A good piece on “Cyberwar” at Fault Lines on Al Jazeera English.
The recent Symantec report on Internet Security Threats for 2009 showed a marked increase in malicious activity originating from Indian cyberspace. Overall, India ranked 5th in the list of nations contributing to malicious activity, up from its 2008 rank of 11! It ranked 2nd in the malicious code list and 3rd in the spam zombie list.
As stated in the report, one of the (obvious) reasons for this surge is
Malicious activity tends to increase in countries experiencing rapid growth in broadband infrastructure and connectivity, and the level of malicious activity occurring in India has been increasing steadily over several reporting periods as its broadband infrastructure and user base grows.
and the associated prediction unsurprisingly is
These countries may continue to account for larger percentages within specific categories because their relatively new and growing internet infrastructures could be exposed to increasing levels of malicious activity until security protocols and measures mature enough to counter these activities.
But that generalises things to an abstraction level that loses most of the actionable points. Most malicious activity originates from infected machines in the network, and the obvious reasons why so many infected machines tend to be in India are:
- non-use of anti-virus software: even free anti-virus software is not installed on a lot of machines, and even when it is, regular updates are not performed. Reasons range from ignorance to apathy.
- unpatched machines: regular updates issued for operating systems and the software running on them are ignored for reasons like ignorance, lack of the bandwidth needed to download the patches, and the (misplaced) fear of updating pirated software.
- widespread use of infected pirated software: a majority of the software installed on Indian machines tends to be of dubious nature, often illegal pirated copies peddled in the street (as much as 68% in 2008, according to the Sixth Annual BSA-IDC Global Software Piracy Study released in May 2009 by the Business Software Alliance (BSA)). Installation of pirated versions of popular software often leads to the installation of other malicious code on the system.
The widespread use of Windows and other Microsoft products could be one of the underlying causes from a monoculture viewpoint, but within the Indian context it is more a matter of economics than anything else. With pirated software available for a fraction of the price of the genuine original, and the actual cost of pirated software hidden from view, a lot of consumers end up choosing the pirated version over the genuine one.
This is as good a case as any to adopt a policy change to migrate from non-free software to free software, not just within the government but also among individuals. Free software does not equate to bug-free software, far from it, but at the least piracy and the infections that come with it can be reduced. It goes without saying that this should go hand in hand with educational initiatives to make the public understand the dangers of computer infection.
The recent increase in attention given to cyber security is thanks in no small measure to the works published by Information Warfare Monitor and Shadowserver Foundation titled “Shadows in the Cloud: Investigating Cyber Espionage 2.0” as well as the earlier report titled “Tracking GhostNet: Investigating a Cyber Espionage Network”. Both detail the existence of cyber espionage operations targeted against Tibetan and Indian officials and institutions, allegedly run by the Chinese. If you haven’t read these reports yet, you should.
There is enough content in these reports to provide fodder for several posts at Vyuha, ranging from technical discussions on how the espionage network was run to higher-level “what have we learnt” ones. This post looks at one of the factors that allowed this episode to play out – the effectiveness of the malware attacks that were used to set the exfiltration network up.
The reports identify that the attackers used Microsoft Office (DOC, XLS, PPT) and PDF files to deliver their malware, and that the information-gathering phase before the delivery must have been involved and meticulous.
What is surprising and frustrating about the whole attack is that while the malware was delivered with targeted effectiveness, there is no proof that it exploited any 0-day vulnerabilities in the applications, and hence it could have been caught and prevented from wreaking havoc on the target machines. Why were the vulnerable applications not patched? Did the targeted machines have protective mechanisms in place, like updated anti-virus or HIPS software? If not, why not? Given that the information leaked from the exfiltrated documents was of a sensitive nature, it can be assumed that the people operating those machines had specific clearance. Why were their working environments not secured well enough? In addition, were network-based Intrusion Prevention/Detection Systems installed on these networks, and if so, why were they not effective in preventing or even detecting these attacks?
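The point above is that document-borne malware using known (non-0-day) vulnerabilities leaves signals a defender can look for before the file is ever opened. As an added example (not code from the reports or from Vyuha), the following Python script performs the kind of mailbox or gateway triage that would have flagged such attachments: it checks that a file's extension matches its actual container type (OLE, OOXML zip, PDF), looks for PDF features that are rarely needed in a document sent by e-mail (JavaScript, open actions, launch actions, embedded files), and looks for VBA macro storage in both legacy and OOXML Office files. The sample attachments are constructed in the script itself and contain no real malware; the file names, the finding strings and the `EXPECTED` mapping are this example's own assumptions.

```python
import io
import re
import zipfile

# Magic bytes for the container formats named in the reports.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                          # .docx/.xlsx/.pptx are zip containers
PDF_MAGIC = b"%PDF-"

# Extension -> container type we expect (assumed mapping for this example).
# A mismatch is a classic sign of a disguised file.
EXPECTED = {
    "doc": "ole", "xls": "ole", "ppt": "ole",
    "docx": "zip", "xlsx": "zip", "pptx": "zip",
    "pdf": "pdf",
}

# PDF features that are legitimate but rarely needed in an e-mailed document.
PDF_RISKY = [
    (re.compile(rb"/JavaScript\b"), "PDF carries JavaScript"),
    (re.compile(rb"/JS\b"), "PDF carries JavaScript (/JS)"),
    (re.compile(rb"/OpenAction\b"), "PDF runs an action on open"),
    (re.compile(rb"/AA\b"), "PDF has additional (automatic) actions"),
    (re.compile(rb"/Launch\b"), "PDF can launch an external program"),
    (re.compile(rb"/EmbeddedFile\b"), "PDF embeds a file"),
]


def sniff_type(data):
    """Identify the container from content, not from the file name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if PDF_MAGIC in data[:1024]:      # PDF readers tolerate junk before the header
        return "pdf"
    return "unknown"


def analyse(name, data):
    """Return triage findings for one attachment given its name and raw bytes."""
    findings = []
    kind = sniff_type(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXPECTED and EXPECTED[ext] != kind:
        findings.append(f"extension .{ext} does not match content ({kind})")
    if kind == "pdf":
        for pattern, msg in PDF_RISKY:
            if pattern.search(data):
                findings.append(msg)
    elif kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    findings.append("Office document contains a VBA macro project")
        except zipfile.BadZipFile:
            findings.append("zip container is corrupt or truncated")
    elif kind == "ole":
        # OLE directory entries store stream names as UTF-16LE; crude but useful.
        for marker in ("_VBA_PROJECT", "Macros"):
            if marker.encode("utf-16-le") in data:
                findings.append("legacy Office document contains VBA macro storage")
                break
    return {"name": name, "type": kind, "findings": findings}


# --- constructed, harmless samples standing in for a batch of attachments ---
def _sample_pdf():
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj\n%%EOF\n")


def _sample_macro_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def _sample_disguised():
    # An OLE container handed over with a .pdf extension.
    return OLE_MAGIC + b"\x00" * 504


SAMPLES = {
    "budget.pdf": _sample_pdf(),
    "agenda.docx": _sample_macro_docx(),
    "report.pdf": _sample_disguised(),
    "notes.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n",
}


def triage_all(samples=SAMPLES):
    return {n: analyse(n, d) for n, d in samples.items()}


if __name__ == "__main__":
    for name, r in triage_all().items():
        flag = "FLAG" if r["findings"] else "ok  "
        print(flag, name, r["type"], "; ".join(r["findings"]))
```

These are heuristics for prioritising what to inspect or sandbox, not a verdict: a flagged file may be legitimate, and a clean result says nothing about an exploit hidden in a malformed object stream. That is exactly why the questions in the post about patching and host protection matter more than any single gateway check.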
A lot of questions with few answers. But then that has been the case with all the questions raised by the public about this incident.
The information age is upon us and its impact can be felt everywhere. The cyber world that we immerse ourselves in is a large manifestation of the information strata. Dominance in the cyber world may seem like a trivial pursuit but we believe it has far reaching consequences in the physical world, be it in the sphere of economy, politics or warfare.
Vyuha aims to explore the cyber security strategies (and to a lesser extent, the overarching information security aspects) that are of paramount importance to India in this networked 21st century and beyond. Towards this end we will be covering important events and developments that shape this area while expounding our views on the issues. In doing so we hope to influence, ever so slightly at the least, the doctrines and the key players involved in promulgating them.