indiaa
Security

Abhay Bhargav (India) - Hacktivism and the Indian Enterprise

The security industry has been in a state of flux over the last 1/4 of a year. The early part of 2011 has not been a very good year for enterprise security. In public memory, it all started sometime in early February 2011, when a group called Anonymous hacked a company called HBGary Federal. HBGary Federal is a company that was working with the authorities (like the FBI). The group Anonymous found a web application vulnerability and were able to extract the user information of all the administrators and content providers of the site. Using this access, the group penetrated the email accounts of some of the key members in the company, including the CEO. HBGary Federal is an information security company that does highly confidential work for the US government, but due to a simple flaw in their website, they paid a heavy price, with both their sensitive information and reputation besmirched all over the internet.

What followed was an unprecedented wave of attacks against companies like Sony, the Arizona State Police, Fox News, PBS, The UK’s NHS, Nintendo, the FBI, CIA, Booz Allen Hamilton, and our very own National Informatics Center in India. In fact, the Sony hack was so pervasive that the personal data of over one million users was exposed, including credit card details and sensitive personal information. To add insult to injury, Sony’s most popular PlayStation Network was down for several days.

Most of these attacks have revolved around the web. Hacktivist groups do the most damage to websites/web applications, because it is the most public facing part of the company or the organization. The group’s aim has been to deface the website/web application of an organization and also extract sensitive information from the backend databases and file systems connected to the said website/web application and leak it to the public domain. This has a multi-pronged effect. Firstly, the visitors to the website/web application of the organization see that it has clearly been hacked (because of the defacement) with the help of twitter and other channels. They announce that the security of a particular organization has been compromised. Sometimes they even have a package that users can download containing usernames, passwords, and other sensitive information.

Web security in India is yet to mature. In fact, in the websites and web applications that we test, we see that around 8 out of every 10 are seriously vulnerable to multiple web application attacks. Most of the time these vulnerabilities are easily identified; without having to probe the issue too deeply, or launching highly sophisticated attacks. SQL Injection is a common attack that can launch multiple attacks against websites and web applications in India. SQL Injection is deadly; where an attacker enters database queries into the application’s input, the application will not validate input effectively, and can provide the attacker with access to the backend database. This means the attacker can extract a great deal of information; like usernames, passwords, credit card data or any other sensitive information that is stored in the database used by the application. In fact, a bulk of the attacks carried out by the Hacktivist groups have been SQL Injection, which demonstrates that these websites/web applications don’t filter input effectively, paying a heavy price for their lack of oversight.

Anonymous hacked the Indian National Informatics Center as a protest against corruption in India. This happened at a time when there were rallies against corruption happening across the nation. The National Informatics Center is the apex of IT authority in the country, providing IT for the government and e-governance initiatives. Hacking of such a government body sent a very strong message to the government’s IT infrastructure, and has demonstrated that the web security implementation and infrastructure for companies and government organizations requires a great deal of oversight.

Hacktivism has become a reality for most organizations and governments today. Hacktivists commonly align themselves to a cause and perpetrate attacks against IT infrastructure; but in many cases (like in the case of Sony) there was no activist motivations for the hackers to perpetrate the attacks, their motto is “to have fun at your expense”. In times like these, and with words like those, I would say “Shields up”.

Abhay Bhargav is the CTO of Information Security Company, we45 Solutions India Pvt. Ltd. He can be reached at abhay@we45.com. His company website

PREVIOUS ARTICLE

« Luca Simonelli (Europe) - Secure Your Strategy First

NEXT ARTICLE

Dan Dunford (UK) - Why the Summer Data Breach is Good News for Managed File Transfer »

Recommended for You

Trump hits partial pause on Huawei ban, but 5G concerns persist

Phil Muncaster reports on China and beyond

FinancialForce profits from PSA investment

Martin Veitch's inside track on today’s tech trends

Future-proofing the Middle East

Keri Allan looks at the latest trends and technologies

Poll

Do you think your smartphone is making you a workaholic?