  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010

    [EN] APNIC resets passwords after whois credentials spill

    APNIC upgraded its whois database - which carries information about organisations and people who have been allocated internet-numbered networks, and who can alter the data published in it - in June this year.

    In the process, APNIC accidentally included hashed authentication details for the whois Maintainer and Incident Response Team (IRT) objects in the database in the downloadable data feed the registry publishes.

    But the passwords were hashed with relatively weak cryptographic authentication methods such as the UNIX crypt-pw, which limits passwords to just eight characters in length. APNIC admitted there was a "possibility that passwords could have been derived from the hash if a malicious actor had the right tools".

    If an attacker had cracked the hashes and obtained the passwords for the objects in the database, they could have altered whois details and temporarily transferred IP-numbered networks from their owners.

    The error was only discovered this month after security researchers from eBay's red team reported it to APNIC.

    APNIC removed the passwords from the whois data feed and reset all Maintainer and IRT passwords earlier this month.

    The registry continues to analyse its log files for network resource holder activity, and said it has not found evidence of any irregularities.

  2. #2
    WHT-BR Top Member
    Join Date
    Dec 2010

    Whois Maintainer and IRT objects error resolved

    Oct 2017

    In the interests of full transparency to the community I wanted to share the details of a whois security incident that APNIC fully resolved today.

    Due to a technical error during the upgrade of APNIC’s whois database in June 2017, hashed authentication details for APNIC whois Maintainer and IRT objects were inadvertently included in downloadable whois data, which is released to certain external parties under an Acceptable Use Policy.

    APNIC became aware of the issue on 12 October 2017 after Chris Barcellos from eBay’s Red Team reported that the downloadable whois data was being republished on a third party website.

    We fixed the error to prevent further inclusion of the Maintainer and IRT hashes in the whois downloads on 13 October, and as a precaution, worked with resource holders to reset all Maintainer and IRT passwords in the subsequent days.

    APNIC apologises for any inconvenience and concern that this error has caused. There are certainly lessons for APNIC after this error and we have now begun a post-incident review to determine how our processes failed and where we can improve to ensure this doesn’t happen again.

    What was the issue?

    A Maintainer (mntner) is an object in the APNIC Whois Database. Every object in the APNIC Whois Database is protected by a Maintainer via the ‘mnt-by’ attribute. This ensures that only authorized people that have access to this Maintainer can make changes to other objects that are protected by this Maintainer.

    An Incident Response Team (IRT) object is an object in the APNIC Whois Database that contains contact information for an organization’s administrators responsible for receiving reports of network abuse activities.

    The ‘auth’ attribute in a Maintainer or IRT object specifies the hashing format used and stores the password in its hashed format.

    The error that occurred saw the ‘auth’ hashes included in the downloadable whois data feed (not published on APNIC’s whois itself).

    Although password details are hashed, there is a possibility that passwords could have been derived from the hash if a malicious actor had the right tools.

    If that occurred, whois data could potentially be corrupted or falsified for misuse. Our investigations to date have found no evidence of this occurring.

    It is important to note, however, that any public misrepresentation of registry contents on whois would not result in a permanent transfer of IP resources, as the authoritative registry data is held internally by APNIC.

    What action did APNIC take?

    Firstly, we corrected the error to prevent the hashes from being included in future whois data downloads.

    To eliminate any risk of the exposed hashes being used, APNIC then decided to reset all Maintainer and IRT object passwords.

    Most resource holders make updates using these objects very rarely (over 12 months between updates), and many use MyAPNIC to manage the process which means the passwords are invisible to the user when making updates. For these resource holders, APNIC reset all passwords immediately.

    A smaller group of resource holders (around 60) very actively submit updates to APNIC via email. APNIC’s risk assessment determined it would be better to not reset these passwords remotely, but instead guide the active resource holders through the password reset process so as to minimise disruption to their network operations.

    This process was completed today, and we are sharing this full report now that there is no further risk to resource holders by doing so.

    Do resource holders need to take any action?

    APNIC is continuing to analyse its logs to search for any signs of misuse as a result of this error. So far, we have found no evidence of irregularities. However, we would recommend that resource holders check the whois details of their holdings to make sure that all is correct.

    All Maintainer and IRT passwords have now been reset, so there is no need to change them again if you are an APNIC resource holder. However, if you wish to change the new passwords to something more memorable, you should not choose the previous password (and if the old password was being used elsewhere on other systems, you should change those passwords).

    Please note, this issue is completely unrelated to MyAPNIC login credentials. If you have a MyAPNIC account, there is no need to change your MyAPNIC password.

    If you are making updates with your Maintainer via email, APNIC recommends using PGP.

    Of course, if you have any questions or concerns, our Helpdesk is happy to assist.

    What will APNIC now do?

    As I mentioned, APNIC’s post incident review is now underway to understand how this occurred and put in place improvements to prevent reoccurrence during whois upgrades.

    As part of our review, the availability of the whois data download and the terms and conditions for its use will also be examined.

    APNIC thanks resource holders for their patience and support during the resolution of this incident.
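    As an added example that is not APNIC's code and not part of either post above: a small Python filter over a constructed RPSL whois dump that finds mntner and irt objects whose auth: attribute still carries a crackable CRYPT-PW or MD5-PW hash (what the June upgrade let into the downloadable feed) and rewrites the feed so only the scheme name survives, the "# Filtered" convention the RIPE database uses in its public dumps. The object names, hash values and column layout are constructed; PGPKEY-* auth values are public key ids and are left in place.

```python
"""Find and redact mntner/irt password hashes in an RPSL whois dump.

Added illustration, not APNIC code. The dump below is constructed.
"""
import re

# Constructed sample of a downloadable dump that (wrongly) carries auth: values.
SAMPLE_DUMP = """\
mntner:         MAINT-EXAMPLE-AP
descr:          Example maintainer (constructed)
auth:           CRYPT-PW abcdefghijklm
auth:           MD5-PW $1$saltsalt$8WJDKybV7Om9lGrMLUmOF0
auth:           PGPKEY-0123ABCD
mnt-by:         MAINT-EXAMPLE-AP
source:         APNIC

irt:            IRT-EXAMPLE-AP
address:        Example Street 1
e-mail:         abuse@example.net
auth:           CRYPT-PW zyxwvutsrqpon
mnt-by:         MAINT-EXAMPLE-AP
source:         APNIC

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
mnt-by:         MAINT-EXAMPLE-AP
source:         APNIC
"""

# Password-hash schemes an offline attacker can crack. CRYPT-PW is DES
# crypt(3), which uses only the first 8 characters of the password; MD5-PW
# is salted md5-crypt, still cheap on GPUs. PGPKEY-* values are public key
# ids, not secrets, so they are left alone.
HASH_SCHEMES = ("CRYPT-PW", "MD5-PW")


def parse_objects(dump):
    """Split a dump into objects: list of (class, [(attribute, value), ...])."""
    objects = []
    for block in re.split(r"\n\s*\n", dump.strip()):
        attrs = []
        for line in block.splitlines():
            if not line.strip() or line.startswith(("#", "%")):
                continue
            key, _, value = line.partition(":")
            attrs.append((key.strip(), value.strip()))
        if attrs:
            objects.append((attrs[0][0], attrs))
    return objects


def _split_auth(value):
    """'CRYPT-PW abc' -> ('CRYPT-PW', 'abc'); 'PGPKEY-X' -> ('PGPKEY-X', '')."""
    parts = value.split(None, 1)
    scheme = parts[0].upper() if parts else ""
    rest = parts[1] if len(parts) > 1 else ""
    return scheme, rest


def find_exposed_hashes(dump):
    """Return (class, name, scheme) for every crackable hash still in the dump."""
    found = []
    for cls, attrs in parse_objects(dump):
        name = attrs[0][1]
        for key, value in attrs:
            if key != "auth":
                continue
            scheme, rest = _split_auth(value)
            if scheme in HASH_SCHEMES and rest and not rest.startswith("#"):
                found.append((cls, name, scheme))
    return found


def redact_auth(dump):
    """Rewrite the dump so each password hash becomes 'SCHEME # Filtered'."""
    out = []
    for line in dump.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "auth":
            pad = value[: len(value) - len(value.lstrip())]  # keep column layout
            scheme, rest = _split_auth(value)
            if scheme in HASH_SCHEMES and rest and not rest.startswith("#"):
                line = f"{key}:{pad}{scheme} # Filtered"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for cls, name, scheme in find_exposed_hashes(SAMPLE_DUMP):
        print(f"exposed: {cls} {name} uses {scheme}")
    print(redact_auth(SAMPLE_DUMP))
```

    Run `find_exposed_hashes` over a feed before publishing it: an empty result is the check that should have gated the June release. Redacting keeps the scheme name so consumers can still tell whether a maintainer relies on crypt-pw, which, given the 8-character truncation, is itself a finding worth reporting to the resource holder.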

  3. #3
    WHT-BR Top Member
    Join Date
    Dec 2010

  4. #4
    WHT-BR Top Member
    Join Date
    Dec 2010

    Massive data breach hits 6,000 Indian organisations

    The seller claims to have the ability to tamper with the IP allocation pool. An attack on the system could disrupt Internet IP allocation and affect Internet services in India. This could impact various CDN and hosting providers as well.

    October 4, 2017

    Information from servers of more than 6,000 Indian enterprises was reportedly put up for sale on the dark net in one of the biggest data breaches reported in the country. Seqrite, the enterprise arm of IT security firm Quick Heal, came across an advertisement on the dark net which claims to have access to data from over 6,000 Indian businesses including government organisations, internet service providers, banks and enterprises, said an IANS report.

    "We have alerted the government authorities well within time. If someone gets control over this massive data that is currently up for sale on DarkNet, the above mentioned organisations and enterprises can get affected," Rohit Srivastwa, Senior Director, Cyber Education and Services at Quick Heal, was quoted in the report.

    The unidentified hacker behind the data leak has asked for 15 Bitcoins for the information and is even offering network takedown of these 6,000 organisations for an unspecified amount, mentioned Seqrite Cyber Intelligence Labs, and its partner seQtree InfoServices, in a statement.

    "Along with the access, the hacker is also selling credentials, PII and various contractual business documents and claims to have access to a large database of Asia Pacific Network Information Centre (APNIC)," the statement further said.

    On detailed inspection, investigators found that the hackers have attacked Indian Registry for Internet Names and Numbers (IRINN), which comes under National Internet Exchange of India (NIXI). IRINN is the national internet registry agency which is tasked with coordinating IP address allocation, along with managing internet resources across the country.

    According to researchers, the hackers claimed to have the ability to manipulate IP address allocation pool, which could trigger a serious outage or Denial of Service attack-like condition, said the IANS report.

    "This could impact various content delivery network (CDN) and hosting providers as well. If the hacker gets an interested buyer, then an attack on the system could disrupt Internet IP allocation and affect Internet services in India," Seqrite said.

    With IRINN under attack, key government enterprises including Unique Identification Authority of India (UIDAI), Defence Research and Development Organisation (DRDO), Indian Space Research Organisation (ISRO), Reserve Bank of India (RBI), Employees' Provident Fund Organisation (EPFO), State Bank of India (SBI), Bharat Sanchar Nigam Limited (BSNL), and several others now face the risk of data leaks, said the IANS report.

    Bombay Stock Exchange (BSE), Idea Telecom, Flipkart, Aircel, TCS, and ICICI Prudential Mutual Fund are some of the major Indian organisations which have been threatened by this massive data breach, along with many others. Official websites of several Indian state government websites have also been put at risk.

    To prevent any damage, Seqrite has urged government bodies as well as APNIC to alert potentially threatened organisations to be on the lookout for any signs of trouble. These bodies have also been asked to change their passwords and update security protocols for their servers and systems.

  5. #5
    WHT-BR Top Member
    Join Date
    Dec 2010

    off-topic: Biometric data, unlike passwords, can never be changed

    Watch out, Aadhaar biometrics are an easy target for hackers

    Ankush Johar
    Oct 23, 2017

    Aadhaar is a 12-digit unique identification number issued by the Indian government to each Indian citizen. The Unique Identification Authority of India (UIDAI), which functions under the Planning Commission of India, is responsible for managing Aadhaar numbers and Aadhaar identification cards.

    The purpose of Aadhaar cards is to have a single, unique identification document or number that links a consumer’s entire details including demographic and biometric information.

    The Aadhaar card/UID does not replace the other identification documents but can be used as the sole identification proof when applying for services that require identification. It also serves as the basis for Know Your Customer (KYC) norms used by banks, financial institutions and other businesses that maintain customer profiles.

    Risk of Aadhaar biometrics

    Biometric data, unlike passwords, can never be changed, so if hackers successfully impersonate a fingerprint then they can cause serious havoc, and there is not much the victim will be able to do about it.

    With the recent government policies making biometrics the central identity verifier via Aadhaar information, a billion consumers could be walking a thin line between security and convenience. Though it becomes extremely convenient to make transactions via a single touch on your smartphone, it also means that all a malicious hacker needs to get is your fingerprint. Once he gets that, there’s no stopping. Identity theft and fraudulent transactions may just be the beginning.

    A simple fact: You cannot just change your fingerprint like you change your password in case of a hack. Even closing your account won’t solve your problems. Your fingerprint, wherever valid, can be used to steal your accounts.

    Government's claims about Aadhaar security

    The government claimed that Aadhaar is completely secure, and the data of the consumers was absolutely safe from any malicious party until a severe flaw was detected in the system. The bug allowed a malicious operator to save a user’s biometrics and simply use it to carry out transactions on the victim’s behalf via replaying the saved biometrics.

    In February this year, a Youtube video showed a demo of such a replay attack. Later that month, UIDAI filed a case against an employee of Suvidhaa Infoserve, saying that an Axis Bank's gateway was used to carry out around 400 transactions via replaying Aadhaar information that was saved earlier.

    To resolve these, the government decided to roll out new policies to ensure that critical Personally Identifiable Information (PII) of its citizens does not fall into the wrong hands and get misused. On January 25, the Registered Device notification made registration and encryption mandatory for every single biometric reader currently in use.

    According to the guidelines issued by Ministry of Electronics and Information Technology, sensitive personal data such as passwords, financial information (bank account, credit card, debit card and other payment instrument details), medical records and history, sexual orientation, physical and mental health and biometric information cannot be stored by agencies without encryption.

    Basically, the host computer can no longer store user’s biometrics which will eliminate the risk of using the stored biometrics without individual’s consent for authentication.

    How easy is it to steal fingerprints?

    Hackers can easily clone your fingerprints to gain access to your life. What's scarier is that it's neither too costly nor too difficult.

    Fingerprints can be picked up from daily objects easily or mass attacks are possible if the servers of UIDAI are hacked. Hackers can also skim fingerprints via malicious biometric devices just as with infected credit card machines. The problem here though is that you can block your credit card but not your fingerprint.

    Using the stolen print

    This can be done via digitally replaying the print to authenticate applications and transactions. Another possibility is to use 3D printers to simply make a physical copy of the print. It is even possible to make physical fingerprint replicas using simple dental moulds and some playing dough. According to research at the Department of Computer Science and Engineering at Michigan State University in the US, fingerprints can be replicated for less than $500 with conductive ink fed through a normal inkjet printer, in a procedure that takes less than 15 minutes. According to researchers at CITER, the disturbing thing about fingerprints is that they can be hacked just by using everyday items like some dental mould to take a cast and some playing dough to fill it. All they need is an impression of a person's fingerprint. Using the cloned fingerprint, the hacker can enter every mobile application or device that uses the fingerprint as a security measure.

    What about retina, voice and facial recognition?

    Besides fingerprints, some applications also use facial and voice recognition techniques. The general methodology on which all facial recognition apps work is that the person stares into the camera on their smartphone and the app captures images of the face. According to a research lab in Germany which specialises in cyber security, the hacker can use several pictures of the victim, which can be easily found via social networking websites, and use those pictures to bypass the security.

    However many applications using facial recognition claim to have 'liveness' technology which can distinguish a photograph from a real person. A hacker might bypass this by simply making a movement in front of the camera which might be interpreted by the app as a facial movement of the person if the app is not using some 3D face scanning.

    Voice recognition technology can analyse accents, pronunciation and the sounds of someone's mouth and tongue. Some apps use voice recognition by asking a person to repeat a certain phrase each time. If the app is more advanced, it can randomly generate a new phrase each time a person logs in.

    To bypass this, hackers can record the voice of a person saying the exact phrase that is required by the application or they can take advantage of software apps that allow a person to record someone's voice and get that voice to say phrases which the person may have never said before.

    Even iris scanners fail to secure the user's privacy. According to a security researcher at the Chaos Computer Club (CCC), Europe's largest association of hackers, a technique similar to the one that bypasses facial recognition is used to bypass iris scans as well, i.e. a standard photo camera. The CCC researcher told Forbes: "We have managed to fool a commercial system with a printout down to an iris. I did tests with different people and can say that an iris image with a diameter down to 75 pixels worked on our tests."

    How big is the threat?

    The government has made Aadhaar mandatory for Indian citizens to avail of many government services. Aadhaar is being used almost everywhere now. If the data gets leaked, unlike changing your passwords or creating a new account, people won’t be able to change their fingerprints or their facial structure. The digital infrastructure that the government is trying to push all across the country can come crumbling down if proper security measures are not at place.

    The glorious dream of Digital India could simply be a disaster if a billion countrymen finally get digitalised and a single hack gives malicious hackers a lifetime access to their digital assets and identity.

    What are the security measures?

    UIDAI provides a simple mechanism for Indian citizens to lock their biometric information and prevent them from being misused.

    Once the Aadhaar holder has locked his/her biometric data, no one, including the Aadhaar cardholder, will be able to use the biometric data for authentication purposes. Once locked, the biometric will get locked only for 10 minutes. The process of locking and unlocking biometrics is very simple. All a person is required to do is visit the URL, provide the Aadhaar card number, enter a security code, receive the OTP (which will be sent to the registered mobile number) and lock the Aadhaar card.

    How can Aadhaar be made more secure?

    Biometrics is an acceptable form of security but depending solely on that can be risky. The best way to make apps or devices secure is using biometrics security along with another unique customizable token such as a password. This might be more of a hassle but at least it adds an extra layer of security to your information. The bottom line is: you cannot use a biometric as a primary authenticator; it can only act as an extra layer of security for your applications or devices just like an OTP.

    Organisations, instead of making a fingerprint as the sole identification for a consumer, can use it as a second or even third factor to further strengthen their application infrastructure.

    See also:

    [EN] India’s biometric database: dystopian nightmare
    Last edited by 5ms; 24-10-2017 at 01:14.
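    An added example in Python, not UIDAI's code and not part of the post above, for the replay weakness described under "Government's claims about Aadhaar security" and the Registered Device fix that followed it. The vulnerable server accepts any template equal to the enrolled one, so a template the operator saved once can be replayed at will; the hardened server issues a fresh nonce per transaction and accepts only a template that a registered reader has bound to that nonce. HMAC-SHA256 is an assumed stand-in for the real registered-device signing and encryption, and the Aadhaar number, template bytes, device ids and keys are all constructed.

```python
"""Biometric replay: vulnerable flow beside a registered-device flow.

Added illustration, not UIDAI code. HMAC-SHA256 stands in for the real
registered-device signing/encryption; every number, template and key here
is constructed.
"""
import hashlib
import hmac
import os

# Constructed enrolment record: Aadhaar number -> stored biometric template.
ENROLLED = {"1234-5678-9012": b"constructed-fingerprint-template"}


def vulnerable_authenticate(enrolled, aadhaar_no, template):
    """Pre-fix behaviour: any template equal to the enrolled one is accepted,
    so a template the operator saved earlier can be replayed indefinitely."""
    return hmac.compare_digest(enrolled.get(aadhaar_no, b""), template)


class RegisteredDevice:
    """A biometric reader registered with the server; its key never leaves it."""

    def __init__(self, device_id, key):
        self.device_id = device_id
        self._key = key

    def capture_and_sign(self, nonce, template):
        # The capture is bound to this transaction's nonce and to this device.
        tag = hmac.new(self._key, nonce + template, hashlib.sha256).digest()
        return {"device_id": self.device_id, "nonce": nonce,
                "template": template, "tag": tag}


class AuthServer:
    """Post-fix behaviour: single-use nonce plus registered-device tag."""

    def __init__(self, enrolled, device_keys):
        self._enrolled = enrolled
        self._device_keys = device_keys   # device_id -> key, from registration
        self._open_nonces = set()         # issued but not yet consumed

    def new_transaction(self):
        nonce = os.urandom(16)
        self._open_nonces.add(nonce)
        return nonce

    def authenticate(self, aadhaar_no, packet):
        nonce = packet["nonce"]
        if nonce not in self._open_nonces:
            return False                  # never issued, or already used
        self._open_nonces.discard(nonce)  # single use, even if the rest fails
        key = self._device_keys.get(packet["device_id"])
        if key is None:
            return False                  # unregistered reader
        expected = hmac.new(key, nonce + packet["template"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, packet["tag"]):
            return False                  # template altered or tag forged
        return hmac.compare_digest(self._enrolled.get(aadhaar_no, b""),
                                   packet["template"])


def run_demo():
    """Exercise both flows and return the outcomes as a dict."""
    uid = "1234-5678-9012"
    template = ENROLLED[uid]

    # Vulnerable flow: the operator saved the template once, replays it twice.
    replay_1 = vulnerable_authenticate(ENROLLED, uid, template)
    replay_2 = vulnerable_authenticate(ENROLLED, uid, template)

    device_key = os.urandom(32)
    server = AuthServer(ENROLLED, {"RD-001": device_key})
    reader = RegisteredDevice("RD-001", device_key)
    rogue = RegisteredDevice("RD-999", os.urandom(32))   # never registered

    packet = reader.capture_and_sign(server.new_transaction(), template)
    live_ok = server.authenticate(uid, packet)
    # Same packet again: its nonce was consumed by the first call.
    replay_blocked = not server.authenticate(uid, packet)
    # Unregistered reader, even with a freshly issued nonce.
    rogue_packet = rogue.capture_and_sign(server.new_transaction(), template)
    rogue_blocked = not server.authenticate(uid, rogue_packet)
    # Registered reader, but the template was swapped after signing.
    forged = reader.capture_and_sign(server.new_transaction(), template)
    forged["template"] = b"some-other-template"
    forgery_blocked = not server.authenticate(uid, forged)

    return {"vulnerable_replay_accepted": replay_1 and replay_2,
            "live_accepted": live_ok,
            "replay_blocked": replay_blocked,
            "rogue_device_blocked": rogue_blocked,
            "forgery_blocked": forgery_blocked}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

    The nonce is consumed before any other check so that a failed attempt cannot be retried with the same transaction, and the device key is looked up by id on the server side rather than trusted from the packet; both are the points a stored-template replay or an unregistered reader would otherwise slip through. The stored template itself still cannot be changed if it leaks, which is the post's underlying point.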

  6. #6
    WHT-BR Top Member
    Join Date
    Dec 2010

    off-topic: MSc graduate hacked Aadhaar data through Digital India app

    Some 50,000 people used Aadhar e-KYC verification from Google Play Store

    Johnson TA
    August 4, 2017

    An IIT Kharagpur graduate who has been accused of hacking into the central identities data repository of the Unique Identification Development Authority of India’s (UIDAI) Aadhaar project gained access to the repository through the Digital India e-hospital initiative of the Ministry of Electronics and Information Technology, police investigation has revealed. Bengaluru Police on Thursday formally announced the arrest of Abhinav Srivastava — a 31-year-old hailing from Uttar Pradesh — in connection with a complaint of unauthorised access of the central identities data repository filed by the UIDAI on July 26.

    The complaint to the police stated that Srivastava had accessed UIDAI data without authorisation between January 1 and July 26 for an app called ‘eKYC Verification’. The app delivered demographic data like name, address and phone number of individuals from the central identities data repository of Aadhaar to authenticate unique identity numbers. It was placed on Google Play Store with the claim that it was developed by an entity called myGov linked to the start-up Qarth Technologies, which had been acquired by the taxi hailing service Ola in 2016.

    Investigations by the police cyber crime unit since the detention of the software engineer revealed that Srivastava hacked into the Aadhaar-enabled e-hospital system created under the Digital India project of the Government of India to access the central identities data repository of UIDAI for verification of Aadhaar numbers for his ‘eKYC Verification’ app.

    “As a highly qualified technical expert, Srivastava had a deep interest in developing Android mobile apps. He developed the Aadhaar e-KYC verification mobile application in January 2017 and earned about Rs 40,000 from advertisements,’’ Bengaluru Police Commissioner T Suneel Kumar said on Wednesday. “The accused accessed UIDAI data through the e-hospital application and its server. He provided Aadhaar information to people through the app.’’

    “He managed to hack into the server of the e-hospital system and, using this system, he used to send verification requests to the UIDAI database for his own app. The UIDAI system allowed access under the impression that the authentication requests were coming from the e-hospital system and it was not apparent that the query was unauthorised,’’ a police source said.

    At the time of his arrest, Srivastava was employed with Ola after the start-up Qarth Technologies he created with an IIT Kharagpur batchmate, Prerit Srivastava, was acquired by Ola in March 2016 in order to take over an e-wallet app called X-pay developed by the start-up. Srivastava was earning Rs 40 lakh a year at Ola, Kumar said. The source said, “He has developed as many as five mobile apps. We are investigating if the eKYC Verification app he developed was used in any form by Ola. The app was used by around 50,000 people after it was placed on Google Play Store.”

    Police sources said they were also probing if Srivastava had been aided by anyone in hacking into the e-hospital system. The e-hospital system was created by the government to allow people to make electronic appointments in government hospitals. It has been used in three hospitals in New Delhi — AIIMS, Dr Ram Manohar Lohia Hospital and Safdarjung Hospital.

    The e-hospital app, which is hosted on the cloud services of NIC, facilitates online appointments at hospitals “using eKYC data of Aadhaar number, if the patient’s mobile number is registered with UIDAI. In case the mobile number is not registered, it uses the patient’s name”. Srivastava’s eKYC Verification app mimicked the e-hospital app in accessing the identity authentication services of UIDAI.
    Last edited by 5ms; 24-10-2017 at 01:08.
