Wednesday, December 5, 2012

Cybercrime responders become partners in a new crime

This is copied from my blog infosecgallery.

Some time back I was pondering the surrogate criminal activity that happens in the absence of incident disclosure by corporate bodies. While pondering whether the regulators will act to bring in any form of control, I realized that it is not just the corporates but others too who are engaging in criminal activity.

To illustrate I present an example ... I have a pistol and shoot a friend accidentally. We take the injured person to a hospital where he/she will be refused treatment by the doctor until a police complaint is registered. A police complaint will lead to my arrest and confiscation of my gun. I shall be in a lockup, I get bail, and then even if my friend stands by me the cops will interrogate and investigate and may not drop the case.

Now we come to a cybercrime scenario - a company or government department is breached (they get hacked / data is stolen / phished / financial fraud). The CISO is the first to respond and advises the CxO. Then they call in a forensic/security consultant who provides his/her analysis with remediation advice. Now they go to the Police Cybercrime cell and ask for an investigation. At the end of the Police investigation, the cops are told "we do not want to file a case" and the whole thing is dropped because they "know" who or what happened.

So we have the victim company (organization, bank, department..), CISO, Forensic/Security consultant, and Police investigators who have all colluded to close a criminal case (theft, hacking, piracy, porn... whatever)

Does this make all these people / institutions party to the crime of abetting a criminal act ?

If yes then can the various banks, government departments and organizations be taken to court along with the police departments of all states? I understand Sec 120 b or Section 34 of the IPC establishes guilt for conspirators.

Will the ITA be amended soon for 66A and can the mandarins add "disclosure" as an obligation under the act?

The moot question is whether everyone is a criminal now? The consultant who found out the modus operandi and advised on new controls, the cybercrime police who did not register the case and advised closure thus (possibly) causing loss to shareholders and the exchequer.

Monday, May 28, 2012

Indian firms under Anonymous attack.... extreme inarchy!

Posting without comment... 

#op NewSon
This is a different one.... FBI warning to a number of top firms to expect an attack, starting May 25, and the list includes Reliance Industries Limited (RIL). I learned about this earlier through our commercial Security Threat Intelligence services and was trying to find someone at RIL to pass the information. Unfortunately could not connect with anyone and gave up trying after the start of the attacks on May 25.

This is the list of top firms identified by FBI:

UPDATE: this was a failure... but they have not yet given up.

Anonymous announcement of their attack on various Indian sites / companies. One of them was Reliance Communications and started the day before. People using the RCOMM network for internet access were presented with a page carrying a message from Anonymous.

Friday, May 18, 2012

The Shape of things to come- Internet Inarchy

Anarchy, move over - it is time for INarchy. 

They tweeted: “Namaste #India, your time has come to trash the current government and install a new one. Good luck.” 
A YouTube video (May 15) by user Sen0nymous, titled ‘Operation India Engaged’, issued a call to action for fellow hackers. The video stated, 
“It has been known that the government of India and its ministers are committing aristocracy. The idea of democracy remains an idea only.”

“We were and are watching closely all activities of the government and its ministers. Many ministers were and are charged with severe cases of corruption. They do not care. They do not care for the injustice happening. They do not care for the freedom being snatched.”

“The government has been covering up its activities and hiding the facts from its citizens. It has imposed the IT Act which allows it to censor the internet as it seems fit. None other than the DoT needs to be blamed. One can’t block on purview of security concerns.” 

So Anonymous does not like the moves made by the Indian government and they start firing all cannons. They had started off protesting against the US, Swedish and the UK government actions regarding Wikileaks and that sort of hacktivism was cool. Now, and with other actions (anti SOPA etc) is this morphing into a sort of conscience keeper for the world ?

And for the moment the actions are just defacing websites and pulling any data that is bagged in the operation - so how long before this activity turns more malicious? Or how long before there are a few other groups that do not have morals or have some sort of hate driven objectives? We do not have to search too far to find psychos !

We can dump all the international treaties and cooperation programs aside - a cyber-war or cyber-terror scenario is so easy to conjure ... just a handful of faceless people from anywhere in the world meet over time in a chat room and put together their bag of tricks. And, they let loose.

They can attack, plant an APT, steal data, commandeer weapons ... in short, they can do a lot. Or they can just choose to poison an information source like a satellite. Let your internal criminal out and let your imagination run wild, and soon you will have a zillion doomsday scenarios, enough that an asteroid hit will be child's play.

After that, all the king's men can spend their lifetimes to find who did it. 

Tuesday, May 15, 2012

License to Surf .. the shape of things to come

Internet Commerce, Presence and the Shape of Things to come

The internet has evolved dramatically since conception ... inception and I do not believe that the founding fathers would have imagined it in its present form.

Like all things "free", the world has used, misused and abused the internet as it continues to be a self governed network, owned by no one. Organizations like ICANN, IETF, W3C do their bit in controlling or running this worldwide network.

When I started an online business in the mid-nineties, I realized that there are no taxes in cyberspace - the seller in country A was not selling in the domestic market so there was no tax liability... and the buyer in country B was buying (retail for personal use) from overseas so there was no domestic transaction ! Cool.. a lot of people made a lot of tax free money.

Email, tweets, networking, websites, graphics, content ... et al - everything is "free" on the internet. Or so it seems. We in India, and many other countries, are yet to face the whiplash of IP theft or have an organization like SOPA follow an IP address to prosecution and penalty. 

All that we pay for is internet access and once on the information highway, one just lets loose. There are no rules - one site leads to another, check out recipes or people, post stuff online or make your sites.

We are heading towards an Internet which will be paid for, and with the amount of wild west type shootings and lawlessness, pretty soon we shall have to have a "License to Surf". A license which will uniquely identify me and allow me to visit a certain set of websites.

Governments are already creating tough laws to rein in the lawlessness and the new breed of criminals. Websites, service providers and law enforcement agencies are increasingly tracking every move / keystroke made online for their own purposes. Technology is advancing towards a more connected life, towards blurring the difference between online and offline personas.

ISPs are already 'shaping' traffic and can start offering 'bundled' internet access much like a cable service. Websites will consolidate services and will charge a small fee when you visit and this will be charged from the ISP - based on time. Emails will start costing money and so will tweets and social network posts - quite possibly the ISP will have to share a part of their revenue here too or pay an annual license fee.  

The "free" internet is slowly fading - there is an Internet Interpol proposed, international treaties coming up, international cooperation among law enforcement agencies, global takedowns and many other such related activities happening. On the other hand, botnet owners, spam-masters, cybercrime gangs and such criminals use free resources and cyberspace anonymity to wreak havoc on the global user community.

Maybe this will be a good thing because it will protect us from the paedophiles and other cyber criminals. A small price to pay for the protection and personal safety on the internet but a very high price when one considers the surrender of privacy and the 'freedom' of an unfettered cyberspace. 

Saturday, March 24, 2012

India Risk Survey 2012 ... unreliable references and more !

When I saw a new report India Risk Survey 2012 I was really happy because it carried the names of FICCI and Pinkerton - both are respected and one can expect solid work from them. 

Unfortunately I am terribly disappointed with the report, in the area where it relates to Information Security.. and as I write this, I hope these organizations rewrite the report or withdraw parts of it, as their gesture of apology.

While reading the report the first 'jhatka' came to me when I read they quoted a Norton report stating cyber crime losses at 34,110 cr (where on earth does one conjure up such a number) - such numbers only fools will suffer !

The second one was a big shocker - they have the gall to quote a Univ of Brighton report which is so full of crap that even a kid can see through that sham of a white paper ! This is personal for me since I wrote about the sad guys who wrote that paper (check Univ of Brighton - bunch of liars). The paper writers did not have the guts to write back to me.

This same university has been trashed by one of the leading national authorities in Information Security - Dr Kamlesh Bajaj wrote about this outfit way back in 2009

Now this report started bothering me and I feel sure they have lifted some of the text - lo and behold - do a check for plagiarism and I find text lifted from "The Hindu". There is a statement wrongly attributed to the CID Review. Refer to the article on Cyber Crime in this CID Review newsletter on the subject of cybercrime from Jan 2008 - come on - who writes spam as SPAM in a regular sentence :) only a SPAM eater !

Over the past few years, we have seen many 'branded' reports and surveys published under BIG banners - they carry outlandish statistics and statements about cyber crime, information security etc in the country. While almost all such statements need to be taken with a large pinch of salt, it is more necessary to trash stuff like what is written by these Brighton chaps.

It is time to call them back to the table, if they have the guts to come and substantiate their bullS^1t.

Tuesday, February 14, 2012

You are ethical ... and Information Security is a blind alley...!

Ethics is a much used word and we know that EVERYONE in security is ethical, trustworthy with a high level of integrity and will keep all my corporate secrets deep in his/her heart until death do us part (or if you do not pay my bill!)

Well, a number of times I have asked some friends how they can say that they are ethical hackers ! I mean you are certifying your own honesty. Simply speaking, walk around Mumbai or Gurgaon wearing your white hat for less than half an hour and it will become dirty ... lo and behold you are a gray hat. And, if you accidentally bump your car or cycle into someone you will morph into a black hat :)

Earlier I have been thinking about individuals because you do not mistrust security majors. And then this happens.... 
Trustwave admits issuing man-in-the-middle digital certificate; Mozilla debates punishment
The evolution of the internet, technology and mankind is a fact. So is the fact that concepts of privacy, democracy, freedom, human rights, commerce, economics, crime, war et al are being re-written. Symantec keeps quiet for five years after being hacked, the Arab spring helped overthrow despots, Wikileaks has shaken the most powerful nation so badly that they want to get to him anyhow, state or non-state players are not distinguishable.

So who can we trust ? And how is trust proven ? Can the company we trust trust the thousands of persons who contributed to the millions of lines of code or that small widget that was embedded in my cellphone, or pacemaker !

Sinister thoughts in a dark world where we are all walking blind and talk like we know it all. I mean I feel clueless / helpless and what-have-you when I read about Symantec, RSA, Microsoft, Verisign, DigiNotar (the CA that was hacked), SONY, Heartland, TJ Maxx, Citibank etc etc - and other bastions of security that were felled.

Then you read about the suspicion that malware or spyware is embedded in hardware coming out of China, or that Apple and others installed tracking software from Carrier IQ. 

What is ethical, what is not; where do we draw the line. In a zillion lines of code how does anyone know if there is that one line that is keeping tabs on you (and maybe the developer company does not know about it too).

Monday, January 16, 2012

Data – The Ultimate Asset

Traditionally, business has looked at land, plant, building, machinery as assets that need to be protected and security thoughts have focused on fortification of the perimeter surrounding the assets. Business was about manufacturing, trading, services and then came the technology age... and life changed. Or did it ?

Unfortunately, businesses transposed traditional experiences into the technology realm thinking that firewalls, anti virus solutions, IDS/IPS and server hardening will protect the perimeter and life will continue securely. Computers became assets, but not data, and it has taken a long time for businesses to realize their folly. While mature organizations have taken adequate and appropriate steps, a majority continue to pay lip service to their data assets.

And therein lies the error of judgment – it is easier to buy a new plant than to make sense of a thousand files with unstructured data. Data is the ultimate asset in the technology age and the dependency on IT systems is growing exponentially. At work we grapple with more information (data) than we can handle and one hoards relevant and irrelevant data. The data which we work on grows into multiple copies across the organization and, whether one likes it or not, dependency on data is absolute.

Business organizations, or individuals, cannot survive in the event of non-availability or loss of data and must accept that data is their most critical asset. It is essential to enable data security and manage this asset throughout the lifecycle using technologies that enable real time proactive protection.

Data security is critical for business, so that:

• Confidentiality is maintained and data is not exposed, leaked, lost, stolen or compromised
• Integrity of data is assured and users know that it has not been tampered with
• Data is available at all times for uninterrupted business operations

Technologies like Security Incident and Event Management (SIEM), Data Loss Prevention (DLP) and Information Rights Management (IRM), when deployed together in any organization, provide a high level of protection to the data assets, and the organization retains control over its assets while inside and outside its infrastructure perimeter. The SIEM will help monitor the network and alert against malicious activity, the DLP system will lock down assets from inappropriate access or transmission and the IRM system will provide the ability to remotely control document access rights.