A cyber security strategic perspective on India’s security interests

-By Vinit Goenka, Chairman, Association of MSMEs, IT (AIM-IT) 

India, as a nation, today is facing a lot of heat from both its neighbors - China and Pakistan. With a territorial conflict dating over four decades between these nations, digital war has given a new shape and magnitude to the sovereignty of India. China and Pakistan have shaped up as all-weather allies as India makes a diplomatic shift in relations with the United States in recent years - with their primary agencies seeing India as the new friend in the era of developmental politics. In a 21st century warfare, the best tactic deployed by adversaries is to attack the psychology of the citizenry by creating mass dis-believe over their government machinery and creating a state of restlessness and panic.

Vinit Goenka, Chairman, Association of MSMEs, IT (AIM-IT)

#BankingBreach

In October 2016, as media reports flourished about a financial data breach, the commoner went erratic - dialing their respective bank customer care centers to know if their money was safe and rushed to change their pass phrases. But, it is worrisome, as I read in Hindustan Times/ Economic Times where it reported similar incidents dating back to February 2016. Our establishment was clueless until the digital adventures of private firms in early September caught other agencies off-guard and pointed out a breach risked 3.2 million cardholders. With a budget of Rs. 77383.12 crores for internal security, Rs. 2.58 lakh crores for defense and Rs. 24543.48 crores for telecom and IT infrastructure allocated by the Central Government during the Union Budget 2016, India stood helplessly in front of the data thieves. In this article, I shall express my views about India, as the nation needs to address and rectify to prevent such damage.

In Reuters, it mentions that the issue stemmed from a breach in systems of Hitachi Ltd - a Japanese company, subsidiary Hitachi Payment Services, which manages ATM network processing for Yes Bank Ltd. It will interest you to know that a possible compromise of one of the payment switch (a switch is part of the back-end network aiding ATM operations) provider's systems was responsible for data stolen from 90 ATMs, directly affecting 641 customers with loss of 13 million rupees from 19 Indian banks. As per data available with the World Bank, 0.689 billion people in India today hold a banking account – and most come with an ATM card in name sake of ease of operations. The problem didn't exist at Indian banks but at the switch as pointed by the NPCI Chief Executive A.P. Hota; and the spread to 19 banks was possible because of the convenience we exercise of using our cards at third-party ATMs.

My understanding tells me that to infect all the banks, the hacker doesn’t need to, technically, place a malware in all banks – it’s like a influenza, you infect one host with the germ – malware, the rest will automatically be done by the carrier agent – ATM customers. Here, to have your details sent out to the identity thieves, the basic requirement was to have the customer make transaction in an ATM connected to the infected switch, and to have fraudulent transactions happen over eight months clearly indicates how seriously Hitachi Payment Services did their security audits and maintain their infrastructure.

Most ATMs are basically PCs running on Windows XP, which makes them vulnerable as Microsoft itself has stopped support for the operating system. Also, most ATMs work on XFS standard – a set of standardization norms for ATM software – which is really old. CEN/XFS or XFS (eXtensions for Financial Services) provides a client-server architecture for financial applications on the Microsoft Windows platform and was last updated in 2011 as XFS v3.20, released by CEN.“XFS requires no authorization for the commands it processes, meaning that any app installed or launched on the ATM can issue commands to any other ATM hardware units, including the card reader and cash dispenser,” said a spokesperson at Kaspersky Lab, an international software security group. It is a dangerous event as when a malware successfully infects an ATM, it receives almost unlimited control over that ATM.

Given my knowledge on the subject, and as a policy influencer, my foremost suggestions would be that – One: ensure physical safety of the ATM, so that no virus can be planted physically i.e. round clock surveillance of all ATM sites – which the banking players avoid to save costs. Secondly, the XFS standard must be improved to help the software protect itself better – machine learning or AI, at later stage may be implemented to understand and react to transactional behavior. Lastly, “authenticated dispensing” must be implemented to exclude attacks via any counterfeit processing centers that imitate the bank software, and also all data transmitted between hardware units and the PCs inside ATMs must be encrypt with military grade security – as banks and the infrastructures are the targets in digital and economic war.

Now, the thought that worries is that if 90 ATMs can cause this havoc, how much loss can over 1.5 lakh ATMs bring to the Indian economy?

#DynDNS

As always, I was following news from the cyber world – switching from national happenings to international, ATM cards were sufficient to my national appetite, when I discovered news of the Internet broken by a million automated hackers – IoT devices. According to famed security intelligence firm Flashpoint, ‘Mirai’ bots were detected driving much, but not necessarily all, of the traffic in the distributed denial of service attacks against DynDNS. The Domain Name System (DNS) is an entity that associates information with domain names assigned to each of the participating entities – it is like a phone directory that stores the numbers – IP addresses (200.224.192.25), with their concerned holders – the domains i.e. www.vinitgoenka.in.In order to understand, we need to what is ‘Mirai’? Mirai is a piece of malware that targets Internet of Things devices such as routers, and security cameras, DVRs, and enslaves vast numbers of these compromised devices into a botnet – one we saw in the franchise series – Terminator, which is then used to conduct DDoS attacks. Since, the source code of Mirai Botnet has already made available to the public; anyone can wield DDoS attacks against targets. This type of attack is notable and concerning because it largely consists of unsecured IoT devices, which are growing exponentially with time.

These devices are implemented in a way that they cannot easily be updated and thus are nearly impossible to secure. Manufacturers majorly focus on performance and usability of IoT devices but ignore security measures and encryption mechanisms, which is why they are routinely being hacked and widely becoming part of DDoS botnets used as weapons in cyber-attacks. Foremost users of these devices are engineering students and hobbyists, who will fall prey of attacking their own smart cities in days to come if the issues are not addressed at the right time – which is now.

This massive Distributed Denial of Service attack against Dyn, a major domain name system (DNS) provider, broke large portions and brought the Internet on its on Friday, causing a significant outage to a ton of websites and services, including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify. An online tracker of the Mirai botnet (image below) suggests there are more than 1.5 million infected devices on the Internet, with over 185,000 devices active right now. In short, botnets like Mirai are growing rapidly, and there is no easy way to stop them until strict policies and firewalls are in place, because cutting of the Internet is no solution.

As you can see, the East Coast of United States has a lot of IoT devices that are often used for DDoS attacks on the strategic assets of the nations as well as multiple highly visible corporate websites with enormous traffic. It will also interest to learn that French internet service and hosting provider OVH, was also targeted by the similar Mirai Botnet. It is a known process that data takes the shortest path, and with India by 2035 having another million devices in form of smart cities, connecting every possible aspect of our daily life is a new threat for DDoS attacks to the Indian establishment. Are we ready to mitigate a 1Tbps scale of traffic on the national Internet backbone? Will we be prepared to disconnect the flood control equipment and lighting from the Internet and yet manage it in 2040, if a then equivalent scale of traffic hits the infrastructure?

With smart cities, autonomous intelligent vehicles will be the new trend in couple of years – and one such hacked vehicle will be no less than an armed aggressor with AK-47 open firing in public places. A rogue nation with many advances in cyber-warfare nearby has already contributed enough pain to the Indian establishment, any delay in seeing these threats will cause widespread havoc when India will have tens of them.

The threat today is from foreign powers, terrorist organizations, criminal syndicates, miscreants and innocent cyber bullies.

While policy makers are continuously reformulating existing policies and laws to keep a check on anti-social elements and the above-mentioned threats, law enforcing agencies are constantly struggling to match the pace of these challenges. We must actively involve existing academicians and young minds from our schooling system to generate awareness and cohesively counter these cyber threats so that our nation is safe, secure and future-ready.