The Dangerous Web - Businessworld
Monday, 13 April 2009 05:30
On Sunday, 28 March, governments in 103 countries including India scrambled to gauge the implications of a malware (malicious software) attack from China, as discovered by the Information Warfare Monitor (IWM) — a Canada-based research organisation. According to a report it had put together after 10 months of research, malware unleashed from four servers in China had infiltrated 1,295 computers containing confidential government data in 103 countries. The malware, dubbed gh0st RAT, could not only monitor the text files in the infected computer, but could also supposedly log keystrokes, capture video and audio and do a host of other such things. The Chinese government denied that it had anything to do with the attack. But what scared most cyber warfare analysts were the basic findings of the report. First, it said that many of the computers had been infected almost two years ago — and the malware had remained undetected. Second, it pointed out that the malware had been detected by IWM largely because the agency was looking for something like it. It may have remained undetected for many years otherwise.
We live in a networked world. We use the internet routinely for a lot of work. And governments around the world are increasingly depending on computer networks to make life easier for citizens, and to work more efficiently. But as the world becomes tightly linked through wired and wireless networks, the danger of hackers, phishers and other tech-savvy malcontents getting hold of confidential documents and secrets has also increased exponentially. Just how bad can this get? And what can we do about it? Read on.
Bringing A Government To Its Knees
The Chinese attack was merely a snooping mission. As far as the researchers can tell, it started off to keep an eye on what the Dalai Lama and other exiled leaders of Tibet were doing, and what the countries they were in touch with were contemplating in terms of support to these leaders.
In a real sense, the malware that infected the government networks was just about passing back information to four servers in China.
But in 2007 and 2008, the attacks that were apparently planned from Russian soil showed at least a glimpse of what can happen to a government that is attacked. The first one, in 2007, was aimed at Estonia and was reported to have briefly disrupted several services, including emergency ones. In the second case, in 2008, a website sprang up that provided the details of not only the most important sites in Georgia, but also how they could be flooded with email or data to throw their operations out of gear. There is no proof that the Russian government had anything to do with these attacks. They were possibly the work of nationalistic Russians with good software skills. But the attacks proved how easily government networks can be disabled, if anyone really wanted to.
But even these attacks are really benign, points out a software security expert who does not want to be identified. “The amount of damage that can be done by a hacker group to a country that is heavily networked is infinite,” he says. “Cyber terrorism is evolving from guns and grenades to the internet,” says Ajay Trehan, CEO of security solutions firm AuthBridge. The doomsday scenario is of hackers breaking into networks that control missiles or satellites. In the civilian realm, a hacker attack in a wired country can paralyse airport operations, banking and dozens of other things — in fact, almost anything that is connected to the Web. “Just because this is something you see in movies doesn’t mean it is not possible,” he says. The very fact that the Indian government is still not fully networked is what works in its favour, he says.
Hopefully, Indian missile controls are not in such danger, but other parts of the government are. Early this year, according to Trend Micro, a global leader in internet content security, the Indian Embassy in Spain was found serving malware through an injected malicious iFrame.
And if the report by the Canadian researchers is to be believed, dozens of other Indian government computers were affected by gh0st RAT (see ‘Chinese Cyber Flu’). Experts believe the biggest mistake India has made is to have a common network connecting all its departments. If someone breaks into the National Informatics Centre (NIC) network, he or she can access networks of most ministries, including Defence and Home, points out M.K. Dhar, former joint director of Intelligence Bureau (IB). “It is like keeping all eggs in one basket,” he says. “You are basically inviting disaster.” Agrees Ajit Kumar Doval, former director of IB: “NIC network was good when it was set up, but now slowly it should be disengaged and sensitive ministries such as Defence, External Affairs and Home should have their own networks.” The IB and the Research and Analysis Wing (RAW) operate on networks that are not part of the NIC. They don’t allow employees to link to the internet from office.
Senior officials in NIC and the Department of Information Technology (DIT), however, do not agree that a common network increases vulnerability. “We have a robust system and our CERT-In (the system to identify virus and other dangers) guides the ministries regularly on updating their software or on precautions in the event of a virus attack as well as diagnosis for spyware or malware,” says a senior official in CERT-In. “If they do not implement it, why should NIC or DIT be blamed?” But that is precisely the problem, points out a computer expert. The network might have all the security measures — but even if one department or person is not following the safety protocols, he or she puts the entire network at risk. In essence, it becomes a human error. And human error leading to a security breach becomes a very real possibility when there are hundreds of thousands of employees routinely accessing the network, as is the case in government departments.
And India is not the only country that is vulnerable. In 2007, a similar malicious worm apparently was found on Italian websites. Amit Nath, country manager at Trend Micro India & SAARC, says, “Online criminals had launched a widespread web attack that had turned tens of thousands of legitimate websites into weapons (these could be used to send virus and malware) and almost all the websites that sourced the malware were from Italy.” George Heron, founder of BlueFin Security and former chief scientist for cyber security firm McAfee, believes cyber warfare will play a significant role amongst countries. “Cyber threats originating from China are very real and growing,” says Heron. “Other evidence supports this, such as the majority of bot masters being traced back to China, along with malware and other disruptive threats.” In 2007, cyber experts testified to the US Department of Homeland Security that the country’s cyber defences were dated. “Countries that claim leadership in technology have hired team of hackers that peep into other countries’ critical establishments,” says Doval. The US is strengthening its systems and laws to deal with cyber security more effectively.
The third reason why government networks become vulnerable, points out another expert, is the hierarchical nature of government departments. Network security is often controlled by middle-aged people whose technical skills are probably no match for young hackers using the latest techniques, he says. The good news is that experts believe most hack attacks do not aim at getting control of missiles or other weapons. Last year, Georgia Tech Information Security Center’s (GTISC) annual summit on emerging security threats and countermeasures concluded that data will continue to be the primary motive behind future cyber crimes — whether targeting traditional fixed computing or mobile applications.
Heron says, “It’s all about the data,” whether botnets, malware, blended threats, mobile threats or cyber warfare attacks. And he expects data to drive cyber attacks for years to come.
Big Business, Big Risks
Reports of attacks on business targets are increasing and catching up with those on government sites and networks. In February this year, Gmail suddenly started acting up. People could not access their accounts — or if they managed to, opening a mail was painfully slow. A hacker group had written a programme that sent hundreds of millions of requests simultaneously to the Gmail servers. Even though Google has servers that are capable of processing millions of requests per second, the sheer volume of requests coming from the hacker programme was too high even for the tech giant to handle. This is what is called the classic “denial of service” attack — an attack where the hackers seek to overwhelm a company’s servers by the brute force of millions of simultaneous requests.
Google moved quickly to restore the Gmail service, but the attack was a way of showing that even Google, the company that epitomises technological prowess to the common man, can be hurt if someone really goes after it. Google was in august company. In 2000, there were reports of denial of service attacks on companies such as Yahoo! and Amazon. Even Microsoft and Intel have been attacked off and on. But these are companies that spend millions to protect themselves from cyber attacks — smaller companies often find themselves out of their depth while dealing with such eventualities.
While denial of service attacks are dangerous, they are only one part of the problem facing big business. Some experts feel attacks aimed at stealing consumer data are a greater menace. As transactions have increased on the net, so has the incidence of stealing of credit card and similar data. In the US and the UK, millions of consumers have faced theft of their credit and debit card data in the past few years, from supposedly safe sites. And credit card data thieves are getting smarter. In the old days, they used the data to buy goods on the Net. Today, there are reports that this data is used to withdraw cash from ATMs as well. Last year in April, the websites of the United Nations and the UK government came under attack and later in December the State Bank of India’s website was hacked.
Attacks often indicate the personality and mind of the hacker. Krishnan Thyagarajan, managing director of Quest Software India, says, “Those who do it for kicks would like to see the attacked network down for weeks, not hours. While others who do it for financial gains, are serious offenders.” The third category of hacking attacks in the corporate realm takes place when one organisation wants to snoop on its rivals, though this is a topic that is little talked about. Hacking is easier when firms continue with old hardware and software.
“We cull birds when infected with virus; people are kept in isolation to diagnose. But computers in India and globally have old hardware and software, and many of them continue to spread virus,” says Sanjay Bahl, chief security officer, Microsoft India. Antivirus software needs to be regularly upgraded, and certain hardware that is susceptible and that infects the hard drive needs to be changed periodically. The problem is that you can try all these out and still get infected, because virus and Trojan writers almost invariably stay one step ahead of anti-virus software makers. “Unfortunately, no data reception and transmission over the internet can be guaranteed to be 100 per cent secure,” says Vakul Sharma, a senior Delhi-based cyberlaw expert.
But it is important that companies dealing in critical data use better resources when their customers trust them with their personal information. “Today, more than 3 per cent of internet users in India (out of 45 million net users) are paying to store pictures on the net. It is an indication of trust,” says Dibtarup Chakraborti, principal research analyst with Gartner India. According to IDC, the heightened security risk perception in view of the threat of terrorist attacks will force enterprises to look at business continuity services seriously. As a consequence, the security solutions space is expected to evolve and grow by 20 per cent in 2009.
Naked On The Net
If governments and tech-savvy companies cannot keep their data safe, how vulnerable are you on the Net? A decade ago, the then Sun Microsystems chief Scott McNealy is reported to have said that privacy was dead in the era of the internet. The problem is that the intrusion of privacy has been growing over the years. Every site you surf — even the most legitimate and most respectable ones — invariably starts tracking you from the moment you type in their IP address. They put a ‘cookie’ — a small piece of computer code — on your computer to collect information on your surfing habits. Or they use other tracking software to keep tabs on you. In many cases, the cookie is relatively harmless. It merely collects basic data on your viewing habits on one site itself. If you are going regularly to a newspaper site, for instance, the cookies may try to track how many times a day you log on or which sections you visit more often. There are many reasons why almost all sites you surf will routinely collect such data. One, many sites want to track your surfing habits to serve you better — to customise offerings that are more tailored to your interests. In other cases, the data is collected just to provide a profile for advertisers who want to target you.
Google makes its billions by tracking what you surf and offering you targeted ads.
The big precautions you need to take involve preventing Trojans, viruses and other malware from taking control of your computer. Installing a proper firewall helps. So does downloading and implementing security patches for your browsers. These are regularly made available by browser and software companies and should be downloaded religiously. Individuals can download or purchase anti-snooping and anti-bot software on the net. You may also encrypt sensitive information using free software like PGP and Cryp tools that are cryptographic mechanisms. There are two steganography (concealed writing that only the sender and the intended recipient can read) tools, wbStego and outguess, that can hide data inside other files. Using proper anti-virus software and scanning your system carefully at frequent intervals helps. But anti-virus software is only good for you if you regularly update it. Do all these things, and you will increase your chances of staving off a malware attack. Oh yes! — don’t forget to pray regularly.