IIMs say CAT 2017 registrations lower than 2016

Apart from the IIMs, several other business schools use the Common Admission Test (CAT) score for admission. CAT 2017 will be held on 26 November. Photo: HT

New Delhi: The Indian Institutes of Management (IIMs) said Monday that while an extended registration window propelled the Common Admission Test (CAT) registration numbers to nearly 231,000, these were still slightly below the 2016 numbers.

By the original deadline of 20 September, the IIMs had received around 211,000 registrations. They subsequently extended the deadline to 25 September.

In 2016, the IIMs received 232,434 applications for the test. Apart from the IIMs, several other business schools use CAT score for admission.

“The final registration numbers are around 2.31 lakh. Around 20,000 (registrations) were added during the extended window,” said Neeraj Dwivedi, convener of CAT 2017.

Dwivedi, also a professor of IIM Lucknow, said exact numbers would be available on Tuesday.

India has 20 IIMs admitting nearly 4,000 students into their flagship post graduate programme in management.

IIM Lucknow, which is conducting CAT 2017, will allow candidates to correct errors in application between 27 and 30 September. CAT 2017 will be conducted across 140 cities on 26 November.

[“Source-livemint”]

BadRabbit: NotPetya Hackers Likely Behind Ransomware Attack, Say Researchers

Technical indicators suggest a cyber-attack which hit Russia and other countries this week was carried out by hackers behind a similar but bigger assault on Ukraine in June, security researchers who analysed the two campaigns said on Wednesday.

Russia-based cyber firm Group-IB said the BadRabbit virus used in this week’s attack shared a key piece of code with the NotPetya malware that crippled businesses in Ukraine and worldwide earlier this year, suggesting the same group was responsible.

The BadRabbit attack hit Russia, Ukraine and other countries on Tuesday, taking down Russia’s Interfax news agency and delaying flights at Ukraine’s Odessa airport.

Multiple cyber-security investigators have linked the two attacks, citing similarities in the malware coding and hacking methods, but stopped short of direct attribution.

Still, experts caution that attributing cyber-attacks is notoriously difficult, as hackers regularly use techniques to cover their tracks and sometimes deliberately mislead investigators about their identity.

Security researchers at Cisco’s Talos unit said BadRabbit bore some similarities with NotPetya as they were both based on the same malware, but large parts of code had been rewritten and the new virus distribution method was less sophisticated.

They confirmed BadRabbit used a hacking tool called Eternal Romance, believed to have been developed by the US National Security Agency (NSA) before being stolen and leaked online in April.

NotPetya also employed Eternal Romance, as well as another NSA tool called Eternal Blue. But Talos said they were used in a different way and there was no evidence BadRabbit contained Eternal Blue.

“It is highly likely that the same group of hackers was behind (the) BadRabbit ransomware attack on Oct. 25, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,” Group-IB said in a technical report.

Matthieu Suiche, a French hacker and founder of the United Arab Emirates-based cyber security firm Comae Technologies, said he agreed with the Group-IB assessment that there was “serious reason to consider” that BadRabbit and NotPetya were created by the same people.

But some experts have said the conclusion is surprising as the NotPetya attack is widely thought to have been carried out by Russia, an allegation Moscow denies.

Ukrainian officials have said the NotPetya attack directly targeted Ukraine and was carried out by a hacking group widely known as Black Energy, which some cyber experts say works in favour of Russian government interests. Moscow has repeatedly denied carrying out cyber attacks against Ukraine.

The majority of BadRabbit’s victims were in Russia, with only a few in other countries such as Ukraine, Bulgaria, Turkey and Japan.

Group-IB said some parts of the BadRabbit virus dated from mid-2014, however, suggesting the hackers used old tools from previous attacks. “This corresponds with BlackEnergy timeframes, as the group started its notable activity in 2014,” it said.

[“Source-gadgets.ndtv”]

Bug Bounty Hunters Say They Aren’t Welcome in India

HIGHLIGHTS

  • Bug bounty hunters are hackers who warn companies about security flaws
  • They do this for both rewards, and recognition
  • They say Indian firms pay less, and don’t like talking of vulnerabilities

The recent WannaCry global ransomware attack, and closer to home, the Zomato user data breach, where millions of user logins were compromised, have forced all of us to be much more conscious of digital security. A key part of this ecosystem is the community of ethical hackers, also called bug bounty hunters: people who work with companies to patch security flaws. While bug bounty programs have been standard worldwide for several years, Indian companies like Zomato are only now following suit.

A bug bounty program is a vulnerability reward program instituted by corporates for ethical hackers. Hackers report bugs and vulnerabilities in the websites or apps of corporates, who, in turn, recognise and compensate these hackers. Gadgets 360 spoke to a couple of ethical hackers, who told us that they normally try to work with foreign companies, which are more open to paying bounties and offer richer rewards to boot when compared to their Indian counterparts.

Manish Bhattacharya, an ethical hacker born and raised in Bihar, said he paid off his educational loan through bug bounty programs from Facebook, GitHub, Shopify, and others. Some years ago, he had reported two clickjacking issues for Facebook – where a real link gets replaced by a malicious one, which could serve ads, or even malware. For this, he was paid $5,000 (over Rs. 3.22 lakhs today) by Facebook.

Anand Prakash has his own cyber-security startup, called AppSecure India, based out of Bengaluru. He is on Facebook’s ‘White Hat Bug Bounty Program’, which recognises and rewards security researchers who report vulnerabilities in Facebook’s services. In 2016, he also found a bug in Uber that could let any hacker take multiple rides without paying for them. Uber gave him $5,000 in return.

Anand Prakash runs his own security firm, AppSecure India

For Bhattacharya, bug bounty hunting has been, well, bountiful. He now works for a security firm in the United States. Prakash is on the list of Forbes Asia’s 30 under 30 (2017) and runs his security audit firm.

The ethics of bug bounties
Many companies such as Microsoft, Facebook, and Google are openhanded to bug bounty hunters. Bugcrowd maintains a list of websites that have a rewards program. But it’s important to remember that there are a bunch of rules that define what is ethical hacking.

“The difference [between ethical hacking and unethical hacking] lies primarily in the intent and access rights,” says Amit Sethi, Chief Information Officer, AXIS Bank. “One is authorised and the other is unauthorised. Technology-wise there’s no difference per se.”

Bhattacharya and Prakash also agree with the corporate ethical code.

“If I have permission from the company to test their website or they have a bug bounty program then only I’ll go for bug hunting,” says Bhattacharya. “I’ll never test any government/ bank website without their written permission.”

“Hackers exploiting bugs and leaking user data is unethical. Recent Zomato hack was a perfect example of an unethical hack,” adds Prakash. “The hacker should not have forced the company to run a bounty program by leaking their data.”

Manish Bhattacharya works for a security firm in the US

The argument could be made that the hacker pushed the company to improve its security and institute a program that will only help users – but in the process, the data of millions of users was up for sale, as Prakash points out.

Indian companies don’t like to talk about vulnerabilities
As the hackers we spoke to mentioned, Indian companies aren’t typically welcoming of their efforts. Uber told Gadgets 360 that it has paid more than $860,000 – approximately Rs. 5.5 crore – in the last year to security researchers around the world. Of this, there were six researchers from India in Uber’s top 50 list. India topped Facebook’s bug bounty list last year, but things are very different when you look at Indian companies.

Global players award Indian hackers consistently, says Sandeep Sharma, a research analyst for IDC. “But, when it comes to Indian corporates, the picture isn’t as rosy,” Sharma explains. “Indian enterprises still have a long way to go as far as proactive security implementations are concerned.”

Why haven’t Indian corporates been encouraging when it comes to bug bounty programs? Startups we approached refused to be a part of this story. According to reports, Snapdeal, Ola, and Swiggy all have private bug-bounty programs, but none of these companies wanted to talk about why bug bounty hunters don’t get due credit in India.

Swiggy CTO and co-founder Rahul Jaimani instead pointed out that the company encourages bug bounties, as long as it’s done in an ethical manner, and ties up with credible third-party bug bounty platforms on an invite only basis. He added that Swiggy supports ethical hacking, as long as the researchers comply with Swiggy’s ethical and responsible disclosure norms. He also added that the terms and conditions of the website and app mention that unethical techniques used against the system are liable under the cyber security law, as per the IPC and Information Technology Act.

We asked Zomato the same question too, but the company wasn’t available for comment. Zomato had a bug bounty program on HackerOne for a while and after the recent Zomato hack, its CEO Deepinder Goyal tweeted, “Had never offered money as part of the program. That’s what’s going to change now.”

After the company was hacked, Zomato now offers money as part of its bug bounty program

This attitude is a problem as far as most bug bounty hunters are concerned – apart from money, recognition is a big driver as it helps to build a career in ethical hacking, explains Bhattacharya.

“Right now, India is full of startups, most of them don’t have – or they don’t want to spend – extra budget to hire a full-time security guy,” he says. “Most companies don’t trust an independent individual with their security; they prefer a security firm instead. Few startups like Ola, Paytm have bug bounty. But, their rewards don’t match the international standards, so bug hunters don’t spend time with these programs.”

Change remains slow
Axis Bank has an Innovation Lab that experiments with bug bounty. “It would be an incremental step in our efforts towards robust and secure software development and testing,” says Axis’ Sethi. In India, banking and financial service firms have been proactive about security solutions, adds AppSecure’s Prakash, who also told us that his security firm saw a sudden surge of fin-tech corporate customers, after WannaCry and the Zomato hacks.

However, both Bhattacharya and Prakash say that the industry has largely been slow to react, even after high profile attacks on their infrastructure.

[“Source-ndtv”]

Overseas aid ‘should focus on education’, say MPs

The UK’s overseas aid budget should target more of its funding towards education projects, says a cross-party committee of MPs.

The international development committee says the proportion spent on education should be lifted from 8% to 10%.

There are 250 million children around the world without access to school – and efforts to tackle this have been “shamefully underfunded”, say MPs.

Committee chair Stephen Twigg warned of a “global learning crisis”.

The select committee says that the Department for International Development’s spending on education is £526m per year – less than on supporting health, civil society and intervention in disasters.

But the MPs say that in terms of long-term impact, investing in education will reap dividends in preventing conflict, improving life chances and improving economic development.

Mr Twigg says: “Education has been shamefully neglected by the international community and many national governments.”

The committee heard that there had been a “clear decline in international aid spending on education since 2011”.

“Even though we know the benefits of education, there is not enough funding from the international community to deliver this, particularly in the low-income countries which need most support,” said Mr Twigg.

Former Prime Minister, Gordon Brown, told the committee that such development funding suffered from being “short-term and unpredictable”.

“We cannot forever continue with this situation where the only way we fund humanitarian aid, whether it be for education, health, shelter or food, is through a begging bowl,” said Mr Brown.

Earlier this week, Unicef warned that warfare and conflict are preventing 25 million young people from getting any access to school, particularly in parts of sub-Saharan Africa.

In South Sudan, Unicef says almost three-quarters of primary-school-age children are missing out on education.

The international community set targets for universal primary education to be achieved by 2000 and then 2015, which, despite progress being made, were both missed.

The current target, part of the sustainable development goals, aims for this to be fully achieved by 2030.

However, Unesco, the UN agency that monitors global access to education, warned last autumn that, on current trends, the target was already unlikely to be achieved.

The international development committee says that funding would need to be more than doubled to achieve the international goals for education.

Figures from the OECD have shown that the UK is one of the biggest providers of international aid, both in cash terms and as a proportion of national wealth.

An analysis of international support for Syria’s refugees also showed that the UK was among the countries that had met their funding pledges, while a number of countries still had to deliver the aid they had announced.

A DFID spokesperson said the department was “proud to have supported over 11 million children in primary and lower secondary education from 2011-2015”.

[“Source-bbc”]