Security through obscurity and fear

Presentation transcript:

Security through obscurity and fear
Abhinav Srivastava

Who am I?
IIT Kharagpur graduate 2009, started career as Security researcher at iViZ Security
Founded Qarth Technologies with Govt funding and incubation support at IIT Madras 2011
Developed first version of secure UPI architecture in 2012
Startup acquired by Ola 2016. Now works at Ola Innovation labs on connected cars platform
Unified Payment Interface: infrastructure of the BHIM app / WhatsApp app

Why am I here?
Victim of media hype

What exactly happened?
An Android app was discovered on Play Store providing Aadhaar data via an OTP
The publisher of the app (my personal email) was not an authorised Aadhaar eKYC agency
FUD!!!

How was the app working?
The app was using a publicly available API developed by NIC, which was used in one of their apps named eHospital

What was the security vulnerability?
No HTTPS, no SSL pinning in the eHospital app
No request and response payload encryption
Password stored in the Android app
No demographic validation and rate limiting on the server
Basically an insecure public API, reachable from anywhere in the world, providing Aadhaar details through an OTP
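The server-side controls the slide says were missing (rate limiting on OTP requests and a bound on OTP guesses), shown as an added example written for this page; it is not code from the talk or from the eHospital API, and the hypothetical OtpService with its per-target and per-client limits is an assumption:

```python
"""Server-side throttling for an OTP-gated lookup endpoint (illustrative).

Assumption (not from the talk): the endpoint first issues an OTP for a target
identifier and later verifies it. Both steps are throttled, every OTP is
single-use, and each OTP permits only a few guesses before it is discarded.
"""
import hmac
import secrets
import time
from collections import defaultdict, deque

OTP_REQUESTS_PER_TARGET_HOUR = 5    # OTP sends per looked-up identifier
OTP_REQUESTS_PER_CLIENT_HOUR = 20   # OTP sends per calling client / IP
MAX_OTP_GUESSES = 3                 # wrong guesses tolerated per issued OTP
OTP_TTL_SECONDS = 300               # OTP validity window


class SlidingWindowLimiter:
    """Allows at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)   # key -> timestamps of recent events

    def allow(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class OtpService:
    def __init__(self):
        self.per_target = SlidingWindowLimiter(OTP_REQUESTS_PER_TARGET_HOUR, 3600)
        self.per_client = SlidingWindowLimiter(OTP_REQUESTS_PER_CLIENT_HOUR, 3600)
        self.pending = {}   # target -> [otp, expires_at, guesses_left]

    def request_otp(self, client, target, now=None):
        now = time.time() if now is None else now
        # Both the caller and the looked-up identifier are throttled; None means HTTP 429.
        if not (self.per_client.allow(client, now) and self.per_target.allow(target, now)):
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[target] = [otp, now + OTP_TTL_SECONDS, MAX_OTP_GUESSES]
        return otp   # returned here only for the demo; a real service delivers it out of band

    def verify_otp(self, target, guess, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(target)
        if entry is None or now > entry[1]:      # unknown, expired, locked out or already used
            self.pending.pop(target, None)
            return False
        entry[2] -= 1
        ok = hmac.compare_digest(entry[0], guess)  # constant-time comparison
        if ok or entry[2] <= 0:                    # single use; discard after too many guesses
            del self.pending[target]
        return ok
```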

Why develop such an app?
Fake Aadhaar is a serious problem
Need an easy way to validate the Aadhaar number
A simple Android app can empower citizens to verify an Aadhaar card in seconds
Never save the user's Aadhaar data in any form in the process
Help people validate their own Aadhaar data

Why was the hype?
Case tagged as a network security issue
Hyped up by media as a national security breach
Nobody - media/police - understood the technology behind the app
Overaggressive approach by police and judiciary - State vs Abhinav Srivastava

Key questions?
Did the Aadhaar database get hacked? - NO
Was it a national security issue? - NO
Is the Aadhaar ecosystem secure? - NO
Is there any other security loophole? - MAYBE
Govt has created fear in the minds of security researchers; even if they find something, they won't report it.
While Google and Facebook encourage vulnerability reporting and reward it, our Govt is taking a strikingly opposite position on such an important national issue.

Q & A?