Wednesday, December 5, 2012

Is Surfing the Internet a Crime?

It isn’t, but that is the very message youngsters in India are beginning to receive when political activists riot outside their houses and haul their brothers and sisters to nearby police stations. More so when they are young, innocent and unsuspecting victims of pranksters, as in the recent case of a teenage boy from a suburb of Mumbai.
The prankster’s modus operandi is simple. Spoof the victim’s Facebook ID, or hack into his legitimate one. Post an offensive message against a political leader. Relax, and enjoy the drama that unfolds as the victim faces the ire of the leader’s supporters and is embroiled in a police investigation.

This strategy was used by a prankster (or an individual wanting to settle a score) to put a 19-year-old lad in a state of emotional distress. The boy was escorted to the police station by people he knew from the neighborhood in which he had lived for the last 17 years. The cyber police, after a brief investigation, cleared his name.
Some of the statements he made, published in the Times of India, show the fear and anguish his family faced:

“I was scared when the police detained me. I was worried for my parents and sister who wondered why using the Internet should land someone in the police station”

“My sisters (one in class 12 and another in class 8) were asking if using the Internet was a crime”
People affected by offensive posts are entitled to follow the due process of law by filing complaints and allowing the police to investigate. But at the same time they must be restrained from taking the law into their own hands and hauling individuals to police stations based on their own interpretation of posts and tweets.

To be safe from such problems, remember that you are responsible for what you post online and for the wider audience that views it. Report spoofed accounts, and report your own legitimate accounts if they have been hacked. The responsibility for protecting your accounts rests on your use of best practices when choosing passwords and when surfing the Internet.

Sunday, December 2, 2012

Indian Politicians and Social Networkers scramble to check fake Facebook Accounts

Multiple arrests of social networkers over “allegedly offensive” posts under Section 66A of the Indian IT Act have motivated pranksters and people seeking revenge to hack into legitimate Facebook accounts, or to set up spoofed accounts in their victims’ names, to circulate offensive and hateful posts against well-known political leaders, communities and Indian national emblems.

In an attempt to avoid being embroiled in tiresome police investigations, or facing the ire of political parties, social networkers who found spoofed profiles in their name, or discovered that their accounts had been hacked, have started reporting such instances to the Indian cyber police.

The lack of clear guidelines about which content violates Section 66A of the Indian IT Act is behind the flawed reasoning in these arbitrary arrests of innocent social networkers for banal posts, and for posts made from hacked accounts. Indian social networkers are advised to proactively check whether their account has been spoofed or hacked, and to report such cases to the social networking site concerned or to the police.

Most online sites that accept user-generated content have a ‘reporting’ mechanism. Sites allow subscribers to report others who violate their Statement of Rights and Responsibilities by clicking ‘Report’ or ‘Block this Person’ type options. Users can report profiles that impersonate them, use their photograph, list a fake name, do not represent a real person, or carry abusive posts. They can also report improper images, nudity, illegal drug use, the advocacy of terrorism or cyber harassment.

All social networkers should take a few simple precautions to secure their Facebook or Twitter accounts, as described in my previous posts titled Best practices for safe social networking and Thirteen Best Practice to Stay Safe Online.

Wednesday, November 28, 2012

Your posts could be misused to settle scores

Most countries have enacted laws to police online publications that are libellous, criminal or violate national security interests. Publishing and republishing such posts and tweets is against the law. Cybercitizens and journalists need to be aware that republishing posts by “liking”, “retweeting” or copying the contents into news reports or blogs can also constitute a crime. Unfortunately, the drafting of these cyber laws has introduced a level of subjectivity in their interpretation and enforcement (see Redefining Section 66A of the IT Act), which can be conveniently misused by third parties to settle scores and to further their political interests.

Last week there was a huge uproar in Mumbai, India, when two young girls were arrested for a Facebook post questioning the shutdown of Mumbai to mourn the death of a popular political leader. One girl was arrested for writing the Facebook post and the other for liking it. Both were charged under a section on hurting religious sentiment, which can attract three years of imprisonment. The arrests led to widespread public condemnation of the way the police interpreted the law and acted, and of the failure of both the police and the judiciary to dismiss the case. Political pressure from the resulting public movement led to the suspension of the police officer who registered the case and the transfer of the magistrate who allowed it to proceed without a sufficient assessment of its merits.

It appears that the current case in Mumbai will lead the police to adopt a set of procedures for filtering out frivolous complaints, by validating such complaints with their legal cell before acting on them.

Cybercitizens should bear in mind that the openness of the Internet allows posts to be seen by a wider audience, who may interpret their contents from a vastly different perspective, and with a different motive, than your close friends. They may also use the opportunity to file complaints to further their political interests, and in the process completely disrupt the normal life of the person who wrote the post. Your posts can be misused by a person you trusted to settle scores, or by strangers for their political ends.

Appropriate privacy settings and a judicious review of what you post and tweet are essential.

Monday, November 26, 2012

Safe surfing at cybercafés

In cybercafés, where computers are shared by many users, there is a high probability that malware is present. Malware on a shared machine can be used to steal your credentials and later take over your accounts; treat any password typed on such a machine as potentially compromised. Safety tips to keep in mind for a safer browsing experience from the convenience of a cybercafé are:

  1. Avoid carrying out online financial transactions and using websites that may reveal your personal details or financial status.
  2. Restrict the use of cybercafés to plain Internet surfing.
  3. Cybercafés are primarily used for chatting and email. Consider alternatives, such as a smartphone, for this purpose.
  4. For email, consider setting up a dummy account to which mail from your primary accounts is forwarded. If the dummy account is compromised, your primary email accounts remain unaffected.
  5. Use a different password for each of your online accounts, so that the compromise of one account does not affect the others.
  6. After every cybercafé session, change the passwords of the accounts you used, from a trusted personal computer.
  7. Log out of each account manually, and make sure your passwords are not stored on the computer by the browser.
  8. Ensure privacy of your surroundings when entering your password; people may watch you type it in.
  9. A cybercafé that allows you to install software on the desktop is probably unsafe, since other users could install malware on it too. Where possible, use only cybercafés that do not give users administrative access to their computers.

Wednesday, November 14, 2012

Sites that allow anonymous posting of your intimate pictures

Entrepreneurs abound on the Internet, even those who set up sites that allow an anonymous individual to repost your intimate pictures (nudes or semi-nudes) without your permission, along with your telephone number, location and Facebook profile link. It is a sure-shot recipe for reputation damage, emotional trauma and depression. Such sites give ex-partners, jealous friends and blackmailers an easy opportunity to publish such pictures to a wide audience of people looking for casual sex, and even to email links to your circle of friends. Intimate photos may find their way online in many ways, as outlined in 3G, Cell Phones, Social Networking and the not so Innocent Obsession.

These shady sites exploit provisions of the law that shield sites from legal action for content posted by their users, and in countries where pornography is legal this allows them to publish such pornographic content. Copied below are some of the submission guidelines of one such site, which I do not wish to name so as not to give it a popularity it does not deserve.

·    You must send at least 2 pictures with your submission. At least one must be a full or partial nude image.

·    You must send a phone number or Facebook link with your submission.

·    You must be 18+, and the person you are submitting must also be 18+, they also must have been 18+ at the time that the pictures were taken.

·     In the event of any legal, criminal or civil action you agree to indemnify (the Site) and its owners from involvement.

·     Anything that happens to you, legally, or otherwise, as a result of your submission/use of this website, is not our fault or responsibility.

·    By submitting you are forming a ‘contract’ with (The Site) (an agreement to the terms listed here) and allowing us to repost your content. You are considered to be the actual poster of this content and we are simply reposting it for you.

The site in question also offers a takedown service for a fee. This is one of the ways it profits.

Wednesday, November 7, 2012

Best practices for safe social networking

Stay safe and better aware on social networks by following these simple tips:
  • Familiarize yourself with the privacy and security settings on your social networking site and set your desired level of privacy protection.
  • Protect your online reputation by being careful about what you post. What you post online stays online. Besides possibly causing reputation damage, the more information you post, the easier it is for someone else to use that information to steal your identity, track movements, or commit other crimes, such as stalking.
  • Be prudent, say no, and accept only people you would like to have on your social network. Once you accept friends, their posts on your page can be viewed by your entire circle of friends, and vice versa. What they post could have an impact on your reputation.
  • Do not accept strangers merely because they display an attractive photograph. This is a common technique used by spammers, and by those with malevolent intentions, to gain access to you and your circle of friends.
  • If someone is harassing or threatening you, remove them from your friends list and report them immediately.
  • Be cautious about posts that contain embedded links, even when sent by a close friend, who may himself or herself be a victim. Spam and malicious links are couched in attractive posts to ensure they go viral.
  • Do not circulate objectionable content. Report such content if you come across it.
  • Do background checks on profiles, and be wary of suspicious behavior by unknown people or friends of friends you accept on social networks.
  • Withdraw from suspicious groups, and block people you no longer trust.
  • Do not go unescorted to meet a stranger. This applies to you whether you are an adolescent, teenager or adult. There have been cases of men who went to meet a "pretty girl" from Facebook ending up being brutally beaten and robbed.
  • Any request for money from unknown persons you befriended online should be met with the greatest of scepticism.
  • Any request for money from a friend or a friend's friend should be verified first by a phone call or through other means.
  • Avoid revealing or sexually-attractive photographs in your profile, as it will draw the wrong kind of attention. But do put a recent photograph of yourself so that others can verify who you are.
  • Limit the dissemination of sensitive personal information, as technical flaws and advertising may reveal it to an unintended audience.

Monday, November 5, 2012

Redefining Section 66A of the Indian IT Act

The use of Section 66A of the Indian IT Act to arrest a businessman who tweeted that a cabinet minister’s son was corrupt drew sharp condemnation from Twitter users and the national press, as it appeared Orwellian. Ironically, the main issue was not the use of the law but its definition, which allowed it to be used in lieu of other provisions that deal with defamatory statements. People feared that the current definition would be used to instill fear and censor free speech online.

Section 66A of the Indian IT Act 2000, as amended in 2008, states:

 Any person who sends, by means of a computer resource or a communication device,—

(a) any information that is grossly offensive or has menacing character; or

(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device,

(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages, shall be punishable with imprisonment for a term which may extend to three years and with fine.

As a layman reading the law, I felt the definition to be comprehensive enough to address a wide range of cybercrimes, but not specific enough to distinguish between the very petty and the more severe cases without going to the courts.

Laws are made to accommodate the normal behavior and misbehavior of people, and should not be so all-encompassing that the definition itself is difficult to interpret. There is an antisocial element in all Internet communication that netizens are willing to live with, such as messages that cause annoyance, ill will or inconvenience.

I believe the section could be further refined to target cases where people are unduly harassed by vicious and relentless online messages that affect the emotional state of victims, leading to depression, fear and suicide. Such communications, which include vulgar emails, death threats, blackmail, hate speech, sedition and the posting of a victim’s obscene pictures, must be spelled out explicitly.

Sunday, November 4, 2012

Cyber Trolls are sadistic Anti Social Networkers

The issue of cyber trolling shot into online prominence with the tragic suicide of 15-year-old Amanda Todd. Innocent and trusting, Amanda, then 13, was convinced to flash her breasts over a webcam by a smooth-talking stranger. The stranger captured the image and tried to blackmail her into more private sessions. When this failed, he mailed the picture to her friends and set off a relentless and vicious cycle of cyber bullying. So persistent was the bullying that followed that it drove her out of her school and locality, and even a full year later, when she was trying to put her life back together in another place and school, it caught up with her, leaving her nowhere to turn.

Wikipedia defines a troll as “someone who posts inflammatory, extraneous, or off-topic messages in an online community, such as a forum, chat room, or blog, with the primary intent of provoking readers into an emotional response or of otherwise disrupting normal on-topic discussion.”

The anonymity of social networks limits individual accountability and fuels a breakdown of social norms and rules, which allows a small percentage of netizens, the cyber trolls, to indulge unchecked in vile and deviant behavior. Cyber trolls prowl social networks anonymously for every opportunity to post slanderous or downright insulting remarks about people, living or dead, whom they may know in real life or who are complete strangers. They display no morals when writing demeaning comments on RIP pages, hurling hurtful taunts and issuing death threats to children, teenagers and even celebrities.

If individuals try to fend off their vitriol, the trolls retaliate in packs, often encouraged by others who laugh at their jokes, fuelling their sadism and egging them on.

Every person expects a certain amount of abuse as part of everyday social networking, but when it crosses a threshold, both children and adults have been driven to depression, drugs and ultimately suicide attempts, triggered by the ensuing feeling of helplessness. Help is not at hand from the social networking sites, which refuse to police such messages or mediate content, however “potentially” offensive or controversial, unless it violates their terms of service.

One of the better options for victims is not to retaliate, and to ignore these comments as best they can. Fighting back is seen as a weakness and is exploited by the pack mentality of trolls and their supporters, inviting a further barrage of spite.

Cybercitizens should not support cyber trolls by agreeing with them or egging them on. Not feeding the trolls, and condemning their activities, will help rein in their deviant behavior. While incidents of cyber bullying may be widespread, they vary in severity; serious cases are few, but the potential of the problem is a real concern. It is also important for parents to be aware whether their child is a victim, or a perpetrator, of cyber bullying.


Wednesday, October 17, 2012

Amending existing laws to accommodate cybercrimes, a flawed approach

Indian newspapers recently carried reports captioned “Crimes against women: Send porn MMS, emails, land in jail for 3 yrs, pay Rs 50,000 fine”. Cybercrime involving the filming and distribution of porn MMSes of unsuspecting women has always captured newspaper headlines in India. Publicized cases have been few, and convictions almost negligible.

According to these reports, an amendment to the Indecent Representation of Women (Prohibition) Act 1986 was cleared by the Indian Cabinet, bringing in stringent penalties for transgressors using electronic media. Until now the 26-year-old act covered only print advertisements and publications.

When I read the fine print of the amendment, it struck me that this was not in the least a law against cybercrime, only an amendment to cover the indecent representation of women in electronic advertisements. Beyond showing how fallacious newspaper headlines can be, it amply establishes that cyber laws are daunting to enact and far from practical implementation.

Trying to amend old laws to accommodate new behavior in the Internet era is fundamentally flawed, even if it is a quick fix. In the past, using print media, it was arduous for an ordinary individual to distribute indecent content at scale; consequently, when the act was written twenty-six years ago, it never considered this an issue. Today, in the electronic world, anyone with a mobile phone camera, an Internet connection and a dirty motive or an opportunity can do it. Such indecent online postings by solitary individuals, whether trolls, bullies, pornographers or cybercitizens settling scores online, are commonplace.
New laws to tackle cybercrime must be written that embody this new genre of criminal behavior and cybercitizen misdemeanors.

Monday, October 15, 2012

Cyber Crime: Unsuspecting Indians fall prey to Call Fraud

The phone rang once and was instantly cut. Sixty-year-old Sally gave a passing glance at the missed-call number, which began with +22 and looked like her local Mumbai code (022), and called back. At the other end of the line she heard the mournful shrieks of a woman being beaten and the savage voice of a man hurling constant abuse. Worried, confused, and fearing she had received an SOS call, she asked, “Who’s there? Is there a problem? Stop it!”

In the following 3-4 minutes, before she had time to think clearly, her call was cut short for lack of funds. The Rs 200 ($4) she had recently topped up her account with was exhausted. At the mobile store she was told that she had called a premium rate number charging Rs 50 per minute, and that this had consumed her balance. There was no refund. The telecom provider was not at fault; she should have checked the number before she made the call. Only later did she read in the national newspaper that such frauds were widespread.

As she recounted this incident to her neighbor, she asked, “If the frauds were so well known, should not the telecom company and the government have done something about it?”

India is a large prepaid market, and international fraudsters have conjured up several tricks to coax vulnerable people into calling international premium rate numbers. Calls to such numbers are charged at a premium over normal calls. These numbers are legitimately used for adult chat lines, directory enquiries and voting for contestants on game shows.

Fraudsters buy these premium rate numbers from international telecom companies and earn money by sharing the revenue from calls made to them. They grow their earnings by raising call volumes, using automated dialers and other such schemes to dupe victims into calling these numbers. The revenue-sharing arrangement, some would argue, reduces a telecom’s own motivation to check such activity unless forced to do so by law or regulation.

The fraudster’s first objective is to dupe people into calling the premium rate number. They do this by making several “ring once and cut” (missed) calls to a victim’s phone, creating a sense of urgency to call back, and by choosing international numbers that resemble local codes so that the missed-call number appears local. For example, an international number beginning +224 (the country code of Guinea) may be mistaken for the “022” Mumbai code by individuals unfamiliar with international dialing.

The second objective is to keep the victim engaged on the call for as long as possible, since a longer call means higher revenue for the fraudster. This is usually done by playing a recording of a woman being abused or having sex, or by using a live operator who masquerades as the agent of a scheme such as a lottery the victim is supposed to have won. The operator takes time to brief the victim on the win, and even notes down personal details such as a postal address to mail the prize to. The personal information can later be used for other types of online scam.

Stolen phones are also used to call premium rate numbers, usually immediately after the theft. Tourists who lose their phones abroad quickly find that their credit limits do not apply, because of the delay in the home operator receiving billing data from the foreign carrier. Bills may be huge.

Safety Tips to Keep in Mind to Avoid Call Fraud

1.    Do not call back unknown international numbers. Be suspicious of a “one ring and cut” call.

2.    Disable the international dialing facility if you do not need it.

3.    Report a stolen phone and have the number blocked immediately.

Actions Telecom operators and the Law can take

1.    Telecoms should enable international calling on request, not by default.

2.    Telecoms should detect fraudulent use of premium rate numbers by studying call patterns.

3.    Governments should enact strict laws and penalties to discourage such crimes.
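The call-pattern study that the second point above asks of telecom operators is straightforward to sketch. The following is an added example, not code from the original post or from any operator: it parses a handful of constructed call detail records (CDRs), flags foreign numbers that bait subscribers with repeated zero-duration calls and are then called back at premium rates, and notes when such a number reads like a local code with the plus sign ignored (the +224 versus 022 confusion described earlier). The CDR column layout, the subscriber and far-end numbers, the per-minute rates and the thresholds are all assumptions made for illustration.

```python
"""Flag 'one ring and cut' (wangiri) call-back fraud from call detail records.

Added example, not code from the original post or from any telecom operator.
The CDR layout, the phone numbers, the tariffs and the thresholds are constructed
for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import ceil

# Constructed CDRs, chronological. direction "in" = subscriber received the call,
# "out" = subscriber placed it. A missed call is recorded with duration 0.
SAMPLE_CDRS = """\
ts,subscriber,direction,other_party,duration_s,rate_inr_per_min
2012-10-14T09:00:01,+919820000001,in,+22412345678,0,0
2012-10-14T09:00:05,+919820000001,in,+22412345678,0,0
2012-10-14T09:00:09,+919820000001,in,+22412345678,0,0
2012-10-14T09:01:30,+919820000001,out,+22412345678,215,50
2012-10-14T09:05:00,+919820000002,in,+912226543210,0,0
2012-10-14T09:06:00,+919820000002,out,+912226543210,120,1
2012-10-14T10:00:00,+919820000003,in,+22412345678,0,0
2012-10-14T10:00:04,+919820000003,in,+22412345678,0,0
2012-10-14T10:02:00,+919820000003,out,+22412345678,180,50
"""

HOME_COUNTRY_CODE = "+91"   # assumption: an Indian operator
LOCAL_TRUNK_CODE = "022"    # Mumbai STD code, as in the post


@dataclass(frozen=True)
class Cdr:
    ts: datetime
    subscriber: str
    direction: str
    other_party: str
    duration_s: int
    rate_inr_per_min: float


def parse_cdrs(text: str) -> list[Cdr]:
    """Parse the constructed CSV layout above into Cdr records."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    records = []
    for line in lines[1:]:
        f = dict(zip(header, line.split(",")))
        records.append(Cdr(datetime.fromisoformat(f["ts"]), f["subscriber"],
                           f["direction"], f["other_party"],
                           int(f["duration_s"]), float(f["rate_inr_per_min"])))
    return records


def is_international(number: str) -> bool:
    return not number.startswith(HOME_COUNTRY_CODE)


def looks_like_local(number: str, trunk_code: str = LOCAL_TRUNK_CODE) -> bool:
    """True if a foreign E.164 number, read with the '+' ignored, starts with the
    same digits as the local trunk code (022 -> 22), e.g. +224... for 022..."""
    return is_international(number) and number.lstrip("+").startswith(trunk_code.lstrip("0"))


def detect_wangiri(cdrs: list[Cdr], min_missed: int = 2,
                   premium_rate_inr: float = 10.0) -> dict:
    """Return {far_end_number: report} for foreign numbers that placed at least
    min_missed zero-duration calls to a subscriber who then called back and was
    billed at or above premium_rate_inr per minute."""
    missed = defaultdict(lambda: defaultdict(int))   # number -> subscriber -> count
    callbacks = defaultdict(list)                     # number -> outbound answered calls
    for c in cdrs:
        if not is_international(c.other_party):
            continue                                  # domestic traffic is out of scope here
        if c.direction == "in" and c.duration_s == 0:
            missed[c.other_party][c.subscriber] += 1
        elif c.direction == "out" and c.duration_s > 0:
            callbacks[c.other_party].append(c)

    reports = {}
    for number, per_subscriber in missed.items():
        baited = {s for s, n in per_subscriber.items() if n >= min_missed}
        premium = [c for c in callbacks.get(number, [])
                   if c.subscriber in baited and c.rate_inr_per_min >= premium_rate_inr]
        if not baited or not premium:
            continue
        # Operators bill per started minute (assumption), so round each call up.
        billed = sum(ceil(c.duration_s / 60) * c.rate_inr_per_min for c in premium)
        reports[number] = {
            "looks_local": looks_like_local(number),
            "baited_subscribers": sorted(baited),
            "victims": sorted({c.subscriber for c in premium}),
            "billed_inr": billed,
        }
    return reports


if __name__ == "__main__":
    for number, report in detect_wangiri(parse_cdrs(SAMPLE_CDRS)).items():
        print(number, report)
```

Run over the sample, the foreign number +22412345678 is the only one flagged: it rang two subscribers repeatedly, both called it back at Rs 50 per minute, and billed per started minute the first victim lost exactly the Rs 200 of the story. The domestic missed call from +9122... is ignored, and the detector would also ignore a foreign number that was called back at a normal tariff, which keeps ordinary international callbacks out of the alert queue.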

Wednesday, October 10, 2012

Loss of a personal portable electronic device

Most of us routinely carry many portable computing devices that vary in shape, colour, size and function, from expensive laptops, tablets and smartphones to cheaper eBook readers, portable hard drives and USB drives. Invariably, some of us lose one or more of these items through theft, physical damage, electronic failure or misplacement.

For an individually owned device, the largest cost is the replacement value of the asset. But there are other inherent, intangible risks: the disclosure of personal data such as intimate pictures and private correspondence, the potential misuse of email and social network accounts, and access to stored business data and emails.

Being aware of, and alert in, the situations where the probability of losing these devices is highest is in itself an effective safeguard against loss. Statistically, theft is most likely to occur at home or from a car, physical damage through lax handling during travel, and misplacement at airport security checkpoints, in hotel rooms and in rented cars. Individuals are most vulnerable when they are in a hurry, have things on their mind, act carelessly or in anger, or carry too many gadgets.

Safety tips that can be kept in mind are:

1.    Label the device with your name, address, email ID and telephone number to assist in its return.

2.    Use full disk encryption to prevent access to the data on it, both personal and business.

3.    Use a strong password to log on to the operating system (e.g. Windows). This delays, but does not prevent, access to email and social networking applications whose passwords the browser has saved: the operating system password can be recovered with password cracking tools, and without disk encryption the drive can simply be read from another machine.

4.    Take backups.

5.    Use protective cases to prevent physical damage during travel.

6.    In the event of a loss, immediately change all passwords for email and social networking applications that the browser had saved. Preferably, disable the browser function that saves passwords and take the trouble to key them in each time.

7.    Carry fewer devices.

Monday, October 8, 2012

A lesson on keeping information secret

While preaching the Sunday sermon, our parish priest gave a vivid example of how a young mother taught her ten year old son, a lasting lesson on keeping secrets.

He said “Shirley was Beth’s neighbor and her best friend.  Animatedly, over a cup of tea, at Beth’s house she poured out the problems she was facing with her young daughter. As she left, she asked Beth to keep what she told her a secret, as it would affect her relationship with her daughter, if she or others came to know.

Later, Beth realized that her ten-year-old son had overheard the entire conversation. She called him and said, “Ryan, if Shirley had left her purse in our house today, would we give it to anyone, or only to her?” Ryan replied, “Only to her, mama”. Then Shirley said, “Today, she left something even more valuable when she shared her problems with me. We do not have the right to share them with anyone”.

In this simple way she taught her child the meaning of confidentiality.

In a similar way, we as employees share an equal, or greater, responsibility to protect corporate data and customers’ personal data. Organizations, like individuals, have their own confidential and personal customer data to safeguard against loss, or theft by competitors and criminals. Companies need to keep secrets to protect business interests: to keep certain decisions confidential, safeguard new product development, ensure customer data privacy and keep design secrets under wraps for as long as needed.

Sunday, October 7, 2012

Security helps avoid common omissions and errors in business operations

A flash crash at the National Stock Exchange in India brought down the Nifty (the stock index) by 15.5% and shut the exchange for a short period. Circuit breakers were triggered after a trader erroneously keyed a single large order into the system, interchanging the number of shares to be sold with the value of the trade. The incident exposed two systemic failures: the inability to prevent a trader from entering an erroneous order of abnormally large magnitude, and the failure of the exchange’s processes, software and systems to swiftly freeze trading and shut the market once the 10% volatility threshold was breached.

Most believe that “security” in information security refers only to the measures an organization uses to protect itself against malicious activity by external agents and its own employees. This is only partly true: information security ensures the confidentiality, integrity and availability of information not only against external threats but also against mistakes, errors, and faulty process and system design.

A good security plan and its implementation will always take into account all the potential misuse scenarios that could harm an organization’s reputation, assets or compliance obligations; in layman’s terms, actions, both malicious and inadvertent, that endanger a business.

Most data breaches are due to simple acts of omission, such as technical misconfigurations by system administrators, the use of default passwords and inadequate operational checks and balances. Security, if well thought out and implemented, can prove a lifesaver by reducing the occurrence of operational risks in an organization’s day-to-day operations.

The trading firm in the above incident had to buy the shares back at higher prices to stay in business, at a cost amounting to 50% of its net worth. Had the firm put in place relevant checks and balances to validate large trades before they left the trader’s terminal, it would have been spared the financial loss.

On a different note, a similar situation could have arisen if a malicious hacker, or a disgruntled employee who knew the system, had misused it to crash the exchange with a single large trade. An experienced security professional would have brought this perspective in through a “misuse” scenario while designing or reviewing the trading processes and software, and recommended preventive controls.
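The preventive control the last two paragraphs call for is a pre-trade check that runs before an order leaves the trader’s terminal, and it catches the malicious case and the inadvertent one with the same code. The following is an added example, not code from the exchange, the trading firm or the original post. It rejects an order whose notional value or share count exceeds per-order limits, flags a limit price far from the last traded price, and, because the post says the quantity and value fields were interchanged, tests whether the rejected quantity reads as a rupee value that would have passed had it been divided by the price. The symbol, reference price, average daily volume and all limit values are constructed assumptions that a risk desk would tune; only the 10% index threshold for the exchange-side circuit breaker comes from the post.

```python
"""Pre-trade 'fat finger' checks and an index circuit breaker.

Added example, not the exchange's or the trading firm's code. The order layout,
the reference data and the limits are constructed assumptions; the 10% index
move that trips the breaker is the threshold the post describes.
"""
from dataclasses import dataclass


@dataclass
class Order:
    symbol: str
    side: str        # "BUY" or "SELL"
    quantity: int    # number of shares
    price: float     # limit price in INR; 0.0 means a market order


@dataclass
class Limits:
    max_notional_inr: float = 50_000_000.0   # assumed per-order cap (INR 5 crore)
    max_pct_of_adv: float = 0.05             # assumed cap: 5% of average daily volume
    price_band: float = 0.10                 # assumed: limit price within 10% of last


# Constructed reference data: last traded price and average daily volume (ADV).
REFERENCE = {"NIFTYCO": {"last_price": 1000.0, "adv": 2_000_000}}


def _limit_breaches(quantity: int, price: float, ref: dict, limits: Limits) -> list[str]:
    """Hard limits on a (quantity, price) pair; reused to test the 'swapped fields' theory."""
    reasons = []
    if quantity <= 0:
        reasons.append("quantity must be positive")
        return reasons
    notional = quantity * price
    if notional > limits.max_notional_inr:
        reasons.append(f"notional INR {notional:,.0f} exceeds per-order limit "
                       f"INR {limits.max_notional_inr:,.0f}")
    if quantity > limits.max_pct_of_adv * ref["adv"]:
        reasons.append(f"quantity {quantity:,} exceeds {limits.max_pct_of_adv:.0%} "
                       f"of average daily volume ({ref['adv']:,})")
    return reasons


def validate_order(order: Order, ref: dict, limits: Limits) -> list[str]:
    """Return the list of reasons to block the order; an empty list means it may be sent."""
    price = order.price or ref["last_price"]          # market orders are valued at last price
    reasons = _limit_breaches(order.quantity, price, ref, limits)
    if order.price and abs(order.price - ref["last_price"]) / ref["last_price"] > limits.price_band:
        reasons.append(f"limit price {order.price} is more than {limits.price_band:.0%} "
                       f"from last price {ref['last_price']}")
    if reasons:
        # The post's incident: the rupee value was keyed into the quantity field.
        # If quantity / price would have passed every hard limit, say so explicitly,
        # so the trader sees the likely field interchange rather than a bare rejection.
        swapped_qty = round(order.quantity / price)
        if swapped_qty > 0 and not _limit_breaches(swapped_qty, price, ref, limits):
            reasons.append(f"quantity {order.quantity:,} looks like a rupee value; "
                           f"{swapped_qty:,} shares at INR {price} would pass "
                           f"(quantity and value fields possibly swapped)")
    return reasons


def circuit_breaker_tripped(index_reference: float, index_now: float,
                            threshold: float = 0.10) -> bool:
    """Exchange-side check: halt trading once the index moves by the threshold (10% in the post)."""
    return abs(index_now - index_reference) / index_reference >= threshold


if __name__ == "__main__":
    limits = Limits()
    ref = REFERENCE["NIFTYCO"]
    intended = Order("NIFTYCO", "SELL", 17_000, 1000.0)        # INR 1.7 crore, sane
    fat_finger = Order("NIFTYCO", "SELL", 17_000_000, 1000.0)  # value keyed as quantity
    print("intended:", validate_order(intended, ref, limits) or "accepted")
    for reason in validate_order(fat_finger, ref, limits):
        print("fat finger:", reason)
    print("breaker at 11% fall:", circuit_breaker_tripped(5000.0, 4450.0))
```

The check is deliberately two-sided: the same notional and ADV limits that stop a mistyped order also stop an insider who deliberately enters one, which is why it belongs in the trading system rather than in a trader’s own discipline. The swapped-field hint is advisory; the order is still rejected, and a desk would normally require a supervisor to release anything that breaches a hard limit.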


Sunday, September 9, 2012

Communal Cyber Distortions Campaigns and Social Networks

Social media can be effectively manipulated to create a sense of panic among citizens on communal lines, since rumors spread virally leaving little time for Governments to clamp down on such communications.

Nation states that lack effective cyber enforcement and harbor radical elements allow members of these groups to post distorted information on social networks and websites without fear of the law. Such posts are intended to create conflict and communal strife, in their own country and in others.

In India, the recent communal clashes between two communities in the north-eastern state of Assam gave radicals in other countries an opportunity to post morphed images of supposed violence on social networks, while instigating local sleeper cells to send SMSes designed to trigger panic among people of north-eastern origin working in large Indian cities such as Bangalore, Hyderabad and Pune. This caused mass panic and an overnight exodus of over 50,000 people from these cities, forcing the Government to take the extreme step of banning bulk SMSes for a fortnight in an effort to curb the panic.

There are four lessons to be learned from this incident. 

The first is the obvious efficacy of such mass cyber hate campaigns and their ability to fuel ideological cyber wars that directly affect the safety and security of citizens. In the recent past, most state-sponsored cyber war activity has been for espionage or to take down industrial installations.

Secondly, it exposed the hurdles in speedily taking down hate posts and tweets on popular sites such as Twitter and Facebook during the viral phase of such a campaign. The steps involved identifying hate sites, reviewing them, reaching consensus on blocking them, and then trying to get social networks outside India’s jurisdiction to remove them without court orders. India is now formulating an incident response mechanism to counter future hate campaigns.

Thirdly, India realized that it did not have the ability to block hate posts on a state or regional basis, an ability that would be useful in putting out local conflicts. India currently has the ability to block URLs at the national level but not at the state level. Building networks capable of regional blocking requires reallocation of IP address schemes on a state-by-state basis, and large investments in filtering technology.

Fourthly, there is the need for a neutral international agency which solicits an appropriate response from nations that are not keen on or unable to act against hate actors operating from their soil, based on international treaties or agreements.

Balancing the need for a secure cyber space with respect for the privacy and individual freedom of cyber citizens, while ensuring that the Internet remains open for innovation, is increasingly stressed in such situations. To prevent Governments from being forced to enact regulations that restrict free use of the Internet, future collaborative working between social networks and Governments is vital, as what they do or do not do has an impact on people’s lives and safety.

Tuesday, September 4, 2012

Proprietor of a Cyber Security firm caught for Hacking for Profit

Two members of a pan-India hacker group, "Indishell", and its offshoots were arrested on Saturday 1 Sept 2012 for hacking into an e-commerce website that specializes in mobile recharge. The hacker in question was the owner of a cyber security firm. This highlights the danger in choosing pen test vendors, as the leakage of vulnerability information to an untrustworthy vendor is a significant threat.

The Government of India, via its cyber institution CERT-IN, has a high quality empanelment process, which includes a detailed expertise evaluation and involves a thorough check of the company’s background, experience and personnel. The test challenge is of high quality (requiring both tool and manual expertise). With a cut-off score of 90%, it is difficult to pass.

At the moment, we do not have an independent Indian body to individually assess, background-verify and accredit pen testers. Some large companies do this on their own, undertaking an external background verification check for every consultant and mandating basic qualifying certifications like CEH.

Monday, September 3, 2012

Security controls have side effects which affect user experience

Most security controls are like drugs which cure potent diseases but bring along undesirable side effects. These side effects affect the ease of use of most electronic devices and services, such as ATMs, biometric devices, and login or even enrollment on web sites. The design of controls must also consider how the controls themselves can be misused, in order to eliminate or reduce these side effects. The best way, though difficult to implement, is to tuck security into the background where it works silently and invisibly. Would we all not like to pay with our credit card online without filling in a lengthy form?

Take the case of the Reserve Bank of India (RBI) doing away with cash retraction systems in ATMs, as it found a large number of dubious claims of non-receipt of cash. The security feature helped customers in instances when the ATM did not dispense cash quickly and the cash was left behind by customers who thought the ATM was not working.

Another example is the locking of accounts after a fixed number of failed authentication attempts. This feature protects users from a variety of automated password attacks, reducing the risk of account compromise where the password strength is low. The same feature can also be abused to create a minor inconvenience, if an account is deliberately locked by a malicious individual.
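The trade-off in the lockout example can be made concrete. The following is an added illustration, not code from the original post or from any product: a hypothetical hard-lockout policy is placed beside a sliding-window throttle keyed on the user and the source address, and both are run against a constructed scenario in which a flood of wrong passwords for one user arrives from a single address while the real owner logs in from her own. Class names, addresses and timings are all assumptions made for the example.

```python
"""Added example: a hard account lockout beside a sliding-window throttle.

Hypothetical policy classes (not from any product); the scenario data is constructed.
"""
from collections import defaultdict, deque


class HardLockout:
    """N consecutive failures lock the account until an administrator resets it.

    Anyone who knows a username can trigger the lock from anywhere."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, user, source, password_ok, now):
        """Return 'ok', 'denied' or 'locked'. `now` is a timestamp in seconds."""
        if user in self.locked:
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
        return "denied"


class SlidingWindowThrottle:
    """Failures are counted per (user, source) inside a time window.

    Exceeding the limit rejects further attempts from that source only, and the
    penalty expires on its own, so a third party cannot lock the real owner out."""

    def __init__(self, max_failures=5, window=300.0):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)  # (user, source) -> failure timestamps

    def _recent(self, key, now):
        # Drop failures older than the window before counting.
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def attempt(self, user, source, password_ok, now):
        """Return 'ok', 'denied' or 'throttled'."""
        q = self._recent((user, source), now)
        if len(q) >= self.max_failures:
            return "throttled"
        if password_ok:
            q.clear()
            return "ok"
        q.append(now)
        return "denied"


def simulate(policy):
    """Constructed scenario: 20 wrong passwords for 'alice' arrive from one source,
    then alice logs in correctly from her own address, and the flood resumes."""
    for i in range(20):
        policy.attempt("alice", "198.51.100.7", False, now=float(i))
    owner = policy.attempt("alice", "192.0.2.10", True, now=25.0)
    flood = policy.attempt("alice", "198.51.100.7", False, now=26.0)
    # Much later: the throttle window has expired, the hard lock has not.
    later = policy.attempt("alice", "198.51.100.7", False, now=1000.0)
    return owner, flood, later


if __name__ == "__main__":
    print("hard lockout:", simulate(HardLockout()))
    print("throttle:    ", simulate(SlidingWindowThrottle()))
```

With the hard lockout the owner is refused along with the flood; with the throttle the owner gets in while the flooding source stays blocked until its window expires. A per-source throttle on its own does not stop a guessing campaign spread over many addresses, so in practice it is paired with a per-user cap that slows attempts or steps up to a second factor rather than locking outright.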

CAPTCHA is another feature which prevents automated attacks during enrollment on web sites, but with the growing sophistication of machine reading, the design of CAPTCHA phrases is becoming complicated for humans to read too. Invariably, user success comes only after a few tries.

There are many more such examples. Our challenge is to recognize the side effects and work out ways to minimize them, rather than let customers live with them. This requires better architectural designs and innovation in security technology.

Saturday, September 1, 2012

The Saudi Aramco cyber attack points to a new arsenal in the Hacktivist’s armoury

On August 15, 2012 a virus infected 30,000 desktops of the world’s largest oil producer, Saudi Aramco, forcing disconnection of its IT systems from the external world and the launch of a massive exercise to cleanse the infection. The primary objective of the virus was to erase all data from hard disks and report the deleted file names to an external control center. The attack was undertaken by a group calling itself the “Cutting Sword of Justice” which said in an ideological post on Pastebin that it was “fed up of crimes and atrocities taking place in various countries around the world”.

Saudi Aramco is one of the largest petroleum producing companies and accounts for a significant portion of the Saudi economy. The hackers chose a Critical National Infrastructure target which is the largest financial source for the Al-Saud regime. A major disruption of Aramco’s oil production networks would consequently have had a direct impact on global energy supplies and the global economy. Aramco reported that it had air-gapped its oil production network, thereby preventing damage to its oil production assets.

In past attacks like Stuxnet, the development of similar malware was primarily attributed to government funded units, but in this case the incident seems to suggest that the virus was developed by a hacktivist outfit.  If true, it indicates a new and disturbing trend as previous Hacktivist methods were limited to the more mundane denial of service attacks or hacking into web sites.

Antimalware products have also once again demonstrated how deficient they are in defense against custom malware.

Sunday, August 26, 2012

A Naked Prince, Spy Cams and a big Hangover

The very recent episode of “The Naked Prince in Las Vegas” amply demonstrated the commercial value of a celebrity’s personal life. The party girl who revealed naked snaps of Prince Harry online has reportedly been offered a $1 million package for the mobile footage of the entire party. Was the secret filming planned, or simply an opportunity seized? I guess we will never know.

Privacy can easily be compromised with a mobile or spy camera. There have been many instances where such footage has been used for blackmail, sold to porn sites or used by the media.

Celebrities are most at risk, when they move out of closed social circles and try to socialise like normal people.  It must be difficult for royalty, who are caught between the need to adhere to tradition and personal life.

Tuesday, July 31, 2012

London Olympic 2012 Security and the Mysterious Woman leading the Indian Contingent

Hosting an event like the Olympics requires a large number of security personnel to operate X-ray machines, search vehicles and stand guard at venues. For the London 2012 Olympics, over 10,000 personnel had to be recruited and trained to prevent theft, activism and unruly activity. Mobilizing an enormous workforce of temporary recruits or volunteers for a short event is expensive, and usually results in poor or hurried training of personnel and inadequate background checks. It is not possible to recruit well in advance because of the large numbers involved and the need to contain staff costs. It may be said that the temporary workforce is used more to mitigate risk than to remove it, with prime responsibility for security resting on the more qualified forces such as the police and military, and on their defense-in-depth security cordon protecting athletes and spectators at the venues.

When I read about the mysterious woman who walked alongside flag bearer Sushil Kumar in a red track top, blue pants and sneakers, smiling, waving and soaking in the moment as the Indian contingent walked the track, it indicated a brazen gate crash into what should have been the inner sanctum of the security perimeter.

In this case, it turned out to be a protocol breach: an over-eager Indian student volunteer taking the opportunity to walk with the team. But it also indicated a large failure of the security apparatus, of volunteer training and of the supervision of volunteers. The same security vulnerability could have been exploited by terrorists for malicious ends.

Sunday, July 8, 2012

Use of infected Thumb Drives (USB Drives) is a major security weakness

Thumb drives are extremely popular due to their portability, convenience and low cost.  Computer users, at home or at work cannot do without a thumb drive for sharing digital data such as files or music.  Drives have become so cheap that product vendors freely distribute them at product conferences as giveaways or as repositories of digital product literature.  Any digital product with a USB port and storage capacity can be converted into a digital drive.  A common example would be the ubiquitous smart phone.  Thumb drives have also become fashion accessories with drives disguised as pendants and pens making them harder to detect.

Most companies prohibit or regulate the use of USB ports and the devices that can be connected to them. The US Government has forbidden the use of such devices in Government and Defense departments post Wikileaks. USB drives are used in targeted attacks to compromise systems which are physically isolated from the Internet or external networks. Stuxnet, a cyber weapon which destroyed Iranian centrifuges, spread through a compromised USB drive. In a more recent case, the Indian Eastern Naval Command was infected by malware which allegedly spread through a compromised USB drive. According to news reports, “The malware is then thought to have created a secret folder on the drives where it stored documents, and as soon as the drive was plugged into a computer connected to the web, it sent the files to specific IP addresses”.

Users of USB drives face the risk of mass malware designed for cyber crime involving spam or financial fraud or the more targeted variety for espionage or cyber destruction. Malware normally propagates by copying itself onto clean drives inserted into infected computers. There is a probability of mass infection if the drive is infected at production or when digital data (such as product brochures) are mass copied onto several thousand drives.

In both these cases, the common elements are a lack of security awareness, or the pressure of a deadline, causing individuals to override the fundamental security principle of not using third-party USB drives, and an over-reliance on antimalware products to detect malware. Antimalware products have limited success where the malware is custom designed for select targets.

In the case of the Iranian Stuxnet infection or the Indian Naval leak, the key point of introspection was the method by which the compromised drive entered the premises. These installations are highly secure and forbid the use of outside (non-registered) drives, so the use of an unauthorized drive, or the compromise of an internal one, needs a detailed investigation into the human element and the motive behind it. It is an indicator that the technical controls meant to prevent a motivated individual from using such drives were not as restrictive as they needed to be.
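To show what a technical "registered drives only" control looks like in practice, here is an added example; it is not the system used at any installation mentioned in this post and not code from the original. It models a deny-by-default check run on each USB storage insertion: the drive's vendor id, product id and serial (the attributes udev exposes as ID_VENDOR_ID, ID_MODEL_ID and ID_SERIAL_SHORT) are compared against a register of issued drives, and every decision is written as an audit line. The register contents, host names and device values are constructed for the example.

```python
"""Added example: enforcing a 'registered drives only' rule for removable storage.

Hypothetical policy code, not the system used at any installation named above.
The device attributes mirror what udev exposes (ID_VENDOR_ID, ID_MODEL_ID,
ID_SERIAL_SHORT); the registry contents and event data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class UsbStorageDevice:
    vendor_id: str   # USB idVendor as a hex string, e.g. "0951"
    product_id: str  # USB idProduct
    serial: str      # iSerial; cheap drives often report an empty or shared value


# Constructed registry of issued drives: serial -> (asset tag, vendor_id, product_id).
REGISTRY: Dict[str, Tuple[str, str, str]] = {
    "4C530001230512345678": ("asset-0042", "0951", "1666"),
    "AA04012700012345": ("asset-0107", "0781", "5583"),
}


def evaluate(device: UsbStorageDevice, registry=REGISTRY) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow' or 'deny'.

    Deny by default: only a drive whose serial is on the register, and whose
    vendor/product ids match the registered entry, may be mounted."""
    if not device.serial.strip():
        return "deny", "no usable serial number; drive cannot be registered"
    entry = registry.get(device.serial)
    if entry is None:
        return "deny", "serial not on the register"
    asset, vendor_id, product_id = entry
    if (device.vendor_id, device.product_id) != (vendor_id, product_id):
        return "deny", f"serial registered to a different model ({asset})"
    return "allow", f"registered drive {asset}"


def audit_line(host: str, device: UsbStorageDevice, decision: str, reason: str) -> str:
    """One log line per insertion, so denied drives can be followed up with the user."""
    return (f"host={host} vendor={device.vendor_id} product={device.product_id} "
            f"serial={device.serial or '-'} decision={decision} reason=\"{reason}\"")


def process_insertions(events: List[Tuple[str, UsbStorageDevice]]) -> List[str]:
    """Apply the policy to a batch of (host, device) insertion events; return log lines."""
    lines = []
    for host, device in events:
        decision, reason = evaluate(device)
        lines.append(audit_line(host, device, decision, reason))
    return lines


# Constructed insertion events for a stand-alone run.
SAMPLE_EVENTS = [
    ("ws-17", UsbStorageDevice("0951", "1666", "4C530001230512345678")),  # issued drive
    ("ws-17", UsbStorageDevice("090c", "1000", "")),                       # giveaway drive, no serial
    ("ws-22", UsbStorageDevice("0781", "5583", "AA04019900099999")),       # unknown serial
    ("ws-22", UsbStorageDevice("abcd", "ef01", "AA04012700012345")),       # registered serial, wrong model
]

if __name__ == "__main__":
    for line in process_insertions(SAMPLE_EVENTS):
        print(line)
```

A serial number is not a cryptographic identity, so a register like this stops accidental and casual use of outside drives and produces the audit trail the investigation above needs; against a determined insider it has to be backed by physical controls and by the follow-up of every denied insertion.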

Saturday, June 16, 2012

Flame and the Cyber Citizen. Why should we be worried?

Flame is hailed as the most sophisticated cyber weapon built to date. Discovered last month, it is currently the most talked about issue in the security community.

Flame is designed to propagate by intercepting Windows Update requests to surreptitiously install itself onto computers. The virus has the ability to self-propagate over a local network and to record audio, screenshots, keyboard activity and network traffic. This data, along with locally stored documents, is sent to servers on the Internet controlled by the creators of Flame.

Flame was primarily designed for espionage and its use was targeted at companies in the Middle East. The Flame virus is otherwise a normal application, with the major element of sophistication residing in its method of self-propagation and detection avoidance.

Cybercriminals today use similar applications. Their delivery mechanisms are not as sophisticated as the one in Flame. They also do not have the ability to self-propagate and instead rely on tricking cybercitizens into downloading such applications onto a desktop or mobile phone.

These applications are built for a purpose, just as Flame was built for espionage. The main motive of cybercriminals is money, and therefore these applications are normally used for a variety of frauds such as premium SMS scams, fraudulent cash transfers in Internet banking and even espionage.

The relative ease with which users adopt new technology allows cybercriminals to devise new ways to beat existing security systems. For instance, the growth of mobile app stores provides a simple way to infiltrate malicious applications onto smartphones. Cybercriminals have already built applications to beat the two-factor authentication provided by banks. Once installed on your device, they proxy all requests to your Internet banking site through a cybercriminal-controlled computer (actually call centers), allowing cybercriminals to make fraudulent transactions.

At the moment, there are no mature security products that can easily detect such applications as a first line of defense. Cybercitizens need to be cautious about what they download and where they download it from.

Saturday, March 10, 2012

Thirteen Best Practices to Stay Safe Online

The art of a safer online experience is to acquire situational awareness of cyber risks and use common sense to mitigate them. The thirteen best practices to reduce your risk exposure are:

1. Be aware of cyber risks by regularly reading news reports on real-life cyber incidents

2. Build situational awareness on how to recognize cyber threats

3. Use common sense while social networking

4. Write responsibly with proper etiquette. What you post online remains online, and you remain responsible for it

5. Have open discussions with your children on Internet safety

6. Avoid the use of copyrighted or pirated goods

7. Do not be tempted by discounted offers and money-making schemes

8. Call up the institution or check for known scams before replying to mails from law enforcement, financial institutions and governments requesting personal information

9. Do not engage in conversation with, or reply to mails from, scammers

10. Be careful with unsolicited mail and with clicking on links within it

11. Use security software on all your devices (computer, tablet, phone) and update it regularly

12. Use strong passwords along with the alternate authentication and verification options provided by sites

13. Report cyber crime