Monday, February 15, 2010

I Know What You Did Last Summer (Worked Guest Relations at ITC?)

Just saw an example of lax security implementation and an appalling lack of understanding of the nature of the Internet among Indian companies.

Check out the CSV files at this link for detailed email addresses, designations and other details of executives at some of India's best companies. We know this was extracted from a job site, like naukri.com or timesjobs.com, because of the job-site-specific fields. Each CSV has 20,000 records!

naukri.com is a brilliant website when it comes to matching your skills to great jobs. The nature of their service requires that we share our contact details, work-life details and location details with them. For a spammer or scammer, all it takes is an easy tool to scrape through their pages and voilà, they can build a valuable database of the Great Indian Middle Class. This working, web-friendly population is also the who's who of the most likely e-commerce users.

Unfortunately, timesjobs.com and naukri.com have no incentive to invest in stronger systems and processes that prevent their pages from becoming a watering hole where spammers can hunt without fear. There is neither loss of revenue nor any penalty being imposed. In most cases, it is impossible to even prove that the data was leaked from them. After every attack, our toothless regulators get busy chasing after phantom "cyber terrorists". In fact, amateur mistakes in the sites/pages being attacked are a large part of the problem.
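The kind of system the two paragraphs above say the job sites have no incentive to build is not exotic: a bulk scrape of profile pages stands out in an ordinary web server access log as one client walking through many distinct profiles in a short time. The following is an added example in Python, not code from the original post or from any job site; the log lines are constructed, and the `/profile/<id>` URL layout, the 60-second window and the threshold of 30 distinct profiles are assumptions about a hypothetical site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format line, e.g.
# 203.0.113.7 - - [15/Feb/2010:10:00:01 +0530] "GET /profile/1001 HTTP/1.1" 200 5120
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed (hypothetical) URL layout of the job site's candidate pages.
PROFILE_RE = re.compile(r'^/profile/(?P<id>\d+)$')
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


def parse_profile_hit(line):
    """Return (ip, timestamp, profile_id) for a profile-page request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PROFILE_RE.match(m.group('path'))
    if not p:
        return None
    return m.group('ip'), datetime.strptime(m.group('ts'), TS_FMT), p.group('id')


def find_scrapers(lines, window_seconds=60, max_distinct_profiles=30):
    """Flag client IPs that viewed too many *distinct* profiles inside any
    sliding window. Lines must be in chronological order per client, as they
    are in a log file. Returns {ip: peak distinct profiles in one window}
    for flagged IPs only; a visitor reloading one page is never flagged."""
    recent = defaultdict(deque)   # ip -> (timestamp, profile_id) inside the window
    peak = defaultdict(int)
    for line in lines:
        hit = parse_profile_hit(line)
        if hit is None:
            continue
        ip, ts, pid = hit
        q = recent[ip]
        q.append((ts, pid))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = len({p for _, p in q})
        peak[ip] = max(peak[ip], distinct)
    return {ip: n for ip, n in peak.items() if n >= max_distinct_profiles}


def _constructed_line(ip, second, path):
    """Build one constructed CLF line at 10:MM:SS on 15/Feb/2010 (sample data)."""
    ts = f'15/Feb/2010:10:{second // 60:02d}:{second % 60:02d} +0530'
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120'


# Constructed sample traffic: one client walking 50 sequential profile IDs in
# 50 seconds (a scraper), one client browsing three pages over several minutes.
SAMPLE_LOG = [_constructed_line('203.0.113.7', i, f'/profile/{1000 + i}') for i in range(50)]
SAMPLE_LOG += [
    _constructed_line('198.51.100.4', 5, '/profile/2001'),
    _constructed_line('198.51.100.4', 130, '/search?q=java'),
    _constructed_line('198.51.100.4', 400, '/profile/2002'),
]

if __name__ == '__main__':
    print(find_scrapers(SAMPLE_LOG))   # {'203.0.113.7': 50}
```

Counting distinct profile IDs rather than raw requests is what separates a scraper from a recruiter who refreshes one candidate page repeatedly; in production the same logic would run over a log tail or the site's request middleware and feed a rate limit or CAPTCHA step for the flagged client.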

They are not alone. Airtel, BSNL and Rediff are among critical sites that reveal personal data without remorse. Frustratingly, their help desks do not even acknowledge this criminal negligence, so I've rarely succeeded in getting them to take it off. For me, it took little more than a Google search to spot these lapses. A penetration test may reveal more, especially around how they store our credit card data (in clear text? easily copied to an employee's USB disk? You'll be surprised!). If they have nothing to hide, they must make the results of such tests public.

The way things are, the law punishes anyone who exposes criminal security holes in corporate infrastructure (the ethical hackers) while letting the offending corporation go scot-free. To add insult to injury, the Flashwala website is protected by another service called Privacy Protect. That means you cannot identify who is behind this abusive domain using WhoIs.com. Once again, the criminals have all the "rights" :-)

Notwithstanding the number of "Do Not Disturb" registries you subscribed to, those pesky calls (and worse, phishing attempts) won't stop till the legitimate keepers of sensitive data are forced to own some responsibility. Ironically, even the so-called "best Internet companies" believe their job ends at slapping together a few pages of HTML code to build a "website". In the absence of any effective regulatory and penal mechanism, they are as careful with our credit card and personal information as a monkey with a Swarovski vase.

5 comments:

Prashant said...

Sad to hear the details you mentioned. About telecom companies, you can always send an email to the "Nodal Officer" for the concerned telco (e.g. the contact details for the Nodal Officer for BSNL can be found on their website). The Nodal Officer is a designate of the TRAI, and therefore there is more probability of action being taken against such negligence.

Good luck.
- Prashant

Momo's Ma said...

buddy.. it's here.. tag time..

http://momotales.blogspot.com/2010/03/7-chosen-number-or-what.html

Sandeep said...

Good one! I recently faced a similar case where, at a 4* hotel at Lavasa, at the time of booking the call centre lady (Sr. Customer Executive!) took my credit card details. Later, when they sent me the booking confirmation, the email had all my CC details in it, and the email was copied to a few other people in the hotel (who knows who!). When I called and told the Sr. Customer Executive that this is not good practice (polite way!) to send CC details in email (they can always mask the first 12 chars!), she did not get what I said; even the so-called Customer Relationship Manager also did not get it! I also hate the websites which send forgotten passwords in email as they are!
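The masking Sandeep describes, keeping only the last four digits, is easy to apply at the point where a confirmation e-mail is generated. The following is an added example in Python that is not from the post or its commenters; the e-mail body is constructed, 4111 1111 1111 1111 is a well-known test card number rather than a real account, and the Luhn check is used so that other long numbers in the message (a booking reference, a phone number) are left readable.

```python
import re

# Candidate card number: 13-19 digits, optionally grouped by spaces or dashes,
# not glued to other digits on either side.
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_ok(digits):
    """Luhn checksum: true for every real card number, false for most other
    long numeric strings (booking references, phone numbers, invoice ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text, keep_last=4):
    """Replace every Luhn-valid card number in text with asterisks, keeping
    the grouping characters and only the last `keep_last` digits."""
    def repl(m):
        raw = m.group(0)
        digits = re.sub(r'\D', '', raw)
        if not luhn_ok(digits):
            return raw                       # not a card number, leave it alone
        masked = iter('*' * (len(digits) - keep_last) + digits[-keep_last:])
        return ''.join(next(masked) if c.isdigit() else c for c in raw)
    return PAN_RE.sub(repl, text)


# Constructed confirmation e-mail body (sample data, not a real message).
SAMPLE_EMAIL = (
    "Dear guest, booking ref 1234567890123 is confirmed.\n"
    "Paid with card 4111 1111 1111 1111, expiry 12/12.\n"
    "Contact: +91 98765 43210"
)

if __name__ == '__main__':
    print(mask_pans(SAMPLE_EMAIL))
```

Running it on the sample prints the booking reference and phone number unchanged and the card line as `Paid with card **** **** **** 1111, expiry 12/12.`; the same function sits naturally in front of any outbound mail or log writer, so a full card number never leaves the booking system even when a staff member copies the message to colleagues.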

chaos said...

I went to the files...
and thankfully the data is the same in all the files...
but yes, the question remains... data so loosely available...

megha said...

I had faced some of the same problems.. for solutions you can post blogs like these through our site, which is related to mothers, including parenting, pregnancy, beauty, health, education... We would like to contact you but we can't get your mail id. I would like to promote my blog through your blog; please contact me through my mail id. For further details check www.chennaimomsinfo@gmail.com