Toka Poisa, a big security disaster?

 

 

Disclaimer:


This is not a hacking attack. Yesterday (11/1/2017) the Government of Assam launched an e-Wallet, Tokapoisa.in, to enable the people of the state to make hassle-free online transactions in their local language.

I found a serious security flaw in it that same day, one that could be used to completely take over anyone's account. I reported it to Amtron through the Special Branch of Assam Police, as the email ID mentioned on the official website (http://tokapoisa.in/) was not working; I also tried to contact Amtron at the email ID given on Amtron's official website (http://amtron.in/), which, surprisingly, was not working either.

The flaw is fixed now. Since it is fixed, I am making a public disclosure here so that others in the community can learn from it. This is ethical hacking (healthy and legal). Please do not mistake it for a hacking attack.




On 11th January 2017, the Assam Government launched an e-wallet, Tokapoisa.in, to enable the people of the state to make hassle-free online transactions in their local language. The e-wallet is a joint venture developed by the state's Assam Electronics Development Corporation Limited (Amtron) and ICICI Bank. Many news portals soon covered the launch, so as a security researcher I was curious to see how the platform works.

Since it involves money transactions I assumed it would be secure, but I was mistaken. The security level of the platform was very poor: anyone with a little knowledge of hacking could easily bypass its security features and misuse it. Such flaws might be tolerable while an app is still in its testing phase, but this app had been launched and made public, which clearly indicates that they failed to catch such basic flaws during testing!

So here are the flaws:


(I have reported the flaws and they were fixed today.)

Flaw 1 (Serious)


Flaw name: Bypass OTP verification while signing in

The first thing to note about the site is that there is no password verification: the user enters their phone number, an OTP is sent to that phone, and once they enter the OTP they are signed in.

Only one level of authentication is used, the OTP. So if an attacker bypasses the OTP he gets access to anyone's wallet and can misuse it: once inside, he can make payments, steal money, etc.
Registration does not ask the user to verify the phone number, which means an attacker can register anyone's number.

Now assume that a user has already created an account; an attacker can then log in to that specific user's account to make payments on his behalf, steal money, etc.

Here is the proof of concept:




This was possible because there is no limit on the number of times an invalid OTP can be entered, so an attacker can simply brute-force the OTP and gain full access to anyone's account and money.
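The fix for this class of flaw lives on the server: bound the number of guesses per issued code, expire codes quickly, and burn the code once the limit is hit. The following is an added example of that logic (my own illustration, not Amtron's or Tokapoisa's code; the class names, the limits and the injectable clock are assumptions):

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300    # a code is valid for 5 minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed per issued code
LOCKOUT_SECONDS = 900    # cool-down before that phone can request another code


class _Entry:
    """Per-phone OTP state (assumed in-memory design)."""
    def __init__(self):
        self.code = None
        self.expires = 0.0
        self.attempts = 0
        self.locked_until = 0.0


class OtpGate:
    """Issue and verify SMS OTPs with attempt limiting (assumed design, not Tokapoisa's)."""

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable clock so expiry/lockout can be tested offline
        self._entries = {}

    def issue(self, phone: str) -> str:
        now = self._clock()
        e = self._entries.setdefault(phone, _Entry())
        if e.locked_until > now:
            raise PermissionError("too many failed attempts; retry later")
        # secrets, not random: the code must be unpredictable
        e.code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        e.expires = now + OTP_TTL_SECONDS
        e.attempts = 0
        return e.code             # delivered by SMS in a real system, never echoed to the client

    def verify(self, phone: str, submitted: str) -> bool:
        now = self._clock()
        e = self._entries.get(phone)
        if e is None or e.code is None or e.locked_until > now:
            return False          # nothing outstanding, or the phone is locked out
        if now > e.expires:
            e.code = None         # expired: the user must request a fresh code
            return False
        e.attempts += 1
        if hmac.compare_digest(e.code.encode(), submitted.encode()):  # constant-time compare
            e.code = None         # one-time use
            return True
        if e.attempts >= MAX_ATTEMPTS:
            # With 6 digits and 5 tries a blind guess succeeds 5 times in 1,000,000, and
            # the code is burned here so it cannot be guessed at all afterwards.
            e.code = None
            e.locked_until = now + LOCKOUT_SECONDS
        return False

    def remaining_attempts(self, phone: str) -> int:
        e = self._entries.get(phone)
        return 0 if e is None or e.code is None else MAX_ATTEMPTS - e.attempts
```

The same counters should be persisted in a shared store (not per web worker) so that an attacker cannot reset them by hitting a different server, and the phone-number check at registration closes the "register anyone's number" hole described above.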


Flaw 2 (low impact)


Flaw name: Directory listing

There was a directory listing flaw in the website, through which an attacker can see all the files in a directory. This can be used to learn about files inside the directory even if they are not linked anywhere on the site, so it gives a good picture of everything hosted there.



Flaw 3 (medium)


There is no SSL certificate on the site. The site deals with money and transactions, yet it runs on http and not https. SSL certificates provide secure, encrypted communication between a website and a browser. SSL stands for Secure Sockets Layer, the protocol that provides the encryption. SSL certificates are typically installed on pages that require end users to submit sensitive information over the internet, like credit card details or passwords. But the Tokapoisa site has no SSL, which means the connection is unencrypted and anyone on the network path can perform a man-in-the-middle attack and read sensitive information. This is the first website I have seen that deals with money and does not have an SSL certificate.

Miscellaneous


Tokapoisa has launched an Android app which is not really an app, because it is just a web viewer that displays the site. There is nothing special in the Android app: when you open it, it simply shows you the web page, which means anyone can create an identical app. This is dangerous because the app has not been published in any app store, so if an attacker creates an app that displays the website inside it, no one can distinguish it from the original, and the attacker can take advantage of that by adding malicious code to his version.


When I found the flaw I first prepared a report and mailed it to the email ID provided on the Tokapoisa website (appsupport@amtron.in), but delivery failed because they had not configured the mail service.

Then I mailed it to the General Manager of Amtron (



30.94 million people (population of Assam, 2012) could be at risk.

So I did my bit to secure the platform. I hope it benefits the people of Assam.

Security Risk of Cashless Economy in India



8th November 2016 was a big date for the entire world. On the one hand, the US election results were announced, and on the other hand the Prime Minister of India, Shri Narendra Modi, announced demonetization in the country (India). If you are not from India, you might be wondering what I mean by that. Well, on 8th November the Prime Minister announced that from 9th November Rs 500 and Rs 1000 notes would no longer be legal tender and all citizens would need to deposit them in their banks. Soon after the announcement there was a big rush at the banks as millions of people went to exchange their old currency notes.

Long queues at banks (image)


But soon after the announcement the Government of India started setting up various rules. One of the major rules was that a citizen could only withdraw Rs 2000 per day. This became a huge problem, as Rs 2000 is not enough, and since everyone was depositing their money there was a scarcity of physical notes. The government launched Rs 2000 notes, but since no one had change they were almost useless at that time.

The Solution?


Many started using online transactions as there were no restrictions on them. Many people started using third-party apps like Paytm and MobiKwik to make payments. Over the past week, digital payments have hit record transactions: Paytm said there was a 200 per cent increase in its mobile application downloads and a 250 per cent increase in overall transactions; MobiKwik said its user traffic and merchant queries increased by 200 per cent within a few days of the government's announcement. Companies such as Oxigen and PayU have also seen a rise in their service usage.


Demonetization came as good news for these apps. Within a few days of demonetization, Paytm went to almost all the shops and local businesses and signed them up so that they could take money from customers via the app.

Now even the government is focusing on a cashless economy. Many banks have already come up with their own apps through which customers can make transactions. Here in India every day we see government ads asking people to use these app-based services so that the country can go fully cashless.

But is this a good step?

Well, I don't know at this point how successful or useful it will be, but are we ready for a fully cashless economy here in India?

Let's look at the security aspect of a cashless economy.

The Risk


The first ATM in India was set up in 1987, but still most people don't know how to use one, which is why we see a lot of ATM fraud. The weakest security link in any transaction is not the technology but the user and their lack of understanding of security issues. To get a sense of this: to withdraw money from ATMs, some people were giving others their card and PIN number.

Now imagine asking those people to switch to these mobile-based apps in just 1-2 months; how will they do it? And since there is a limit on cash withdrawals, people are forced to use these apps.

One of the biggest financial data breaches in India, exposed in late October, compromised the financial data of over three million users and hit major banks. The breach occurred when a network of Hitachi ATMs infected with malware enabled hackers to steal users' login credentials and make illegal transactions. Following this, companies issued new cards and asked customers to limit their ATM usage to machines operated by their own banks. However, a few weeks after the breach, the demonetization announcement pushed people to do just the opposite: rush to withdraw money from any functioning ATM. To date, there has been no communication from the banks or the Reserve Bank of India assuring the public that the infected ATMs have been taken out of service or fixed to prevent further breaches.

Now, since everyone is new to these mobile transactions and apps, it has become easy for hackers and fraudsters to fool people and take their money. I'll give you a small example.

A fast food joint near my home has started accepting Paytm payments. Earlier the owner took only cash, but now he accepts Paytm too. But here is the risk: he is not well educated and doesn't know much about security. If a fraudster calls him up, says he is from Paytm, and tells him to transfer 20% of his money to a given number or else his account will be deleted, I'm 100% sure he will do it.

This is the problem we are facing right now. The people of the country lack awareness. We must first make them aware of how to use these services and what the risks are; only then can we start using them.


These are the physical risks. Now let's come to the technical risks.

Now that everyone depends on these app-based payment systems, they have become a prime target for hackers. One flaw in these apps and all our money is gone. Also, since users are not aware, it becomes very easy to hack them.

Last year the popular Bollywood singer Papon Mahanta's official Facebook page was hacked and I helped him get the page back. While working on it I learned that the hacker had sent him a phishing page, and his social media manager, thinking it was legitimate, gave away the login details.


Now think: if his social media manager, who deals with online matters most of the time, failed to recognize a phishing page, how can you expect an ordinary person to distinguish the real login page of a payment app from a phishing page?

Also, recently a hacker group called "Legion" has been hacking high-profile accounts such as Rahul Gandhi (Vice-President of the Indian National Congress party), the Indian National Congress, Barkha Dutt (Indian television journalist), Ravish Kumar (Indian television journalist), etc. In one of their interviews they said that Indian banking systems can be easily hacked. So how can we be sure that the apps all the banks launched in the last month are secure? How safe is our money?

Conclusion


Demonetization is a good step by the government, but I think this is not the right time to go cashless. Today we use apps like Ola and Uber because we like them, not because we are forced to. Right now people are using these payment apps because they have no other choice. I think the government should focus on making people aware of how to use these apps, their security and their benefits, and let people decide for themselves whether they want to go cashless or not.

Beware! Hackers are using Facebook Messenger to Spread Locky Ransomware



Have you come across a Facebook message with an image in the .SVG file format? If not, you are lucky; if you have received one, avoid clicking it.

If clicked, the file would eventually infect your PC with the nasty Locky ransomware, a family of malware. In a short period Locky has become one of the favourite ransomware tools of spammers. It usually spreads via spam emails with a disguised downloader.

This attack was first discovered by malware researcher Bart Blaze. Surprisingly, the malware manages to bypass Facebook's file extension filter.

But why the SVG file format?


The answer is simple: SVG files can contain embedded content such as JavaScript, and they open directly in the browser.

So the attackers added JavaScript code inside the image file which redirects you to a malicious website mimicking YouTube. The site then pushes a popup asking you to download and install a certain codec extension in Google Chrome in order to view the video. The malicious extension used two names, Ubo and One.
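To see why an SVG is not "just an image", here is an added example (not from the original post or from Bart Blaze's analysis) of a server-side check a site could run on uploaded SVGs to flag script elements, on* event handlers and javascript: URLs before serving them inline; the sample SVG inputs are constructed and the function names are my own.

```python
import xml.etree.ElementTree as ET

# Element types that execute code or embed foreign documents inside an SVG.
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.split("}", 1)[1] if qname.startswith("{") else qname


def find_active_content(svg_bytes: bytes):
    """Return the reasons an SVG is unsafe to render inline; an empty list means clean."""
    try:
        root = ET.fromstring(svg_bytes)      # expat does not fetch external entities
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():                   # document order, root first
        name = _local(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.lower().startswith("on"):   # onload=, onclick=, onerror=, ...
                findings.append(f"event handler {a} on <{name}>")
            elif a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")  # href or xlink:href
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    return not find_active_content(svg_bytes)


# Constructed samples (not the real Locky dropper): two script-bearing "images" and a plain drawing.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
  <script>window.location = "http://fake-video-site.invalid/";</script>
</svg>"""
JS_HREF_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:alert(1)"><text>click</text></a>
</svg>"""
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in [("malicious", MALICIOUS_SVG), ("js-href", JS_HREF_SVG), ("clean", CLEAN_SVG)]:
        print(label, find_active_content(doc) or "clean")
```

A complete filter would also restrict href targets on <use> and <image> (which can pull in another SVG), or simply serve user-supplied SVGs with Content-Disposition: attachment so the browser never renders them inline.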



Once installed, the extension gives the attackers the ability to alter your data on the websites you visit, and it takes advantage of the browser's access to your Facebook account to secretly message all your Facebook friends the same SVG image file.

The worst part is that, according to a malware researcher, the SVG file redirects to a malicious website which downloads a copy of the Locky ransomware onto the victim's PC.
In case you don't know what ransomware is: it is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files, unless a sum of money is paid to the attacker.

Locky is one of the most widespread ransomware families; it locks all files on a victim's computer with the RSA-2048 and AES-1024 encryption algorithms and does not unlock them until the ransom is paid to the attackers.

Remove the malicious extension immediately


If you have already installed one of the two malicious extensions, you can remove it as follows.

To remove the extension, go to Menu → More Tools → Extensions, find the extension and remove it.

Internet Safety program by Google and DSCI in Guwahati



A few days back I was invited by Google and the Data Security Council of India to their Internet Safety Program, which they organized at the Radisson Blu, Guwahati. It was the first event of its kind here in Guwahati. The Data Security Council of India (DSCI) is a not-for-profit organization set up by NASSCOM and focused exclusively on data security, cyber security and privacy protection.



There has been increasing attention to the MSME sector in the ‘Make-In-India’ initiative. There are 51 million SMEs in India. However, only 5 to 6 % of them are online. The country is witnessing a serious attempt to bring them online. It has been estimated that by 2017, 20 million of them would be online. Apart from online presence, these companies will be spending on IT products that include mobility, social media and cloud in order to increase their customer reach, manage customer relationships better, and ensure efficiency in operations. This drive to digitization is not immune from cyber security threats. Without due consideration to cyber security, the momentum of online and digitization would face serious hindrances. DSCI in partnership with Google India, hence, conceived a focused ‘Internet Safety Program’ for Micro, Small and Medium Enterprises (MSMEs).

Many people from both the government and business sectors were present. The event started with a welcome speech by Mr. Rahul Sharma, Senior Consultant, DSCI, who discussed why cyber security is important for people and companies.

Shri Mukesh Sahay, IPS, DGP, Assam Police, was the chief guest of the event. He discussed the various cyber security threats the state is facing and how the police and government are taking steps to solve these issues. He also shared a few case studies and the challenges they face.

Mr. Abhas Tripathi, Strategist, Google India, did a session on Internet safety. He showed how various organizations suffer when they are hacked and demonstrated how Google is helping organizations stay protected. We had a great question-and-answer session with him, where developers and startup founders cleared their doubts on various security and development related queries.

Dr. K.K. Dwivedi, IAS, IT Commissioner & Secretary, Assam, gave a talk on the various steps the government is taking in the field of security in the region. He discussed a few of his own experiences and the further steps the government is looking at.



We had a panel session on the topic "Development in the field of Internet safety & cyber security". There were 4 panelists:

1. Mr. Diganta Barman, Senior technical Director ,NIC
2. Mr. Indrajeet Bhuyan ( Me )
3. Dr. Ferdous Ahmed, Asst. Professor, IIIT Guwahati
4. Mr. Nirmal Baishya, Addl. SP, CID

It was a very informative session. Mr. Diganta Barman talked about how NIC is trying to secure government sites and the challenges they face. I mainly spoke about the barriers to development in the field of cyber security.

Most of the IT companies of Assam and the Northeast, like Zaloni, Zantrik, etc., and the technical institutes were present. A few people from NASSCOM, including east region head Nirupam Chaudhuri, were also present. Also, I got a job offer from NASSCOM.

It was a great learning experience. These days most cyber attacks target tier 2 and tier 3 cities, as people there are not aware of the issue and don't know how to protect themselves from these attacks.

I believe it is a good step by Google and DSCI that they did not neglect the Northeastern part of the country. I hope many more such events take place in future.

NoobSecToolkit V3 – A Security Students Playground



It is important to learn how to do things manually, but tools save time. NoobSecToolkit is a Python-based toolkit that brings together security and anonymity tools and scripts with predefined security configurations and modifications, making it very simple for students to get started with offensive security!


This third release of the toolkit includes the following options:

Toolkit Options:


  • (sqli)SQL Injector
  • (vulscan) Vulnerability Scanner
  • (dinfo) Gather Basic Domain Info
  • (apf) Admin Page Finder
  • (discover) Information Harvester
  • (hashtype) Identify Hash Type
  • (hexconv) Hex encoder and decoder!
  • (converters) Web Converters
  • (dping) DOS/Ping Target For 1,000 Seconds
  • (stegattack) Steghide Dictionary Attacker
  • (steghide) Install, Learn and Use Steghide
  • (uihanalysis) Intrusion Analysis (URL,IP,HASH)
  • *Options For Deploying an SSH Backdoor (COMING SOON)
  • (osint) aids in the process of information gathering
  • (toolbox) Extra Set of Tools

This toolkit also has various security options.

Security Options:


  • (macspoof) Spoof Mac Address
  • (itor) install Tor
  • (stor) Start Tor
  • (tors) Check Tor Status
  • (vpn) VPN Launcher (COMING SOON)
  • (encdns) Encrypt DNS
  • (quit) – (home) – (clear)-(update)






The kit features scripts for all sorts of tasks, including:
  • Vulnerability Scanner
  • SQL Injector
  • Domain Info
  • DNS Encryption
  • Admin Page Finder
  • VPN Downloader (provider is DOWN)
  • Tor Installer
  • Mac Address Spoofing

Install Instructions

The installation process is very easy and straightforward. Do the following to install it:

(1) CTRL + ALT + T (Open Terminal)
(2) git clone https://github.com/krintoxi/NoobSec-Toolkit.git
(3) cd NoobSecToolkit/NoobSec-Toolkit/
(4) python NSToolkit.py

How to Figure Out If You’re a Workaholic - by Wrike project management tools



Working hard at your job is important. Except when you feel compelled to do it all the time, to the detriment of your personal life and relationships. Then it becomes workaholism, which is an actual addiction and compulsive behavior. Here is a quick quiz to find out if you are on the road to becoming a workaholic.

Infographic brought to you by Wrike student collaboration tools
