Securing the world against Rogue Robos

Several movies have captured the ugly face of technology. Most of the time this is because technologists, intoxicated with the power of technology, create monsters without knowing the consequences. With the growth of Artificial Intelligence and humanoid robots the dangers are increasing every day, and we need to respond to this alarming situation.

A scary incident has now been reported from a lab in Japan. The incident reportedly occurred in August 2017 and has been revealed only now by a whistle-blower. According to the report, 29 humans were killed in a lab producing autonomous war robots when four soldier robots went rogue and started shooting the humans. Three of them were physically disassembled by the workers, while the fourth was smarter and was searching a satellite database for a way to re-arm itself. The account rests on that single whistle-blower's claim and has not been independently confirmed.

Ultimately this one too might have been dismantled, but the fact remains that the dangerous phase of AI is now before us. If we continue to act intoxicated and do not learn from our mistakes, we are creating robot monsters which will destroy humanity.

Some of the videos in the link "Six scary things about AI" also raise concern about the capacity of robots to think on their own and even express views about conflict with the human race. They make everyone sit up and take notice of the possibility that the movie kind of situation may become a reality too soon for comfort. We may not be able to find a Rajinikanth in real life to save us from the damage that rogue robots may create.

It is time that the international community takes some corrective action to ensure that Artificial Intelligence does not override the "Isaac Asimov principles of ethical robotics".

Japan was the country on which the first atomic bomb was dropped, and now it appears that it can be the source of the next great tragedy on the planet.

Imagine what could be the consequences of terrorists either acquiring these "Autonomous Military Robots" or hacking into some of them. If we do not have a security solution for such incidents, it is better that we do not create these monsters.

Earlier Incidents

From January 25, 1979, when an accident at a Ford factory claimed the first human life taken by a robot, to the reported death of 29 persons in a Japanese lab at the hands of a "Rogue Robot Soldier" under manufacture, there have been several accidents in which robots have claimed human lives.

Some of them are captured here.

  1. 25th January 1979: Robert Williams was killed at the Ford Motor Company casting plant at Flat Rock, Michigan, when the arm of a parts-retrieval robot struck him in the head. He had climbed into the storage rack to fetch castings by hand because the robot was not retrieving them properly. His family later won a negligence verdict against the robot's manufacturer, so this was more than simple worker error. (Refer here).
  2. May 7, 2016: Joshua Brown was killed near Williston, Florida when his Tesla Model S, driving on Autopilot, failed to distinguish a white tractor-trailer crossing the highway from the bright sky behind it and drove under the 18-wheel trailer. Tesla's own account was that neither Autopilot nor the driver noticed the trailer, and the NTSB later found that the system's design allowed the driver to rely on it far beyond its intended use. It was at the least a failure to test the software against a foreseeable situation, and the developer's responsibility cannot be wished away.
  3. October 2007: Nine South African soldiers were killed and another 14 wounded at the Lohatla army battle school when an Oerlikon GDF-005 anti-aircraft gun began firing on its own during an exercise. The official finding was a mechanical failure, with the gun jamming and exploding before going berserk and firing some 250 rounds, but a software failure was not ruled out.
  4. July 7, 2016: Police in Dallas used a bomb-disposal robot to kill Micah Johnson, who had shot dead five police officers and was holed up in the garage of a college building, by sending the robot in carrying an explosive charge and detonating it. The use of a "bomb disposal robot" to kill a human was perhaps a justified action of the police under the circumstances. (P.S: It would be interesting to know how the pseudo human rights activists and the Indian judiciary would react if such action were taken in Kashmir by the military.)
  5. 1981: Kenji Urada, a 37-year-old maintenance worker at Kawasaki Heavy Industries, was killed when he entered a robot's safety enclosure to repair it without cutting its power and was trapped by the working arm (the death occurred in July 1981 and was widely reported that December). (Refer here). This too can be described as an accident caused by the negligence of the worker.
  6. June 2015: A 22-year-old contractor was killed at the Volkswagen plant in Baunatal, Germany, when he was grabbed by a robot he was helping to set up and pinned against a metal plate; he later succumbed to his injuries. It was again classified as an accident caused by human error.
  7. July 2015: Wanda Holbrook, a 57-year-old maintenance technician at the Ventra Ionia Mains plant in Ionia, Michigan, was killed when a robot from an adjacent section entered the section she was servicing and loaded a trailer-hitch assembly onto her head. (Refer here). The lawsuit her husband filed in March 2017 alleges that the robot should never have been able to enter that section and that several safety systems failed at once, so this was not a simple case of a worker standing in the wrong place.
  8. 2009: Ana Maria Vital, 40, was killed at Golden State Foods in California when a palletizing robot grabbed her like one of the boxes it was meant to handle and crushed her after she went near it to clear a fault; another accident attributed to human negligence.
  9. August 2015: Ramji Lal, 24, working at the SKH Metals factory in Manesar, India, was stabbed to death by a robot when he tried to correct the position of a metal piece the robot had picked up and the moving arm hit him. The case was wrongly recorded as electrocution and not as a "death caused by a robot", perhaps to avoid the payment of compensation. (Refer here)
  10. June 2016: Regina Elsea, 20, was killed at Ajin USA, a South Korean-owned auto parts plant in Cusseta, Alabama, when a robot restarted while she was inside its cell trying to clear a fault. The OSHA enquiry revealed several safety violations, the unit having cut corners on safety to keep production running.
  11. July 2017: There was also an incident of a "robot suicide" (Refer here) when a Knightscope security robot in Washington, DC rolled into a fountain, though the incident is better described as an accidental fall.
  12. March 2018 (NTSB preliminary report May 2018): The Uber self-driving car accident (Refer here) in Tempe, Arizona, which killed a pedestrian, can also be added to this list. Uber had disabled the vehicle's own emergency braking system and relied on the human safety driver to act. The obstruction was detected about 6 seconds before impact and emergency braking would have been needed about 1.3 seconds before the crash, but the system was not designed to alert the driver, who was not watching the road. (Refer here). This was both a technical error and human negligence.

It is estimated that, prior to the current incident, over 61 deaths and injuries have been caused by industrial robots (Refer here).

Isaac Asimov laws

The legendary science-fiction writer Isaac Asimov laid out three laws of robotics as early as 1942, and they have since been cited as guidance for every programmer of such machines. While some of the cases referred to above are clearly accidents, it is also clear that errors in programming contributed to many of them.

The three laws which he wrote were as follows:

  1. First Law – A robot may not injure a human being or, through inaction, allow a human being to come to harm.
  2. Second Law – A robot must obey the orders given it by human beings except where such orders would conflict with the First Law.
  3. Third Law – A robot must protect its own existence as long as such protection does not conflict with the First or Second Laws.

When Asimov wrote his fiction, I am not sure he could have visualized the full impact of "Artificial Intelligence" as we find it today, or the nature of a society that abounds in financial greed and religious fanaticism. The current scenario appears far more dangerous than what Asimov could have envisioned.

It is time, therefore, for the information security community to start thinking of the safeguards we need to build to ensure that AI is not used indiscriminately by unethical and negligent software workers.

Naavi

Also Refer: Six scary things about AI

Posted in Cyber Law

Is Rs 1 Crore fine on Indian Bank a sufficient deterrent?

The Reserve Bank of India, in a press release dated December 11, 2018, imposed a monetary penalty of Rs 1 crore on Indian Bank for non-compliance with its directions under the Cyber Security Framework of 2016 and the Master Directions on Frauds reporting.

RBI has in the process clarified that

“This action is based on deficiencies in regulatory compliance and is not intended to pronounce upon the validity of any transaction or agreement entered into by the bank with its customers.”

Considering that in the past RBI has been content with fines of Rs 5 lakhs and Rs 10 lakhs for failures in KYC, a penalty of Rs 1 crore appears eye-popping.

It is certainly a departure from the past, both because the fine is relatively significant and because it is for "non-compliance" with an order related to "Cyber Security".

One of the complaints we have always had about banks is that they do not take RBI's instructions seriously, and RBI has been content with just sending circulars rather than enforcing its decisions on the banks. We have often pointed out that banks like ICICI Bank and SBI are so powerful when it comes to policy making by RBI that, through the combined strength of the banks in the IBA, it is often the banks which dictate terms to RBI rather than the other way round.

It is therefore refreshing to note that this time RBI appears to be serious about its directions being taken seriously.

Many of the banks openly declare that they would provide only such security as is "commercially feasible", and make security a trade-off against their own profits. This fine therefore raises the bar a little higher than before.

However, will this be a sufficient deterrent? In our opinion, not necessarily, at least for the large banks. After all, this fine of Rs 1 crore will be an indirect burden on the public, since the bank will factor it into its service charges or simply let it be borne by the shareholders.

When ATM security was in public discussion a few years back, banks started charging extra per transaction to cover the cost of security guards and the like; soon the charges remained while the services promised never materialized. The same thing will happen now: banks will pay the monetary fine out of their profits and, except for a small ripple, continue to function the way they do now.

If real improvements are to be brought about in the service of the banks, a part of such a burden should be imposed on the officials who were negligent in implementing the security guidelines. Such responsibility needs to be imposed on the Board of Directors, the CMD and the CISO. The fine can take the form of a percentage of their salary recovered over, say, a year, so that every month they are reminded of their dereliction of duty. The Board of Directors too should bear an individual fine out of their sitting fees or remuneration.

I hope the RBI will take note of this suggestion for the future.

Naavi

 

Posted in Cyber Law

“Tweets are not Facts”….” WhatsApp” is not “Whats up”

Speaking in the context of the Rafale deal, the French Ambassador has reportedly remarked, "Look at the facts, not the tweets". This was as much advice to the traditional media, which sensationalizes the social media posts of the Congress, whose political ambitions have made tweets a tool for spreading disinformation. The obliging media picks up anything and everything thrown at it and converts it into a political narrative.

It could be Rafale or the RBI Board meeting, the CBI's internal politics or even the quality of currency notes; the media is capable of converting any of it into an anti-Modi narrative and keeps shouting.

In this unfortunate situation, innovative technical tools such as Twitter and WhatsApp have become tools for creating false narratives and defaming people. The politicians should be credited with the successful corruption of an innocent tool created by the Internet to give "voice to the ordinary people".

Today even the owners of these businesses are carried away by the increased usage that these false posts create, and think they are generating more revenue, like the TV media that chases TRPs at any cost. But in the long run this trend is eroding the credibility of the system, and once the election fever is over the backlash will hurt these services to the extent that in due course they may become extinct.

In the interest of the survival of these social media vehicles, it is necessary that they do not misinterpret "free speech" as "freedom to spread falsehood". If they do, they will be digging their own grave.

It is therefore time for society to think about and implement measures that would enhance "trust" in the use of these social media.

Though it looks ridiculous to many, there is a valid argument for the creation of KYC-based identified accounts on Twitter and WhatsApp, with an ethical declaration by the user that he is open to being banished for deliberate false postings.

Twitter has a system of "Verified" accounts, but it is not being implemented properly. Twitter's approvals are biased and genuine accounts are often denied the "Verified" tag without any reason. There is a need for a new system of "Identified Social Media Postings", and Facebook and WhatsApp should join this consortium.

Probably these business entities will not see the value of such "identified accounts". I therefore call for a new start-up business in India which runs an "Identity Service" to issue "Verified Tokens" to users of social media, so that there is more accountability for social media users.

Of course this is not a solution for political parties posting false narratives for political gain, but still, it would go a long way in establishing "responsible use of technology".

Naavi

Posted in Cyber Law

UK DPA strikes at Uber: Delivers a lesson in Password construction

Uber has been fined £385,000 (approx. Rs 3.5 crores) by the UK ICO, the country's data protection authority, for failing to protect its customers' data during a breach.

Refer report here

The breach occurred in October and November 2016, before the GDPR came into force, so the ICO acted under the UK Data Protection Act 1998 (the UK was, and still is, part of the EU). It involved a cyber attack on Uber's US data store, hosted on Amazon Web Services, in which the records of about 2.7 million UK customers, including names, email addresses and mobile numbers, were potentially accessed.

In the US, Uber had reached a settlement with all 50 states to pay $148 million (over Rs 1,000 crores) for the same breach.

The ICO's notice indicates that the attackers used "credential stuffing", that is, replaying username and password pairs leaked from breaches of other services, to log in to the GitHub accounts of Uber engineers and reach a private code repository. This is not a brute-force guess at the password so much as a bet that the victim had reused it.

Uber paid the attackers US $100,000, which it treated as a "bug bounty" payment, and then introduced additional security and rotated the keys.

From the incident it appears that the attackers first got into the GitHub accounts of (reportedly) 12 Uber employees because those employees had used on GitHub the same username-password combinations they used elsewhere. In the code stored in those private repositories they found the access credentials for the Amazon storage in plain text, and with those credentials they were able to access the cloud server.

The decision may appear erudite, but it must be debated whether this incident indicates "negligence" on the part of Uber and, if so, the extent of such negligence: was the security otherwise in use "reasonable"?

Once a breach has happened, any amount of security appears inadequate. The regulator ideally has to put itself in the shoes of the company and evaluate whether, in the circumstances in which the storage was designed, the security was adequate. The regulator should avoid penalizing the business entity with the benefit of hindsight merely to demonstrate its power to penalize.

Further, to take objection to how Uber treated the payment to the attackers, whether as a "bug bounty" or a "ransom", was perhaps beyond the scope of the ICO's authority. It could have avoided treading into this domain, since the classification could have been an accounting necessity or dictated by insurance coverage. Whether the proper bug bounty procedure was followed is a matter of no concern to the ICO.

It appears that the ICO exceeded its boundaries in this respect, which may be indicative of a bias with which the penalty decision was arrived at.

It is also strange that the ICO has placed a disincentive on the company's right to appeal (by offering a discount if no appeal is made), which may not be entirely legal.

This was a case fit for a nominal fine meant to flag a kind of attack against which companies need to guard.

The lessons to be drawn from the incident are that users should not use the same user ID and password combination across different services, and that access keys for cloud storage should never sit in plain text in source code, least of all in a repository shared among many developers.

This will now become a new paragraph in the password policy of every organization.
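A check that would have caught the second half of the chain, keys sitting in plain text in code, is a secret scanner run before code is committed or pushed. The block below is an added example written for this article, not code from Uber, GitHub or the ICO notice. The sample settings file is constructed (the AKIA... value and its companion secret are the ones used in AWS documentation, not live keys), and the entropy threshold and the variable-name patterns are assumptions a real deployment would tune to its own code base.

```python
"""
Secret scanner: flag cloud access keys and other secrets committed in plain text.

Added example for this article, not code from Uber, GitHub or the ICO. The
sample source below is constructed; the AKIA... value is the AWS documentation
example key and the secret is its documented companion, neither is live.
"""
import math
import re
import sys
from collections import Counter

# Long-term AWS access key IDs start with AKIA, temporary STS keys with ASIA;
# both are 20 upper-case alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A quoted value (8+ chars) assigned to a variable whose name suggests a secret,
# e.g.  aws_secret_access_key = "..."   or   DB_PASSWORD: '...'
SECRET_ASSIGN_RE = re.compile(
    r"(?i)\b([a-z0-9_]*(?:secret|password|passwd|token|api_key)[a-z0-9_]*)"
    r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)

# Values that are obviously placeholders rather than secrets.
PLACEHOLDER_VALUES = {"changeme", "xxxxxxxx", "<redacted>", "your-secret-here"}
MIN_ENTROPY = 3.5  # bits per character; assumed threshold, tune per code base


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character. Random base64-ish secrets score 4-5;
    words, repeated characters and placeholders score much lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, min_entropy: float = MIN_ENTROPY) -> list:
    """Return one finding per hit: {"line": n, "kind": ..., "value": ...}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id", "value": m.group(0)})
        for m in SECRET_ASSIGN_RE.finditer(line):
            name, value = m.group(1), m.group(2)
            # Template placeholders and ${ENV_VAR} references are the right way
            # to do it, so they are not findings.
            if value.lower() in PLACEHOLDER_VALUES or value.startswith("${"):
                continue
            if shannon_entropy(value) >= min_entropy:
                findings.append({"line": lineno, "kind": f"high_entropy_{name}", "value": value})
    return findings


def scan_files(paths: list) -> list:
    """Pre-commit entry point: scan each file and tag findings with the path."""
    out = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_text(fh.read()):
                out.append({"path": path, **f})
    return out


# Constructed sample of a settings file as it might have been committed.
SAMPLE_SOURCE = """\
# settings.py (constructed sample)
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DB_PASSWORD = "changeme"
API_TOKEN = "${API_TOKEN}"
TEST_PASSWORD = "aaaaaaaaaaaa"
"""

if __name__ == "__main__":
    # With file arguments behave as a hook; without them, scan the sample.
    findings = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_SOURCE)
    for f in findings:
        print(f"{f.get('path', '<sample>')}:{f['line']}: {f['kind']}: {f['value'][:4]}...")
    sys.exit(1 if findings else 0)
```

Run as a pre-commit hook it exits non-zero whenever anything is found, which is the point: the commit never reaches the shared repository. The placeholder and `${VAR}` exclusions keep it from flagging templates, and the entropy test is what separates a real 40-character secret key from a throwaway test password, so the hook stays quiet enough that developers do not learn to bypass it.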

Naavi

Posted in Cyber Law

EY flags Crypto Currency as a threat. Will Supreme Court take note? or Ignore?

Ernst & Young recently published a survey, "Responding to Cyber Crime Incidents in India". Some interesting insights are reported in it.

One of the insights is important from the point of view of the Supreme Court hearing on the legalization of Bitcoin and needs to be taken note of.

The survey, speaking of "crypto currency" as an emerging area of risk, states:

“The challenges in using virtual currency is that these systems are capable of facilitating tax evasion or illegal activities because of the anonymity factor which is built into the system. As a result, Bitcoin is a preferred mode by hackers for ransomware. …. The rise in usage can lead to a surge in cyber-attacks, raids and fraud. “

The Government of India and the Supreme Court, which are under tremendous pressure from the Bitcoin industry and the supporting media, should take note that if Bitcoin is legalized in India, the country's economy would be doomed.

Bitcoin being the "currency of the criminals" and the "currency of the terrorists", the easy movement of crime money across the entire economy and across borders would provide an easy channel for distributing rewards for different forms of crime. Once the tracking of crime money becomes fuzzy, financial crimes will become difficult to prosecute, since courts demand "evidence of a money trail", which goes dark with the use of Bitcoin.

The Supreme Court has to ask itself the question,

Is the Court able to understand the adverse impact of Bitcoin on the Country and be honest and bold enough to ban Bitcoins? or

Will the Court hide behind technicalities and try to give breathing space to Bitcoin, which all the corrupt elements of our society worship?

Citizens of this country will draw their own conclusions on who is on the side of Corruption and who is not based on the arguments that will follow in the Supreme Court.

At present it appears that Naavi is a lone warrior in the social media fighting against Bitcoins.

Traditional media, including CNBC TV, Bloomberg, Business Standard, Economic Times, Republic TV and Times Now, are all either in direct support of Bitcoin or exercising restraint in passing any adverse comment on it.

There is an organized PR team working at planting favourable stories in the media to influence the Government to come up with a favourable view under which the Supreme Court can pass a favourable decision.

Mr Modi appears to be too distracted with the politics around him to be able to respond decisively. I am reminded of the Mahabharata war, where Arjuna is dragged away from the main battle scene while the Kauravas set up the Chakra Vyuha which consumed Abhimanyu. Similarly, election politics is dragging Mr Modi away from the Bitcoin scenario, leaving the decision entirely to Mr Arun Jaitley.

Will Mr Arun Jaitley be able to stand up to a commitment of eliminating the digital black money called Bitcoin? So far he has not shown any indication of it. I hope this time it will be different.

However, I hope there are many silent supporters who may not be vocal but whose silent voices would reach the Supreme Court.

Naavi

Posted in Cyber Law

RBI needs to Fight with Mazar Virus rather than fighting with the Government

The Reserve Bank of India is in the news for picking a fight with the Central Government over the right to use its reserves in the manner it deems fit. Whether RBI is over-capitalized by retaining its reserves, and whether part of them should be made available for bridging the fiscal deficit, is not a debate for this platform. We leave it to the economists to debate and, hopefully, resolve at the November 19 Board meeting.

However, we would like to point out to the RBI that its functions, apart from being banker to the Government, include being the "Regulator of the Banking System in India". In this capacity RBI is responsible for the security of the banking system in India.

Whether RBI should fight to defend its right over the disposal of its reserves is left to the economic experts, but the common citizen who is a customer of a bank is really concerned that RBI is perhaps not discharging its duty of protecting customers' interests adequately.

We acknowledge that RBI has taken some right steps towards the safety of banking transactions in the digital banking era, both by refusing to succumb to the pressure of the Bitcoin lobby and by issuing the "Limited Liability Circular" introducing "zero liability" for customers in banking frauds.

However, the fresh outbreak of the Android malware identified as "Mazar" now poses a fresh challenge to RBI and raises the question of the adequacy of the measures it has initiated.

I feel that RBI should start fighting Mazar as a priority rather than fighting with the Government over who should have a say in the disposal of its reserves.

The Mischief that Mazar is capable of

Just to make things clear, Mazar is Android malware that spreads through an innocuous SMS carrying a link to a malicious app. Once the app is installed it lets the fraudsters take over the phone's messaging functions, so that the OTP messages for banking transactions are intercepted.

Since the malware is known to spread not through messages linked to banking transactions but through other messages, such as

"The Income Tax Department is pleased to advise you that your return for FY 2017-18 has been processed and the refund has been processed. For details of the refund, kindly check here ……. (a shortened hyperlink)"

it is a risk beyond the scope of the normal alerts that banks send to customers, such as "We do not ask for your password", etc.

As we approach the elections or the IPL, we may see messages linked to political issues, the IPL or even controversial decisions of the Supreme Court such as the Sabarimala verdict being used to lure recipients into clicking such links.

If, therefore, an SMS is received saying "Flash news.... Supreme Court all set to ban entry of women to Sabarimala temple. Click here for details....." or "Virat Kohli meets with an accident in Sydney and hospitalized. Click here for details...", there would be millions of bank customers who would click the link in a blink, install the app it offers, and get their mobiles infected.

Are the Bankers and RBI prepared for such contingencies?

Are our Police and Courts ready to handle the flood of complaints that such messages may generate?

Mazar is a Risk Beyond Reasonable Capability

Mazar is a security risk that is beyond the reasonable capability of a customer to mitigate, and it has to be recognized as part of a fundamental flaw in the digital banking architecture for which the bank and RBI alone are responsible.

SMS is not a reliable means of communication

Mazar indicates that SMS has ceased to be a reliable channel between the bank and the customer and should be replaced with some other form of communication.

If RBI does not act in this direction and force the banks to switch over to a more secure form of communication, which legally should be a "digitally signed message" or some other form of secure messaging, RBI will be failing in its duty.

I reiterate that RBI has addressed this issue in the past by mandating the use of cyber insurance by banks, but banks have ignored the mandate and should be pulled up for this lapse.

Adaptive Authentication

Further, bankers have failed to introduce appropriate methods of identifying unusual transactions through "adaptive authentication", which RBI has suggested earlier. Most fraudulent transactions, including those that may use the Mazar malware, happen in the dead of night, when the customer is not awake to respond to the SMS that the bank may send.

Such "nocturnal transactions" need to be flagged by the system and subjected to a higher level of verification. Banks cannot be blind to the fact that no sensible customer wipes out the entire balance in the account through a series of transactions in the dead of night.

Need to Reject Insecure CBS software

Not programming the CBS to recognize the location and time of origin of a transaction and link them to an alert system is a fundamental drawback of the software, including the popular core banking systems.

RBI should therefore revisit its approval of software such as Finacle or Flexcube, and any implementation that does not have a proper adaptive authentication system should be declared unacceptable.
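The two passages above describe what the core banking system is expected to do: look at the time, the location, the device and the pattern of a transaction before letting it through, and step up verification when the picture looks wrong. The block below is an added example written for this article, not RBI's guidance and not code from Finacle or Flexcube. The customer profile, the transactions, the weights and the thresholds are all constructed assumptions; a real system would learn the profile from the customer's history rather than hard-code it.

```python
"""
Adaptive authentication: score a transaction against what is normal for the
customer and decide whether to allow it, step up verification, or block it.

Added example for this article, not RBI guidance or vendor code. Profile,
transactions, weights and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Profile:
    customer_id: str
    balance: float          # rupees, before the transactions below
    usual_cities: set
    usual_devices: set


@dataclass
class Txn:
    when: datetime          # local time of the attempt
    amount: float
    city: str
    device_id: str


# Weights and thresholds: assumed values for the example.
W_NOCTURNAL, W_LOCATION, W_DEVICE, W_VELOCITY, W_DRAIN = 40, 20, 25, 20, 30
NIGHT_START, NIGHT_END = 23, 5            # 23:00 to 05:00 local time
VELOCITY_WINDOW = timedelta(minutes=15)   # attempts counted within this window
VELOCITY_COUNT = 3                        # this many attempts in the window is "velocity"
DRAIN_FRACTION = 0.8                      # window total >= 80% of balance is "draining"
STEP_UP_THRESHOLD, BLOCK_THRESHOLD = 40, 70


def is_night(t: datetime) -> bool:
    return t.hour >= NIGHT_START or t.hour < NIGHT_END


def score_transaction(profile: Profile, txn: Txn, history: list) -> tuple:
    """Return (score, reasons). history = earlier attempts by the same customer,
    oldest first, including ones that were blocked: an attempt is a signal
    whether or not it went through."""
    score, reasons = 0, []
    if is_night(txn.when):
        score += W_NOCTURNAL
        reasons.append("nocturnal")
    if txn.city not in profile.usual_cities:
        score += W_LOCATION
        reasons.append("unusual_location")
    if txn.device_id not in profile.usual_devices:
        score += W_DEVICE
        reasons.append("new_device")
    recent = [h for h in history if txn.when - h.when <= VELOCITY_WINDOW]
    if len(recent) + 1 >= VELOCITY_COUNT:
        score += W_VELOCITY
        reasons.append("velocity")
    if sum(h.amount for h in recent) + txn.amount >= DRAIN_FRACTION * profile.balance:
        score += W_DRAIN
        reasons.append("drains_balance")
    return score, reasons


def decide(score: int) -> str:
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"   # e.g. call-back or in-app confirmation, not another SMS OTP
    return "allow"


def evaluate(profile: Profile, txns: list) -> list:
    """Score a customer's attempts in order; returns [(decision, score, reasons), ...]."""
    results, history = [], []
    for txn in txns:
        score, reasons = score_transaction(profile, txn, history)
        results.append((decide(score), score, reasons))
        history.append(txn)
    return results


# Constructed sample: a Bengaluru customer whose own phone is compromised one night.
SAMPLE_PROFILE = Profile("C-1001", balance=50_000.0,
                         usual_cities={"Bengaluru"}, usual_devices={"dev-A"})
SAMPLE_TXNS = [
    Txn(datetime(2018, 11, 12, 14, 10), 1_500.0, "Bengaluru", "dev-A"),   # normal afternoon payment
    Txn(datetime(2018, 11, 13, 2, 5), 15_000.0, "Bengaluru", "dev-A"),    # 02:05, first night transfer
    Txn(datetime(2018, 11, 13, 2, 9), 15_000.0, "Bengaluru", "dev-A"),    # 02:09, second
    Txn(datetime(2018, 11, 13, 2, 14), 15_000.0, "Bengaluru", "dev-A"),   # 02:14, third: drains the account
    Txn(datetime(2018, 11, 14, 11, 0), 2_000.0, "Mumbai", "dev-B"),       # next day, new city and device
]

if __name__ == "__main__":
    for txn, (decision, score, reasons) in zip(SAMPLE_TXNS, evaluate(SAMPLE_PROFILE, SAMPLE_TXNS)):
        print(f"{txn.when:%Y-%m-%d %H:%M} {txn.amount:>9,.0f} {txn.city:<10} {decision:<8} {score:>3} {reasons}")
```

The sample is shaped like the Mazar case: the transfers come from the customer's own registered phone, so device checks see nothing wrong, and it is the hour, the velocity and the fact that the third transfer empties the account that push the score from "step up" to "block". That is why the step-up channel must be something other than an SMS OTP to the same handset.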

Beware of what happened in Pakistan

We must be aware that there has recently been large-scale hacking of banking systems in Pakistan, and there is no reason not to expect a similar attack on the Indian banking system.

If Mazar has already been spread and installed on many mobile devices, it could be a tool to compromise a large part of the Indian banking system. There could be a serious crisis looming ahead for the Indian banking system, attributable to the failure of the supervisory system.

As pointed out in the earlier article, Mazar is a notorious risk because it creates "fake evidence" against the customer which courts may find difficult to see through.

If the Governor and Deputy Governors of RBI do not recognize that this threat is larger than the "autonomy to decide on the disposal of the reserves", they would be doing a great disservice to Indian citizens.

Steps which RBI should initiate

As a first step, RBI should warn the banks about the Mazar malware and remind them that in all cases of digital fraud the "onus of proof" rests with the banks, and hence banks should not unfairly hoist the liability onto customers.

RBI should reiterate the point it has already made that "end point security" is the responsibility of the bank, and that this responsibility extends to the user's devices.

Banks should be mandated to implement the kind of security measures companies use when allowing BYOD devices to access corporate digital assets, and to suspend mobile banking transactions until a satisfactory solution is found for Mazar-type malware that compromises the OTP system.

I once again reiterate that Mr S. Gurumurthy should raise this issue at the November 19 meeting, even ahead of the reserves-related issue.

P.S: Bank customers may check their mobiles and revoke the permission to read SMS from every app that does not genuinely need it, besides avoiding clicking on any hyperlinks, and more so on shortened links (e.g. bit.ly).

Naavi

Posted in Cyber Law