In the recent DDoS attacks on OVH and Dyn, the attacks were carried out by redirecting terabytes of data using botnets of video devices.
It is already known that botnets of millions of computers were earlier being created to conduct such attacks. Now it appears that in certain cases, data traffic of as little as 4Mb per second could bring down networks.
A research organization, TDC, has reported that a single laptop producing around 180 Mbits per second can send certain commands that can trick the firewalls of Cisco and others to bring down the network.
Security managers need to check the vulnerability of their servers and implement the corrective steps that are being recommended by the security companies.
An amendment bill has been tabled in Australia to amend the Privacy Act 1988 to prohibit conduct related to the re-identification of de-identified personal information published or released by Government entities.
According to the provisions of the amendment, when an agency is entrusted with de-identified information, it shall not act in any manner by which the de-identified information gets re-identified.
The exceptions to the rule are when:
(i) the act was done in connection with the performance of the agency’s functions or activities; or
(ii) the agency was required or authorised to do the act by or under an Australian law or a court/tribunal order.
(iii) the entity is a contracted service provider for a Commonwealth contract to provide services to the responsible agency; and the act was done for the purposes of meeting (directly or indirectly) an obligation under the contract.
(iv) the entity has entered into an agreement with the responsible agency to perform functions or activities on behalf of the agency; and the act was done in accordance with the agreement.
(v) the entity is an exempt entity for the purposes of this section in accordance with a determination in force and the act was done for a purpose specified in that determination in relation to the entity and in compliance with any conditions specified in the determination that apply in relation to the entity.
The penalty for the offence could be imprisonment of up to 2 years and also civil fines.
There is also a provision for “Disclosure” if re-identification is done, failing which there could be civil and criminal penalties.
The amendment indicates a specific attempt to focus on the prevention of re-identification and enhances Privacy protection.
In the Indian context, a protection of this nature is implicit in the contractual agreement of the sub-contractor, failing which the responsibility for disclosure lies with the agency (which is recognized as an “intermediary” in the ITA 2008).
Some time back, there was a lot of discussion in India about a video from JNU in which it was alleged that anti-India slogans were raised. There were two versions of the video: one in which there were clear indications that Mr Kannaiah Kumar was involved in anti-India sloganeering, and another in which he was present but perhaps not participating in the sloganeering. Similarly, there were also static pictures of two versions of the event, one accusing the organizers of putting up anti-India posters and another in which this was not the case.
Apart from the political discussions, it was also a matter of interest for cyber forensic people: how a video or a picture can be doctored, and how sometimes no evidence can be accepted without a discerning evaluation. It is extremely important for everyone to understand that modifying a digital image or video is eminently possible and is often used to create fake pictures circulated on social media. Sometimes, in the heat of a charged atmosphere, such doctored pictures get circulated and re-circulated in WhatsApp groups and Facebook posts of innocent persons, leading to innocent persons being hauled up by law enforcement. The arrest of more than 50 persons in Tamil Nadu for allegedly trying to spread false rumours on Facebook about the health of Jayalalitha is a case in point in our recent memory.
In the ongoing US elections, where there is a bitter battle between Mrs Hillary Clinton and Mr Donald J Trump, a virtual social media war is going on on YouTube. As the mainstream media is supposed to be very much in favour of Mrs Hillary Clinton, the Donald Trump camp is more dependent on social media for its own campaign. The Trump camp is extensively using YouTube for its campaign, while Twitter and Facebook are supposed to have been favouring Hillary. It is alleged that Twitter and Facebook are not showing pro-Trump discussions in the “Trending” category.
Even YouTube was accused of blocking the “Streaming Facilities” provided to one of the Trump sympathizers, though there are many other YouTube videos that talk about WikiLeaks and Hillary Clinton’s misdeeds. There are also plenty of videos on other associates of Hillary, including President Obama, Michelle Obama, Huma Abedin, her husband Anthony Weiner and so on. All these videos have their own positive and negative influence on the electorate, and therefore it is essential that voters are able to distinguish truthful videos from fake videos.
It is necessary for us in India to learn from what is happening in the US, because the same strategies that are used to produce fake videos may also be used in India when it is election time here, and the Indian Election Commission needs to take up “Cyber Forensic Training” to understand how Cyber Space can be misused.
One of the recent videos that attracted my attention was one in which a Cyber Forensic aspect became apparent. We normally know that a digital image is modified using “Photoshop” editing software, which has many features for creating morphed pictures. But when it comes to manipulating a video, it is slightly different.
In the JNU video case, it was suspected that the audio stream and the video stream were separated in the video editing software and an alternate audio stream was superimposed on the video stream to create a false video. When you have two video files with the same video stream but different audio streams, it is not easy to find out which is the original and which is the fake.
Police will find it extremely difficult to tell the difference, particularly when they are building up a prima facie case that leads to an intense media trial, in which some “Scoot and Shoot” politicians specialize.
In the US elections, there is one debate going on about the health condition of Ms Hillary Clinton. One observation is that the injury she suffered several years back to her skull might have created a blood clot near her right ear, which sometimes causes her to go into a “Seizure”-like condition for a few moments, when she is unable to control her eyeball movements. Some say that this is an early symptom of Alzheimer’s disease, which makes her physical fitness to be US President suspect.
Recently, there was one YouTube video in which, when Hillary faced a barrage of questions simultaneously from a few reporters around her, she suddenly seemed to go into a fit. We all know that people who suffer from epilepsy go into a seizure when they are exposed to strobing light or even flash bulbs. It appears that Hillary may be suffering from a similar “Audio Strobing trigger for Seizure”, and when a simultaneous volley of questions is hurled at her, her mind cannot process the multiple voices simultaneously and goes into a state of confusion.
While I am not a medical expert and leave the speculation about such a possibility to experts in the medical field, I would like to point to one of the videos which was recently published on YouTube, which is given here below for reference and is relevant for Cyber Forensics.
What this video says is that in one of the live interviews shot by the NBC channel, Ms Hillary Clinton appeared to go into a seizure, and the channel tried to edit the video so as not to present an embarrassing video to the public. But it is said that they did not do the editing properly, and hence the doctoring of the video is evident on close observation.
In many crime thrillers, we have seen a CCTV video hacking method where a small piece of footage is recorded and made to play over and over again to hide the real streaming image. This works very well to cheat surveillance cameras normally used in the perimeter security of an important physical asset.
As per the discussion available with the above video, it appears that the channel might have used a different technique, using a substitute frame as a “Chroma Key” to morph a few frames of the video in which Hillary might have lost control of her eyeballs. The chroma key is a video frame which is superimposed on another video layer so as to provide an indistinguishable frame-over-frame effect, as if something is happening in the background. If you see a news reporter reading a report while his background shows a live video of a mountain stream, you know how chroma key works. It is a common video mixing strategy used by all TV channels.
What is special in the above video is that the chroma key is simply one of the earlier frames of the same video, and I find this an interesting morphing technique which we as forensic analysts need to take note of, so that we are not fooled by such videos if we come across them. I want the law enforcement people to specially analyze this technique and how to find such videos quickly, to check possible misuse of social media through doctored videos.
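The two techniques described above (a short piece of footage replayed in a loop, and an earlier frame of the same video reused later) both leave the same trace: frame content that repeats. The script below is an added example, not a tool from the original post or from any channel; it models frames as bytes objects and hashes them, which is exactly what an analyst would do to each decoded frame's pixel buffer after extracting frames with a decoder. Both frame sequences in it are constructed.

```python
"""Flag reused frames in a frame sequence: exact loops (the CCTV replay trick)
and single frames that reappear out of order (an earlier frame pasted in).

Added example for this post, not a tool from the original article. Frames are
modelled as bytes objects; in practice you would decode the video (for
instance with OpenCV) and pass each decoded frame's raw pixel buffer here.
"""
import hashlib


def frame_digest(frame: bytes) -> str:
    """Exact-content fingerprint of one decoded frame."""
    return hashlib.sha256(frame).hexdigest()


def find_reused_frames(frames):
    """Return (index, previous_index) for every frame identical to one seen
    earlier but not immediately before it. A frame held for several
    consecutive positions (a still scene) is not reported; a frame that
    reappears later, out of order, is."""
    last_seen = {}
    reused = []
    for i, frame in enumerate(frames):
        d = frame_digest(frame)
        if d in last_seen and i - last_seen[d] > 1:
            reused.append((i, last_seen[d]))
        last_seen[d] = i
    return reused


def find_loops(frames, min_period=2, min_repeats=2):
    """Return (start, period, repeats) for segments where a block of
    `period` frames with varying content plays at least `min_repeats` times
    in a row. Loops already explained by a shorter period are not reported
    again under a longer one."""
    digests = [frame_digest(f) for f in frames]
    n = len(digests)
    loops = []          # reported (start, period, repeats)
    spans = []          # (start, end) ranges already explained by a loop
    for p in range(min_period, n // 2 + 1):
        i = p
        while i < n:
            if digests[i] != digests[i - p]:
                i += 1
                continue
            start = i - p
            while i < n and digests[i] == digests[i - p]:
                i += 1
            repeats = (i - start) // p
            block_varies = len(set(digests[start:start + p])) > 1
            covered = any(s <= start and i <= e for s, e in spans)
            if repeats >= min_repeats and block_varies and not covered:
                loops.append((start, p, repeats))
                spans.append((start, i))
    return loops


# constructed frame sequences: the genuine clip has every frame different; the
# looped clip plays the same three frames three times before moving on; the
# pasted clip has frame 1 reinserted at position 5
GENUINE = [b"frame-%d" % k for k in range(10)]
LOOPED = GENUINE[:6] + [b"loop-0", b"loop-1", b"loop-2"] * 3 + GENUINE[6:]
PASTED = GENUINE[:5] + [GENUINE[1]] + GENUINE[5:]

if __name__ == "__main__":
    print("loops in looped clip:", find_loops(LOOPED))
    print("reused frames in pasted clip:", find_reused_frames(PASTED))
```

Exact hashing only catches frames copied whole. When an earlier frame is composited into part of a later frame, as with a chroma-key patch, the same approach is applied per tile (split every frame into a grid and hash each tile), so that a tile reappearing from an earlier frame is reported even though the whole frame differs.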
I invite forensic specialists to comment on this video and the strategy discussed with an idea of how law enforcement can detect such doctored videos.
Needless to say, producing and publishing such videos would be an offence under ITA 2008, and channels would be liable for criminal prosecution either directly or as an “Intermediary who did not practice due diligence”.
The Internet service provider Dyn suffered a massive DDoS attack on October 21, with 1.2 terabytes of data directed from about 145000 CCTV/DVR devices working as a botnet, which shook up the US internet and brought down many critical services. (Dyn, headquartered in New Hampshire, offers DNS services to resolve internet addresses, and when it failed, users were unable to reach several popular websites.)
While DDoS attacks on DNS service providers or others are not new, what attracted attention in this case was that the botnet consisted not of computer zombies but of the CCTV cameras and DVRs working within many corporate networks and public utilities. These devices work on IP connections and send the images captured to a central server, and, being video files, the data size is large. Most of these devices are configured with a default password as supplied by the manufacturer, which is either known or can be easily broken.
The available network of such devices with IP addresses is easily searchable in search engines such as Shodan and is therefore easy fodder for those who are trying to do mischief.
In fact, just a few weeks earlier, another similar attack had been launched on OVH, a web hosting company. The attack on OVH failed to evoke preventive steps, which led to the next attack on Dyn. Even now, if one searches the Shodan search engine, it spits out the IP addresses of about 27000 cameras in Germany, 26000 in the US and about 1000 in India. Hackers use an exploit that can bruteforce these devices and divert the feeds to a target server to cause a DDoS attack.
The Shodan search engine also showed 48 banking hosts in India whose IP addresses could be easily obtained for further analysis. Maybe these are not exploitable, but it indicates how internet-facing devices may easily be open to attacks from unknown persons. While servers used by banks and other responsible users may have a tough password which cannot be easily broken, the same cannot be said of IoT devices used by common people.
The “Mirai” malware is one of the tools with which these DDoS attacks are being carried out. One can see the latest Mirai attack map (fossbyte.com) and how the attacks are spread all over the globe, including India.
Now the news has just come that the latest Mirai botnet attack has brought down the internet in the entire West African country of Liberia. This could be a test attack and could be followed by another attack elsewhere soon.
In the map above, India is showing a huge number of attacks.
The real-time Mirai botnet infection activity shown in the adjoining picture shows intense activity in India, including around Bangalore. How these infections will play out is anybody’s guess. If there are any further DDoS attacks in which the devices owned by the infected systems participate, there would be a “Cyber Crime” incident and possible prosecution under Section 66 read along with Section 79 of ITA 2008.
If the attack is a nation-crippling attack like the Liberian attack, then such devices would be exposed to the charge of a “Cyber Terror Attack” or of participating in a “Cyber War” on an otherwise friendly country.
Information Security professionals working in companies in which any internet-facing devices are being used need to first check whether these devices are secured from external attack. Each CCTV exposed to IP should be secured like a “Server” containing “Confidential Data”.
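A camera that has been recruited into a botnet betrays itself on the network: it is probed on its telnet port from outside, it talks to hosts other than its recorder, and when it floods a target it emits many small packets instead of a steady video stream. The script below is an added example for this post, not a tool from the original article or from any vendor; it runs those three checks over flow records. The camera inventory, the recorder address and the flow log are all constructed, and a real deployment would feed NetFlow/IPFIX or firewall connection logs through the same logic.

```python
"""Spot IP cameras that are behaving like botnet nodes, from flow records.

Added example for this post, not a tool from the original article. The flow
log, the camera inventory and the recorder address are constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# constructed inventory: camera addresses and the only host they should talk to
CAMERAS = {"10.20.0.11", "10.20.0.12", "10.20.0.13"}
ALLOWED_DESTS = {"10.20.0.5"}              # the recorder (NVR) the feeds go to
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
REMOTE_ADMIN_PORTS = {23, 2323}            # telnet ports that IoT scanners probe

# constructed flow records: one line per connection summary
FLOW_LOG = """\
ts,src,dst,dport,bytes,packets
2016-11-05T10:00:01,10.20.0.11,10.20.0.5,554,1842000,1400
2016-11-05T10:00:02,10.20.0.12,10.20.0.5,554,1790000,1360
2016-11-05T10:00:03,198.51.100.7,10.20.0.13,23,240,4
2016-11-05T10:00:04,10.20.0.13,203.0.113.9,53,480000,8000
2016-11-05T10:00:05,10.20.0.13,203.0.113.10,80,520000,8500
2016-11-05T10:00:06,10.20.0.13,10.20.0.5,554,900000,700
"""


def parse_flows(text):
    """Parse the CSV flow log into dicts with numeric port and counters."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        row["packets"] = int(row["packets"])
        rows.append(row)
    return rows


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def audit_flows(text=FLOW_LOG, cameras=CAMERAS, allowed=ALLOWED_DESTS,
                flood_packets=5000, flood_avg_bytes=100):
    """Return (finding, address, detail) tuples for three patterns: an external
    host reaching a camera's telnet port, a camera sending to any host other
    than the recorder, and a camera emitting many small packets to unexpected
    hosts (a flood, not a video stream)."""
    findings = []
    egress = defaultdict(set)        # camera -> unexpected destinations
    egress_bytes = defaultdict(int)
    egress_packets = defaultdict(int)
    for f in parse_flows(text):
        src, dst = f["src"], f["dst"]
        if dst in cameras and f["dport"] in REMOTE_ADMIN_PORTS and not is_internal(src):
            findings.append(("inbound-telnet", src, dst))
        if src in cameras and dst not in allowed:
            egress[src].add(dst)
            egress_bytes[src] += f["bytes"]
            egress_packets[src] += f["packets"]
    for cam in sorted(egress):
        findings.append(("unexpected-egress", cam, tuple(sorted(egress[cam]))))
        avg = egress_bytes[cam] / max(egress_packets[cam], 1)
        # video to the recorder runs at over a thousand bytes per packet;
        # thousands of sub-100-byte packets to strangers is a flood
        if egress_packets[cam] >= flood_packets and avg <= flood_avg_bytes:
            findings.append(("flood-pattern", cam, egress_packets[cam]))
    return findings


if __name__ == "__main__":
    for finding in audit_flows():
        print(*finding)
```

The same inventory drives the preventive side of the advice above: a camera should be reachable only from the recorder and the management network, and should be allowed to send only to the recorder, so that an "unexpected-egress" finding can be blocked at the firewall rather than merely reported.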
At a time we in India are facing cyber attack challenges from Pakistan and China, it is essential that we take care that our assets are not part of an international botnet that can cause DDOS attacks elsewhere.
Some of these devices may actually be owned and operated by Government agencies where the security awareness may be insufficient. Just yesterday, it was reported that the Digital India website had been hacked, indicating the security vulnerabilities of high-profile websites maintained by the Government. I will therefore not be surprised if there are a number of IP devices, including CCTVs in Government hospitals, Departments, Public sector companies and also with the Police as part of traffic management systems, which are capable of being compromised and made part of the Mirai botnet.
I therefore urge the Government to undertake a study of the security of IP connected CCTVs to start with and secure them before it is too late.
It has been pointed out in these columns that after the recent changes made in the account numbering system in Corporation Bank, there have been many customer service issues. One issue that was pointed out was that though the account numbers were changed a few months back and new cheque books carrying the new account numbers have been issued to the customers, the back-end system has still not been migrated to the new numbers.
As a result, I had pointed out that any NEFT remittance sent to the new account number was not being accepted by the system and was being returned. It was pointed out that this amounted to a “Denial of Service” to the customer, which amounted to both “Deficiency of Service” under the Consumer Protection Act and a cognizable offence under ITA 2008.
Today I observed two other issues. Some of the customers who had linked their Gas Agency accounts to their Corporation Bank account for the purpose of LPG subsidy are finding that the subsidy is not getting credited to their account. This means that the gas agency is sending the payment to the old or new account number, which is getting rejected by the system. If this money goes back to the gas agency, there is a possibility that it can never be recovered from Indian Oil or HP.
I also observed that within the branch, the systems are still working under the old account system, and the system is not able to recall the specimen signatures of the customers with the new numbers. The staff therefore have a problem identifying the old number and picking up the specimen signature before a cheque can be passed.
All this indicates that there is a serious flaw in the implementation of the new account numbering system. First of all, it is not clear why the Bank had to change the account numbering system. They had already migrated from the old manual system to a 15 digit account numbering system which had the IFSC code, the account code and the old account number as part of the number. It was easier to remember and was already in use. The new account numbering system is a completely new set of numbers which does not identify the branch IFSC or the old account number. It appears that whoever provided the core banking system could not use the legacy account numbering system of the Bank and persuaded the Bank to change its account numbering system to suit the deficient core banking system, and this has led to all the problems.
There is an indication that a deficient system was thrust on the Bank without proper technical evaluation. Somebody must be held accountable for this decision, which apparently does not indicate a good business decision.
I will be happy to know from the Bank if this inference is incorrect.
In the meantime, the status of the system gives rise to a possible information security risk which needs to be attended to. If the mapping of the old and new account numbers is not working, then it is quite possible that the linking of the customers’ mobile numbers to their accounts, as well as their Debit and ATM cards, may also get affected. This could result in problems for the customers and phishing opportunities for fraudsters, who may call the Bank’s customers with offers to change the ATM/Debit cards and ask for card details in order to commit frauds.
It is also possible that the accounts may be wrongly linked to other accounts. (Recently I found such a flaw in the NPCI when my HDFC Bank account was linked to an unknown mobile number, which was subsequently corrected on my complaint.) This could result in fraudulent encashments as well as denial of genuine service requests.
There is therefore a need for RBI to make an information security audit of the Corporation Bank system pertaining to the new migration of accounts from the old system to the new system. Additionally, the shareholders of the Bank should demand that the management explain whether the decision to change the systems was warranted by any business requirement or was the result of somebody pulling the right strings.
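The risks named above (an old-to-new mapping that does not work, links that still carry the old number, and a mobile number or card linked to the wrong account) are all things an auditor can test mechanically before the migration is declared complete. The script below is an added example and is not Corporation Bank's system, data or migration tooling; the account numbers, mobile numbers and card reference in it are constructed, and the defects they contain are planted to show what each check reports.

```python
"""Integrity checks for an account-number migration.

Added example; not Corporation Bank's system or data. Every number below is
constructed, and the defects are planted on purpose.
"""
from collections import defaultdict

# constructed mapping: legacy 15-digit number -> new number
OLD_TO_NEW = {
    "001010010000001": "520101000000001",
    "001010010000002": "520101000000002",
    "001010010000003": "520101000000002",   # planted defect: two old accounts collapse onto one new one
}

# constructed links that other systems (mobile banking, cards, the mobile mapper) hold
LINKS = [
    ("mobile", "9900000001", "520101000000001"),
    ("mobile", "9900000002", "001010010000002"),        # still carries the legacy number
    ("mobile", "9900000001", "520101000000002"),        # same mobile also on a second account
    ("debit_card", "card-ref-7788", "001010010000099"),  # legacy number with no mapping at all
]


def resolve(account, old_to_new):
    """Map any account reference (old or new) to its new number, or None if unknown."""
    if account in set(old_to_new.values()):
        return account
    return old_to_new.get(account)


def check_migration(old_to_new, links):
    """Return (issue, subject, detail) tuples; an empty list means the
    mapping is one-to-one and every link resolves to exactly one account."""
    issues = []
    # 1. the old->new mapping must be one-to-one, or two customers share a ledger
    by_new = defaultdict(list)
    for old, new in old_to_new.items():
        by_new[new].append(old)
    for new, olds in sorted(by_new.items()):
        if len(olds) > 1:
            issues.append(("collision", new, tuple(sorted(olds))))
    # 2. the two number spaces must not overlap, or a bare number is ambiguous
    for acct in sorted(set(old_to_new) & set(old_to_new.values())):
        issues.append(("namespace-overlap", acct, ()))
    # 3. every link must resolve; links on legacy numbers are flagged for rewrite
    targets_by_subject = defaultdict(set)
    for kind, subject, account in links:
        target = resolve(account, old_to_new)
        if target is None:
            issues.append(("dangling", f"{kind}:{subject}", account))
            continue
        if account != target:
            issues.append(("stale-link", f"{kind}:{subject}", account))
        targets_by_subject[(kind, subject)].add(target)
    # 4. one mobile number or card must not point at two different accounts
    for (kind, subject), targets in sorted(targets_by_subject.items()):
        if len(targets) > 1:
            issues.append(("ambiguous", f"{kind}:{subject}", tuple(sorted(targets))))
    return issues


if __name__ == "__main__":
    for issue in check_migration(OLD_TO_NEW, LINKS):
        print(*issue)
```

A "stale-link" is the benign case, since the record still resolves and only needs rewriting; "collision" and "ambiguous" are the ones that produce the wrong-customer outcomes described above and should block the cut-over until the mapping is corrected.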
As a part of the Digital India program, the Government of India is encouraging hospitals in India to make use of the “Online Registration System (ORS)” framework to link various hospitals across the country for providing services such as booking appointments, collecting lab reports etc.
The framework will enable an Aadhaar-based eKYC process if the patient’s mobile number is registered with UIDAI.
Presently about 53 hospitals have gone online under this framework. Some of the hospitals that have come on board so far include AIIMS at different places, PGIMER and GMC at Chandigarh, NIMHANS and K.C. General Hospital, Bengaluru, JIPMER, Puducherry, etc. There is no doubt that this is just a small sample of Government hospitals.
At present around 1000-1500 appointments per day are being booked under the system, and since its launch on 1st July 2015, about 448700 appointments have been booked under the system.
There is no doubt that there is a long way to go before the scheme could be called successful.
For Privacy practitioners, it is necessary to realize that even before the HDPSA draft is available to the public, a major initiative to collect and link the hospitals in India on a common portal is under way. The Government has developed an “Online Boarding Manual” as a guideline for hospitals.
At present the appointment registration collects the Sensitive Personal Information of Aadhaar along with the department contacted, the purpose of contact etc., which are also considered health-related information of an individual and hence can be classified as Sensitive Personal Information under Section 43A of ITA 2008, requiring “Reasonable Security Practices”.
It appears that the individual hospitals just link to the ORS portal and the information processing is done at the ORS portal. Hence the Privacy and Security obligations fall on the portal.
In order to understand how the system seems to be used, I checked the NIMHANS OPD website which is one of the users of this framework.
The Privacy policy disclosed and notified on the NIMHANS website relates only to visitors of the website and not to people who seek an appointment. When the appointment link on the NIMHANS website is clicked, it takes the registrant to the ors.gov.in website, where there is no declared Privacy policy.
It is also not clear how the information collected for appointments at the ORS website is re-transmitted to NIMHANS or made accessible to them.
Obviously, the system must be considered as being under a pilot run, and a lot more thought needs to be given to it.
When HDPSA kicks in, these hospitals will suddenly realize that they have already put out a huge chunk of Sensitive Personal Information which ought to have been protected from a back date, and they will be in default from day one.
I hope some responsible persons in the management of these hospitals will take some corrective steps in this regard.