Chroma Key Morphing alleged in Hillary Clinton Video.. A lesson for Cyber Forensic Specialists

Some time back, there was a lot of discussion in India about a video shot at JNU in which, it was alleged, anti-India slogans were raised. There were two versions of the video: one in which there were clear indications that Mr Kannaiah Kumar was involved in the anti-India sloganeering, and another in which he was present but perhaps not participating in it. Similarly, there were two versions of still pictures of the event, one accusing the organizers of putting up anti-India posters and another in which no such posters appeared.

Apart from the political discussion, the episode is of interest to Cyber Forensic people as well, because it shows how a video or a picture can be doctored and why no evidence should be accepted without a discerning evaluation. It is extremely important for everyone to understand that modifying a digital image or video is eminently possible and is often used to create fake pictures that circulate on social media. Sometimes, in the heat of a charged atmosphere, such doctored pictures get circulated and re-circulated in WhatsApp groups and Facebook posts of innocent persons, leading to those persons being hauled up by law enforcement. The arrest of more than 50 persons in Tamil Nadu for allegedly spreading false rumours on Facebook about the health of Jayalalitha is a case in point in recent memory.

In the ongoing US election, where a bitter battle is being fought between Mrs Hillary Clinton and Mr Donald J Trump, a virtual social media war is going on on YouTube. As the mainstream media is supposed to be very much in favour of Mrs Clinton, the Trump camp is more dependent on social media for its campaign. The Trump camp is extensively using YouTube, while Twitter and Facebook are supposed to have been favouring Mrs Clinton; it is alleged that Twitter and Facebook are not showing pro-Trump discussions in the "Trending" category.

Even YouTube was accused of blocking the "streaming facilities" provided to one of the Trump sympathizers, though there are many other YouTube videos that talk about WikiLeaks and Mrs Clinton's alleged misdeeds. There are also plenty of videos on other associates of Mrs Clinton, including President Obama, Michelle Obama, Huma Abedin, her husband Anthony Weiner and so on. All these videos have their own positive and negative influence on the electorate, and therefore it is essential that voters be able to tell truthful videos from fake ones.

It is necessary for us in India to learn from what is happening in the US election, because the same strategies used to produce fake videos may also be used in India when it is election time here, and the Indian Election Commission needs to take up "Cyber Forensic Training" to understand how cyberspace can be misused.

One of the recent videos that attracted my attention was one in which a Cyber Forensic aspect became apparent. We normally know that a digital image is modified using editing software such as Photoshop, which has many features for creating morphed pictures. When it comes to manipulating video, the process is slightly different.

In the JNU video case, it was suspected that the audio stream and the video stream were separated in the video editing software and an alternate audio stream was superimposed on the video stream to create a false video. When you have two video files with the same video stream but different audio streams, it is not easy to find out which is the original and which is the fake.

Police will find it extremely difficult to tell the difference, particularly when they are building up a prima facie case that leads to an intense media trial, in which some "scoot and shoot" politicians specialize.

In the US election, one debate going on is about the health of Mrs Hillary Clinton. One observation is that the injury she suffered to her skull several years back might have created a blood clot near her right ear which sometimes causes her to go into a "seizure"-like condition for a few moments, during which she is unable to control her eye movements. Some say that this is an early symptom of Alzheimer's disease, which makes her physical fitness for the US Presidency suspect.

Recently, there was one YouTube video in which, when Mrs Clinton faced a barrage of simultaneous questions from a few reporters around her, she suddenly seemed to go into a fit. We all know that people who suffer from epilepsy can go into a seizure when exposed to strobing light or even flash bulbs. It appears that Mrs Clinton may be suffering from a similar "audio strobing" trigger for seizures: when a simultaneous volley of questions is hurled at her, her mind cannot process the multiple voices at once and goes into a state of confusion.

While I am not a medical expert and leave speculation about such a possibility to experts in the medical field, I would like to point to one of the videos recently published on YouTube, given below for reference, which is relevant to Cyber Forensics.

What this video says is that in one live interview shot by the NBC channel, Mrs Clinton appeared to go into a seizure and the channel tried to edit the video so as not to present an embarrassing clip to the public. But it is said that the editing was not done properly, and hence the doctoring of the video is evident on close observation.

In many crime thrillers, we have seen a CCTV video hacking method in which a short piece of footage is recorded and played over and over again to hide the real live image. This works well for cheating surveillance cameras normally used in the perimeter security of an important physical asset.

As per the discussions accompanying the above video, it appears that the channel might have used a different technique, using a substitute frame as a "chroma key" to morph the few frames of the video in which Mrs Clinton might have lost control of her eyes. Strictly speaking, chroma keying means replacing every pixel of a chosen key colour in one video layer with the corresponding pixels of another layer, so that a scene appears to be happening in the background: if you see a news reporter reading a report while the background shows live video of a mountain stream, you have seen chroma keying at work. It is a common video mixing technique used by all TV channels. What is alleged here is looser than that: a frame from the same clip composited over the affected frames.

What is special in the above video is that the substituted frame is simply one of the earlier frames of the same video. I find this an interesting morphing technique which we as forensic analysts need to take note of, so that we are not fooled by such videos if we come across them. I want law enforcement to specially analyze this technique, and how to detect it quickly, to check possible misuse of social media through doctored videos.
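The trace that this kind of editing leaves is measurable: genuine camera footage carries sensor noise and small motion, so no two consecutive frames are ever exactly alike, whereas a frame pasted over several others produces a run of near-identical frames that also match an earlier, non-adjacent frame. The following is an added example, not code from the original post, of how a forensic analyst could look for both signs. Frames are modelled as flat lists of 8-bit grey values so that it runs without a video library; the frame sequence, the pasted-frame positions and the thresholds are constructed for the example, and a real tool would decode frames with ffmpeg or OpenCV and pass them to the same functions.

```python
"""Flag runs of frozen or re-used frames in a video sequence.

Added example, not from the original post. Frames are flat lists of
8-bit grey values (WIDTH x HEIGHT); thresholds and sample data are
constructed for illustration.
"""
import random

WIDTH, HEIGHT = 8, 8


def mean_abs_diff(a, b):
    """Average per-pixel difference between two frames of equal size."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def find_frozen_runs(frames, max_diff=1.0, min_run=3):
    """Return (start, end) index pairs for runs of at least min_run
    consecutive frames whose pairwise difference is at most max_diff.

    Sensor noise keeps consecutive frames of real footage apart, so a
    near-zero difference sustained over several frames is the
    signature of a still frame being held on screen.
    """
    runs = []
    start = 0
    for i in range(1, len(frames) + 1):
        if i == len(frames) or mean_abs_diff(frames[i - 1], frames[i]) > max_diff:
            if i - start >= min_run:
                runs.append((start, i - 1))
            start = i
    return runs


def find_recurrences(frames, max_diff=1.0):
    """Return (index, source) pairs where frame `index` matches an
    earlier, non-adjacent frame `source` (earliest match wins).

    A pasted-over frame matches the frame it was copied from even
    though other frames separate the two in the timeline.
    """
    hits = []
    for i in range(2, len(frames)):
        for j in range(0, i - 1):
            if mean_abs_diff(frames[j], frames[i]) <= max_diff:
                hits.append((i, j))
                break
    return hits


def make_sample_frames(n=30, paste_from=10, paste_over=(15, 20), seed=7):
    """Constructed sample: n noisy frames of a static scene, with frames
    paste_over[0] .. paste_over[1]-1 replaced by a copy of frame
    paste_from, mimicking the editing alleged in the post."""
    rng = random.Random(seed)
    scene = [(r * 8 + c * 3) % 200 for r in range(HEIGHT) for c in range(WIDTH)]
    frames = []
    for _ in range(n):
        # +/-8 levels of per-pixel noise, as a cheap stand-in for sensor noise
        frames.append([max(0, min(255, p + rng.randint(-8, 8))) for p in scene])
    for k in range(*paste_over):
        frames[k] = list(frames[paste_from])
    return frames


SAMPLE_FRAMES = make_sample_frames()

if __name__ == "__main__":
    print("frozen runs:", find_frozen_runs(SAMPLE_FRAMES))      # [(15, 19)]
    print("re-used frames:", find_recurrences(SAMPLE_FRAMES))   # each of 15..19 -> 10
```

Two caveats apply when this is run on real material. A frozen run on its own is also what a legitimate freeze-frame or a station graphic produces, so it is a lead to be examined, not proof of doctoring; and because broadcast video is recompressed, exact matches will not survive, which is why the comparison uses a tolerance rather than a hash. The audio track should be examined alongside: in a pasted-frame edit the sound usually continues naturally while the picture stands still.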

I invite forensic specialists to comment on this video and the strategy discussed, with an eye on how law enforcement can detect such doctored videos.

Needless to say, producing and publishing such videos would be an offence under ITA 2008, and channels would be liable for criminal prosecution either directly or as an "intermediary who did not practice due diligence".

Naavi


Mirai Botnet brings down Liberia’s Internet.. What do we learn?

The DDOS attack on the DNS provider Dyn on October 21, with traffic reported at around 1.2 terabits per second directed from an estimated 100,000 compromised CCTV cameras and DVRs working as a botnet, shook up the US internet and brought down many critical services. (Dyn, headquartered in New Hampshire, offers DNS services that resolve internet names to addresses, and when it failed users were unable to reach several popular websites.)

(Report in Wired.com.) (Also see the earlier report on the OVH attack in naavi.org.)

While DDOS attacks on DNS service providers and others are not new, what attracted attention in this case was that the botnet consisted not of compromised computers but of CCTV cameras and DVRs working within many corporate networks and public utilities. These devices, working over IP connections, send the images they capture to a central server, and being video the data volume is large. Most of these devices are configured with the default password supplied by the manufacturer, which is either publicly known or easily guessed, and Mirai logs into them over telnet using exactly such a short list of factory default usernames and passwords.

Such devices, together with their IP addresses, are easily searchable in search engines such as Shodan, and are therefore easy fodder for those trying to do mischief.

In fact, just a few weeks earlier, a similar attack had been launched on OVH, a web hosting company. The attack on OVH failed to evoke preventive steps, which led to the next attack, on Dyn. Even now, a Shodan search spits out the IP addresses of about 27000 cameras in Germany, 26000 in the US and about 1000 in India. The malware brute-forces the telnet login of such devices with its list of default credentials and then makes the infected devices flood the target with traffic on command; the camera feeds themselves are not diverted, the devices simply generate attack traffic in addition to their normal work.

The Shodan search engine also showed 48 banking hosts in India whose IP addresses could be easily obtained for further analysis. Maybe these are not exploitable, but it indicates how internet facing devices may easily be open to attacks from unknown persons. While servers used by banks and other responsible users may have strong passwords which cannot be easily broken, the same cannot be said of IoT devices used by common people.

The "Mirai" malware is one of the tools with which these DDOS attacks are being carried out. One can see the latest Mirai attack map (fossbyte.com) and how the attacks are spread all over the globe, including India.

Now the news has just come that the latest Mirai botnet attack has brought down the internet in the West African country of Liberia (see report here). Later reporting disputed the claim that the whole country was cut off, the attack appearing to have been aimed at one of the country's mobile operators. This could be a test attack and may be followed by another attack elsewhere soon.

In the map above India is showing a huge number of attacks.

A realtime map of Mirai botnet infection activity shows intense activity in India, including around Bangalore. How these infections will play out is anybody's guess. If there are further DDOS attacks in which the infected devices participate, there would be a "Cyber Crime" incident and possible prosecution under Section 66 read with Section 79 of ITA 2008.

If the attack is a nation-crippling one like the attack on Liberia, the owners of such devices could be exposed to the charge of taking part in a "Cyber Terror Attack" or a "Cyber War" on an otherwise friendly country.

Information security professionals in companies where any internet facing devices are in use need first to check whether these devices are secured from external attack: change the default credentials, disable telnet where it is not needed, and keep the devices off the public internet. Each CCTV device exposed over IP should be secured like a "server" containing "confidential data".
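Besides checking each device's configuration, a network can be watched for the behaviour that an already-infected device exhibits: Mirai, as described above, spreads by trying telnet logins (TCP 23, and sometimes 2323) against many hosts, so an internal camera or DVR making outbound connection attempts to dozens of different addresses on those ports has almost certainly been taken over, whatever its owner believes. The following is an added example, not code from the original post or from any product, of that check run over a firewall connection log. The log lines, the key=value format, the addresses and the threshold are all constructed for the example; the regular expression would be adjusted to whatever format the gateway in use actually writes.

```python
"""Pick out internal hosts sweeping telnet the way a Mirai-infected
device does. Added example; log format, addresses and threshold are
constructed, not taken from any real product or incident."""
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}

# Constructed sample log: 192.168.10.21 (a CCTV DVR) sweeps 25 hosts on
# telnet ports, 192.168.10.5 (an admin workstation) and 192.168.10.40 make
# a few ordinary connections, including one legitimate telnet session.
SAMPLE_LOG = "\n".join(
    ["2016-11-05T10:00:%02d src=192.168.10.21 dst=203.0.113.%d dport=%d proto=tcp"
     % (i, i + 1, 23 if i % 4 else 2323) for i in range(25)]
    + [
        "2016-11-05T10:01:00 src=192.168.10.5 dst=198.51.100.7 dport=22 proto=tcp",
        "2016-11-05T10:01:02 src=192.168.10.5 dst=198.51.100.8 dport=23 proto=tcp",
        "2016-11-05T10:01:05 src=192.168.10.5 dst=198.51.100.9 dport=443 proto=tcp",
        "2016-11-05T10:01:09 src=192.168.10.40 dst=198.51.100.10 dport=80 proto=tcp",
    ]
)

# Hypothetical key=value layout; change to match the gateway's real format.
LINE_RE = re.compile(r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def telnet_targets_by_source(log_text):
    """Map each source address to the set of distinct destinations it
    tried to reach on a telnet port. Lines that do not parse are skipped."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if int(m.group("dport")) in TELNET_PORTS:
            targets[m.group("src")].add(m.group("dst"))
    return targets


def find_scanners(log_text, min_targets=10):
    """Return {source: distinct telnet targets} for sources that touched at
    least min_targets different hosts on telnet ports. One or two telnet
    connections are normal admin work; a fan-out to many hosts is a scan."""
    return {src: len(dsts)
            for src, dsts in telnet_targets_by_source(log_text).items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, count in find_scanners(SAMPLE_LOG).items():
        print("possible Mirai infection: %s tried telnet on %d hosts" % (src, count))
```

The count is of distinct destinations rather than of connections, so that one device re-trying a single host is not mistaken for a sweep, and the threshold is deliberately low because an uninfected camera has no reason to open telnet to anyone at all. Any host this flags is a candidate for immediate isolation and a factory reset with a new password, since Mirai runs from memory and a reboot alone leaves the device open to reinfection within minutes.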

At a time when we in India are facing cyber attack challenges from Pakistan and China, it is essential that we take care that our assets are not part of an international botnet that can cause DDOS attacks elsewhere.

Some of these devices may actually be owned and operated by Government agencies where security awareness may be insufficient. Just yesterday, it was reported that the Digital India website had been hacked, indicating the security vulnerabilities of high profile websites maintained by the Government. I will therefore not be surprised if a number of IP devices, including CCTVs in Government hospitals, departments and public sector companies, and with the police as part of traffic management systems, are capable of being compromised and made part of the Mirai botnet.

I therefore urge the Government to undertake a study of the security of IP connected CCTVs to start with and secure them before it is too late.

Naavi


RBI should do a security audit of Corporation Bank new IT system

It has been pointed out in these columns that after the recent change in the account numbering system at Corporation Bank there have been many customer service issues. One issue pointed out was that though the account numbers were changed a few months back and new cheque books carrying the new account numbers have been issued to customers, the back end system has still not been migrated to the new numbers.

As a result, I had pointed out, any NEFT remittance sent to the new account number was not being accepted by the system and was being returned. It was pointed out that this amounts to a "denial of service" to the customer, which constitutes both a "deficiency of service" under the Consumer Protection Act and a cognizable offence under ITA 2008.

Today I observed two other issues. Some customers who had linked their gas agency accounts to their Corporation Bank account for the purpose of the LPG subsidy are finding that the subsidy is not getting credited to their account. This means that the gas agency is sending the payment to the old or new account number and the system is rejecting it. If this money goes back to the gas agency, there is a possibility that it can never be recovered from Indian Oil or HP.

I also observed that within the branch the systems are still working under the old account numbers, and the system is not able to recall customers' specimen signatures by their new numbers. The staff therefore have to identify the old number and pick up the specimen signature before a cheque can be passed.

All this indicates a serious flaw in the implementation of the new account numbering system. First of all, it is not clear why the bank had to change the numbering at all. It had already migrated from the old manual system to a 15 digit account numbering system which had the IFSC branch code, the account code and the old account number as part of the number. It was easier to remember and was already in use. The new account numbering system is a completely new set of numbers which identifies neither the branch nor the old account number. It appears that whoever supplied the core banking system could not use the bank's legacy numbering and persuaded the bank to change its account numbers to suit a deficient core banking system, and this has led to all the problems.

There is an indication that a deficient system was thrust on the bank without proper technical evaluation. Somebody must be held accountable for this decision, which apparently was not a good business decision.

I will be happy to know from the Bank if this inference is incorrect.

In the meantime, the present state of the system gives rise to a possible information security risk which needs attention. If the mapping between old and new account numbers is not working, it is quite possible that the linking of customers' mobile numbers to their accounts, as well as of their debit and ATM cards, may also be affected. This could result in problems for customers and phishing opportunities for fraudsters, who may call bank customers with offers to change their ATM/debit cards and ask for card details in order to commit fraud.

It is also possible that accounts may be wrongly linked to other accounts. (Recently I found such a flaw at NPCI, where my HDFC Bank account was linked to an unknown mobile number; it was corrected on my complaint.) This could result in fraudulent encashments as well as denial of genuine service requests.
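The two failure modes described above, a credit that bounces because the number cannot be resolved and a credit that lands in the wrong account because the mapping is ambiguous, are exactly what a reconciliation of the migration table should catch before any payment is posted. The following is an added example, not code from the original post and not a description of Corporation Bank's actual system, of such a check. The migration table, the account numbers and the inbound credit references are constructed for the example.

```python
"""Reconcile an old->new account number mapping and classify inbound
credits that quote either number. Added example with constructed data;
it does not describe any bank's real migration."""
from collections import defaultdict

# Constructed migration table: old account number -> new account number.
MAPPING = [
    ("520101000123", "123456789012"),
    ("520101000124", "123456789013"),
    ("520101000125", None),            # migration never assigned a new number
    ("520101000126", "123456789015"),
    ("520101000127", "123456789015"),  # two old accounts mapped to one new number
]

# Constructed inbound credits (NEFT, LPG subsidy) quoting an account number.
INBOUND = [
    ("neft-1", "520101000123"),   # old number, cleanly mapped
    ("neft-2", "123456789013"),   # new number, cleanly mapped
    ("lpg-1", "520101000125"),    # old number that has no new number
    ("neft-3", "123456789015"),   # new number claimed by two old accounts
    ("neft-4", "999999999999"),   # known to neither system
]


def reconcile(mapping):
    """Build lookup tables and list the two integrity failures that matter:
    old accounts left without a new number, and new numbers assigned to more
    than one old account (a credit to such a number could be posted to the
    wrong customer)."""
    old_to_new = {}
    new_to_old = defaultdict(list)
    unmapped = []
    for old, new in mapping:
        if new is None:
            unmapped.append(old)
            continue
        old_to_new[old] = new
        new_to_old[new].append(old)
    duplicates = {new: olds for new, olds in new_to_old.items() if len(olds) > 1}
    return {"old_to_new": old_to_new, "new_to_old": dict(new_to_old),
            "unmapped": unmapped, "duplicates": duplicates}


def resolve(reference, recon):
    """Resolve a quoted account number to (status, new_number). Only "ok"
    should ever be posted; "ambiguous" and "unmapped" must raise exceptions
    for manual handling rather than bouncing or being guessed at."""
    if reference in recon["old_to_new"]:
        new = recon["old_to_new"][reference]
        return ("ambiguous", new) if new in recon["duplicates"] else ("ok", new)
    if reference in recon["unmapped"]:
        return ("unmapped", None)
    if reference in recon["new_to_old"]:
        return ("ambiguous", reference) if reference in recon["duplicates"] else ("ok", reference)
    return ("unknown", None)


def classify_inbound(inbound, mapping):
    """Map each inbound credit id to its resolution status."""
    recon = reconcile(mapping)
    return {ref_id: resolve(acct, recon)[0] for ref_id, acct in inbound}


if __name__ == "__main__":
    recon = reconcile(MAPPING)
    print("old accounts without new number:", recon["unmapped"])
    print("new numbers shared by several old accounts:", recon["duplicates"])
    for ref_id, status in classify_inbound(INBOUND, MAPPING).items():
        print(ref_id, "->", status)
```

The point of separating "ambiguous" from "ok" is that a core banking system which silently posts to the first matching account turns a data migration defect into a fraudulent encashment path; an auditor should expect both the duplicate and the unmapped lists to be empty before the cut-over, and every credit to resolve to "ok".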

There is therefore a need for RBI to carry out an information security audit of the Corporation Bank system pertaining to the migration of accounts from the old system to the new. Additionally, the shareholders of the bank should demand that the management explain whether the decision to change the systems was warranted by any business requirement or was the result of somebody pulling the right strings.

Naavi

 


Online Registration System for Indian Hospitals.. No Privacy Policy?

As a part of the Digital India program, the Government of India is encouraging hospitals in India to make use of the "Online Registration System" (ORS) framework to link various hospitals across the country for services such as booking appointments, collecting lab reports, etc.

The framework enables an Aadhar based eKYC process if the patient's mobile number is registered with UIDAI.

Presently about 53 hospitals have gone online under this framework. Hospitals that have come onboard so far include AIIMS at different places; PGIMER and GMC, Chandigarh; NIMHANS and K.C. General Hospital, Bengaluru; JIPMER, Puducherry; etc. There is no doubt that this is just a small sample of Government hospitals.

At present around 1000-1500 appointments per day are being booked under the system, and since its launch on 1st July 2015 about 448700 appointments have been booked.

There is no doubt that there is a long way to go before the scheme could be called successful.

For Privacy practitioners, it is necessary to realize that even before the HDPSA draft is available to the public, a major initiative to collect data from and link the hospitals of India on a common portal is underway. The Government has developed an "Online Boarding Manual" as a guideline for hospitals (details available here).

At present the appointment registration collects the Aadhar number, which is Sensitive Personal Information, along with the department contacted, the purpose of the contact, etc., which are also health related information about an individual and hence can be classified as Sensitive Personal Information under Section 43A of ITA 2008, requiring "Reasonable Security Practices".

It appears that the individual hospitals just link to the ORS portal and the information processing is done at the ORS portal; hence the Privacy and Security obligations fall on the portal.

In order to understand how the system is being used, I checked the NIMHANS OPD website, which is one of the users of this framework.

The Privacy policy disclosed on the NIMHANS website relates only to visitors of the website and not to people who seek an appointment. When the appointment link on the NIMHANS website is clicked, it takes the registrant to the ors.gov.in website, where there is no declared Privacy policy.

It is also not clear how the information collected for appointment at the ORS website is re-transmitted to NIMHANS or made accessible to them.

Obviously, the system must be considered to be in a pilot run, and a lot more thought needs to be given to it.

When HDPSA kicks in, these hospitals will suddenly realize that they have already collected a huge chunk of Sensitive Personal Information which ought to have been protected from an earlier date, and they will be in default from day one.

I hope some responsible persons in the management of these hospitals would take some corrective steps in this regard.

Naavi


Cyber Security Issues dominate US Election

Cyber issues have never dominated an election process as much as they have the US Presidential election of 2016. Whether Trump will win or Hillary will prevail depends on how the cyber activities in the US have affected the electoral mind.

The early use of "Information Technology" in elections was in India, in the form of electronic voting machines (EVMs). Naavi.org has discussed the issue of Cyber Law Compliance in EVMs in the past and has also suggested methods of overcoming the compliance issues. (Check here.)

PIL complaints were filed in this regard, and there was a demonstration of the hackability of the EVM for which one activist was even arrested. Even Mr Subramanya Swamy had undertaken some activity in discussing the legality of EVM usage. But nothing came of these discussions, and the discussion is now in the past.

Some improvements have been made and EVMs have been accepted in Indian electoral process with whatever manual checks and balances that have been built to prevent its misuse.

In more recent days, the point of discussion in India has been the use of social media for election campaigns. Mr Modi was the first to make effective use of "Social Media" to take his messages across, and "Digital Campaigning" became an integral part of election campaigning in India. Of the other parties, AAP also made good use of social media to carry its message across.

What we are now seeing in US elections is however a different type of discussion.

First, the discussion was about Mrs Hillary Clinton's inability to secure her official e-mails while she was Secretary of State and her use of a private e-mail server. Her e-mail correspondence was subsequently laid open to public gaze, with WikiLeaks publishing large sets of related e-mails. Obviously, this included many e-mails on US policies on international relations and other private correspondence which, her rivals say, revealed her duplicity and political maneuvering. This has become an issue defining her character and her suitability for the Presidency.

Mrs Clinton's team has blamed Russian hackers for this hack, indicating that the issue is more like a cyber war to influence the result of the election in favour of Mr Donald Trump. Nobody is saying that the e-mails do not exist; the complaint is only that they have been revealed in a wrong manner.

However, what complicated the issue is that Mrs Clinton, after receiving a Congressional subpoena to hand over the e-mails, proceeded to delete over 33000 of them. This directly amounted to tampering with evidence and became an independent offence in itself, completely unrelated to the content of the e-mails. Some of the e-mails that have surfaced now also indicate that there was full knowledge that the e-mails contained incriminating evidence and that they were deliberately deleted.

It appears judicially infeasible to defend this action unless the Judiciary turns a blind eye for political reasons.

Additionally, in an unrelated investigation into child pornography on the laptop of a person whose wife was an aide to Mrs Clinton, a set of e-mails (650,000 in number) related to Mrs Clinton seems to have surfaced. The speculation is that these e-mails were kept as a backup to secure the person against any adverse action by Mrs Clinton (in other words, as a tool of self-defence by blackmail).

The fact that the FBI had reportedly closed the e-mail case earlier and has now indicated that it is reopening it suggests there may be some substance in the allegations. The FBI may also have wanted to hedge itself against a possible Trump win, which could make it complicit in a criminal offence for its earlier action of closing the case prematurely.

The developments indicate

a) negligence in securing the e-communications of a Government official,

b) hacking by a foreign Government and hacktivists, and tampering with evidence,

c) child pornography, etc., all different kinds of cyber crimes.

Besides, there could be corruption issues revealed in the relationship between donations made to the Clinton Foundation and any quid pro quo.

If Mrs Clinton wins, there will be further discussion on a cover-up by the Government or the impeachment of the President, both of which will occupy public discussion space for years to come.

We in India have heard several serious allegations of a similar nature against the previous UPA Government. But these have now taken years of investigation by the CBI without reaching a conclusion. Possibly US justice could be faster.

But it is difficult to expect the US DOJ to go against an elected President. If Mr Trump wins, whatever the FBI or DOJ does will be dubbed "vindictiveness", as we frequently hear in India.

In the next 7 days to the election, it is expected that WikiLeaks could come out with more revelations that could damage Mrs Clinton, and hence the stock markets are already pricing in a probable victory for Donald Trump.

Whatever the political outcome, these developments will be a watershed moment in national elections, and every other country, India included, needs to take note that foreign Governments may use their cyber war capabilities to change the electoral outcome in enemy countries.

India is exposed to similar risks from China, which, in supporting Pakistan, would like the Congress to come back to power at the centre and Mr Modi to lose. Probably planning is already in progress in Chinese cyber war rooms, and we may see a test run of it during the January polls.

I therefore caution the Central Government to take the necessary counter measures to ensure that China cannot interfere in the Indian electoral process by hacking into the Jandhan yojana, the NPCI or the GST system.

Do we have the skill and the will? Or do we continue with the "All is Well" and "Chalta Hai" attitude? Only time will tell.

Naavi


Automation in Healthcare Requires Manual Override for security

Two incidents reported yesterday at two different hospitals highlight the risk in automating health care processes and the criticality of information security.

In one of the incidents, a virus left three hospitals in disarray, with all routine operations and outpatient appointments cancelled. (Read the story here.)

The virus infection hit the Northern Lincolnshire and Goole NHS Foundation Trust (NLAG). Because of shared services, a second trust, United Lincolnshire Hospitals NHS Trust (ULHT), also had to cancel operations.

Hopefully this is more like a "denial of medical services", and unless some of the cancelled operations were time critical, the damage may be contained with some inconvenience.

But the incident highlights how a normal information security incident becomes "life threatening" in a health care scenario, making information security that much more of a critical care issue.

There was another incident, also of concern, which shows how human intervention should always be on standby when automation is used in health care.

This incident (see report here) occurred during a robotic surgery at Tokyo Medical University Hospital, when a laser beam being used in the surgery caused a fire. The cause was, unfortunately, the patient passing intestinal gas during the surgery. The gas, being inflammable, was ignited by the laser beam and caused severe burns to the 30 year old woman undergoing ovarian surgery.

This fire incident may not directly be called an "information security incident", but it must be recognized that the robotic surgery system was not equipped to stop the laser beam instantly when the surrounding environment changed due to an unforeseen event.

The incident is comparable to the automatic braking system of a Google car failing when a crash is imminent. It must be attributed to a failure of the safety system in the automation of the health care process.

This could eventually be considered "negligence" of the "system", and the company manufacturing the equipment and the user (hospital) may be held negligent as an "intermediary" and have to bear the liabilities.

When HDPSA is drafted, it will incorporate certain aspects of the "Telemedicine Act" once contemplated in India and later abandoned, which had elaborate provisions for the registration and monitoring of medical equipment manufacturers.

Naavi
