Tag Archives | RSA

Guestpost — The Weakest Link (II)

The importance of prompt governmental action on cybersecurity threats.

In Part II of The Weakest Link, Srikanth R., Senior Research Associate for Cyber Security Studies, writes about how India and other countries have reacted, and should continue to act, to counter cybersecurity threats (also read Part I).

While the attack on RSA was in progress, a slew of attacks on companies and governments all over the world were taking place. These attacks were attributed to anonymous groups of people who were not necessarily skilled hackers, but who had enough skill to find sites running older versions of software with publicly known exploits. These attacks compromised the data stored on websites that were not up to date with patches for known security holes. Unlike zero-day attacks, which require real technical competence, these attacks exploited well-known weaknesses in website software and did not require much technical competence at all.

Such attacks have already resulted in the publication of private databases from various websites all over the world, including NIC in India, indicating that organizations in India are also potential targets for such groups. Such organizations need to secure their networks by applying patches for all known security holes; the weaknesses being exploited here are known vulnerabilities, not zero-days.

These events point to an urgent need for organizations/companies specializing in cybersecurity services in India that can provide services such as penetration testing, website audits, and IT security audits for a fee. Such organizations can also be valuable in bringing best practices to all people in an organization — a chain is only as strong as the weakest link, and this is especially true of implementing secure processes and practices in any organization.

All of the above events raise obvious questions about the current status of the security of the corporate and government networks that may be considered high value targets to adversarial state and non-state actors. In considering these targets, it helps to be realistic about the actual importance of a target, and not “official importance”.

Taking down a government agency’s website is an annoyance but it does not actually affect the daily activity of Indians in real terms. The value of disrupting the networks and functioning of an organization increases as the use of technology in governance increases, as it directly affects citizens using such governance schemes. In particular, schemes such as Aadhaar will soon be a high value target as it becomes more central to the functioning of large numbers of organizations, governmental and corporate, as their own services become dependent on the Aadhaar networks functioning as designed.

It would be beneficial to have an independent organization that is in charge of testing and fixing the security of such flagship schemes that hold private information of a growing number of citizens. It should also be noted that data security must be viewed in a comprehensive manner, which in this case would mean securing all paper copies of data collected from the citizenry before it is entered into the Aadhaar databases.

Citizens' groups need to question the government on whether all the data collected for the UID databases is destroyed once it is entered into the Aadhaar databases, and if not, demand information on the safeguards taken by the Indian Government to protect this data from being abused in the future. Failing such assurances from the government, citizens must resist any moves to make UID mandatory for all citizens.

The other key infrastructure that will be a target for hackers is the telephone networks that are tied to internet data networks. The most obvious way to place the entire network at risk is to run the network using products from foreign corporations without access to the exact source code that runs on the network hardware and to the hardware design of the chips used. Backdoors can be built into the hardware too, not only the software.

If an entire network of machines is built from such hardware, a literal flick of the switch can shut down the network when it is most needed. The recent announcement by Reliance Industries to build their company cellular networks based completely on Huawei products is very alarming, because there is no indication that Huawei has parted with the source code for the networks to Reliance.

Short of Reliance building the software from Huawei's source code and installing it on the products themselves, there is no way to ensure that Huawei has not installed hardware or software Trojans in the systems sold to Reliance. Operating any hardware or software without its source code in sensitive domains that will be targets for enemy hackers is an exercise in extremely poor judgement.

In summary, the physical security of a State and its cyber security are complementary aspects of overall National Security. Organizations that provide crucial services to important entities or the public at large must take immediate steps to secure the internal processes and procedures of all employees who have access to their networks.

Furthermore, Indian organizations must eschew incorporating proprietary, i.e., non open source, hardware and software platforms from competitor states such as China, unless they acquire complete knowledge of what hardware and software is being deployed to build public infrastructure. Instead of creating myriad new governmental organizations that do little to improve the security of the nation’s networks, the Indian Government would do well to provide incentives for private businesses that provide critical services and information in securing corporate and governmental networks.


Guestpost — The Weakest Link (I)

The state of cybersecurity and governmental response.

After Stuxnet and a series of high profile attacks against government and corporate cyber infrastructure this past year, it is clear that a new age of warfare is here, where state- and non-state actors increasingly use cyberspace to perpetrate attacks against their adversaries. These actions should remind us of the inexorable link between cyber-security and national security. Recently, the U.S. Department of Defense stated in a press release that cyberattacks constituted an “act of war,” if they originated from a foreign country, and that these acts of war could be responded to with conventional military force.

However, given the increase in frequency and sophistication of cyberattacks, and the proliferation of technology in India, there is little indication that the Government of India truly understands the nature of warfare being imposed on States in the world. Indeed, while the Government of India recently released a cybersecurity policy draft, that draft is effectively a policy orphan, as India does not have a national security policy. Cybersecurity is a subset of national security; the former cannot meaningfully exist without the latter.

Takshashila Institution’s Srikanth R., Senior Research Associate for Cyber Strategy Studies writes in a two-part series on The Filter Coffee, about the nature of the threat, and actions India and other governments must take to prevent attacks or effectively mitigate damage.

After last year's Stuxnet attack on Iran's facilities, it was revealed recently that the attack was the result of efforts by the governments of the US and Israel. In March 2011, an "independent Iranian hacker" took credit for hacking into RSA Corporation's master "token seed" database for one of their flagship products, ostensibly in retaliation for the Stuxnet attack. The stolen data from RSA was used to attack other major US corporations, raising fears of escalating attacks on critical US infrastructure.

In response, the Pentagon released an official statement that "cyberattacks can count as acts of war if it originates from a foreign country," most likely directed at the State that hacked into RSA's databases. However, this did not deter a cyberattack on defense contractor Lockheed Martin on June 2. Lockheed revealed that information stolen from RSA was used to attack its network. RSA's official response ambiguously emphasized that "the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology". Given that RSA's database was stolen on March 17th, this attack would by definition be categorized as a "known" threat, and thus not a "new threat".

While this may appear to be just another database that was hacked into, it has serious implications for all of RSA's customers, which include companies such as Comodo, which provide authentication certificates for users to interact with corporations such as Google, Yahoo, Skype, Mozilla, etc. Customers of RSA such as Comodo depend on the robustness of RSA's services to guarantee the integrity of the authenticated SSL certificates issued to Comodo's customers. In fact, all the above customers that depend on RSA's security platform were breached in the weeks after the loss of RSA data.

Token-based authentication is a common and popular scheme used to let a user access specific resources on a site by interacting with an authentication server. The authentication server grants temporary access to a set of resources or capabilities based on the user's name and password by generating a "token" that allows the user temporary access to specific resources on the web. Companies like RSA base their products on "seeds": per-token secret values from which an unlimited sequence of one-time token codes is generated. Secure tokens are required by any organization that needs to provide secure access to databases on its servers or secure access to its VPN networks.

The most serious implication of a stolen master database of token seeds is that the stolen information can be used to create "cloned" tokens that can be misused by intruders to attack, for example, a VPN network that is vulnerable to hacker attacks. On May 29, Reuters reported a defense company acknowledging it had detected a "tenacious cyberattack" which was eventually thwarted successfully.
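The two paragraphs above describe seed-based token generation and why a stolen seed database allows "cloned" tokens. The following is an added example, not code from the original post or from RSA; it implements the public RFC 4226 (HOTP) and RFC 6238 (TOTP) algorithms that seed-based tokens of this kind are built on, using the RFC test-vector key as a constructed demo seed. It shows that the seed alone determines every future code, so a server cannot distinguish the real token from a copy computed by anyone holding the same seed, and then shows the mitigation that keeps a stolen seed from being sufficient: a user-held PIN prefixed to the tokencode (modeled on the PIN-plus-tokencode passcode scheme; the PIN hashing and the function names are this example's own assumptions).

```python
import hashlib
import hmac
import struct

# Constructed demo seed: the RFC 4226/6238 test-vector key "12345678901234567890".
# A real token seed is provisioned per device and is the whole secret; anyone holding
# it can compute every future tokencode, which is why a seed database is so sensitive.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current 30-second time step."""
    return hotp(seed, unix_time // step)


def verify_tokencode(seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check of a bare tokencode, tolerating +/- `window` steps of clock drift.
    Constant-time comparison so response timing does not leak which digits matched."""
    base = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(seed, base + d), submitted)
        for d in range(-window, window + 1)
    )


def clone_matches(seed: bytes, unix_time: int) -> bool:
    """The cloned-token problem: a code computed by any second holder of the seed is
    accepted exactly as the legitimate token's code would be."""
    code_from_copy_of_seed = totp(seed, unix_time)
    return verify_tokencode(seed, code_from_copy_of_seed, unix_time)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Store only a salted, slow hash of the PIN server-side, never the PIN itself (assumed design)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def verify_passcode(seed: bytes, pin_hash: bytes, salt: bytes, passcode: str, unix_time: int) -> bool:
    """Two-factor check: passcode = PIN followed by the 6-digit tokencode.
    A stolen seed yields the tokencode but not the PIN, so the check fails without it."""
    if len(passcode) <= DIGITS:
        return False
    pin, tokencode = passcode[:-DIGITS], passcode[-DIGITS:]
    pin_ok = hmac.compare_digest(hash_pin(pin, salt), pin_hash)
    code_ok = verify_tokencode(seed, tokencode, unix_time)  # evaluated regardless of pin_ok
    return pin_ok and code_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the legitimate token and a clone show the same code
    print("tokencode at t=59:", totp(DEMO_SEED, t))
    print("clone accepted with bare tokencode:", clone_matches(DEMO_SEED, t))
    salt = b"constructed-salt"
    pin_hash = hash_pin("2468", salt)
    print("stolen seed, wrong PIN:", verify_passcode(DEMO_SEED, pin_hash, salt, "0000" + totp(DEMO_SEED, t), t))
    print("correct PIN + tokencode:", verify_passcode(DEMO_SEED, pin_hash, salt, "2468" + totp(DEMO_SEED, t), t))
```

The drift window is the usual operational trade-off: a wider window tolerates worse clocks but accepts each code for longer. Note also what the PIN does not fix: if the seed database is known to be stolen, the PIN only buys time until it too is captured, so re-issuing seeds remains the real remedy.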

It should be noted that RSA had taken measures for the physical safety of its data, such as "(a) keeping the token records containing the token seed values (secret keys) offline; (b) hardening the SecureID server's operating system; (c) strictly limiting administrative access to it per RSA's guidance, and (d) monitoring the SecureID server for signs of fraud and abuse. We felt that the residual risk to our customers as a result of these measures was fairly low." However, these precautions were insufficient to thwart RSA-type attacks, also known as Advanced Persistent Threats (APT).

Advanced Persistent Threat (APT) attacks are initiated by gaining entry into a network; the intruder then remains hidden for a long period of time, actively collecting information but staging all the stolen information on a machine within the network before shipping all of it out at the very end. APTs can gain entry to a secured network by exploiting zero-day vulnerabilities or by fooling known users of the network into parting with information.

Once inside a secure network, this malicious entity hides within the organization's network, silently collecting information for days or even years before abruptly leaving with all the stolen information. Given that there are no solutions to avoid zero-day attacks, it is not possible to thwart APT attacks. However, there could be limited use for network monitoring tools that filter for off-hours activity not initiated by a known user of the network: this is not sufficient to thwart APT attacks, but it can at least detect a malicious presence in the network sooner rather than later.
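The paragraph above suggests monitoring for off-hours activity that is not initiated by a known user. The following is an added example, not code from the original post, of what that filter looks like when run over authentication and data-access events. The log format, the user and service-account inventories, and the office-hours window are all constructed assumptions for the example; a real deployment would read these from the organization's identity system and its own logs.

```python
from datetime import datetime

# Constructed sample log lines (not from any real system).
# Format: ISO-8601 timestamp, username, source address, action.
SAMPLE_LOG = """\
2011-06-02T10:15:00 alice 10.0.0.5 vpn_login
2011-06-02T02:40:00 alice 10.0.0.5 db_export
2011-06-02T13:05:00 svc_backup 10.0.0.9 db_export
2011-06-02T23:55:00 unknown42 10.0.0.77 vpn_login
2011-06-03T03:10:00 svc_backup 10.0.0.9 db_export
2011-06-04T11:00:00 bob 10.0.0.6 vpn_login
"""

# Hypothetical inventories a defender would maintain: interactive users, and the
# service accounts that are expected to run outside office hours (e.g. backups).
KNOWN_USERS = {"alice", "bob"}
SCHEDULED_ACCOUNTS = {"svc_backup"}
OFFICE_START, OFFICE_END = 9, 18  # 09:00 inclusive to 18:00 exclusive, Monday to Friday


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, user, src, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "action": action}


def is_off_hours(ts: datetime) -> bool:
    """Weekends, and weekday times outside the office window, count as off-hours."""
    return ts.weekday() >= 5 or not (OFFICE_START <= ts.hour < OFFICE_END)


def detect(log_text: str, known_users=KNOWN_USERS, scheduled=SCHEDULED_ACCOUNTS) -> list:
    """Return (timestamp, user, action, reasons) for each event that comes from an
    account missing from the inventory, or that happens off-hours for an account
    that is not scheduled to run then. Scheduled accounts are exempt from the
    off-hours rule only, so an unknown account is still flagged at any time."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = []
        if rec["user"] not in known_users and rec["user"] not in scheduled:
            reasons.append("unknown_user")
        if rec["user"] not in scheduled and is_off_hours(rec["ts"]):
            reasons.append("off_hours")
        if reasons:
            alerts.append((rec["ts"].isoformat(), rec["user"], rec["action"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, action, reasons in detect(SAMPLE_LOG):
        print(f"{ts} {user:<10} {action:<10} {','.join(reasons)}")
```

On the sample data this flags a known user exporting a database at 02:40, an account nobody provisioned logging in to the VPN just before midnight, and a weekend login, while leaving the scheduled backup account's night-time exports alone. The exemption list is where such a filter is weakest: an intruder who obtains a scheduled account's credentials inherits its off-hours allowance, so those accounts deserve tighter monitoring of what they do, not less.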

In Part II, Srikanth will discuss what India and other governments must do to effectively prevent exploitation of these security vulnerabilities, or mitigate damage, if they are indeed exploited.
