Monday, February 15, 2010

I Know What You Did Last Summer (Worked Guest Relations at ITC?)

Just saw an example of lax security implementations and an appalling lack of understanding of the nature of the Internet among Indian companies.

Check out the CSV files at this link for detailed email addresses, designations and other details of executives at some of India's best companies. We know this was extracted from a jobsite, like or, because of the "job site" specific fields. Each CSV has 20,000 records! is a brilliant website when it comes to matching your skills to great jobs. The nature of their service requires that we share our contact details, work life details and location details with them. For a spammer or scammer, all it takes is a simple tool to scrape through their pages and, voilà, they can build a valuable database of the Great Indian Middle Class. This working, web-friendly population is also the who's who of the most likely e-commerce users.

Unfortunately, and have no incentive to invest in stronger systems and processes that prevent their pages from becoming a watering hole where spammers can hunt without fear. There is neither loss of revenue nor any penalty being imposed. In most cases, it is impossible to even prove that the data was leaked from them. After every attack, our toothless regulators get busy chasing after phantom "cyber terrorists". In fact, amateur mistakes in the sites/pages being attacked are a large part of the problem.

They are not alone. Airtel, BSNL and Rediff are among the critical sites that reveal personal data without remorse. Frustratingly, their help desks do not even acknowledge this criminal negligence, so I've rarely succeeded in getting them to take it off. For me, it took little more than a Google search to spot these lapses. A penetration test may reveal more, especially around how they store our credit card data (in clear text? easily copied to an employee's USB disk? You'll be surprised!). If they have nothing to hide, they must make the results of such tests public.

The way things are, the law punishes anyone who exposes criminal security holes in corporate infrastructure (the ethical hackers) while letting the offending corporation go scot-free. To add insult to injury, the Flashwala website is protected by another service called Privacy Protect. That means you cannot identify who is behind this abusive domain using
Once again, the criminals have all the "rights" :-)

Notwithstanding the number of "Do Not Disturb" registries you have subscribed to, those pesky calls (and worse, phishing attempts) won't stop till the legitimate keepers of sensitive data are forced to own some responsibility. Ironically, even the so-called "best Internet companies" believe their job ends at slapping together a few pages of HTML code to build a "website". In the absence of any effective regulatory and penal mechanism, they are as careful with our credit card and personal information as a monkey with a Swarovski vase.