
“The SOPA learning”

A “Perspective” piece titled “The SOPA learning” in the April 2012 edition of Pragati, the publication of the Takshashila Institution:

Imagine a makeshift stall peddling pirated CDs, DVDs and other media carrying music, movies and software. Now imagine a new law that tries to put the stall out of business by disrupting the transport service that takes people to the store, preventing the banks from processing the money that the stall owner tries to deposit, and preventing the stall owner from using the stall for any other revenue-generating work. Translate this into the online world and you get a rough idea of the scope of the “Stop Online Piracy Act” (SOPA) bill that was introduced in the US House of Representatives and the equivalent “PROTECT IP Act” (PIPA) bill that was introduced in the US Senate in late 2011.

(…)

Head over there and post your comments, or of course, put them down here too.


Duqu: an indicator of the next Stuxnet?

The December 2011 issue of Pragati carries an article titled “Duqu: an indicator of the next Stuxnet?” by yours truly, reproduced below.

The Stuxnet worm was first reported in June 2010 and was credited with several exploits, including sabotaging the Iranian nuclear reactors and possibly even causing the malfunction of the INSAT-4B communication satellite. Now, more than one year on, security experts think that they have stumbled upon a worm that is being described as the precursor to the next Stuxnet, potentially written by the same people who wrote Stuxnet, or at least by someone who had access to the source code of the Stuxnet worm.

Named Duqu, the worm was first reported by the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary on 1st September 2011. The name given to the worm came about due to the “~DQ” prefix that was given to the files it created on the system that it infected. Further analysis by Internet security firm Symantec revealed that the worm may have been in the wild since November 2010 and has so far infected computers in eight countries, including India, and potentially four more.

Just like Stuxnet, Duqu makes use of a 0-day vulnerability in Microsoft software to exploit the operating system and install the components of the worm stealthily. Also like Stuxnet, it installs a driver with a valid digital signature; the digital certificate used for this seems to have been stolen from a company in Taiwan.

However, the similarities do not carry over to the suspected intention of the worms. It is now accepted that Stuxnet was written with the intention of compromising industrial control and monitoring systems, often called Supervisory Control and Data Acquisition (SCADA) systems, and was specifically targeted at the Iranian atomic program. Duqu, on the other hand, is believed to contain no code related to industrial control systems and is primarily malware designed to give the attacker complete remote control over the compromised machine, often termed a Remote Access Trojan (RAT). It is also believed to install malware that records keystrokes and collects other system information from the compromised machine. The attackers were most probably looking for information that could be used in a future attack, hence the description of Duqu as a “precursor to the next Stuxnet.” It does make one wonder what we may have missed that was the real precursor to the Stuxnet worm.

Other than the fact that machines in India have been infected with the Duqu virus, there is another curious connection to Indian cyberspace. Malware like Duqu uses external Command and Control (C&C) servers as a means for the attackers to remotely control the malware, for example to download new executables onto the infected machine, exfiltrate sensitive information from it, update the malware itself and sometimes even to destroy or deactivate it. One of only three C&C servers identified for Duqu was hosted on the IP address 206.183.111.97. This IP address and the virtual private server (VPS) it belonged to were hosted by Web Werks, a Mumbai-based hosting company. According to the company, the VPS belonged to a client in Milan, Italy, and because it was a system being managed by the client itself, Web Werks did not have any control over what was running on it.

According to reports, officials from the Indian Computer Emergency Response Team (CERT-In) obtained an image of the VPS before taking it offline. Interestingly, there is no mention of the operation anywhere on CERT-In’s website, and officials have refused to comment on the development as it pertains to an ongoing investigation.

Getting hold of the C&C servers, however, doesn’t seem to have done the investigators a whole lot of good. Recent reports from Symantec indicate that all three C&C servers, including the one hosted at Web Werks, had been set up to forward all the traffic from the worm to other servers, making the final endpoint of the C&C chain hard to pinpoint.

The last few years have seen a drastic uptick in incidents related to cyber crime, and the cases of Stuxnet and Duqu have shown us that the new generation of malware is being continually honed for purposes that go beyond pranks, notoriety or money.

Stuxnet opened the Pandora’s box and there is no closing it.


“Hacked and shamed” and beyond

Rohan Joshi and yours truly have a brief in the August 2011 edition of Pragati covering the “weird” compromise of the National Security Guards’ website and the downtime of the National Investigation Agency’s website.

Defacement of websites is a routine occurrence and usually not a cause of major concern, apart from the embarrassment caused by the negative publicity. However, unauthorised access to the email system is a different matter altogether. Depending upon the practices being followed, this could either have leaked encrypted digital communication between various officials in the NSG and beyond, which would be of no practical use to the attacker, or could have revealed unencrypted emails discussing sensitive topics. The details have been sketchy, but at least one media report states that the computer system used by an army major-general had been ‘hacked’ into, as it was discovered that a number of “letters” were sent on behalf of the general officer.

After the brief was sent off to the editors, the Minister of State for Communications and Information Technology, Sachin Pilot, told the Lok Sabha via a written reply that a total of 117 Government websites were defaced during the period January – June 2011. With regard to the situation of the NIA’s website, the press release goes on to say:

The reply further stated that the information on the website of National Investigation Agency (NIA) is temporarily disabled. Since the website of National Investigation Agency was not hacked, no inquiry in this regard has been conducted.

It has been a month since the website was taken down and it is still in a state of “maintenance”, which raises the question: why just the NIA website? It sure does look like the site was compromised in some form or the other. Will we ever know the truth about what was compromised? Unlikely!


“A revolution in 140 characters” – Pragati article

In the article “A revolution in 140 characters” over at Pragati’s March edition, I cover the use of social media like Twitter and Facebook in the recent revolutions sweeping parts of the world.

Egypt has disposed of its dictator, soon after Tunisia handed out similar treatment to its own. The dizzying pace of these developments left many too shocked to comment, even as journalists scrambled to follow and write up the latest news.

A question that is making the rounds is, “Why now?” A part of the answer seems to be — to the surprise of many—social media.
