Saturday, October 3, 2015

Making everyone a developer: GitHub's next move

This interview with GitHub CEO Chris Wanstrath and product VP Kakul Srivastava explains a little more about what GitHub is planning for the future — and how the company is trying to live up to its $2 billion valuation. Basically, if every developer in the world uses and loves GitHub, the next logical step is to turn more people into developers. "Even today, Wanstrath says, there are journalists and scientists who are using GitHub to find, build, and share data-driven applications that assist with research or interactive projects. The goal, then, is to gradually make it a lot easier for anybody to get started on the platform. As more and more people get educated as programmers from an early age, Wanstrath wants GitHub to be the service of choice for the next generation to really get their feet wet."

Sunday, September 27, 2015

Running out of IPv4 addresses

The BBC is reporting that the American Registry for Internet Numbers (ARIN) ran out of spare IP addresses yesterday. "Companies in North America should now accelerate their move to the latest version of the net's addressing system. Now Africa is the only region with any significant blocks of the older version 4 internet addresses available." A British networking company that supplies schools has done an analysis on how concerned IT managers should be. This comes almost exactly 3 years after Europe ran out.

Breaking the Grid Authentication for NEFT transaction ICICI

As I stated in my previous post, I was facing grief with the grid authentication needed to complete a NEFT transaction. Later, after some R&D across the entire web and apps of ICICI, I found a workaround to bypass this system for a successful money transfer without any silos.

It's been almost 2 days since I posted about the trouble I faced due to this grid system. The @ICICI care team reached out to me on Twitter and DMed me that the concerned team would call me, and I am still waiting for their call.
Firstly, I would not be a naysayer of the security system implemented. I do know how much security matters, as I germinated from a security domain. I am more skeptical about the info shared by every executive they defy with (the only answer was "we are deeply sorry for the inconvenience caused; you could not proceed with the transaction without a grid authentication").

There is a contradiction in the workflow:

The major flaw is that when a user initiates a transaction, the system couldn't update the user's debit card details in real time. If the user is not associated with any debit card, the system should analyze this and authenticate by alternative means to complete the transaction.

This should happen; otherwise the end user is left waiting until they receive the debit card for important transactions.

Workaround for this which I used:

When I explored the web login, there was no way allowed to complete the transaction. Suddenly a spark came into my mind: we are in an "apps world", so why can't we try the existing apps on my gadget?

I tried to see whether there would be a way in iMobile and failed miserably, but tenacity gave me the last trump card: an app called Pockets. The Pockets app acts like a personal wallet where I can add funds from my ICICI account. A new user (non-ICICI user) can create a new account; an existing user can log in using the net banking credentials. Once that is done, the way is out: add the funds to the wallet, then access the registered user with the account from the app and complete your transfer via NEFT with OTP.

MORAL / CONCLUSION: The financial institution we rely on should educate the customers about the process, but that's secondary; before that, the employees inside the bank should know the process and the possibilities to overcome the issues caused.

Do they conduct regular meetings to share what's new, what they launch and which procedures get changed, and stay updated?

Waiting for a response from #ICICI. Hope things will change.
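
The inconsistency this post describes, where the web flow demands the grid value for NEFT while another channel reaches the same transfer with OTP alone, can be caught at design time by checking every route to the operation against one baseline. This is an added example, not part of the original post and not ICICI's code; the state names, the `downgrade_paths` helper and the factor sets are assumptions modelled on the post's description.

```python
# Constructed model: channel names follow the post; the factor sets are
# assumptions for illustration, not ICICI's documented policy.
BASELINE = frozenset({"grid", "otp"})  # factors the web flow demands for NEFT

STEPS = [
    # (from_state, to_state, channel, factors checked at this step)
    ("session", "neft_sent", "web", {"grid", "otp"}),
    ("session", "neft_sent", "imobile", {"grid", "otp"}),
    ("session", "wallet_funded", "pockets", set()),
    ("wallet_funded", "neft_sent", "pockets", {"otp"}),
]


def downgrade_paths(steps, start, goal, baseline):
    """Return (path, missing_factors) for every route from start to goal
    whose combined checks do not cover the baseline factor set."""
    findings = []

    def walk(state, path, factors, seen):
        if state == goal:
            missing = baseline - factors
            if missing:
                findings.append((path, sorted(missing)))
            return
        for src, dst, channel, checked in steps:
            # 'seen' stops the walk from looping through a state twice
            if src == state and dst not in seen:
                walk(dst, path + [f"{channel}:{src}->{dst}"],
                     factors | checked, seen | {dst})

    walk(start, [], frozenset(), {start})
    return findings


if __name__ == "__main__":
    for path, missing in downgrade_paths(STEPS, "session", "neft_sent", BASELINE):
        print("weaker route:", ", ".join(path), "| skips:", missing)
```

Enforcing the factor requirement on the operation (the NEFT transfer) rather than on the channel makes the finding list empty, which is the property to regression-test whenever a new app or wallet feature is added.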

Thursday, September 24, 2015

Silos of Grid security authentication ICICI Bank

Today I am a very disappointed 6-yr customer of ICICI Bank - Security systems! Since last night I have been trying to make an online transaction to another account, and the transaction could not be completed due to the unavailability of the debit card grid value. Day by day technologies grow; we use net banking, mobile banking, etc. Even ICICI proudly talks of cardless cash withdrawals.

Since my debit card has become too old and damaged, I have applied for a new one and it's under process. Meanwhile, if I wish to do an online transaction, ICICI Bank states that I could not proceed because grid authentication is mandatory. It's good that they have implemented an extra layer of security, but that security system should not be a grief to customers' transactions. This would not be a better option in the longer run. When a customer applies for a new card they are unlinking the old card from the account, so they can enable other security options like OTP as an alternate, by not mandating that both are required. I hope even the Head of ICICI would not prefer to use their banking facilities if they faced this kind of issue. In crucial situations, to pay your bills, the customer care executives responding that "without a grid value we can't help you to proceed" is really frustrating; they are not thinking along the lines of a customer or going the extra mile to check what best can be done. When they link the customer's mobile number, they can make that primary and the grid option secondary, if the customer further opts for it during transactions. What are the plan B options if a disaster occurs?

The customer should be helpless till he receives a new card again. If they comply with various regulatory laws, I'm sure they will be aware of what BO states.

The grid authentication was first introduced to avoid cyber crooks in credit card transactions. This may work for credit cards, but linking this to internet banking and debit cards will be a failing factor. However, there should be certain measures taken by ICICI to provide a Plan B for continuing the services without interruption, by authenticating customers by other security parameters.

Saturday, September 19, 2015

Homegrown Linux distro by M$

Microsoft has built a Linux distro, and is using it for their Azure data centers. From their blog post: "It is a cross-platform modular operating system for data center networking built on Linux." Apparently, the existing SDN (Software Defined Network) implementations didn't fit Microsoft's plans for the ACS (Azure Cloud Switch), so they decided to roll their own infrastructure. No explanation why they settled on Linux.

Microsoft has built its own Linux-based operating system called Azure Cloud Switch (ACS) and, believe me, under Satya Nadella, Microsoft has become more open than ever.
The purpose of developing the Linux-based Azure Cloud Switch (ACS) operating system at Microsoft is to make it simpler to control the hardware from multiple vendors (such as switches) that powers their cloud-based services.


Saturday, September 12, 2015

BitTorrent-based DOS DNS attacks proved

New research from City University London has demonstrated the practicability of using highly popular file-sharing clients based on the BitTorrent protocol to accomplish Denial of Service (DOS) attacks that are orders of magnitude more aggressive and powerful than conventional techniques currently in use.
The paper [PDF], entitled P2P File-Sharing in Hell: Exploiting BitTorrent Vulnerabilities to Launch Distributed Reflective DoS Attacks, details the efforts of researcher Florian Adamsky (along with fellows Syed Ali Khayam of Santa Clara-based security outfit PLUMgrid and Rudolf Jäger of The Mittelhessen University of Applied Sciences in Germany) to prove that attackers can exploit vulnerabilities in BitTorrent clients in order to effect Distributed Reflective Denial of Service (DRDoS) attacks.
The paper states “Our protocol analysis shows that BitTorrent is highly vulnerable to DRDoS attacks. An attacker is able to amplify the traffic beginning from 4–54.3 times.”
DRDoS attacks rely on the misconfiguration of Domain Name System (DNS) servers to help attackers spoof the apparent originating source of a ‘request flood’ – the type of information overload that can bring down a website or organizational infrastructure for days, or weeks.
A DRDoS attack routes the aggressive traffic through ‘amplifiers’, and these reflect the traffic to the victim. In the case of a BitTorrent-based attack the protocols exploited are Distributed Hash Table (DHT), Micro Transport Protocol (uTP), BitTorrent Sync (BTSync) and Message Stream Encryption (MSE). “Since these protocols do not include mechanisms to prevent IP source address spoofing,” the paper explains, “an attacker can use peer-discovery techniques like trackers, DHT or Peer Exchange (PEX) to collect millions of possible amplifiers.”
Apparently the BitTorrent clients that are most susceptible to the attack are also those that are most widely used; the report observes that “the most widely-used BitTorrent clients like uTorrent, Mainline and Vuze are also the most vulnerable ones.” Three years ago the number of users of uTorrent alone was estimated at 150 million, making the potential devastation of a Torrent-based DOS attack a formidable one.
In terms of security for the attacking actor, this attack method has the advantage of being undetectable by standard firewalls due to the encrypted nature of the protocol, and would require deep packet inspection to identify. Additionally a BitTorrent-based DRDoS attack has the advantage of being launchable from a single computer. The potency of this attack format is further reinforced by the multiple connections that BitTorrent is able to leverage; clients operate separate connection threads on multiple ports, which can result in a client dominating available bandwidth.

BitTorrent has since responded to the Adamsky paper. In a blog post today the company outlines how its engineering teams have been working to mitigate the possibility of DRDoS attacks.

Friday, September 11, 2015

FireEye tries to stifle public disclosure of vulnerabilities in its suite

Felix Wilhelm, a security researcher for ERNW GmbH, made FireEye aware of the vulnerabilities five months ago, and reportedly worked with the company to help them resolve the issues successfully. But FireEye eventually decided that no disclosure of the vulnerabilities should be allowed to take place.
FireEye, founded in 2004, is a leading network security company focused on protecting businesses from malware, zero-day exploits and other cyber attacks. The U.S.-based firm has over 2,500 customers globally, including Fortune 500 companies and many federal departments. FireEye was tightly involved in cyber investigations following the high-profile attacks on Sony Pictures and Anthem.
Leading network security company FireEye, which has customers in government and the Fortune 500 list, has caused a controversy at a London security conference today after its legal attempts to stop a keynote speech detailing the repair of major security loopholes in its customer-facing systems this year. Reported among these now-fixed vulnerabilities were the running of a significant number of FireEye's Apache-based security servers as 'root' — meaning that any attacker able to compromise the servers would have had absolute power over all its operations and commercial connections.