Secrecy of Cyber Threats Said to Cause Complacency?

Secrecy of Cyber Threats Said to Cause Complacency? Oh please! First of all, ignorance or unawareness is not the same as complacency. Furthermore, while the bill concerned, the Cyber Security Public Awareness Act, is itself a boon, especially for researchers as well as those who want to hold the government accountable, the central theme of the article’s rhetoric, that awareness among the population is low because the attacks on critical infrastructure and government networks are classified, just doesn’t add up. Given the high rate of identity theft, a lot of which has a cyber-related cause, and the huge amount of existing press on the matter of cyber attacks (China is the new USSR), it is not the lack of information that is preventing the spread of “awareness” (read hysteria). More likely is a combination of:

  • Bigger things to worry about, economy comes to mind
  • Cognitive disconnect between report of incident, its impact and relevance to oneself
  • Knowledge that recent over-the-top war mongering is a part of an elaborate scheme to get more federal budget

No .xxx please, we are .gov.in

The Internet Corporation for Assigned Names and Numbers (ICANN), the body responsible for the management of the top-level domain name space, recently approved the establishment of the top-level domain (TLD) “.xxx” as a sponsored TLD. The domain is currently intended as a (voluntary) option for pornographic sites. The Indian government, or at least one of its officials, promptly threatened to exercise its censorship scissors by declaring the intention to block access to .xxx domains:

“India along with many other countries from the Middle East and Indonesia opposed the grant of the domain in the first place, and we would proceed to block the whole domain, as it goes against the IT Act and Indian laws,” said a senior official at the ministry of IT. “Though some people have said that segregation is better, and some countries allow it. But for other nations transmission and direct distribution of such content goes against their moral and culture,” he added.

There seems to be nothing official about the statement, other than that it was uttered by “a senior official at the ministry of IT”, but it wouldn’t be surprising if this is indeed the stand of the ministry on this matter, especially if precedent is considered.

The Information Technology (Amendment) Act, 2008, which the official mentions, defines the prohibition on “lascivious” and “sexually explicit” material in Chapter Paragraphs 67 and 67 A as:

67. Whoever publishes or transmits or causes to be published or transmitted in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to three years and with fine which may extend to five lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.

67 A Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.

Not surprisingly, the Act does not define or clarify what constitutes transmission and publishing, but what is interesting is that paragraph 69 provides intermediaries (like ISPs) with protection from liability (up to an extent) for the content they carry. This means that as long as the .xxx domains are hosted outside India, by organisations without a presence in India, there doesn’t seem to be any automatic way for the block to be set in place unless the provisions in paragraph 69 A are exercised by the government:

69A. (1) Where the Central Government or any of its officer specially authorised by it in this behalf is satisfied that it is necessary or expedient so to do in the interest of sovereignty and integrity of India, defence of India, security of the State, friendly relations with foreign States or public order or for preventing incitement to the commission of any cognizable offence relating to above, it may subject to the provisions of sub-section (2), for reasons to be recorded in writing, by order, direct any agency of the Government or intermediary to block for access by the public or cause to be blocked for access by the public any information generated, transmitted, received, stored or hosted in any computer resource.

Given that the most likely interpretation of paragraph 67 does not make it a crime to view (not transmit or publish) pornography online, the stage is set for a good tussle between the government and those who object to moral policing by the government. Also interesting is the attitude of the government to non-.xxx domains that host pornographic material. The use of .xxx domains is voluntary and it is unlikely that pornographic content will be confined to the sTLD. So far the government has not actively blocked all pornographic content online, so a question that someone wanting to challenge the .xxx block could ask is why .xxx domains are being singled out.

Those who have been following the saga of the .xxx TLD application within ICANN would remember the warning provided by the Governmental Advisory Committee (GAC) of ICANN when they stated in their San Francisco Communique (pdf):

the GAC would like to inform the ICANN Board that an introduction of a .xxx TLD into the root might lead to steps taken by some governments to prohibit access to this TLD. The GAC therefore calls the Board’s attention to concerns expressed by experts that such steps bear a potential risk/threat to the universal resolvability and stability of the DNS.

The GAC must be doing the “We told you so!” dance. Blocking/filtering exists at various scales and at various levels, though most of it does not happen at the DNS level. Given that blocking of the .xxx domain will most likely involve a DNS-level block, and given the history of Indian ISPs incorrectly implementing blocks and filters, it is not far-fetched to be alarmed that the stability of the DNS is threatened, as pointed out by the GAC. What would of course follow is a cat and mouse game between technically savvy users who would try to find ways to circumvent the block (there are several ways based on how the block is implemented) and the government/ISPs that try to prevent “depravation and corruption”.

Interesting times :)


Dissecting Defense Minister’s response “Hacking of Security Information”

Defense Minister AK Antony has finally made a statement on the recent cyber espionage events reported in “Shadows in the Cloud”. Please do read the response – “Hacking of Security Information”; it won’t take a lot of time. It is a relief to see someone asking the questions at the right level and to see the questions being answered. Now let us take a look at the answer (emphasis added).

certain internet facing computers were compromised by the hackers which had no sensitive defence data

While it is reassuring that the Minister thinks no sensitive data was leaked, something doesn’t add up. The report states:

“Although there is public information available on these military projects, it indicates that the attackers managed to compromise the right set of individuals that may have knowledge of these systems that is not publicly known. We recovered documents and presentations relating to the following projects:

(*) Pechora Missile System – an anti-aircraft surface-to-air missile system.

(*) Iron Dome Missile System – a mobile missile defence system (Ratzlav-Katz 2010).

(*) Project Shakti – an artillery combat command and control system (Frontier India 2009).

We also found that documents relating to network centricity (SP’s Land Forces 2008) and network-centric warfare had been exfiltrated, along with documents detailing plans for intelligence fusion and technologies for monitoring and analysing network data (Defence Research and Development Organisation 2009).”

That is of course just the “defence” bit. It is hard to believe that all that information on the missile systems and warfare strategy is public knowledge. Now to approach the “sensitive” non-defence part of the report’s content:

We recovered one document that appears to be an encrypted diplomatic correspondence, two documents classified as “SECRET”, six as “RESTRICTED”, and five as “CONFIDENTIAL”. These documents contain sensitive information taken from a member of the National Security Council Secretariat concerning secret assessments of India’s security situation in the states of Assam, Manipur, Nagaland and Tripura, as well as concerning the Naxalites and Maoists. In addition, they contain confidential information taken from Indian embassies regarding India’s international relations with and assessments of activities in West Africa, Russia/Commonwealth of Independent States and the Middle East, as well as visa applications, passport office circulars and diplomatic correspondence. The attackers also exfiltrated detailed personal information regarding a member of the Directorate General of Military Intelligence.

It is indeed true that none of these are defence data but it sure looks sensitive.

So, either all this exfiltrated information was public knowledge (highly unlikely), or India doesn’t consider any of it (including the missile programme details) to be “sensitive defence data”, or the report is wrong, or of course the Minister has not been properly informed.

Pick your poison, I guess.

Services Headquarters have an information security policy and their networks are audited as per the guidelines.

I hope not the 27001 audit!
