Tuesday, July 21, 2015

A New Proactive Responsibility For Bankers in the Face of Cross Border Frauds

Let's face it - no one (whether an individual, a government or an organization) is immune to or safe from a breach, an attack, a scam, a rootkit or a virus / APT or whatever you may call it. 
A crack is a crack is a crack is a crack (calling it a hack is sacrilege) 
And this is a global problem which is growing (exponentially) by the day, by the hour, minute, second and even nanosecond. Everyone has to face the threat, directly or indirectly, and no one ever knows when he/she will fall victim to an attack or an incident, and it really does not matter whether you are hyper intelligent or live inside Fort Knox. 
We do not have to go too far into history to see institutions like OPM, SONY, White House; global security organizations like RSA, The Hacking Team, HB Gary, NSA etc - the list is really big and includes banks etc.
In this global cybersecurity threat and crime maelstrom the Law Enforcement Agencies (LEA), Intelligence and Defense Agencies are first and foremost affected. They have a responsibility to investigate cybercrimes perpetrated across international borders, using sophisticated attack techniques or compromising insiders into malicious acts, voluntarily or involuntarily. Invariably, while following cross-border leads, the LEA meets with insurmountable challenges and lengthy procedures (or red tape, even non-cooperation). And, if the request is to an unfriendly nation, the case might as well be closed and filed away!
Example challenges faced by LEA are in (1) following a money trail, (2) getting source IP information, (3) user name and address, etc. 
We will only look at "following the money trail" - in this case the victim may know the name of the bank where the funds were fraudulently transferred. However, when the bank is advised about the same they may not take any action until there is an order for the same in compliance with their locally applicable laws and regulations.  
However it is time for these officials, across the world, to raise a red flag at their end when they receive a communication directly from the victim (or victim country LEA).
Imagine if a bank manager gets a mail from a victim who informs them about a fraud which has been perpetrated and where the funds have been transferred to that particular branch of the bank. The branch manager may not be able to stop the account from operating, but he/she can inform the local LEA about the suspect transaction. In addition, he/she can proactively guide the foreign victim and LEA about the quickest procedure to get the legally appropriate instructions for necessary action. 
The only (simple) reason why this bank manager in a foreign country should stand up and raise a red flag on the account, on the account holder and the transaction(s) is .... it can happen to him/her too. 
Yes, there is no guarantee that this bank branch, anyplace in the world, will not fall victim to a fraud, or that a bank client will not fall victim - then this manager will be running the same hoops as the victim / LEA who had connected earlier. 
This is not a call to disclose information, nor a call to work against the law or invade the account holder's privacy. It is not an aggressive look into transactions, which is done through Risk Management and AML practices. In these changing times, it is an acceptance of responsibility by banking professionals to set up a simple deterrent control. Criminals will slow down on using accounts in foreign lands once they are aware that ANY transaction can be notified to LEA proactively. 

Saturday, July 11, 2015

What I Learned when Hacking Team became Hacked Team

There are many takeaways from this hack which has effectively named and shamed many and (possibly) relegated Hacking Team to history (good riddance to an arrogant lot). I am sharing some lessons which I have learned as a security practitioner and will touch upon some issues (e.g. NDAs are worthless and a waste of time; they can't cover gossip, resumes et al) 
(my apologies for the flowery language which is prompted by my glee at the fall of this organization for personal reasons of my own)
Security bloopers courtesy of the Hacking Team (RIP)
Learning # 1 - If you are in the security business (or any unsavory business) and you are dealing in sh**, crack, LSD, heroin, 0-day, malware or any such crap ... make sure your emails and data are encrypted - saves your clients the embarrassment of dealing with a debauched organization 
Learning # 2 - Remember your underpants always smell but you will never know how bad; once put out in public you will know how bad it stinks ... and you will also learn you have holes in the wrong places ;-)
Learning # 3 - Once your privates are exposed be prepared for ridicule about your size, morals, hygiene, etc... and don't be surprised if the guys at Daesh / ISIS / Al Qaeda are leading the criticism - just goes to show how low you are in the reputation index
Learning # 4 - Just because you have all the 0-days in the world in your kitty OR all the kings of the world at your doorstep wanting to buy your wares.... this does not mean someone 'cannot' screw you because arrogance rising from your mal-knowledge and a big order book corrupts you as bad as power in hand (remember to respect the forces of humanity and nature)
Learning # 5 - You think you know the world and its underbelly but then it brings you into the gutter yourself.... and then it is survival, you against the real shi****s, and they will always win because you are a wannabe shi****
Learning # 6 - When the sh** hits the ceiling you can be kicked off the throne without the opportunity to wipe your ass ... and we all know what happens when you are soiled
Learning # 7 - When underground stay there and make sure everything you own is also there... air gap, pgp, whatever
Learning # 8 - We all know doctors do not follow their own advice... as security guys we do not indulge in data classification, encryption, backup, etc... that sermon is for our clients
Learning # 9 - What goes round comes round... if you sell cyber weapons or surveillance stuff and think it cannot come back and hit you... you do not even deserve to live in Wonderland too as Alice will be scandalized
Learning # 10 - An intelligence agency is not set up to be ethical or maintain loyalties to anyone except their government... if HT expected their tools would not be used on them by every buyer, they needed a reality check
Learning # 11 - You are never "there" in security even if you are the cat's whiskers so stay grounded, say your prayers diligently and make sure you ask your God to keep you safe from the omissions and commissions of your vendors and other malicious trespassers !
If there are any learnings you can add to my list, please be my guest and help the community!

Thursday, January 1, 2015

Hopes for 2015

This was first published on LinkedIn: https://www.linkedin.com/pulse/hopes-2015-dinesh-o-bareja
My prescription is for awareness and common sense! Both practices need guts and will guarantee glory.
The experts, oracles, analysts, market leaders and gurus have spoken - forecasts for 2015 have been made, published, read, publicized, devoured and digested by all across the world (and I am talking only in the Information Security and Technology space). These soothsayers have already told you how accurate they were in 2014, and I do not dispute anyone's position as a cool guy or where he/she makes magic. My quadrant is nowhere near any, so I am not worried. 
As an aside - have you realized the only people in the world who really do not worry about opinions are the very rich and the very poor? The rich care a F for what the world or people think about them and live, dance, splurge in a cocoon - they set the opinion! The poor care a F because if things are anyway shi* in life, what more can go wrong. That's where I am with my opinion ;-)
I see some gaps (from my perspective) in all the forecasts and analyst opinion floating around, so I decided to start the year by enlightening my small band of friends and followers. While this list of mine may not cover "everything", it will be in line with that of the big brand forecasters, because none of them are complete.
1. Awareness - The one thing missing in EVERY forecast is the highly critical need for user awareness, and as an appendix to this is the need to use awareness content which is prepared by some good experts and not by a newbie sysadmin who has the skills to do "blind-ctrl-c-v".  
There is a lot of talk about malware, spear phishing, cloud insecurities and more... but who is aware of the risks that these things carry? Has anyone told anyone that using Gmail carries a risk and that spear phishing is used to catch people and not fishes in the backwaters of Australia! Has anyone in your organization EVER explained that malicious code can come into the organization embedded in a document or an image and can then steal stuff or wreak havoc?
I am sure even the CEO or Board has never been told the sh***y side of technology.
So this is the most important missing link - ensure regular awareness programs, demonstrate risks and threats, show videos, play games and relate everything to the life and work of the participants. Do not run a presentation and mark attendance for your compliance report but make sure you run awareness to actually achieve the objective of making  your company users aware!
2. Common Sense: Don't laugh. This is the one item missing in most portfolios and plans and it is not easy to have. Everyone thinks he / she has it and this is the first gross error - it may be there but may not be in abundance and may be highly unused. In other words you have it or not and even if you have it, you need guts to use it and stand by your conviction. 
CS is not applied in any security implementation or purchase. Corporations pay top dollars to consultants to devise the most convoluted RFPs designed to keep the beggars out. None of them provide the actual "sense" of using the product or service being purchased!
OK so you are implementing SIEM or DLP - you purchased it as per your RFP with 5 standard rules out-of-the-box. What did you get - a hahahah roll in the hay! One year or more later you realize you have been taken for a ride and you cannot tell your wife/husband/gf for fear of being kicked with an incompetent tag. 
Or you are implementing ISO27001 or any of the other ISO flavors, and what did you do - make a full library of documents and templates but do you really need this? At the end of the day everyone is following the book but if you actually read the change management log you can make a funny movie. You are a 20 person organization and you have an encryption policy... hey hey can you spell encryption for me let alone use it in your day to day work. 
I have been working in IS for a number of years and have yet to happily use encrypted emails (who will I send these mails to!). And not to speak of the many password protected files which are on my machine where the password has passed away into the sands of time and memory!
The one thing that was not applied is common sense because the consultant never mentioned it. And the CEO or CISO did not speak the troubles in his / her mind because he/she was busy playing to the gallery (during sales pitch and PoC) trying to pick holes in the presentation and throwing his/her knowledge in the air!
Oh oh oh, if only you had asked the silliest question that came to your mind, because that was most relevant. For example - you asked about references and they connected you with their friendliest neighborhoodest buyer, but after the spiel did you ask the reference about the time it took for the deployment, did you ask about the challenges and who sorted them, did you ask about the number of functional meetings in which the consultant participated, did you ask how the feedback from the operations team was... and much more. 
So yes, it is simple common sense that if you are purchasing cloud services, you must check the infra, SLA, client history, uptime etc but did you ask about portability and ease of the same? What if you want a divorce - do you have a pre-nup in place? 
There are many more scenarios which you can envision to apply this theory of CS and Awareness and take a lead over your peers.
These are two things I find missing in all the 2015 forecasts, and I sincerely believe that if you dump all the advice given by every guru and soothsayer and just use your common sense, you are bound to find awesome success. Add to this a highly aware user community in your organization and you have a strong mix of resilience and proactive security!
But, yes, you need to have the guts to drive this thought and if your management supports you, you are home with a tremendous amount of saving. 
So, good luck and best wishes for 2015 - may the most sensible thought win!
Some Self Promotion: Information Strategy and Policy development or advisory services for states / national bodies and large enterprises is my forte. If you want practical, meaningful and usable advice, KPIs, etc., connect with the author on Twitter (@bizsprite) or LinkedIn or Facebook (dineshobareja).

Saturday, December 20, 2014

Cyberwar ... a damp squib?

War... The word conjures up images of people killing one another using warplanes, warships, tanks, cannons etc. Images of cities and countries totally destroyed ... then V Day... then POWs ... medals, martyrs, heroes. This was war!

And cyber war? Is it really war? Or are we diluting the devastating danger of war by terming cyber incidents as war?

No country has publicly declared the formation of a cyber army, or a new cadre. There is no school for cyber weaponry or tactics. In fact well known generals and leaders have publicly accepted that they do not know how to define cyber war. Yet the media and global voices scream cyber war every time a major hack takes place! No one knows whodiddit but everyone has a theory about whodunit!
Last year Sony was hit by non-state actors, and this winter all fingers are pointing at North Korea. Earlier, in autumn it was the blame-it-on Iran season and the summertime ogre was China! Others who have had their place in the sun are the Syrian Electronic Army, Russia, Georgia and others.

One shouldn't forget the private and state armies of India and Pakistan who are constantly engaged in the childish sport of website defacement. Every now and then we have reports about cyber war being staged by either party, stating X hundred sites defaced and Y hundred retaliated with!
Sabre rattling and finger pointing by all countries and the so called private armies and patriots. No government has stood up to say they are responsible for a website defacement or a data breach/theft from someplace.

Not a single country has declared war in the real sense of the word. American banks, corporations, government entities and critical infrastructure are under continuous attack (as per US-CERT), but America has not declared war against anyone! Compare this with the same Americans who went to war because someone said the Iraqis had WMDs. Then they went out and killed Osama bin Laden because of the WTC attack by the Taliban.
It is natural for any country to declare a state of war if their sovereign assets are compromised, but look at this:
The NSA - Prism program has compromised the assets of friendly and non-friendly states and (possibly) continues to do so. Yet all affected countries have just taken it easy and not spoken up or retaliated (except Brazil).
India and Pakistan have border skirmishes every other day and hordes are killed by terrorists (non-state actors) and armies (state actors). However, even though website defacement and data exfiltration are regularly announced by non-state players, there is no "tough" talk or overt action!
In the past few days North Korea is (said to be) the country behind the SONY hack because of the movie 'The Interview'. The USA is said to be affected badly by the hack, but there is no strike back! And, going back into history, there are other incidents when South Korea has repeatedly been (supposedly) attacked by North Korea and there has been no counter-strike! Not even a word of warning, leave alone the 'stern warning' type of public statement.
This infographic shows a few landmark events but what about counter strikes, what about public warnings what about cease-and-desist statements... none!
So is cyberwar sabre brandishing just a damp squib? No one is sending their army/navy/airforce to any country. The US is not asking the aircraft carrier to park itself in the Pacific off the coast of North Korea or China in spite of numerous damning statements against both governments.
Why all this talk about war or elevating these malicious, larcenous crimes to the status of war? These are crimes that may have disastrous consequences; these are disasters that may happen due to oversight or lack of diligence; these are common covert statecraft activities like espionage, agent recruiting etc; these are events which have not been seen or imagined in totality .. and mankind is still struggling to put a name or sentence here.
Can we keep the word "war" out and stop glorifying common criminal intent - it will blow the hype out and allow proper thought to address the problem(s).
Until the internet is all pervasive and is as 'essential' as air / water / land / gravity and we can blast human beings as they walk and talk with precise thought!
Scarier times are ahead, but why build and live with FUD.
This article was published by me on LinkedIn.

Wednesday, April 9, 2014

Suing the Government

Should a government department, a government official or an elected minister be sued in event of negligence or lack of services which are promised by the Constitution?

Yes, by all means; but taking any such action requires permissions at various levels which includes running hurdles for the investigation team.

This thought has been on my mind for quite some time and was rekindled by this report about an event in the US: http://www.nationaljournal.com/tech/court-upholds-ftc-s-power-to-sue-hacked-companies-20140407

So a court recognizes that a government agency can sue anyone for not having security in place.

We are lucky that our IT Act has a similar provision as it expects ‘reasonable’ security to be in place and this is good for all – prosecution and defence lawyers. I say it is good because everyone will have a great time discussing the definition, scope, inclusions and exclusions of the term ‘reasonable security’.

Anyway there are cyber and non-cyber considerations:

First a look at non-cyber considerations – 
a lady alighted from her car and fell into an open drain on Marine Drive day before yesterday. People have fallen into drains, or off trains because the platform is too low; cars have fallen into ditch sized potholes, potholes dot all Mumbai roads and can break your neck or back.
So can we sue the Mumbai Municipal Corporation, the Commissioner, the traffic cops and the local Minister for abetment in a conspiracy to murder/ or for culpable homicide? If the police arrest the husband, and all in-laws, (usually) as abettors, in the unfortunate event of a suicide by a lady, then how is this different from the blind actions of the MMC arising from the indecent state of infrastructure which can kill you at any moment?

Another scenario is when there is a fire and the Fire Department discovers the absence of fire-fighting equipment – they penalize you and take you to court.

Now we take a look at the Cyber scenario – 
In the country, CERT empanelled auditor firms are in great demand and there are only 40 / 50 companies which hold the distinction of this honor. The government mandate is that CERT is our cyber protector, and these empanelled agencies are the eyes, ears and hands which will ensure that the Government infrastructure is secure. In spite of all the brouhaha and strict procedure, government websites are defaced and reports are leaked about breaches and hacks in Government departments, banks etc – all those institutions which place blind faith in the CERT empanelment.
The BIG question is – how come no official is kicked out? How come no empanelled company is de-listed? How come there is no public inquiry into such incidents? Why doesn’t the police arrest anyone from any of these audit firms (they did arrest auditors in the Satyam saga)?
Why is no one taken to court for deficiency in their security infrastructure and for deficiency in service?

Why is no one taken to court for paying huge penalties for using pirated software – not a single company or bank has ever reported this to SEBI or the bourses. And when the cops advise not to file an FIR, are they not abetting the crime being committed by the management?

A shameful event (among many breaches) was the defacement of the CBI website which then remained ‘down’ for more than a month. Did the auditor / webmaster / IT / IS officers and contractors get kicked out and charge-sheeted .. I guess not!

Will this happen when the insurance market matures, or will this happen when the cyber-police department is sufficiently staffed to handle volumes? And with every passing day the volume of crimes is bound to increase.
What is needed is a Data Protection Act, better Governance (corporate or institutional) but we are all chasing a Privacy chimera – maybe this sounds more fashionable.

Someone has to be held responsible – and we all know who has to stand up. Will anyone have the moral and procedural guts to be the change?


Friday, April 4, 2014

WMDs of a different kind

Just when the world is understanding a concept, we can trust the US Government to come up with some brilliant idea that turns the concept on its head. 

Remember Stuxnet? We were struggling with the viruses in the wild, calling them trojans and malware and all sorts of names and then... boom! Stuxnet rises, cripples Iran's nuclear abs and creates a new lexicon entry - APT. 

Cut to present day disclosures - Cyberwar and cyberterror experts are yet to digest the contents of TAO or PRISM. In fact the most respected people in the war business have (on record) said they do not understand the term "cyberwar". 

In spite of such disclosures, governments are buying cutting edge tools for doing stuff on their perimeter and outside. Armies of developers are creating cyber-weapons (malware) and letting their inner devils run wild.

No one even thought about creating chaos to bring down a government, except the brilliantly evil brains in the American establishment! 


Read U.S. secretly built 'Cuban Twitter' to stir unrest

No one thought of converting the idea of "Arab spring" into a cyber-weapon! 
Except for the brilliantly evil brains in the American establishment :)

And the concept of cyberweaponry is now turned on its head. A true blue WMD that can be used to spread disinformation, create chaotic crowds, influence thought or engineer civil strife. And there is the easy way to engineer the downfall of a government.  

The US government used the facade of USAID to set up a Twitter-like portal (ZunZuneo) focused on building a community in Cuba and has used it for a number of self-serving activities. The underlying objective is to influence thought and bring about change by having a democratic government. 

So what does this now do for the world? Increase the level of distrust for all business or things of US origin. 

I mean, if Facebook starts a misinformation campaign after setting up about 1,000 or more fake accounts, where are we headed? 

How about scaring a whole country (or community) and starting mass migration and polarization on the lines of caste / color / religion / language. 

Or mobilizing flash crowds in every city to chant anti-national slogans creating a law and order situation.

In the last few days we have read disclosures which reported that Google and Microsoft have accessed emails without authorization. The Snowden disclosures are still continuing and have not helped in managing the reputations of any of these global corporations. 

There is distrust all around! And incidents like this from USAID will not help. 

However, we have a new WMD and it has to be developed in stealth mode. 



Friday, March 14, 2014

Friday Musings - happy times under the spotlight

Taking a break from the daily gloomy tidings about UID misuse, foot in the mouth pronouncements, government system breaches let us look at some silver linings and keep the weekend cheery!

A recent analyst report says that the Information Security business is worth $102 billion - happy days for all! Who cares if this spend secures enterprises or governments so long as we can invoice them and get our payment! I can see the India Infosec group members coming together for an all India F2F to discuss the bulk purchase of high end Mercs, BMWs in the near future. Ek billion de de bhagwan hum ko :)

Tim Berners-Lee was answering questions on reddit and there are some great quotes - this is a must read on the weekend. He talks about Snowden and that whistleblowers may be all that will save society, and that he favors surveillance for fighting crime (but there must be oversight). Incidentally, he had considered alternate names like The Mesh and The Information Mine before he finalized on WWW. 

http://t.co/yWjsCiGN53

An extract from the reddit post:
[Question] Did you ever think that the internet would get this big?
[TBL] Yes, I more or less had it nailed down when it comes to the growth curve. I didn't get it completely right --- 25 years ago I was predicting I'd be asked to do an AMA on reddit next week, but it turned out to be this week. Well, we all make mistakes. (no of course not)
 
Closer home and elsewhere, IMS, CMS, NETRA, NSA, PRISM are a few terms that bring visions of a surveillance state intruding into every facet of your life. However this is not the start of surveillance as it has been around even before Biblical times. Every ruler and his statesmen have engaged in some form of surveillance on their populace - the level of intrusion depends on the case. 

In the Internet age, there has been great debate on the extent of surveillance and the fear of misuse, or loss, of data collected.

So say all the wise people outside the establishment. 
So says Tim Berners Lee too. 
But. 
Has anyone heard any government say this convincingly? We shall rest our case here and learn to live with it. The debate will continue and the government will do what they have to do against the raving and ranting of the privacy and human rights activists. 

There is a lot not happening in the InfoSec domain - good, bad and ugly! Some ugly stuff - I was with a client who had 'obtained' an ISO27001 certificate. They paid Rs. X for the certificate and then another Rs 150 for framing it :) ... of course they felt bad that this agency gave them the certificate without the photo frame. And now they were scrambling because a client wanted to do an audit and they did not have a single policy. Of course they did not have a hope in hell and flunked the audit.

InfoSec advisories warn about the insider threat and this may be the biggest example: it is being alleged that Princess Diana leaked royal family phone numbers to get back at her husband - disgruntled wife causing a data breach! Another one was about the daughter of Michael Dell who was regularly posting details about her father's travel plans on her FB page while he was spending a few millions on protecting his privacy and security!

BTW - one of the fans on the TBL AMA commented that Berners-Lee does not use a browser! He just pulls on an ethernet cable like a hookah :)

How many of us can claim this power ;-)
However, with dollar dreams I should no longer care about surveillance or insiders - I have the power! (of the ISO certificate!)

With that thought... have a great weekend. 

..!Dinesh
The world is full of great surprises & the uncommon shortage of common sense is one of them. 


Notice: this is my post on the India InfoSec Mailing list on Yahoo!, a private closed group of information security professionals from India.