Archive | Cyber warfare

Guestpost — The Weakest Link (I)

The state of cybersecurity and governmental response.

After Stuxnet and a series of high-profile attacks against government and corporate cyber infrastructure this past year, it is clear that a new age of warfare is here, in which state and non-state actors increasingly use cyberspace to attack their adversaries. These actions should remind us of the inexorable link between cyber-security and national security. Recently, the U.S. Department of Defense stated in a press release that cyberattacks constituted an “act of war” if they originated from a foreign country, and that such acts could be answered with conventional military force.

However, given the increase in frequency and sophistication of cyberattacks, and the proliferation of technology in India, there is little indication that the Government of India truly understands the nature of warfare being imposed on States in the world. Indeed, while the Government of India recently released a cybersecurity policy draft, that draft is effectively a policy orphan, as India does not have a national security policy. Cybersecurity is a subset of national security; the former cannot meaningfully exist without the latter.

Takshashila Institution’s Srikanth R., Senior Research Associate for Cyber Strategy Studies writes in a two-part series on The Filter Coffee, about the nature of the threat, and actions India and other governments must take to prevent attacks or effectively mitigate damage.


After last year’s Stuxnet attack on Iran’s facilities, it was revealed recently that the attack was the result of efforts by the governments of the US and Israel. In March 2011, an “independent Iranian hacker” took credit for hacking into RSA Corporation’s master “token seed” database for one of its flagship products, ostensibly in retaliation for the Stuxnet attack. The data stolen from RSA was then used to attack other major US corporations, raising fears of escalating attacks on critical US infrastructure.

In response, the Pentagon released an official statement that “cyberattacks can count as acts of war if it originates from a foreign country,” most likely directed at the State that hacked into RSA’s databases. However, this did not deter a cyberattack on defense contractor Lockheed Martin on June 2. Lockheed revealed that information stolen from RSA was used to attack its network. RSA’s official response ambiguously emphasized that “the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology”. Given that the RSA database was stolen on March 17, this attack would by definition be categorized as a “known” threat, and thus not a “new threat”.

While this may appear to be just another database that was hacked into, it has serious implications for all of RSA’s customers, which include companies such as Comodo, which provides authentication certificates for users to interact with corporations such as Google, Yahoo, Skype, Mozilla, etc. Customers of RSA such as Comodo depend on the robustness of RSA’s services to guarantee the integrity of the authenticated SSL certificates issued to Comodo’s customers. In fact, all the above customers that depend on RSA’s security platform were breached in the weeks after the loss of RSA data.

Token-based authentication is a common and popular scheme for letting a user access specific resources on a site by interacting with an authentication server. The authentication server grants temporary access to a set of resources or capabilities, based on the user’s name and password, by generating a “token” that allows the user temporary access to specific resources on the web; companies like RSA base their products on “seeds” that generate an infinite number of secure tokens. Secure tokens are required by any organization that needs to provide secure access to databases on its servers or to its VPN networks.

The most serious implication of a stolen master database of token seeds is that the stolen information can be used to create “cloned” tokens, which intruders can misuse to attack, for example, a VPN network that is vulnerable to such attacks. On May 29, Reuters reported that a defense company acknowledged it had detected a “tenacious cyberattack”, which was eventually thwarted.
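To make the seed-and-token mechanism and the “cloned token” problem of the two paragraphs above concrete, here is an added example that is not part of the original post: RSA’s own SecurID algorithm is proprietary, so the open TOTP standard (RFC 6238, HMAC-SHA1 over a time counter) stands in for it, and the seed is the RFC test-vector secret, constructed for the demo. The verifier class is an assumed server-side design that refuses to accept a time step twice, which blocks straight replay and turns a legitimate user’s sudden rejections into a signal that a second copy of the seed may be in use.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 4226 test-vector secret, not a real token record).
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 60

def hotp(seed, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed, now, step=STEP_SECONDS, digits=6):
    """Time-based code: the counter is the number of elapsed time steps, so two
    devices holding the same seed produce identical codes (the "clone" problem)."""
    return hotp(seed, now // step, digits)

class TokenVerifier:
    """Assumed server-side check. Accepts the code for the current step or its
    neighbours, but never a step at or before the last one already consumed, so
    a code cannot be replayed; a clone still works until the real user's next
    login collides with it, which is why this limits rather than removes the risk."""

    def __init__(self, seed, step=STEP_SECONDS, skew=1):
        self.seed, self.step, self.skew = seed, step, skew
        self.last_step = -1           # highest time step already consumed

    def verify(self, code, now):
        current = now // self.step
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_step:
                continue              # replay (or stale) window: refuse
            if hmac.compare_digest(hotp(self.seed, step), code):
                self.last_step = step
                return True
        return False

def demo_replay(now=90):
    """Same code presented twice at the same instant: (first accept, replay accept)."""
    v = TokenVerifier(DEMO_SEED)
    code = totp(DEMO_SEED, now)
    return v.verify(code, now), v.verify(code, now)
```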

It should be noted that RSA had taken measures for the physical safety of its data, such as “(a) keeping the token records containing the token seed values (secret keys) offline; (b) hardening the SecureID server’s operating system; (c) strictly limiting administrative access to it per RSA’s guidance, and (d) monitoring the SecureID server for signs of fraud and abuse. We felt that the residual risk to our customers as a result of these measures was fairly low.” However, these precautions were insufficient to thwart RSA-type attacks, also known as Advanced Persistent Threats (APT).

Advanced Persistent Threat (APT) attacks are initiated by gaining entry into a network; the intruder then remains hidden for a long period of time, actively collecting information but concealing all of the stolen data on a machine within the network before shipping all of it out at the very end. APTs can begin by exploiting zero-day vulnerabilities or by fooling known users of the network into parting with information that grants entry to the secured network.

Once inside a secure network, this malicious entity hides within the organization’s network, silently collecting information for days, perhaps years, before abruptly leaving with all the stolen information. Given that there are no solutions to avoid zero-day attacks, it is not possible to thwart APT attacks. However, there could be limited use for network monitoring tools that filter off-hours activity not initiated by a known user in the network — this is not sufficient to thwart APT attacks but can at least detect a malicious presence in the network sooner rather than later.
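The monitoring filter suggested above, as an added example that is not from the original post: it applies the post’s rule (off-hours activity by a user not in the known-user list) over constructed log records, and adds one check the paragraph before it motivates, a bulk outbound transfer of the kind an intruder makes when “shipping it all out”. The record format, the user list, the working hours and the size threshold are all assumptions made for the demo.

```python
import re
from datetime import datetime, time as dtime

# Constructed sample records (not from any real system), one event per line:
#   <ISO timestamp> host=<name> user=<name> action=<login|transfer> bytes=<n>
SAMPLE_LOG = """\
2011-06-02T09:15:02 host=fs01 user=asha action=login bytes=0
2011-06-02T13:40:11 host=fs01 user=asha action=transfer bytes=20480
2011-06-02T23:52:47 host=fs01 user=svc_backup action=login bytes=0
2011-06-03T02:10:05 host=fs01 user=tmp_adm action=login bytes=0
2011-06-03T02:31:18 host=fs01 user=tmp_adm action=transfer bytes=734003200
"""
KNOWN_USERS = {"asha", "ravi", "svc_backup"}       # assumed directory export
BUSINESS_HOURS = (dtime(8, 0), dtime(20, 0))       # assumed local working day
BULK_TRANSFER_BYTES = 100 * 1024 * 1024            # assumed tuning threshold

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"action=(?P<action>\S+) bytes=(?P<bytes>\d+)$")

def parse_line(line):
    """Return a dict for a well-formed record, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["bytes"] = int(rec["bytes"])
    return rec

def reasons_for(rec):
    """Tags describing why an event is interesting; empty means routine."""
    tags = []
    if rec["user"] not in KNOWN_USERS:
        tags.append("unknown-user")
    start, end = BUSINESS_HOURS
    if not (start <= rec["ts"].time() < end):
        tags.append("off-hours")
    if rec["action"] == "transfer" and rec["bytes"] >= BULK_TRANSFER_BYTES:
        tags.append("bulk-transfer")   # the "shipping it all out" phase
    return tags

def triage(log_text):
    """Post's rule (off-hours AND unknown user) plus bulk transfers; (ts, user, tags) per hit."""
    hits = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        tags = reasons_for(rec)
        if {"off-hours", "unknown-user"} <= set(tags) or "bulk-transfer" in tags:
            hits.append((rec["ts"].isoformat(), rec["user"], tags))
    return hits
```

Note that the off-hours login by svc_backup is deliberately not flagged: the rule only works as well as the known-user list, which must include scheduled service accounts.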


In Part II, Srikanth will discuss what India and other governments must do to effectively prevent exploitation of these security vulnerabilities, or mitigate damage, if they are indeed exploited.


‘Tis the season for hacking

Cyber-security asymmetries 101: Hacking is easier than defending.

Indian and Pakistani hackers are out defacing websites of each other’s countries. On the second anniversary of the 26/11 attacks in Mumbai, an Indian group calling itself the “Indian Cyber Army” (ICA) carried out an attack on 36 Pakistani websites, including the websites of the Pakistani Navy, the National Accountability Bureau (NAB) and the Ministry of Foreign Affairs.

In response, a group called the Pakistan Cyber Army (PCA) launched an attack on about 200 Indian websites, including the CBI’s (littering it with trash-talk that, quite frankly, should embarrass the hackers more than the compromise should embarrass the CBI). The very next day, Indian groups retaliated by hacking Pakistan’s Oil & Gas Regulatory Authority (OGRA) and a Pakistani Army recruitment website.

A review of the list of 200 websites hacked by the PCA reveals that a majority of sites were private small-business websites.  Embarrassing perhaps, but of low strategic value.  The goal of any large-scale defacement is to hurt the reputation of the victim.  If PCA’s victim was the Indian state, then its targets were poorly chosen.

Yes, websites owned by Indians were hit, but they are hardly representative of the Indian state in the same way that the government or the military is. This could indicate that the attack itself was poorly planned and motivated more by a desire to show that Pakistani hackers could retaliate quickly, by hitting out at low-hanging fruit, than an orchestrated attempt to deliver the same quality of response as ICA did on 26/11.  By all measures, compromising the website of Khanna Constructions isn’t remotely of the same strategic value as defacing the Pakistani Ministry of Foreign Affairs website.

But the world of cyber-security is faced with certain asymmetries.  Hacking is easier than defending.  For any government to be able to defend its “universe” of websites requires it to have three things — an appreciation for the challenge it faces, determination to address the challenge, and good counsel on how to address the challenge. If the first two are absent, the third is almost irrelevant.

It is no secret that the first two are almost entirely missing in India. In an apparent response to the hacking of the CBI website, we were given this bit of information from DRDO, via PTI:

Close on the heels of hacking of the CBI website, Defence Research and Development Organisation (DRDO) on Sunday said it was developing a mechanism to make websites hacking-proof. “It is always better to use indigenously developed systems than using others’ designs,” he said. The DRDO chief expressed optimism that its engineers could certainly develop hacking proof devices. [NDTV] (Credit: Parth Bakshi)

That’s just brilliant. Not only do they not know what they are talking about, they also don’t know what hit them nor how to defend against it.

And pray, what is a “hacking-proof” website?

Based on the attack on the CBI website, we know that a vulnerability management program isn’t in place right now.  The CBI attack was a standard SQL-injection exploit.  Out-of-the-box solutions (some, even free) exist today that assess whether websites are susceptible to SQL-injection and other attacks.  Even a basic vulnerability management program would have detected and alerted those responsible for security about the existing vulnerability.
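The class of defect described above, as an added example that is not from the original post and says nothing about the CBI site’s actual code: a login query that splices user input into SQL text, beside the parameterised form that a vulnerability management program would expect to find, exercised against a constructed in-memory SQLite table with the always-true probe that scanners send. Table contents and the probe string are constructed for the demo; the plaintext password column is only to keep it short.

```python
import sqlite3

def build_db():
    """Constructed in-memory user store standing in for a site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "Winter2010!"), ("clerk", "pass123")])
    return conn

def login_vulnerable(conn, username, password):
    # Defect: input is formatted into the SQL text, so quote characters in the
    # input change the query's structure instead of being treated as data.
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(query)]

def login_hardened(conn, username, password):
    # Fix: a parameterised query. The driver sends values separately from the
    # statement, so no input can alter the WHERE clause.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]

def demo():
    """Run the classic scanner probe through both versions of the check."""
    conn = build_db()
    probe = "' OR '1'='1"   # turns the WHERE clause into an always-true condition
    return {
        "vulnerable": login_vulnerable(conn, probe, probe),  # every row matches
        "hardened": login_hardened(conn, probe, probe),      # nothing matches
        "legit": login_hardened(conn, "clerk", "pass123"),   # real credentials
    }
```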

That dovetails nicely into my closing question: who owns the security of India’s websites and supporting infrastructure, across the Centre and the States? The answer is no one. And everyone. The blind lead the blind. With that being the case, there really is no reason not to believe that Indian websites will continue to get hit over the coming days and months, just as they have over the past many years. Cyber-security is an uphill battle to begin with. With the current levels of apathy and ignorance towards such issues prevalent in our government, we should be prepared for nothing less.


The BlackBerry saga

Shoot the (BlackBerry) Messenger.

India’s pushback on the BlackBerry issue, along with the stance taken by the U.A.E. and Saudi Arabia, is challenging fundamental perceptions of electronic security and global commerce. India and the Gulf countries contend, not without justification, that they require the ability to intercept encrypted electronic communication in the interest of national security.

India’s history as perhaps the nation most victimized by terrorism has necessitated such a stance.  The Indian government has let it be known that it will ban BlackBerry devices in the absence of such an ability (the U.A.E. expects to enforce its ban beginning October 11, if no agreement is reached). At the core of this security dilemma is the uniqueness of RIM’s BlackBerry architecture, where its encrypted emails are stored in server farms in Canada.

There are two aspects to any government’s legitimate need to access encrypted emails — surveillance under warrant, and post-incident forensics. As far as surveillance is concerned, governments should be able to intercept and read communication that they legitimately feel threatens the integrity of the nation and the safety of its citizens. From a post-incident forensics standpoint, physical access to the servers that contain encrypted email will allow the state to control variables, establish a chain of custody and bring about successful prosecutions.

In the U.S., the National Security Agency (NSA) has the ability to “snoop” electronic communication under court order.  During the George W Bush Administration, the NSA had the ability to intercept electronic communication without a court order in the days immediately following 9/11 (many suspect that this is an ability that the NSA retains).

India has asked to be given the ability to decrypt BlackBerry emails if it feels they threaten its national security. RIM has denied the request, stating that there are no master keys to decrypt BlackBerry emails. There are two obvious fallacies with regard to this assertion. One, knowing the U.S.’s preoccupation with security, it would have been impossible for RIM (a foreign company, for all intents and purposes) to operate commercially in the U.S. were this true. Two, news reports indicating that the U.S. is in negotiations with India on resolving the issue make me question why the U.S. would want to insert itself into what should rightly be negotiations between India and RIM (or Canada).

It is the legitimate right of any democratic government to intercept communication that threatens its national security, or to secure and use as evidence any information used to undermine it. Any talk of a settlement whereby a third party or government (such as the U.S.) decrypts BlackBerry emails for India upon request is unwelcome. For one, it should be fundamentally unacceptable to GoI to cede custody of its citizens’ secure communication to a third country.

The government of India should therefore accept nothing short of access to RIM’s decryption keys and a server farm physically located in India.  Anything short of this will likely be a compromise of national security.  If RIM chooses to be unyielding, it is entirely their loss.  This blogger can think of a million reasons why they will be compelled to reconsider their stance.


Battleground Cyberspace: My article in Pragati

In this month’s Pragati, I lay out the state of India’s defense preparedness in the theater of cyberspace and argue for a sustained commitment to the proactive defense of the nation’s information assets, as well as for the augmentation of India’s capabilities in conducting offensive IO operations. Both of these can only be effective when operating under a legislative framework that is attuned to global trends in the proliferation and use of information technology in the conduct of both conventional and unconventional warfare in this Information Age.

DECEMBER 24, 2008.  Barely a month after the 26/11 attacks, a group calling itself “Whackerz Pakistan” hacks into the Indian Eastern Railways website, defacing it with a series of threats against Indian financial institutions and Indian citizens.  Earlier that year, hackers from China attacked the Ministry of External Affairs (MEA) website. Despite official denials, at least one website reported that the hackers stole login identities and passwords of several Indian diplomats.

The proliferation of information technology in India, coupled with low levels of security awareness (at personal, corporate and government levels), means that this vulnerability to attacks from hostile national and sub-national entities will only increase. The rapid adoption of new technologies in today’s world presents challenges that India, and other nations, will be forced to address. Due to the nature of cyber warfare and cyber terrorism, no nation can truly be invulnerable to attacks. Indeed, cyber attacks will continue to be weapons of choice for many, given the issues of jurisdiction in bringing offenders to book, the relative anonymity of operating over the Internet, and the negligible cost associated with mounting a cyber attack (and indeed, each incremental cyber attack) against a specific adversary.

Read more about it in Pragati (PDF; 2.5 MB)
