
Showing posts with label IT. Show all posts

Tuesday, January 10, 2012

NATIONAL CYBER SECURITY POLICY : DRAFT


1.    Finally we are working on a national cyber policy.... in fact late but ... IT'S NEVER TOO LATE.... the thing that we have started on this is a good sign. The draft of the subject policy is available at www.mit.gov.in/sites/upload_files/dit/files/ncsp_060411.pdf and is in fact inviting comments in case you have any!!!

2.   The draft is a 21-page report. After going through it, I have sent the following points to the email address given in the draft report.

PARA 3.3 (I) C
GOVERNMENT SECURED INTRANET :
Additional point:

“ In addition to the emphasis on creation of such kind of intranet, efforts at the design stage should be made to exclude all possible options of internet connectivity with this intranet to avoid any kind of imminent threats. This intranet may need internet for various updates etc., but this should be a privileged access point and no node should be allowed free access. Any attempts to connect the same may invite action as a threat to the nation. The limited internet connectivity to this is required for the following purpose:

- It is the most common action by any user to browse the net. Once given an opportunity he/she is always eager to access emails and download malware or infected software or any third party application. This is the point where the command and control centre of a botnet can be established by a cyber criminal. To avoid such practices it would always be the endeavor of the designer and the super administrator to ensure physical separation of Intranet and Internet. This Intranet should also be subject to regular cyber/IT audits by government-recognized penetration testers and forensic experts to maintain a cyber secure working environment.

PARA 3.3(D) @ Page 12
OPEN STANDARDS

The strength and power of open standards and applications remains unexploited in our country. Other developed nations who have realized the potential of these standards are already contributing significantly to their positive growth in cyber space. That it remains unexploited here is largely owing to the lack of exposure to such standards among the new generation, who are only exposed to the Windows environment. Policy should be in place to ensure growth of open standards in the school-level curriculum.

PARA 3.5.2
COMBATING HIGH TECH CRIME/CYBER CRIME

Though the cat and mouse race between the good and the bad cyber guy would always remain on, it is worth noting that cyber crime, if not controlled at such a nascent stage of induction and growth, has the full potential to become a cyber threat. No single policy would be able to achieve a CYBER CRIME FREE CYBER SPACE. It remains the onus of the common man how he tackles the crime himself. It is here that the National Cyber Policy can contribute in the following manner:

- Cyber Huntsville is a collaborative cyber community with the aim of attracting and developing the brightest minds, attacking the most complex problems, and providing the best solutions of national and international significance. Cyber Huntsville is an integral part of the National Cyber Initiative. Similar establishments should be encouraged at India level. More info at http://www.hsvcity.com/cyber/

4.2.3
Thrust areas of R&D  : 

-  Thrust areas of R&D should majorly focus on inducing maximum SRS and QRs at the DESIGN STAGE. Because, if not done at this stage, whatever work follows is patch work that remains a cover up action.
- Analysis of data flow in a network
- Penetration testing
- Storage solutions with backup, archiving, recovery provisioning of entire data.

5.1.1
ENABLING PEOPLE

Promoting a comprehensive national awareness program to include organizing seminars, events, webinars and guest lectures in tie-up with established societies like IETE, Institution of Engineers, Computer Society of India etc.

Besides these points, I would suggest including the ensuring of information security by managing the flow of information to the citizens as well as securing its physical information infrastructure. The policy should call for the following:

- Popularize e- government
- Optimize the cyber industry structure.
- Provide a rugged 24x7 nationwide cyber infrastructure.
- Promote innovation of cyber technologies.
- Build a cyber oriented national economy.
- Design a way to an advanced internet culture.

Friday, December 16, 2011

TOOLS & SITES OFFERING EFFECTIVE PASSWORD CRACKING


Below is a list of sites that offer tools and ways to crack passwords. The idea behind posting all these sites at one place is not to attract and promote users to try password cracking. The idea is to always remember ways and means to create and promote stronger passwords which cannot be cracked. All these sites do have limitations to crack the stronger passwords and related info...



Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.










Brutus is one of the fastest, most flexible remote password crackers you can get your hands on - it's also free. It is available for Windows 9x, NT and 2000, there is no UN*X version available although it is a possibility at some point in the future. Brutus was first made publicly available in October 1998 and since that time there have been at least 70,000 downloads and over 175,000 visitors to this page. Development continues so new releases will be available in the near future. Brutus was written originally to help me check routers etc. for default and common passwords


The source of independent information about cryptosystem weakness and password recovery.

Sunday, November 27, 2011

CONTROL COOKIES TAKING CONTROL FROM UR BROWSERS


1.  In my earlier post here about cookies and types, I had mentioned the types and some relevant details. Now this one mentions the controls available in prominent browsers to stop cookies digging into your privacy !!!

Google Chrome

Go to 'Tools Menu'
Click on 'Options'
Click on 'Under the Hood'
'Cookie Setting' should be selected. Once done, select 'Block all Cookies'
Now all cookies should be blocked on your Google Chrome

To clear existing cookies:

Go to 'Tools Menu'
Click on 'Options'
Click on 'Under the Hood'
Under the 'Privacy' section select 'Show Cookies'
A new window called 'Cookies' should open. Here you can see all the cookies within your Google Chrome browser.
Click on "Remove All" to remove all traces of cookies
If you wish to remove only a certain cookie, simply highlight it and click "Remove"

Firefox

Go to 'Tools' in the menu bar
Click on 'Options'
Click on 'Privacy Tab'
Disable the box that says 'Accept Cookies From sites'

To clear existing cookies:

Go to 'Tools' in the menu bar
Click on 'Options'
Click on 'Privacy Tab'
Click on "Clear Now"
Select "Cookies"
Click on "Clear Private Data Now"

Internet Explorer (IE) 9.0+

Go to 'Tools' in the menu bar which should drop down then click on 'Internet Options'
Click on 'Privacy' Tab on top
Move the slider up to the 'Block all Cookies' button
Important Notice: Blocking all cookies may prevent you from entering a lot of sites.
The next two Internet Explorer privacy levels, High and Medium High, may be more suitable.

To delete existing cookies:

Go to 'Tools' in the menu bar which should drop down then click on 'Internet Options'
Click on 'General' tab which should be under 'Browsing History' and click 'Delete'


Monday, June 13, 2011

FLIRT BOTS


1.   I am sure most of you at some point of time in your cyber surfing would have come across chat/messaging software like MSN or Yahoo to mention a few.... now although pretty old for the regular security guys, I thought of mentioning it here in my blog: how many of us succumb to the mean desires of hackers via FLIRT BOTS..... you heard it correctly, they are known as FLIRT BOTS....

2.  Here's how Flirt Bots work:

- The Bot strikes up a conversation in a chat room

- The Bots use a series of easily configurable "dialogue scenarios" with pre-programmed questions and discussion topics to compile a report on every person they meet

E.g.: ilovyou@yahoo.com says: "hey, whats up?" and further to this conversation they are invited to visit a website which could be used for any variety of malicious activity.

E.g.: ilovyou@yahoo.com says: "Ok go to http://??????.??/?????? and accept the invite on the page baby"

3.   In this case the victim is sent to a website "?????????.com" and is asked to provide personal information including credit card details in order to view the "webcam."

4.   The site can be used for many things - to host malicious downloads, or to try to sell you Fake AntiVirus software. The URL can do and host whatever the "bot master" specifies it to be. Frequently cyber-criminals collect a database of personal information and sell it to the highest bidder or anyone who will pay.

5.   These "Flirt Bots" were first reported as a proof of concept (evidence that demonstrates that a business model or idea is feasible) by PC Tools in 2007. Thanks http://www.pctools.com

Sunday, February 13, 2011

The Gawker case : EXPERIENCING A HACK


1.   A six-letter password in lower-case text takes a hacker's computer just 10 minutes to crack. But make those letters upper-case and it takes 10 hours for it to randomly work out your password. Thus simply upper-casing your password can minimise a hacker's chance of finding out your account. Add numbers and/or symbols to your password and the hacker's computer has to work for 18 days. Despite widespread warning, 50 per cent of people choose a common word or simple key combination for their password. The most used passwords are 123456, password, 12345678, qwerty and abc123.

2.   I read about the Gawker case recently wherein the subject media firm Gawker urged subscribers to change their passwords after its user database was hacked and more than 1.3 million passwords were stolen. Now imagine someone like Yahoo or Google requesting one fine day on a similar line.... won't our heart come out????

3.   The exact Gawker announcement goes like this

“Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you’ve used the same passwords. We’re deeply embarrassed by this breach. We should not be in the position of relying on the goodwill of the hackers who identified the weakness in our systems. And, yes, the irony is not lost on us.”

4.   The problem emanated when Gawker recently launched a multi-site redesign that failed spectacularly, leading visitors to blank pages. The culprit was a misbehaving piece of JavaScript, but when a single line of JavaScript causes your entire suite of sites to fail you no longer have websites, you have, well, nothing. The problem with Gawker’s redesign is that it uses JavaScript to load everything. That means that, not only is there no chance for the site to degrade gracefully in browsers that don’t have JavaScript enabled, the smallest JavaScript typo can crash the entire website.

5.   Now we all have seen it personally as we sometimes tend to have the same password for multiple accounts on the web..... this could be a simple fall like a pack of cards... one point failure leads to the complete fort coming down..... so guys... take care.... change your passwords for better and stronger security.....
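The arithmetic behind the cracking times in paragraph 1, as an added example that is not part of the original post: it derives a guess rate from the post's "six lower-case letters in 10 minutes" figure (an assumption, not a benchmark), checks the post's list of most used passwords first, and goes beyond the post by also showing the effect of length. The function names and sample passwords are constructed for illustration.

```python
import string

# Calibration taken from paragraph 1: six lower-case letters in about 10 minutes.
# The guess rate is an assumption derived from that figure, not a measured benchmark.
GUESSES_PER_SECOND = 26 ** 6 / (10 * 60)

# The most used passwords listed in the post; a dictionary pass tries these first.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123"}

# (characters, alphabet size) for each class a brute-force run must include.
CHARACTER_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def alphabet_size(password):
    """Return the size of the alphabet an exhaustive search has to cover."""
    size = sum(n for chars, n in CHARACTER_CLASSES
               if any(c in chars for c in password))
    known = "".join(chars for chars, _ in CHARACTER_CLASSES)
    # Spaces or non-ASCII characters: count each distinct one as one extra symbol.
    return size + len({c for c in password if c not in known})


def worst_case_seconds(password):
    """Seconds to exhaust the keyspace; 0 for passwords on the common list."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return alphabet_size(password) ** len(password) / GUESSES_PER_SECOND


def describe(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, length in (("years", 31_536_000), ("days", 86_400),
                         ("hours", 3_600), ("minutes", 60)):
        if seconds >= length:
            return f"{seconds / length:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any breach.
    for sample in ("qwerty", "abcdef", "abCdEf", "aB3$ef", "abcdefghijkl"):
        print(f"{sample!r:16} alphabet={alphabet_size(sample):3} "
              f"worst case={describe(worst_case_seconds(sample))}")
```

With this calibration a six-letter password mixing both cases comes to about 10.7 hours and one using all four character classes to about 15.5 days, close to the post's 10 hours and 18 days. Twelve lower-case letters come to thousands of years, so length adds more than character variety does.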

Monday, December 28, 2009

Y2K Bug!!!! Do you remember the time?

1. I was just wondering about the time when the much-hyped Y2K crisis had come in with a long, sustained roar and went out with a mewl. While the world excogitated dire predictions of massive global infrastructure failures -- everything from elevators to air traffic control systems was rumored to be vulnerable -- the specter of a total paralysis of business operations resulting from cascading Y2K failures galvanized organizations into a frenzy of activity. For many CIOs, the unprecedented size and scope of addressing Y2K problems was the biggest project of their careers.

And then it was over. On Dec. 31, 1999, the world held its breath and nothing happened. Jan. 1, 2000 came in just like any other day. There were no major failures to report anywhere.

2. Today after 10 years.... I feel the time has just rolled like a ball.... so quickly we are a decade ahead of that night.... the night that was a wakeup call for everyone who felt that there was no need of IT then.... the night that showed how heavily we are banked on IT......

3. Thanks to http://www.computerworld.com for making me remember that.

Wednesday, March 18, 2009

THE LINK : BJP & OPEN SOURCE!!

1. Rajnitee and IT? Do they share a relation in our country? Do they meet anywhere in the Indian scenario? Have you ever heard a technical IT buzz word shooting from any of the mantri’s mouth? I am sure in most cases the answer would be NO.

2. Recently I read this article at http://infotech.indiatimes.com/articleshow/4272163.cms wherein it adverted that Mr L.K.Advani has said that if his party comes to power, it will actively promote open source software and internet telephony. Now irrespective of whether Mr Advani knows what open source software is or not, or whether he just recited what he was told to by an IT savvy speech writer, the good news is that IT is buzzing now in politics.

3. The power of open source software is still lying completely unexploited in our country, for most of us don’t know what open source has in store for us. All paid software from any software developer, viz. Microsoft, Corel etc. to name a few, has an equivalent in open source that is free, of which unfortunately no one is aware. Did you still not understand? Read on for what is open source.

4. Open source software (OSS) is defined as computer software for which the source code and certain other rights normally reserved for copyright holders are provided under a software license that meets the Open Source Definition or that is in the public domain. This permits users to use, change, and improve the software, and to redistribute it in modified or unmodified forms. It is very often developed in a public, collaborative manner. The term open source software originated as part of a marketing campaign for free software. A report states that adoption of open source software models has resulted in savings of about $60 billion per year to consumers. (…thanks wiki)

5. So Mr L K Advani’s party seems to be the first to realize the power hidden in this. Good! Isn’t it……. Now why doesn’t open source seem to be a success in India? One line answer…. may I attempt?........ “because Microsoft’s cracked Windows XP and Vista are available for free in any gali, mohalla of Hindustan.” So the next motto for a political party would be to crack those crackers!!!!!!!!!! For now it's INDIA SHINING!

Friday, January 30, 2009

DETRITUS...(I mean dust) vs IT

1. People ask me about why I choose words like “detritus” when I could have chosen a simple word like Dust which is more familiar to the aam Indian janta… well…. even I don’t know why I sometimes try to make simple things complex…. so that’s not the subject I am going to discourse on here…. the subject relates to the kinship, the affinity and the relationship between IT in India and dust.

2. Not so long back I remember in my school computer classes we were made to remove shoes and then countenanced to enter the consecrated Mandir, i.e. the computer lab of the school. Be it the school principal or the vice patron/patron or be it any hi-fi panjandrum.. (I mean a VIP).. he would only enter the sacred mandir of the school after removing his/her shoes. From then on, it was made clear in my mind that dust and IT share a typical gali ka majnu (Dust) and a pulchritudinous or more simply a beautiful girl (IT) relation…. where the majnu will always be after the girl and the girl would make a vague attempt to repudiate the undesired advances from the majnu….. and the winner will be majnu.

3. In came so many IT giants in India, viz. SONY, Samsung, Philips, Moser Baer and the list goes on… they introduced Zero Dust Labs in their respective manufacturing units. I have been fortunate to visit most of these wherein I was made to look like an astronaut covered in beautiful, neat, clean white tailored clothes with boots of a snowman before I could enter these labs. It was an exercise beyond doubt for an employee who would go through this drill of changing clothes in the morning as he enters, in the afternoon twice as he breaks off for lunch and then rejoins, to again finally break off in the evening. All said and done the IT giants made every ounce of effort to make the ZERO DUST LAB a success… but the moment the test tube babies came out of the lab… I mean as the manufactured units in the form of CDs, DVDs or hard disks etc.. they would again be exposed to DUST and that’s where it would again go out of control….. the dust interacts again……

4. So of late I read articles like a recent one where SONY has kept Indian demographics and usage environments in mind and has introduced the AD-7220S-ID DVD-RW drive with 'dust proof' technology. This drive offers 22x DVD read/write speed and has six sponges in the inside of the bottom cover and bezel and PWB to make it dust-proof; a 20 percent increase in product life is claimed by Sony due to this. The drive is available in SATA format and supports 48x CD read/write speed and maximum 12x DVD-RAM write speed.

5. The sponges might make a fringy & marginal difference by absorbing dust and keeping the drive clean but the madhur milan of the majnu would never fail and the dust would always be there at the end to meet the IT.
