
Ayush Saraswat

Founder and Editor-in-Chief of 'Professional Hackers India'. Technology Evangelist, Security Analyst, Cyber Security Expert, PHP Developer and Part time hacker.

Organising under #opISIS and #opParis, the group is attempting to take down the websites and social media accounts of people associated with the group – as well as apparently release personal details of those involved in recruitment.


Anonymous has begun leaking the personal information of suspected extremists, after it “declared war” on Isis in the wake of the deadly attacks in Paris.

The activist collective is assembling lists of the Twitter accounts and websites of extremists, in an attempt to have them taken down. At least one post seen by The Independent contains details including the physical address of a person it claims is an Isis recruiter in Europe.

Anonymous vs Isis: Twitter has become a battleground

Activists claim to have successfully had accounts and sites taken down already. Accounts associated with the group claimed that it was responsible for the removal of more than 5,500 accounts.

The group appears to have stepped up its tactics for what it called its “biggest operation” ever, in response to the attacks that left 129 dead. Previously it had largely focused on social media accounts.

Anonymous began its campaign against Isis in earnest after the killings at Charlie Hebdo in January. That work included launching attacks on extremist websites and finding extremist accounts on Twitter so that the social network could take them down.

It has continued that work this time around. Its attacks on websites seem to use a distributed denial of service, a technique that overloads a site’s servers until they go offline. The Twitter accounts are taken down by the network itself, in response to requests the activists make once they are found.

Terrorist groups are increasingly using high-grade, advanced end-to-end encryption technologies so that no law enforcement can catch them.
The deadliest terror attacks in Paris that killed 129 people were the latest example of it.

How did the Terrorists Communicate and Organize the Plot?

The Paris terrorists almost certainly used difficult-to-crack encryption technologies to organize the plot – locking law enforcement out, FBI Director James B. Comey told Congress Wednesday.
The ISIS mastermind behind Friday’s Paris massacre has been identified as Abdelhamid Abaaoud, who is based in Syria. So to transmit his plans to the suicide bombers and gunmen, he would have made use of secure communication to keep law enforcement out.
FBI’s Comey believes ISIS is making use of popular social media platforms to reach out to potential recruits and smartphone messaging applications that are end-to-end encrypted, meaning even the company cannot read the messages.

Blame Game: Ex-CIA Director Blames Edward Snowden For Paris Attack

Ex-CIA Director James Woolsey, who once said Snowden “should be hanged by his neck until he is dead,” has blamed NSA whistleblower Edward Snowden for revealing the agency’s efforts to break encryption and for teaching terrorists how to avoid being caught.
Woolsey said Snowden, who leaked a vast trove of classified files detailing the extent and workings of the United States intelligence system, is responsible for the Paris terror attacks and now has ‘blood on his hands.’
According to Woolsey, it was Snowden’s leak of top-secret documents about how American and British spy agencies monitor and track people worldwide that led terrorist groups like ISIS and Al-Qaeda to adopt new communication methods, including end-to-end encryption channels, to avoid surveillance.

But Why Blame Snowden? It’s an Intelligence Failure

The tougher and more important question here is – If terrorists used encryption to plan the strikes in Paris, did they circumvent our spying agencies’ Bulk Interception tools and offensive cyber operations?

“I was a bit surprised just by how quickly and blatantly – how shamelessly – some of them jumped to exploit the emotions prompted by the carnage in France to blame Snowden: doing so literally as the bodies still lay on the streets of Paris,” the journalist Glenn Greenwald said, who has worked with Snowden to expose NSA secrets.

Bulk interception is the collection of vast quantities of internet data, sometimes from thick undersea cables, and its storage in databases for a limited time.
However, the government’s claims that the NSA’s bulk surveillance of email and phone records keeps the country safe from terrorism are overblown and even misleading.
Surveillance of phone metadata has had no visible impact on preventing terrorist attacks, so it is a total failure of our intelligence agencies, and not Snowden.
The fact is that, long before Snowden’s leaks, our so-called intelligence agencies around the world failed to prevent many terrorist attacks, including:
  • The Bali bombing in 2002
  • The Madrid train bombing in 2004
  • The 7/7 London attacks in 2005
  • The series of attacks in Mumbai in 2008
  • The Boston Marathon bombing in 2013, which took place amid the intense security at the leading annual event in a major American city
However, after all these terrorist attacks, the government response has been uniform – Give the intelligence agencies more powers and greater abilities to track, surveil and monitor anyone they believe is suspicious.

“The Snowden revelations were not significant because they told The Terrorists their communications were being monitored; everyone – especially The Terrorists – has known that forever,” Greenwald said.

Moreover, one of the leaked GCHQ documents contains what the agency calls a “Jihadist Handbook” of security measures, which was written in 2003, that instructs terrorists to learn and use sophisticated, strong encryption techniques to avoid government surveillance.
So, how could we blame Snowden, who exposed law enforcement’s mass surveillance operations in 2013, almost 10 years after the Jihadist Handbook was written?

After Paris Attack, Government’s arguments about Encryption and Backdoor

Now, in the wake of the recent Paris terrorist attacks, the US government has renewed its assault on encryption and revived its efforts to force tech companies to install backdoors in their products, like encrypted messaging apps.
The intelligence agencies have gotten it all wrong. Due to the bulk collection and interception, the overall volume of encrypted internet traffic has gone up so much that the intercepted data has become inaccessible even to intelligence agencies.

So, it’s not Snowden who is responsible for the Paris attacks, it’s the Failure of our government and intelligence agencies.

Source: THN

E-commerce giant Flipkart launched an app-like mobile Web browser experience on Monday called Flipkart Lite, optimised for low-bandwidth connections and offering app-like features like push notifications and home screen access.

The mobile browser experience, which went live on Monday, works exclusively on Google Chrome – and is a return to the mobile Web for the company after it was shut in April as the first step in the company’s app-only model.

The browser-app hybrid experience – called Flipkart Lite – can be added to the home screen, and has a fluid and dynamic user experience that feels like an app. Product listings on the mobile Web experience trail with a notification box that says offers will be available exclusively on Flipkart’s app, with a link to it. Features like Ping, its internal messenger, were not available on the browser version.

Flipkart partnered with Google to build the mobile website, optimising it to make use of Google Chrome’s newly supported notifications feature, alongside home screen access. Re/code reports Flipkart had access to three new tools from Google’s Chrome team, including Service Workers, meant to aid development for poor Internet connections.

The report quotes Rahul Roy-Chowdhury, a Chrome product manager, to say Flipkart is the first to take advantage of all the new tools, adding Google hopes other websites will follow suit.

E-commerce companies have been harping about higher retention rates on app-using customers, but it remains to be seen how it compares to the browser Web experience – and whether the consumer will choose one in particular over the other.

Flipkart’s fashion brand Myntra, which went app-only recently, hasn’t gone live with the Chrome experience yet, and may very well be next in line, along with other brands and businesses.

The mobile site launch seems to have been on the cards since April, when Flipkart hired former Google-executive Peeyush Ranjan as CTO and Head of Engineering.

The move puts a new spin on the app vs Web argument that Flipkart had been mired in all year; the company was reportedly looking to shut down the desktop version of the e-commerce website as well. In a recent interview, Chief Product Officer Punit Soni had clarified that Flipkart will not be going app-only.

Smartphones have easily become the most important devices on the planet. Since their inception, they’ve ruled the way we live, becoming more like an appendage than a gadget. These devices store all of our personal information: our social media accounts, our credit card information, everything that you would ever want to keep safe from the outside world. It’s this high level of sensitivity in our smartphones that makes people like Steve Lord, a 15-year white hat hacker, so terrifying.

WhatMobile did an interview with Steve Lord, talking about what a white hat hacker does, why they’re important, and what the state of cyber security in the world is. It’s something that is, without a doubt, highly enlightening to anyone who lives their life through the screen of their smartphone. What should be especially interesting, however, is what Steve had to say about which smartphones are currently the most secure.


“All have benefits and drawbacks. Currently Windows Phone seems to be the hardest nut to crack. Blackberry has a long history of being very security-focused. If I have physical access to the device, I find Android’s usually the easiest target. Then comes iPhone, then older versions of BlackBerry. If it’s over a network or I have to attack via email or message, Android’s usually the softest target.”

It’s good to hear that Windows Phones are currently more secure than their competitors, though it’s not really that big of a surprise. Microsoft has always been a company that focuses on keeping phones secure – for a company whose audience consists largely of business executives, that security is absolutely vital. When you’re sporting the “most secure Windows ever,” you should always feel safe from hackers.

This doesn’t mean that Windows Phone is perfect, or entirely impenetrable. No device will ever be safe from hackers, and you should always take care to keep your information safe with your own precautions. That said, with Microsoft at your back, you should always feel like you’re one step ahead of the people who would want to take your personal information.

Hacking Apple’s iOS isn’t easy. But in the world of cybersecurity, even the hardest target isn’t impossible – only expensive. And the price of a working attack that can compromise the latest iPhone is apparently somewhere around $1 million.

On Monday, the security startup Zerodium announced that it’s agreed to pay out that seven-figure sum to a team of hackers who have successfully developed a technique that can hack any iPhone or iPad that can be tricked into visiting a carefully crafted web site. Zerodium describes that technique as a “jailbreak”—a term used by iPhone owners to hack their own phones to install unauthorized apps. But make no mistake: Zerodium and its founder Chaouki Bekrar have made clear that its customers include governments who no doubt use such “zero-day” hacking techniques on unwitting surveillance targets.

In fact, Bekrar says that two teams of hackers had attempted to claim the bounty, which was announced in September with an October 31st deadline. Only one proved to have developed a complete, working iOS attack. “Two teams have been actively working on the challenge but only one has made a full and remote jailbreak,” Bekrar writes. “The other team made a partial jailbreak and they may qualify for a partial bounty (unconfirmed at this time).”

Bekrar confirmed that Zerodium plans to reveal the technical details of the technique to its customers, whom the company has described as “major corporations in defense, technology, and finance” seeking zero-day attack protection as well as “government organizations in need of specific and tailored cybersecurity capabilities.” Zerodium’s founder also notes that the company won’t immediately report the vulnerabilities to Apple, though it may “later” tell Apple’s engineers the details of the technique to help them develop a patch against the attack.

Source: Wired

What if someone could access your graduation results and alter the same at will? Students of the region’s prestigious Gauhati University aren’t aware that their marksheets stored on the servers of the university could be easily accessed by a mid-level cyber expert with chances of serious compromise to the data. A Bongaigaon-based class XII student found flaws in the network server of the university and has access to their backend and complete database. Sounds scary?

Rony Das, a class XII student of Bongaigaon Railway HS School, hacked into the servers of the Gauhati University website through his Android phone in December last year and informed the university registrar through a mail immediately. While Rony thought the vulnerabilities he pointed out to the university were rectified, he was shocked to find that the issue wasn’t resolved till last week. Rony again mailed the university, but nothing was done.

“I am a web security enthusiast and while researching on security faults, I managed to access the Gauhati University control panel with ease through my Android phone. What if someone with bad intentions exploits the vulnerabilities and plays with the future of thousands of students studying in the university?” Rony said while talking to TOI.

When contacted, Gauhati University officials were caught unaware on the issue. While the system admin at the university said they will look into the matter on Thursday, VC Mridul Hazarika told TOI that he will take action at the earliest. “I should thank you for intimating me about the issue. I am not informed about the same but I am happy that the ethical hacker chose to inform us about the vulnerability beforehand,” Hazarika said. He added that if needed the hacker’s opinion in securing the servers will be sought and students shouldn’t worry as their data will be secured on priority.

Rony shared a video with TOI which showed how easily he could access the database of the university and everything – including marks – could be altered through a mobile device. While surfing for similar vulnerability, the information security enthusiast also managed to find flaws in the content management system of a political party’s website.

Rony’s father is a tailor in Bongaigaon. The young prodigy wishes to pursue higher education in information security from Mumbai/Pune. “I am a self-learner and hope that with proper education I will be able to be an information security expert and serve the country. With regular news of web hacks by hackers from other countries, India should better its stealth. Hope I achieve my aim some day,” he said.

Source: TOI


While talking to Professional Hackers India, Rony shared a self-captured image of the TOI newspaper cutting.

The world’s most popular Free Web Hosting company 000Webhost has suffered a major data breach, exposing more than 13.5 Million of its customers’ personal records online.
The stolen data includes usernames, passwords in plain text, email addresses, IP addresses and last names of around 13.5 Million of 000Webhost’s customers.
According to a recent report published by Forbes, the Free Hosting service provider 000Webhost was hacked in March 2015 by an anonymous hacker.
In a post on its official Facebook page, the hosting company has acknowledged the data breach and posted the following statement:

“We have witnessed a database breach on our main server. A hacker used an exploit in old PHP version to upload some files, gaining access to our systems. Although the whole database has been compromised, we are mostly concerned about the leaked client information.”

The stolen data was obtained by Troy Hunt, an Australian security researcher, who received the data from an anonymous source and also confirmed the authenticity of the data.

“By now there’s no remaining doubt that the breach is legitimate and that impacted users will have to know,” Hunt wrote in a blog post published Wednesday. “I’d prefer that 000webhost be the ones to notify [its customer] though.”

000Webhost Ignored Data Breach Warnings Continuously

The web hosting company 000Webhost repeatedly failed to pay attention to the early warnings from Troy Hunt and the Forbes journalist, and ultimately decided to ignore them.
What’s even Worse?
The Web Hosting company did not even follow fundamental and standard security practices to ensure the security of its customers.
Data breaches are common these days. Just a few days back, we reported about a serious data breach at TalkTalk – the biggest phone and broadband provider in the UK that put the personal data of its 4 Million customers at risk.
But, What could a Security Breach lead to?
  • Severe damage to company’s reputation
  • Loss of consumer trust
  • Thousands of dollars in penalties and fines
  • Loss of personal data, whose cost is infinite
  • Temporary or Permanent Closure

What should you do Now?

For security reasons, the team at the free hosting service has changed all customers’ passwords to random values and implemented encryption, without giving any direct notice to its affected customers.
That means, if you are one of those 13.5 Million 000webhost clients, then you need to follow the password reset process to generate a new password in order to access your account.
However, 000Webhost said: “We removed all illegally uploaded pages as soon as we became aware of the [data] breach. Next, we changed all the passwords and increased their encryption to avoid such mishaps in the future.”
Storing customers’ passwords in plain text, ignoring early warnings, and then implementing encryption to prevent further damage.
Update: At the time of news posting 000webhost is not working and displays the screen attached below.

Facebook has been continuously working towards improving the overall experience of browsing on the social platform on slow Internet connections. Earlier this month, the company updated its News Feed making it easier to load content on 2G connections.

Now, Facebook has announced an internal initiative called “2G Tuesdays” that will help employees better understand how hard it is to use the social platform on slow Internet connections, like the kind prevalent in India and other emerging markets. Announcing the news, Product Manager Chris Marra in a blog post explained the whole idea behind 2G Tuesdays.

“People are coming online at a fast rate in emerging markets. In most cases, they are doing so on mobile via 2G connections. But on a typical 2G network, it can take several minutes to download a webpage. That doesn’t make for a great experience when sharing content with friends and family. To build for a global audience like ours, we know that we need to design features that work seamlessly even on a 2G network,” Marra said.

Under Facebook’s 2G Tuesdays, employees will have to use the social platform as well as other related apps such as Messenger on slow Internet connection. Notably, the new initiative has an opt-in option and employees will only have the slow Internet connection for an hour.

“We’re taking another step toward better understanding by implementing ‘2G Tuesdays’ for Facebook employees. On Tuesdays employees will get a pop-up that gives them the option to simulate a 2G connection. We hope this will help us understand how people with 2G connectivity use our product, so we can address issues and pain points in future builds,” added Marra.

Detailing how the new initiative will work, Tom Alison, Facebook’s Director of Engineering, told Business Insider, “For that next hour, their experience on Facebook will be very much like the experience that millions of people around the world have on Facebook on a 2G connection. They’re going to see the places that we need to improve our product, but they’re also going to see the places where we have made a lot of progress.”

Facebook back in June had rolled out a new Android app called Facebook Lite, which was available in countries across Asia and was also planned to roll out in parts of Latin America, Africa and Europe.

Facebook CEO Mark Zuckerberg is in India and hosted a townhall at IIT Delhi earlier today. The townhall had it all, from advice to students on building things and reminiscing about his older days to questions on irritating Candy Crush requests to even supernatural powers! But most of us were waiting for the most obvious highlight of the Q&A – Net Neutrality in India and how the newly rebranded Free Basics by Facebook violates it.

One of the questions at the townhall was about: Does support Net Neutrality fully? To that, Zuckerberg quickly chirped, “Absolutely”. He spoke about being an open platform on which any developer can build. But he quickly added how network providers and operators have spent billions of dollars in infrastructure, and so the Internet could never be completely free. “So with Free Basics, we are letting developers offer zero-rated services,” he added. Zuckerberg believes Net Neutrality is an important principle and Facebook is working at giving it a push. But how? By implementing zero-rated plans.

If you remember, it’s the zero-rated plans that have received massive outcry in India. For those not in the know, zero-rated plans allow Internet companies (who have a lot of money to throw around) to grant access to their apps and services or websites absolutely free of charge, by making a deal with telecom providers. Net neutrality means – equal Internet to all – without any discrimination about which service will be available for free. It is essential for innovation and creating job opportunities. Big companies such as Google, Twitter and several others are born out of net neutrality. Moreover, those who hop onto the Internet should know that Facebook or a few services don’t make up the Internet.

But Zuckerberg says that or Free Basics is simply to get billions of people online who do not have access to the Internet. While the thought is noble, the way the social network plans to implement it hints at vested interests. At the townhall, Zuckerberg yet again tried to justify how net neutrality and can co-exist, which has now been conveniently repackaged as Free Basics.

Ironically, he said he supports net neutrality, but there is need for stricter regulation so that the Internet is equal to all and India should lay down strong rules in support of net neutrality. “In terms of regulation, countries are just going around and figuring out what their regulations must be. In the US, there are pretty strong rules regarding net neutrality. We are generally supportive of that,” he said.

So, it looks like Facebook wants regulators like TRAI and DoT to work out plans and rules that will help fit and net neutrality in the Indian web space. Free Basics is in a very uncertain position because of the way the platform works, and it’s going to take a lot more than a townhall meet and visits to India to convince people that both can go hand in hand. Not convinced, are we?

A 15-year-old boy has been arrested in Northern Ireland in connection with the TalkTalk hacking attack, Scotland Yard has said.

Metropolitan Police said a house had been searched in County Antrim on Monday afternoon at about 16:20 GMT.

The boy was arrested on suspicion of Computer Misuse Act offences.

He has been taken into custody at Antrim police station and is being questioned by detectives from the Police Service of Northern Ireland.

A search of the address is ongoing and inquiries continue.

A police statement said this was a joint investigation involving the Police Service of Northern Ireland (PSNI), and detectives from the Metropolitan Police Cyber Crime Unit (MPCCU).

News that the TalkTalk website had been hit by a “significant and sustained cyber-attack” broke last week.

The phone and broadband provider, which has over four million UK customers, said banking details and personal information could have been accessed.

A criminal investigation was launched on Thursday.

The company said it did not know how much of its customer information had been encrypted.

At the weekend, TalkTalk’s chief executive said the attack was “smaller” than originally thought.

Dido Harding said any credit card details taken would have been partial and the information may not have been enough to withdraw money “on its own”.

Card details accessed were incomplete – with many numbers appearing as an x – and “not usable” for financial transactions, it added.

Business leaders have called for urgent action to tackle cyber crime in the wake of the TalkTalk attack.

On Monday, MPs said an inquiry would be launched into the cyber-attack that could have put customers’ details at risk.

Culture minister Ed Vaizey told the House of Commons the government was not against compulsory encryption for firms holding customer data.

Shares in the telecoms company fell more than 12% in Monday trading, extending its losses from last week, when news of the attack first emerged.


Source: BBC News