Author Archive | Srijith

The “mirror” effect

The National Security Council Secretariat of GoI seems to be claiming that the Executive Order issued by the US President on February 12, titled “Improving Critical Infrastructure Cybersecurity”,

in many respects mirrors the initiatives taken by India in its document on framework of cyber security.

A document issued by security brass of the country, which was reviewed by ET, cites at least 12 instances where the US order mirrors India’s cyber security framework that was drafted in 2011. These include setting out a cyber security policy, defining critical infrastructure, information sharing between departments and protection of civil liberties.

Reading this, two things jump out – the insecurity that this claim projects, and the fact that frameworks and plans like these are not even worth the cost of the paper they are written on [1] if they are not put into practice. Given that the GoI’s National Cyber Security Policy (Draft PDF) wants the CERT-IN to

act as a nodal agency and co-ordinate all matters related to information security in the country

we shouldn’t expect getting out of this self-dug pit any time soon.


[1] Yup, I said “paper” because, you know what, a lot of GoI reports and documents are scans of printed documents!


Moving feed away from Google Feedburner

It is high time to move away from Google Feedburner. If you have already subscribed to feeds of Vyuha, please edit the subscription to point to the locally hosted http://vyuha.nationalinterest.in/feed/. By the end of next week, the feed hosted by Feedburner will be deleted and redirected to the feed mentioned above.

Sorry for the inconvenience, but we think that, overall, this is in the best interest of everyone, especially the subscribers.


GoI bars international vendors from National Optical Fiber Network project

After the Centre for Development of Telematics (C-DoT) submitted a memo to the Government of India to bar the Chinese network vendors Huawei and ZTE from bidding in the Rs 20,000-crore roll-out of the national optical fiber network (NOFN) project, the Government has decided to heed the advice and bar all international vendors from the project.

The DoT has decided that it will be going ahead with a 100 per cent domestic sourcing and has released a list of certified GPON suppliers. (…) Local companies that made it to the certified list include Tejas Networks, Prithvi Infosystems, Center for Development of Telematics (C-DoT), VMC Systems, Sai Systems, United Telecoms, and SM Creative.

This follows the decision by the US House Intelligence Committee, which branded ZTE and Huawei a national security threat:

The House Intelligence Committee said that after a yearlong investigation it had come to the conclusion that the Chinese businesses, Huawei Technologies and ZTE Inc., were a national security threat because of their attempts to extract sensitive information from American companies and their loyalties to the Chinese government.

While it is good that the GoI decided to look beyond the Chinese companies when considering possible threats, the question it raises is: isn’t it turtles all the way down? Is it certified that the local companies will use 100% indigenously developed components, and if not, why is it better to prefer an “Assembled in India” sticker?

The NOFN project is a high-investment, long-term project that will power the infrastructure of India’s network for some time to come. So it is prudent for the GoI to tighten the security, but it cannot be an isolated event. Nor is it viable to blanket-ban all foreign companies and technologies from such infrastructure and other sensitive projects. I hope someone higher up is thinking and acting seriously on an Information Assurance program within the scope of Critical Infrastructure Protection.


Stuxnet – chickens come home to roost?

General William Shelton, who heads Air Force Space Command and oversees the Air Force’s cyber operations, comments that Iran will be a “force to be reckoned with” in the future, now that it has perceptibly strengthened its cyber defence and offence capabilities in the wake of the Stuxnet attacks.

“The Iranian situation is difficult to talk about,” Shelton told reporters. “It’s clear that the Natanz situation generated reaction by them. They are going to be a force to be reckoned with, with the potential capabilities that they will develop over the years and the potential threat that will represent to the United States.”

Have the chickens come home to roost, or is this just more warmongering to get yet more defense budget share?


NSCS’ cyber security policy

Another week, and it seems it is time for another “cyber security policy” from a GoI body. This time it seems to be the National Security Council Secretariat (NSCS), which has reportedly

come up with a comprehensive cyber security policy for upgrading the security of systems and preventing them from being hacked, attacked with malware, or intruded upon by hostile entities.

Details are sketchy, which is not a surprise. Only Hindustan Times is reporting the story, and what they say is:

the plan has three components that demarcate task and authority. The existing Indian Computer Emergency Response Team (CERT-IN) will be tasked to handle the commercial aspects of cyber security, including 24×7 proactive responses to hackers, cyber-attacks, intrusions and restoration of affected systems.

The second aspect of the cyber plan is the creation of a technical-professional body that certifies the security of a network to ensure the overall health of government systems. While NSCS is advocating that initially the certification of networks could be done by private agencies, the long term plan is to create a technical body of professionals, all under 40, who will form the backbone of Indian cyber security.

The third aspect of the plan is cyber defence of critical infrastructure networks that are vulnerable to hostile foreign governments or proxy entities.

This seems eerily similar to the Ministry of Information’s “National Cyber Security Policy” Discussion Draft (pdf) that was issued around this time last year. We at Takshashila had responded (pdf) to that earlier invitation for comments, and from the looks of it the issues raised then still plague this policy too:

(3) Orphan Policy. Cyber security cannot be considered in a silo. Cyber security – the business of safeguarding a country’s networking and technology infrastructure, and electronic information – is a subset of national security and a cyber security policy must be congruent to a national security policy. However, as India does not have a national security policy, the cyber security policy identified in the draft is effectively a “policy orphan.” As a result, significant gaps could exist between this policy document and what different ministries, departments and agencies assume might be India’s national security goals and priorities. While we agree that this is not something that can be remedied at one go, the orphaned nature of the cyber security policy should be recognised and its implication studied and understood.


Use of private companies in cyber operations

US Homeland Security Secretary Janet Napolitano’s recent comment that the administration has and will consider the participation of private companies in “proactive” cyber “counterattacks” has received its share of attention:

In discussing the private partnerships she is promoting to combat cyberattacks, Napolitano was asked if instead of just taking defensive measures, the government and companies should be launching proactive counterattacks against foreign-based culprits. “Should there be some aspect that is in a way proactive instead of reactive?” she responded, and then answered her own question with “yes.” She added, “it is not something that we haven’t been thinking about,” noting someone else had raised the subject with her earlier Monday.

Before analysing this development and the concept in general, it needs to be stated that there seems to be some ambiguity, at least in my mind, about the statement(s) by Napolitano. Her use of “proactive” and “counterattack” together, as reported by the San Jose Mercury News, seems confusing, since “proactive” is a term that is usually used along with the concept of “defense.” In risk management lingo, ‘proactive’ denotes taking the initiative by acting rather than reacting to threat events, while ‘reactive’ actions respond to past event(s) rather than predicting and acting before these perceived events. Thus “proactive” gels well with “defense”, which in military literature refers to the art of preventing an attack, to mean the act of defending against an imminent attack by taking action before the attack has happened. This flies completely against the concept of counter-attack, which is about, duh, countering an attack that has already happened, something that automatically classifies the act as reactive.

My guess is that Ms. Napolitano did mean counter-attack, but by “proactive” she was trying to emphasise that the reaction from the US will not be limited to acts of defense but will include counter-offensive moves. Either way, I did end up smiling when I read the double negative that Ms. Napolitano used:

“Should there be some aspect that is in a way proactive instead of reactive?” she responded, and then answered her own question with “yes.” She added, “it is not something that we haven’t been thinking about,” (…)

Now that my confusion regarding the use of “proactive counterattack” is out in the open, let us get to the main point of discussion – the use of private companies in proactive cyber attacks by nation states. In traditional military engagement, private military companies have long been used to supplement the operational capability of the nation state’s army. In recent years the role has increasingly moved from support of military personnel in areas like security of the military base, protecting convoys etc., to a more traditional role played by active military personnel as part of an active war operation. The case of Academi (previously Blackwater) is a prime example of such private military companies.

The reasons have been numerous. Cost is the obvious one, but not the main one, which is to avoid the scrutiny, including Congressional oversight in the US, that seems to be reserved for the military personnel of the nation-state. A similar reasoning can be used within cyberspace as well. Private companies engaged in cyber operations, regardless of their nature (defensive, offensive, counter-attack, proactive), can be set up to evade deep scrutiny and congressional oversight. This gives them the flexibility to be a lot more liberal about the means and mechanisms used, without having to worry about repercussions.

The practice also provides a good means to exploit the attribution problem, which has so far been an issue rather than a way out for the US (pdf). By engaging private civilian companies, it becomes harder for the subject of the attacks to concretely state that they were indeed targeted by the US. Even if they did, the fact that the attacks cannot be traced back to having originated from the networks of the US military complex gives the US enough excuses to assert that it was not aware of, nor authorised, such attacks. Such a setup has been used with good results by the Chinese and the Russians.

In the narrower context of counter-attacks, the cyber domain differs from the domains of land, sea, air and space in a crucial way: the conduits/medium used for the attacks, the networks consisting of the backbone of routers, cables and other physical and software-based systems, are owned by private companies. In each of the four traditional domains, the conduit of attack (land, sea, air and space respectively) is usually owned, at least in the extended sense of the word, by the nation state that is attacking or being attacked. This makes it easier to construct a case for involving private companies, since after all they are direct front-line casualties in the event of an attack.

Another reason is of course the simple practical fact that the talent pool of experts expands drastically if private companies are also considered part of the “recruitment” space. Cyber is the only domain in the list of five where the private sector holds a big share of capable, qualified individuals who can provide service in these operations. Public-private partnerships just make sense.

The wholesale hiring of “ethical hackers” by NTRO, as reported by news outlets, provides a seemingly similar setup in India, with the crucial disadvantage that these “hired helps” are still directly associated with NTRO, and hence NTRO can and will be held accountable for their actions, negating some of the crucial advantages of using private companies/individuals. What is needed is a deeper and longer-term relationship between the government and private companies that makes defending the infrastructure that they both rely on the central theme, and that works on means to do that, be it defensive postures or offensive gestures.

There are of course risks involved. The command structure gets blurred when the military structure merges with the private sector, and without one, controlling these private parties becomes a risky process that cannot be taken for granted. This has been seen again and again in cases related to Blackwater. What if an unapproved action on the part of the private contractor is judged as an act of war by the other party and leads to a confrontational situation? A similar situation can arise when the wrong magnitude of (counter)attack force is applied, accidentally or otherwise, by these third parties.

All this points to the fact that the use of private companies in cyber operations is tactically a good move and, some would argue, a necessity. However, it cannot be done at the drop of a hat, since the “rules of engagement” are bound to be fickle in such symbiotic associations.

“The SOPA learning”

A “Perspective” piece titled “The SOPA learning” in the April 2012 edition of Pragati, the publication of the Takshashila Institution:

Imagine a makeshift stall peddling pirated CDs, DVDs and other mediums of music, movies and software. Now imagine a new law that tries to put the stall out of business by disrupting the transport service that takes people to the store, preventing the banks from processing the money that the stall owner tries to deposit and preventing the stall owner from using the stall for any other revenue generating work. Translate this into the online world and you get a rough idea of the scope of the “Stop Online Piracy Act” (SOPA) bill that was introduced in the US House of Representatives and the equivalent “PROTECT IP Act” (PIPA) bill that was introduced in the US Senate in late 2011.

(…)

Head over there and post your comments, or of course, put them down here too.


Was India Behind Stuxnet?

Why not? Why should we miss out on the party fun?

First it was the Americans, then the Israelis, then the joint US-Israel angle, and now we have the Russians as suspected makers of Stuxnet. Now, I ask you, why not the Indians? Don’t bother to answer, it was a rhetorical question – I know the odds against it!

On a more serious note, the article linking the Russians to Stuxnet does everything except link them. It goes on to provide a good old Cold War story of why the Russians would want to sabotage the Iranian nuclear program:

“their companies’ profit margins will benefit as long as the Iranians keep Russian scientists and engineers in country, who can oversee Iranian nuclear progress”

and why they would rather let the Americans and Israelis be given the credit:

“its designers wouldn’t want it traced back to the Kremlin, and so it would have to appear as if it were a clandestine operation by an adversary that didn’t have access to the gateway entry points”

It even goes on to speculate on Russian expertise:

“Russian scientists and engineers are familiar with the cascading centrifuges whose numbers and configuration – and Siemens’ SCADA PLC controller schematics – they have full access to by virtue of designing the plants.”

What is missing, of course, is the tiniest shred of evidence supporting this claim, or even circumstantial evidence that Russia possesses enough cyber power to carry out such a well-orchestrated cyber attack.

Duqu: an indicator of the next Stuxnet?

The December 2011 issue of Pragati carries an article titled “Duqu: an indicator of the next Stuxnet?” by yours truly, reproduced below.

The Stuxnet worm was first reported in June 2010 and was credited with several exploits, including sabotaging the Iranian nuclear reactors and possibly even causing the malfunction of the INSAT-4B communication satellite. Now, more than one year on, security experts think that they have stumbled upon a worm that is being described as the precursor to the next Stuxnet, potentially written by the same people who wrote Stuxnet, or at least by someone who had access to the source code of the Stuxnet worm.

Named Duqu, the worm was first reported by the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary on 1st September 2011. The name given to the worm came about due to the “~DQ” prefix that was given to the files it created on the system that it infected. Further analysis by Internet security firm Symantec revealed that the worm may have been in the wild since November 2010 and has so far infected computers in eight countries, including India, and potentially four more.

Just like Stuxnet, Duqu makes use of a 0-day vulnerability in Microsoft’s operating system to exploit the system and stealthily install the components of the worm, and just like Stuxnet, it also installs a driver with a valid digital signature; the digital certificate used for this seems to have been stolen from a company in Taiwan.

However, the similarities do not carry over to the suspected intention of the worms. It is now accepted that Stuxnet was written with the intention of compromising industrial control and monitoring systems, often called Supervisory Control and Data Acquisition (SCADA) systems, and was specifically targeted at the Iranian atomic program, while it is believed that Duqu does not contain any code related to industrial control systems and is primarily malware designed to give the attacker complete remote control over the compromised machine, often termed a Remote Access Trojan (RAT). It is also believed to install malware that records keystrokes and collects other system information from the compromised machine. The attackers were most probably looking for information that could be used in a future attack, hence the description of Duqu as a “precursor to the next Stuxnet.” It does make one wonder what we may have missed that was the real precursor to the Stuxnet worm.

Other than the fact that machines in India have been infected with the Duqu virus, there is another curious connection to the Indian cyberspace. Malware like Duqu uses external Command and Control (C&C) servers as a means for the attackers to remotely control the malware, for example to download new executables onto the infected machine, exfiltrate sensitive information from it, update the malware itself and sometimes even to destroy or deactivate it. One of the only three C&C servers identified for Duqu was hosted on the IP address 206.183.111.97. This IP address and the virtual private server (VPS) that it belonged to were being hosted by Web Werks, a Mumbai-based hosting company. According to the company, the VPS belonged to a client in Milan, Italy, and because it was a system that was being managed by the client itself, Web Werks did not have any control over what was running on it.

According to reports, officials from the Indian Computer Emergency Response Team (CERT-In) have obtained an image of the VPS before taking it offline. Interestingly, there is no mention of the operation anywhere on CERT-In’s website and officials have refused to comment on the development as it pertains to ongoing investigation.

Getting hold of the C&C servers, however, doesn’t seem to have done the investigators a whole lot of good. Recent reports from Symantec indicate that all three C&C servers, including the one hosted at Web Werks, had been set up to forward all the traffic from the worm to other servers, making the final endpoint of the C&C chain hard to pinpoint.

The last few years have seen a drastic uptick in incidents related to cyber crime, and the cases of Stuxnet and Duqu have shown us that the new generation of malware is being continually honed for purposes that go beyond pranks, notoriety or money.

Stuxnet opened the Pandora’s box and there is no closing it.


Cost of cybercrime

Assessing the cost of cybercrime is extremely hard, not just because of the nature of the crime, the differing definitions and the actors involved, but also because of the hype cycle surrounding the area and the inflated numbers thrown out. Kings of War takes to task the cost estimate of £27 billion provided by the UK Cabinet Office and Detica.

While I completely agree with the view that the £27 billion figure looks inflated, some of the counterpoints stated in the post are also weak.

The figure of £30 million damage is to be contrasted by the worldwide market of scareware estimated at £114 million. The UK would therefore represent 26% of the share of this market for an online population representing only less than 2% of the global online population. Why the discrepancy?

“2%” of the global population does not say much. It might seem like a small number when compared to the “26%” market share, but other factors need to be considered. For example, China and India occupy a good percentage of the global online population, but that population may not really care when a scary message prompts them to buy (fake) anti-virus software. Even if they care, the default mode of operation could be different from clicking on a link and spending money online to buy the anti-virus. I have no concrete numbers to provide nor any specific study to quote; however, given first-hand experience, I would be surprised if I am too far off the mark. A little knowledge is dangerous, and it applies to cybersecurity as well.

And regarding consumer data loss: all the 3 legal cases in 2010 where the Computer Misuse Act 1990 was invoked concerned a breach of confidentiality, and no data were deleted. Thus the cost of consumer data loss reported to the police would be zero.

Consumer data may not have been deleted, but given that confidentiality has been breached, it is naive to think that the cost of the data loss would be zero. For example, if my credit card details were compromised (but not deleted), I would have to go through the motions of reporting it, getting it revoked, replacing it etc. Of course this would mean costs imposed on the credit card company too. These can add up very quickly.

All these discussions go to show that guesstimating the (real) cost of cyber crime is not an easy task, and therein lies a big problem – if one cannot estimate such a number, then one cannot set aside an appropriate budget for fighting the crime. After all, security is a lot about economics.