Tag Archives | 26/11

‘Tis the season for hacking

Cyber-security asymmetries 101: Hacking is easier than defending.

Indian and Pakistani hackers are out defacing websites of each other’s countries. On the second anniversary of the 26/11 attacks in Mumbai, an Indian group calling itself the “Indian Cyber Army” (ICA) carried out an attack on 36 Pakistani websites, including the websites of the Pakistani Navy, the National Accountability Bureau (NAB) and Ministry of Foreign Affairs.

In response, a group called Pakistan Cyber Army (PCA) launched an attack on about 200 Indian websites, including the CBI (littering it with trash-talk that should, quite frankly, embarrass the hackers more than the compromise should embarrass the CBI). The very next day, Indian groups retaliated by hacking Pakistan’s Oil & Gas Regulatory Authority (OGRA) and a Pakistani Army recruitment website.

A review of the list of 200 websites hacked by the PCA reveals that a majority of sites were private small-business websites.  Embarrassing perhaps, but of low strategic value.  The goal of any large-scale defacement is to hurt the reputation of the victim.  If PCA’s victim was the Indian state, then its targets were poorly chosen.

Yes, websites owned by Indians were hit, but they are hardly representative of the Indian state in the same way that the government or the military is. This could indicate that the attack itself was poorly planned and motivated more by a desire to show that Pakistani hackers could retaliate quickly, by hitting out at low-hanging fruit, than an orchestrated attempt to deliver the same quality of response as ICA did on 26/11.  By all measures, compromising the website of Khanna Constructions isn’t remotely of the same strategic value as defacing the Pakistani Ministry of Foreign Affairs website.

But the world of cyber-security is faced with certain asymmetries.  Hacking is easier than defending.  For any government to be able to defend its “universe” of websites requires it to have three things — an appreciation for the challenge it faces, determination to address the challenge, and good counsel on how to address the challenge. If the first two are absent, the third is almost irrelevant.

It is no secret that the first two are almost entirely missing in India. In an apparent response to the hacking of the CBI website, we were given this bit of information from DRDO, via PTI:

Close on the heels of hacking of the CBI website, Defence Research and Development Organisation (DRDO) on Sunday said it was developing a mechanism to make websites hacking-proof. “It is always better to use indigenously developed systems than using others’ designs,” he said. The DRDO chief expressed optimism that its engineers could certainly develop hacking proof devices. [NDTV] (Credit: Parth Bakshi)

That’s just brilliant. Not only do they not know what they are talking about, they also don’t know what hit them nor how to defend against it.

And pray, what is a “hacking-proof” website?

Based on the attack on the CBI website, we know that a vulnerability management program isn’t in place right now.  The CBI attack was a standard SQL-injection exploit.  Out-of-the-box solutions (some, even free) exist today that assess whether websites are susceptible to SQL-injection and other attacks.  Even a basic vulnerability management program would have detected and alerted those responsible for security about the existing vulnerability.

That dovetails nicely into my closing question: who owns the security of India’s websites and supporting infrastructure, across the Centre and State? The answer is no one. And everyone. The blind lead the blind. With that being the case, there really is no reason not to believe that Indian websites will continue to get hit over the coming days and months, just as they have over the past many years. Cyber-security is an uphill battle to begin with. With the current levels of apathy and ignorance to such issues prevalent in our government, we should be prepared for nothing less.


Link Digest: July 18, 2010

l’affaire Lahore.

Your weekly news digest:

  • “The ISI…controlled and coordinated [26/11] from beginning to end”: G.K. Pillai’s interview with Indian Express on J&K, Naxalism and 26/11.
  • It was the Pakistanis who deviated from the summit’s agenda: Vir Sanghvi stands up for G.K. Pillai after some journalists pilloried the Home Secretary for his statements on the eve of the S.M. Krishna — S.M. Qureshi talks.
  • Pakistan’s Urdu press reacts. “No India-Pakistan talks can produce a result without Kashmir being resolved” (Ausaf); “One more India-Pakistan dialog drama — May God not compel us to use our atomic bomb” (Nawa-i-Waqt); “Sensitivity from the Indian side is the need of the hour” (Jang); “Why did India agree to the agenda and send S.M. Krishna if he had no mandate?” (Express).
  • Ignore. With Contempt: Sound advice from B. Raman on how New Delhi should react to S.M. Qureshi’s jibes.
  • Can we talk?: Thomas Friedman says CNN was wrong to fire Octavia Nasr for condoling the death of Mohammad Hussein Fadlallah (whom many consider the spiritual leader of the Hizballah).

SM Qureshi’s outburst

A tongue of the slip?

Pakistan’s Foreign Minister Shah Mehmood Qureshi lost his cool last night in a heated debate with members of the Indian media contingent.  When asked whether inflammatory speeches made by Jamaat ud-Dawwa chairman Hafiz Muhammad Saeed were vitiating the environment, Mr. Qureshi responded by drawing parallels between Mr. Saeed’s speeches and recent statements made by Indian Home Secretary, G.K. Pillai.  Mr. Pillai had cited information provided by 26/11 mastermind David Headley which indicated that Pakistan’s ISI was intimately involved in the planning and execution of the attacks in Mumbai.

So the question needs to be asked.  And Mr. Qureshi should be nudged to explain.  If Mr. Pillai is a ranking member of the Indian government (which, as Home Secretary, he undoubtedly is), what position is Mr. Qureshi suggesting Mr. Hafiz Saeed holds in the Pakistani establishment?


26/11 and India’s response

It’s politics as usual in New Delhi, and no one seems to care

A year has gone by after the carnage in Mumbai that left over 190 people dead and hundreds injured.  In the immediate aftermath of 26/11, articles were written about the gaping holes in India’s internal security preparedness.

Recommendations put forth to the Indian government are all in the public domain — a tougher anti-terrorism law, a separate ministry for internal security, police reform, increasing NSG headcount and footprint, and enhancing India’s covert ops capability.

Of the recommendations made, Manmohan Singh’s government chose to make the establishment of the National Investigation Agency (NIA) central to its response to the holes in India’s internal security preparedness.  To be sure, the establishment of the NIA was an important move, because it addressed Centre-State jurisdiction issues that hitherto plagued the CBI.

However, the NIA’s mandate notwithstanding, nothing in the public domain indicates any significant activity in the NIA, until 11 months and two weeks after November 26, 2008, when the NIA belatedly sprang into action, based on inputs from the FBI on David Headley and Tahawwur Rana.

In addition, by virtue of design, the NIA mostly addresses post-incident investigation and forensics.  Manmohan Singh’s government articulated little by way of detective and preventive enhancements to India’s internal security preparedness.

The bigger picture that needs to be examined on the first anniversary of 26/11 isn’t necessarily about specific structural and organizational changes, but about the government’s willingness (confidence?) to make public aberrations in its response to the terror attacks and how these can be addressed.

In the year following the World Trade Center attacks in the US, the Bush Administration constituted the 9/11 Commission to examine aspects of the US’s response to the attacks as they unfolded, and make recommendations on how the US should proceed, going forward. The US Department of Homeland Security was born out of these recommendations.

India deserved its 26/11 commission with a limitless mandate to examine our response to the attacks in Mumbai. Key aspects of the events of 26/11 require independent review.

These include incident-specific issues relating to governance and leadership such as  (a) How long it took to notify key stakeholders, such as the Prime Minister, NSA, intelligence services and ministers of Home Affairs and Defense, (b) The time it took for the relevant stakeholders to coordinate and assess the situation, (c) How long it took to authorize deployment of anti-terror units to the scene, and (d) Crisis management — who was coordinating what aspect of India’s responses.

The second aspect of the commission’s review should have entailed structural and organizational changes and enhancements, including those previously discussed. Sadly, this government does not have the gumption to constitute such a comprehensive review of its responses to the 26/11 attacks. This isn’t an assailment of the UPA administration, it is an indictment of India’s petty political environment.

There are critical aspects of the attack that require further analysis — aspects that India is still uncovering, including the roles of Headley and Rana — and questions that no one seems to be able to answer, such as how a bunch of semi-literate people alien to Mumbai were able to negotiate their way through the city’s conspicuous and inconspicuous landmarks without local assistance.

This cannot be accomplished by adhocism or through token responses, such as establishing the NIA and deploying the NSG in some cities. One would have thought that the time was ripe for such a bold response, faced as the UPA is, with an ineffectual, embattled Opposition. Sadly, barring a few cosmetic rearrangements, not much has changed in India, and no one, least of all Mumbaikars, seems to care.
