What Not To Say During A Salary Negotiation

If you want things to go your way, don’t say any of this

Get the best offer possible during your salary negotiation

Preparation pays off, literally, when it comes to salary negotiations. Research into the market and company standards can only take you so far – you also need to be able to pitch yourself. There are some phrases people tend to use in these discussions that don’t end up working in their favour, despite what they (or you) believe. Here are a few of them. Remember not to say any of this during your next salary negotiation.

1. ‘I’m getting married/moving house/etc’

Let us try to say this as politely as possible – no one cares. Your personal matters are just that – personal. You cannot expect them to influence any professional decision made at that meeting. The best thing to do is avoid talking about your personal dilemmas, no matter how much they’re affecting you, and focus on the work you’re doing and its worth.

2. ‘I’m sorry but…’

Don’t apologise. We all tend to use the word quite liberally, especially when talking to superiors. But there is nothing to apologise for here – you’re talking about your remuneration, which is your right. Don’t feel embarrassed or uncomfortable about it. You’ve worked hard for it.

3. ‘I need/want…’

But do you really ‘need’ it? And if you want it, so what? We’re sure every person wants a higher salary. But what’s more important is – do they deserve it? Sometimes the answer to that is no. During your salary negotiations, instead of telling them what you want, tell them what you deserve – and why.

4. ‘I have another offer that is much higher’

Take it then? You don’t want your prospective employer to think you’re in it just for the money. If the other company is offering you more money, and that’s all that matters, you would have taken it anyway. So don’t play that card and try to keep the focus of the conversation on the offer you’re discussing.

5. ‘I haven’t had a raise in so long’

You need to put your point across without sounding like you’re whining, and saying this doesn’t help your case. Drawing their attention to the fact that you have not had a raise only makes them think there has been no reason to give you one.

6. ‘But others are getting paid more to do less work’

Again, trying to compare yourself to others won’t work, nor is it your place to do so. Talk about how much time and effort you have been putting in, irrespective of others – as soon as you make it seem like a competition, you’re going to lose favour in the discussion. It also makes you sound like a gossip-monger.

7. ‘I want more…’

‘More’ is too vague for you to use in this discussion. ‘More’ can be 2% more than the original offer was. There is no room for ‘more’ in this negotiation. Talk about how much more you would like the offer to be and they might take you seriously.

[“Source-ndtv”]

IIMs say CAT 2017 registrations lower than 2016

Apart from the IIMs, several other business schools use the Common Admission Test (CAT) score for admission. CAT 2017 will be held on 26 November. Photo: HT

New Delhi: The Indian Institutes of Management (IIMs) said on Monday that while an extended registration window pushed the Common Admission Test (CAT) registration numbers to nearly 231,000, these were still slightly below the 2016 figure.

By the original deadline of 20 September, the IIMs had received around 211,000 registrations. They subsequently extended the deadline to 25 September.

In 2016, the IIMs received 232,434 applications for the test. Apart from the IIMs, several other business schools use the CAT score for admission.

“The final registration numbers are around 2.31 lakh. Around 20,000 (registrations) were added during the extended window,” said Neeraj Dwivedi, convener of CAT 2017.

Dwivedi, also a professor of IIM Lucknow, said exact numbers would be available on Tuesday.

India has 20 IIMs admitting nearly 4,000 students into their flagship postgraduate programme in management.

IIM Lucknow, which is conducting CAT 2017, will allow candidates to correct errors in their applications between 27 and 30 September. CAT 2017 will be conducted across 140 cities on 26 November.

[“Source-livemint”]

BadRabbit: NotPetya Hackers Likely Behind Ransomware Attack, Say Researchers

Technical indicators suggest a cyber-attack which hit Russia and other countries this week was carried out by hackers behind a similar but bigger assault on Ukraine in June, security researchers who analysed the two campaigns said on Wednesday.

Russia-based cyber firm Group-IB said the BadRabbit virus used in this week’s attack shared a key piece of code with the NotPetya malware that crippled businesses in Ukraine and worldwide earlier this year, suggesting the same group was responsible.

The BadRabbit attack hit Russia, Ukraine and other countries on Tuesday, taking down Russia’s Interfax news agency and delaying flights at Ukraine’s Odessa airport.

Multiple cyber-security investigators have linked the two attacks, citing similarities in the malware coding and hacking methods, but stopped short of direct attribution.

Still, experts caution that attributing cyber-attacks is notoriously difficult, as hackers regularly use techniques to cover their tracks and sometimes deliberately mislead investigators about their identity.

Security researchers at Cisco’s Talos unit said BadRabbit bore some similarities with NotPetya as they were both based on the same malware, but large parts of code had been rewritten and the new virus distribution method was less sophisticated.

They confirmed BadRabbit used a hacking tool called Eternal Romance, believed to have been developed by the US National Security Agency (NSA) before being stolen and leaked online in April.

NotPetya also employed Eternal Romance, as well as another NSA tool called Eternal Blue. But Talos said they were used in a different way and there was no evidence BadRabbit contained Eternal Blue.

“It is highly likely that the same group of hackers was behind (the) BadRabbit ransomware attack on Oct. 25, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,” Group-IB said in a technical report.

Matthieu Suiche, a French hacker and founder of the United Arab Emirates-based cyber security firm Comae Technologies, said he agreed with the Group-IB assessment that there was “serious reason to consider” that BadRabbit and NotPetya were created by the same people.

But some experts have said the conclusion is surprising as the NotPetya attack is widely thought to have been carried out by Russia, an allegation Moscow denies.

Ukrainian officials have said the NotPetya attack directly targeted Ukraine and was carried out by a hacking group widely known as Black Energy, which some cyber experts say works in favour of Russian government interests. Moscow has repeatedly denied carrying out cyber attacks against Ukraine.

The majority of BadRabbit’s victims were in Russia, with only a few in other countries such as Ukraine, Bulgaria, Turkey and Japan.

Group-IB said some parts of the BadRabbit virus dated from mid-2014, however, suggesting the hackers used old tools from previous attacks. “This corresponds with BlackEnergy timeframes, as the group started its notable activity in 2014,” it said.

[“Source-gadgets.ndtv”]

Bug Bounty Hunters Say They Aren’t Welcome in India

HIGHLIGHTS

  • Bug bounty hunters are hackers who warn companies about security flaws
  • They do this for both rewards, and recognition
  • They say Indian firms pay less, and don’t like talking of vulnerabilities

The recent WannaCry global ransomware attack and, closer to home, the Zomato user data breach, in which millions of user logins were compromised, have forced all of us to be much more conscious of digital security. A key part of this ecosystem is the community of ethical hackers, also called bug bounty hunters: people who work with companies to patch security flaws. While bug bounty programs have been standard worldwide for several years, Indian companies like Zomato are only now following suit.

A bug bounty program is a vulnerability reward program instituted by corporates for ethical hackers. Hackers report bugs and vulnerabilities in corporate websites or apps, and the corporates, in turn, recognise and compensate them. Gadgets 360 spoke to a couple of ethical hackers, who told us that they normally try to work with foreign companies, which are more open to paying bounties and offer richer rewards to boot, compared to their Indian counterparts.

Manish Bhattacharya, an ethical hacker born and raised in Bihar, said he paid off his educational loan through bug bounty programs from Facebook, GitHub, Shopify, and others. Some years ago, he reported two clickjacking issues to Facebook – where a real link gets replaced by a malicious one, which could serve ads, or even malware. For this, he was paid $5,000 (over Rs. 3.22 lakhs today) by Facebook.

Anand Prakash has his own cyber-security startup, called AppSecure India, based out of Bengaluru. He is on Facebook’s ‘White Hat Bug Bounty Program’, which recognises and rewards security researchers who report vulnerabilities in Facebook’s services. In 2016, he also found a bug in Uber that could let any hacker take multiple rides without paying for them. Uber gave him $5,000 in return.

Anand Prakash runs his own security firm, AppSecure India

For Bhattacharya, bug bounty hunting has been, well, bountiful. He now works for a security firm in the United States. Prakash is on the list of Forbes Asia’s 30 under 30 (2017) and runs his security audit firm.

The ethics of bug bounties
Many companies such as Microsoft, Facebook, and Google are open-handed with bug bounty hunters. Bugcrowd maintains a list of websites that have a rewards program. But it’s important to remember that there are a number of rules that define what ethical hacking is.

“The difference [between ethical hacking and unethical hacking] lies primarily in the intent and access rights,” says Amit Sethi, Chief Information Officer, AXIS Bank. “One is authorised and the other is unauthorised. Technology-wise there’s no difference per se.”

Bhattacharya and Prakash also agree with the corporate ethical code.

“If I have permission from the company to test their website or they have a bug bounty program, then only I’ll go for bug hunting,” says Bhattacharya. “I’ll never test any government/bank website without their written permission.”

“Hackers exploiting bugs and leaking user data is unethical. The recent Zomato hack was a perfect example of an unethical hack,” adds Prakash. “The hacker should not have forced the company to run a bounty program by leaking their data.”

Manish Bhattacharya works for a security firm in the US

The argument could be made that the hacker pushed the company to improve its security and institute a program that will only help users – but in the process, the data of millions of users was up for sale, as Prakash points out.

Indian companies don’t like to talk about vulnerabilities
As the hackers we spoke to mentioned, Indian companies aren’t typically welcoming of their efforts. Uber told Gadgets 360 that it has paid more than $860,000 – approximately Rs. 5.5 crore – in the last year to security researchers around the world. Of this, there were six researchers from India in Uber’s top 50 list. India topped Facebook’s bug bounty list last year, but things are very different when you look at Indian companies.

Global players award Indian hackers consistently, says Sandeep Sharma, a research analyst for IDC. “But, when it comes to Indian corporates, the picture isn’t as rosy,” Sharma explains. “Indian enterprises still have a long way to go as far as proactive security implementations are concerned.”

Why haven’t Indian corporates been encouraging when it comes to bug bounty programs? Startups we approached refused to be a part of this story. According to reports, Snapdeal, Ola, and Swiggy all have private bug-bounty programs, but none of these companies wanted to talk about why bug bounty hunters don’t get due credit in India.

Swiggy CTO and co-founder Rahul Jaimani instead pointed out that the company encourages bug bounties, as long as the work is done in an ethical manner, and ties up with credible third-party bug bounty platforms on an invite-only basis. He added that Swiggy supports ethical hacking, as long as the researchers comply with Swiggy’s ethical and responsible disclosure norms. He also added that the terms and conditions of the website and app state that unethical techniques used against the system are liable under cyber security law, as per the IPC and the Information Technology Act.

We asked Zomato the same question too, but the company wasn’t available for comment. Zomato had a bug bounty program on HackerOne for a while and after the recent Zomato hack, its CEO Deepinder Goyal tweeted, “Had never offered money as part of the program. That’s what’s going to change now.”

After the company was hacked, Zomato now offers money as part of its bug bounty program

This attitude is a problem as far as most bug bounty hunters are concerned – apart from money, recognition is a big driver as it helps to build a career in ethical hacking, explains Bhattacharya.

“Right now, India is full of startups, most of them don’t have – or they don’t want to spend – extra budget to hire a full-time security guy,” he says. “Most companies don’t trust an independent individual with their security; they prefer a security firm instead. Few startups like Ola, Paytm have bug bounty. But, their rewards don’t match the international standards, so bug hunters don’t spend time with these programs.”

Change remains slow
Axis Bank has an Innovation Lab that experiments with bug bounties. “It would be an incremental step in our efforts towards robust and secure software development and testing,” says Axis’ Sethi. In India, banking and financial services firms have been proactive about security solutions, adds AppSecure’s Prakash, who also told us that his security firm saw a sudden surge of fin-tech corporate customers after the WannaCry and Zomato hacks.

However, both Bhattacharya and Prakash say that the industry has largely been slow to react, even after high profile attacks on their infrastructure.

[“Source-ndtv”]