Sunday, September 9, 2012

Communal Cyber Distortions Campaigns and Social Networks

Social media can be effectively manipulated to create a sense of panic among citizens on communal lines, since rumors spread virally leaving little time for Governments to clamp down on such communications.

Nation states which lack effective cyber enforcement and harbor radical elements enable members of these groups to post distorted information on social networks and websites without fear of the law. Such posts are intended to create conflict and communal strife in their own and other countries.

In India, the recent communal clashes between two communities in the North Eastern state of Assam gave radicals in other countries an opportunity to post morphed images of the supposed violence on social networks, while instigating local sleeper cells to send SMSes designed to trigger panic among people of North Eastern origin working in large Indian cities like Bangalore, Hyderabad and Pune. This resulted in mass panic and triggered an overnight exodus of over 50,000 people from these cities, forcing the Government to take the extreme step of banning bulk SMSes for a fortnight in an effort to curb the panic.

There are four lessons to be learned from this incident. 

The first is the obvious efficacy of such mass cyber hate campaigns and their ability to fuel ideological cyber wars which affect the safety and security of citizens directly. In the recent past, most state sponsored cyber war related activities were aimed at espionage or at taking down industrial units.

Secondly, it exposed the hurdles in speedily taking down hate posts and tweets on popular sites like Twitter and Facebook during the viral phase of such campaigns. The steps involved identifying hate sites, reviewing them, finding consensus on blocking these sites and later trying to get social networks outside India’s jurisdiction to remove them without court orders. India is now formulating an incident response mechanism to counter future hate campaigns.

Thirdly, India realized that it did not have the ability to block hate posts on a state or regional basis. This ability would be useful in putting out local conflicts. India currently has the ability to block URLs at a national level, not at state level. Building networks capable of regional blocking would require reallocation of IP addressing schemes on a per-state basis, and large investments in filtering technology.

Fourthly, there is the need for a neutral international agency which solicits an appropriate response from nations that are not keen on or unable to act against hate actors operating from their soil, based on international treaties or agreements.

Balancing the need for a secure cyber space with respect for the privacy and individual freedom of cyber citizens, while ensuring that the Internet remains open for innovation, comes under increasing strain in such situations. To prevent Governments from being forced to enact regulations that restrict free use of the Internet, future collaborative working between social networks and Governments is vital, as what they do or do not do has an impact on people’s lives and safety.

Tuesday, September 4, 2012

Proprietor of a Cyber Security firm caught for Hacking for Profit

Two members of a pan-India hacker group, "Indishell", and its offshoots were arrested on Saturday 1 Sept 2012 for hacking into an e-commerce website that specializes in mobile recharge. The hacker in question was the owner of a cyber security firm. This highlights the risk in choosing pen test vendors, as leakage of the vulnerability information a tester gains access to is a significant threat.

The Government of India, via its cyber institution CERT-IN, has a high quality empanelment process which includes a detailed expertise evaluation and a thorough check of the company’s background, experience and personnel. The test challenge is of high quality (requiring both tool and manual expertise). With a cut-off score of 90%, it is difficult to pass.

At the moment, we do not have an independent Indian body to individually assess, background verify and accredit pen testers. Some large companies do this on their own, undertaking external background verification checks for every consultant and mandating basic qualifying certifications like CEH.

Monday, September 3, 2012

Security controls have side effects which affect user experience

Most security controls are like drugs which cure potent diseases but bring along undesirable side effects. These side effects affect the ease of use of most electronic devices such as ATMs and biometric devices, and of logging in to or even enrolling on web sites. The design of controls must consider how the controls themselves can be misused, so as to eliminate or reduce these side effects. The best way, though difficult to implement, is to tuck security into the background where it works silently and invisibly. Would we all not like to pay using our credit card online without filling in a lengthy form?

Take the case of the Reserve Bank of India (RBI) doing away with cash retraction systems in ATMs, as it found that there were large numbers of dubious claims of non-receipt of cash. The security feature helped customers in instances when an ATM did not disburse cash quickly and the cash was left behind by customers who thought the ATM was not working.

Another example is the locking of accounts after a fixed number of failed authentication attempts. This feature protects users from a variety of automated password attacks, reducing the risk of account compromise where the password strength is low. The same feature can also be turned into a minor inconvenience if the account is deliberately locked by malicious individuals who submit wrong passwords on the victim’s behalf.
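The lockout trade-off described above, as an added example that is not part of the original post: a hard lock that stops password guessing cold but lets anyone lock a victim out until an administrator intervenes, beside an escalating temporary lock that still throttles automated guessing while bounding how long a legitimate user stays locked. The threshold of five failures, the 15-minute failure window and the 60-second-to-one-hour lock lengths are assumed policy values chosen for illustration, not figures from the post.

```python
"""Two account-lockout policies side by side (illustrative code, not from the
original post): a permanent lock and an escalating temporary lock.  Assumed
policy values below; tune them to the service being protected."""
from dataclasses import dataclass
from collections import defaultdict

MAX_FAILURES = 5          # consecutive wrong passwords before a lock (assumed)
FAILURE_WINDOW = 15 * 60  # seconds of quiet after which old failures are forgotten (assumed)
BASE_LOCK = 60            # length of the first temporary lock in seconds (assumed)
MAX_LOCK = 60 * 60        # cap on the escalating lock length in seconds (assumed)


@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0   # float('inf') means "until an administrator unlocks"


class HardLockout:
    """Lock the account permanently after MAX_FAILURES wrong passwords.
    Strong against guessing, but a trivial denial-of-service against the user."""

    def __init__(self):
        self.accounts = defaultdict(AccountState)

    def attempt(self, user, password_ok, now):
        st = self.accounts[user]
        if now < st.locked_until:
            return "locked"            # rejected without evaluating the password
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = float("inf")
        return "denied"                # password was evaluated and was wrong


class EscalatingLockout(HardLockout):
    """Same trigger, but the lock is temporary and doubles on each repeat, so a
    guessing burst is throttled while the real user is never locked out for good."""

    def attempt(self, user, password_ok, now):
        st = self.accounts[user]
        if now < st.locked_until:
            return "locked"
        if now - st.last_failure > FAILURE_WINDOW:
            st.failures = 0            # stale failures no longer count
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        st.last_failure = now
        if st.failures % MAX_FAILURES == 0:
            lock_number = st.failures // MAX_FAILURES
            st.locked_until = now + min(BASE_LOCK * 2 ** (lock_number - 1), MAX_LOCK)
        return "denied"


def run_guessing_burst(policy, user, horizon):
    """Constructed scenario: one wrong password per second for `horizon` seconds.
    Returns how many guesses the service actually evaluated."""
    return sum(policy.attempt(user, False, t) == "denied" for t in range(horizon))


def victim_login_time(policy, user, start):
    """After a burst, the first second at or after `start` at which the real user
    (correct password) can log in again, or None if still locked a day later."""
    for t in range(start, start + 24 * 3600):
        if policy.attempt(user, True, t) == "ok":
            return t
    return None


if __name__ == "__main__":
    for cls in (HardLockout, EscalatingLockout):
        policy = cls()
        evaluated = run_guessing_burst(policy, "alice", 600)
        back = victim_login_time(policy, "alice", 600)
        print(f"{cls.__name__}: {evaluated} guesses evaluated in 10 min; "
              f"user can log in again at t={back}")
```

Over a ten-minute burst the hard lock evaluates five guesses and then locks the victim out indefinitely; the escalating lock evaluates twenty guesses (five per window, with locks of 60, 120, 240 and 480 seconds) and lets the real user back in once the current lock expires. Pairing the per-account lock with per-source rate limiting further reduces the damage an attacker can do by targeting accounts they do not own.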

CAPTCHA is another feature which prevents automated attacks during enrollment on web sites, but with the growing sophistication of machine reading, the design of CAPTCHA phrases is becoming complicated for humans to read too. Invariably user success comes only after a few tries.

There are many more such examples. Our challenge is to recognize the side effects and work out ways to minimize them, rather than let customers live with them. This requires better architectural designs and innovation in security technology.

Saturday, September 1, 2012

The Saudi Aramco cyber attack points to a new arsenal in the hacktivist’s armoury

On August 15, 2012 a virus infected 30,000 desktops of the world’s largest oil producer, Saudi Aramco, forcing disconnection of its IT systems from the external world and the launch of a massive exercise to cleanse the infection. The primary objective of the virus was to erase all data from hard disks and report the deleted file names to an external control center. The attack was undertaken by a group calling itself the “Cutting Sword of Justice”, which said in an ideological post on Pastebin that it was “fed up of crimes and atrocities taking place in various countries around the world”.

Saudi Aramco is one of the largest petroleum producing companies and accounts for a significant portion of the Saudi economy. The hackers chose a Critical National Infrastructure target which is the largest financial source for the Al-Saud regime. A major disruption of Aramco’s oil production networks would consequently have had a direct impact on global energy supplies and the global economy. Aramco reported that it had air gapped its oil production network, thereby preventing damage to its oil production assets.

In past attacks like Stuxnet, the development of comparable malware was primarily attributed to government funded units, but in this case the incident seems to suggest that the virus was developed by a hacktivist outfit. If true, it indicates a new and disturbing trend, as previous hacktivist methods were limited to the more mundane denial of service attacks or hacking into web sites.

Antimalware products have also once again demonstrated how deficient they are in defense against custom malware.