I too Intended to join a Security NGO (period) and I was proved wrong.

I too Intended to join a Security NGO (period) and I was proved wrong.

I came to know about HANS when one of my friends joined it,and eventually I was interested. Hence I thought some research shall suffice before joining one.
PS : bear with me, I am on my android and my thumbs hurt :| Also, in some places, the formatting might not be correct, android blogging issues .
I actually visited their site http://www.indianhans.org had a look at it and found that it had -

  1. A non working Facebook login api system which actually logs you out when you do try to log in, tested it on chrome 14.0.835.163 m / Windows 7 (office PC after hours). Also, a flawed login system that allows you to login inside the side without email confirmation, also PHP code is vulnerable.
  2. Some outdated references to outdated CVE's and nothing of particular interest.
  3. Some 0days which have been patched up long time ago
  4. Whitepapers that on google hacking and mobiles which have been published like wildfire in late 2000's, again nothing of particular interest here
  5. The "Team" that comprises less of experts and more of management folks. No one with any background of security here.
  6. Link to Indian HANS youtube channel.
  7. Pretty crap and old flash games about hacking. LAME !
  8. Backtrack introduction (mainly) and no technical tutorials in short
  9. Zero original research.

Disillusioned,  I wrote a mail to Indian HANS team and  queried Indian HANS team regarding the services they provide and what they do -
Subject : Queries for Indian Hans team from a Security Enthusiastic
Dear Indian HANS Team,

I have some queries which I would like to be answered -
  • What is the ultimate motive of HANS ? Are you consultants ? If YES then on what grounds ? If NO, then ,
Can you provide links to your -
  • Original research
  • ORIGINAL technical advisories/papers
  • Tools that you wrote
  • Code that you released
  • Configurations of exotic software
  • Exploits and modules
  • 0day/0hour vulnerabilities
  • Vulnerabilities what you found
  • Cases of complexity that were solved
  • CVE
  • Documentation of exploits 
  • Original findings
  • Which fellow infosec researchers are working at HANS? All i found was more of management guys (seriously?) volunteers,executives,technical experts,naive girls,inexperienced folks but no security folks or self confessed hackers with known security experience and expertise.
  • What is the symbiotic influence of joining Indian Hans ? Or Why SHALL we join HANS ?
--
Warm Regards,

Rishabh Dangwal
Network Security Analyst
TheProhack.com | Rish.co.in
India

"0x72697368 was here, 2620796f75206172652077617374696e6720796f75722074696d65202e2e2064756d62617373"

 and waited.
 A day passed and the reply came.

Subject : reply to an abuse mail

Warm Greets,

First of all I would like to say thanks, for being so concerned about our organization.

Following are the thoughts I would like to share about our organization.

1)      Our motive is to fill the gap between the cyber victims and the security experts, as many times we felt that in spite of  availability to many security experts in market still victims are not able to get there answers.
2)      Yes, we are consultants/Knowledge Sharers as we guide the common measures to cyber victims and government bodies [maharasthra/Punjab police]such that they can overcome a cyber crime rate.
3)      I have written 2 International Papers :
·        In response to Google Hacking
·        Future Email Security

And 2 national papers:
·        Mobile Security and upcoming challenges
·        Acknowledgement based System for Mobile Security.
4)      I have not written any security tool/configurations yet But, I write other Business applications for Accenture as an Associate Software Engineer.
5)      We have solved numerous cases  which deals with daily cyber problems including ATM cloning case [chandigarh], Source code theft case [Pune], Abuse email, fake profiles, email threatening and other hundreds.  www.youtube.com/theindianhans
6)      Ya, you are right 90% of our Organization members have managerial skills, because we strongly believe that having only technical knowledge is not enough to cease the cyber crime rate, because solving a cyber crime is thinking out of the box process.
7)      Joining a HANS, shows your commitment towards our society, that you have a zeal to help others with your knowledge and skills.


I also wish to bring to your notice without hurting your ego and sentiments that,

We are not competitors of any private owned body who work only for money. Many times we get such mails which prove that really HANS is doing a greats job. These kinds of mails show our Power of being united and our influence on other private organization. It is my humble requests kindly don’t compare our NGO with other private organizations as our motto is different. we don’t believe in writing the viruses, exploits, tools and other stuff because these things wont help a common man who is not IT literate, to overcome a cyber problem. I wont ask you same the questions as I have nothing to do with same.  I hope I have given your answers without hurting you and your team members feelings. I highly apologize if I did so.

Thanks

Happy Hacking

HANS TEAM.
Now that was interesting, my mail has been treated as an abuse email, well..nevermind. A rather to-the-point approach may be confused with that. Well, what they said -

1)      Our motive is to fill the gap between the cyber victims and the security experts, as many times we felt that in spite of  availability to many security experts in market still victims are not able to get there answers.2)      Yes, we are consultants/Knowledge Sharers as we guide the common measures to cyber victims and government bodies [maharasthra/Punjab police]such that they can overcome a cyber crime rate. I actually expected that HANS shall justify itself as a for-profit/not-for-profit organisation and why it requires money to join it when the elite organisations for example Null is a self sustained, free and aimed at the very thing HANS intends to achieve. helping naive people ? Ofcourse..thats why a lot of organisations has been growing like mushrooms (kaizen ?) and making money from it by joining it.  The core thing is that i am 100% sure that volunteers / infosec reserachers wont learn anything new and will waste their time here.
moving on ,

3)      I have written 2 International Papers :·In response to Google Hacking·Future Email Security And 2 national papers:·Mobile Security and upcoming challenges·Acknowledgement based System for Mobile Security.Great..i disregard them as recycled content, already checked it. 4)      I have not written any security tool/configurations yet But, I write other Business applications for Accenture as an Associate Software Engineer. that was fine with me.  5)      We have solved numerous cases  which deals with daily cyber problems including ATM cloning case [chandigarh], Source code theft case [Pune], Abuse email, fake profiles, email threatening and other hundreds.  www.youtube.com/theindianhansAgain, they have solved a lot of cases and hundreds , i would regard it as weasel terms. no journal on how they were solved, the method, instrumental techniques, research employed, tools/techniquies deployed, the collaboration, nothing covered, nothing said, just distorted videos at youtube. Again..no references to it. 6)      Ya, you are right 90% of our Organization members have managerial skills, because we strongly believe that having only technical knowledge is not enough to cease the cyber crime rate, because solving a cyber crime is thinking out of the box process.7)      Joining a HANS, shows your commitment towards our society, that you have a zeal to help others with your knowledge and skills.
How management can help decrease cybercrime rates is beyond me unless they really have the skills to get it in their heads. All aboard the failboat here.

I also wish to bring to your notice without hurting your ego and sentiments that,

We are not competitors of any private owned body who work only for money. Many times we get such mails which prove that really HANS is doing a greats job. These kinds of mails show our Power of being united and our influence on other private organization. It is my humble requests kindly don’t compare our NGO with other private organizations as our motto is different. we don’t believe in writing the viruses, exploits, tools and other stuff because these things wont help a common man who is not IT literate, to overcome a cyber problem. I wont ask you same the questions as I have nothing to do with same.  I hope I have given your answers without hurting you and your team members feelings. I highly apologize if I did so.

thats nice of you,and encouraging, but since you dont write viruses,exploits,0days or anything remotely related with it, then -

  • Why they are linked in your website at http://www.indianhans.org/index-4.html  ?
  • How do you decipher complex hack jobs them when most of your team is management one with no background of security

Anyways..i fired up my android and wrote a reply.

Subject  - Re: reply to an abuse mail
Dear Indian Hans,

The email was not an intended as an abuse email as indicated by your subject,  I would rather pass your defenses as plain excuses for hiding underlying incompetence since it requires Money to join and still no viable, updated information/code/application (as you said you develop it as associate software engineer for organisations , yet saying that you bridge the gap) , accurate information (I studied the Google hacking and mobile whitepaper, the stuff has been published before a million times, hence I would just regard it something to enhance resume) and would consider your organization nothing but a money making enterprise run by homebrew entrepreneurs without any credible research, what you solved in cases what nothing I shall say of technical callibre or "hacking ", its in more generic sense called as tech support for those who know nothing about cyber security,  while earning fame and money in the process.
I earlier thought to join it, hence inquired about it in a rather direct & to the point manner,but your response, links, references and treatment of it as an abuse email (?) makes me guess its in my best interest to stay away and convey the same to intended audience.
Stay superb

-sent from my android-

call me harsh, but that is the reality. And I am waiting for the reply. Now, I can say that I too Intended to join a Security NGO (period) and I now I am thinking otherwise.

Training on Unified Threat Management and Corporate Security

Training on Unified Threat Management and Corporate Security
A while back I gave training on UTM devices and Security Issues with Amarjit Singh at Tulip Telecom , here are the slides of the session. It was an enjoyable session with emphasis on security awareness and discussing network security as a whole, and how we can protect them by deploying UTM devices and configuring them for maximum security. You can also read my previous posts on Unified Threat management Systems if you haven't read them already -

  1. Unified Threat Management Systems Explained
  2. Unified Threat Management Systems - Single User vs Multi User
  3. Comparison of Unified Threat Management Products

Corporate Security Issues and countering them using Unified Threat Management Systems and SSL VPN


As usual , the presentation is uploaded at Slideshare and Scribd...Hope you enjoy it.