Sunday, May 12, 2013

A Swallow, summer, India bashing and what about the others....

This is a follow-up post to my blog yesterday about the $45m cyber heist. http://infosecgallery.blogspot.com/2013/05/a-swallow-summer-india-bashing-and-what.html


I was just pointed to a Reuters post: http://www.reuters.com/article/2013/05/11/net-us-usa-crime-cybercrime-india-idUSBRE94A06P20130511


All I can say is that I am hassled, very hassled by some of the quotes and this piece is in response to the inane comments of a clueless Mr Eddie Schwartz. 

Well he may be the CISO of RSA but he seems to have forgotten that his company (which is considered the holy grail of Information Security) was compromised and, in turn, exposed organizations all over the world to an INSECURE SECURE ID !!! 

The breach at Lockheed was traced to RSA among others. You were going to replace 4 million tokens across the world, but a few people I know never got a phone call from RSA. Apology? Maybe Indians do not deserve them, or should I make a racist comment.

Well, today he is talking about Indian laws and government oversight - please ask your local RSA folks to educate you differently, Mr E. The USA and the UK are no better and, as I write to you, no one in the world can claim to be an expert or to have a zero-risk environment.

Your homeland and other countries that (supposedly) have government oversight depend on class action lawsuits more than any other tool. The governments are as full of reactionary folks as anywhere in the world.

So.... grow up... and let's not try brinkmanship here just because you are head C! 

I am dead sure you checked with your India office to confirm that Electra Card and En Stage are not your customers, else I would have loved to see your comments. And when it is a commercial disaster you do not go about bad-mouthing a host country.


A hack can happen to anyone and at any time. It happened to Global Payments, Worldpay, TJ Maxx, Heartland and countless government departments and private companies. So how come you have not written off the USA or UK governments? How come you did not insult the PCI-DSS standard, which is the holy grail for card processors, or the ASVs or QSAs .... ?

Anyway, this is not just nationalist pride at my end but common sense. 

Every "expert" has the right to make comments and sound like a global statesman but learning is always round the corner - so please look at what Madeline Aufseeser says in the same article. 


Note: I have not spoken about the omissions and commissions of the four victims on purpose. This piece is from my heart only because irresponsible statements are not expected from people who purportedly are experts in this line of business. 





Saturday, May 11, 2013

One swallow does not a summer make

Being connected to the $45m international cyber heist does not mean that India's IT outsourcing industry is insecure !

Yes, though I am usually quite vocal about the (sad) state of security in our organizations I stand by what I am stating. 

Time and again, there is a lot of noise in India and overseas whenever a data breach or malicious hack is reported in the country. Invariably everyone overseas is screaming hoarse about the lack of security in Indian outsourcing companies and we, the local InfoSec community, bemoan the sad state and add more fuel to the fire. 

Today, news media across the world and in India are digesting and dissecting the report about the $45m global cyber heist that has been uncovered.
http://www.bbc.co.uk/news/world-us-canada-22484364
http://www.nydailynews.com/new-york/cyber-thieves-busted-45-million-heist-article-1.1339051

At times like this everyone falls over each other to brand the country as a bad destination for outsourcing. People with vested interests will want to use these occasions to lobby for stricter controls on outsourcing.

And the game goes on ! 

And this is what gets me - what about the big ticket compromises ? RBS, TJ Maxx, Heartland, Cardsystems and many more. 

http://flowingdata.com/2011/06/13/largest-data-breaches-of-all-time/

I do not see any Indian name here, so why is there so much noise when any person or company of Indian origin is associated with any security incident? Or, if there is any activity in the information security domain, everyone has to pull out a magnifying glass to obtain every detail about the objective and pass judgment (which is usually negative).

It is high time the community accepted that Indian companies are doing good work and that there is a lot more to be done. Frankly, even the "most developed" country in the world has miles to go before it can claim to be shielded from security incidents, which continue to happen at the most secure and high-profile entities, regularly!

So does this mean that the world should write off the US of A, just as naysayers and vested interests call to move away from India when there is an incident?

And yes, it is not summer if you saw just one swallow! The industry / country, as a whole, is not an information security black hole just because one company got hacked.






Friday, March 22, 2013

About bounties, government, ethics and morals - this is a good thing!

On March 01, 2013 I was at nullcon 2013 in Goa and, as the CTF/Jailbreak contests were coming to a close, there was an announcement - some Government officers attending the conference wanted a piece of malware analyzed and were willing to pay a 25k bounty. Excitement all around! Me too, saying a silent prayer - Thank God the elephant awakens.
To cut a long story short, [a] the bounty was raised to 50k (25k on day 1 and 25k on day 2) and [b] by the same time the next day two teams had done the analysis; one of them got 37k, with the other getting 13k.

The media covered the event as a botnet takedown and many members of the Indian Information Security community, and some from the international community, screamed blue murder. The naysayers talked about the lack of ethics and knowledge among Indians to undertake such activities. Some made the point that the international community must be taken into confidence for such actions.... and much more. I was part of some serious conversations with professionals overseas and managed to explain the facts and the distorted media coverage, so it did settle down. Unfortunately, members of the community in India are still keeping the fire burning, and this has to be addressed soon if it is to be doused.

OK, to come back to my main subject - bounties are a good thing to happen to the country and I hope the government departments will keep their pockets open.

The simple 50k bounty must have saved that department a lot of headaches:
- malware analyzed in about 15 hours, which may otherwise have taken 3 or more days.
- analysis done manually, while the attack was still on.
- they paid only 50k = $1k, which is chicken feed.
- they identified 20 good guys who can be hired or called upon.

Imagine how a corporation could benefit in the same manner by paying a bounty; Indian companies are yet to realize this.

With the government having taken the lead in offering a bounty I hope that this will be a regular program as it will help raise the interest level in the community as well as contribute as a "public-private partnership" model.

Companies all over the world are offering bounties and many Indian ethical hackers (young and old) are making good money. Google, Paypal, Facebook etc all have ongoing bounty programs and are paying out good dollar amounts. They benefit because they get legions of hackers trying to break their defences and discovering vulnerabilities which were otherwise not known. The bounty is always less than the commercial cost of discovery !

One may argue this is immoral and is akin to 'guns for hire' or making a generation of 'mercenaries', but this is the new age of thought. There is nothing immoral about this; such a view is regressive.

My take is that, first, the Government departments must all offer a bounty program! This will make sure that the shoddy jobs done by IS auditors are exposed and Indian government sites will become more secure. Intelligence agencies are usually struggling to find good analysts, and when they find them they cannot afford to hire them on annual terms - this is an easy way of getting tough jobs done. The agency pays a bounty to the specialist who is able to complete an analysis or reverse-engineer the malcode that has been put up.

All in a day's work !

Second - the corporations or business houses must accept that a breach or a hack is just like a disaster. And disasters do not warn you and there is no need to be embarrassed if hit by one. After all, if there is a fire or flood, you do not hide behind a 'ghoonghat' - stand up and declare the disaster and ask for help. Many Indian companies do not have the necessary in-house skills to respond to disasters like this and can take advantage of the bounty culture. Offer a bounty for the vulnerabilities that are found by ethical hackers and your own credibility will go high.


Another fallout of a bounty program is that it stops ethical hackers from crossing the 'lakshman rekha' to become blackhats. If they can make decent money in the country through bounty programs, there is less reason for them to turn to criminal activities.

As I have said earlier, many in the profession may argue about the ethics of offering bounties and the risk of turning rogue. Or the risk of messing up someone's systems. These fears are unfounded when you consider that there may be an unethical hacker from a foreign country who will find and exploit the vulnerabilities and inflict more damage !

So in the end - what do you want: to attract your own country's talent to find and report any weaknesses in your systems, or some firang coming in and bringing your system down just for a few bucks?

It's a new age and it requires new thinking, it requires you to take action in a new manner. So, go Government of India, go - it's been a while since something proactive happened from your end ... just move on and make an official program and announce it - this will certainly get good karma from all over. 

And naysayers can remain at their desktops and continue to fret and fume :)




Tuesday, March 19, 2013

Responsible Disclosure - 1 - Roles and Responsibilities



This piece is written for the Responsible Disclosure Initiative of the Cyber Defence Research Center, Special Branch, Jharkhand Police (http://cdrc.jhpolice.gov.in/responsible-disclosure-submission/)

Responsible Disclosure is a concept alien to our country. We should not just talk about our country, but we should say it is alien to the world. And the world is just waking up to it.

There are bound to be many questions - both for and against and again there is only one simple action required by all - change your thinking to align with the new age of technology and the internet.

One must remember that every action in the realm of the internet is not necessarily covered by law, as it stands. Nor is it understood by the law or lawmakers. Time and again we are distressed by the shortcomings of existing laws like the new IT Act. Over the past few years we have witnessed a number of instances of ethical researchers venting their frustration in the face of inaction by vulnerable organizations. Their frustration and that of the community is compounded when these organizations have taken retaliatory action against the researcher, at times unlawful in nature.

Unfortunately the researcher has not been able to stand up for his/her rights and bears punishment for doing a good deed. Things can go horribly wrong and a good white hat may decide to cross over and become a black-hat. No prizes for guessing the first target !

It is important to harness the skills of the researcher and bring the advantage to lawful use. It is important to bring the knowledge to the organization that is researched, so that they remediate the reported vulnerabilities and gain commercially through fees saved. It is important that this unsolicited research activity is recognized as another internet phenomenon and as a technical whistleblowing activity, so that a proper platform is provided which will suit the sensibilities of the brick-and-mortar world.

Such a platform is termed "Responsible Disclosure" and like all internet and technology activities, there are unwritten rules and rules for engagement. This piece will try to collate some rules that will govern responsible disclosure transactions (or activities) in terms of the engagement etiquette and expectations.

There are usually three parties involved in an RD transaction:

1. The 'DISCLOSER' is the person or entity who discovers a vulnerability in someone's IT infrastructure, website, or application.
2. The 'DISCLOSEE' is the entity or organization who owns, or is responsible for, the IT infrastructure, website or application in which the vulnerability was discovered.
3. The Responsible Disclosure "Host Facility" provider who acts as the "escrow" between the discloser and disclosee and is the custodian for the rights and security of both parties.

An RD transaction requires both discloser and disclosee to be responsible in their approach. There has to be mutual respect for each other - the discloser must respect the confidentiality and the business interests of the disclosee; and the disclosee must recognize and respect the skills and ethical behavior of the discloser.

Once these grounds are set, it is important to keep a number of other points in mind that will govern the activity and the conduct of all concerned parties.


FOR THE DISCLOSEE

- do not consider a disclosure to be an attempt to insult you or your organization, or to harass you in any manner.
- accept the vulnerability information maturely and accept the presence of the vulnerability in your systems.
- respect the skill of the person who discovered the vulnerability.
- recognize and accept the fact that there were some errors / weaknesses that were overlooked and are being brought to your notice by some well meaning person(s).
- ask for help from the same person(s) if your team does not have the expertise or skills to remediate the weakness.
- accept that the discloser is ethical and has come forward to share the information with you.
- understand that the discloser has not taken advantage and exploited the vulnerability.
- finally, be happy that you saved a considerable amount of money which you would have spent on conducting a vulnerability assessment / penetration test on your systems or infrastructure. Also that you can offer the researcher a job, as you would be hiring someone with proven skills (and you can save on hiring costs too).

FOR THE DISCLOSER

- do not assume that the disclosee organization is staffed by ignorant people just because you were able to discover a vulnerability.
- do not carry out a destructive test on any site that you are researching.
- make sure your POC document lists every step and test that you have carried out.
- provide remediation suggestions for the vulnerabilities which you have discovered.
- never take the high ground just because you may be more intelligent than others - remember there are others in the world who are better.
- prepare a nice POC in a professional, dispassionate manner so that the receiving organization is blown away by your work.
- if the disclosee organization asks to meet you, make sure that they indemnify you from any action before you permit the RD Host to disclose your identity. Seek help from the RD Host to prepare the necessary legal indemnity document before exposing yourself. This is a precautionary measure, as in the event of a lawsuit you are on your own!
- if the disclosee organization requests you to help close the vulnerabilities, the request will come through the RD Host. First take the precautions indicated above and then offer your services if you have the time... do not forget to charge them now, as you have done enough free service!
- if the disclosee organization offers you a job ... all the best!


THE RESPONSIBLE DISCLOSURE HOST (RD Host)

It is also essential for an atmosphere of trust to exist between the discloser and disclosee. However, as both parties may not be known to each other, it will be difficult to establish a trust relationship in view of the sensitive nature of the information being exchanged. As such, the introduction of an escrow service can facilitate a trust relationship which will make it easy for the transaction to take place. This escrow can be termed an "RD Host" organization, and the following points will be relevant to its operation and functions:

- the RD Host should (preferably) be a part of a law enforcement agency or supported by one.
- the hosting organization will ensure that the information is shared with the disclosee in the manner which was requested at the time of submission.
- a professional POC submitted will bring pride to the hosting organization as it will be recognized as an organization which has been able to disseminate a sense of ethics and responsibility to supporters.
- will carry out the responsibility of disclosure in a lawful and discreet manner and will provide assistance to both discloser and disclosee as needed.
- assistance to the disclosee may be in the form of help to close the vulnerabilities.
- assistance to the discloser may be in the form of protection against identity disclosure or against unlawful action by the affected party/parties.
- hand-hold the discloser in the event of an introduction to the disclosee, as indicated above.
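The escrow role described in the discloser and RD Host lists above reduces to a few enforceable rules: the host forwards the POC in the sharing mode chosen at submission, withholds the discloser's identity until an indemnity is on file, relays all contact, and refuses POCs that skip the steps or remediation sections. The following Python model is an added illustration of those rules and is not code from this blog or from the CDRC initiative; the class names, the two required POC section headers and the sample report are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Stage(Enum):
    SUBMITTED = "submitted"                  # held by the RD Host, not yet shared
    FORWARDED = "forwarded"                  # POC shared with the disclosee
    IDENTITY_RELEASED = "identity_released"  # discloser's name given to the disclosee


# Section headers a POC must carry before the host forwards it (assumed requirement,
# mirroring "list every step" and "provide remediation suggestions").
REQUIRED_SECTIONS = ("Steps:", "Remediation:")


@dataclass
class Submission:
    case_id: str
    discloser_identity: str
    disclosee: str
    report: str
    sharing_mode: str            # "anonymous" or "named", chosen at submission time
    stage: Stage = Stage.SUBMITTED
    indemnity_signed: bool = False
    log: List[str] = field(default_factory=list)


class RDHost:
    """Hypothetical escrow between discloser and disclosee (not CDRC's real system)."""

    def __init__(self) -> None:
        self._cases: Dict[str, Submission] = {}

    def submit(self, case_id: str, discloser_identity: str, disclosee: str,
               report: str, sharing_mode: str = "anonymous") -> Submission:
        if sharing_mode not in ("anonymous", "named"):
            raise ValueError("sharing_mode must be 'anonymous' or 'named'")
        missing = [s for s in REQUIRED_SECTIONS if s not in report]
        if missing:
            raise ValueError(f"POC incomplete, missing sections: {missing}")
        sub = Submission(case_id, discloser_identity, disclosee, report, sharing_mode)
        sub.log.append("submitted")
        self._cases[case_id] = sub
        return sub

    def forward_to_disclosee(self, case_id: str) -> dict:
        """What the disclosee receives: the POC, and a contact route through the host."""
        sub = self._cases[case_id]
        view = {"case_id": case_id, "report": sub.report, "contact": "via RD Host"}
        if sub.sharing_mode == "named":
            view["discloser"] = sub.discloser_identity
            sub.stage = Stage.IDENTITY_RELEASED
        else:
            sub.stage = Stage.FORWARDED
        sub.log.append(f"forwarded to {sub.disclosee} ({sub.sharing_mode})")
        return view

    def record_indemnity(self, case_id: str) -> None:
        sub = self._cases[case_id]
        sub.indemnity_signed = True
        sub.log.append("indemnity recorded")

    def release_identity(self, case_id: str) -> str:
        """Identity of an anonymous discloser is released only after indemnity is on file."""
        sub = self._cases[case_id]
        if sub.sharing_mode == "anonymous" and not sub.indemnity_signed:
            raise PermissionError("identity withheld: no indemnity on file")
        sub.stage = Stage.IDENTITY_RELEASED
        sub.log.append("identity released")
        return sub.discloser_identity

    def try_release_identity(self, case_id: str) -> Optional[str]:
        """Same gate, returning None instead of raising (convenient for callers)."""
        try:
            return self.release_identity(case_id)
        except PermissionError:
            return None

    def relay_to_discloser(self, case_id: str, message: str) -> str:
        """Disclosee-to-discloser messages (e.g. a request for help) pass through the host."""
        sub = self._cases[case_id]
        sub.log.append(f"relayed: {message}")
        return f"[RD Host, case {case_id}] {message}"


# Constructed sample POC; the site, finding and steps are placeholders, not real data.
SAMPLE_REPORT = (
    "Target: portal.example (placeholder)\n"
    "Finding: login form reflects user input without encoding\n"
    "Steps: 1. open login page 2. submit a harmless marker string 3. observe it echoed\n"
    "Remediation: output-encode user input; add a content security policy\n"
)


def run_demo() -> List[str]:
    """Walk one anonymous case through the escrow and return its audit log."""
    host = RDHost()
    host.submit("C-001", "Researcher A (placeholder)", "Example Org", SAMPLE_REPORT)
    host.forward_to_disclosee("C-001")
    host.relay_to_discloser("C-001", "Can you help us close this?")
    host.try_release_identity("C-001")      # refused: no indemnity yet
    host.record_indemnity("C-001")
    host.release_identity("C-001")          # now allowed
    return host._cases["C-001"].log


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The invariant worth noting is in `release_identity`: for an anonymous submission there is no path to the discloser's name that bypasses `record_indemnity`, and every step lands in the case log, which is what a host would need if a dispute later arose.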


Wednesday, December 5, 2012

Cybercrime makes consultants, police all abettors in another crime


Some time back I was pondering the surrogate criminal activity that happens in the absence of incident disclosure by corporate bodies. While pondering whether the regulators will act to bring in any form of control, I realized that it is not just the corporates but others too who are engaging in criminal activity.

To illustrate, I present an example ... I have a pistol and shoot a friend accidentally. We take the injured person to a hospital, where he/she will be refused treatment by the doctor until a police complaint is registered. A police complaint will lead to my arrest and confiscation of my gun. I shall be in a lockup until I get bail, and then, even if my friend stands by me, the cops will interrogate and investigate and may not drop the case.

Now we come to a cybercrime scenario - a company or government department is breached (they get hacked / data is stolen / phished / financial fraud). The CISO is the first to respond and advises the CxO. Then they call in a forensic/security consultant, who provides his/her analysis with remediation advice. Now they go to the Police Cybercrime cell and ask for an investigation. At the end of the Police investigation, the cops are told "we do not want to file a case" and the whole thing is dropped, because they "know" who or what happened.

So we have the victim company (organization, bank, department..), CISO, Forensic/Security consultant, and Police investigators who have all colluded to close a criminal case (theft, hacking, piracy, porn... whatever).

Does this make all these people / institutions party to the crime of abetting a criminal act ?

If yes then can the various banks, government departments and organizations be taken to court along with the police departments of all states? I understand Sec 120 b or Section 34 of the IPC establishes guilt for conspirators.

Will the ITA be amended soon for 66A, and can the mandarins add "disclosure" as an obligation under the act?

The moot question is whether everyone is a criminal now? The consultant who found out the modus operandi and advised on new controls, the cybercrime police who did not register the case and advised closure thus (possibly) causing loss to shareholders and the exchequer.





Sunday, April 1, 2012

Surveys... Norton Survey for India 2012 ... read with a lot of salt




Another India report: at first one is happy, then by the time you are through it you wonder whether you are reading some fuzzy fiction.


I haven't got a copy of the report but came across some tidbits from these articles in the media and wanted to record my high and low feelings as I read about the findings which make up the report. 



http://tech2.in.com/news/general/indians-pick-personal-data-security-over-1mn-norton-survey/294102
http://articles.timesofindia.indiatimes.com/2012-03-29/mumbai/31253852_1_phishing-attacks-indian-netizens-indian-users


The report states "3 out of 4 Indians said they would rather give up $1 mn than allow access to their computer". While I like this statement and would like to give full marks to the level of ethics attributed to my countrymen/women, this does not hold up against reality, especially when I think about 10 or 20 rupee bribes (that is not even 50 cents).


I am sure their respondents would have answered more honestly if they had said 5 crores ;-) Everyone knows prize money offered in dollars will never come, but many crorepati chances exist!


Else, if Norton had a corollary to the question - what about your neighbour's PII ? 


One of the above articles calls this finding "fantastic" ... need I say more.


Forget Indians, I bet anyone anywhere will happily give up PII, get a million and migrate to another country with a new identity !


Then we have to thank God for giving us Mr Hall, Symantec and Norton for coming along to save the online Indian. According to the report, the online Indian uses multiple devices to connect online and does not know how to protect himself/herself.


So, to save our brethren there is hope - Norton is going to provide a 360 anywhere solution which will be an all-in-one solution for security on PCs, mobiles and tablets. 


Gentlemen you are doing the country and community a favor by assigning resources to carry out market surveys and I highly appreciate your investment.


This is the reason why I have no comment on the other findings reported about the internet habits of the online / connected Indian.


I also understand that there has to be an ROI from any investment, but then why water down your effort with such statements and findings? You are a pillar of respectability in the security domain and do not need to milk every single rupee you spend. The Bhagvad Gita says that you do your good thing and good results will follow - you do not need to flog the horse; it will bring you home. Why did you not do a reality check with your own in-house team, which is full of highly respected and accomplished security professionals?


One hopes that the marquee InfoSec giants that operate in the country will support and publish non-commercial, original and authentic surveys and reports. This will be very welcome and highly appreciated and will surely bring good karma to the firm resulting in good business too. 
Take a look at my blog post about a FICCI-Pinkerton report two weeks earlier, and the many other "industry interest" driven reports; it is no wonder we are starved for facts.


And truth, as they say, is always hard to come by. Until then we live in a world fuzzed by FUD and dartboard-happy statisticians :)





Saturday, March 24, 2012

India Risk Survey 2012 ... risky reading :)



When I saw a new report, India Risk Survey 2012, I was really happy because it carried the names of FICCI and Pinkerton - both are respected and one can expect solid work from them.


Unfortunately I am terribly disappointed with the report in the area where it relates to Information Security, and as I write this I hope these organizations rewrite the report or withdraw parts of it, as their gesture of apology.


InfoSec professionals will be glad not to take this up or quote it anyplace !

While reading the report the first 'jhatka' came to me when I read that they quoted a Norton report stating cyber crime losses at 34,110 cr (where on earth does one conjure up such a number) - only fools will suffer such numbers!


The second one was a big shocker - they have the gall to quote a Univ of Brighton report which is so full of crap that even a kid can see through that sham of a white paper! This is personal for me, since I wrote about the sad guys who wrote that paper (check "Univ of Brighton - bunch of liars"). The paper's writers did not have the guts to write back to me.


This same university has been trashed by one of the leading national authorities in Information Security - Dr Kamlesh Bajaj wrote about this outfit way back in 2009.


Now this report started bothering me and I felt sure they had lifted some of the text - lo and behold - I do a check for plagiarism and find text lifted from "The Hindu". There is a statement wrongly attributed to the CID Review. Refer to the article on Cyber Crime in this CID Review newsletter from Jan 2008: http://tnpolice.gov.in/pdfs/ReviewcyberJan08.pdf

Over the past few years, we have seen many 'branded' reports and surveys published under BIG banners - they carry outlandish statistics and statements about cyber crime, information security etc. in the country. While almost all such statements need to be taken with a large pinch of salt, it is even more necessary to trash stuff like what is written by these Brighton chaps.


It  is time to call them back to the table, if they have the guts to come and substantiate their bullS^1t. 


If anyone knows someone at FICCI or Pinkerton, please do them a favor and ask them to read this and make necessary corrections or disassociate themselves from the report.