BHIM app, highly vulnerable



Prime Minister Narendra Modi is pushing India towards a cashless economy, encouraging online and card transactions. An online transaction needs an internet connection, yet only 10 percent of people in India have internet access.

To overcome this problem, Narendra Modi recently launched BHIM (Bharat Interface for Money), which does not require an internet connection. The app is linked to your Aadhaar number.

The government's own first money transfer app has serious security flaws that could set back the cashless economy. Security researchers have found that an attacker can gain access to users' data with only some basic code.

“The BHIM app is written in a very amateur way and the entire code is unprotected, which means it can be easily downloaded and modified by anyone,” said Mumbai-based security expert Prashant Mali.

According to the researcher, to hack the BHIM app one only needs to download the app's .apk file and modify its code so that it stores the user's bank details as they are typed in, which gives the attacker full control over the account. Because the code is so easy to access and modify, a fake app can also be launched easily.

“The app also has SQL (Structured Query Language) injection vulnerability, using which hackers can extract bank account details easily,” Mali said. He also found that the app is highly vulnerable to a denial of service attack.

However, some experts believe that the app was written and launched in a great hurry, which left the developers no time to test for and fix vulnerabilities in the app.

Because of the Centre's push to adopt digital payment methods, many companies are launching apps without sufficient security testing, which has put users at great risk.

India sees massive rise in cybercrime post demonetisation

As many cyber-security experts predicted, cybercrime incidents in India have risen sharply since the demonetisation scheme.

A joint ASSOCHAM-PwC study reported 39,730 incidents of cybercrime in the first 10 months of 2016. During the same period, 3.2 million debit cards were compromised across the country when an ATM card hack hit Indian banks. The incidents were reported up to October by the Indian Computer Emergency Response Team (CERT-In) as part of a study titled ‘Securing the cashless economy’.

Highlighting the role of application programming interfaces (APIs), the study pointed to the risk of malware injection through such APIs and concluded that securing them is critical.

As many people were forced to use plastic money and mobile wallets for payments, hackers saw an opportunity and targeted many users. The study noted growth of more than 100% in mobile wallet app downloads and a 400% increase in wallet recharges.

The smartphone revolution has led to the emergence of e-commerce, m-commerce and other services, including app-based cab aggregators, which encourage digital payments for their services.

Cyber crime police also said that cyber fraud cases have increased steadily since December 12. "Now we are getting at least four cases of credit or debit card theft every week. Apart from these cases, we are also getting One-Time Password (OTP) frauds as well," said Raghuveer, ACP, cyber crime cell.

The cyber cops warned that cyber security incidents like phishing, scanning, website intrusions and defacements, virus code and denial of service attacks will continue to grow.

Cyber security companies such as Kaspersky Lab have also noted a spurt in programs and games carrying a modified virus strain or Trojan aimed at stealing credentials from more than 2,000 Android financial applications across 27 countries, including India.

ASSOCHAM also reported that the number of mobile frauds is expected to grow by 65% by 2017. Credit and debit card fraud cases top the charts of cyber crime and have increased six-fold over the last three years.

The body observed that data-encryption capability is unusual in mobile ransomware, most of which focuses on blocking the device rather than the data, which is often backed up to the cloud. During the initial infection process, the Faketoken Trojan demands administrator rights, permission to overlay other apps or to be the default SMS application, often leaving users with little or no choice but to comply. Among other things, these rights enable Faketoken to steal data, both directly, from contacts and files, and indirectly through phishing pages.

Cyber threats in India were once far less disruptive than they are now, and their ferocity will only increase in future.

Hence, efforts are needed to enhance cyber security as businesses and citizens embrace this new digital wave. More intelligent transaction monitoring, crisis response and recovery strategies, growing digital footprints and security awareness among all stakeholders will be needed for a secure cashless society.

Security assessment and testing will need to be embedded into the agile development life cycle. Agile security testing methods based on automation will have to be adopted. In many ways, a paradigm shift is needed in the way security testing is undertaken today.

Aadhaar Payment is more vulnerable than any digital mode

After the dust settled on the Indian government’s demonetisation scheme, discussion of the security of digital payment systems began doing the rounds.

One alternative to cash that the government has launched is Aadhaar-based payments, which could allow citizens to pay anytime, anywhere with the tap of a finger.

The Aadhaar-based payment system runs on the existing Aadhaar infrastructure through which a person’s biometrics are used to authenticate the user. Once authenticated, the user can transfer funds directly from one bank account to another without going through a mobile wallet or a card.

The payment system requires a smartphone, a working internet connection and a biometric authentication device with the merchant. The customer needn’t have a card or a phone as long as he or she has an Aadhaar-seeded bank account.

The system was developed by the National Payments Corporation of India, and Amitabh Kant, chief executive officer of the government policy think tank NITI Aayog, said that all cards and point-of-sale machines will become redundant in the country within two-and-a-half years as Aadhaar-based payments become popular.

The system is expected to launch in the next few months and will work through the government’s BHIM app.

There are fears that integrating biometrics with digital payments could prove to be a security headache. First, Aadhaar is not a fool-proof method of authentication, and identification failures are not uncommon. Building a payment system atop the Aadhaar system will simply carry over some of these vulnerabilities.

With the launch of this system, there could be transaction failures due to a biometric mismatch. Additionally, newer security threats may also emerge if the scope of Aadhaar is widened. These include identity theft if a person’s biometrics are compromised from the payment system, phishing attempts, and the difficulty in revoking access once biometric information is compromised.

Sunil Abraham, executive director of the Bangalore-based research organisation Center for Internet and Society (CIS), told BloombergQuint that a fingerprint can be duplicated by “the gummy finger method which requires some Fevicol or gum to duplicate someone’s fingerprint which can be enough to transact on someone’s behalf without them being there.”

Other vulnerability concerns include theft of personal information through devices used for Aadhaar identification.

To top it all, India does not have the laws needed to deal with a decentralised, biometrically authenticated mobile payments system. The minimal data security obligations under Section 43A of the Information Technology Act apply to the private sector; there is no law that applies to the government. So, if your identity is stolen, there is nowhere to go and report it.

All in all, a compromised smart card can be re-secured, unlike biometrics, which once stolen remain vulnerable for life.

Rudy Giuliani to defend US from hackers


Last week, on January 12, US president-elect Donald Trump named former New York City mayor Rudolph Giuliani head of a cybersecurity advisory group, and the decision was followed by an instant kerfuffle questioning his digital defense chops.

On January 10, Trump claimed he would soon assemble “some of the greatest computer minds anywhere in the world” to tackle the US government’s cybersecurity problem, but two days later he went the opposite way by hiring Giuliani.

Giuliani will coordinate “cybersecurity” issues between the federal government and the private sector.

Giuliani does not seem fit for the position, though, given his lack of knowledge of cybersecurity, which bodes poorly for hardening America’s infrastructure against attacks.

The former New York City Mayor originally aspired to the rank of Secretary of State as part of Trump's White House. Giuliani bowed out of the running last year when it became clear he would not land the one job he coveted.

Giuliani may be best remembered for helping to unify New York City in the aftermath of the September 11, 2001 attacks on the World Trade Center. He had personally chosen the World Trade Center to house New York’s emergency command center, even after it had been attacked by terrorists in 1993, overriding NYPD experts advised by the Secret Service. The command center itself was destroyed on 9/11, making it worthless in New York’s greatest emergency.

More recently, Giuliani has emerged as one of America’s fiercer voices in favor of more aggressive surveillance of Muslims. So it wasn’t a shock that he became one of candidate Trump’s most prominent early supporters, serving up a red-meat Republican convention speech and rushing to Trump’s side after October’s exposure of Trump’s notorious woman-groping tapes. Some observers expected Giuliani to get a plum cabinet role like Secretary of State or Homeland Security, but it didn’t happen.

Industry pros questioned Trump’s decision, noting that the website advertising Giuliani’s own security and crisis management consultancy, Giuliani Partners, had glaring vulnerabilities, including an expired cryptographic certificate, lack of encryption, an exposed remote login, outdated software and scripting languages, open server ports and Adobe Flash, a notoriously insecure piece of software. The site might as well have been a honeypot for hackers and was reportedly open even to SQL injection. As soon as computer sleuths took to Twitter to point out the site's shortcomings, it was taken down.

Appearing on Fox & Friends, a Fox News morning show, to reveal his appointment, Giuliani said that we basically don't have a cyber defense, which is actually true in some sense.

Italian siblings arrested for cyberattack

Italian police have arrested a nuclear engineer, Giulio Occhionero, 45, and his sister, Francesca Maria Occhionero, 49, for hacking into 18,000 high-profile email accounts, including that of the former Prime Minister.

Authorities suspect that the siblings may have ties to the Freemasons, because the malware used in the hack was called “Eye Pyramid,” believed to be a reference to the all-seeing eye of God, or Eye of Providence, a symbol typically associated with Freemasonry. The name of the software may also have been a play on his own surname – Occhionero means “black eye” in Italian.

The widespread cyber-attack compromised the communications of prominent Italian institutions and individuals, including two former Prime Ministers, Vatican cardinals, bank executives and other high-profile targets; prosecutors claim the information was used to conduct insider trading. Mario Draghi, president of the European Central Bank, was also among those targeted, as was former Prime Minister Matteo Renzi, who resigned in December last year after losing a constitutional reform referendum.


The attackers, who have dual residencies in London and Rome, are accused of spearphishing attacks that used malware to gain access to victims' email accounts, of illegally accessing classified information, and of breaching and intercepting information technology systems and data communications since 2012. The siblings were most recently living in Italy.

Vatican officials have not yet commented on the attack and it is yet unknown to what extent sensitive Vatican information may have been compromised.

There are indications the malware campaign may have been running from as early as 2008. In total, just under 1,800 passwords were allegedly captured by the Occhionero siblings, who exfiltrated around 87 gigabytes of data to servers in the United States.

Mr Occhionero, who had strong links to the Masonic movement, allegedly developed software that infected email accounts, enabling him to access the information. Several of the compromised accounts belonged to Masons.

Whether or not there are ties to the Masons, cyber security experts believe it is highly unlikely that the sibling pair acted alone.

The illegally accessed information was stored on servers in the United States, leading to an ongoing investigation with the assistance of the FBI’s cyberdivision. The stolen data has been seized by Italian police and the FBI.


Italian police believe the siblings used the stolen confidential information to make investments through a firm operated by Mr Occhionero, a nuclear engineer by profession.

Supreme Court issues notice to WhatsApp and Facebook over privacy policy


The Supreme Court of India has issued notices to the central government, the Telecom Regulatory Authority of India (TRAI), WhatsApp and Facebook over a plea seeking data privacy.

The petition was filed by two law students against WhatsApp's proposal to start sharing some user data with its parent company, Facebook.

The Delhi High Court had earlier dismissed the petition and refused to interfere in the matter. The apex court, however, has directed the companies to reply to the notices within two weeks.

"What is disturbing here is you want to continue using this private service and at the same time want to protect your privacy... You can choose not to avail of it [WhatsApp], you walk out of it,” Chief Justice of India J.S. Khehar said.

According to the petitioner, there are 157 million users on WhatsApp and Facebook.

Facebook and WhatsApp are not facing privacy questions in India alone; the European Union has also raised questions about Facebook's privacy policy.

Last month the European Union Commissioner, Margrethe Vestager, said that Facebook had misled the Commission about WhatsApp: "Companies are obliged to give the Commission accurate information during merger investigations... In this specific case, the Commission's preliminary view is that Facebook gave us incorrect or misleading information during the investigation into its acquisition of WhatsApp. Facebook now has the opportunity to respond."

Trump appoints a cybersecurity adviser whose own website is a mess


President-elect Donald Trump has nominated former New York mayor Rudolph W. Giuliani as an informal adviser on cybersecurity.

According to the presidential transition office, Trump's transition team will include Giuliani as a cyber security adviser.

"This is a rapidly evolving field both as to intrusions and solutions and it is critically important to get timely information from all sources," the transition team said in a statement.

"Mr. Giuliani was asked to initiate this process because of his long and very successful government career in law enforcement and his now sixteen years of work providing security solutions in the private sector," the statement continued.

Giuliani, CEO of his own cybersecurity consulting firm Giuliani Partners, will assist in finding solutions to cyber security issues and help the government tackle them.

Once he was named cyber security adviser, people started visiting his website, "www.giulianisecurity.com", and found that the site has little security of its own and is very vulnerable to attack.

The website runs on an old version of Joomla, a free, open-source content management system (CMS). It also uses an outdated version of the scripting language PHP, has an expired SSL certificate, runs on a 10-year-old version of the FreeBSD server OS and fails to follow other basic security practices.

A security researcher at Errata Security, Robert Graham said that Giuliani did not build the site himself; instead he "contracted with some generic web designer to put up a simple page with just some basic content."

"There's nothing on Giuliani's server worth hacking. The drama over his security, while an amazing joke, is actually meaningless," Graham said in a blog post. "All this tells us is that Verio/NTT.net is a crappy hosting provider, not that Giuliani has done anything wrong."

WhatsApp’s encrypted messages can be vulnerable to MITM attacks


This week, an article in the Guardian reported that WhatsApp’s encrypted messages are vulnerable to hacks. The way the messenger handles encryption keys leaves users open to man-in-the-middle (MITM) attacks, enabling third parties to tap their communications.

Last spring, WhatsApp announced that every message on its service is delivered with end-to-end encryption, meaning not even WhatsApp can tell what's inside.

In the MITM attack, an attacker who gains access to a WhatsApp server could forcibly reset the keys used to encrypt messages and install himself as a relay point, intercepting any future messages sent between the parties. The recipient would not be alerted to the change in keys, and the sender is alerted only if they have opted in to the app’s “Show security notifications” setting.

The underlying weakness has to do with alerts rather than cryptography. Although it shares the same underlying encryption, the Signal app by Open Whisper Systems is not vulnerable to the same attack: if the Signal client detects a new key, it blocks the message rather than risk sending it insecurely.

WhatsApp sends the message anyway, and since the key alert is off by default, most users would have no idea.

Under the Signal Protocol (also used for encrypted messaging in Google's Allo), each client is identified by a public key that is shared with other people and a private key held on the device. Because people change phones or uninstall and reinstall apps, the key pair can change. Users can ensure their communication is secure by comparing the security code displayed on each end; if the codes match, their messages are not subject to a MITM attack by a third party.
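The key-change handling described above, as an added example that is not WhatsApp's or Signal's code: a small Python model of trust-on-first-use key pinning in which someone controlling the server swaps a contact's identity key, run under the Signal-style "block on new key" policy and the WhatsApp-style "send anyway, notify only if opted in" policy, with an out-of-band security-code comparison to show that manual verification catches the swap. The random identity keys, the `security_code` layout and the `Client`/`Server` classes are constructed stand-ins, not the real protocol.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def new_identity_key() -> bytes:
    # Constructed stand-in for a Signal identity public key: 32 random bytes.
    return secrets.token_bytes(32)


def security_code(key_a: bytes, key_b: bytes) -> str:
    # Order-independent fingerprint over both parties' identity keys, the
    # analogue of the code each device displays for the users to compare.
    digest = hashlib.sha256(b"".join(sorted((key_a, key_b)))).hexdigest()
    return " ".join(digest[i:i + 5] for i in range(0, 30, 5))


@dataclass
class Client:
    name: str
    block_on_key_change: bool = False          # Signal behaviour
    show_security_notifications: bool = False  # WhatsApp opt-in setting
    identity_key: bytes = field(default_factory=new_identity_key)
    known_keys: dict = field(default_factory=dict)   # contact -> pinned key
    notifications: list = field(default_factory=list)

    def send(self, contact: str, key_from_server: bytes, body: str):
        """Encrypt `body` to the key the server says belongs to `contact`.

        Returns the outgoing message, or None if the client withheld it.
        Trust-on-first-use: the first key seen for a contact is pinned.
        """
        pinned = self.known_keys.get(contact)
        if pinned is None:
            self.known_keys[contact] = key_from_server
        elif pinned != key_from_server:
            if self.block_on_key_change:
                return None  # hold the message until the user re-verifies
            if self.show_security_notifications:
                self.notifications.append(f"{contact}'s security code changed")
            self.known_keys[contact] = key_from_server  # re-pin and carry on
        return {"to": contact, "encrypted_to": key_from_server, "body": body}


class Server:
    """Key directory; `mitm_key`, when set, models an attacker with server access."""

    def __init__(self):
        self.directory = {}
        self.mitm_key = None

    def register(self, client: Client):
        self.directory[client.name] = client.identity_key

    def lookup(self, name: str) -> bytes:
        return self.mitm_key if self.mitm_key is not None else self.directory[name]


def simulate(block_on_key_change: bool, show_security_notifications: bool) -> dict:
    """Alice messages Bob, the server then swaps Bob's key, Alice messages again."""
    server = Server()
    alice = Client("alice", block_on_key_change, show_security_notifications)
    bob = Client("bob")
    server.register(alice)
    server.register(bob)
    first = alice.send("bob", server.lookup("bob"), "hello")
    server.mitm_key = new_identity_key()  # forced key reset by whoever controls the server
    second = alice.send("bob", server.lookup("bob"), "account number follows")
    # What each device would display if the two users compared codes out of band.
    alice_view = security_code(alice.identity_key, alice.known_keys["bob"])
    bob_view = security_code(bob.identity_key, alice.identity_key)
    return {
        "first_delivered": first is not None,
        "second_delivered": second is not None,
        "encrypted_to_attacker": second is not None and second["encrypted_to"] == server.mitm_key,
        "user_notified": bool(alice.notifications),
        "codes_match": alice_view == bob_view,
    }


if __name__ == "__main__":
    for policy in [(False, False), (False, True), (True, False)]:
        print(policy, simulate(*policy))
```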

Few criminals could exploit the attack, since it requires server access, but an unusually skilled attacker might, and a court order could compel WhatsApp to break its own security.

The messenger was quick to push back against the allegation, saying that “WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor.” The WhatsApp team and the people who helped design the implementation defended the design decision, saying it does not put users at risk.

The bug reported in the article had long been known to security professionals, and there’s no evidence WhatsApp ever tried to conceal it. The persistence of the weakness shows how hard it is to balance security with the demands of everyday users.

The flaw has been described as a "security back door" by The Guardian and privacy campaigners but more sober voices have described it as a minor bug and criticised the media outlet for going over the top. A number of security professionals have chimed in to agree, including Frederic Jacobs, who helped design the protocol being used.

The vulnerabilities in key handling were first discovered by German computer scientist Tobias Boelter in April 2016. In his blog, Boelter blamed the bug on the use of closed-source software, rather than a deliberately inserted back door.

The Guardian raised the urgency of this flaw by pointing to the UK’s recently passed Investigatory Powers Bill, which gives the government significant new legal powers for aggressive data collection. But it would be very hard to use this vulnerability for mass surveillance. A successful attack would allow WhatsApp servers to break a given conversation’s encryption, but to provide data en masse to the government, the servers would have to perform that attack continuously on every conversation in the UK, sending out a cascade of alerts to anyone with security notifications enabled.

If WhatsApp were to leverage this bug to fulfil lawful access demands, the company would have to implement the attack continually on every user in the country, which would be extremely noisy and extremely visible. The end result wouldn’t be much different from shipping an update and announcing that the service is no longer encrypted.

For users, the most responsible thing to do is to turn on security notifications and check security codes regularly.

5,000 web databases hit in ransom attack

Cyber thieves have taken down thousands of web-based databases and are now seeking a ransom to restore the data.

Security researchers have found that attackers deleted MongoDB databases containing gigabytes of medical, payroll and other data.

The attack was possible because administrators had left the systems openly accessible from the internet.

The attackers wiped the systems and are now charging a few bitcoins to restore the data.

An ethical hacker who works with the Dutch government, Victor Gevers, was the first to notice the attacks targeting the databases.

According to the researcher, the attack started well before Christmas but accelerated after the holidays were over. The attackers used automated scanning tools to find the telltale signature of unsecured MongoDB systems.

Once the hackers identify a potential victim, they first check whether the database contains valuable data; if it does, they delete the data and replace it with a ransom note.

Mr. Gevers said, "I am being flooded with requests for help." There are expected to be more than 5,000 victims, including hospitals, small businesses and educational institutions.

Ransom fees range from 0.2 bitcoins (£155) to 0.5 bitcoins (£390).

St. Jude releases software update for heart devices


The Homeland Security Department warned Tuesday (January 10) about an unusual cybersecurity flaw for St. Jude Medical’s implantable heart devices which could allow hackers to remotely take control of a person’s defibrillator or pacemaker.

A day earlier, on Monday, the Food and Drug Administration also said that the Minnesota-based medical device company’s pacemakers, defibrillators and other heart devices may have put patients at risk. Thereafter, Abbott Laboratories (ABT.N) moved to protect patients with its St. Jude heart implants against possible cyber attacks by releasing a software patch that it said would reduce the "extremely low" chance of them being hacked. Information on the security flaw, identified by researchers at MedSec Holdings, was made public five months after the U.S. government launched a probe, and only after the software repair was made. The federal investigation into the problem started in August.

While no hacking has been reported, the concern over possible tampering is high enough that the FDA is issuing a warning about hacking threats. The devices contain configurable embedded computer systems with the potential for life-threatening hacks that could cause implanted devices to pace at dangerous rates or fail by draining their batteries.

The government advisory said security patches will be rolled out automatically over months to patients with a device transmitter at home, as long as it is plugged in and connected to the company’s network. The transmitters send heart device data back to medical professionals.

The FDA and DHS said that the software update addresses some, but not all, of the known cyber security problems in the heart devices. The update addresses the vulnerabilities that present the greatest risk to patients and prevents hackers from accessing the device.

MedSec CEO Justine Bone also tweeted that St. Jude’s software fix did not address all problems in the devices, including the ability to issue an unauthorized command to a cardiac implant from a device other than St. Jude's Merlin@home transmitter.

St. Jude spokeswoman Candace Steele Flippin said:

"St. Jude Medical has worked with, and continues to work with, the FDA and DHS to update and improve the security of our technology."

The FDA also showed support for fixing the vulnerabilities. In an email to Motherboard, St. Jude said that it would implement updates to its devices in 2017 to ensure patient safety. St. Jude’s devices treat dangerous irregular heart rhythms that can cause cardiac failure or arrest. The devices are implanted under the skin and connected to the heart via insulated wires. They work with the Merlin@home transmitter, which sends a patient's information to their doctor. The FDA warned that hackers could exploit the transmitter and "modify programming commands to the implanted device." The implanted device itself is no less at risk.

The FDA’s review is ongoing.

Meanwhile, patients who use the transmitter are encouraged to continue a normal routine of checkups with their healthcare provider. The FDA said that the benefits of continuing treatment outweighed cyber risks.

As more and more medical devices are connected to the internet, they become vulnerable to hackers who could endanger a person's life by changing the heart rate, administering shocks, or even depleting the battery.