Author Archive | Srijith

Security of Indian Electronic Voting Machines

The security and integrity of electronic voting machines (EVMs) have been a point of debate for a long time. Various studies of the EVMs used in elections within the USA have shown time and time again that they are susceptible to both software-based and hardware-based attacks. However, the EVMs used in Indian elections have not been subjected to similar rigorous scrutiny, even though they have been used nationwide since 2004. Nor have the details of the EVM's inner workings been made public. Security and privacy have been cited as the main reason for this (pdf).

The Commission has not allowed reverse-engineering of the ECI-EVMs, inter-alia, for the reasons that manufacturers of ECI-EVMs, BEL & ECIL, have a patent on the machines and have objected to any attempt at reverse-engineering.

(…)

The Commission is concerned that commercial interests could use the route of reverse engineering which may compromise the security and sanctity of the entire election system. It is, therefore, not possible for the Commission to permit reverse-engineering of ECI-EVMs.

The two expert panels that were tasked by the EC to verify the security of the EVM have had to do the job relying on presentation materials given to them by the vendors. In fact, experts for the EC have equated any questioning of the security of the EVMs to an attack on the commission’s own impartiality and integrity [1] and have been quoted as drawing a parallel between proving the security of the EVM and “asking Sita to prove her virginity [sic.] by having Agni Pariksha”!

All that until now. A team of researchers led by Hari K. Prasad, Dr. J. Alex Halderman and Rop Gonggrijp have written a paper in which they describe two hardware-based attacks they were able to perform on an actual EVM given to them by an unnamed source. To quote from the site’s Q&A section:

First, we show how dishonest election insiders or other criminals could alter election results by replacing parts of the machines with malicious look-alike parts. Such attacks could be accomplished without the involvement of any local poll officials. Second, we show how attackers could use portable hardware devices to change the vote records stored in the machines. This attack could be carried out by local election officials without being detected by the national authorities or the EVM manufacturers.

The fact that these attacks did not even rely on extracting and analysing the software from the chip (read the paper to know why) should alarm people.

This raises serious questions about the integrity of elections held in India. While it is unlikely that such attacks have already been conducted, it means that they are possible, and now that they have been shown to be possible there is a likelihood of their being attempted by parties aiming to subvert the election process. The unhealthy attitude of the EC-associated experts, who equate questions raised about the security of the EVM with an attack on their impartiality and integrity, does not help, and neither does that of the EC, which has not insisted that the software powering the machine be released, at least under a Non-Disclosure Agreement, to competent security experts. Any company that does not open up the code and the inner workings to such an expert group should not be allowed to supply voting machines. Security through obscurity has been shown not to work, again and again and again.

A rigorous analysis of the security of both the hardware and the software used by the machines that empower adult suffrage in the world’s largest democracy is an absolute necessity.

[1] Page 98 of Democracy at Risk! (Book on Indian EVMs published by Citizens for Verifiability, Transparency & Accountability in Elections), New Delhi, 2010, by G. V. L. N. Rao.


“Cyberwar” at Fault Lines

A good piece on “Cyberwar” at Fault Lines on Al Jazeera English.


Rise of infection in Indian cyberspace

The recent Symantec report on Internet Security Threats for 2009 showed a marked increase in malicious activity originating from Indian cyberspace. Overall, India ranked 5th in the list of nations contributing to malicious activity, up from its 2008 rank of 11! It ranked 2nd in the malicious code list and 3rd in the spam zombie list.

As stated in the report, one of the (obvious) reasons for this surge is

Malicious activity tends to increase in countries experiencing rapid growth in broadband infrastructure and connectivity, and the level of malicious activity occurring in India has been increasing steadily over several reporting periods as its broadband infrastructure and user base grows.

and the associated prediction unsurprisingly is

These countries may continue to account for larger percentages within specific categories because their relatively new and growing internet infrastructures could be exposed to increasing levels of malicious activity until security protocols and measures mature enough to counter these activities.

But that generalises the problem to an abstraction level at which most of the actionable points are lost. Most malicious activity originates from infected machines on the network, and the obvious reasons why so many infected machines are found in India are:

  • non-use of anti-virus software: even free anti-virus software is not installed on many machines, and even when it is, regular updates are not performed. Reasons range from ignorance to apathy.
  • unpatched machines: the regular updates issued for operating systems and the software running on them are ignored for reasons such as ignorance, the lack of bandwidth needed to download the patches and the (misplaced) fear of updating pirated software.
  • widespread use of infected pirated software: a majority of the software installed on Indian machines tends to be of dubious origin, often illegal pirated copies peddled in the street (as much as 68% in 2008, according to the Sixth Annual BSA-IDC Global Software Piracy Study released in May 2009 by the Business Software Alliance (BSA)). Installing pirated versions of popular software often leads to the installation of other malicious code on the system.

The widespread use of Windows and other Microsoft products could be one of the underlying causes from a monoculture viewpoint, but within the Indian context it is more a matter of economics than anything else. With pirated software available for a fraction of the price of the genuine original and the actual cost of pirated software hidden from view, a lot of consumers end up choosing the pirated version over the genuine one.

This is as good a case as any to adopt a policy change to migrate from non-free software to free software, not just within the government but also among individuals. Free software does not equate to bug-free software, far from it, but at the least the piracy and the associated infections can be reduced. It goes without saying that this should go hand in hand with educational initiatives to make the public understand the dangers of computer infection.


Why did GhostNet succeed?

The recent increase in attention given to cyber security is thanks in no small measure to the reports published by Information Warfare Monitor and the Shadowserver Foundation titled “Shadows in the Cloud: Investigating Cyber Espionage 2.0” and the earlier report titled “Tracking GhostNet: Investigating a Cyber Espionage Network”. Both detail the existence of cyber espionage operations targeted against Tibetan and Indian officials and institutions, allegedly run by the Chinese. If you haven’t read these reports yet, you should.

There is enough content in these reports to provide fodder for several posts at Vyuha, ranging from technical discussions on how the espionage network was run to higher-level “what have we learnt” ones. This post looks at one of the factors that allowed this episode to play out: the effectiveness of the malware attacks that were used to set up the exfiltration network.

The reports identify that the attackers used Microsoft Office (DOC, XLS, PPT) and PDF files to deliver their malware, and that the information acquisition phase before the delivery must have been involved and meticulous.

What is surprising and frustrating about the whole attack is that while the malware was delivered with targeted effectiveness, there is no proof that it exploited any 0-day vulnerabilities in the applications, and hence it could have been caught and prevented from wreaking havoc on the target machines. Why were the vulnerable applications not patched? Did the targeted machines have protective mechanisms in place, like updated anti-virus or HIPS software? If not, why not? Given that the information leaked from the exfiltrated documents was of a sensitive nature, it can be assumed that the people operating those machines had specific clearance. Why were their working environments not secured well enough? In addition, were network-based Intrusion Prevention/Detection Systems installed on these networks, and if so, why were they not effective in preventing or even detecting these attacks?

A lot of questions with few answers. But then that has been the case with all the questions raised by the public about this incident.


In the Beginning

The information age is upon us and its impact can be felt everywhere. The cyber world that we immerse ourselves in is a large manifestation of the information stratum. Dominance in the cyber world may seem like a trivial pursuit, but we believe it has far-reaching consequences in the physical world, be it in the sphere of the economy, politics or warfare.

Vyuha aims to explore the cyber security strategies (and to a lesser extent, the overarching information security aspects) that are of paramount importance to India in this networked 21st century and beyond. Towards this end we will be covering important events and developments that shape this area while expounding our views on the issues. In doing so we hope to influence, ever so slightly at the least, the doctrines and the key players involved in promulgating them.
