Aujas Blog

Dr.C S Rao joins Aujas Advisory Board

We are pleased to announce that Dr. C S Rao has joined the Aujas Advisory Board. The existing Advisory Board includes Mr. Lalit Sawhney, Mr. M S Rangaraj, Mr. Charbel Bachaalani and Mr. M Chandrasekaran; Dr. Rao is the latest addition to it.

As part of the Aujas Advisory Board, Dr. C S Rao will guide Aujas in the telecom security domain. Telecom security is considered one of the fastest growing security domains, given the increasing ubiquity and complexity of converged networks and the dependence on telecom infrastructure to run business operations.

Dr. C. S. Rao is an industry veteran with over 25 years of experience spanning telecom, R&D and technology in management functions. He is currently Managing Director at Intel and also spearheads the WiMAX Program 2008 initiative at Intel. His career includes successful stints with large blue-chip companies such as British Telecom (India), Lucent India (as Managing Director) and Tellabs India (as President and CEO). He was also among the core team of founders at CDOT and is currently Chairman of the WiMAX Forum, India Chapter.

Some of his career highlights include pioneering the concept of the 21st century NW for BT India, the first ever nationwide MDN network launch in India, and a significant role in the first ever ISDN in India in 1989. He was also responsible for the rollout of the first and largest CDMA network in India, serving 30 million subscribers, at Reliance Telecom. He established $2b (Rs 8000 crore) of telecom network infrastructure in India through Tellabs (USA), Lucent (USA) and BT (USA).

His career includes various accolades for his contributions, including the Business Leadership Award from ASSOCHAM, the NRDC award from the President of India, and Innovation, Leadership and Achievement awards from Tellabs and Lucent USA.

For more details about the Advisory Board, please see our webpage http://www.aujas.com/advisory_team.html

We welcome him to our Advisory Board and wish him all the best in our journey together.

Srinivas Rao
Chief Executive Officer


Applications Downloads – Are they from trusted websites?

Most organizations today allow employees to download software from websites, and this has become routine. Generally it is the admin or the user who downloads and installs the software, failing to verify the authenticity of the website from which it is being downloaded; even experienced administrators fail to do so.

As you all know, it is easy to build a binary for open source software, as the code is readily available. But there are also ways to alter a binary file without the source code. A binary file can be altered to perform various other tasks; on Windows, a competent Win32 programmer can easily hijack the code. In theory, data and other sensitive information can easily be stolen this way. Even your antivirus cannot detect this kind of attack.

Take the example of a sample attack on a Win32 program:

Open any Win32 application in a debugger. Debuggers have sophisticated ways to identify system calls, and it is a no-brainer for a Windows programmer to identify the system calls and add breakpoints to trace the exact location. Using this tool, one can decide exactly where to hijack execution to accomplish a certain task.

Once the place to hijack is decided, the next decision is where to place the hack code inside the binary. As per the Windows PE format, the binary is organized into sections whose sizes are multiples of the file alignment value, so there is a high chance of finding some free space inside the sections to place the code. Use Portable Executable (PE) identification tools to see the sections.

Open the EXE in a hex editor (a powerful one like Hiew) and change the API call identified earlier to jump to a free location where the new functionality is written. At the end, the function jumps back to the original location to continue execution of the program. An external file can also be called to accomplish more work.

Both open source and binary downloads are susceptible to the same attacks. It is always advisable to download software from a trusted site, and to make it a practice to download and verify the checksums of the software from the official website.
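The checksum practice recommended above, as an added example (this is not code from the Aujas post): the script parses a `sha256sum`-style list as published by most projects, hashes each downloaded file in chunks, and compares digests in constant time. The file names, contents and the checksum list are constructed inline so it runs offline; the "patched" file stands in for a binary altered after the list was published.

```python
"""Verify downloaded files against a published SHA-256 checksum list.

Added illustration, not code from the Aujas post. The list format mirrors
`sha256sum` output ("<hex digest>  <filename>"); all files and digests
below are constructed so the script runs offline.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_list(text):
    """Parse sha256sum-style lines into {filename: digest}.

    Lines without a 64-hex-character digest are skipped rather than trusted."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")  # sha256sum prefixes binary-mode entries with '*'
        if len(digest) == 64 and all(c in "0123456789abcdefABCDEF" for c in digest):
            expected[name] = digest.lower()
    return expected


def verify_downloads(download_dir, checksum_text):
    """Return {filename: status} with status one of "ok", "MISMATCH", "missing"."""
    results = {}
    for name, digest in parse_checksum_list(checksum_text).items():
        path = os.path.join(download_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_of_file(path)
        # compare_digest avoids a timing-dependent string comparison
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "MISMATCH"
    return results


def demo():
    """Constructed scenario: one intact installer, one whose bytes were altered
    after the checksum list was published, and one listed file never downloaded."""
    tmp = tempfile.mkdtemp()
    good = b"original installer bytes"
    tampered = good + b"extra bytes appended later"  # constructed alteration
    with open(os.path.join(tmp, "tool-1.0.exe"), "wb") as f:
        f.write(good)
    with open(os.path.join(tmp, "tool-1.0-patched.exe"), "wb") as f:
        f.write(tampered)
    good_digest = hashlib.sha256(good).hexdigest()
    # Published list: every entry carries the digest of the *original* bytes.
    published = "\n".join([
        "# SHA256SUMS (constructed for this example)",
        f"{good_digest}  tool-1.0.exe",
        f"{good_digest}  tool-1.0-patched.exe",
        f"{good_digest}  tool-1.0.msi",
    ])
    return verify_downloads(tmp, published)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A checksum fetched from the same mirror as the binary only proves the two were not corrupted in transit; an attacker who replaced the binary on that mirror can replace the list too. That is why the post says to take the checksums from the official website, and where the project also publishes a signature over the list, verifying that signature is the stronger check.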

Build security in your organization: From process to application…


Cyber Crime and IT Act

Recently I came across two interesting pieces of information in one of the online security forums (InfoSec).

One is statistics on registered cyber crime cases in India (http://ncrb.nic.in/CII2007/cii-2007/CHAP18.pdf).

Very interesting data collection, and it seems to follow the general IT trends in India.

Cyber crime is classified under the IPC and the IT Act. IPC-related cyber crimes are generic crimes which use an electronic medium as an aid (forged electronic documents), whereas the IT Act is specifically related to hacking and other very computer-specific crimes.

Some highlights: most of the defendants are in the 18-30 age group, with most cases in Karnataka, Kerala, Andhra and Maharashtra, with the metros leading. Obscene media distribution tops the list, followed by hacking. IT-savvy states also lead in hacking incidents.

That brings me to the issue of the IT Act amendment that was passed on Dec 23, 2008.

http://economictimes.indiatimes.com/articleshow/msid-3875931,prtpage-1.cms

http://prsindia.org/docs/bills/1168510210/1168510210_The_Information_Technology__Amendment__Bill__2006.pdf

There have been grumblings about how the bill was passed without any discussion. But keeping that aside, the amendments do seem to reflect the cyber crime trends.

Specific amendments have been added to deal with obscene content, privacy and data handling. Digital signatures are being given more legal standing, and the government is given more power for interception and analysis.

While the bill is a welcome move, the overall issue in my opinion is still awareness and enforcement of cyber laws.


On that note, wishing you a Very Happy New Year !!


Cloud computing a gift or curse?

Cloud computing, an old principle often confused with grid computing, has started to grow as a complete Software as a Service (SaaS) model. But is the world ready to jump on board? Are you ready for this? Are the cloud providers ready?

Are customers ready to trust a service provider to store their private data?

Individual home users have very little information that has to be secured, but what about advertisements based on user data? Where is the user's privacy? Should the user have to buy privacy?

As a corporate, do we wish to store company-specific information on a server over which we have no control? What about NDAs? What if my data is sold or stolen without my knowledge?

Is it really worth it, in terms of ROI?

Individual users have very little sensitive data, and there seems to be no big benefit in accessing information wherever the user goes, other than the mailbox.

But for a corporate, yes, there is a huge benefit in terms of principal equipment cost and support and maintenance charges, with software as a utility rather than an investment in capital assets. Think about the number of laptops lost every year and the security risk involved with stolen laptops or any other thick clients. The boon of accessing information from anywhere without any additional cost or infrastructure is very attractive for a global business.

As security experts, we would rather organize all the data in one place and secure that place tightly than secure each and every thick client.

Some ways to overcome these problems:

· Ensure more transparency between cloud service providers and cloud consumers.
· Have better SLAs and clear security, privacy and data ownership policies.
· The provider should have both physical and logical security infrastructure.
· Trusted third parties should oversee the cloud service provider's activity and compliance.


High time, the Real world mimics the Digital world

I am in Hyderabad attending the DSCI (Data Security Council of India) conference (http://www.nasscom.in/Nasscom/Templates/CustomEvents.aspx?id=54143). Aujas also did a one-day training on Application Security, which was well received.

Naturally, the recent unfortunate events in Mumbai have formed the backdrop for a lot of speeches, offline discussions and dinner conversations.

One recurring theme in the conference, and in the security industry, is people being the weakest link. It could be lack of awareness, lack of empowerment or lack of responsibility. Enterprise security cannot be complete without this aspect.

Taking it to the national level, it is becoming apparent that it is high time for common people to join hands with the government on national security. It is heartening that there is a strong urge among security professionals to contribute in some way to national security. This makes sense, given that the patterns of digital security and national security are very similar.

In the given instance, one can easily draw analogies between digital security and national security:

· Perimeter security (sea route),
· Intrusion detection (terrorists stayed inside without detection),
· Deep packet inspection and incident response (delayed response),
· Management commitment (lack of political will),
· Employee awareness (suspicious activity was not reported to anyone),
· Background checks, business intelligence and correlation (co-operation among intelligence agencies),
· Risk management (national security policy)

have all become more significant than ever before. Moreover, the digital world is more advanced, as it is easier to attack and hence security mechanisms have evolved alongside the attacks. So far the digital world has mimicked the real world, but given this evolution, is it time for the real world to mimic the digital world?


Two-factor authentication – Getting Security basics right

I have online accounts with many financial institutions and I do most of my transactions online. Being a security conscious user, I take all precautions for using strong and different passwords, along with managing my passwords in a secure way. But frankly, all this is too complicated. The fear of mis-managing the passwords and the possibility of your bank account being pilfered remains.

Password-based authentication is past its use-by date. With the current advances in technology and skills, password authentication is like handing the passbook to whoever mentions the account number (an unsophisticated but real-life example from non-urban banking in India until a couple of years back). I am not going into the details of how a password can be cracked or learned by others. The main problem is that once the password is known, the intruder's job is done and he has uninterrupted access.

Two-factor authentication alleviates this by adding one more factor for authentication. Along with the password (something you know), you need to provide information based on something you have. One of my banks has given me a security token which generates a unique number every time I press a key. I need to enter this number along with the password for authentication. So even if my password is compromised, an intruder cannot log in, as he does not have the token and cannot supply the unique number. Of course there are various other ways to provide the second factor based on what you have (software-based token, phone, cell phone); the advantages are the same.

Note that two-factor authentication is not a solution for Man-in-the-Middle or Trojan attacks. Neither of these attacks needs you to input passwords or unique numbers. These attacks, which take place with the help of phishing, are more active threats to be worried about. But that is a topic for another post.

In summary, by using two-factor authentication we are just strengthening an already existing security mechanism against a known threat, and not really dealing with any new threats. In that way, two-factor authentication has become a first step in any security implementation.
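The "press a key, get a unique number" token described above is an event-based one-time password. What follows is an added example of the server side of that scheme, written for this page and not taken from the post or from any bank's product: HOTP as defined in RFC 4226 (HMAC-SHA1 over a counter), plus a verifier that keeps the counter, tolerates key presses that never reached the server via a small look-ahead window, and refuses a code once it has been used. The secret is the RFC 4226 test-vector key, used only so the output can be checked; the `HotpVerifier` class and its `window` parameter are this example's own names.

```python
"""Server-side verification of an event-based one-time password (HOTP, RFC 4226).

Added example, not from the Aujas post. Models the hardware token described
above: each key press advances a counter on the token, and the server
accepts a code only if it matches a counter inside a small look-ahead
window and has not already been consumed.
"""
import hashlib
import hmac


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Holds the server-side counter for one token (hypothetical class name).

    `window` bounds how far ahead of its own counter the server will search,
    covering presses whose codes were never submitted. A successful match
    moves the counter past the matched value, so the same code cannot be
    replayed and codes behind the counter are never accepted.
    """

    def __init__(self, secret, window=5, digits=6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.counter = 0  # next counter value the server expects

    def verify(self, submitted):
        for c in range(self.counter, self.counter + self.window):
            # constant-time comparison against each candidate in the window
            if hmac.compare_digest(hotp(self.secret, c, self.digits), submitted):
                self.counter = c + 1
                return True
        return False


RFC4226_SECRET = b"12345678901234567890"  # test-vector key from RFC 4226, Appendix D


def demo():
    """Token presses 0, 1 and 2: the first code is used, the second is lost
    (never typed), the third is typed, then the first code is replayed."""
    v = HotpVerifier(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    third = hotp(RFC4226_SECRET, 2)  # press 1 was skipped by the user
    return {
        "first accepted": v.verify(first),
        "third accepted after resync": v.verify(third),
        "replay of first rejected": not v.verify(first),
        "server counter": v.counter,
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Note what the verifier cannot tell: whether the person who typed a valid code was the account holder or a phishing site relaying it within seconds. That is exactly the Man-in-the-Middle caveat the post makes; the counter only stops a code from being used twice, not from being used once by the wrong party.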


Why is measuring what you protect important?

One suggestion I always get from visitors to my house is to add additional security measures. Instances of all sorts of potential attacks and burglaries are quoted. Some suggestions are good, but some are downright impractical (apart from the fact that it is not easy to make major alterations to the house). My standard response is that the current security is enough to protect the assets in the house. At any instant, I know approximately how much I am going to lose (in monetary terms) in case of a burglary.

Of course the psychological effects or physical harm cannot be that easily quantified. My 5-year-old son is still shocked that someone tried to break into our neighbour's house a couple of months earlier. So the security mechanisms at my house are a sort of trade-off, considering the loss of tangibles and intangibles and how much I am willing to spend.

Business security is much more complex, but very similar to the personal security example quoted above. It should protect the organization and its ability to perform its mission, not just its IT assets. It should also consider factors like loss of confidence and bad publicity, and the perception of the market, investors and all stakeholders. Finally, it should also take into consideration the amount of money spent on security versus the value of the assets being protected.

Any risk assessment activity starts with understanding and collecting system-related information. The paper from NIST (link given below) elaborates on this activity. It classifies and gives details of the IT system-related information which can be collected. It also enumerates some techniques to collect such information.

http://www.mirrorservice.org/sites/ftp.wiretapped.net/pub/security/info/reference/nist/draft-special-publications/sp-800-30-rev-a-draft.pdf

Another related activity is business impact analysis. It analyzes the impact associated with the compromise of information assets, based on a qualitative or quantitative assessment of the sensitivity and criticality of those assets. Identifying, classifying and associating a cost with the information helps to concentrate on realistic threats among the innumerable threat perceptions. It would also help in deciding the quantity of investment and any other trade-offs to be made with respect to security.

We automatically do risk assessment and impact analysis when it comes to our personal security, to ensure a comfort level. Organizations need to do the same, but in a more systematic way. Only then will they be sure how much to spend on security and where to focus. It would also be a good beginning for measuring the Security Return on Investment (RoI).
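The "how much to spend and where to focus" question above has a standard quantitative form, shown here as an added example that is neither the post's nor the linked NIST document's code: each asset gets a value, an exposure factor (fraction lost per incident) and an annual rate of occurrence, giving an annualised loss expectancy (ALE = asset value x exposure factor x rate); a candidate control is then judged by ROSI, the loss it prevents minus its cost, divided by its cost. The formulas are the common ones used in quantitative risk assessment; the register, the `Risk` and `Control` names and every monetary figure are constructed for illustration.

```python
"""Quantitative risk register and security ROI comparison.

Added example, not from the Aujas post or the NIST paper it links. Uses the
standard annualised-loss formulas:
    SLE  = asset value x exposure factor   (loss from one incident)
    ALE  = SLE x ARO                        (expected loss per year)
    ROSI = (ALE reduction - control cost) / control cost
All asset values, rates and control costs are constructed.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    asset_value: float      # monetary value of the asset (constructed)
    exposure_factor: float  # fraction of value lost in one incident, 0..1
    aro: float              # expected incidents per year

    @property
    def sle(self):
        """Single loss expectancy."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self):
        """Annualised loss expectancy."""
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    covers: str                 # asset the control protects
    aro_reduction: float = 0.0  # fraction by which it cuts incident frequency
    ef_reduction: float = 0.0   # fraction by which it cuts loss per incident


def rank_risks(register):
    """Largest expected annual loss first: where to focus."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


def rosi(risk, control):
    """Return (residual ALE, ROSI). A negative ROSI means the control costs
    more per year than the loss it prevents, which is the "spend versus value
    of the asset" check the post argues for."""
    residual = Risk(
        risk.asset,
        risk.asset_value,
        risk.exposure_factor * (1 - control.ef_reduction),
        risk.aro * (1 - control.aro_reduction),
    )
    saving = risk.ale - residual.ale
    return residual.ale, (saving - control.annual_cost) / control.annual_cost


def evaluate(register, controls):
    """Map each control name to (residual ALE, ROSI) for the risk it covers."""
    by_asset = {r.asset: r for r in register}
    return {c.name: rosi(by_asset[c.covers], c) for c in controls}


# Constructed register for a small firm; the numbers are illustrative only.
REGISTER = [
    Risk("customer database", 500_000, 0.6, 0.2),  # ALE 60,000
    Risk("staff laptops", 50_000, 0.5, 2.0),       # ALE 50,000 (frequent, cheap losses)
    Risk("public website", 100_000, 0.3, 0.5),     # ALE 15,000
]

CONTROLS = [
    Control("full-disk encryption", 8_000, "staff laptops", ef_reduction=0.9),
    Control("database activity monitoring", 40_000, "customer database", aro_reduction=0.5),
    Control("premium web application firewall", 30_000, "public website", aro_reduction=0.8),
]


if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.asset:26} ALE {r.ale:>10,.0f}")
    for name, (residual, roi) in evaluate(REGISTER, CONTROLS).items():
        print(f"{name:36} residual ALE {residual:>9,.0f}  ROSI {roi:+.2f}")
```

With these constructed figures the laptops rank second by expected loss yet the cheap laptop control is the only one that pays for itself, while the expensive controls on the two higher-value assets both prevent less loss than they cost. That is the point of measuring first: the intuitive "protect the most valuable asset hardest" answer is not the same as "spend where the expected loss reduction justifies the spend".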


VOIP and Security

TRAI released a recommendation on VOIP in August this year (http://www.trai.gov.in/trai/upload/Recommendations/99/recom18aug08.pdf).

This has removed the final hurdle to implementing VOIP on a large scale, and has been hailed as a step in the right direction.

While the benefits are many, including cost savings, ease of implementation, convergence and value-added services, VOIP also brings with it a slew of security issues.

For Service Providers:

One of the interesting aspects, telephony being of national importance, is Lawful Interception. The recommendation, while noting the vulnerabilities of the internet as a medium, states that along with strong encryption, service providers need to make sure interception is possible. But given the real-time nature of VOIP networks, the latency introduced by security is a big concern.

This adds significant complexity for service providers. Moreover, VOIP networks are prone to fraud, and sophisticated controls are needed to block man-in-the-middle attacks and call fraud, to stop unscrupulous people from stealing network time.

For Customers:

Given the benefits, it makes business sense for enterprises to go for VOIP solutions. However, one needs to take care of the security issues with VOIP: it is easy to spoof and is open to interception.

Security solutions including voice-based firewalls (telecom firewalls) may need to be implemented to protect the VOIP network. Regular audits of the telecom network are also a must, to safeguard against known and newly found vulnerabilities.

It is essential to treat a VOIP network like any other network and manage its security.


PCI DSS 1.2 and Wifi Security

Wi-Fi security has caught the attention of laymen and experts alike. After the recent frenzy in the media, it is now the turn of the regulators and compliance frameworks. PCI DSS 1.2 (https://www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf) has been released and is seen as an improvement rather than a replacement for PCI DSS 1.1. Of the few changes, two are significant: one is the mandatory application security aspect, which was announced earlier, and the other is the stringent measures suggested for Wi-Fi.

PCI DSS 1.2 now mandates the use of 802.1x for Wi-Fi networks. Current 802.11i implementations that use WEP and WPA need to be replaced. New implementations of WEP are not allowed after March 31, 2009, and current Wi-Fi implementations must discontinue the use of WEP after June 30, 2010. 802.1x uses a client, a service provider and an authentication server (such as RADIUS) as part of the access control, and provides sophisticated access control. While the intention seems to be to secure the Wi-Fi network, this will in fact drive proper identity and access management throughout the enterprise.

Another interesting aspect is that turning off the SSID broadcast has been removed and is no longer a requirement. The reason given is that it wouldn't help much, as the SSID is available through other communication channels. Given that security is always a layered approach, I wonder what the necessity of removing this was. Convenience? Your comments are welcome!


Are you the culprit if your Wi-Fi is hacked?

There has been a lot of news and noise about Wi-Fi hacking. Given the sensational background, it is justified, and there are a lot of suggestions on do's and don'ts, mostly directed at end consumers. This makes me wonder: whose responsibility is security?

One answer is, yes, it is the responsibility of everyone involved. But look at the scenario here in India. The government is very keen on providing broadband availability to the masses. However, the average person who uses the internet is not very computer literate and definitely not very security aware.

Most people know only the bare minimum utilities to get the job done, and many rely on the service provider's engineer to take care of everything. Take the Wi-Fi router, for example: most service providers plug the router into the socket, power it on and walk away. That is what they did in my home. In many cases they disable the wireless encryption key for ease of use. How would an average user know what the security aspects are and protect against them?

It is interesting to see the legal aspects of this as well. Assuming a Wi-Fi modem is hacked:

• Who is the culprit? Who should the law catch hold of?
• How would they establish that it was hacked?
• If the security is lax, who takes the blame?

Ignorance is not considered an excuse in Indian law, but given the highly skilled nature of security, would this still apply? I do not think these issues are addressed anywhere; but if you know, please do send a note.

Finally, needless to say, do secure your Wi-Fi router. I would say follow these three steps, depending on how concerned you are:

1) Use WPA with strong encryption key,
2) Turn off the SSID broadcast,
3) Turn off the wireless router if you are not using it.

I would like to see your thoughts on this.
