Thursday, August 18, 2022

Not attending business networking events in september

I have some travel plans in september. I would be travelling to Visakhapatnam, India and would come back after 2 - 3 weeks. While in India, I have some travel plans to New Delhi and Hyderabad. This is more of a personal trip and related to the identity theft issues happening around. As in the UVAS = Uttam + sriniVAS. They have gamified identity theft and they are trying to frame me as someone else by impersonating, shadowing, hacking, false propaganda etc...

I can still be contacted on +44-07718-273-964 or +1-480-347-6849 or +91-789-362-6688 or admin@alightservices.com or kantikalyan.arumilli@alightservices.com

Tuesday, August 9, 2022

Disappointing News!

     I hoped to make a positive announcement tomorrow, but I have disappointing news. I had a job offer from Mphasis in London. I have been super happy and provided all the required documents. I have shown all of my past and current legal immigration documents. My current India passport - R4542950, my curent Graduate Route Visa BRP - RY7552312. I have shown 2 expired passports, 1 expired BRP. I have sent them my A file from USCIS regarding my past H1B employment between 2008 and 2016. I have signed several forms, agreed for background verification, I did not have N.I number, I applied for N.I number and waiting on N.I number. As per U.K government, I can start working while waiting on N.I number. I have provided share code and proved my right to work in U.K. Yesterday, I went in person and showed all of my documents. Last night, I have received an email saying Welcome onboard but the employee id was empty. This morning, I sent an email mentioning the same. And sent a follow-up email.

     I received a call from the H.R who said the employment is being revoked, I did not receive any receive an official confirmation of revokement via email. I have not been provided with any valid reason other than not having N.I number. But the government of the United Kingdom clearly states that I can start working while waiting on N.I number.

   One last thing, until now, I never saw a job offer being rejected in the very last minute and without any valid reason. If Mphasis is helping the R&AW identity thieves, it's a serious offense and a crime and this is probably what happened 5 years ago in United States and now here in United Kingdom. If yes, how many more innocent and hard-working individuals Indians who have immigrated to other countries identities are being stolen? If Mphasis did not help them, not a problem.

    Shame on the R&AW spies, shame on India!

Saturday, August 6, 2022

The Plan Ahead And Some Web Application Security Tips


        I am hoping to make positive personal announcement soon in the next 3 days. ALight Technology And Services Limited is implementing very high-security measures. The primary threats have been identified, the plan to mitigate the threats has been planned, pending implementation. Much more detailed monitoring, alerting and in few cases even automatic remedial actions are going to be implemented.

       ALight Technology And Services Limited plans to implement these threat mitigating plans over 6 to 9 months period. But, once implemented, world-class, enterprise-grade security and audit would be in place. In other words, ALight Technology And Services Limited would be in a position to instantly demonstrate the security measures in place and this would hopefully help in propelling forward.

       The primary threat is the capabilities of the invisible spying drone by India's spying agency known as R&AW - Research And Analysis Wing. The invisible spying drone has viewing, screenshotting, recording video and audio, whispering and even mind-reading. There is a very high possibility of some advanced hacker tools being used by the spies who could connect to Wi-Fi networks and remotely login into laptops and probably steal files / source code or may be even session hijacking. The invisible spying drone has mind-reading capabilities and if I am not wrong maybe even some kind of projecting images into the mind. The equipment has been used for privacy invasion, human rights violation. I don't know how many people have been victims, but I have been a victim for around 5 years. From what I know, the equipment has been mis-used on few other people also for getting favors done via threat / harassment.

     With the above threat in place, and being the target for over a dozen rogue R&AW spies, I know they would probably do parallel coding and maybe even steal source code - Intellectual Property Theft. As of now, I might not be able to prevent the mind-reading, parallel coding type of threat. But I can definitely secure the network, and use biometric authentication using YubiKey Bio. I have been using Biometric Authentication for over the past 1 year but certain websites have vulnerabilities and using the websites with vulnerabilities has become a headache.

    Over the next few months, I will share some security best practices to thwart these spies. I might even provide links to relevant code samples or I might provide some code samples for ASP.Net/C#.

       Some of the best practices are mentioned below:

1) Audit - Everything that happens in a web application needs to have audit, the audit log should not be tampered, should be viewable.

2) The list of active sessions should be viewable and should allow remotely logging off - Several websites like Facebook etc... implement such security.

3) For applications where multiple tabs are not necessary cookie values need to be changed. Most banking type of applications implement such security, but the problem - back button would invalidate the session. But this is a necessity for high security applications.

4) SSL for every resource such as css, javascript etc... Most applications nowadays implement this.

5) When resetting passwords etc... send long string codes - if the URL has a smaller token, the spies can see the token and can type the token in their browser. When a request comes with the token, immediately invalidate the token. Do not display the token in the emails, provide a link.

6) Do not display keys etc... in plain text on the screen. Instead mask the keys and show a copy button instead. This has been a huge vulnerability, multi-billion dollar businesses like Github, Microsoft Azure, AWS also do not implement this security measure as of today. But, I think this is a must to thwart the spies.

7) If possible use random application-generated passwords and use vaults for storing sensitive secrets i.e as much as possible, admins do not memorize passwords or type in passwords. 

8) SMS, Authenticator, EMail code type of MFA options are weak against these spies. Physical USB key like Yubikey or Yubikey Bio, long string links via email seem to be safer options. Long string links via email is a safe option only if the email provider has proper security in place, else, as of now, Yubikey might be the only safe option.

Extra note: If using SMS / EMail codes for MFA try create pairs of code. OTP's should be seriously for One Time use.

For example:

When user enters username and password and when the web application generate a 2 codes. 1 for displaying on the webpage and 2 for sending via email. On webpage display code1 let's say "QWERTY", in the email send "QWERTY" in the subject and inside email content send OTP. If anyone attempts parallel login, there should be 2 emails and the emails would have different pair codes. By specifying for which the code pair the  user is being prompted, the users can only enter for what was being prompted and email should provide the ability to delete emails without viewing and should be easy. 


Long story short, I went through a lot in the past 5 years and too many lost opportunities. I am hoping to share some knowledge based upon what I went through and how to secure web applications to thwart these spies attempts.

Who knows how many databases might have been hacked / altered / tampered by the spies.

I know that they definitely did screenshots and tried to create fake propaganda and even identity theft, framing, defaming etc...

https://www.simplepro.site/

https://kantikalyan.medium.com/