Saturday, December 20, 2014

Cyberwar ... a damp squib?

War... The word conjures up images of people killing one another using warplanes, warships, tanks, cannons etc. Images of cities and countries totally destroyed ... then V Day ... then POWs ... medals, martyrs, heroes. This was war!

And cyber war? Is it really war? Or are we diluting the devastating danger of war by terming cyber incidents as war?

No country has publicly declared the formation of a cyber army, or a new cadre. There is no school for cyber weaponry or tactics. In fact, well-known generals and leaders have publicly accepted that they do not know how to define cyber war. Yet the media and global voices scream cyber war every time a major hack takes place! No one knows whodiddit but everyone has a theory about whodunit!
Last year Sony was hit by non-state actors, and this winter all fingers are pointing at North Korea. Earlier, in autumn, it was the blame-it-on-Iran season and the summertime ogre was China! Others who have had their place in the sun are the Syrian Electronic Army, Russia, Georgia and others.

One shouldn't forget the private and state armies of India and Pakistan, who are constantly engaged in the childish sport of website defacement. Every now and then we have reports about cyber war being staged by either party, stating X hundred sites defaced and Y hundred hit in retaliation!
Sabre rattling and finger pointing by all countries and the so-called private armies and patriots. No government has stood up to say they are responsible for a website defacement or a data breach/theft from someplace.

Not a single country has declared war in the real sense of the word. American banks, corporations, government entities and critical infrastructure are under continuous attack (as per US-CERT) but America has not declared war against anyone! Compare this with the same Americans who went to war because someone said the Iraqis have WMDs. Then they went out and killed Osama bin Laden because of the WTC attack by the Taliban.
It is natural for any country to declare a state of war if their sovereign assets are compromised, but look at this:
- The NSA Prism program has compromised the assets of friendly and non-friendly states and (possibly) continues to do so. Yet all affected countries have just taken it easy and not spoken up or retaliated (except Brazil).
- India and Pakistan have border skirmishes every other day and hordes are killed by terrorists (non-state actors) and armies (state actors). However, even though website defacement and data exfiltration are regularly announced by non-state players, there is no "tough" talk or overt action!
- In the past few days North Korea is (said to be) the country behind the SONY hack because of the movie 'The Interview'. The USA is said to be affected badly by the hack but there is no strike back! And, going back into history, there are other incidents when South Korea has repeatedly been (supposedly) attacked by North Korea and there has been no counter-strike! Not even a word of warning, leave alone the 'stern warning' type of public statement.
This infographic shows a few landmark events but what about counter strikes, what about public warnings what about cease-and-desist statements... none!
So is cyberwar sabre brandishing just a damp squib? No one is sending their army/navy/airforce to any country. The US is not asking the aircraft carrier to park itself in the Pacific off the coast of North Korea or China in spite of numerous damning statements against both governments.
Why all this talk about war or elevating these malicious, larcenous crimes to the status of war? These are crimes that may have disastrous consequences; these are disasters that may happen due to oversight or lack of diligence; these are common covert statecraft activities like espionage, agent recruiting etc; these are events which have not been seen or imagined in totality .. and mankind is still struggling to put a name or sentence here.
Can we keep the word "war" out and stop glorifying common criminal intent? It will blow the hype out and allow proper thought to address the problem(s).
Until the internet is all pervasive and is as 'essential' as air / water / land / gravity and we can blast human beings as they walk and talk with precise thought!
Scarier times are ahead, but why build and live with FUD?
This article was published by me on LinkedIn

Wednesday, April 9, 2014

Suing the Government

Should a government department, a government official or an elected minister be sued in event of negligence or lack of services which are promised by the Constitution?

Yes, by all means; but taking any such action requires permissions at various levels which includes running hurdles for the investigation team.

This thought has been on my mind for quite some time and was rekindled by this report about an event in the US.
http://www.nationaljournal.com/tech/court-upholds-ftc-s-power-to-sue-hacked-companies-20140407
So a court recognizes that a government agency can sue anyone for not having security in place.

We are lucky that our IT Act has a similar provision as it expects ‘reasonable’ security to be in place and this is good for all – prosecution and defence lawyers. I say it is good because everyone will have a great time discussing the definition, scope, inclusions and exclusions of the term ‘reasonable security’.

Anyway there are cyber and non-cyber considerations:

First a look at non-cyber considerations –
A lady alighted from her car and fell into an open drain on Marine Drive the day before yesterday. People have fallen into drains, or off trains because the platform is too low; cars have fallen into ditch-sized potholes; potholes dot all Mumbai roads and can break your neck or back.
So can we sue the Mumbai Municipal Corporation, the Commissioner, the traffic cops and the local Minister for abetment in a conspiracy to murder/ or for culpable homicide? If the police arrest the husband, and all in-laws, (usually) as abettors, in the unfortunate event of a suicide by a lady, then how is this different from the blind actions of the MMC arising from the indecent state of infrastructure which can kill you at any moment?

Another scenario is when there is a fire and the Fire Department discovers the absence of fire-fighting equipment – they penalize you and take you to court.

Now we take a look at the Cyber scenario – 
In the country, CERT-empanelled auditor firms are in great demand and there are only 40 / 50 companies which hold the distinction of this honor. The government mandate is that CERT is our cyber protector, and these empanelled agencies are the eyes, ears and hands which will ensure that the Government infrastructure is secure. In spite of all the brouhaha and strict procedure, government websites are defaced and reports are leaked about breaches and hacks in Government departments, banks etc – all those institutions which place blind faith in the CERT empanelment.
The BIG question is – how come no official is kicked out? How come no empanelled company is de-listed? How come there is no public inquiry into such incidents? Why doesn’t the police arrest anyone from any of these audit firms (they did arrest auditors in the Satyam saga)?
Why is no one taken to court for deficiency in their security infrastructure and for deficiency in service?

Why is no one taken to court for paying huge penalties for using pirated software – not a single company or bank has ever reported this to SEBI or the bourses. And when the cops advise not to file an FIR, are they not abetting the crime being committed by the management?

A shameful event (among many breaches) was the defacement of the CBI website which then remained ‘down’ for more than a month. Did the auditor / webmaster / IT / IS officers and contractors get kicked out and charge-sheeted .. I guess not!

Will this happen when the insurance market matures, or will this happen when the cyber-police department is sufficiently staffed to handle volumes? And with every passing day the volume of crimes is bound to increase.
What is needed is a Data Protection Act, better Governance (corporate or institutional) but we are all chasing a Privacy chimera – maybe this sounds more fashionable.

Someone has to be held responsible – and we all know who has to stand up. Will anyone have the moral and procedural guts to be the change?


Friday, April 4, 2014

WMDs of a different kind

Just when the world is understanding a concept, we can trust the US Government to come up with some brilliant idea that turns the concept on its head.

Remember Stuxnet? We were struggling with the viruses in the wild, calling them trojans and malware and all sorts of names and then... boom! Stuxnet rises, cripples Iran's nuclear labs and creates a new lexicon entry - APT.

Cut to present day disclosures - Cyberwar and cyberterror experts are yet to digest the contents of TAO or PRISM. In fact the most respected people in the war business have (on record) said they do not understand the term "cyberwar". 

In spite of such disclosures, governments are buying cutting-edge tools for doing stuff on their perimeter and outside. Armies of developers are creating cyber-weapons (malware) and letting their inner devils run wild.

No one even thought about creating chaos to bring down a government, except the brilliantly evil brains in the American establishment! 


Read U.S. secretly built 'Cuban Twitter' to stir unrest

No one thought of converting the idea of "Arab spring" into a cyber-weapon! 
Except for the brilliantly evil brains in the American establishment :)

And the concept of cyberweaponry is now turned on its head. A true blue WMD that can be used to spread disinformation, create chaotic crowds, influence thought or engineer civil strife. And there is the easy way to engineer the downfall of a government.

The US government used the facade of USAID to set up a Twitter-like portal (ZunZuneo) focused on building a community in Cuba and has used it for a number of self-serving activities. The underlying objective is to influence thought and bring about change by having a democratic government.

So what does this now do for the world? Increase the level of distrust for all business or things of US origin. 

I mean, if Facebook starts a misinformation campaign after setting up about 1000 or more fake accounts, where are we headed?

How about scaring a whole country (or community) and starting mass migration and polarization on the lines of caste / color / religion / language?

Or mobilizing flash crowds in every city to chant anti-national slogans, creating a law and order situation?

In the last few days we have read disclosures which reported that Google and Microsoft have accessed emails without authorization. The Snowden disclosures are still continuing and have not helped in managing the reputations of any of these global corporations. 

There is distrust all around! And incidents like this from USAID will not help. 

However, we have a new WMD and it has to be developed in stealth mode. 



Friday, March 14, 2014

Friday Musings - happy times under the spotlight

Taking a break from the daily gloomy tidings about UID misuse, foot in the mouth pronouncements, government system breaches let us look at some silver linings and keep the weekend cheery!

A recent analyst report says that the Information Security business is worth $102 billion - happy days for all! Who cares if this spend secures enterprises or governments so long as we can invoice them and get our payment! I can see the India Infosec group members coming together for an all India F2F to discuss the bulk purchase of high end Mercs, BMWs in the near future. God, give us a billion :)

Tim Berners-Lee was answering questions on reddit and there are some great quotes - this is a must read on the weekend. He talks about Snowden and that whistleblowers may be all that will save society and that he favors surveillance for fighting crime (but there must be oversight). Incidentally, he had considered alternate names like The Mesh, The Information Mine before he finalized on WWW.

http://t.co/yWjsCiGN53

An extract from the reddit post:
[Question] Did you ever think that the internet would get this big?
[TBL] Yes, I more or less had it nailed down when it comes to the growth curve. I didn't get it completely right --- 25 years ago I was predicting I'd be asked to do an AMA on reddit next week, but it turned out to be this week. Well, we all make mistakes. (no of course not)
 
Closer home and elsewhere, IMS, CMS, NETRA, NSA, PRISM are a few terms that bring visions of a surveillance state intruding into every facet of your life. However this is not the start of surveillance as it has been around even before Biblical times. Every ruler and his statesmen have engaged in some form of surveillance on their populace - the level of intrusion depends on the case. 

In the Internet age, there has been great debate on the extent of surveillance and the fear of misuse, or loss, of data collected.

So say all the wise people outside the establishment. 
So says Tim Berners-Lee too.
But.
Has anyone heard any government say this convincingly? We shall rest our case here and learn to live with it. The debate will continue and the government will do what they have to do against the raving and ranting of the privacy and human rights activists.

There is a lot not happening in the InfoSec domain - good, bad and ugly! Some ugly stuff - I was with a client who had 'obtained' an ISO27001 certificate. They paid Rs. X for the certificate and then another Rs 150 for framing it :) .. of course they felt bad that this agency gave them the certificate without the photoframe. And now they were scrambling because a client wanted to do an audit and they did not have a single policy. Of course they did not have a hope in hell and flunked the audit.

InfoSec advisories warn about the insider threat and this may be the biggest example: It is being alleged that Princess Diana leaked royal family phone numbers to get back at her husband - disgruntled wife causing a data breach! Another one was about the daughter of Michael Dell who was regularly posting details about her father's travel plans on her FB page while he was spending a few millions on protecting his privacy and security!

BTW - one of the fans on the TBL AMA commented that Berners-Lee does not use a browser! He just pulls on an ethernet cable like a hookah :)

How many of us can claim this power ;-)
However, with dollar dreams I should no longer care about surveillance or insiders - I have the power! (of the ISO certificate!)

With that thought... have a great weekend. 

..!Dinesh
The world is full of great surprises & the uncommon shortage of common sense is one of them. 


Notice: this is my post on the India InfoSec Mailing list on Yahoo! a private closed group of information security professionals from India.

Monday, March 10, 2014

Sadly MH370 is lost and no thanks to the aircraft manufacturers


 Malaysian Airlines MH370 loss

This is not the first time an aircraft has been lost over sea and we are replaying the same scenario - MH370 loses contact and is feared lost. Now there is a search operation involving about 30+ aircraft and an equal number of ships.

The question that nags me is that after so many years of technology advances in aviation we struggle to find missing aircraft and when we find the debris there is big time trouble to locate the 'black box'. By now this should be child's play. I have a few childish  suggestions...
- Why can't Boeing and other companies just embed homing beacons all over the body of an aircraft (it should not add more than $ 1000 to the cost)
- Why can't these guys put reflective paint on the body
- Why not have more than one black box OR keep a voice channel open to the ground where they can keep recording the cockpit activities
- Why not have a 'call home' transmitter embedded across different parts of the aircraft

Then when you think about all the issues reported by the Boeing Dreamliner you realize that this is not happening because these guys have yet to get their act together in the flying section so how can we expect them to be good in the security segment!

It is the same story being replayed when precious lives are lost and the relatives are clueless about their loved ones and how did they die! 

As I write this there is a massive search operation underway and in the end we will have a monument somewhere in the middle of nowhere. Security checks have addressed many risks, however, when we think about the hardships which could have been avoided with a swifter search (in the event of an unfortunate mishap) there is no excuse. 

Someone from the design teams or from the FAA in USA or DGCA in India or equivalent bodies across the world should exert pressure on the aircraft manufacturers to do something!


Friday, September 20, 2013

Creating A New World Order on the Internet - SAC5

It was a dark day in Internet history to which the world woke up when The Guardian published Snowden's disclosures about NSA's Prism program. Then over the next few days we read how the US Government unleashed its wrath, using 'all the king's horses and all the king's men' to get to him in Hong Kong. Since then, the story has taken many twists and turns, bringing grief and embarrassment to the US establishment as every new disclosure peels off the layers of the Prism program and reveals the depth (and extent) of surveillance carried out globally.

As it has turned out - there is no safe harbor, nothing is sacred and no one can be believed. It is akin to the world known to spies during the cold war when the world was fractured into the western world and the communist camp. 

In those times of strife a few nations rose above the demands of the powers that be to ally with them and formed the Non Aligned Movement (NAM). This eventually morphed into regional movements driven by social and commercial motives. 

Now, we have been brought to the cusp of another era of global strife and mistrust with the US program that has been spying on practically every human being on the planet. Against this power center is China, which has created exceptional capability and capacity in all things cyber - offensive, defensive, proactive and preventive. The third player is Russia with its underground players who are also very nationalist, as was proven during the known cyberwarfare attacks on Georgia and Estonia.

Whether a country is aligned to any of these three global players is of no consequence whatsoever because, as per the disclosures, even if you are actively participating and contributing to the Prism program, you will continue to be monitored and spied upon.

So, maybe the world order needs change and the 'weak' nations need to come together to form their own support and power club. India can lead this movement, in the same way as having led the NAM many years earlier, by forming a South Asian Cybersecurity Capability and Capacity Cooperation Council (SAC5).

The South Asian Council can comprise neighboring countries, Middle Eastern and African countries with India leading the way. Collectively, these countries can share information, develop joint capabilities, conduct skill enhancement training and form a central response or early warning cell. 

Brazil has put out the clarion call for an Independent Internet and slowly and steadily the backlash against US (and Allies) resources will gather momentum like a tsunami. The Prism - NSA disclosure has implicated US corporations like Google, Microsoft, Facebook etc and resistance is bound to rise in time. 
http://www.globalresearch.ca/the-brics-independent-internet-in-defiance-of-the-us-centric-internet/5350272
Brazil says - let's break away from the Internet! The Brazilians have also protested strongly to the US and this has led to a long phone call between the two presidents.
So is it time for the world to be polarized again and, worse, for the internet to publicly lose its independence and be branded as a tool of American hegemony?

The movement to break away from dominance of a few countries on the internet has been shouted out. If the South Asian countries ally and form a Council it will be another power center which will be an effective foil to any type of actions to take over this critical medium. 

As I have said earlier this is a new and different dimension and has to be understood and accepted in a different light. Mankind co-exists with the dimensions of water, air and has to learn to live with ether - better early...  before this dimension is destroyed by mankind itself. 




Monday, September 9, 2013

Innocence Lost....

Sometime back we lost our innocence. 

When WikiLeaks leaked Manning’s files, worms crawled out affecting the pride of country leaders across the world. Egos were punctured because the cables sent by US embassy minions to their masters were judgmental in nature and revealed “private” foibles and conversations. This has been followed up by Snowden’s snowfall which is more damaging for the US Government and business than for any other government.

Over the past few months, every day we are stripped layer by layer by the revelations of the NSA’s prowess for invisible intrusion. We thought the TSA guys were having fun seeing us in whole body scanners and sharing the pics, but it turns out that the NSA has been having more fun. Move over Guantanamo Bay, that was just a small set of prisoners who could be stripped, chained or flogged – here they have the world at their fingertips, and no one looking over their shoulders.

First one learned that there was access to emails and internet conversations, the next layer included voice conversations, then came location data, followed by the revelation that IT majors like FB, Google, Microsoft, et al are participating in the program. Along with these businesses, some governments also howled, only to retract when the next revelation exposed their participation and remuneration. It was another shocker that told everyone about the possibility of backdoors in commonly used software and hardware. The world started thinking about seeking safety under cover of encryption and proxy technologies only to learn that these have been seduced long ago – in other words encryption technologies have a backdoor.

So, is there anything which is safe? Maybe we have to go back to living in caves to save ourselves from this intrusion, because it seems that the only thing Uncle Sam cannot do is shove a finger up your 455. But maybe the time is not too far off, what with the Internet of Things promising particle transportation and more!

Yes our innocence is lost – the new innocence is that “we do not look inside, we only search patterns”. The new innocence is that you are just a lump of flesh which eats, breathes, shits and screws and that’s it – simply put you are an animal and no more. Of course, this is so if you are not the most powerful man on earth, a.k.a. Mr President. Liberty, freedom, privacy and such rights are good to discuss but not to be expected in the face of secret laws and powers available with the intelligence organizations.  

In any case, even if you are Mr P there is no guarantee that someone did not dip into your smart phone or that of your wife or children. There is no way you would know, just like the world did not know until it started snowing. Quite possibly Mr Snowden carried some stuff on you and that is the major cause of the big manhunt that has been launched.

Today, every government wants their own NSA with enough powers to run every sort of surveillance on their citizens. What will be done with the data is anyone’s guess – maybe it will help run genocides and pogroms more effectively. Or get to play ghetto-ghetto by segregating people based on caste, color, religion etc. At the cost of development, Governments are spending billions on technology, selling the dream of nirvana that follows through an e-governance portal or a new registration card, and it does not matter whether you can read or write, or whether you have had a square meal in a day.

Innocence lost forever; welcome to the new order. Kalyug is now the C-Yug, where C = corruption, chamchagiri, cronyism, chutiyapanti, conmanship, carpetbaggers, cybercrime, computers and any other C which you can define negatively.

So what is happening is that we are all without clothes, having been stripped, layer by layer and naked for NSA eyes.

I wonder – are we a number or a name in the NSA records? Is this numeric, alpha-numeric, with or without capitalization? Or is it a continuation of the numbers given in Auschwitz and Dachau .. that may be appropriate. Will we soon start hearing ‘arbeit macht frei’ or will it be embedded into our flesh at birth? Are we going to see Mr President in a new role as the oracle from Minority Report?


Mommy, is that what Big Brothers look like?


Wooooohhh !