
Ayush Saraswat

426 POSTS 1 COMMENTS
Founder and Editor-in-Chief of 'Professional Hackers India'. Technology Evangelist, Security Analyst, Cyber Security Expert, PHP Developer and Part time hacker.

Anand Prakash, a product security engineer at Flipkart, wrote in a blog post on February 22 that he had found a simple vulnerability on Facebook that could have been used to hack into any user’s account to get access to credit or debit card details, personal pictures, and messages without any user interaction. The 22-year-old earned around Rs 1.3 crore just by reporting bugs for Facebook, Twitter and a host of other US-based companies. For his recent contribution, he was awarded close to Rs 10 lakh.

In an email interview with Rohan Laik of the EconomicTimes.com, Anand Prakash talks about his passion, obsession and digital expertise at 22. He also spells out his lofty ambitions that include starting work on his own to secure Indian companies.

Congratulations. Are you a seasoned bounty hunter? How did you start doing this type of error-killing?

Thank you. No, I am not a seasoned bounty hunter. I started doing this back in 2013 after completing my graduation in B.Tech. It all started with free Internet from a network operator for a year. This is an interesting field.

How did you sense such a security breach on Facebook’s part? Do you keep checking such websites for security leaks?

I keep testing Facebook (FB) on a regular basis for bugs. Yes, in general, I always keep an eye out for such websites to test security vulnerabilities.

90 bugs for Facebook and 30 for Twitter: those are no small numbers. Do you want to hunt for FB or Twitter on a regular basis? Shed some light on these bugs and the potential threat they carried. Are there any more grey areas of concern?

Yes, I hunt for bugs on Facebook and Twitter on a regular basis. One of my best finds was to know that I was capable of hacking into accounts of 1.6 billion FB users (the recent one). But as a whitehat hacker, one should never do this. I believe in making the Internet a safer place for all.

Why did you want to help websites like Facebook and Twitter? Was it curiosity, professional ability or just the bounty involved?

It had to do more about data security. Facebook has 1.6 billion users and Twitter has 320 million monthly active users. So data security was my key concern — not the bounty or professional ability.

Considering that you are a product security engineer at Flipkart, what is it about cyber security that gives you the kick? What made you take it up as your vocation?

It all started with a bet. One of my friends challenged me to hack (of course ethically!) his/her own Orkut account and I did this using phishing. I had no technical knowledge at that time. I won the bet at the time and interestingly, it also became the profession that I wanted to pursue.

How does it feel to be in such command over cyber security?

It is still a process of regular learning for me. I plan to absorb everything for more clarity in what I do. Every day newer practices, malice and solutions are being coined. Staying aware and up-to-date is pivotal.

Today, with the digital boom, one of the biggest concerns for all the people online is personal security. How compromised are we? Are our actions actually being monitored round the clock?

The majority of Indian startups don’t care about security. An example is the Zomato hack, where one could see the personal data of 63 million users. A company should never compromise on user data and should have adequate security measures in place to avoid such breaches.

Indian Startups are vulnerable. I suggest users ask the CTOs/CEOs if they really have a security team of their own. All startups must have a security page on the website. I personally don’t think that actions are monitored.

What are the safety measures regular users should ascertain at a personal level? How are we making ourselves more prone to cybercrime on a regular basis?

a) Always make sure you type your credentials over HTTPS.

b) People should actually ask the company if they have an in-house security team. Using HTTPS alone also doesn’t ensure your data is safe and secure. There are application-level attacks such as SQL injection which can be used to extract users’ data.
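The application-level attack named in the answer above, shown as an added example (this code is not part of the interview and not Flipkart's or any named company's code). It uses a constructed in-memory SQLite table with made-up rows; the table and column names are assumptions for the demonstration. The same login-style lookup is written twice: once by string formatting, where a tautology payload returns every row, and once with a bound parameter, where the identical payload matches nothing.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a startup's user table (made-up rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "1881")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Builds the query by string formatting: the caller's input becomes SQL syntax."""
    sql = "SELECT email, card_last4 FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Binds the input as a parameter: the driver never interprets it as SQL."""
    sql = "SELECT email, card_last4 FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Classic tautology payload: closes the string literal and appends OR '1'='1'.
# In the vulnerable function the final query becomes
#   ... WHERE email = 'nobody@example.com' OR '1'='1'
# which is true for every row in the table.
PAYLOAD = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every row, card digits included
    print("safe:      ", lookup_safe(db, PAYLOAD))        # no row has that literal email
```

Over HTTPS the payload and the leaked rows travel encrypted, which is the point of the answer above: transport security does nothing against a flaw in how the application builds its queries. Parameter binding is the fix; escaping by hand is not.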

What is the bigger picture of cyber security in general, the way you look at it? What are the imminent problems and solutions?

VCs should force companies to take care of the customer database. Proactive security is not just essential, it is mandatory. Consultancy companies are not good enough to secure these websites and there are glaring loopholes as a result. Companies should have in-house security teams of their own to avoid circumstances where hackers can have it easy.

‘You could have hacked all FB accounts’ like your blog says. You chose to be on the green side of things but were you ever tempted to set a foot on the red end?

No, never. The satisfaction of making something secure is what gives me the kick, not misusing my own abilities to put others at risk.

Has fixing bugs/defect/ issues become routine work for you or does it offer a kick every time you scavenge for some new threat and try to tame it?

I don’t fix them, I find the bugs. It gives me great pleasure to do it and never does a sense of boredom creep in.

What do you do when you are not spotting bugs?

I work as the full-time security engineer at Flipkart. Personally, for me, it is the best place to work in the country.

Who are your favourite tech writers?

I enjoy reading Aditya Bhushan Dwivedi of YourStory and Matt Navarra of THE NEXT WEB.

What does your bug-detecting arsenal comprise? What system do you use?

I use Mac OS and Burp Suite.

Do you create your own tools or use existing ones? And what is your language of preference?

There are no tools involved as such. I use an intercepting proxy known as Burp Suite (the best friend of all hackers).

Have you ever got in touch with Mark Zuckerberg or Jack Dorsey personally?

No, not yet. But I look forward to it.

How much are you worth now?

I have earned something around Rs 1.3 crore. I am planning to start something of my own soon – which won’t be just another security consultancy firm – and hopefully help Indian companies become more secure.

Are You an Employee?

It’s quite possible that someone has been reading your messages, emails, listening to your phone calls, and monitoring your activities at work.

No, it’s not a spy agency or any hacker…

…Oops! It’s your Boss.

Recently, the European Court of Human Rights ruled that employers can legally monitor and read workers’ private messages sent via chat software like WhatsApp or Facebook Messenger and webmail accounts like Gmail or Yahoo during working hours.

So, if you own a company or are an employer, you need not worry about tracking your employees: you have the right to take care of the things that could most affect your company and its reputation, and that includes your employees.

There are several reasons, such as financial need, revenge, divided loyalty or ego, why a loyal employee might turn into an INSIDER THREAT.

Insider threat is a nightmare for millions of employers. Your employees could collect and leak your professional and confidential data, upcoming project details and much more to your rivals, resulting in significant loss to the company.

According to the latest Vormetric threat report, 40% of organizations experienced a data breach last year, and 89% felt that their organizations were vulnerable to insider attacks.

In March 2010, an IT developer at British Airways was accused of leaking airport security procedures for terrorist-related activities. This example shows how an insider threat can take on a dangerous dimension.

How Can Companies Monitor their Employees iPhone?

Some strategies can benefit employers by tracking employees’ daily activities during work hours.

Major tech companies like Symantec and IBM have a history of keeping threat reports on their employees’ devices (including BYOD devices) that regularly record the employee’s professional network usage, such as downloads or social networking sessions, in statistical form.

Apple also offers a similar capability to companies for monitoring their employees’ activities on work-issued iPhones that are enrolled in the organization’s Mobile Device Management (MDM) server.

This allows employers to remotely update, control, track and supervise various aspects of the iPhone’s software.

iOS 9.3 Offers Companies to Monitor Employees Like Never Before

With the release of its upcoming iOS 9.3 version, Apple will provide a bunch of new features to employers, allowing companies to monitor their employees’ activities more deeply.

The new mobile operating system will let a company’s IT administrators enforce home screen layouts on work-issued iPhones and lock apps to the home screen so that they cannot be moved to a different folder or page.

The upcoming iOS 9.3 will also allow companies to hide or blacklist specific applications that they do not want employees to download.

So, in short, your favorite games like Candy Crush or Angry Birds that your organization does not want you to play during work hours can be blocked.

If this is not enough, your company will now also be able to enforce notification settings so that you cannot silence your employer’s notifications.

So next time your company calls you in on short notice, you cannot say you did not read the message, nor claim that you somehow missed it.

These are some pretty significant changes the upcoming iOS 9.3 will bring from the employer’s perspective.
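As an added example (not from the article and not Apple's or any vendor's code), here is what the app-blacklisting restriction described above looks like as a configuration profile. Profiles are property lists; the `com.apple.applicationaccess` payload type and its `blacklistedAppBundleIDs` key are taken from Apple's Configuration Profile Reference as I recall it for iOS 9.3, so verify them against the current documentation. The bundle IDs, identifiers and organization name are made up. A real deployment would have the MDM server sign the profile and push it to a supervised device; this script only builds and reads the plist so the structure can be inspected offline.

```python
import plistlib
import uuid


def build_app_block_profile(bundle_ids, org="Example Corp"):
    """Return an unsigned configuration profile (XML plist bytes) that blacklists apps.

    Payload identifiers and the organization name are hypothetical.
    """
    restriction = {
        "PayloadType": "com.apple.applicationaccess",  # Restrictions payload
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.restrictions",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "App restrictions",
        # Supervised-only key (iOS 9.3+): apps with these bundle IDs are hidden/blocked.
        "blacklistedAppBundleIDs": list(bundle_ids),
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.profile",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Work iPhone restrictions",
        "PayloadOrganization": org,
        "PayloadContent": [restriction],
    }
    return plistlib.dumps(profile)


def blocked_bundle_ids(profile_bytes):
    """Parse a profile and collect every bundle ID blacklisted by a Restrictions payload."""
    profile = plistlib.loads(profile_bytes)
    blocked = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            blocked.update(payload.get("blacklistedAppBundleIDs", []))
    return blocked


def is_blocked(profile_bytes, bundle_id):
    """True if installing/launching the given app would be prevented by this profile."""
    return bundle_id in blocked_bundle_ids(profile_bytes)


if __name__ == "__main__":
    # Hypothetical bundle IDs standing in for the games mentioned in the article.
    blob = build_app_block_profile(["com.example.candygame", "com.example.birdsgame"])
    print(blob.decode())
    print("blocked:", sorted(blocked_bundle_ids(blob)))
```

Reading the profile back is the useful half for an employee or an auditor: the same parser run over an exported `.mobileconfig` shows exactly which restrictions a device carries, which is the information iOS 9.3 starts surfacing in Settings.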

Interestingly, the upcoming iOS 9.3 operating system empowers the employees as well. Let’s talk about what features the OS will offer employees.

iPhone will Notify if Your Company is Tracking You

The iOS 9.3 version will tell employees whether their employers are monitoring their company-issued iPhones.

This warning will now be displayed in two places on work-issued iPhones:

  1. Your iPhone’s lock screen will display “This iPhone is managed by your organization” near the bottom of the screen, a reminder that the device is meant for professional rather than personal use.
  2. Additionally, the “About” screen under Settings will list what your employer can supervise on the device.

Such a notification was not available in previous versions of iOS. This is the first time Apple is allowing its users to check whether their organization is keeping tabs on them.

Employees will surely welcome this new feature in iOS 9.3, but companies may dislike it, as their tracking of employees will be exposed.

These new features would mark its presence in the upcoming iOS 9.3 release on March 21, 2016.


In what came as a shock to Railways Minister Suresh Prabhu, a microsite of the Railnet page of the Indian Railways was found allegedly hacked by Al Qaeda.

The hacked page belonged to the Bhusawal division of the Personnel Department of Central Railways and was also part of the large intranet created for the administrative needs of Indian Railways.

And they left a message for Indian Muslims.

The message read, ‘Why is there no storm in your ocean? A message for Muslims of India from Maulana Aasim Umar (May Allah protect him).’

An 11-page document was attached on the hacked page, which now is unavailable. But if the media reports are to be believed, the message read, ‘Will the land of Delhi not give birth to a Shah Muhadith Delhvi who may once again teach the Muslims of India the forgotten lesson of Jihad and inspire them to take to the battlefields of Jihad? Is there no successor left of the group that drenched itself in blood at Balakot, who possesses the spirit of rising in rebellion against a system based on disbelief and offering one’s life for Allah?’

They were encouraging people to participate in jihad and help defeat the US and its allies.

The message on the site was replaced by a downtime notice:

‘DOWNTIME MESSAGE: DUE TO MAINTENANCE ACTIVITY E-TICKETING SERVICE WILL NOT BE AVAILABLE. INCONVENIENCE CAUSED IS DEEPLY REGRETTED.’

Are you also one of those who downloaded Linux Mint on February 20th? You may have been infected!

Linux Mint is one of the best and most popular distros available today, but if you have downloaded and installed the operating system recently you might have done so using a malicious ISO image.

Here’s why:

Last night, an unknown hacker or group of hackers managed to compromise the Linux Mint website and modified the download links on the site to point to a server of their own that served a malicious ISO image for the Linux Mint 17.3 Cinnamon Edition.

“Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it,” the head of Linux Mint project Clement Lefebvre said in a surprising announcement dated February 21, 2016.

Who are affected?

As far as the Linux Mint team knows, the issue only affects one edition: Linux Mint 17.3 Cinnamon.

The compromise happened last night, so it only affects people who downloaded that edition on Saturday, February 20th.

If you downloaded the Cinnamon edition before February 20th, you are not affected. Downloads of other editions, and downloads of 17.3 Cinnamon via torrent or a direct HTTP link, are not affected either.

What had Happened?

The hackers are believed to have accessed the underlying server via the team’s WordPress blog and obtained a shell as the www-data user.

From there, they modified the Linux Mint download page to point at a malicious FTP (File Transfer Protocol) server hosted in Bulgaria (IP: 5.104.175.212), the investigating team found.

The infected ISO images installed the complete OS together with the Internet Relay Chat (IRC) backdoor Tsunami, giving the attackers access to the system via IRC servers.

Tsunami is a well-known Linux ELF trojan: a simple IRC bot used for launching Distributed Denial of Service (DDoS) attacks.

Hackers Re-gained Access to Linux Mint Website

The Linux Mint team discovered the hack, quickly cleaned up the links on their website and announced the breach on their official blog, after which the hackers appear to have compromised the download page again.

Knowing that it had not yet eliminated the hackers’ exact point of entry, the Linux Mint team took the entire linuxmint.com domain offline to stop the malicious ISO images from spreading to its users.

The Linux Mint official website is currently offline until the team has investigated the issue fully. The hackers’ motive is not clear yet.

“What we don’t know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this,” Lefebvre added.

Hackers Selling Linux Mint Full Website’s Database Online for $85

The hackers are selling the full Linux Mint website database for just $85, which suggests a lack of sophistication.

The hack seems to be the work of script kiddies or an inexperienced group: they chose to infect a top-shelf Linux distro with a crude IRC bot that was already considered outdated in early 2010, where a more capable attacker would have used far more dangerous malware such as a banking trojan.

Also, even after the hack was initially discovered, the hackers re-compromised the site, which again points to a lack of experience.

Here’s What You Can Do

Users who have the ISO image can check it against the checksums of the official images, which Lefebvre’s blog post lists as MD5 values: an image whose MD5 does not match is not the official one.

Note that an MD5 value is a checksum, not a signature. It tells you whether your file is byte-for-byte the one the project published, but an attacker who controls the website can publish matching checksums for a backdoored image, so a checksum obtained from the same site as the download only proves the file was not corrupted in transit. A signature verified against the project’s public key, obtained out of band, is what proves where the image came from.
If found infected, users are advised to follow these steps:
  • Take the computer offline.
  • Backup all your personal data.
  • Reinstall the operating system (with a clean ISO) or format the partition.
  • Change passwords for sensitive websites and emails.
You can read the full details about the hack here. The official website is not accessible at the time of writing; we’ll update the story when we hear more.
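The checksum comparison recommended above, written out as an added example (not Linux Mint's own tooling and not from the original post). It parses the `<hex>  <filename>` line format that `md5sum` and `sha256sum` produce and that distributions publish, hashes a file in chunks so multi-gigabyte images do not have to fit in memory, and compares with a constant-time equality. The "image" in `demo()` is a constructed byte string written to a temporary file, with the file name borrowed from Mint's naming scheme purely as a label; no real Mint checksums appear here.

```python
import hashlib
import hmac
import os
import tempfile


def parse_checksum_file(text):
    """Parse md5sum/sha256sum-style lines ('<hex>  <filename>') into {filename: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # not a checksum line; ignore rather than guess
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in some tools
    return expected


def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash a file in 1 MiB chunks; algo is any name hashlib.new accepts ('md5', 'sha256')."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, expected_hex, algo="sha256"):
    """True only if the file's digest equals the published one (constant-time compare)."""
    return hmac.compare_digest(file_digest(path, algo), expected_hex.lower())


def demo():
    """Constructed demonstration: a stand-in image, its checksum list, and a tampered copy."""
    name = "linuxmint-17.3-cinnamon-64bit.iso"     # label only; contents are made up
    good = b"MINT-ISO-STAND-IN " * 1000            # constructed stand-in, not a real ISO
    bad = good[:-1] + b"X"                          # a single changed byte is enough to fail
    with tempfile.TemporaryDirectory() as d:
        good_path = os.path.join(d, name)
        bad_path = os.path.join(d, "tampered.iso")
        with open(good_path, "wb") as f:
            f.write(good)
        with open(bad_path, "wb") as f:
            f.write(bad)
        # What a published sha256sum.txt line for this stand-in would look like.
        manifest = parse_checksum_file(f"{hashlib.sha256(good).hexdigest()}  {name}\n")
        expected = manifest[name]
        return verify_image(good_path, expected), verify_image(bad_path, expected)


if __name__ == "__main__":
    ok_good, ok_bad = demo()
    print("official image verifies:", ok_good)   # True
    print("tampered image verifies:", ok_bad)    # False
```

To check a real download, pass the path to `file_digest(path, "md5")` and compare against the value from Lefebvre's post, or feed the project's checksum file to `parse_checksum_file`. Prefer SHA-256 where the project publishes it; MD5 collisions are practical to construct, even though that was not the attack here.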


Noida-based firm Ringing Bells officially launched the Freedom 251 smartphone in New Delhi on Wednesday. At the launch, the company said you can buy the Rs. 251 smartphone by heading to the official website freedom251.com and book your unit for delivery.

On Friday, Ringing Bells issued a statement saying there has been unprecedented demand for the Freedom 251 and it has temporarily suspended bookings. Earlier on Thursday, many users reported problems while trying to buy the smartphone. When we tried to buy a Freedom 251 unit, we were thrown back to the screen that asks for shipping details, and based on reports on social media we are not alone.

Things to remember before you buy the Freedom 251

A general rule in life: if something sounds too good to be true, it usually is.

Ringing Bells is an unknown brand with no track record in electronics, so it’s difficult to ascertain at this point what the quality of the final product and the after-sales service will be like.

We noted other concerns with our Freedom 251 review unit, though the company later told us it does not represent the final unit that will ship to customers.

The company says it may take up to 4 months for your unit to ship, so keep that in mind before you book a Freedom 251. Given the company’s lack of any kind of track record, there’s an outside chance that it may never ship at all.

There seems to be no return policy on the website, though it does say your Freedom 251 unit is covered by a one-year warranty.

Ringing Bells says bookings for the Freedom 251 will reopen on Friday. Now that you hopefully know what you are getting into, here are the steps to book your Freedom 251 unit:

  • Head to the official website freedom251.com.
  • Click on Buy Now button.
  • Note that Ringing Bells is charging Rs. 40 for shipping the Freedom 251 to your home, so the total you will need to pay is Rs. 291.
  • Enter your shipping address, accept the terms and conditions and click on Pay Now to proceed to the payment page.
  • Note that the Freedom 251 cannot be shipped to an address outside India.

To refresh, the Freedom 251 is a Rs. 251 smartphone that comes with a 4-inch display, a 1.3GHz quad-core processor, 1GB of RAM, and 8GB of storage (expandable by up to 32GB), and runs Android 5.1.


Source : NDTV


When talking about the latest Android 6.0 Marshmallow update, Moto phones are among the first to receive it. Only recently, the Moto G Turbo Edition, which was launched in India not long ago, was given the Android 6.0 update by Motorola. Following the trend, the Moto G (2nd Gen) Marshmallow update has been released in India. The hit budget smartphone is now receiving the update, and many users have reportedly already updated their devices.

Launched in September 2014, the Moto G 2nd Gen originally came with Android 4.4 KitKat. The Android 5.0 Lollipop update was given to the phone in January last year. And now, the phone has skipped the Android 5.1 Lollipop update to jump to Android 6.0 Marshmallow directly.


For those who own the Moto G (2nd Gen), you will get the Marshmallow update notification soon. Do remember that some users might get the update notification soon, while others might get it a few hours or a couple of days later. Either way, you can manually check for the update too by going to Settings and checking the System Updates section.

The Moto G (Gen 2) features a 5-inch HD display, quad-core Snapdragon 400 CPU clocked at 1.2GHz, front-firing speakers, 1GB RAM, 8MP camera, a 2070mAh battery, and a microSD card slot. Just for the record, the Moto G (3rd Gen) received the Marshmallow update last month.


Myntra’s offers are misleading their customers

Security researcher Abhishek Singh informed Professional Hackers India about a glaring mistake on Myntra’s site. According to Abhishek:

I was looking for a shoe, and the price on the main screen was 1649 INR after 50% off, but when I clicked on the shoe to buy it, the price changed to 3299 INR. This was really shocking. I then tried several shoes and the mistake was the same: the price on the first page was different from the one on the second page.

He also shared some screenshots with PHI as proof, reproduced below:

At the time of posting, the problem was still unfixed.

What can you do with Facebook Messenger?

  • Chat with your friends
  • Send GIFs, stickers, and photos
  • Make video calls
  • Send people money in Messenger

Have you ever wanted to play a game while you chat with friends?

Yes, it is possible.

Facebook has made it a reality by building hidden functionality into Facebook Messenger that lets you play chess with your friends without installing a third-party app.

It takes just one simple step to unlock this hidden game.

All you need to do is type “@fbchess play” and hit Enter during a conversation, and a small square board will appear in the chat.

Here’s how to play: the person who initiated the game is assigned White and makes the first move.

Moves use standard algebraic notation, with these piece letters:

  • B for “Bishop”
  • R for “Rook”
  • Q for “Queen”
  • K for “King”
  • N for “Knight”
  • P for “Pawn”

A pawn move is written as its destination square: a file letter (a to h, left to right from White’s side) followed by a rank number (1 to 8).

For example, if your first move takes the second pawn from the left and moves it up one square, you would write ‘@fbchess Pb3’ or simply ‘@fbchess b3’.

You can refer to the help section by issuing the command “@fbchess help” for the commands available during the game.

Note that the commands are case sensitive. The board updates and tells you when it is your turn to play.

You can undo a move with the “@fbchess undo” command or by clicking the “undo” button, but your opponent has to accept the undo request.

You can also keep chatting with your friend during the game; issuing a game command resumes play.

FB Chess is currently available on both mobile and web, with nothing to download separately.

This productive time-killer was introduced to entertain users, sharpening the brain while chatting with a friend.

Source : THN
