Archive | July, 2011

Ghulam Nabi Fai’s arrest

Indian agencies have known Mr. Fai was up to no-good for ages.

We’re just being made aware of the arrest in the U.S. of Ghulam Nabi Fai, Executive Director of the Kashmiri-American Council (KAC) for allegedly being on the payroll of the ISI and hiding millions of dollars for illegal lobbying.  A second individual, Zaheer Ahmed, has also been charged.  The FBI affidavit cites that Mr. Fai conspired “to act as an agent of a foreign principal…to falsify, conceal, and cover up materials by tricks, schemes, and devices…” (FBI affidavit, LT @Colinfreeze).

As it turns out, Mr. Fai is no stranger to the FBI.  When questioned in 2007, he contended that he had “never met anyone who identified himself as being affiliated with the ISI.”  Mr. Fai has long been at the forefront of the “Kashmir movement” in the U.S., portraying himself as a Kashmiri-American champion of “the Cause,” independent of any affiliation with Pakistan or its agencies.  In fact, CBS-affiliate KNX 1070’s news report this morning on the arrest identified Mr. Fai as a “Virginia man.”

But Indian security agencies have long confirmed Mr. Fai’s nexus with Pakistan’s ISI.  A 2004 Times of India report on the mysterious death of Hasimuddin, former aide to Syed Ali Shah Geelani, revealed the relationship between Mr. Fai, the Tehrik-e-Hurriyat and the ISI (emphasis added):

This is part of Islamabad’s plan to secure a place for Tehriq-e-Hurriyat in the talks to decide the fate of J&K on the ground that the secessionist outfit was the true representative of ‘Kashmiris’.

Those behind the plan have gone about its execution with clinical precision. Hasimuddin had been managing the funds of Tehriq-e-Hurriyat after he was ousted from the All Party Hurriyat Conference, as its secretary. But Geelani had replaced him recently.  The outfit was getting funds from the ISI and also from Saudi Arabia. Most of the funds were routed through the US-based Kashmir American Council of Ghulam Nabi Fai or the UK-based Ayub Thakar who died recently, sources said. [Times of India]

The arrest of Mr. Fai only confirms what India knows about how the ISI plays the game on Kashmir; with a mixture of subterfuge, political grandstanding, and of course, sub-conventional warfare against India, through a network of carefully cultivated intermediaries and proxies.


The day after Mumbai

India needs to arrest the narrative, break the cycle.

Familiar tragedy befell the city of Mumbai last night — three coordinated bomb blasts killed 21 innocent civilians and injured over 100.  My colleague over at Pragmatic Euphony puts across some important questions that deserve answers.  At the time of writing this blogpost, no one has yet claimed responsibility.  And while there were indications that some lessons had been learned by the government since the 26/11 attacks, the two terror incidents can hardly be equated.  The attacks of 7/13 have an unfortunately familiar signature to previous attacks in India — Bombay, 1992; Delhi, 2005; Mumbai 2006; Jaipur, 2008 and Guwahati, 2008.

Had this been a fidayeen attack or a commando-style assault resulting in a hostage situation (like 26/11), we’re not sure what the government’s response might have been. What we do know from previous incidents is that the nature of the attacks in Mumbai aligns with the modus operandi of two groups — the underworld, and local, but Pakistan-affiliated groups such as the Indian Mujahideen (IM).

India’s track record in bringing to book those responsible for terror attacks on its soil is troubling.  In The Hindu, Praveen Swami points out that despite multi-million dollar investments, India’s investigation into terror attacks since 26/11 have proven inconclusive.  Indeed, despite home minister P. Chidambaram’s claims that our counter-terrorism capabilities have been significantly enhanced since 26/11, we appear unable to even identify where persons on our so-called list of “most wanted” currently live.

It should be troubling to the state and to its citizens that on every occasion where innocent civilians are murdered in India, the narrative of preserving India-Pakistan peace is resurrected from slumber in the Western media. This is a narrative that India needs to arrest.  As if the need for India to talk to Pakistan ranks considerably higher than the value of the lives of innocent men, women and children who have died.  Let there be no “knee-jerk” reaction, they say.  But there’s already been a knee-jerk reaction. And several.

But beyond merely identifying those responsible for the heinous attacks on India, what is the government’s capability to deliver justice to victims?  What is to dissuade those hostile to India from carrying out further attacks in other large metropolitan cities?  If these attacks end up being traced to Pakistan, like 26/11 was, will justice ever be served?

This blog has repeatedly articulated the need for capacity to challenge terror infrastructure where it stood.  If the attack is traced to Pakistan, India has two options — pursuing the matter through political channels, which invariably leads to a cul-de-sac, or military, which appears infeasible given sufficient plausible deniability and international pressure. Now, India certainly has options available that don’t involve either the political or military to put it across to the perpetrators that their actions will not go unpunished.  The question is if India has the political will to deliver justice to victims of terror, by whatever means necessary.

Both within India and outside, those that have conspired against the state continue to act with impunity.  Until the government can demonstrate that it can act decisively against those that wage war against it, this unfortunate cycle will continue.

India needs no new ideas.  The thinking that needs to be done has already been done.  No new whitepapers are needed.  This country needs doers.


Guestpost — The Weakest Link (II)

The importance of prompt governmental action on cybersecurity threats.

In Part-II of The Weakest Link, Srikanth R., Senior Research Associate for Cyber Security Studies, writes about how India and other countries have reacted and should continue to act to counter cybersecurity threats (also read Part I).


While the attack on RSA was in progress, a slew of attacks on companies and governments all over the world were taking place. These attacks were credited to anonymous groups of people who are not necessarily hackers, but with sufficient skills to detect sites running older versions of software with publicly known exploits. These attacks compromised the data stored in websites that were not up to date with patches to fix known security holes. Unlike zero day attacks that require sufficient technical competence, these attacks were the result of exploiting well-known weaknesses of website software, and did not require much technical competence.

Such attacks have already resulted in the publication of private databases of various web sites all over the world, including NIC in India, indicating that organizations in India will also be potential targets for such groups. In fact, such organizations need to secure their networks by applying patches for all known security holes; the weaknesses being exploited here are known ones, not zero days.

These events point to an urgent need for organizations/companies specializing in cybersecurity services in India that can provide services such as penetration testing, website audits, and IT security audits for a fee. Such organizations can also be valuable in bringing best practices to all people in an organization — a chain is only as strong as the weakest link, and this is especially true of implementing secure processes and practices in any organization.

All of the above events raise obvious questions about the current status of the security of the corporate and government networks that may be considered high value targets to adversarial state and non-state actors. In considering these targets, it helps to be realistic about the actual importance of a target, and not “official importance”.

Taking down a government agency’s website is an annoyance but it does not actually affect the daily activity of Indians in real terms. The value of disrupting the networks and functioning of an organization increases as the use of technology in governance increases, as it directly affects citizens using such governance schemes. In particular, schemes such as Aadhaar will soon be a high value target as it becomes more central to the functioning of large numbers of organizations, governmental and corporate, as their own services become dependent on the Aadhaar networks functioning as designed.

It would be beneficial to have an independent organization that is in charge of testing and fixing the security of such flagship schemes that hold private information of a growing number of citizens. On this note, data security must be viewed in a comprehensive manner, which in this case would include the security of all paper copies of data collected from the citizenry to be entered into the Aadhaar databases.

Citizens groups need to question the government on whether all the data collected for the UID databases are destroyed once in the Aadhaar databases, and if not, demand information on the safeguards taken by the Indian Government to protect this data from being abused in the future. Failing such assurances from the government, citizens must resist any moves to make UID mandatory for all citizens.

The other key infrastructure that will be a target for hackers is the telephone networks that are tied to internet data networks. The most obvious way to place the entire network at risk is to run the network using products from foreign corporations without access to the exact source code that runs on the hardware on the network and to the hardware design of the chips used. Backdoors can be built into the hardware too, not only the software.

If an entire network of machines is built from such hardware, a literal flick of the switch can shut down the network when it is most needed. The recent announcement by Reliance Industries to build their company cellular networks based completely on Huawei products is very alarming, because there is no indication that Huawei has parted with the source code for the networks to Reliance.

Short of Reliance building the Huawei source code itself and installing the result on the products, there is no way to ensure that Huawei has not installed hardware or software Trojans in the systems sold to Reliance. Operating any hardware/software without the source code in sensitive domains that will be targets for enemy hackers is an exercise in extremely poor judgement.

In summary, physical security of a State and its cyber security are both complementary aspects of overall National Security. Organizations that provide crucial services to important entities or the public at large must take immediate steps to secure the internal processes and procedures of all their employees that have access to their networks.

Furthermore, Indian organizations must eschew incorporating proprietary, i.e., non open source, hardware and software platforms from competitor states such as China, unless they acquire complete knowledge of what hardware and software is being deployed to build public infrastructure. Instead of creating myriad new governmental organizations that do little to improve the security of the nation’s networks, the Indian Government would do well to provide incentives for private businesses that provide critical services and information in securing corporate and governmental networks.


Guestpost — The Weakest Link (I)

The state of cybersecurity and governmental response.

After Stuxnet and a series of high profile attacks against government and corporate cyber infrastructure this past year, it is clear that a new age of warfare is here, where state- and non-state actors increasingly use cyberspace to perpetrate attacks against their adversaries. These actions should remind us of the inexorable link between cyber-security and national security. Recently, the U.S. Department of Defense stated in a press release that cyberattacks constituted an “act of war,” if they originated from a foreign country, and that these acts of war could be responded to with conventional military force.

However, given the increase in frequency and sophistication of cyberattacks, and the proliferation of technology in India, there is little indication that the Government of India truly understands the nature of warfare being imposed on States in the world. Indeed, while the Government of India recently released a cybersecurity policy draft, that draft is effectively a policy orphan, as India does not have a national security policy. Cybersecurity is a subset of national security; the former cannot meaningfully exist without the latter.

Takshashila Institution’s Srikanth R., Senior Research Associate for Cyber Strategy Studies writes in a two-part series on The Filter Coffee, about the nature of the threat, and actions India and other governments must take to prevent attacks or effectively mitigate damage.


After last year’s Stuxnet attack on Iran’s facilities, it was revealed recently that the attack was the result of efforts by the governments of US and Israel.  In March 2011, an “independent Iranian hacker” took credit for hacking into RSA Corporation’s master “token seed” database for one of their flagship products, ostensibly retaliating against the Stuxnet attack.  The stolen data from RSA was used to attack other major US corporations, raising fears of escalating attacks on critical US infrastructure.

In response, the Pentagon released an official statement that “cyberattacks can count as acts of war if it originates from a foreign country,” most likely directed at the State that hacked into RSA’s databases. However, this did not deter a cyberattack on defense contractor Lockheed Martin on June 2.  Lockheed revealed that stolen information from RSA was used to attack their network. RSA’s official response ambiguously emphasized that “the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology”.  Given that the RSA database was stolen on March 17th, this attack would by definition be categorized as a “known” threat, and thus not a “new threat”.

While this may appear to be just another database that was hacked into, it has serious implications for all RSA’s customers, which include companies such as Comodo, which provide authentication certificates for users to interact with corporations such as Google, Yahoo, Skype, Mozilla, etc.  Customers of RSA such as Comodo depend on the robustness of RSA’s services to guarantee the integrity of the authenticated SSL certificates issued to Comodo’s customers.  In fact, all the above customers that depend on RSA’s security platform were breached in the weeks after the loss of RSA data.

Token based authentication is a common and popular scheme that allows a user to access specific resources from a site by interacting with an authentication server.  An authentication server provides temporary access to a set of resources or capabilities based on the user’s name and password by generating a “token” that allows the user temporary access to specific resources on the web, and companies like RSA base their products on “seeds” that generate an effectively unlimited sequence of secure tokens. Secure tokens are required for any organization that needs to provide secure access to databases on its servers or secure access to their VPN networks.

The most serious implication of a stolen master database of token seeds is that the stolen information can be used to create “cloned” tokens that can be misused by intruders to attack, for example, a VPN network that is vulnerable to hacker attacks.  On May 29, Reuters reported a defense company acknowledging it had detected a “tenacious cyberattack” which was eventually thwarted successfully.
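The two paragraphs above describe seeds that generate token codes and the cloning that a leaked seed database permits. The example below, added here and not code from the original post or from RSA, makes that concrete with an HMAC-based one-time code (RFC 4226/6238 style, which is a public standard, not SecurID’s proprietary algorithm): the server and the token share a seed, anyone holding that seed produces identical codes, and the remedy is to re-seed the token. The seed value and the token serial are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed seed: the RFC 4226/6238 test-vector secret, not any vendor's real seed.
DEMO_SEED = b"12345678901234567890"
STEP = 30  # seconds per time step

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time code for (seed, counter) with RFC 4226 dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Time-based code: the counter is the number of 30-second steps since the epoch."""
    return hotp(seed, unix_time // STEP, digits)

class TokenServer:
    """Authentication server side: one stored seed per token serial."""
    def __init__(self):
        self.seeds = {}

    def enroll(self, serial: str, seed: bytes) -> None:
        self.seeds[serial] = seed

    def verify(self, serial: str, code: str, unix_time: int, drift_steps: int = 1) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        # Tolerate small clock skew; compare in constant time to avoid timing leaks.
        for k in range(-drift_steps, drift_steps + 1):
            if hmac.compare_digest(totp(seed, unix_time + k * STEP), code):
                return True
        return False

def seed_compromise_demo(unix_time: int = 59) -> dict:
    """Why a leaked seed database matters, and what re-seeding buys back."""
    server = TokenServer()
    server.enroll("TOKEN-0001", DEMO_SEED)
    legit = totp(DEMO_SEED, unix_time)
    # Whoever holds the seed computes exactly the code the genuine token shows.
    cloned = totp(DEMO_SEED, unix_time)
    clone_accepted = server.verify("TOKEN-0001", cloned, unix_time)
    # Mitigation: issue a fresh seed (constructed here); the clone's codes stop verifying.
    new_seed = hashlib.sha256(b"constructed replacement seed").digest()[:20]
    server.enroll("TOKEN-0001", new_seed)
    clone_after_reseed = server.verify("TOKEN-0001", cloned, unix_time)
    return {"legit": legit, "cloned": cloned, "clone_accepted": clone_accepted,
            "clone_after_reseed": clone_after_reseed}
```

The point for a defender is that nothing in the verification step distinguishes a genuine token from a clone, so after a seed-database breach the only sound response is to re-seed (or replace) every affected token.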

It should be noted that RSA had taken precautions for the physical safety of its data, such as “(a) keeping the token records containing the token seed values (secret keys) offline; (b) hardening the SecureID server’s operating system; (c) strictly limiting administrative access to it per RSA’s guidance, and (d) monitoring the SecureID server for signs of fraud and abuse. We felt that the residual risk to our customers as a result of these measures was fairly low.” However, these precautions were insufficient to thwart RSA-type attacks, also known as Advanced Persistent Threats (APT).

Advanced Persistent Threat (APT) attacks are initiated by gaining entry into a network and then remaining hidden for a long period of time, actively collecting information but hiding all the stolen information within a machine in the network before shipping all of it out at the very end.  APTs can gain entry by exploiting zero-day vulnerabilities or by fooling known users of the network into parting with information that opens the way into a secured network.

Once inside a secure network, this malicious entity hides within the organization’s network silently collecting information for days, or maybe years, before abruptly leaving with all the stolen information.  Given that there are no solutions to avoid zero-day attacks, it is not possible to thwart APT attacks.  However, there could be limited use for network monitoring tools to filter off-hours activity not initiated by a known user in the network — this is not sufficient to thwart APT attacks but can at least detect malicious presence in the network sooner rather than later.
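The monitoring idea in the paragraph above, as an added example that is not part of the original post: a small filter over a session log that flags off-hours activity by accounts not on the known-user list, and separately flags a known account whose outbound volume jumps far above its own usual level, which is the “shipping all of it out at the end” stage the post describes. The log lines, account names and thresholds are constructed for illustration, and the log format (end time, user, host, bytes sent out) is an assumption.

```python
from datetime import datetime
from statistics import median

# Constructed sample session log (not from any real network): end time, user, host, bytes sent out.
SAMPLE_LOG = """\
2011-06-01T10:15:02 alice ws-12 1200
2011-06-01T11:40:11 bob ws-07 540000
2011-06-01T02:13:45 svc_backup srv-03 850000000
2011-06-02T03:02:09 alice ws-12 3100
2011-06-02T23:55:30 mallory ws-07 120000
2011-06-03T01:10:00 alice ws-12 400000000
2011-06-03T02:30:00 svc_backup srv-03 900000000
"""

KNOWN_USERS = {"alice", "bob", "svc_backup"}   # accounts expected on this network
BUSINESS_HOURS = range(8, 20)                   # 08:00 to 19:59 local time
SPIKE_FACTOR = 10                               # flag egress above 10x the user's median
SPIKE_FLOOR = 1024 * 1024                       # ...and above 1 MiB, to ignore small noise

def parse_log(text):
    """Parse 'timestamp user host bytes' lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, host, nbytes = parts
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "host": host, "bytes": int(nbytes)})
    return events

def flag_events(events, known=KNOWN_USERS, hours=BUSINESS_HOURS):
    """Return [(timestamp, user, [reasons])] for sessions worth an analyst's look."""
    findings = []
    for ev in events:
        reasons = []
        off_hours = ev["time"].hour not in hours
        if ev["user"] not in known:
            reasons.append("unknown user")
        else:
            # Compare this session's egress with the same user's other sessions, so a
            # nightly backup account with consistently large transfers is not flagged.
            others = [e["bytes"] for e in events if e["user"] == ev["user"] and e is not ev]
            if others and ev["bytes"] > SPIKE_FLOOR and ev["bytes"] > SPIKE_FACTOR * median(others):
                reasons.append("egress spike")
        if reasons and off_hours:
            reasons.append("off-hours")
        if reasons:
            findings.append((ev["time"].isoformat(), ev["user"], reasons))
    return findings

def run_demo():
    return flag_events(parse_log(SAMPLE_LOG))
```

On the sample log this flags the unknown account active near midnight and the known account whose transfer is orders of magnitude above its norm, while leaving the backup account’s routine nightly transfers alone.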


In Part II, Srikanth will discuss what India and other governments must do to effectively prevent exploitation of these security vulnerabilities, or mitigate damage, if they are indeed exploited.
