Bank of India home page was hacked - and serving malware/viruses for almost 7 hours

I just read that on a Ryan Naraine blog that the Bank of India web site was compromised and the web page was serving up malware and viruses for nearly 7 hours.

Anyone that is reading this blog and has an account with Bank of India should be suspicious and (ideally) take their money somewhere else :-) Or at least ensure that their home PCs are disinfected.

Additional information for people that might be interested in what this attack means:

According to the article (F-Prot and McAfee were among the forms that raised the alarm) contacted Bank of India and worked with them to clean up the problem. But instead of shutting down the web site and protecting their customers, the web site kept running for over 7 hours. Either they are totally incompetent, or the traditional Indian banks' bureaucracy needed an act of God to shut down the web site.

Although you could think of this as something not alarming (after all, it is only an unpatched, unprotected computer that was affected by this web hijacking), you would be wrong.

The principle that has just been demonstrated here is that common web sites that people assume to be safe, can be hijacked. Knowing that most people in India have virus ridden PCs at home, including illegal versions of windows that are not subscribed to Microsoft's automatic patching, anti-virus software that has not been updated in years (probably since the pirated version was installed during the purchase of the PC), I won't be surprised to hear that this in-your-face attack results in more zombies populating the Indian home PC market.

Although RBN (Russian Business Network) which is thought of as being behind this attack, may have no interest in Indian Rupees, what is scary for the rest os the world is that such hijacks could result in other, more familiar, websites getting hacked.

Another thing that I would be scared of, if I had money at BoI, is the extent to which BoI's systems have been hacked. After all, if the main web page was hijacked, it means their server was compromised. And a compromised bank server means there must have been - probably still has one - a hole in their security system. And no one knows how long that hole has existed. Which means no one knows how safe their accounts are with BoI.

What are the things you can do? In no particular order:

1) Switch from Windows to Ubuntu - I have done it with my kids' computers and there is little you cannot do with Ubuntu, that you can do with Windoze. Remember, Ubuntu is Linux - and is free.

2) If you are still inclined to stick with Windoze (I am - becuse of work requirements - need investigation to see if I can switch - plus wireless cards are still rather fragile with Ubuntu - mine isn't supported), make sure that it is legal.

3) If it is not legal, go and spend the money to buy a legal version of Windoze. Install it.

4) Buy anti-virus software and a subscription. You can also install something like AVG (which is free for individuals) that also has auto updates. Preferably have 2 anti-virus softwares installed

5) Install a router at home, including a hardware firewall that usually comes with the router. Remember to turn on the router firewall. That is your first line of defense.

6) Install a firewall on each of your home computers - Zone Alarm is free. So is Comodo firewall. But you need just one. Choose whichever you feel is friendlier - most people will prefer Zone Alarm. Being a geek, I prefer Comodo personal firewall.

7) Install something like WinPatrol which will monitor your registry and other sensitive areas of your PC and tell you if any unusual activity is detected. A similar program that could be used is SpyBot. I use both (being a little paranoid). Bith are free programs, but require registration - use a fake e-mail address to register, but make sure you can monitor the fake email address.

8) Install Adaware from Lavasoft. It will specifically check for malware that may be installed on your PC. Set it up to run at startup (and if you have Scotty from Winpatrol or SpyBot installed, you will get a warning that something is trynig to install itself to run at startup - click OK). I don't remember other anti-malware products. Maybe someone else may come up with additional ideas.

9) Use Firefox to browse the web, instead of InternetExploder. I only use Firefox.

10) Use any e-mail client other than Outlook or Outlook Express. There are commercial products available. Thunderbird (from the Firefox family) is a nice product. I don't use any e-mail client - I only use web mail - either Gmail or Yahoo Mail.

9) Develop a healthy sense of paranoia when using the Net. Click on links that people send you only if you trust them. Similarly, forward links to people that you *know* are safe.

Of all the tips, I think it is easiest to use 1 instead of 2 thru 9. But I have done both.

Breast feeding and the Bush administration - how they cave in to commercial interests

A damning article in the Washington Post about how the Bush administration has caved in to commercial interests. How could they? This shows that the Bush administration cares two hoots about the mothers, or for that matter, the citizens of the United States. All they care about is ensuring funding for the next election - from corporations, which are the entities that can give them the most money. Shame!

Pakistan and the US - how much longer?

I am obviously an interested party in this development. Pervez Musharraf has apparently decided that he will not impose anemergency according to The Economist, Reuters, the BBC and CNN.

Really? Just because he gave them his word? Or because some aide said 'there was never such a plan! We don't know how such a rumor got started'! How many assurances has MUshy given to the US in the past? And how many of those assurance have been proven to be lies?

Let us go back to before the time he staged his coup. He was guilty of conducting a de facto war with India (Kargil) while not informing his superior - then PM Nawaz Sharief. It was the US that found out about it, told the PM as well as appealed to India's then PM A B Vajpayee to not escalate this into an outright war.

Then we had 9/11. Of course, Pakistan did not have anything to directly connect then with the incident. But entire support structure for the incident - the Taliban, their arming, their training etc - was done courtesy of Mushy and his pet department - the ISI (Inter Services Intelligence) - Pakistan's equivalent of the CIA. And guess who was responsible for the Kargil war in the first place? The ISI of course!

After being co-opted by the US into its 'war on terror' (you are either with us or against us), Mushy found it very convenient to keep the status quo for as long as he could. He delivered 'kills' whenever there was news that the US was tiring of Pakistan's two-facedness.

Which leads me to a more interesting query. Where is Osama bin Laden? It is my guess that he is safely ensconced in a part of Pakistan (not Afghanistan) in a location unknown to Mushy (so he can technically be telling the truth), while always being knowable. He is the insurance card for Musharraf. If OBL and Ayman al Zawahiri are captured, the US will lose interest in Pakistan and the current funding that Pakistan receives from the US (numbers from armscontrol.org and worldpolicy.org) is comparable to the 1.8 billion that the US gives annually to Israel and Egypt for having signed a peace treaty. What? Over a billion annually to FIGHT? What does tha make the Pakistani soldiers? I'll give you a hint - mercenaries. Except that, in this case, their master is taking in the loot while they are dying in the field. But I digress.

The whole point is, if OBL and AAZ are found, Mushy suddenly stops being able to take cookies! And everyone else in his support structure suffers too.

Now what about the US? It is my personal belief that the US government knows the exact whereabouts of OBL and AAZ. Heck, I can put my personal beliefs on this blog - it is mine and I can do pretty much what I want with it. What is the rationale for Bush not bombing him to oblivion? A few possibilities come to mind. Before 2004, he wanted to get reelected. Now he wants to (in his disconnected universe) try and ensure that the Republican party stays in power and at least some of his policies are continued. This is admittedly a weak argument for a conspiracy theory. But consider the contrary side. If OBL and/or AAZ were to be captured, the Republican party current leader - Giuliani - will no longer be able to say 'vote for us if you want to feel safe - vote Democratic if you want to be attacked by terrorists'. This is what got Bushy reelected.

Enough of the digressions. So how are we to believe that Mushy is not going to declare an emergency? No idea. And, if you want to listen to me, you should really not believe anything that a snake says either.

Nardelli gets a second chance - to kill a company

I just read the article at Business Week detailing the appointment of Nardelli as the new CEO of Chrysler under Cerberus. Cerberus, for those that didn't know, is the private equity firm that recently took Chrysler off the hands of Daimler Chrysler, for next to nothing.

What can I say about Robert Nardelli! His colorful exit from HomeDepot, a firm where I have some minimal stock interest (note: in my case minimal means, quite literally, < 100 shares), along with a package of USD 210 million caused many a HD employee and fan a great deal of heartburn. His inability to connect with the employees, as well as the shareholders make him a poster child for the reasons why he should not have been made a CEO. At the very least a good CEO needs to be liked by his employees - or at least admired. Nardelli failed miserably on all those fronts.

Ad now, the poor employees of Chrysler get him. No matter what, Nardelli is going to deliver financial results to his new bosses at Cerberus. And, no matter what, he will receive a fat financial package. Nardelli knows that this is the only chance he will get to redeem himself. Maybe he has taken charm lessons from someone. Maybe he will be better off, now that he has no anonymous shareholders to please.

As you might have guessed by now, I am no fan of Nardelli. Nor am I a fan of six-sigma in areas where it is NOT APPLICABLE. Nor am I a fan of Welchian 'grading employees on a curve', guaranteeing that at least one person from a group will be fired evey year. GE may have done well during Welch's reign. However, his lack of focus on products - which is what drives companies forward - has left GE trailing in the post-Welch years.


Aggressive cost-cutting, massive lay offs, pruning of suppliers and putting them through the wringer - all will produce short-term benefits, which Cerberus will love. If they do enough to put lipstick on the Chrysler pig, and take it public, they may even fool the public into believing this story. Ultimately, unless Chrysler is able to produce cars that rival Toyota (they shouldn't really look at GM or Ford as competitors) in quality, they will not be able to build the reputation that Toyota has. And until they build that reputation - which will take anything from 5-10 years - they cannot afford a stumble.

It will have to be a slow rise. I don't think Cerberus or Nardelli have the stomach for it. Be prepared for the demise of Chrysler