• > As recently seen with Intel, there seems to be a trend where developers will do this pointless client-side decryption. When the client has the key, it’s strange that anyone would think that would be secure.

    I stay and work in India. Yesterday, as part of a VAPT audit by a third party auditor, the auditors "recommended" that we do exactly this. I wonder if this directive comes as part of some outdated cyber security guidelines that are passed around here? Not entirely sure.

    When I asked them about how I'd pass the secret to the client to do the client side encryption/decryption without that key being accessible to someone who is able to MITM intercept our HTTPS only API calls anyway, the guy basically couldn't understand my question and fumbled around in his 'Burp' suite pointing exasperatedly to how he is able to see the JSON body in POST requests.

    Most of the security people we've met here, from what I can tell, are really clueless. Internally, we call these guys "burp babies" (worse than "script kiddies") who just seem to know how to follow some cookie cutter instructions on using the Burp suite.

    • I am a pretty cookie cutter developer. We just make glorified CRUDs and I have tried to convince the engineering director hundreds of times that "There is no use of encrypting and decrypting localstorage with a key that's sitting right inside the client code." Yet they keep insisting on it in the code-quality checklist.
      • I guess they think it results in some kind of security by obscurity... Maybe ward off lazy beginner hackers..
    • Assuming that you've been mitm'd is a different violation of trust. And when you break your own assumptions, well of course nothing makes sense. Were I the burp baby, I would've asked why you think we should not defend against literally any other side channel because maybe they broke TLS.
    • You’re right, of course, but this reminds me of when Chrome didn’t obscure your passwords when looking at its autofill settings. The developers argued that it would just be security by obscurity -- if somebody has access to your computer when it’s unlocked, they can do anything they want, so obscuring your passwords does nothing.

      The counter-argument is, even if it’s not perfectly secure, that extra bit of friction before you can see the passwords is useful, and may just save your bacon if a casual thief has access to your computer for a few seconds.

      The Chrome team eventually saw sense and added some client-side password protection.

      As long as you don’t only have client-side protections, of course (and maybe your clueless auditors were making that mistake).

      • He's definitely wrong. If you want to see why this is wrong you should look at what Kaspersky had to do to unravel Operation Triangulation. They did, eventually, succeed but the absolute nightmare they went through should simply inform you why it's a good thing.
    • Appreciate the insight!
    • lmao

      burp suite babies is crazy work

  • Related: Jaguar Land Rover hack cost UK economy an estimated $2.5 billion, report says: https://news.ycombinator.com/item?id=45668008

    The 'tech' for both these is by guess who? TCS!

    Edit: For those who don't know the relation: Tata[1] is a conglomerate which owns both Tata Motors (Jaguar, Land Rover) and also TCS (Tata Consultancy Services)

    [1] https://en.wikipedia.org/wiki/Tata_Group

    • TCS also contracts for Marks & Spencer, and the Co-op, both of which were also taken offline by hacking earlier this year.
      • Note that M&S dropped TCS in July following the recovery. https://www.ft.com/content/289ec371-2ed4-425a-9bd0-c34e6db39... and elsewhere.
        • > M&S chair, told MPs that hackers had used “sophisticated impersonation” to gain entry “involving a third party.”

          20 bucks says this sophisticated impersonation was social engineering a $5/hour outsourced customer support employee

          > The attack is expected to lower operating profits by up to £300mn this year.

          that's not counting the reputation and brand damage. M&S is seen as a premium retailer and this whole hack made them seem utterly incompetent and unreliable

          > had decided to opt for another service provider after the process had completed

          I wonder where this other provider is based. I think I'm gonna place another 20 bucks on this.

          > The retailer continues to use the Indian group for other services.

          lol.

          • I doubt many people shopping for a sandwich and an unfashionable suit will be thinking about the M&S hack.
          • > M&S is seen as a premium retailer and this whole hack made them seem utterly incompetent and unreliable

            Hiring TCS to begin with made them seem utterly incompetent and unreliable.

            Let them fail and be a warning to other companies trying to cheap out on IT.

          • >20 bucks says this sophisticated impersonation was social engineering a $5/hour outsourced customer support employee

            0 bucks says this below list of data breaches is much much more devastating. 0 bucks, because I don't have to bet on it, unlike you, because it's true:

            >https://en.wikipedia.org/wiki/List_of_data_breaches

            >This is a list of reports about data breaches, using data compiled from various sources, including press reports, government news releases, and mainstream news articles. The list includes those involving the theft or compromise of 30,000 or more records, although many smaller breaches occur continually. Breaches of large organizations where the number of records is still unknown are also listed. In addition, the various methods used in the breaches are listed, with hacking being the most common.

            >Most reported breaches are in North America, at least in part because of relatively strict disclosure laws in North American countries.[citation needed] 95% of data breaches come from government, retail, or technology industries.[1] It is estimated that the average cost of a data breach will be over $150 million by 2020, with the global annual cost forecast to be $2.1 trillion.[2][3] As a result of data breaches, it is estimated that in first half of 2018 alone, about 4.5 billion records were exposed.[4] In 2019, a collection of 2.7 billion identity records, consisting of 774 million unique email addresses and 21 million unique passwords, was posted on the web for sale.[5] In January 2024, a data breach dubbed the "mother of all breaches" was uncovered.[6] Over 26 billion records, including some from Twitter, Adobe, Canva, LinkedIn, and Dropbox, were found in the database.[7][8] No organization immediately claimed responsibility.[9]

            >In August 2024, one of the largest data security breaches was revealed. It involved the background check databroker, National Public Data and exposed the personal information of nearly 3 billion people.[10]

          • >that's not counting the reputation and brand damage. M&S is seen as a premium retailer and this whole hack made them seem utterly incompetent and unreliable

            >>The retailer continues to use the Indian group for other services.

            >lol.

            >is seen

            lol. A lot of things are seen as blah blah. Doesn't mean they are blah blah.

            Google is seen as a world leading tech company. Yet see how HNers regard them (except those desperate for FAANG salaries).

            If they hired their vendors without due diligence, they may be incompetent and unreliable themselves. On the other hand:

            >> M&S chair, told MPs that hackers had used “sophisticated impersonation” to gain entry “involving a third party.”

            If the impersonation was sophisticated, maybe it was not so much the fault of TCS?

            If it was a Western company, would you talk / think the same?

            Nahi. Non. Nein. Nyet. Nada.

            lol.

      • At what point is it more believable that these are inside jobs done on purpose vs. incompetence? I guess that’s just Hanlon’s Razor though.
        • Based on my experience working alongside TCS, incompetence seems far more likely. If we'd asked for a back door, we'd have gotten a solid wall.

          Then again, my experience may have left me a little jaded.

        • It's perfectly believable. Whether it is more believable or not is a toss up. If you employ such a large number of people there are bound to be a couple of bad apples, and unless you have very good internal processes and monitoring it isn't all that hard to imagine someone doing something they shouldn't be doing. But absent hard evidence that it happened that way, it is interesting speculation but no more than that. Besides, it can be impossible to distinguish between the two even if you have evidence of an inside job that looks like incompetence!
        • I have heard there is a growing trend of hackers paying kickbacks to insiders; it certainly makes hacking easier.
          • Having worked with Indian consultancy firms for over 10 years, I can safely say security attitudes and practices haven't changed much.

            There's always this culture of taking shortcuts at the expense of security and quality.

            • The challenge is this though: companies that are outsourcing to these consultancy firms put them against each other in RFPs that incentivise whatever behaviour can get them to the lowest bid.

              Inevitably quality suffers. Until customers start awarding business based on something other than the number at the bottom, this kind of thing will continue.

            • One of the problems with incompetence, of which there are many, is that it gives bad actors space to operate. From a security point of view I don’t think the distinction matters all that much.

              That said, the situations I’ve heard about were from affiliate ransomware attacks that didn’t make the news because the backup worked. It’s difficult to keep things secure from highly motivated internal bad actors. I’ve been told it’s an increasing trend but have not heard much about it publicly.

        • When you pay your support employees so little, it's not difficult for someone from a wealthier place to bribe them.
    • Very realistically, why shouldn't these developers be replaced by AI? The anti-AI argument I've always seen here is that AI is bad at security. But human developers at orgs like TCS don't seem...any better?
      • The issue with folks like TCS is organizational. They don’t have to be this terrible, they intentionally structure what they are doing so their end product is terrible this way.

        And people hire them and pay them for it!

        The real issue is the last part. It’s why they can also get away with what they do.

        Maybe they’ll replace their line devs with AI, but Indian devs are pretty cheap and are much more satisfying to yell at by Indian managers, so….

  • > October 23, 2023: They confirm receipt and are working on taking action. After this date and up until January 2, 2024, there were various back and forth emails trying to get Tata Motors to revoke the AWS keys. I am not sure if something was lost in translation, but it took a lot of pestering and specific instructions to get it done.

    Wow, they had to go out of their way and plead with Tata Motors to fix their own shit. I can only admire their patience. Can't say I would be that patient.

  • The fact that they put their AWS secret keys on their website is incredible.
    • The fact that it's nicely commented is even more so. Check out the other environment configs commented out, are they doing this by hand? Wild.
    • Even more importantly, why do the root keys expose EVERYTHING? Do they just have one account for all of their infra?
    • That’s exactly the kind of work I’d expect from TCS, I’m not sure why you are surprised.
    • Sending it with AES encryption (with the key that the client has access to) makes it even worse, as someone knew this shouldn't be shared with the client yet they shared it anyway.
    • If you’ve ever worked with Indian outsourcing firms it’s not
  • Security for most Indian companies - even conglomerates - is a joke.

    Look at the websites - most look like they've not been upgraded since the 90s, with endless popups

    • The customer portal of India's largest insurer with a marketcap of $63B has literally not changed even once in the 14 years that I've been using it to pay my policy premiums
    • It's a side effect of pay. Like every other company, you get what you pay for, and for organizations that view web security as a [edit:] Cost Center (eg. Tata Motors) there's no incentive to pay market rate for a Security Engineer - who in India can now demand $60k-100k TCs.

      Heck, firms that provide offensive security capabilities to Indian PDs can pay $40k-50k after poaching a junior pentester or exploit developer from a PD.

      • I understand why someone might think this is a pay issue, but it goes beyond that.

        Culturally, doing something "well" (quality oriented, mindful of end-users) vs. "got it done" (transactional, pragmatic way of looking at things) is the heart of why outsourcing to many different geographical areas (India included) often results in something different than expected.

        Also, condemning everyone in one part of the world as thinking one way is certainly not fair or true, but there are definitely unmistakable trends.

        • I don't think there's much culture when the population is just overloaded with work and traffic and stress
          • It's absolutely the culture, "Chalta Hai" attitude is the culture. (Take it easy, let it go)
            • Cyber insurance or the threat of litigation after facing a severe breach will be the biggest driver for better security outcomes organizationally.

              For example, both Zerodha and Razorpay have cyber insurance and PhonePe and Paytm both cleaned house after major incidents years ago.

              It's also the same reason CapitalOne revamped security after the 2019 breach due to a misconfigured WAF.

              Essentially, only the risk of either litigation or inability to secure cyber liability insurance will motivate Tata Motors to better manage security. And based on the JLR incident and their inability to secure sufficient cyber insurance, I think Tata Motors will clean house internally.

        • Everyone is saying it’s about pay, but India is a low trust country (so far as large datasets saying as much can be trusted). Anecdotally I have heard the same from my expat friends as well.

          I’m not saying pay has no influence, but saying culture has no influence makes no sense. Even if it was all about pay, wealthy Indians choosing to hoard their wealth instead of distribute it (caste system, etc) is a cultural root for the pay problem. The two are so intertwined that it’s impossible to claim it’s black and white.

          The current western trend of outsourcing and/or importing labor is the real source of this issue. Western businesses care only for profit, so they employ cheap labor. Western culture is currently much more low trust than it was 50 years ago, and trending worse. If anything, I think culture is the more defining factor - pay is downstream of it.

          • Don't want to get into low quality generalizations in your post except to note that a casual Google search will show you that Tata group is one of the most philanthropically oriented groups. Which of course, doesn't excuse this issue.
        • Because it is about pay.

          For example, most of the security portfolio that GCP provides is developed and product managed out of the Google Hyderabad office, as is a fairly major Israeli CNAPP product that starts with "A", a large CNAPP from a public Israeli-American security company that is directly positioned against Wiz, and a major security vuln mgmt and redteaming tool used by the DoD, GitHub, and Google. But all these employers pay $60k-130k TC for mid-career security professionals in India.

          We scoop up anyone who is remotely competent at transnational firms or startups because we can afford to pay Western salaries, and traditional conglomerates in India largely do not care about web exploits unless they are a web platform first and foremost.

          Tata Motors - being an automotive company - does not care about web development for the same reason GM doesn't as well: it isn't tangibly connected to revenue generation. As such, they will just contract it out to TCS (a Tata Group company, but both are independent of each other) at the lowest contract rate possible.

        • Pay should reward doing something well vs merely doing something. Of course, this would generally mean you need to pay more than the competitor which will happily pay for merely doing something. So yes it is about pay.
          • Also, Indian companies are competing with American and Israeli founded or funded companies and startups for the same talent.

            If you are competent, instead of earning $15k TC working for an automotive company, you could demand $40k-70k in TC from an MNC or a well funded startup (assuming you have the skills to back it up) - and those are the numbers my portfolio companies use to target hiring in India, as well as what I used previously before I became a VC.

            • Western companies have the exact same problem though; I've dealt with plenty of incompetent people there too because the organization does not reward technical excellence and quality, so it is completely pragmatic for employees to focus their time on the things that are rewarded (engaging in politics, etc) instead.

              During the startup/ZIRP era there might have been people doing the "right" thing because they had skin in the game thanks to stock options or they were paid just so fucking much that they didn't care about putting in the extra work. But as total comps go downward (coupled with inflation) the output's quality tends to regress to the minimum acceptable.

              • > I've dealt with plenty of incompetent people there too because the organization does not reward technical excellence and quality

                Organizational dysfunction transcends all boundaries, but to a certain extent the kind of issues that lead to the kind of incident such as the one above happen because the affected product (e-Dukaan) is viewed as a cost center by Tata Motors.

                Sadly, in most cases, a lot of security will always be viewed as a cost center and never prioritized unless forced to due to insurance, audit, or regulatory pressure.

                That said, a thesis I've had for a couple years now is that if we can successfully shift-left by turning security into a DevTool problem as well as an organizational problem, we can both reduce remediation time as well as build stickiness for security products. The AppSec category has definitely adopted this kind of mindset.

        • It is about pay. If you don’t have someone working on 5 different items continuously straining their bandwidth they tend to do better work.
        • That culture at WITCH and WITCH-adjacent companies is itself a result of the pay.
      • Sorry to be pedantic but I think you mean 'cost center', not loss leader (something sold at a loss to attract customers into your ecosystem/store). You are entirely right otherwise.
        • Doh! You are correct! Crossed wires during a meeting
      • > $60k-100k TC

        Really? I think your numbers for the local market are overestimated.

        • For our portfolio companies, we are fine paying for quality instead of quantity.

          Giving a Rs 60-80 lakh TC offer in BLR or HYD makes it easier to identify and hire good talent, and ik peer security firms (private and public) that are product first are offering similar TC offers in BLR, HYD, and NCR.

          On top of that, there has been a reverse brain drain going on since the COVID layoffs in early 2020, so if we want to poach good talent that returned to India from the US, we need to be able to offer Western salaries, otherwise they'd either decide to help their former employer open a GCC or they'd start their own startup.

          Realistically, I'd say a $35k-60k TC offer gets you the 50 to 75th percentile in talent in much of India for security, but most product-first companies tend to hire for quality not quantity, and depending on size of FDI and the state, a company can get a $10k-20k per head subsidy which makes it easier to offer higher salaries without impacting our bottom line.

          That said, if you are being hired to be a SOC, a generic pentester, or a "detection engineer" you'd be lucky to break the $20k TC mark tbh, but the SOC-to-SWE or Pentester-to-SWE conversions have been our most successful ones because it's easier to build a product for security teams when your engineers were former security practitioners.

          That said, the salary pressures for getting good talent in India are high simply because we're competing with Google, Microsoft, Citadel, Nvidia, etc for similar kind of talent within India.

          Earning $70k-90k TC in Hyderabad or Bangalore is doable with 10 YoE if you have the right profile (the right jobs, work experience, track record, and luck). Heck, this is why companies like Zscaler have been hiring in Tier 1.5/2 cities like Pune or Chandigarh instead because you can get away with paying $35k-50k TCs for the kind of talent that would demand a $70k-90k TC in BLR or HYD.

    • > endless popups

      You get popups? What are you using to browse? IE5?

      I sometimes get 'this site is trying to open another window - allow / block?': answer is always 'No'.

  • This shouldn't be a surprise for anyone who has worked with TCS contractors in the past.
  • So the author got nothing but a thank you out of it? That's a shame.
    • At least there was a "thank you".

      Some go on to sue such researchers.

      • Yup, they said thank you and took action only because this was a US-based researcher. Had any Indian dared to do this they'd be in for a world of pain. Not through a lawsuit, but criminal charges.
    • Typical 'payout' for ""responsible"" disclosure.
  • This is a pessimistic comment.

    I'm a cofounder of a data and identity security startup operating specifically in APAC. Data security in India is a joke.

    I would argue even with DPDPA, RBI C-Site and cyber resilience framework from SEBI, it is just going to not happen here.

    The list of PAN cards the blog is talking about is probably already leaked by some other services.

    The recent Flipkart cash on delivery scams [1] are an example of how your personal information is just out there in the wild in India, open for exploitation.

    There are a lot who do security in good faith (often driven by compliance), and a lot of them are our customers too, but I hope to see the rest of the Indian tech ecosystem take security seriously.

    [1] https://www.reddit.com/r/FuckFlipkart/comments/1hhrw9w/what_...

    • I've dealt with Indian companies for security sales and I'd say the newer generation of companies like Razorpay (YC W15) are decent at SecOps, but the older and more established companies suck at it and will continue to suck at it until there is a tangible regulatory incentive to enhance security postures.

      It also appears to be a side effect of compensation - why would a mid-career security professional want to earn ₹15 LPA TC working for a legacy corporation if they have the skills to land at a security MNC that can afford to pay ₹35-50 LPA in TC?

      Ofc, it's us foreign investors who are able to afford those higher TCs ;) - especially if we can convert someone who was mid-career in the US but had to return to India due to family or visa issues.

      It reminds me of how the Israeli security scene was 10-15 years ago, with similar problems around compensation and brain drain to MNC offices.

  • If there are any TCS employees on Hacker News, please show this post to your management. This is beyond embarrassing on so many levels.
  • Total tangent, but I got to ride in some of these on a recent trip to India and I was really impressed with the build quality and utilitarian usefulness of the design.
  • I'm curious, why wait so long to publish this? The incident was in 2023.
  • Woah Tata is everywhere, weren't they also the biggest youtube channel?
    • I believe you're talking about T-Series? Pretty sure they are not related
  • This is embarrassing.
  • protip: never trust the client
  • This might be the first time I felt disappointed and sad reading an article like this. The commented username and password felt like something from an early 2000s tv show with the tech guy doing “hacking”.

    Wonder how many others stumbled upon this prior, and makes me also wonder how many other sites have things like this hidden in plain sight. Insane.

    • This may look "boring" or "uninspired" but this is what real cybersecurity and "hacking" looks like.

      In most cases, security and QA are essentially two sides of the same coin - and this is why I get pissed when devs treat testing and QA as bulls**t, because even a relatively simple XSS attack or cred misconfig can have a massive impact.

      • This has nothing to do with testing. This is a lack of training.

        I would say they need to 'think like an attacker' at least some of the time. But this is still too high of a bar.

        I think this is really a problem of rewarding people when they finish things. One way or the other. It works, so on to the next project...

        • > This has nothing to do with testing.

          A good QA can catch/test such security issues, although most such work is given to a dedicated pen tester to find weaknesses in the platform.

        • As someone who has been a SWE, PM, and VC in the cybersecurity space and constantly meets with CISOs as well as has formerly been a security practitioner (I should get back to using HackerOne again for fun), I can safely say that the overwhelming majority of security incidents are due to some form of misconfig because development and code review are orthogonal to proactive security checks.

          Shift-left was supposed to fix that but it failed because the primary persona to sell ended up becoming the CISO again, and not trying to find a way to make security ownership a Dev and QA responsibility as well (this is largely organizational).

  • Are there any open source tools that scan the code and detect such gaffes?
    • TruffleHog: https://trufflesecurity.com/trufflehog

      I worked for them a little bit and their product is really impressive and works great.

    • Not open source, but I have used this before, and they have a very generous free tier: https://www.gitguardian.com/monitor-internal-repositories-fo...

      You install their GitHub app and give them access to your GitHub repo (private repos are ok too) and they run a GitHub workflow when each PR is submitted scanning for secrets that should not be in the code. Really happy with how their product works.

    • If you weren't aware of it... There is a world of static application security tools (SAST) which can help you. Add them to your text editor/ci/cd to use them.

      https://owasp.org/www-community/Source_Code_Analysis_Tools

    • trufflehog is a good starting point, then bake in your own simple regex into your github actions or equivalent and make it part of your test suite
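      A small secret scanner of the kind the comment above suggests baking into CI, as an added example (not the page's code and not TruffleHog's): it flags AWS access key IDs and secret keys by their format, falls back to an entropy check for other credential-looking literals, and reports commented-out lines too, since a commented-out key is still a live key. The sample config and its values are constructed; the AWS values are the placeholders from AWS's own documentation.

```python
"""Minimal secret scanner for a CI step (added example, not the page's code)."""
import math
import re
import sys
from dataclasses import dataclass

# AWS access key IDs are 20 chars: AKIA (long-term) or ASIA (temporary) + 16.
AWS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# AWS secret access keys are 40 base64-like chars; only flag them when an
# aws/secret-flavoured name sits just to the left, to keep noise down.
AWS_SECRET_RE = re.compile(
    r"(?i)(?:aws|secret)[\w.\-]{0,30}[\s:=]+['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# Generic fallback: a credential-looking name assigned a long quoted literal.
# Entropy decides whether the literal looks random (placeholders score low).
GENERIC_RE = re.compile(
    r"(?i)\b\w*(?:secret|password|passwd|token|api_?key|access_?key)\w*"
    r"['\"]?\s*[:=]\s*['\"]([^'\"]{20,})['\"]"
)
# Heuristic comment detection: a commented-out key is still a live key.
COMMENT_PREFIXES = ("//", "#", "/*", "*")


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str
    commented: bool


def shannon_entropy(s: str) -> float:
    """Bits per character: ~4.0 for hex/base64 noise, under 3 for English-ish text."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0


def redact(value: str) -> str:
    """Never echo the whole secret into CI logs; a prefix and length is enough."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    findings, seen = [], set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Specific rules first so their kind wins when the generic rule also fires.
        candidates = [("aws-access-key-id", m.group(0)) for m in AWS_KEY_ID_RE.finditer(line)]
        candidates += [("aws-secret-access-key", m.group(1)) for m in AWS_SECRET_RE.finditer(line)]
        candidates += [("high-entropy-credential", m.group(1)) for m in GENERIC_RE.finditer(line)
                       if shannon_entropy(m.group(1)) >= entropy_threshold]
        for kind, value in candidates:
            if (line_no, value) in seen:
                continue
            seen.add((line_no, value))
            commented = line.lstrip().startswith(COMMENT_PREFIXES)
            findings.append(Finding(line_no, kind, redact(value), commented))
    return findings


# Constructed sample config; the AWS values are the placeholders from AWS's docs.
SAMPLE_JS = """\
// config.js (constructed sample)
const config = {
  region: "ap-south-1",
  // prod: accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  // prod: secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  apiToken: "replace-me-replace-me-replace-me",
  buildId: "20240102-release-candidate-01",
};
"""


def main(paths: list[str]) -> int:
    """Scan the given files (or the sample when none are given); non-zero fails the job."""
    if not paths:
        sources = [("config.js (sample)", SAMPLE_JS)]
    else:
        sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths]
    total = 0
    for name, text in sources:
        for f in scan_text(text):
            flag = " [commented out, still live]" if f.commented else ""
            print(f"{name}:{f.line_no}: {f.kind} {f.redacted}{flag}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the four hits on the sample (the placeholder `apiToken` and `buildId` are left alone), or pass file paths from a pre-commit hook or workflow step.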
    • stupid question, can we not make a regex for searching API keys for particular APIs and do a brute force scan across the internet
      • There are a number of products and open source tools that do this. Look up "secret scanning".
  • He would have had better results if he said "do the needful" in his first email to them.
  • give this Uri Said by Deepak Gupta
  • I'll just leave this here:

    > September 1, 2023: Tata Motors shared with CERT-IN (who then shared with me) that the issues are remediated. September 3, 2023: I confirm only 2/4 issues were remediated and the AWS keys were still present on the websites, and active. October 22, 2023: After no updates and finding the AWS issues still not remediated, I send over some more specific steps on what must be done. October 23, 2023: They confirm receipt and are working on taking action. After this date and up until January 2, 2024, there were various back and forth emails trying to get Tata Motors to revoke the AWS keys. I am not sure if something was lost in translation, but it took a lot of pestering and specific instructions to get it done.

    Stay classy TCS.

  • Superpower by 2027.
  • Users in India wouldn't care that much about privacy of their data as much as the Western folks do. This reduces the importance of this whole episode and I don't think this news flashed across TV screens or caused a debate anywhere.

    India is a karma society. Karma doesn't mean upvotes. It means you get what you're destined for, or what you deserve. People take things in their stride and keep moving, while keeping their eyes wide open. When you are moving through a jungle, there is no point in blaming thorns or getting angry at wild animals.

    • So basically you are saying that India is a society that is still soaked in an ideology that justifies the special privileges of temple staff and tells peasants that being a sharecropper in a rent for protection racket is their own fault, so hand it over, and moreso that you approve. You sound like every temple staff worker ever. Grow up.
      • Go out into rural India and ask someone if they care about someone knowing their contact details. Same with 90% of city folks. By the way, growing up may not be so cool. For you.