should note that TeraData provides quite a few security controls, including encryption, as well as additional data masking features, even specifically called out for protecting Social Security Numbers and related data. So odds are the actual vulnerability here is not in the software, operating system or hardware, but how the system and access controls were configured based on business and operational requirements."


Source : http://www.tripwire.com/state-of-security/incident-detection/how-the-anthem-breach-could-have-happened/
Another set of possibilities is discussed in The Hacker News (THN) post at http://thehackernews.com/2015/02/anthem-data-breach.html
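The quoted analysis points at admin-level credentials being used to query the data warehouse, noticed only because the admin himself saw his account in use. As an added example (written for this post; not from Anthem, Tripwire or THN), the following baseline-and-deviation check over constructed query-audit lines shows the kind of signal that would surface such use automatically; the log format, the privileged account name and the thresholds are assumptions.

```python
import re
from datetime import datetime

# Constructed query-audit records for a data warehouse (not real Anthem logs):
# timestamp, account, client address, rows returned.
AUDIT_LOG = """\
2015-01-20T09:12:03 user=dw_admin src=10.20.1.15 rows=1200
2015-01-22T11:47:10 user=dw_admin src=10.20.1.15 rows=2500
2015-01-22T14:03:09 user=analyst1 src=10.20.1.40 rows=300
2015-02-03T02:31:55 user=dw_admin src=10.20.7.201 rows=9800000
2015-02-03T02:40:12 user=dw_admin src=10.20.7.201 rows=12000000
2015-02-03T09:00:01 user=analyst1 src=10.20.1.40 rows=250
"""
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+)")
PRIVILEGED = {"dw_admin"}  # assumed: accounts that can read the whole warehouse


def parse_log(text):
    """Turn audit lines into dicts; malformed lines are skipped."""
    records = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["rows"] = int(rec["rows"])
        records.append(rec)
    return records


def build_baseline(records, learn_until):
    """Per account: client addresses seen and largest result set, up to learn_until."""
    base = {}
    for r in records:
        if r["ts"] <= learn_until:
            b = base.setdefault(r["user"], {"srcs": set(), "max_rows": 0})
            b["srcs"].add(r["src"])
            b["max_rows"] = max(b["max_rows"], r["rows"])
    return base


def detect(records, baseline, learn_until, row_factor=10, quiet_hours=range(0, 6)):
    """Flag privileged-account queries after learn_until that break the learned pattern."""
    alerts = []
    for r in records:
        if r["ts"] <= learn_until or r["user"] not in PRIVILEGED:
            continue
        b = baseline.get(r["user"], {"srcs": set(), "max_rows": 0})
        reasons = []
        if r["src"] not in b["srcs"]:
            reasons.append("new-client-address")   # credential used from elsewhere
        if b["max_rows"] and r["rows"] > row_factor * b["max_rows"]:
            reasons.append("bulk-read")            # far above this account's norm
        if r["ts"].hour in quiet_hours:
            reasons.append("quiet-hours")          # outside normal working hours
        if reasons:
            alerts.append((r["ts"].isoformat(), r["user"], reasons))
    return alerts


def run(log=AUDIT_LOG, learn_until=datetime(2015, 1, 31)):
    # Learn from January, then score everything after it.
    records = parse_log(log)
    return detect(records, build_baseline(records, learn_until), learn_until)
```

Each alert carries every reason that fired, so a single bulk read from a new address outside working hours stands out even when the credential itself is valid.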

Tuesday, July 23, 2013

Best IT SECURITY INFO & NEWS Sites

1.         IT Security enthusiasts (guys/girls) always keep looking forward to discovering new sites that keep them enriched with the latest happenings in the buzzing IT SECURITY world... I am listing out the sites that I keep abuzz with. These are not necessarily in the order of my preference, nor do they have any kind of ratings or ranking.... but a whole lot of enriching info is available for every cyber security guy!!!

http://www.schneier.com/

http://thehackernews.com/

https://www.privacyrights.org/

https://www.owasp.org is specific to web application security subjects

http://www.itsecurity.com/

http://technet.microsoft.com has more of MS related aspects

http://csrc.nist.gov/

http://www.sans.org/

http://www.securityfocus.com/ : by Symantec

http://www.cert.org/

http://www.scmagazine.com/

http://www.securityweek.com/

http://nakedsecurity.sophos.com/

http://www.darkreading.com/

....surf a few of them and enrich yourself!!!! All the best

Tuesday, July 09, 2013

Wednesday, May 08, 2013

Central Monitoring System : Another step in the Wrong Direction ?


1.    The month of May has started with a "Will" from the Indian Government. Now, after so many still-unresolved issues on Facebook posts and similar things in respect of privacy, it has come up with the Central Monitoring System (CMS). The concept was placed in parliament some time in December 2012 by the then information technology minister Milind Deora; the government plans to spend Rs 400 crore on it, and it would "lawfully intercept internet and telephone services".

2.  Now this means that everything we say or text over the phone, write, post or browse over the Internet will be centrally monitored by Indian authorities. Every byte of what is being exchanged by you over the net would be monitored..... but is it actually required? I have doubts per se, owing to the amount of further investment it would require. At a time when Big Data analytics is still maturing, investing so much on monitoring and storing some portion of it pan-India would be a herculean task. The key points that I found interesting are dotted below:

- With the lack of privacy laws to protect Indian citizens against potential abuse, this would set another example of a wrong feather in the cap.

- CMS has been prepared by the Telecom Enforcement, Resource and Monitoring (TREM) and the Centre for Development of Telematics (C-DoT) and is being manned by the Intelligence Bureau.

- Without any manual intervention from telecom service providers, CMS will equip government agencies with Direct Electronic Provisioning, filtering, and Call Data Record (CDR) analysis and data mining to identify personal information and provide alerts on target numbers.

- The estimated cost of CMS is Rs. 4 billion. It will be connected with the Telephone Call Interception System (TCIS), which will help monitor voice calls, SMS and MMS, fax communications on landlines, CDMA, video calls, GSM and 3G networks. Is there anything on Mother India's earth left to monitor?

3. Now I fail to understand how the Government expects to monitor cyber criminals by this CMS. Does the government actually intend to find out the actual potent and dangerous cyber criminals, or are they only interested in finding the love affairs of local boys and girls!!! Because if the intention is the former, would the cyber gang do it without tricks?... without encryption?... without spoofing?... When things like steganography, TOR, Anonymous etc. are still to be deciphered.... cyber crime would go on as it is. The focus should have been on analyzing what is floating around rather than monitoring open text and messages.

4.  For example, if a person with malicious intent uses Whonix or an anonymous kind of OS from a local cyber cafe and then places his message via a steganographed image that is encrypted, is there any way that this can be deciphered?.... the technology does not exist today to decipher all this quickly.. there is still time before we reach such a stage.... a few months back, in Dec 2012, when torrents were apparently blocked on directives from the Govt of India, the Anonymous group gave an open letter shared at http://www.geektech.in/archives/9924.

5. Well, it is very clear that the decision makers in such moves are unclear on technological reality, and also on the provisions for a scenario like WAR within.... each step in such a direction has to be taken carefully because these are really critical. Additionally, outsourcing such moves to unreliable or maybe foreign firms may become a serious threat.....

6.  Well, at the end of the day, it is just my view per se, which nobody is bothered about... but the repercussions are too serious to be avoided and ignored.

Friday, December 21, 2012

Need of Encryption : Your files - Your Data


1.   In today's times, when every spying eye, every hacker on the web is eyeing your info.... apart from hardening your OS and configuring your system securely, what else can you do to secure your info after someone gatecrashes into your system?..... I mean after someone gets your root privileges via remote access... what are the options to save yourself from sharing your critical data with him? The answer is ENCRYPTION...

2.   Encryption is the process of encoding your information in such a way that hackers cannot read it, but authorized parties can. So without getting into the nitty-gritty of what Encryption is and how it works.. I am focusing here on what open-source and free applications are available for encryption...

3.   First I would mention TrueCrypt; this is the one I have been using for years... the reliability of this application can be gauged from the fact that in 2008 the FBI attempted to break the encryption on hard drives encrypted using a program called TrueCrypt, but the equipment was finally returned after a year of failed tries. (Source : http://www.webcitation.org/query?url=g1.globo.com/English/noticia/2010/06/not-even-fbi-can-de-crypt-files-daniel-dantas.html)

4.   The other strong open-source software available for encryption is:

    - E4M (i.e. Encryption for the Masses)
    - FreeOTFE
    - Scramdisk

5.   TrueCrypt remains the best bet for all present users. Its popularity can be gauged from another fact: it is being used by cyber criminals too!!

Monday, August 27, 2012

Cloud Computing : The Darker Side


1.            Cloud computing… the word has generated enough buzz already across the corporates… the techies… the possibilities in future, but all this comes with a backend question on security. If there is one thing that stops 80% of possible users from using this powerful technology, it is only one aspect of it, and that’s SECURITY…. The questions that come in auto mode to any possible cloud service enthusiast, like how safe will my data be when stored with them… even if it's private, who controls the key generation algorithm code… who is the single point of contact, and so many more… but perhaps every question on this comes under one umbrella by the name of SECURITY…..

2.            So… are they right in thinking so?… when a technology is coming up so strong and is so globally accepted, is it possible that the giant rise comes without an inbuilt security module? Actually it goes like this: right they are… the users… their fears stand right when they think about their data ownership. In a paper released by https://cloudsecurityalliance.org in Dec 2010, they identified a few imminent threats in the sphere of cloud computing, which they have meticulously covered under the major heads identified below. These are not in sequence of severity of threat, as no seniority levels in this have been identified by the CSA. The original version of this paper by the Cloud Security Alliance is at https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf

Threat 1: Shared Technology Issues
Threat 2: Insecure Interfaces and APIs
Threat 3: Unknown Risk Profile
Threat 4: Malicious Insiders
Threat 5: Data Loss or Leakage
Threat 6: Abuse and Nefarious Use of Cloud Computing
Threat 7: Account or Service Hijacking

3.            Each of these security threats I plan to discuss further in other posts within the week or as I am able to spare time…. reading some from CSA and putting it in the manner I understand it. Thanks https://cloudsecurityalliance.org

Sunday, October 31, 2010

VIRUS in Boot Sector in Hard Disk fresh from OEM!!!!

Have recently heard of this in reputed makes and models from top-listed hard disk OEMs. Would like to know if someone has ever encountered this or has any form of info on it?