Saturday, December 20, 2014

Cyberwar ... a damp squib?

War... The word conjures up images of people killing one another using warplanes, warships, tanks, cannons etc. Images of cities and countries totally destroyed... then V Day... then POWs... medals, martyrs, heroes. This was war!

And cyber war? Is it really war? Or are we diluting the devastating danger of war by terming cyber incidents as war?

No country has publicly declared the formation of a cyber army, or a new cadre. There is no school for cyber weaponry or tactics. In fact well known generals and leaders have publicly accepted that they do not know how to define cyber war. Yet the media and global voices scream cyber war every time a major hack takes place! No one knows who did it, but everyone has a theory about whodunit!
Last year Sony was hit by non-state actors, and this winter all fingers are pointing at North Korea. Earlier, in autumn, it was the blame-it-on-Iran season and the summertime ogre was China! Others who have had their place in the sun are the Syrian Electronic Army, Russia, Georgia and others.

One shouldn't forget the private and state armies of India and Pakistan who are constantly engaged in the childish sport of website defacement. Every now and then we have reports about cyber war being staged by either party, stating that X hundred sites were defaced and Y hundred were retaliated with!
Sabre rattling and finger pointing by all countries and the so-called private armies and patriots. No government has stood up to say they are responsible for a website defacement or a data breach/theft from someplace.

Not a single country has declared war in the real sense of the word. American banks, corporations, government entities and critical infrastructure are under continuous attack (as per US-CERT) but America has not declared war against anyone! Compare this with the same Americans who went to war because someone said the Iraqis had WMDs. Then they went out and killed Osama bin Laden because of the WTC attack by the Taliban.
It is natural for any country to declare a state of war if their sovereign assets are compromised, but look at this:
The NSA PRISM program has compromised the assets of friendly and non-friendly states and (possibly) continues to do so. Yet all affected countries have just taken it easy and not spoken up or retaliated (except Brazil).
India and Pakistan have border skirmishes every other day and hordes are killed by terrorists (non-state actors) and armies (state actors). However, even though website defacement and data exfiltration are regularly announced by non-state players, there is no "tough" talk or overt action!
In the past few days North Korea is (said to be) the country behind the Sony hack because of the movie 'The Interview'. The USA is said to be affected badly by the hack but there is no strike back! And, going back into history, there are other incidents when South Korea has repeatedly been (supposedly) attacked by North Korea and there has been no counter-strike! Not even a word of warning, leave alone the 'stern warning' type of public statement.
This infographic shows a few landmark events, but what about counter-strikes, what about public warnings, what about cease-and-desist statements... none!
So is cyberwar sabre brandishing just a damp squib? No one is sending their army/navy/air force to any country. The US is not asking an aircraft carrier to park itself in the Pacific off the coast of North Korea or China in spite of numerous damning statements against both governments.
Why all this talk about war or elevating these malicious, larcenous crimes to the status of war? These are crimes that may have disastrous consequences; these are disasters that may happen due to oversight or lack of diligence; these are common covert statecraft activities like espionage, agent recruiting etc; these are events which have not been seen or imagined in totality .. and mankind is still struggling to put a name or sentence here.
Can we keep the word "war" out and stop glorifying common criminal intent? It will blow the hype out and allow proper thought to address the problem(s).
At least until the internet is all pervasive and as 'essential' as air / water / land / gravity, and we can blast human beings as they walk and talk with a precise thought!
Scarier times are ahead, but why build and live with FUD?
This article was published by me on LinkedIn.

Wednesday, April 9, 2014

Suing the Government

Should a government department, a government official or an elected minister be sued in event of negligence or lack of services which are promised by the Constitution?

Yes, by all means; but taking any such action requires permissions at various levels which includes running hurdles for the investigation team.

This thought has been on my mind for quite some time and was rekindled by this report about an event in the US: a court recognised that a government agency can sue anyone for not having security in place.

We are lucky that our IT Act has a similar provision as it expects ‘reasonable’ security to be in place and this is good for all – prosecution and defence lawyers. I say it is good because everyone will have a great time discussing the definition, scope, inclusions and exclusions of the term ‘reasonable security’.

Anyway there are cyber and non-cyber considerations:

First a look at non-cyber considerations –
A lady alighted from her car and fell into an open drain on Marine Drive the day before yesterday. People have fallen into drains, or off trains because the platform is too low; cars have fallen into ditch-sized potholes; potholes dot all Mumbai roads and can break your neck or back.
So can we sue the Mumbai Municipal Corporation, the Commissioner, the traffic cops and the local Minister for abetment in a conspiracy to murder, or for culpable homicide? If the police arrest the husband and all the in-laws (usually) as abettors in the unfortunate event of a suicide by a lady, then how is this different from the blind actions of the MMC arising from the indecent state of infrastructure which can kill you at any moment?

Another scenario is when there is a fire and the Fire Department discovers the absence of fire-fighting equipment – they penalise you and take you to court.

Now we take a look at the cyber scenario –
In this country CERT-empanelled auditor firms are in great demand and there are only 40 / 50 companies which hold the distinction of this honour. The government mandate is that CERT is our cyber protector, and these empanelled agencies are the eyes, ears and hands which will ensure that the Government infrastructure is secure. In spite of all the brouhaha and strict procedure, government websites are defaced and reports are leaked about breaches and hacks in Government departments, banks etc. – all those institutions which place blind faith in the CERT empanelment.
The BIG question is – how come no official is kicked out? How come no empanelled company is de-listed? How come there is no public inquiry into such incidents? Why doesn’t the police arrest anyone from any of these audit firms (they did arrest auditors in the Satyam saga)?
Why is no one taken to court for deficiency in their security infrastructure and for deficiency in service?

Why is no one taken to court for paying huge penalties for using pirated software? Not a single company or bank has ever reported this to SEBI or the bourses. And when the cops advise not to file an FIR, are they not abetting the crime being committed by the management?

A shameful event (among many breaches) was the defacement of the CBI website, which then remained 'down' for more than a month. Did the auditor / webmaster / IT / IS officers and contractors get kicked out and charge-sheeted? I guess not!

Will this happen when the insurance market matures, or will this happen when the cyber-police department is sufficiently staffed to handle the volumes? And with every passing day the volume of crimes is bound to increase.
What is needed is a Data Protection Act and better governance (corporate or institutional), but we are all chasing a privacy chimera – maybe this sounds more fashionable.

Someone has to be held responsible – and we all know who has to stand up. Will anyone have the moral and procedural guts to be the change?

Friday, April 4, 2014

WMDs of a different kind

Just when the world is understanding a concept, we can trust the US Government to come up with some brilliant idea that turns the concept on its head.

Remember Stuxnet? We were struggling with the viruses in the wild, calling them trojans and malware and all sorts of names and then... boom! Stuxnet rises, cripples Iran's nuclear labs and creates a new lexicon entry - APT.

Cut to present day disclosures - Cyberwar and cyberterror experts are yet to digest the contents of TAO or PRISM. In fact the most respected people in the war business have (on record) said they do not understand the term "cyberwar". 

In spite of such disclosures, governments are buying cutting-edge tools for doing stuff on their perimeter and outside. Armies of developers are creating cyber-weapons (malware) and letting their inner devils run wild.

No one even thought about creating chaos to bring down a government, except the brilliantly evil brains in the American establishment! 

Read U.S. secretly built 'Cuban Twitter' to stir unrest

No one thought of converting the idea of "Arab spring" into a cyber-weapon! 
Except for the brilliantly evil brains in the American establishment :)

And the concept of cyberweaponry is now turned on its head. A true blue WMD that can be used to spread disinformation, create chaotic crowds, influence thought or engineer civil strife. And that is the easy way to engineer the downfall of a government.

The US government used the facade of USAID to set up a Twitter-like portal (ZunZuneo) focused on building a community in Cuba and used it for a number of self-serving activities. The underlying objective was to influence thought and bring about change by having a democratic government.

So what does this now do for the world? Increase the level of distrust for all business or things of US origin. 

I mean, if Facebook starts a misinformation campaign after setting up about 1,000 or more fake accounts, where are we headed?

How about scaring a whole country (or community) and starting mass migration and polarization on the lines of caste / color / religion / language. 

Or mobilizing flash crowds in every city to chant anti-national slogans creating a law and order situation.

In the last few days we have read disclosures which reported that Google and Microsoft have accessed emails without authorization. The Snowden disclosures are still continuing and have not helped in managing the reputations of any of these global corporations. 

There is distrust all around! And incidents like this from USAID will not help. 

However, we have a new WMD and it has to be developed in stealth mode. 

Friday, March 14, 2014

Friday Musings - happy times under the spotlight

Taking a break from the daily gloomy tidings about UID misuse, foot in the mouth pronouncements, government system breaches let us look at some silver linings and keep the weekend cheery!

A recent analyst report says that the Information Security business is worth $102 billion - happy days for all! Who cares if this spend secures enterprises or governments so long as we can invoice them and get our payment! I can see the India Infosec group members coming together for an all-India F2F to discuss the bulk purchase of high-end Mercs and BMWs in the near future. Lord, give us a billion :)

Tim Berners-Lee was answering questions on reddit and there are some great quotes - this is a must read on the weekend. He talks about Snowden, that whistleblowers may be all that will save society, and that he favours surveillance for fighting crime (but there must be oversight). Incidentally, he had considered alternative names like The Mesh and The Information Mine before he finalised on WWW.

An extract from the reddit post:
[Question] Did you ever think that the internet would get this big?
[TBL] Yes, I more or less had it nailed down when it comes to the growth curve. I didn't get it completely right --- 25 years ago I was predicting I'd be asked to do an AMA on reddit next week, but it turned out to be this week. Well, we all make mistakes. (no of course not)

Closer to home and elsewhere, IMS, CMS, NETRA, NSA and PRISM are a few terms that bring visions of a surveillance state intruding into every facet of your life. However, this is not the start of surveillance, as it has been around even before Biblical times. Every ruler and his statesmen have engaged in some form of surveillance of their populace - the level of intrusion depends on the case.

In the Internet age, there has been great debate on the extent of surveillance and the fear of misuse, or loss, of data collected.

So say all the wise people outside the establishment. 
So says Tim Berners Lee too. 
Has anyone heard any government say this convincingly? We shall rest our case here and learn to live with it. The debate will continue and the government will do what they have to do against the raving and ranting of the privacy and human rights activists.

There is a lot not happening in the InfoSec domain - good, bad and ugly! Some ugly stuff - I was with a client who had 'obtained' an ISO 27001 certificate. They paid Rs. X for the certificate and then another Rs. 150 for framing it :) ... of course they felt bad that this agency gave them the certificate without the photo frame. And now they were scrambling because a client wanted to do an audit and they did not have a single policy. Of course they did not have a hope in hell and flunked the audit.

InfoSec advisories warn about the insider threat and this may be the biggest example: it is being alleged that Princess Diana leaked royal family phone numbers to get back at her husband - a disgruntled wife causing a data breach! Another one was about the daughter of Michael Dell, who was regularly posting details about her father's travel plans on her FB page while he was spending a few millions on protecting his privacy and security!

BTW - one of the fans on the TBL AMA commented that Berners-Lee does not use a browser! He just pulls on an ethernet cable like a hookah :)

How many of us can claim this power ;-)
However, with dollar dreams I should no longer care about surveillance or insiders - I have the power! (of the ISO certificate!)

With that thought... have a great weekend. 

The world is full of great surprises & the uncommon shortage of common sense is one of them. 

Notice: this is my post on the India InfoSec Mailing list on Yahoo!, a private closed group of information security professionals from India.

Monday, March 10, 2014

Sadly MH370 is lost and no thanks to the aircraft manufacturers

Malaysian Airlines MH370 loss

This is not the first time an aircraft has been lost over sea and we are replaying the same scenario - MH370 loses contact and is feared lost. Now there is a search operation involving about 30+ aircraft and an equal number of ships.

The question that nags me is that after so many years of technology advances in aviation we struggle to find missing aircraft, and when we find the debris there is big-time trouble locating the 'black box'. By now this should be child's play. I have a few childish suggestions...
- Why can't Boeing and other companies just embed homing beacons all over the body of an aircraft (it should not add more than $1000 to the cost)?
- Why can't these guys put reflective paint on the body?
- Why not have more than one black box, OR keep a voice channel open to the ground where they can keep recording the cockpit activities?
- Why not have a 'call home' transmitter embedded across different parts of the aircraft?

Then when you think about all the issues reported about the Boeing Dreamliner you realise that this is not happening because these guys have yet to get their act together in the flying section, so how can we expect them to be good in the security segment!

It is the same story being replayed when precious lives are lost and the relatives are clueless about their loved ones and how they died!

As I write this there is a massive search operation underway, and in the end we will have a monument somewhere in the middle of nowhere. Security checks have addressed many risks; however, when we think about the hardships which could have been avoided with a swifter search (in the event of an unfortunate mishap) there is no excuse.

Someone from the design teams, or from the FAA in the USA or DGCA in India or equivalent bodies across the world, should exert pressure on the aircraft manufacturers to do something!