Friday, June 19, 2015

Nasscom-Symantec will resolve global skill shortage

When this was announced I did have some strong thoughts but kept my counsel to myself. Now when I read the last para in this news item I felt like clapping and kicking someone. 

Just two questions - does the Nasscom-Symantec jodi (couple) really think they are going to resolve the global problem? I want to invite readers to applaud this statement, which is bound to make many chests fill with air in the corridors of power, not to mention their becoming the laughing stock of the global community with such banana statements. 

Second question - does Nasscom think the country lacks the capability to devise adequately strong training programs? 

Saala, no one wants to put in money, so how do they expect anyone to do this... just don't have five star hotel conferences and don't stay in five star hotels for a year and you will have enough money to create more than world class programs. Besides, there are many people who travel across the country delivering lectures to LEA, school and college kids, and these guys are working selflessly - so is their knowledge worth nothing? Sad to see small thinking continuing to plague these supposedly "national" organizations... especially at a time when they speak of 'make in India' and then go "make-out without India". 

Thursday, June 18, 2015

Pandora's box opening .. dot SUCKS TLD is here

New TLD goes on sale from Sunday 21/6 - Book your .SUCKS domain
- IndiaWatch
Yes you got it - the new TLD that will be available is .sucks and there is bound to be a big rush on opening day. If you have a big brand, trademark or a well known company or celebrity client - make sure you book the domain name before any of the trolls, criminals or dirty guys get it.
It's like someone rushing to get or and the Congress party looking for or the BJP getting their hands on
Looks like fun or more litigation, claims and counter claims. The domain registrars will make it good and so will my lawyer friends.
So be prepared to do this immediately if you want to protect yourselves and your clients. Oh yes the domain squatters will be also out in full numbers at the 'first day first show' to take the names and then sell them back at good profit.
It seems there was a "sunrise period" (…) during which trademark holders could apply and protect themselves, but IndiaWatch has not seen any media report which could have brought this to the notice of stakeholders. However, it will be interesting to see how this works out in the country and how the judiciary will address this new threat to IP and reputation.
The .sucks registry is managed by and they have a few other TLDs which are pending approval. Quoting the report on The Register, they (Momentus) defend themselves by saying the registry is empowering consumers to start conversations about brands. It has therefore created an "advocates program" that gives away free .sucks domains to "cause-related, customer service-driven and politically partisan websites among an even wider set of domains devoted to helping people make a point and rally a community."
You want one? Pay $249 - check out the pricing. And if SUCKS is not good enough wait for dot-GAY or some other controversial TLD.
As for me.. I am old school and believe in not doing bad to anyone so I hope no one wants to do something bad to me so I am sticking to dot-COM.. man I cannot afford 250 bucks and try to fight the world.

Wednesday, April 29, 2015

Information Security Buzzwords

Every year (or is it every 6 months) we find a new trend in the IT or IS world and this is seized upon by all and sundry. Conferences revolve around these buzzing trends, million dollar business is contracted and zillion dollar investments are made by VCs and folks with lots of money!

I got a start with this article from the CISO platform website and added some of my own thoughts... 


Threat/Cyber Intelligence
Everyone who is anyone in the security business is talking about TI and offering it. Many different flavors and definitions, but whether it is providing value to anyone is anyone's guess. In any case, someone's makin' a good load of money here.
Internet of Things - IOT
IOT is hot hot and hot.. and it is huge. Every product is good for IoT, so is every threat and vulnerability and risk. Be prepared for more FUD and a lot more happiness. Who will win the game - anyone! However, we will see both - the IoT vendor and the security practitioner making good. 
I have seen one organization offering IoT training! Don't ask me what the training does, but it is offered regularly and costs about 100 bucks. 

Software Defined Network or Software Defined Perimeter
Not yet a mainstream buzzword and I too came across it quite recently. SIEM is passé and this is it. It will quickly climb up the MQ and you will soon hear it more frequently, so keep watching this space. 
Everyone is setting up a Security Operations Center! Don't say SIEM, because it is the only thing in the SOC.... old wine, new bottle. What a SOC will do is still being investigated. 

Advanced Persistent Threat - APT
This seems to have lost its bite and the FUD associated with APT doesn't seem to be as scary. Or maybe humanity has developed immunity to this strain. 
Were big things and every enterprise was mucho concerned about this. Whereas there was no reason to really worry because there is nothing you can do to stop the march and onslaught of mobile devices. This is like telling your workforce not to wear shirts or pants to work!
Other notable keywords from CISO Platform seen on the floor:
  • Mobile
  • Cloud
  • Phishing
  • Insider Threats
  • DDOS
  • Risk
  • Analytics
  • Passwords/Identity

If you have any suggestions please submit and make this list more interesting :)

Friday, January 2, 2015

(Indian Government) Strategy / Planning Deficiency in Cybersecurity

Jan 04, 2014. This article has been updated based on feedback from friends in government.
The Indian news media is going ga-ga over the proposed cybercrime panel announced by the Home Minister.. but, not me! I have serious reservations about this activity and hope good sense prevails before the panel gets to work! In case you missed the news, read it here on Deccan Herald, and here on TOI, or search online.

It is an accepted fact that the world is technology dependent, and that governments and infrastructure will come to a halt in the event of non-availability of IT resources. Doomsday and Pearl Harbor scenarios are thrown up by world leaders and every malicious incident is termed cyberwar, accompanied by appropriate war-drum type noises by Presidents, ministers and ministries.

Governments, globally, share a common objective of securing their information – whether to keep state secrets, keep their black deeds secret or steal someone else's secrets. Some are creating armies of cyber-warriors while some are deploying cyber-mercenaries to achieve their goal.  

A number of ‘so-called’ third world countries are defining their IT and Cyber Security policies and working hard (and fast) at building internal capacity and capability. These are strategically planned efforts with clearly defined objectives (we want to be the technology powerhouse in our region in 10 years time).

When we compare such activities with those at home, one can only hang our heads in shame! Since the advent of the internet in 1995 and the IT Act, we are yet to see any national strategy or workable plan. Yes, we have seen non-working policies and delusional visions of our leaders (India is IT Superpower, Mumbai will be Shanghai, BRTS in Mumbai, Ban Google etc).

Last week the Home Minister announced the formation of a panel of experts to define a policy for cybercrime. This august panel was to comprise academics and industry professionals, but has academics and bureaucrats and not a single cybercrime officer.

The action itself smacks of self-aggrandizement and demonstrates the continuing deficiency of strategic thought OR common sense at the high levels of a supposedly 'aware' government. Without a SINGLE member having cybercrime and/or cyberlaw experience, (pray) how does this august panel expect to define a national cybercrime policy which will actually work?

We can expect another big load of balderdash, alien concepts or impractical and inane directives on the same lines as the much touted National Cyber Security Policy (NCSP).

To refresh our memories, the NCSP was announced with much fanfare in mid 2013 and has, thankfully, remained dormant till now. It has provisions which are far reaching in thought and reality. So far, we do not seem to have taken our first steps. A few concern areas from the NCSP worth mentioning are:
  • Suggestion for PPP: without talking about how will the Private entities benefit from the Public Participation. The government expects free services – just because they are what? Government?
  • The policy says “enabling creation and operationalization of sectoral CERTs as well as facilitating communication and coordination actions”. These are very noble intentions that sound great but just one line in a national policy for such an important function! It had to be lost at birth!
  • Using PKI for Government communication – we haven’t been able to get government to stop using public email services and we talk about PKI. 
  • NCIIPC … where is this gone?
  • The piece de resistance is the last paragraph: “This policy shall be operationalised by way of detailed guidelines and plans of action at various level such as national, sectoral, state, ministry, department and enterprise, as may be appropriate, to address the challenging requirements of security of the cyberspace.” 
    • that's great and who is responsible, how this will be done, when will this be done and is there a penalty for non-compliance?

Frankly, I can keep going on but this is another story altogether. If interested you can ask me for my clause-by-clause analysis of the NCSP. 

Before I move ahead to the present topic, I must mention another governmental activity for brownie points to get media attention - around the same time as the NCSP in 2013, the National Critical Infrastructure Guidelines document was released. It was not really a set of guidelines but was a bad clone of ISO27001 and was actually a set of controls suggested for the CI Institutions. How effectively it has been used in the establishment is evident from the fact that it is not talked about at all. One simple question - does NCIIPC exist? Yes but is it staffed appropriately, and does the staff know what they are supposed to do? Personally I have yet to hear about baby steps of this organization. 

Returning to the subject of the proposed Cybercrime Policy development panel and the serious deficiency on the part of the government establishment. 

It seems no one thought it appropriate to apply their mind to create a strategy, objective / vision BEFORE nominating names and forming panels to create national policies. Especially nominating names of persons from unrelated domains. A knee jerk reaction to the world events around cybersecurity or what? And it seems our government is just doing what it always does .. create new security organizations, panels, policies as a knee-jerk reaction whenever a new incident happens!

Doing a root cause analysis of such fiasco-type acts, it is obvious these are political actions designed to sound and feel good. It ends here, as political masters are seriously deficient in cybersecurity knowledge and have short-term memories. 

Another surprising factor (for me) is the acceptance of the nomination by these persons of eminence. None of them felt the need to object saying that cybercrime was not his/her domain. None felt the need to ask the same Government establishment and functionaries to include additional members, especially cybercrime specialists.

I do not want to name names, but is it so much of a problem for all nominees to raise a flag against such decisions if working within the government establishment?

Today there are cybercrime cells across the country and these are manned by uniformed junior and senior officers of various Law Enforcement Agencies. The personnel are qualified and professionally trained and face multiple challenges every day in the course of their investigations and fight to control the menace of cybercrime. These cybercrime professionals have to struggle against the stonewalling tactics of domestic and foreign corporations in the business of ISP, web hosting etc, and have developed an intimate knowledge of local and international laws, treaties and regulations.

These personnel are acutely aware of the limitations of Indian laws and policies and possess the leadership of thought for development of domestic rules and regulations that will help in cybercrime control at all levels and will help build the image of the country as a resilient nation that will deal strictly with new-age criminals.

I can only hope that better sense will prevail and that the powers-that-be will consider a change in their decision making process when looking at the cyber domain. This is new-age and cutting edge, stuff which has not been experienced in real life and (seriously) needs to be handled differently.

High time the establishment undertakes cyber training / learning and does a reality check to clear their mindset of conventional thinking so that the knowledge deficiencies are cleared. High time India claimed its place in the Internet / Technology space as a real leader and not just a self-proclaimed one. 

The internet age needs a new pair of spectacles and no one is buying. It needs a central agency to own and operate security; it needs leaders to think, but leaders do not think! It needs governance and transparency, but every government is loath to accept this. It does not need an alphabet soup of organizations, each pushing personal agendas and claiming to be the ultimate cybersecurity organization. 

High time, we become the keepers of security in cyberspace and thought leaders. 

Sunday, December 21, 2014

Sony oh Sony.. your mess is all over

Life is a bitch! And if you are a leader it's lonely at the top and every other guy in the universe is trying to pull you down (even if he is not capable of taking up your chair).

The Sony management must be praying their guts out calling for divine intervention hoping lightning strikes the people who hacked them. The question God is bound to ask them - should I strike the guys who came first, second or the third time? And, who are they?

Wow! That's a big question and no one knows the answer. The FBI seems to know (for certain) it is North Korea.. but then these guys in US agencies are so sure of things that are reasons used for going to war.
Remember the WMDs everyone was screaming about before the attack on Iraq. Years later that President has gone and there are no WMDs and no one is asking! Who cares! Defense suppliers made billions and the bottom line is what matters. Who cares if a few third world countries have been reduced to ghettos and slums. 

Then Mr Obama tells Sony - you did the wrong thing, you should have called me and I would have sent my bombers to unleash destruction. Does anyone have a clue about what happened, from where, and who did that what-happened thingy?

Oh yes, these very same players (Mr O, FBI and other intelligence agencies and security companies) have been lampooning China until recently. Pointing fingers at their capability and their unethical hacking of networks around the world. A fundamental question for the US Administration: until a few weeks earlier you were talking about China being the biggest villain of them all. And now it is North Korea.

Read the article and laugh at the statement of the government saying that the US and China believe that destructive attacks violate the norms of appropriate behavior in cyberspace! ROTFL ! Imagine the US talking about appropriateness in cyberspace. So what was Prism and Stuxnet ? Good behavior? This is hilarious.

Anyway, to come back to dear Sony - this has become bad. And what is worse is that a threat is issued by some unknown entity and every single theater owner across the US is too scared to run the movie. And Sony is too scared to release the movie too.

Till date enough dirt and sh*** has already been revealed by the hackers through the emails made public. The opinion of Sony executives of people like Angelina Jolie is now common knowledge and one would like to believe that there cannot be dirtier smelling dirt still to come! Apparently there is more disastrous stuff, so this big corporation has had to go down on its knees.

Along with the theater owners across the nation!

Such is the power of the unwritten word, such is the power of a breach - how it hits you, you will not know. Sony thought it was a hack, they did something. Another happened, and they again did something. And now this is BIG and they just don't know how bad it will be.
- It has turned out to be a reputation blaster and the reputations of most Sony top executives are in tatters.
- It has turned out to be a financial stinker and with the release stalled and with the IP (unreleased movies, stories) that have been stolen, it is anyone's guess.
- It has become the biggest corporate threat made in public ... and accepted by a frightened world.

One of the risks of cyber security was ransomware but this is a different type of ransomware! No hard drive has been encrypted. Instead, data has been stolen and the companies are paying ransom because they are scared of the revelations that are in the stolen data!

Now the US President is also in the fray and calls it a national issue, and the administration has said they will take action. What will they do... remains to be seen.

In the meanwhile, it is important for organizations and governments to relook at their security strategy, budgets and plans and make sure that things are in place. They must make sure that if things are in place it is not just for the sake of being in place but in reality!

Else, they all have to be prepared for doomsday type scenarios... times like the one at Sony where no one has a place to hide.

Saturday, June 21, 2014

The case of objectionable FB posts - time to change

Some miscreants put up objectionable posts on FB and the state erupted with riots and ham handed police response. 

It is time to change the way we think about online life because the lines have blurred making the virtual personae as much a part of real life as real life is of the virtual! 

I put together a compendium of news articles starting from June 01... and the headlines speak for themselves (my comments are in red, following each headline after a dash; the source is given in brackets):

  • Protest against objectionable post on social media hits expressway traffic - how will traffic disruption help catch the culprit? There are many other ways to protest... why the e'way which is miles away from the police station! (Times of India)
  • Tech experts hunt author of FB post which led to violence across state - Really! Can they "hunt"? (Mumbai Mirror)
  • Cyber crime cell takes over probe - this is the department which should have been given the responsibility on day 1 instead of trying to "hunt". (Times of India)
  • Maharashtra police to crack whip on those who ‘like’ offensive Facebook posts - so one guy commits an offense and the government wants to show its muscle just because it can do little else. The government just wants to crack whips - did any minister stand up and make a responsible statement about the posts and calm down the emotionally charged citizens? (Times of India)
  • Origin of offensive posts unclear, cops seek details from Facebook - reality bites! (Times of India)
  • Pune mob violence over 'Bal Thackeray pics' kills 1 - an unfortunate killing by a mob. What was the police doing when the mob was getting their act together? The loose handling allows lumpen elements to come in and take advantage of citizen emotions. (Hindustan Times)
  • Don’t let Pune techie’s killers & their leaders get away (Mumbai Mirror)
  • Pune murder - Six more held (Times of India)
  • Servers abroad used to make offensive Facebook posts, Mumbai cyber crime investigation cell says - everyone knows FB servers are abroad. What's new! Just some inane statements to keep the newspapers printing. (Times of India)
  • Maha Govt Under Siege Over Techie Killing - with irresponsible handling of the law and order situation and refusing to make changes in the face of technology pervasiveness, this is bound to happen. (Times of India)
  • Pune techie murder case - 8 more arrests made, 2 minors detained (DNA)
  • Pune techie murder case - Another man was attacked by same gang the night Mohsin was killed - what an undeserved death. Poor man was killed for no fault of his. (Times of India)
  • ATS probing reason behind Pune violence - Why are we bringing in the ATS? What next, SIT and NIA? This is political FUD - just make it sound so big and show how responsibly you are handling the case. Call the army and tell the world I called them... what more can I do! (Times of India)
  • Offensive FB posts: 187 rioting cases filed, 710 held - Great statistics to be proud about. Fundamentalist lumpens go on riot. Government sleeps and makes no statement. No one helps any of the affected and everyone from CyberCell to ATS and technical experts are "hunting" the culprit! Will they find someone? (Times of India)
  • Court extends HRS leader Desai's police custody till tomorrow (Times of India)
  • After killing Pune executive, mob attacked bakeries and shops - What's wrong with us? How will this riot find the culprit? Who does all this and why are these guys not locked up for good? Frankly I would like to know if any of the 700 guys who have been arrested know what FB is and what is objectionable!! (Times of India)
  • Another FB post sparks protests across state (Times of India)
  • Cops blocked 113 of 198 ‘offensive’ social media posts since Jan - Great job - this is the capability we have to increase to the level where problems are nipped in the bud. The police and central authorities must create an ecosystem to discover such anti-national posts before they damage the country's peace. (Mumbai Mirror)
  • My son's murder not just a law & order issue - Mohsin's father (Times of India)
  • Those behind inflammatory Facebook posts identified: R R Patil - Wow! Great. Mr Patil - now we must throw the biggest book at the culprits and make sure that they get the death penalty. (Times of India)
  • 2 crore of taxpayer money lost as mobs target buses in state (Times of India)
  • Like, share ‘objectionable’ posts and face prosecution (Mumbai Mirror)
  • Facebook posts: Mumbai police say leads did not pan out, trail gone cold - Oh really! What happened to Mr Patil's statement two days earlier that they have been identified! How irresponsible - shows the lack of respect for the dead and the riot affected. (Times of India)
  • Offensive FB posts may be from Pak - YES! Blame it on Pak. They are the root cause of every evil in India - from robberies to increase in train fares! (Times of India)

This is not how one handles communication and government outreach in times of crisis. 

Rumors (normally) move fast in the normal world, especially malicious and mischievous ones that are meant to create strife. In the internet world they move faster and further so the impact is greater in a shorter period of time. 

The slow reaction of the establishment is the first culprit in this case and the situation was compounded by the lack of responsible communication by the ministers. Our problem is that the government first goes to sleep and hopes that the problem will be wished away.. and then they come out making inane statements. 

Check the table above - blame it on Pak! How convenient to sweep everything under the table and go back to fiddling while Maharashtra burns. 

Friday, March 7, 2014

Foot in the mouth disease afflicts the establishment - shameful statements for national security

Today is a sad and shameful day when a person no less than the National Security Advisor (Mr Shivshankar Menon) of the country has trivialized security breaches in the (supposedly) most secure confines of the Indian Government infrastructure. 

As reported in the media he has made irresponsible statements like 
"A mere fact that some computer is open in North Block and South Block and is accessible, does not mean that therefore there is big gap in security."
"not every leaked password is a big threat to security"

I really do not know whether to cry or jump off a cliff, especially when I know I am living with such people heading security for the country. First we had our Minister (Mr Khurshid) who was very quick to forgive the Americans for their NSA-PRISM snooping, calling it "patterning" and saying that they were "really not snooping".

Of course if someone shows you evidence of the holes in your underwear you will keep your mouth shut and happily take all the shit that is thrown at you. Then you will go to town claiming that this is not humiliation but is actually adding to your dignity .

No one has the guts to stand up and say we are being raped - this country which is supposed to be Incredible and what-not. Not even a whimper from any of the hallowed institutions which are supposedly responsible for cyber security in the country.

In any case who will stand up to the NSA or the Minister or the people in power and tell them they are not wearing their robes! 

The country is sold every other day with thousand crore scams by politicians and their cohorts. Innocent lives are lost because the defense forces do not have the money to spend on submarine repairs or MIG upgrades. Farmers commit suicide and floods and famine co-exist to wreak havoc on the motherland. 

And all the while we fart with false pride. In simple words, I am plain angry, hassled and I am sure this is the same state of many of my other fellow countrymen and women.

Does the country have any hope when the PMO, DRDO, MEA, MHA, CBI and other sensitive institutions are "haped" every now and then - and the powers that be take pride in their hour of humiliation.

If the people who are responsible for security in the country have such a cavalier attitude, how can we expect any sort of responsibility on the part of government institutions or law enforcement or judiciary?

Well it is a dark day for the country to realize that we have a funnily irresponsible NSA who also has the foot-in-the-mouth affliction. All that we can do is ... "havan karengey, havan karengey.."