Pages

Wednesday, August 21, 2024

Thousands of Corporate Secrets Were Left Exposed. This Guy Found Them All

 NYT profile of Alex Karp.


NoVa is the world’s data center, followed by Beijing and Dublin.  And India is sending us their best.


Rogue Tax Officer, 3 Lawyers, 500 Firms - Big GST Heist Uncovered In Delhi

The fake firms generated invoices worth Rs 718 crore, i.e. fake purchases were made and business was only on paper, the probe, which was later transferred to the ACB, found.


New Delhi : 

A rogue tax officer, a trio of lawyers and a few other people masterminded a fraud, swindling Rs 54 crore from the Goods and Service Tax (GST) Department in the national capital. It was exposed by the Anti-Corruption Bureau of the Delhi Government. 

'The Special 7 And 500 Firms'

A GST officer, three lawyers, two transporters and the owner of a "company" were part of a plot involving 500 fake companies and fake invoices worth Rs 718 crore to claim GST refunds worth Rs 54 crore. The 500 companies only existed on paper and were purportedly involved in the import/export of medical goods to claim GST refunds.



Babita Sharma, the GST Officer (GSTO), hatched a plan with 96 fake firms and approved over 400 refunds worth Rs 35.51 crore between 2021 and 2022. In the first year, only refunds worth Rs 7 lakh were approved but later the remaining were approved. 

Interestingly, the refunds were approved by the GSTO after filing the applications and approval was given within three days. In 2021, Ms Sharma was transferred to Ward 22 of the GST office and surprisingly, within a few days, over 50 firms applied for migration from Ward 6 to Ward 22, and was okayed within a short period. The migration raised alarm bells and the GST Vigilance Department sent teams to the offices of these firms. It led to the unearthing of the GST fraud, which had roots in its own office


The investigation revealed that the GST refunds were issued in the bank accounts of three lawyers - Rajat, Mukesh and Narendra Saini and their family members, through different bank accounts. The ACB found 1,000 bank accounts directly related to the fake firms, their family members and the employees.


 Wired – Security researcher Bill Demirkapi found more than 15,000 hardcoded secrets and 66,000 vulnerable websites—all by searching overlooked data sources[unpaywalled]:

 “If you know where to look, plenty of secrets can be found online. Since the fall of 2021, independent security researcher Bill Demirkapi has been building ways to tap into huge data sources, which are often overlooked by researchers, to find masses of security problems. This includes automatically finding developer secrets—such as passwords, API keys, and authentication tokens—that could give cybercriminals access to company systems and the ability to steal data. 



Today, at the Defcon security conference in Las Vegas, Demirkapi is unveiling the results of this work, detailing a massive trove of leaked secrets and wider website vulnerabilities. Among at least 15,000 developer secrets hard-coded into software, he found hundreds of username and password details linked to Nebraska’s Supreme Court and its IT systems; the details needed to access Stanford University’s Slack channels; and more than a thousand API keys belonging to OpenAI customers. A major smartphone manufacturer, customers of a fintech company, and a multibillion-dollar cybersecurity company are counted among the thousands of organizations that inadvertently exposed secrets. 

As part of his efforts to stem the tide, Demirkapi hacked together a way to automatically get the details revoked, making them useless to any hackers. In a second strand to the research, Demirkapi also scanned data sources to find 66,000 websites with dangling subdomain issues, making them vulnerable to various attacks including hijacking. 

Some of the world’s biggest websites, including a development domain owned by The New York Times, had the weaknesses. While the two security issues he looked into are well-known among researchers, Demirkapi says that turning to unconventional datasets, which are usually reserved for other purposes, allowed thousands of issues to be identified en masse and, if expanded, offers the potential to help protect the web at large. “The goal has been to find ways to discover trivial vulnerability classes at scale,” Demirkapi tells WIRED. “I think that there’s a gap for creative solutions.”