Sunday, May 29, 2011

Rise of Sophisticated Cyber Attacks for Military Gains? Or not!

On Saturday 28 May 11, Fox News reported a US government announcement that a major defense supplier, Lockheed Martin, had suffered a cyber breach, which prompted a move to shut down remote access for its employees and reissue RSA two-factor tokens. The breach was speculated to be linked to information obtained from an earlier compromise of RSA. According to an open letter by RSA, “Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.” The RSA attack, which was specifically targeted to obtain sensitive information about its security products, was sophisticated, time consuming, costly and highly motivated.
Typically, to undertake such attacks one needs to have means and motive. If these two attacks were related, and so it seems, then the motive was clearly to obtain military secrets and not money from a bank. The motive narrows down possible suspects to companies or countries interested in military secrets. Secondly, the money and expertise needed to compromise these two companies would have been in the order of several million dollars, utilizing highly skilled hackers and sophisticated target reconnaissance.
If Lockheed Martin detected the breach through a security process such as audit or monitoring, as opposed to accidental discovery, it would speak volumes about their security preparedness and ability.

Friday, May 27, 2011

Google Street View will aid cross border terrorism in India

Google launched its Street View program in Bangalore, India. According to Google “Street View in Google Maps lets you explore places through 360-degree street-level imagery.” As a technology user, I am excited at the convenience that such a service brings.
On the other hand, when I put my security hat on, I am of the opinion that this service may do more harm than good. India has been prone to terror attacks planned and coordinated from across our borders. In most of these attacks, sites are identified by planting an agent who uses on-the-ground reconnaissance to capture images and videos, which are later analyzed across the border, where mock set-ups are created, drills run and attacks planned.
Street View will further enhance target selection. While previously a target could be chosen only because it was well published as a place of interest, now secondary targets can easily be identified by scouring street views. This enables wider coverage for target selection undertaken by enemy military or military-trained terrorists without setting foot on Indian soil. Further reconnaissance will still be with ground support, but the advantage in target identification and location assessment will be with the terrorists.
I therefore am of the sad conclusion that these services for the moment are not desirable for India. The startling revelations of David Headley in the US courts on how the Mumbai 26/11 attacks were planned are eye openers.

Tuesday, May 24, 2011

Can biometrics differentiate Identical twins?

I had not given much thought to whether genetically identical twins have the same fingerprints until a close friend of mine gave birth to twins. It seems that they differ, as fingerprints develop from a combination of genes and the developmental environment, such as nutrition, position, rate of growth of fingers and blood pressure during pregnancy. More can be read from this article, “Do identical twins have different fingerprints?”. It is for similar reasons that the iris patterns are different. Nevertheless, facial recognition will not be able to distinguish either twin in a large percentage of identical twins. Identical twins may have minor facial differences like position of moles and so on.
If facial recognition is relied upon, then either twin can easily impersonate the other. This happens to be the most common form of identification used today. Each twin will also be privy to the same set of personal information about the other, which could be used to befuddle knowledge-based verification.
Now to the crucial question. Can a DNA test positively identify each twin? At the moment the answer seems to be No. More can be read from this article, “Genetic Differences Between Identical Twins”.

Friday, May 20, 2011

Billions of Unverified Identities creating an Online Identity Crisis

The online world faces its greatest challenge: billions of unverified user identities on webmail, social networking and other sites. Driven by valuations that factored in the number of customers as a key parameter, VC funding and advertisement-supported revenue, sites offered free services which do not require customer identity verification. The net positive was the dramatic growth of the WWW, as the ease of use prompted many users to sign up. The net negative was that free services resulted in a net rise in consumer email fraud and social crimes which are difficult to trace and prosecute. And the problem will just get BIGGER.
The main reasons why companies did not pursue the verification of customers were cost, the global scale of the operation, the fact that customers were unlikely to pay for services, and that adoption of early web-based services was based on reference and experiential use.
To reduce social crimes, social networking sites set up mechanisms to identify and report social crimes like cyber harassment, cyber bullying, hate crimes, flaming, pornography, copyright violations and so on. Countries are attempting to frame laws, but they vary in the degree of responsibility between the user who generates content and the site which hosts it. If laws are framed to make it mandatory for the hosting site to remove content, these providers cry Censorship. If the laws are framed to prosecute users, it is also seen as Censorship. A political catch-22 situation, compounded by the fact that prosecution of an unverified identity provides for many legal loopholes to subvert the law.
Going forward we need a common process to uniquely verify identity, much like a cell phone number. Verification of identity can come from citizen databases which are being set up in various countries, but there is still a long way to commercial adoption. Once this is done, the cost of upgrading existing identities to verified ones would be significant. In my opinion, in the next ten years all identities will be verified and identity verification mandated by law.

Tuesday, May 17, 2011

Posting Snaps on Social Networks may have led to Honour Killing

A young lad of twenty was brutally stabbed to death as he walked a desolate stretch to his home in an upper-middle-class part of Delhi. There are no clues yet as to the reason for his murder, but popular theory has it that he was murdered in an apparent honour killing.

According to Wikipedia, Human Rights Watch defines "honor killings" as follows: "Honor killings are acts of vengeance, usually death, committed by male family members against female family members, who are held to have brought dishonor upon the family. A woman can be targeted by (individuals within) her family for a variety of reasons, including: refusing to enter into an arranged marriage, being the victim of a sexual assault, seeking a divorce—even from an abusive husband—or (allegedly) committing adultery. The mere perception that a woman has behaved in a way that "dishonors" her family is sufficient to trigger an attack on her life."

Girls and boys chatting and posting photographs on social networking sites could potentially be a trigger for "honour killing" or domestic violence not amounting to death. In the future, as the younger generation embraces the Internet, sharing of information that could potentially trigger such situations will rise. The number of recorded honour killings is less than 5000 a year, but the incidence of domestic violence as a result of lack of privacy on social networking is largely unrecorded.
In certain countries, caste plays a key role in family honour, and this disease leads rational individuals to commit irrational acts. Photos of a boy and girl together on a social network site, particularly one with no privacy settings, may provoke incidents, however rare. The family may feel aggrieved that the relationship is openly promoted in an online world, which may diminish the marriage prospects of their child, particularly a daughter in the Indian system of arranged marriages.
While such action rarely leads to a major crime, the impact of minor transgressions when friends post unwanted photographs on social networks is a common problem. It may be as simple as a friend viewing snaps of a private party to which he was not invited, posted by another friend who was. This may sully his relationship with the host.
Privacy settings on social sites are a simple but key responsibility for all users to safeguard themselves from unwanted consequences both large and small. Individuals who fear that their actions may lead to such consequences should be careful of what details they expose on social networks.

Saturday, May 14, 2011

No terrorist has yet been caught photographing targets!

In yesterday's newspaper there was a case of an army officer’s wife being hauled into a police station for having taken photographs of a synagogue in Pune. The synagogue, like a few other places, was under police protection as they were potential targets for terror attacks. This incident is not isolated; around a year ago, I remember a similar incident of a young man who used his iPhone to photograph Mukesh Ambani’s two billion dollar central Mumbai house.

I am an avid bird watcher and while watching birds in a public garden under renovation on the Mithi river that passes through Mumbai, private security guards rushed out to tell me that photography was not allowed. When questioned they said that they were doing as told, apologized and left. In each case there was no official warning which said photography was prohibited. 

The reason for preventing photography may differ for each of these situations: in the first, concern; in the second, a misplaced notion of security; and in the third, fear that I might be a press reporter reporting on how public funds were used or misused.
I am yet to remember a single terrorist who has been caught taking photographs, and I question whether, in today’s world of spycams, mobile phone cams and Google Maps, preventing photography is an effective restriction. We have inherited this notion from the movies and it is of no real significance in urban areas. I believe we should educate our police force not to be overzealous and to appreciate the rights of people.

Monday, May 9, 2011

Fourteen Potential Problems for Sony to Clean up Post the Data Breach

The Sony PlayStation breach is the second largest in history. Let us not forget that the company is also a victim, as were many of its customers. I am sure it will do its best to make amends and preserve its reputation. I was touched by its senior executives bowing to apologize, and to be brutally honest we all know that luck was against them. I am not condoning the large gaps and a certain lack of security mindset, which need to be corrected. Many analysts have estimated the potential cost of fixing the breach, with estimates ranging widely from 1.5 to 24 billion US dollars in terms of lost business and sorting out consumer and political issues.
Looking forward, I attempted to list the several challenges Sony faces as an outcome of the breach:
  • Dissatisfied customers who are victims of lost personal data, exposure to potential fraud and loss of service. In addition, these customers have to go through the pain of cancelling credit cards and resetting passwords on their accounts, and in future will surely experience a rise in spam mail.
  • Class Action Suits filed in US courts
  • Loss of reputation worldwide on all consumer brands
  • Revenue loss due to service downtime, possible penalties, settlements and customer compensations or refunds
  • Challenges in securely resetting the passwords of 77 million people
  • Uncertainty of the extent of the intrusion and on removal of all potential malware vectors prior to relaunch
  • Faced with too short a time to assess and remediate vulnerabilities. If the system has not been securely evaluated in the past, the problem will be acute
  • Facing a shortage of key staff that understand security and can be quickly pulled in to sort the problem
  • PR staff faces a new and difficult situation, particularly while making further disclosures as the extent of the breach is uncovered.
  • Loss of customers
  • Anxiety over a second attack
  • Pressure from the Government and fielding questions from key policy makers in various countries
  • Dealing with different governments, privacy laws and customers across 60 countries
  • Politically and socially unfavorable at home, as Japan is emerging from a natural calamity

Saturday, May 7, 2011

Pay a Reward to Catch a Hacker?

When I read an article titled "Sony Considers Offering Reward To Help Catch Hackers", it demonstrated a new approach to catching hackers. Traditional methods to catch real-world criminals have used cash rewards for information and leads. I am not sure how effective it would be in tracing cybercrime and would be keen to know the results if indeed a reward is offered. I have found that cybercriminals who hack for profit are more difficult to trace than those involved in cyber protest or who hack for fun.

Thursday, May 5, 2011

How Terrorists use the Internet? Even if Osama Bin Laden did not.

It was not ironic that Osama, whose death resulted in the third highest sustained Twitter rates, did not use the phone or the Internet; it was a crafted plan to avoid detection. Osama knew that phone calls could be traced and voice samples analyzed to locate him, and as for the Internet, perhaps he suspected his browsing profile might be a giveaway. But the same is not true for the organization he created, which actively uses the Internet for propaganda, organizational management, recruitment, and communication.
Propaganda dissemination is the most popular use. Terrorists have long used websites or web news to pass on statements and images of atrocities to support their cause. Mostly a diatribe against America, Israel and sometimes India, such material is put up on sites by passive supporters or sent directly to channels which are keen to air it.
Al Qaeda as an organization works in independent highly decentralized local cells. The Internet has been used for organizational management particularly to disseminate information to these units on how to manufacture terror. Manuals on assault techniques and bomb making are found on the net.
Recruitment through indoctrination of youth in different countries by hardcore terrorists, to use as sleepers, as local support, and to form small cells, is done via social networking sites. Youth who become members of sites allied to the cause of these terrorists are slowly indoctrinated and converted.
Communication between terrorists using the Internet is common, as they fear voice surveillance. They evolved ingenious ways to communicate, such as sharing a single email account and posting mails and replies in draft folders. This ensures that the email is never sent but remains on the site. They also hack open wifi sites to send terror mails via anonymous ids to scare citizens or to claim responsibility for strikes.
To my knowledge there have not been any large cyber strikes by these organizations, perhaps due to limited technological knowledge, traceability and limited impact on human life. As critical national infrastructure networks like power and water go online or if communication to airplanes or trains can be affected resulting in crashes or loss of life this may change.

Tuesday, May 3, 2011

The ONE most important lesson from the Sony PlayStation Security Breach

77 million paid users, personal information such as email, passwords and credit cards, access to a platform that managed powerful PlayStation devices, and licensed content make such services a sure target for hackers and jail breakers.

Jail breakers and hackers both saw the rich opportunity which the business failed to see. Jail breakers, for the thrill of free content and the urge to make the content freely available. Hackers, for the rich source of credentials, credit card numbers and email which can be sold to fraud rings for a fee, and the possibility of installing malware updates on PlayStation devices, potentially harnessing them for denial of service attacks or even deactivating them.

There are 50 million or so BitTorrent users who believe that it’s their right to share licensed content. For all businesses this is a reality that we need to live with.

Jail breakers can be dealt with by removing the need to jailbreak and making the product secure. Key concerns of jail breakers are price and availability. One can also make it profitable for a jail breaker to report flaws for a fee. Imposing criminal action as a deterrent motivates jail breakers to go underground, thereby losing the opportunity to harness their expertise to improve product security.

Hackers on the other hand profit from this action as they are already underground. An insecure product or service is rich pickings.

So why did such a large organisation fail to see the inevitable?

The main reason is the inadequacy of addressing security as a major business concern. Instead of improving product and service security, the focus was on prosecution, as the immediate problem was loss of license revenue and that was what business understood of the problem.

This inconsistency is present in every business where business and IT decision makers overrule security in favor of functionality and a false belief that such problems do not occur.

All CISOs should highlight this incident to their management as a wake-up call.