Aujas Blog

Cyber Crime and IT Act

Recently I came across two interesting pieces of information in one of the online security forums (InfoSec).

One is statistics on registered cyber crime cases in India (http://ncrb.nic.in/CII2007/cii-2007/CHAP18.pdf).

A very interesting data collection, and it seems to follow the general IT trends in India.

Cyber crime is classified under the IPC and the IT Act. IPC-related cyber crimes are generic crimes that use an electronic medium as an aid (forged electronic documents), whereas the IT Act specifically covers hacking and other computer-specific crimes.

Some highlights: most of the defendants are in the age group 18-30, with most cases in Karnataka, Kerala, Andhra and Maharashtra, and the metros leading. Obscene media distribution tops the list, followed by hacking. The IT-savvy states also lead in hacking incidents.

That brings me to the IT Act amendment that was passed on Dec 23, 2008.

http://economictimes.indiatimes.com/articleshow/msid-3875931,prtpage-1.cms

http://prsindia.org/docs/bills/1168510210/1168510210_The_Information_Technology__Amendment__Bill__2006.pdf

There have been grumblings about how the bill was passed without any discussion. But keeping that aside, the amendments do seem to reflect the cyber crime trends.

Specific amendments are added to deal with obscene content, privacy and data handling. Digital signatures are given firmer legal standing, and the government is given more power for interception and analysis.

While the bill is a welcome move, the overall issue in my opinion is still awareness and enforcement of cyber laws.

On that note, wishing you a Very Happy New Year !!


Cloud computing a gift or curse?

Cloud computing, an old principle often confused with grid computing, has started to grow into complete Software as a Service (SaaS). But is the world ready to jump on board? Are you ready for this? Are the cloud providers ready?

Are the customers ready to trust a service provider to store their private data?

Individual home users have very little information that has to be secured, but what about advertising based on the user's data? Where is the user's privacy? Should the user buy privacy?

As a corporate, do we wish to store company-specific information on a server over which we have no control? What about NDAs? What if my data is sold or stolen without my knowledge?

Is it really worth the ROI?

Individual users have very little sensitive data, and there seems to be no big benefit in accessing information wherever the user goes, other than the mailbox.

But as a corporate, yes, there is a huge benefit in terms of principal equipment cost and support and maintenance charges for software as a utility rather than an investment in capital assets. Think about the number of laptops that are lost every year and the security risk involved with stolen laptops or any other thick clients. The boon of accessing information from anywhere without any additional cost and infrastructure is very attractive for a global business.

Being security experts, we would rather organize all the data in one place and secure that place tightly than secure each and every thick client.

Some ways to overcome these problems:

• Ensure more transparency between the cloud service providers and cloud consumers.

• Have better SLAs and clear security policies, privacy policies and data ownership policies.

• The provider should have both physical and logical security infrastructures.

• Trusted third parties should oversee the cloud service provider's activities and compliance.


High time, the Real world mimics the Digital world

I am in Hyderabad attending the DSCI (Data Security Council of India) conference (http://www.nasscom.in/Nasscom/Templates/CustomEvents.aspx?id=54143). Aujas also did a one-day training on Application Security, which was well received.

Naturally, the recent unfortunate events in Mumbai have formed the backdrop for a lot of speeches, offline discussions and dinner conversations.

One of the recurring themes in the conference and in the security industry is people being the weakest link. It could be lack of awareness, lack of empowerment or lack of responsibility. Enterprise security cannot be complete without this aspect.

Taking it to the national level, it is becoming apparent that it is high time for common people to join hands with the government on national security. It is heartening that there is a strong urge among security professionals to contribute in some way to national security. This makes sense given that the patterns of digital security and national security are very similar.

In the given instance, one can easily draw analogies between digital security and national security:

• Perimeter security (sea route),

• Intrusion detection (terrorists stayed inside without detection),

• Deep packet inspection, incident response (delayed response),

• Management commitment (lack of political will),

• Employee awareness (suspicious activity was not reported to anyone),

• Background checks, business intelligence and correlation (co-operation among intelligence agencies) and finally

• Risk management (national security policy)

have all become more significant than ever before. Moreover, the digital world is more advanced because it is easier to attack, and hence its security mechanisms have evolved along with the attacks. So far the digital world has mimicked the real world, but given this evolution, is it time for the real world to mimic the digital world?


Two-factor authentication – Getting Security basics right

I have online accounts with many financial institutions and I do most of my transactions online. Being a security-conscious user, I take all precautions, using strong and different passwords and managing my passwords in a secure way. But frankly, all this is too complicated. The fear of mismanaging the passwords and the possibility of your bank account being pilfered remains.

Password-based authentication is past its use-by date. With the current advances in technology and skills, password authentication is like handing the passbook to whoever mentions the account number (an unsophisticated but real-life example from non-urban banking in India until a couple of years back). I am not going into the details of how a password can be cracked or learned by others. The main problem is that once a password is known, the intruder's job is done and he has uninterrupted access.

Two-factor authentication alleviates this by adding one more factor for authentication. Along with the password (something you know), you need to provide information based on something you have. One of my banks has given me a security token which generates a unique number every time I press a key. I need to enter this number along with the password for authentication. So even if my password is compromised, an intruder cannot log in, as he does not have this token and cannot supply the unique number. Of course there are various other ways to provide the second factor based on what you have (software-based token, phone, cell phone). The advantages are the same.

Note that two-factor authentication is not a solution for man-in-the-middle or Trojan attacks. Neither of these attacks needs your passwords or unique numbers. These attacks, which take place with the help of phishing, are the more active threats to be worried about. But that is a topic for another post.

In summary, by using two-factor authentication we are just strengthening the existing security mechanism against a known threat, not really dealing with any new threats. In that way, two-factor authentication has become a first step in any security implementation.
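The key-press token described above is an event-based one-time code generator. The following is an added example, not code from the original post or from any bank, showing how a server verifies such codes and why a stolen password alone no longer suffices: it implements the RFC 4226 HOTP algorithm with a look-ahead window, refuses any code at or behind the counter it has already consumed, and checks the password before touching the token state. The `TokenVerifier` and `Account` classes and the `window` parameter are this example's own constructions; the secret is the RFC 4226 Appendix D test-vector secret so the printed codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based one-time code as in RFC 4226 (HOTP): HMAC-SHA1 over the
    8-byte big-endian counter, dynamically truncated to `digits` digits.
    A hardware token that prints a new number on every key press computes
    exactly this, incrementing its counter each time."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side state for one user's token (constructed for this example).

    `counter` is the next counter value the server will accept. `window` is how
    many unused key presses are tolerated ahead of it, because a user may press
    the button without completing a login. Anything at or behind the counter is
    refused, so a code that was already used once cannot be replayed later."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # consume this press and any skipped ones
                return True
        return False


class Account:
    """Something you know (password) plus something you have (token)."""

    def __init__(self, password: str, token_secret: bytes):
        # Real systems store a salted password hash; a raw string is used here
        # only to keep the example short.
        self._password = password
        self.token = TokenVerifier(token_secret)

    def login(self, password: str, code: str) -> bool:
        # Check the password first: the token counter only advances when the
        # first factor is right, so code guessing cannot desynchronise the token.
        if not hmac.compare_digest(self._password.encode(), password.encode()):
            return False
        return self.token.verify(code)


# RFC 4226 Appendix D test secret, used so the codes below are checkable.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    acct = Account("correct horse", TEST_SECRET)
    first = hotp(TEST_SECRET, 0)            # what the token shows on press 1
    print("token shows:", first)            # 755224 for this secret
    print("login:", acct.login("correct horse", first))              # True
    print("replay of same code:", acct.login("correct horse", first))  # False
    print("password only, no token:", acct.login("correct horse", "000000"))  # False
```

Note what this gives and what it does not: a code captured and reused later is rejected, but a code relayed to the bank in real time by a man-in-the-middle or a Trojan on the user's machine is still fresh when it arrives, which is exactly the limitation the post points out.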


Why measuring what you protect is important

One suggestion I always get from visitors to my house is to add additional security measures. Instances of all sorts of potential attacks and burglaries are quoted. Some suggestions are good, but some are downright impractical (apart from the fact that it is not easy to make major alterations to the house). My standard response is that the current security is enough to protect the assets in the house. At any instant, I know approximately how much I am going to lose (in monetary terms) in case of a burglary.

Of course the psychological effects or physical harm cannot be that easily quantified. My 5-year-old son is still shocked that someone tried to break into our neighbour's house a couple of months earlier. So the security mechanisms at my house are a sort of trade-off, considering the loss of tangibles and intangibles and how much I am willing to spend.

Business security is much more complex, but very similar to the personal security example quoted above. It should protect the organization and its ability to perform its mission, not just its IT assets. It should also consider factors like loss of confidence and bad publicity, and the perception of the market, investors and all stakeholders. Finally, it should also take into consideration the amount of money spent on security versus the value of the assets being protected.

Any risk assessment activity starts with understanding and collecting system-related information. The paper from NIST (link given below) elaborates on this activity. It classifies and details the IT system-related information which can be collected. It also enumerates some techniques to collect such information.

http://www.mirrorservice.org/sites/ftp.wiretapped.net/pub/security/info/reference/nist/draft-special-publications/sp-800-30-rev-a-draft.pdf

Another related activity is business impact analysis. It analyzes the impact associated with the compromise of information assets, based on a qualitative or quantitative assessment of the sensitivity and criticality of those assets. Identifying, classifying and associating a cost with the information helps to concentrate on realistic threats among the innumerable threat perceptions. It also helps in deciding the amount of investment and any other trade-offs to be made with respect to security.

We automatically do risk assessment and impact analysis when it comes to our personal security, to ensure a comfort level. Organizations need to do the same, but in a more systematic way. Only then will they be sure how much to spend on security and where to focus. It would also be a good beginning for measuring the Security Return on Investment (RoI).
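One systematic way to do what the post describes, as an added example that is not from the post or from the NIST document: classify assets, put a value on them, compute the expected annual loss per threat (the usual SLE = AV x EF and ALE = SLE x ARO quantities), rank the threats, and compare a control's yearly cost against the loss it avoids. The asset values, threats, rates and controls here are constructed for illustration; the `Asset`, `Threat` and `Control` classes are assumed structures, not any standard's schema. Intangibles such as loss of confidence are not captured by these numbers and still need a qualitative rating alongside.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    value: float           # asset value (AV) in currency units, agreed with the owner
    classification: str    # sensitivity label from the classification exercise


@dataclass
class Threat:
    name: str
    asset: Asset
    exposure_factor: float  # EF: fraction of the asset value lost per incident, 0..1
    annual_rate: float      # ARO: expected number of incidents per year


@dataclass
class Control:
    name: str
    annual_cost: float
    # threat name -> fraction of that threat's rate the control removes (0..1)
    mitigates: Dict[str, float] = field(default_factory=dict)


def single_loss_expectancy(t: Threat) -> float:
    """SLE = AV x EF: cost of one incident."""
    return t.asset.value * t.exposure_factor


def annualized_loss_expectancy(t: Threat) -> float:
    """ALE = SLE x ARO: expected loss per year from this threat."""
    return single_loss_expectancy(t) * t.annual_rate


def rank_threats(threats: List[Threat]) -> List[Threat]:
    """Highest expected annual loss first: this is where to focus."""
    return sorted(threats, key=annualized_loss_expectancy, reverse=True)


def total_ale(threats: List[Threat], control: Optional[Control] = None) -> float:
    """Expected annual loss across all threats, with a control applied if given."""
    total = 0.0
    for t in threats:
        reduction = control.mitigates.get(t.name, 0.0) if control else 0.0
        total += annualized_loss_expectancy(t) * (1.0 - reduction)
    return total


def return_on_security_investment(threats: List[Threat], control: Control) -> float:
    """ROSI = (loss avoided - control cost) / control cost.
    Positive means the control saves more per year than it costs."""
    avoided = total_ale(threats) - total_ale(threats, control)
    return (avoided - control.annual_cost) / control.annual_cost


# Constructed sample inventory: illustrative numbers, not from any real assessment.
CUSTOMER_DB = Asset("customer database", 500_000, "confidential")
WEBSITE = Asset("public website", 100_000, "public")
LAPTOPS = Asset("laptop fleet", 50_000, "internal")

THREATS = [
    Threat("data breach", CUSTOMER_DB, exposure_factor=0.4, annual_rate=0.2),
    Threat("defacement", WEBSITE, exposure_factor=0.1, annual_rate=2.0),
    Threat("laptop theft", LAPTOPS, exposure_factor=0.05, annual_rate=10.0),
]

DISK_ENCRYPTION = Control("full-disk encryption", annual_cost=10_000,
                          mitigates={"laptop theft": 0.9})
WEB_FIREWALL = Control("web application firewall", annual_cost=30_000,
                       mitigates={"defacement": 0.8})

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.name:<14} ALE = {annualized_loss_expectancy(t):>10,.0f}")
    for c in (DISK_ENCRYPTION, WEB_FIREWALL):
        print(f"{c.name}: ROSI = {return_on_security_investment(THREATS, c):+.2f}")
```

With these constructed figures the data breach carries the largest expected loss even though it is the rarest event, disk encryption pays for itself, and the web firewall does not at that price; the point is that the decision follows from measured asset value and impact rather than from whichever threat was in the news last week.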


VOIP and Security

TRAI released a recommendation on VOIP in August this year (http://www.trai.gov.in/trai/upload/Recommendations/99/recom18aug08.pdf).

This has removed the final hurdle to implementing VOIP on a large scale, and has been hailed as a step in the right direction.

While the benefits are many, including cost savings, ease of implementation, convergence and value-added services, it also brings with it a slew of security issues.

For Service Providers:

One of the interesting aspects, telephony being of national importance, is that of lawful interception. The recommendation, while noting the vulnerabilities of the internet as a medium, notes that along with strong encryption, service providers need to make sure interception is possible. But given the real-time nature of VOIP networks, the latency introduced by security is a big concern.

This adds significant complexity for service providers. Moreover, VOIP networks are prone to fraud, and sophisticated controls are needed to block man-in-the-middle attacks and call fraud, to stop unscrupulous people from stealing network time.

For Customers:

Given the benefits, it makes business sense for enterprises to go for VOIP solutions. However, one needs to take care of the security issues with VOIP. It is easy to spoof and is open to interception.

Security solutions including voice-based firewalls (telecom firewalls) may need to be implemented to protect the VOIP network. Regular audit of the telecom network is also a must, to safeguard against known and newly found vulnerabilities.

It is essential to treat the VOIP network like any other network and manage its security.


PCI DSS 1.2 and Wifi Security

Wi-Fi security has caught the attention of laymen and experts alike. After the recent frenzy in the media, it is now the turn of the regulators and compliance frameworks. PCI DSS 1.2 (https://www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf) has been released and is seen as an improvement rather than a replacement for PCI DSS 1.1. Of the few changes, two are significant: one is the mandatory application security aspect which was announced earlier, and the other is the stringent measures suggested for Wi-Fi.

PCI DSS 1.2 now mandates the use of 802.1x for Wi-Fi networks. The current 802.11i implementations that use WEP and WPA need to be replaced. New implementations of WEP are not allowed after March 31, 2009. Current Wi-Fi implementations must discontinue use of WEP after June 30, 2010. 802.1x uses a client, a service provider and an authentication server (such as RADIUS) as part of the access control, and provides sophisticated access control. While the intention seems to be securing the Wi-Fi network, this will in fact drive proper identity and access management throughout the enterprise.

Another interesting aspect is that turning off the SSID broadcast has been removed and is no longer a requirement. The reason given is that it wouldn't help much, as the SSID is available through other communication channels. Given that security is always a layered approach, I wonder what the necessity of removing this was. Convenience? Your comments are welcome!


Are you the culprit, if your Wi-Fi is hacked ?

There has been a lot of news and noise made about Wi-Fi hacking. Given the sensational background, it is justified, and there are a lot of suggestions on do's and don'ts, mostly directed at end consumers. This makes me wonder: whose responsibility is security?

One answer is, yes, it is the responsibility of everyone involved. But look at the scenario here in India. The government is very keen on providing broadband to the masses. However, the average person who uses the internet is not very computer literate and definitely not very security aware.

Most people know only the bare minimum utilities to get the job done, and many rely on the service provider's engineer to take care of everything. Take the Wi-Fi router, for example: most service providers plug the router into the socket, power it on and walk away. That is what they did in my home. In many cases they disable the wireless encryption key for ease of use. How would an average user know what the security aspects are and protect against them?

It is interesting to see the legal aspects of this as well. Assuming a Wi-Fi modem is hacked:

• Who is the culprit? Who should the law catch hold of?
• How would they establish that it was hacked?
• If the security is lax, who takes the blame?

In Indian law, ignorance is not considered an excuse; given the highly skilled nature of security, would this still apply? I do not think these issues are addressed anywhere, but if you know, please do send a note.

Finally, needless to say, do secure your Wi-Fi router. I would say follow these three steps, depending on how concerned you are:

1) Use WPA with strong encryption key,
2) Turn off the SSID broadcast,
3) Turn off the wireless router if you are not using it.

I would like to see your thoughts on this.


Design Flaws in Banking Sites

By now most of you would have seen the following news, which says 75% of banking sites have design flaws: http://in.news.yahoo.com/139/20080723/854/ttc-3-in-4-online-banking-sites-have-wid_1.html. The media is at it again, playing the FUD game and hyping the aspect relevant to them. Some in the Indian media have played up the fact that the researcher is of Indian origin, while many have played up the fear factor. What strikes me as most important is that the security flaw is a "design" issue rather than a code issue. Many sites haven't given details of what the flaws are, but one site does give enough detail; here is the link: http://www.redorbit.com/news/technology/1491509/widespread_flaws_in_online_banking_security_found/index.html

The key factors are as below.

  • Placing secure login boxes on insecure pages: A full 47 percent of banks were guilty of this. A hacker could reroute data entered in the boxes or create a spoof copy of the page to harvest information. In a wireless situation, it's possible to conduct this man-in-the-middle attack without changing the bank URL for the user, so even a vigilant customer could fall victim. To solve this problem, banks should use the standard "secure socket layer" (SSL) protocol on pages that ask for sensitive information, (SSL-protected pages begin with https rather than http.) Most banks use SSL technology for some of their pages, but only a minority secure all their pages this way.
  • Putting contact information and security advice on insecure pages: At 55 percent, this was the flaw with the most offenders. An attacker could change an address or phone number and set up his own call center to gather private data from customers who need help. Banks tend to be less cautious with information that's easy to find elsewhere, Prakash says. But customers trust that the information on the bank's site is correct. This problem could be solved by securing these pages with the standard SSL protocol.
  • Having a breach in the chain of trust: When the bank redirects customers to a site outside the bank's domain for certain transactions without warning, it has failed to maintain a context for good security decisions, Prakash says. He found this problem in 30 percent of the banks surveyed. Often the look of the site changes, as well as URL and it's hard for the user to know whether to trust this new site. The solution is to warn users they'll be moving off the bank's site to a trusted new site. Or the bank could house all of its pages on the same server. This problem often arises when banks outsource some security functions.
  • Allowing inadequate user IDs and passwords: Researchers looked for sites that use social security numbers or e-mail addresses as user ids. While this information is easy for customers to remember, it's also easy to guess or find out. Researchers also looked for sites that didn't state a policy on passwords or that allowed weak passwords. Twenty-eight percent of sites surveyed had one of these flaws.
  • E-mailing security-sensitive information insecurely: The e-mail data path is generally not secure, yet 31 percent of bank Web sites had this flaw. These banks offered to e-mail passwords or statements. In the case of statements, users often weren't told whether they would receive a link, the actual statement, or a notification that the statement was available.

This is to me a classic SDLC (Software Development Life Cycle) issue. As anyone worth their keyboard in the software development world knows, the earlier a flaw creeps into the cycle, the more costly and time-consuming the fix becomes. The root cause, again, is that security was never part of the original software development philosophy. It was always an afterthought or an add-on, and even now, when there is considerable awareness, security is limited to access control and encryption rather than comprehensive security. It is high time critical software development adopted thorough secure SDLC approaches.
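The first three items in the list above are things a bank can check for mechanically in its own pages before release. The following added example, not code from the article or from the researchers it quotes, audits a page's HTML for a password form on a non-https page or one posting to a non-https action, for contact details (`mailto:`/`tel:` links) on a non-https page, and for links whose host differs from the page's own (which should at least trigger a warning to the user). The sample HTML and hostnames are constructed; real subdomains owned by the bank would need a site-specific allow-list.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlparse


class _PageScanner(HTMLParser):
    """Collects forms (and whether each holds a password field) and link targets."""

    def __init__(self):
        super().__init__()
        self.forms = []     # each: {"action": str, "has_password": bool}
        self.links = []     # raw href values
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_page(page_url: str, html: str) -> List[Tuple[str, str]]:
    """Return (finding code, detail) pairs for the design flaws discussed above."""
    findings = []
    page = urlparse(page_url)
    scanner = _PageScanner()
    scanner.feed(html)

    for form in scanner.forms:
        if not form["has_password"]:
            continue
        # Flaw 1: a login box on a page that itself was not served over SSL.
        if page.scheme != "https":
            findings.append(("LOGIN_ON_INSECURE_PAGE", page_url))
        # Even on an https page, the credentials must not be posted over http.
        action = urlparse(urljoin(page_url, form["action"]))
        if action.scheme != "https":
            findings.append(("LOGIN_POSTS_OVER_HTTP", action.geturl()))

    for href in scanner.links:
        target = urlparse(urljoin(page_url, href))
        # Flaw 2: contact details the customer will trust, on an unprotected page.
        if target.scheme in ("mailto", "tel") and page.scheme != "https":
            findings.append(("CONTACT_INFO_ON_INSECURE_PAGE", href))
        # Flaw 3: leaving the bank's domain; the user should be warned first.
        elif (target.scheme in ("http", "https") and target.hostname
              and target.hostname != page.hostname):
            findings.append(("LINK_LEAVES_BANK_DOMAIN", target.geturl()))
    return findings


# Constructed sample page; not any real bank's HTML.
SAMPLE_HTML = """
<html><body>
<form action="https://secure.examplebank.test/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<a href="mailto:help@examplebank.test">Contact us</a>
<a href="http://statements.thirdparty.test/view">View statements</a>
<a href="/about">About us</a>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in audit_page("http://www.examplebank.test/", SAMPLE_HTML):
        print(code, detail)
```

Running a check like this as part of release testing is one concrete way to make the secure SDLC practice described above routine rather than an afterthought: the flaw is caught on the build, not in a survey published after the site has gone live.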


SaaS, SaaS and Security of SaaS

Tapan Garg from GreatCIO (http://www.greatcio.com/profiles/blog/show?id=2034180%3ABlogPost%3A8236) hosted a breakfast event for CIOs in India where Lakshman Badiga from Wipro spoke about how to be a great CIO. At the end of the show, all those present were asked about the new initiatives they are planning in the current year. Everyone present mentioned variations of virtualization, SaaS and SOA. Although purist software architects will flame me for this, I tend to club all these under the keyword SaaS (Software as a Service). BTW, there was also mention of green IT; is there a concept called green security? But more about that later.

It looks like SaaS is here to stay and seems to have moved from the concept and hype stage to mass implementation.

As a security person I have been a keen observer of this trend. On one hand, we keep hearing about how hacking attempts have moved from external to internal and from network-centric to application-centric, and on the other hand even internal applications are moving to the external domain. The implications for security are quite obvious. One cannot rely on external controls alone for security, so built-in security (software security) is a big stress point. Apart from building these securely, there is also a need to constantly monitor them through vulnerability analysis.

Another key characteristic of SaaS is multi-tenancy. So access control is a key issue, and this brings with it all the aspects of privacy and data security. Robust identity and access management is essential, not to mention compliance and regulation management.

What about Security as a Service (another SaaS)? All the aspects I mentioned above (in bold) need to be part of the (security) SaaS infrastructure, but in essence this infrastructure might itself be providing these services to others. I never stop being amazed by these recursive patterns.

