Links for 23-01-2012

These are my links for 23-01-2012:

  • Dutch Council on Int’l Affairs’ Advise On Digital Warfare – In December 2011 the Dutch Advisory Council on International Affairs published an advisory (.pdf, in Dutch) entitled "Digitale Oorlogsvoering" (English: "Digital Warfare") intended for the Dutch government. The council describes itself as "an independent body which advises government and parliament on foreign policy, particularly on issues relating to human rights, peace and security, development cooperation and European integration". Its existence originates in Dutch law (.pdf, in Dutch). The council is administratively co-located at the Dutch Ministry of Foreign Affairs.

An Evaluation of the Parliamentary Report on the UID

Recently, a parliamentary committee castigated the UID program as poorly designed and ill planned, as having a very high error rate, and as completely impractical. As explained in this post, the UID is, in fact, quite robust and is guaranteed to provide true positives and true negatives all the time in practice. Even if the technology fails, the UIDAI has drafted processes to ensure that a citizen is not left in the lurch and locked out of the system. A thorough look at the issues shows that the parliamentary committee’s technical objections about the UID, as being unreliable, border on the frivolous.

Criticism 1: The issue of Aadhaar numbers “is riddled with serious lacunae,” and this problem can be traced to conceptualisation “with no clarity of purpose” and implementation in “a directionless way with a lot of confusion.”

As explained here, the entire process, right from registration down to ensuring that the UID numbers in the database are uniquely assigned to biometrics has been carefully planned, including a robust process for de-duplication to prevent abuse of the UID system. All of this indicates that the UIDAI has thought through the various issues and has been transparent in the way it collects all the data and the way in which the system is implemented. The above criticism by the parliamentary committee almost sounds frivolous, as if the committee has not bothered to do its homework correctly.

Criticism 2: The Ministry of Home raised “serious security concerns” over the introducer model used to enrol persons without any proof of residence.

The main problem with this criticism is its presumption that a poor person who has no authenticating documents would have a “proof of residence”. The whole point of the UID is to tag that human being with a unique UID number. What does the Home Ministry plan to do with this person, if they only want people with “proof of residence” to register for the UID? Furthermore, as the UIDAI website explains, many of the poor do not have a proof of residence, and the UID is their ticket to be authenticated, for example when they go to open a bank account or perform any economic activity that requires an additional and 100% reliable means of matching a UID number to a set of biometric information. Banks will use UID as an auxiliary authentication mechanism along with photo ID etc. The natural-born biometrics of these paperless poor are all they need to possess in order to become a part of the system for the rest of their lives.

Criticism 3: The report concludes that the enrolment process “compromises the security and confidentiality of information of Aadhaar number holders.”

As the UIDAI website states clearly, the privacy of the people enrolled is protected because none of the data is ever leaked via the API provided to vendors using the UIDAI’s biometric authentication services. Secondly, the Aadhaar number need not be protected. Knowing the number alone is not enough to steal the identity of another person or leak any of their information. Why? Because one would have to mimic the biometric information of another person in order to use their UID number. This is why the UID is a robust scheme for authenticating a person, by mapping them to a UID number. In fact, this scheme protects the privacy of the citizen by allowing vendors who want to use the UIDAI’s services. How? When organizations such as banks and security services need an auxiliary foolproof means of authenticating the identity of a person, they can do so by linking their software to the UID databases. Their software will contact the UID server to get a “yes”/“no” answer to the question: “Does this UID number match the biometric information presented with it?”, and use this as an auxiliary means of authenticating the identity of a person in their premises. The UID will be used along with photo IDs and other means of identification, all of which together will establish the identity of the individual beyond a doubt.

Criticism 4: the UID has far reaching consequences for national security [because of the possibility] of possession of Aadhaar numbers by illegal residents through false affidavits/introducer system.

As the UID website says, all that the UID is doing is assigning a unique UID number to each Indian, based on the fact that every Indian has a unique biometric signature.

Criticism 5: the SCoF comes down heavily on the government for proceeding with the project without “enactment of a national data protection law,” which is a “pre-requisite for any law that deals with large-scale collection of information from individuals and its linkages across separate databases.”

The UID is designed to only assign a unique number to every Indian. All the separate databases can keep their own data. They have the option of using the UIDAI’s services as an auxiliary means of authenticating if they so require. The UID is not a means to determine the citizenship status of a person or their residency status in the country, it is only a means to identify a human being accurately via a single, unique 12-digit number.

Criticism 6: the report strongly disapproves of “the hasty manner” in which the project was cleared. It concludes that a “comprehensive feasibility study…ought to have been done before approving such an expensive scheme.”

This just seems like a vague excuse to delay the implementation of anything at all. The fact of the matter is that biometrics is a proven technology that solves a very difficult problem for India: including more and more poor and economically backward Indians into the Indian economy. It can all start only when the nameless faceless poor acquire an identity bound to a unique 12-digit UID number and their own biological uniqueness. Furthermore, if the citizen can no longer use a UID number, or if the citizen’s biometric information has changed, all that needs to be done is assign a new unique UID number to the citizen, and invalidate the old UID number.

Criticism 7: This conclusion follows the government’s admission to the SCoF that “no committee has been constituted to study the financial implications of the UID scheme,” and that “comparative costs of the Aadhaar number and various existing ID documents are also not available.”

Unless the comparative ID schemes can provide the 100% true positive and true negative reliability that the UID provides, this is a vacuous criticism. The committee needs to spell out what other schemes they have in mind and demonstrate those schemes also have an equal degree of reliability.

Criticism 8: The total cost of the Aadhaar project would run into multiples of ten thousand crore of rupees. For just Phase 1 and 2, where 10 crore residents were to be enrolled, the allocation was Rs. 3,170 crore. For Phase 3, where another 10 crore residents are to be enrolled, the allocation is Rs. 8,861 crore. In a rough extrapolation, for 120 crore residents the total cost would then be over Rs. 72,000 crore. Is the Comptroller and Auditor General listening?

The MGNREGA scheme is a pure expense scheme that has zero return on investment and costs the government lakhs of crores of Rupees. The UIDAI is eventually planned to be self-supporting once banks and private organizations pay for the UIDAI’s services as an additional means of authenticating the identity of the customers of such organizations. The UID benefits the nation by cutting down on fraud and providing the poor a means to open a bank account and to otherwise participate in the economy. Those kinds of benefits are well worth the initial costs, costs that will be recovered in the long term, once more and more organizations buy and use the services of the UIDAI. Surely the parliamentary committee does not think that government organizations that can support themselves are bad for governance, or does it?

Criticism 9: the report tears apart the faith placed on biometrics to prove the unique identity of individuals. It notes that “the scheme is full of uncertainty in technology” and is built upon “untested, unreliable technology.”

Given that biometrics is not only proven technology, but that it is trusted by law enforcement officials, the above objection by the committee is just plain wrong. Justice systems worldwide consider fingerprints and DNA matching admissible evidence in court to support claims of presence of an individual at the crime scene, based on fingerprint (or DNA) matches with a high degree of certainty. The parliamentary committee is entitled to its own opinions, but it is not entitled to its own facts.

Criticism 10: It criticises the UIDAI for disregarding (a) the warnings of its Biometrics Standards Committee about high error rates in fingerprint collection; (b) the inability of Proof of Concept studies to promise low error rates when 1.2 billion persons are enrolled

A simple calculation such as the one here shows that the error rate for the UID, in terms of maintaining the uniqueness of biometrics in the UID database, is around 10^-30, or odds of 1 in 10^30. This is an extremely low error rate, and can be considered close to zero for all practical purposes.

Criticism 11: (c) the reservations within the government on “the necessity of collection of IRIS image.” The report concludes that, given the limitations of biometrics, “it is unlikely that the proposed objectives of the UID scheme could be achieved.”

The Committee cannot just make vague statements about “the limitations of biometrics” and pretend that is a valid argument against the UID. Can Mr. Yashwant Sinha and the rest of the parliamentary committee spell out to the public what these limitations of the biometrics are and how they result in a high error rate? Surely, if Mr. Yashwant Sinha and his committee want to cancel the UID based on such technical objections, they need to back up their objections with facts.

Existing facts say that all the technical objections by the Parliamentary committee are poorly thought out, and demonstrate a lack of understanding of the scope and usefulness of the UID project in streamlining processes in governmental and private organizations in India.

Surely, a nation that often complains about rampant, runaway corruption in the system should welcome such a means for cutting down on waste and fraud, shouldn’t it?

How Dependable and Accurate is the UID Authentication Scheme?

Biometric identification has become a core part of national security in many nations around the world, and is expected to be the standard for the foreseeable future. The trust placed by governments in biometric schemes stems from the notion that every human being has unique physical characteristics, such as fingerprints or iris signature. The idea is to capture these unique physical features and encode them in a format that can be processed by computers. The UID project’s main goal is to identify every Indian’s biometrics with a unique number assigned to each citizen by the UIDAI — the UID number.

When a Citizen registers with one of many registrars partnering with the UIDAI, the Citizen’s biometrics, signature, and other information are collected and a temporary number is assigned, along with a receipt acknowledging submission of the information to the UIDAI. The entire process is detailed in the UIDAI web page. At the time of registration, a temporary UID number is provided to the Citizen, with a permanent number later mailed to the applicant once appropriate verification and uniqueness of biometric data have been determined. How do we know that best effort has been made to ensure that data in the UID database is correct and not falsified? This question is especially important, given that preventing fraud is one of the stated goals of the UID project. It is important to note that an enormous number of Indians simply do not have any form of identification that can be presented to Registrars. This is clearly a loophole that can be exploited by those who want to cheat the system by registering the same person multiple times with different Registrars. This raises the importance of the issue of detecting and eliminating fraudulent use of the system.

The Registration Process: When a Registrar inputs a UID user’s data to the UID’s Central ID Repository (CIDR) servers, the user’s biometrics are compared with existing biometrics in the UID database to ensure that the biometric data does not already exist — a process that has been referred to as de-duplication. This is handled by the Fraud Detection Application (FDA) that takes care of the following types of fraudulent usage: misrepresentation of information, multiple registrations by the same person, registration for non-existent residents, or impersonation, as specified on the UIDAI web page. All of these problems boil down to identifying more than one applicant in the UID database with matching fingerprints and matching iris image biometrics, at a minimum. That is, both these biometrics need to match with a high degree of accuracy in order for an entry to be flagged as a match with an existing entry in the UID database. Note that the iris prints are from both eyes, and in every human, these prints are completely different for the two eyes. Note that the registrars operate independently, scanning this biometric information and then entering the data into the CIDR from a remote terminal, and this is why temporary numbers are assigned at the point of registration.

In an analysis of the UID registration process, it is noted that the UIDAI’s official statistics show that they registered (at the time of the analysis) 25900000 individuals of which 20050 were determined to be duplicate registrations. These duplicate registrations were determined by a “multi-modal de-duplication scheme”. The scheme is “multi-modal” because it takes into account multiple biometric modes: fingerprints and iris scan. However, a look at the open complaints page in the UIDAI web page shows only a handful of complaints, and none of them major in terms of denied identity, as would have to be the case for one of the 20050. This is a testament to the fact that the de-duplication scheme of the UIDAI is doing the job it is intended to do. Specifically, these UIDAI registrations were flagged as duplicate registrations and rejected because the FDA determined a match in multiple biometric modes, to a high degree of certainty. In this case, the newly input user data matched another entry in the UID database with a high degree of certainty, in both fingerprints and iris scan. Once the UIDAI has processed an entry through the FDA, and it is determined to be a unique print as per an online multi-modal search and/or offline search, then the process of de-duplication is essentially complete and a permanent UID number is assigned to the resident. Note that the UID is 12 digits and this can identify about 1000 times as many Indians as currently exist today. It should be noted that the UIDAI has meticulously noted the process for processing UID deliveries to applicants.

As mentioned earlier, biometrics are unique, and secondly, both fingerprint and iris signatures do not change with age and are constant throughout a person’s life. This is the reason why biometrics can be taken for very small children for a UID number, because the UID technology can adjust for the physical size of the fingers by normalising the image before comparison. In the case of the eyeballs, it is a fact of human physiology that the eyeballs of an individual remain the same size throughout their lives.

The only way for a person to fool the UID system into accepting more than one entry in the UID database is by presenting multiple biometrics that do not match in all modes, one for each fraudulent UID number. Biometric attributes cannot be faked any more than a person can change their own DNA, as a person’s DNA determines the ridges in their iris and the prints on their extremities. Biometric matches can be used as evidence in court in most countries with such forensic technologies at their disposal. Fingerprint matching is done by examining the spatial separation of various unique characteristics of the ridges, loops and whirls on every human’s fingers. The same applies to the 360 degree 3D maps of the irises in both eyes, which are both unique. The probability of the biometrics of all fingerprints and both irises matching for two humans due to the limitations of the biometric system is small enough that it may be assumed to be zero.

To see why this is the case, assume that a matching print on any finger is independent of a matching print on any other finger, i.e., they are independent events in the probabilistic sense. Now, the probability of a fingerprint match giving a false positive could be some number, say p, which is the percentage of times on average that a finger is matched positive when it should not have been. Similarly, let ii be the probability of a false positive match in one eye. Now, the cumulative error rate for the de-duplication system employed by the UIDAI is the product of the error rate for comparing fingerprints from one hand (denoted by error rate p per finger) and the error rate per iris (denoted by ii), i.e., p^5*ii^2, where ^ is the exponent symbol. The error rate, also known as the Error Crossover Rate (ECR), is 1 in 131,000 for iris scan and 1 in 500 for fingerprinting. False acceptance rates are very low for iris scans, and both false positives and false negatives are difficult to produce, both for fingerprint and iris recognition. Now, substituting 1/500 and 1/130000 for p and ii, we can see the probability of an error in the multi-modal de-duplication, where the fingerprint and iris biometrics are compared to create a score between 1 and 100 as to the closeness of the match. Note that the cumulative error rate is (0.002^5)*((7*10^-7)^2), which equals approximately 10^-30 (or 1 in 10^30). The entire population of the world right now is around 6*10^9. The implication of this low cumulative error rate in the de-duplication process is that all 20050 applicants flagged as duplicates or fakes were, in fact, all fraudulent UID applications. In a way, it proves the effectiveness of the UID system as a robust authentication mechanism.
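The calculation above, carried through as an added example (not part of the original post): it evaluates p^5*ii^2 exactly from the quoted rates of 1 in 500 and 1 in 131,000, then goes one step beyond the text by scaling that per-comparison figure to a 1:N de-duplication search. The function names are illustrative, the independence of fingers and irises is the post's own assumption, and the database sizes are the 25900000 registrations and 1.2 billion persons mentioned on this page.

```python
import math
from fractions import Fraction

# Per-sample false-match rates as quoted in the post.
FINGER_RATE = Fraction(1, 500)      # p: "1 in 500" for fingerprinting
IRIS_RATE = Fraction(1, 131_000)    # ii: "1 in 131,000" for iris scan


def combined_false_match_rate(p=FINGER_RATE, ii=IRIS_RATE, fingers=5, irises=2):
    """Rate at which ONE pairwise comparison falsely matches in every mode.

    Implements the post's formula p^fingers * ii^irises, which is valid only
    under its assumption that all samples are independent. Exact arithmetic
    (Fraction) avoids rounding in the intermediate powers.
    """
    return p ** fingers * ii ** irises


def naive_false_match_on_enrolment(q, enrolled):
    """1 - (1 - q)^N written directly in floating point.

    Shown as the failure mode: for q below about 1e-16, (1 - q) rounds to
    exactly 1.0, so this returns 0.0 no matter how large N is.
    """
    return 1.0 - (1.0 - float(q)) ** enrolled


def false_match_on_enrolment(q, enrolled):
    """Probability that a new applicant falsely matches at least one of
    `enrolled` existing records: 1 - (1 - q)^N.

    log1p/expm1 keep the tiny value that the naive form rounds away.
    """
    return -math.expm1(enrolled * math.log1p(-float(q)))


def expected_false_matches(q, population):
    """Expected number of false matches while enrolling `population` people
    one after another; every new record is compared with all earlier ones,
    giving N(N-1)/2 pairwise comparisons in total.
    """
    pairs = population * (population - 1) // 2
    return float(q * pairs)


if __name__ == "__main__":
    q = combined_false_match_rate()
    print(f"per-comparison rate p^5*ii^2 : {float(q):.3e}")
    for label, n in (("25900000 registrations", 25_900_000),
                     ("1.2 billion persons", 1_200_000_000)):
        print(f"{label}:")
        print(f"  naive 1-(1-q)^N           : {naive_false_match_on_enrolment(q, n):.3e}")
        print(f"  stable 1-(1-q)^N          : {false_match_on_enrolment(q, n):.3e}")
        print(f"  expected false matches    : {expected_false_matches(q, n):.3e}")
```

The per-comparison rate is a property of one pair of records; what de-duplication exposes an applicant to is the 1:N figure, which grows with the size of the database and depends entirely on the independence assumption holding.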

Also, in the analysis of the error rate in the CIS paper, the random variable Y can be considered a constant, specifically zero, given the really low false positive and false negative rates for biometric schemes. This, in turn, implies that the UIDAI uses a very stringent de-duplication algorithm and thus guarantees that every biometric in the UID database is uniquely mapped to a 12-digit UID number. Also, the random variable X is redundant, since we do not expect the biometrics of any two entries to match. Further, let us recall that in the registration process, the Fraud Detection Application detects and rejects applications where there is a match in the biometrics. I believe these and other safeguards employed by the UIDAI guarantee unique biometrics in the UID database.

What happens if a Citizen is locked out of the UID database? The Citizen must first contact the UIDAI on the website and explain they have been locked out. When that is done, they can be assigned a new UID number and the old UID number can be disabled, so that it no longer exists in the UID database. None of this means that the UIDAI or the system is infallible. Citizens groups and NGOs such as CIS should question the precautions taken for physical safety of the UID servers, both from criminals and from even the employees of UIDAI themselves. It is a continuous process, requiring constant vigilance on the independent functioning of the UIDAI, without interference from government or bureaucrats or politicians. Such independence is essential and of utmost importance in retaining the trust of the Citizen in the UID system.

Links for 16-12-2011

These are my links for 16-12-2011:

  • A Few Chinese Hacker Teams Do Most US Data Theft – ABC News – As few as 12 different Chinese groups, largely backed or directed by the government there, do the bulk of the China-based cyberattacks stealing critical data from U.S. companies and government agencies, according to U.S. cybersecurity analysts and experts.

Was India Behind Stuxnet?

Why not? Why should we miss out on the party fun?

First it was the Americans and then the Israelis and then the joint US-Israel angle and now, we have the Russians as suspected makers of Stuxnet. Now, I ask you, why not the Indians? Don’t bother to answer, it was a rhetorical question – I know the odds against it!

On a more serious note, the article linking Russians to Stuxnet does everything except link them. It goes on to provide a good old Cold War story of why the Russians would want to sabotage the Iranian nuclear program

“their companies’ profit margins will benefit as long as the Iranians keep Russian scientists and engineers in country, who can oversee Iranian nuclear progress”

and why they would rather let the Americans and Israelis be given the credit

“its designers wouldn’t want it traced back to the Kremlin, and so it would have to appear as if it were a clandestine operation by an adversary that didn’t have access to the gateway entry points”

It even goes on to speculate on Russian expertise

“Russian scientists and engineers are familiar with the cascading centrifuges whose numbers and configuration – and Siemen’s SCADA PLC controller schematics – they have full access to by virtue of designing the plants.”

What is missing, of course, is the tiniest shred of evidence supporting this claim or even circumstantial evidence that Russia possesses enough cyber power to carry out such a well orchestrated cyber attack.

Duqu: an indicator of the next Stuxnet?

The December 2011 issue of Pragati carries an article titled “Duqu: an indicator of the next Stuxnet?” by yours truly, reproduced below.

The Stuxnet worm was first reported in June 2010 and was credited with several exploits, including sabotaging the Iranian nuclear reactors and possibly even causing the malfunction of the INSAT-4B communication satellite. Now, more than one year on, security experts think that they have stumbled upon a worm that is being described as the precursor to the next Stuxnet and potentially written by the same people who wrote Stuxnet, or at least by someone who had access to the source code of the Stuxnet worm.

Named Duqu, the worm was first reported by the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary on 1st September 2011. The name given to the worm came about due to the “~DQ” prefix that was given to the files it created on the system that it infected. Further analysis by Internet security firm Symantec revealed that the worm may have been in the wild since November 2010 and has so far infected computers in eight countries, including India, and potentially four more.

Just like Stuxnet, Duqu makes use of a 0-day vulnerability against Microsoft to exploit the operating system and stealthily install the components of the worm. Also like Stuxnet, it installs a driver with a valid digital signature; the digital certificate used for this seems to have been stolen from a company in Taiwan.

However, the similarities do not carry over to the suspected intention of the worms. It is now accepted that Stuxnet was written with the intention of compromising industrial control and monitoring systems, often called Supervisory Control and Data Acquisition (SCADA) systems, and was specifically targeted at the Iranian atomic program. Duqu, by contrast, is believed not to contain any code related to industrial control systems and to be primarily malware designed to give the attacker complete remote control over the compromised machine, often termed a Remote Access Trojan (RAT). It is also believed to install malware that records keystrokes and collects other system information from the compromised machine. The attackers were most probably looking for information that could be used in a future attack, hence the description of Duqu being a “precursor to the next Stuxnet.” It does make one wonder as to what we may have missed that was the real precursor to the Stuxnet worm.

Other than the fact that machines in India have been infected with the Duqu virus, there is another curious connection to the Indian cyberspace. Malware like Duqu uses external Command and Control (C&C) servers as a means for the attackers to remotely control the malware, for example to download new executables onto the infected machine, exfiltrate sensitive information from it, update the malware itself and sometimes even to destroy or deactivate it. One of the only three C&C servers identified for Duqu was hosted on the IP address 206.183.111.97. This IP address and the virtual private server (VPS) that it belonged to were being hosted by Web Werks, a Mumbai-based hosting company. According to the company, the VPS belonged to a client in Milan, Italy, and because it was a system that was being managed by the client itself, Web Werks did not have any control over what was running in it.

According to reports, officials from the Indian Computer Emergency Response Team (CERT-In) have obtained an image of the VPS before taking it offline. Interestingly, there is no mention of the operation anywhere on CERT-In’s website and officials have refused to comment on the development as it pertains to ongoing investigation.

Getting hold of the C&C servers, however, doesn’t seem to have done the investigators a whole lot of good. Recent reports from Symantec indicate that all three C&C servers, including the one hosted at Web Werks, had been set up to forward all the traffic from the worm to other servers, making the final endpoint of the C&C chain hard to pinpoint.

The last few years have seen a drastic uptick in incidents related to cyber crime, and the cases of Stuxnet and Duqu have shown us that the new generation of malware is being continually honed for purposes that go beyond pranks, notoriety or money.

Stuxnet opened the Pandora’s box and there is no closing it.

Cost of cybercrime

Assessing the cost of cybercrime is extremely hard, not just because of the nature of the crime, the differing definitions and actors involved but also because of the hype cycle surrounding the area and the inflated numbers thrown out. Kings of War takes to task the cost estimate of £27 billion provided by the UK Cabinet Office and Detica.

While I completely agree with the view that the £27 billion figure looks inflated, some of the counterpoints stated in the post are also weak.

“The figure of £30 million damage is to be contrasted by the worldwide market of scareware estimated at £114 million. The UK would therefore represent 26% of the share of this market for an online population representing only less than 2% of the global online population. Why the discrepancy?”

“2%” of global population does not say much. It might seem like a small number when compared to the “26%” market share but other factors need to be considered. For example, China and India occupy a good percentage of the global online population but that population may not really care when a scary message prompts them to buy a (fake) anti-virus software. Even if they care, the default mode of operation could be different from clicking on a link and spending money online to buy the anti-virus. I have no concrete numbers to provide nor any specific study to quote, however given first hand experience, I would be surprised if I am too far off the mark. A little knowledge is dangerous and it applies to cybersecurity as well.

“And regarding consumer data loss: all the 3 legal cases in 2010 where the Computer Misuse Act 1990 was invoked concerned a breach of confidentiality, and no data were deleted. Thus the cost of consumer data loss reported to the police would be zero.”

Consumer data may not have been deleted but given that confidentiality has been breached, it is naive to think that the cost of the data loss would be zero. For example, if my credit card details were compromised (but not deleted), I would have to go through the motion of reporting it, getting it revoked, replacing it etc. Of course this would mean costs imposed on the credit card company too. These can add up very quickly.

All these discussions go on to show that guesstimating the (real) cost of cyber crime is not an easy task and therein lies a big problem – if one cannot estimate such a number then one cannot set aside an appropriate budget for fighting the crime. After all, security is a lot about economics.

Links for 26-11-2011

These are my links for 26-11-2011:

Links for 25-11-2011

These are my links for 25-11-2011:

  • Cyber Security Strategy | Cabinet Office – The new Cyber Security Strategy was published on 25 November 2011. It sets out how the UK will support economic prosperity, protect national security and safeguard the public’s way of life by building a more trusted and resilient digital environment.
  • Cyberwarfare and its damaging effects on citizens – The paper analyzes the damaging effects, in terms of loss of human lives, that a hypothetical cyber-war or individual acts of cyberwarfare could cause to citizens of a nation under attack.

Links for 17-11-2011

These are my links for 17-11-2011:

  • Geneva Convention-like pact is required on cyber security – Home – livemint.com – Ross Perot Jr, the son of an American billionaire who twice ran unsuccessfully for the office of the President of the US, talks about the importance of having a secure cyberspace for digital commerce, the need to have a Geneva Convention-like agreement on cyber security and the disagreements between nations on a common global framework. India will host the third global conference on cyber security next year.

    Repeat after me – cybercrime != cyberwar