I am a standard example of an urban middle-class family. I have 2 degrees, one B.Tech and obviously an MBA. I join an MNC with the aim of doing great things, but somewhere down the line I don’t like it. So one fine day I get up and say I will start my own business, and that too an online one. Fair enough!
So I start with the usual stuff: designing my website, getting a coder on board and doing whatever marketing I can with my limited budget. After a year or so I am doing decently enough and people want to join me as employees. Since I am doing everything on my own I am not that smart, as I miss out on things like signing a contract because I feel that an email is a legit enough document. Right? WRONG.
To make things bad, I meet a writer who tells me that she would like to work for me, and when I have paid her dues, she tells me that not only have I NOT paid her dues but I should pay an exorbitant amount for the work she has done for me.
Well, things are not bad yet: a hacker comes on board, sends a nasty email specifying what he is doing and how he will delete all my data and crash my website. Can you believe it, someone I don’t know and have no clue about is threatening to destroy my website? So yes, he has hacked my website and has threatened to put the code online. To think of all the hard work my team has put in.
I want to tell this HACKER something he should know before doing the same to anyone else ever:
- I am not giving up on my baby. You steal, destroy; the idea is mine, no one can take it from me.
- I will fall again and again, I will start from scratch, BUT I WILL NOT EVER EVER GIVE UP.
- You can’t violate me or anything that’s mine!
- You think you are smart enough, but I think you have nothing in your life to do.
- You just wait and watch how we make things bigger and better.
So this post is an earnest request to everyone in the community to let me know how to take legal action against such a person, and secondly, the most important one, what are the safety measures one should take for protecting your website. I wanted to share what I have gone through so that no one else would have to go through it.
Matchmecupid.com is an invitation-only website. We provide customized services to our members.
asha chaudhry
hi mandeep,
this is really unfortunate. listen – pls feel free to reach out to rahul dev – he’s a lawyer member.
https://www.therodinhoods.com/profile/RahulDev
i’m sending him an email as we speak.
Mandeep Kaur
Thanks Asha, I will get in touch with Rahul!
Nishant Agrawal
Can you give us more information on how this guy is trying to hack in? If he’s not a very sophisticated hacker, and is simply exploiting a vulnerability, he can be easily stopped.
Mandeep Kaur
Well, he has spammed the opt-in form (where I take information of a new member) and has added around 4800 entries, which were deleted by the team. This is the link https://matchmecupid.com/new-member, so he has added a lot of entries on this. He informs me that he has my source code and would delete all the social networking links.
Nishant Agrawal
I would suggest the following:
1. Block his IP address. This will work unless he is on a dynamic IP. If he comes from a small city, you might want to consider blocking all traffic from his city. Or you can use session variables or cookies to limit creation of new entries after the first entry.
2. If he has your source code, he would know the flaws and workarounds. However, this doesn’t mean that he can delete or add anything to your database (assuming the data we are talking about resides in a database). Change the username and password for database access.
Mandeep Kaur
Thanks, now can you suggest how to block this on an ongoing basis?
Nishant Agrawal
Are you on shared hosting? cPanel, or Plesk Panel? I think you can block his IP directly through their account interface.
Alternatively, you can use session variables or cookies. If a particular user fills up the form, store a cookie on their computer. If the user comes back to sign up and your program finds the cookie in place, redirect him to some other page. However, the jerk can simply use another PC to sign up. But he can’t use 4800 PCs 😀
Changing the database user / pass should be your priority; but I assume you must have already done that.
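The two throttles Nishant describes above (a per-IP limit and a "you already submitted" cookie), as an added example that is not part of the original thread or the matchmecupid.com code. It assumes a framework-agnostic Python backend that can read the client IP and a cookie from the request; the secret key and the limits are placeholders. The cookie is HMAC-signed so the bot cannot simply forge one, and the per-IP limit is a sliding window, so a flood of submissions from one address is capped regardless of how long it runs. Both layers are deliberate: a dynamic IP defeats a bare IP block, and a cookie can be deleted, which is exactly the weakness the thread points out.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Assumed values for the example. In a real deployment the secret is loaded
# from configuration, never committed, and long and random.
COOKIE_SECRET = b"change-me-to-a-long-random-value"
COOKIE_VALUE = "new-member-submitted"


class SubmissionGuard:
    """Throttle sign-up form submissions by source IP and mark returning
    clients with a signed cookie. Layered on purpose: a dynamic IP defeats
    a plain IP block, and a cookie alone can be deleted by the client."""

    def __init__(self, max_per_window=3, window_seconds=3600, clock=time.time):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.clock = clock                  # injectable for testing
        self.blocked_ips = set()            # manual block list (cPanel-style)
        self._hits = defaultdict(deque)     # ip -> timestamps of accepted submissions

    def block_ip(self, ip):
        self.blocked_ips.add(ip)

    def _within_ip_limit(self, ip):
        """Sliding window: keep only hits inside the window, then compare."""
        now = self.clock()
        hits = self._hits[ip]
        while hits and now - hits[0] > self.window_seconds:
            hits.popleft()
        if len(hits) >= self.max_per_window:
            return False
        hits.append(now)
        return True

    @staticmethod
    def make_cookie():
        """Cookie to set after a successful submission: value + HMAC tag."""
        sig = hmac.new(COOKIE_SECRET, COOKIE_VALUE.encode(), hashlib.sha256).hexdigest()
        return f"{COOKIE_VALUE}.{sig}"

    @staticmethod
    def cookie_is_valid(cookie):
        """True only if the cookie carries the expected value and a valid tag."""
        if not cookie or "." not in cookie:
            return False
        value, sig = cookie.rsplit(".", 1)
        expected = hmac.new(COOKIE_SECRET, value.encode(), hashlib.sha256).hexdigest()
        return value == COOKIE_VALUE and hmac.compare_digest(sig, expected)

    def allow_submission(self, ip, cookie=None):
        """Decide whether this request may create a new member entry."""
        if ip in self.blocked_ips:
            return False, "blocked ip"
        if self.cookie_is_valid(cookie):
            return False, "already submitted"
        if not self._within_ip_limit(ip):
            return False, "rate limited"
        return True, "ok"


def simulate_flood(n=4800):
    """Constructed scenario: a bot at one address posts n times, half a
    second apart. Returns how many submissions the guard accepted."""
    fake_clock = [0.0]
    guard = SubmissionGuard(max_per_window=3, window_seconds=3600,
                            clock=lambda: fake_clock[0])
    accepted = 0
    for _ in range(n):
        fake_clock[0] += 0.5
        ok, _reason = guard.allow_submission("203.0.113.7")  # documentation IP
        accepted += ok
    return accepted
```

In a real handler, `allow_submission` runs before any database write, and `make_cookie()` is set on the response of an accepted submission. The window limit is the part that actually stops the 4800-entry flood; the cookie only catches the lazy case of the same browser returning.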
Mandeep Kaur
Hi Nishant, this is helpful. Can you please share your cell number at jhajjmandeep@gmail.com, so that I can speak to you in detail.
Mandeep Kaur
Thanks Rahul, appreciate the same!
Nitish Mehta
E-mail can be traced. You can just complain to the police, and with the help of an ethical hacker you can trace the email, and that person can get a high penalty and a sentence too. Google Indian IT Act 2000 and 2008; you will have more information. If you need help regarding anything, you can contact me: https://www.nitishmehta.in
Nitish Mehta
Dude, the IPs which we get allocated, i.e. from our ISP (Internet service provider) like Reliance, Tata, Airtel, etc., are dynamic only; just the IPs of servers and VPNs are static.
Nitish Mehta
And yeah, if you want to know the vulnerabilities in your website, I can provide that too.
Nitish Mehta
Use CAPTCHA + email validation + phone validation system.
Mandeep Kaur
Right now, with Nishant’s help, we have put code in place so that a person who has logged in can’t fill in new user details.
Kaushal Bhavsar
I remember it happening to me almost a year back, the same thing. One important point you must remember is that you don’t need to be paranoid about security.
1. Get a vulnerability assessment done for your website.
2. If there are some vulnerabilities, they can be fixed.
3. Security is not a one-time task. It has to be maintained, so you need to keep monitoring things.
But as I said, don’t let this spoil your sleep – hackers that give warning don’t usually attack. And yes, I believe you may not be in a state to go legal about this – it’s a time consuming process and will hurt you in the end.
Mandeep Kaur
Kaushal,
These are good points. I have got great help from Rodinhood community to fix the vulnerabilities.
I guess for a non-coder, it’s important to understand the key checks that should be in place.
Also, can you recommend which CMS one should use?
Kaushal Bhavsar
I would recommend WordPress since the community of WordPress is very active and they give updates as soon as there’s some problem detected. Though it is more of a blogging platform, it can be used as a CMS.
I would encourage you to try various hosted options as well, like rodinhoods.com is on Ning. Ning takes care of the security and backup and all so that the Rodinhoods team can focus on content and community instead.
Let me know the type of website you are building. I think I can help you with the right suggestion.
shashank dixit
Hey, I am an expert in web security and have tested many finance/banking/government websites. I am an ethical hacker. I would suggest going for a security assessment of your website and getting penetration testing of it done.
I can help you a lot on this. Let me know.
Ankit Sawant
Hey Mandeep,
In addition to checking your legal options with Rahul, do get in touch with Defencely. They will surely help you get all the security loopholes on your website fixed, thus preventing any such attack from occurring in future. I got to know Ritesh Sarvaiya of Defencely at Mumbai’s Open House. https://www.therodinhoods.com/forum/topics/defencely-com-india-s-upcoming-effective-cloud-security-services
Regards,
Ankit Sawant
http://www.projectbazinga.in
Mandeep Kaur
Thanks, can you pass me your email id?
Mandeep Kaur
Hey Ankit
Thanks for providing the link, will definitely check it!
shashank dixit
shashank[dot]dixit27[at]gmail.com
Sheth Raxit
You can contact rodinhood Defencely! https://www.therodinhoods.com/forum/topics/defencely-com-india-s-upcoming-effective-cloud-security-services
Amar Jyoti
hi Mandeep, it looks to me like a case of SQL injection attack. I have just tried to submit the form without filling in any data, https://matchmecupid.com/new-member, by disabling JavaScript, and it showed me “Thanks for submitting the details, we will get in touch shortly”! I am not sure how you are handling validation, but if you have not done so yet, please provide server-side validation ASAP. It looks like the site has client-side validation only, though I am not sure about the internal code.
Mandeep Kaur
Hi Amar, we were spammed, so put up a code that a person can’t log in twice. I will get it checked asap.
Nishant Agrawal
Yeah, I saw there was no server-side validation. But it is protected against SQL injections.
Sam
Hi Mandeep,
Sad to hear this, but proper validation shall do the job, and hacking is different from spamming. It seems this guy has used some bot; using CAPTCHA and proper validation and, if possible, a check on valid email shall help you. Keep your validations for empty fields and regex in place; that should help in avoiding SQL injection as well as spamming.
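Server-side validation of the new-member form, as Amar and Sam recommend above, as an added example that is not part of the original thread or the matchmecupid.com code. It assumes a Python backend receiving the form as a dict and uses an in-memory SQLite table as a stand-in for the real database; the field names, regexes and length limit are assumptions. Two points the example makes concrete: the empty submission Amar got through by disabling JavaScript is rejected here because the checks run on the server, and the insert uses a parameterized query, so a value like `x'); DROP TABLE members; --` is stored as a literal string rather than becoming part of the SQL. Field validation and regexes are the right tool against junk and spam, but the parameterized query is what actually prevents injection; relying on filtering alone is fragile. CAPTCHA is left out because it needs an external service.

```python
import re
import sqlite3

# Assumed validation rules for the example form.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?[0-9]{10,15}$")
MAX_LEN = 120


def validate_member(form):
    """Return (cleaned_fields, errors). Runs on the server, so disabling
    JavaScript in the browser does not bypass any of these checks."""
    errors = []
    cleaned = {}
    for field in ("name", "email", "phone"):
        value = (form.get(field) or "").strip()
        if not value:
            errors.append(f"{field} is required")
        elif len(value) > MAX_LEN:
            errors.append(f"{field} is too long")
        cleaned[field] = value
    if cleaned["email"] and not EMAIL_RE.match(cleaned["email"]):
        errors.append("email is not valid")
    if cleaned["phone"] and not PHONE_RE.match(cleaned["phone"]):
        errors.append("phone is not valid")
    return cleaned, errors


def open_db():
    """In-memory table standing in for the site's members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members ("
        "id INTEGER PRIMARY KEY, name TEXT, email TEXT UNIQUE, phone TEXT)"
    )
    return conn


def save_member(conn, form):
    """Validate, then insert with bound parameters (never string-formatted SQL)."""
    cleaned, errors = validate_member(form)
    if errors:
        return False, errors
    try:
        conn.execute(
            "INSERT INTO members (name, email, phone) VALUES (?, ?, ?)",
            (cleaned["name"], cleaned["email"], cleaned["phone"]),
        )
    except sqlite3.IntegrityError:
        # UNIQUE(email) also blunts duplicate spam of the same address.
        return False, ["email already registered"]
    return True, []


def demo():
    """Constructed submissions: empty (JS disabled), valid, duplicate, injection."""
    conn = open_db()
    results = {}
    results["empty"] = save_member(conn, {})
    results["good"] = save_member(
        conn, {"name": "Asha", "email": "asha@example.com", "phone": "+919999999999"})
    results["dup"] = save_member(
        conn, {"name": "Asha again", "email": "asha@example.com", "phone": "+919999999999"})
    results["inject"] = save_member(
        conn, {"name": "x'); DROP TABLE members; --",
               "email": "bot@example.net", "phone": "9876543210"})
    results["rows"] = conn.execute("SELECT COUNT(*) FROM members").fetchone()[0]
    results["stored_name"] = conn.execute(
        "SELECT name FROM members WHERE email = ?", ("bot@example.net",)).fetchone()[0]
    return results
```

The injected name passes validation (it is non-empty and short enough) and is stored verbatim; the table survives because the driver binds it as data. If the real site builds SQL by concatenating form values, that is the line to change first.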
Mandeep Kaur
Hi Sam,
Thanks, have made a note of the same and will get it implemented.
I would really like to thank each and every person who has pointed out the flaws and the solutions. It would be great if someone could write an article on these pointers which could be helpful for the entire Rodinhood community, the way we have PR guidelines. Everyone has a website these days for their business, and mostly it’s designed by non-coders or people who are not savvy with coding. This can be a handy post for them.
Rohan Dias
Hi Mandeep,
*sigh* it’s a small world, fellow rodinhooder :-). The writer in question posted her side of the story along with your info in Blacklist, a Facebook group used to inform fellow freelancers, artists & technicians about nonpayment of dues. Then, an overzealous kid who thinks hacking is cool and nonpunishable by Indian law decided to take matters in his hands.
I’m a member of the group and had a futile argument with the hacker in question for the methods used to recover the alleged unpaid fees of the writer. You should join the group to tell what the truth really is. Let me know if you need to be added there.
Cheers!
Rohan Dias
Digital Quirk
http://www.digitalquirk.co.in
Mandeep Kaur
Hi Rohan
I had a discussion with Rahul and one more lawyer regarding the issue when the writer had posted about it. My lawyer informed me that since I had nothing in writing (as in a contract), there was no way that what I was saying could be proved in court. He informed me that an email is not a valid contract. Hence I didn’t post anything back on the group.
Only yesterday this guy created a fake account in my name and spammed me again. I have reported his email id to Gmail along with the threatening email he had written.
I guess I will join the group and do the needful. However, I am not really sure if it will serve the purpose.
Thanks!
Rohan Dias
Cool. Cheers!
Nishant Agrawal
While I am not a professional lawyer, I know the Indian Contract Act, and nowhere in the whole Act does it say that a contract has to be on a written piece of paper. A contract is an agreement enforceable by law, to quote the precise words. Even an agreement made with gestures (no words, no papers) can be a contract which can be enforced in a court of law.
You might want to consult another lawyer.
I might be wrong here, although I really doubt it. Can someone please refute?
Hardik Shah
Could we check this on another front?
Since there is no contract in place, on what basis is the writer demanding pay from you?
I am a CA by qualification, so I have gone through the Contract Act and stuff. But legally, it could just be a toll. You may want to argue on a different footing altogether. You may also send a strongly worded email to demand a public apology, or else you could sue for reputation. You could send a similar letter to the hacker to stop his activities, or you would file a case of cyber crime against the person.
Probably you can also ask a lawyer to sign it for you. Maybe we can try a bit of threat over here.
And yes, you can legally pursue the above matters if they do not stop at the earliest.
Mandeep Kaur
Hardik, Nishant
I just checked and found the following can be done:
Hardik Shah
Just read through all the comments on the Blacklist group.
I suggest you keep a screenshot of the comments handy. It will back up your other alibis.
And I think you should revert on the group, so that people do not report your page as spam.
Mandeep Kaur
That’s a good point!
Nishant Agrawal
I think you should reply to the facebook post and clear things up.
Mandeep Kaur
Hey Nishant, consulting an online expert for replying.
Rohan Dias
Hi Nishant,
I’m no legal expert but how can a contract not on paper or without any witness be proved in a court of law. Any party can backtrack from a verbal agreement and then it’s a case of he said, she said…
Nishant Agrawal
The lawmakers wouldn’t draft an unjust law simply because it would be difficult to prove a just one in the court of law.
In this specific case, I understand that both the parties have email conversations, which is a sufficient proof.
Rohan Dias
Email conversations can be easily faked. I don’t see them holding any weight as a contract in court.
Nishant Agrawal
This is really pointless.
What is easier?
Forging a signature, or hacking into Gmail servers and altering the data?
Rohan Dias
After reading you need to hack into an email server to alter the data, you’re right, this conversation is pointless.
Nishant Agrawal
So you thought that you could just write to Google and they’d do it for you? or maybe you thought that email data is saved on your PC?
Rohan Dias
Thanks for the clarification, Rahul. Cheers
Nishant Agrawal
There is no way a contract can be enforced in court of law without written (agreement) or oral (witness) evidence.
I can understand why the court would refuse to admit a case which has no evidence. But can’t emails be taken as evidence, even after the amendments in the Cyber Law and Indian Evidence Act? If not, can you justify? Any case laws?
The Indian Evidence Act:
“E-records to be admissible as documentary evidence. (Sections 3, 65A, 65B) – Primary Evidence”
I was also able to dig this out
https://www.lawyersclubindia.com/forum/Email-Proofs-are-Legally-Vali…
Nishant Agrawal
Okay. I pretty much agree with everything said here. Thanks.