Manchurian Microchip
Viruses and Trojans that come via e-mail
attachments or SQL injections have been known for some time. However, as
Cyber Crime developed as an industry, a new dimension of Cyber Crime known as
“Cyber Terrorism” followed. In these new avatars of Cyber Crime, the
resources available to criminals increased manifold.
In the last few years, yet another upgradation
occurred in Cyber Crime with the evolution of Cyber Wars, where
the State supported the setting up of an infrastructure within enemy
territory which could be exploited in times of need.
“Manchurian Chip” is the outcome of such a
development. It represents the rogue microchip embedded in hardware
devices, programmed to provide a backdoor entrance to a designated
network. While it could be useful for remote servicing by the
manufacturer, it could also be used maliciously by any person to steal the
information of the user or otherwise usurp control of the user’s computer.
A concept which emanated out of a 1959
novel “The Manchurian Candidate”, where a POW is brainwashed to act under
the control of an enemy force upon a trigger, has now assumed greater
relevance because of the exploits of the Chinese in the hardware market.
According to highly placed intelligence
sources in the USA, there is a distinct possibility that computers assembled in
China and using Chinese-made hardware could be embedded with such spying
microchips.
Scotland Yard has identified such chips in
the Credit Card swiping machines supplied to the UK market by a Chinese
firm. It was speculated that these machines were doctored to send credit
card information to a Chinese IP address and could have been used by
Al-Qaeda for terror funding.
Hardware related risks are therefore the
biggest challenge to Information Security professionals. Just as we need
to insist on “Source Code Audit” in respect of Software, it has become
necessary for hardware purchasers to extensively check for possible
presence of Manchurian Microchips in the hardware supplied to them.
Telecom Security Certification Authority
In order to overcome the risks of secret
codes embedded in software and hardware supplied by international vendors
it is necessary to ensure that any software or hardware used in India in
the telecom industry, should be subject to a “Security Certification”
where an accredited agency would check the software/hardware appropriately
and certify them as safe to use.
The Indian Government has recognized this risk
and has initiated some counter action in this regard. Accordingly, the
Telecom Regulatory Authority has made Security
Certification mandatory in respect of Telecom equipment supplied to Indian service
providers.
Presently, the Telecom industry proposes to
use British Telecom to check the security of Chinese Telecom equipment.
Such certification is also necessary for
the IT industry particularly in Government establishments and other
“Critical Infrastructure Resources” as defined in ITA 2008.
While ITA 2008 takes the responsibility of
introducing enabling provisions in law to make the suppliers of such
software or hardware liable under Section 66F of ITA 2008 for Cyber
Terrorism and impose a maximum of “Life Imprisonment”, the mechanism for
implementing the certification is still in its infancy.
Will the Indian Government develop in-house
capability for such testing and certification? Or will it depend on
commercially available international security certification agencies? Or
will it take the assistance of US Security agencies that otherwise provide
such support to the US Government? These are some of the issues which still
require to be sorted out.
Terrorists use Hacked Website to Mobilize Resources
Some of the recent Phishing and hacking of
E-Commerce websites in India indicate that the offence was committed by
persons who used the benefits either to raise cash for terrorist
operations or to meet some of their expenses.
Unfortunately, neither the affected Banks
nor E-Commerce Websites seem to have understood the seriousness of such
attempts and refuse to even keep the authorities informed. The Reserve Bank of
India has also failed to impose the necessary discipline in the industry to
ensure that all Cyber Crimes in the banks are appropriately reported,
though a system for such reporting does exist on paper. Hope this comment
will wake them up at least now.
Cyber Security Summit in Dallas
In the first week of May, a Cyber Security
Summit was held in Dallas, USA, in which experts from many countries
participated and discussed relevant issues. Though the organizers hailed
it as the “First” Cyber Security summit, people in India remember that
the Karnataka Government organized Cyber Security Summit 2009 last year in
Bangalore, which was a highly successful and path-breaking event in India.
What was interesting to observe was that
many of the Security functionaries in the Indian Government who skipped
the Bangalore Summit did not miss an opportunity to attend the US summit.
Hopefully they have come back with an
International Perspective which they can share with the Indian public when
the next Cyber Security Summit is held in Bangalore.
US Military Will Respond to a Cyber Terrorist Attack
Indicating the seriousness which the US
attaches to Cyber Space security, the US Military has confirmed that it
would use full force if necessary in response to a Cyber attack against
the United States.
India needs to appreciate that the kind of
attacks we experience from Pakistan is in the form of a
proxy war and what we face from China is in the form of a preparation for
a future dominance. We need to retaliate on both fronts.
Today US Cyber assets reside not only
within the US geography but also elsewhere. India is one of the major
outsourcing partners for the US and holds a big chunk of US Cyber Assets in a
proxy form. In the event that US Cyber assets in India are attacked, the
US military may consider it as its right to intervene in the defense.
Indian Companies who hold US cyber assets
and US companies in India need to recognize the US approach and develop
suitable compliance mechanisms.
Dow Jones Drops by 1000 points
The week ending 15th May saw a huge
drop of over 1000 points in the Dow Jones industrial index in the US, raising
speculation of a possible Cyber Terrorist attack. The Securities Exchange
Commission (SEC) has denied any confirmation of a cyber terrorist attack which
triggered 17 million transactions within 1 hour and 66 million
transactions on a single day. However the abnormal activity which overcame
the circuit breaker mechanisms also indicates the vulnerability of the
stock market system to software induced crashes. Whether the reason was an
error in entry of some transaction or a cyber terrorism attack or a kind
of virus, only further investigations would reveal.
What is the Next Target for Cyber Terrorists in India?
Security analysts predict that the next
target for Cyber Terrorists in India is the UIDAI which is setting up a
database of Indian residents with sensitive information which would in
due course be the base information for issue of Passports, Driving
Licenses and to perform KYC for Bank accounts.
It is suspected that terrorists would be
planting some of their sympathizers into UIDAI as employees and registration
agencies and ensure that in a couple of years the “Human Bombs” inside UIDAI
would help the terrorist organizations to access information from
UIDAI which can be misused.
Let’s watch how UIDAI is addressing the security issues from the Technical,
Legal and Human angles.