Naavi.org

The recently released Cyber Crime study released by Symantec captures the status of the Internet risks in 2014. Titled Internet Security Report (ISTR 20), the report with its annexures provides an indepth insight into the threats and vulnerabilities that most of us face on a day to day basis.

The first thing that any observer of Internet should note is that the study points out that in 2014, there were more than 317 million new pieces of malware created during the year meaning that there were nearly 1 million each day (leaving Sundays).

What is equally alarming is that the study points out that Symantec data base of vulnerabilities consist of 66400 recorded vulnerabilities from 21300 vendors representing over 62300 products.

With such a huge number of vulnerabilities in genuine software and the vast number of threats, the Cyber Risk poses an enormous challenge to everybody.

The report in fact marks that the year 2014 was notable because of the high profile “Vulnerabilities” such as “Heartbleed”, “ShellShock” and “Poodle”.

Another interesting observation that the study points out that apart from focussing on exploitation of Zero day Vulnerabilities, attackers moved much faster to exploit published vulnerabilities than the defenders moving in to release patches.

During the year 24 Zero Day vulnerabilities were discovered. Vendors took 204 days, 22 days and 53 days to release patches for the three top Zero day vulnerabilities. Top 5 Zero day vulnerabilities were used by attackers actively for a combined 295 days before patches were available. In 2013 this period on an average was only 4 days highlighting the increasing risk that the community faced during the year due to the inefficiency of the software industry.

These findings indicate that there is a lot of ground that the industry has lost to the Cyber Crime industry and this needs to be recovered.

We need to analyse the report in greater depth to understand how the growth of Mobile apps on the one hand and Cyber terrorism on the other has contributed to the growing insecurity in the Cyber world.

The findings of this report will inevitably have an impact on the Cyber Insurance industry which needs to take a re-look at its policies. premia etc.

(More details of the report would be discussed in the forthcoming articles)

Naavi

Today, I received a telephone call from the mobile number 90699 35661 which appears to be an attempted fraud. I am placing this for public attention so that people donot respond to the call. At the same time, the Internet Service Provider involved namely, Videocon is being notified for necessary corrective action.

The caller who was a lady made a call to my mobile at 14.50 hours and stated that she was calling from Consumer Court in Delhi and was informing that a 420 case has been filed on me. When I asked for the name of the person and further details of which court, she disconnected.  Afterwards, when I tried to call back, there was no response.

Some of my friends have subsequently informed me that they are aware of such calls and in one case the caller suggested help to resolve the case through a lawyer and wanted the person to contact the lawyer.

I would like the public to be informed of such fraudulent calls and request them not to respond.

I also hereby give public notice to the Mobile Service Provider which according to information taken from the web appears to be Videocon in Himachal Pradesh that this incident indicates that they are abetting a crime by providing facilities of telephone connectivity to the fraudster.

I am expecting them to take action to deactivate the account to prevent any further frauds.

I also expect Police in the relevant area to take suo moto action since this is not an isolated attempt but is an organized syndicate that is running a call center to commit such frauds. I wish some responsible police officer takes up this case and busts the racket.

Naavi

As could be expected after any global catastrophic event, the ISIS attack in Paris has also given raise to fraudulent e-mails. Some of them could be hoax emails and some could be carrying malware prompting the receiver to click on a link.

Public should be careful not to fall prey to such e-mails.

Some of these e-mails or messages are also circulating in WhatsApp.

Some of the reported hoax mails/messages  are:

1. Singapore  PoliceNotice

2. We All Paris Hoax

These may be considered as indicators of what is to be expected. Some of the fraudsters will include spear phishing mails which may say some thing as follows :

” Police in Paris identify an employee of xxx company as a suspect of Paris attacks. Click here for the photo released by the Police.”

Such an email may be sent to all employees of an organization named in the e-mail prompting them to immediately open the e-mail and see which of their colleague is a suspect and invite a malware.

Public should therefore be extremely careful to avoid opening any attachments in an e-mail and also avoid circulating hoax mails in the belief that it is true. Such forwards may entrap the receivers since they would consider it as a message coming from a known person.

Naavi

The Paris Attack of 13/11 (2015) by ISIS would be an event which will change the face of earth. On the one hand, it has galvanized France and other nations including Russia which suffered an attack a few days back in the form of a bomb on a plane, into an all out war on ISIS on ground. At the same time it has galvanized the powerful group of Anonymous Hacker Group to take down the Cyber Assets of ISIS.

It looks a little strange that one group of mercenaries who have enemies all around them including the neighboring Muslim states of Syria and Iraq can threaten the whole world and challenge countries such as France, UK, USA and Russia all at one time. But the power of “Terrorism” is such that as an asymmetric warfare  it has the power to challenge the conventional forces with greater fire power. The difference lies in the motivation to fight and the unconventional methods used to strike.

For these countries who fought two world wars as allies, this is the “Third World War” unfolding in the form of ISIS. It appears that they have a renewed resolve to fight ISIS after the Paris attack. But one has to wait and see how long this enthusiasm lasts. Will the allies go for the complete control of the ISIS controlled land like what Sri Lanka successfully did against LTTE or back off at some point of time for their own reasons, is difficult to foresee. But it can be expected that as the Allied forces succeed in pushing back the ISIS in the physical world, they will increasingly go underground, spread out and start attacking the world in a series of terrorist attacks.

Breaking the link to the command and control center over such distributed terrorists and starving them of money and ammunition would be an important requirement if these terrorists  need to be neutralized. It is in this context that winning the Cyber war against ISIS is as important as winning the war on land.

It is therefore interesting for us to watch the Cyber War that is unfolding between the Anonymous Hacker Group and ISIS. The Hacker Group has issued a statement that they would hunt down and destroy the ISIS on Cyber Space. (Read article here). It is reported today that the Hacker group has already brought down over 5500 twitter handles in the last two days. But this should be only the starting point. What is important is whether the terror plans can be disclosed before execution and forced into failed or abandoned missions.

The Group has also released a guideline on how to proceed hacking into ISIS assets. (See the report here)

During the Post Paris attack investigations, it has been speculated that the terrorists might have used Sony Play Station 4  game console for in-game communication to plan and execute the attacks. It is given that execution of any major coordinated terror attack (which some have called the Wolf pack attack) requires extensive planning and therefore a good stealth communication channel that can be sustained over a period of time.

Some experts donot agree that PS4 was used for communication in this case. It does not actually matter if PS4 was used or not used in this attack for communication. But the possibility of the “Video Gaming” platform being used for communication cannot be ruled out. In future these communication channels need to be monitored by the intelligence agencies to get the scent of what is brewing in the terror camps. Apart from the Sony Play Station or X-Box type of gaming consoles, there are many online gaming sites where groups can be formed apparently for a gaming situation and messages exchanged. It would be a near impossible task for the intelligence agencies to monitor such communication on real-time.

However, it should be possible to develop necessary algorithms to monitor the pattern of group formation and communication in these game situations to flag any suspicious activities that can be taken up for monitoring on an exception basis. Probably the companies such as Sony and Microsoft themselves may develop such tools to monitor the misuse of their properties.

Presently Sony Play Station privacy statement does provide that it retains the right to monitor and record the communication between the users of Play Station Network. This indicates that they do have the necessary backdoors that can be activated for monitoring user’s activities.

Creating an automated system of analytics is a logical step ahead given the fact that there are over 110 million users of which 65 million are active at any point of time. This is a Big Data challenge that needs to be overcome and would be over come perhaps in the immediate future.

It is also considered possible that terrorists may super impose cryptographic techniques to hide their messages. But such techniques  can hide the messages but not the suspicious pattern.

Breaking the communication network of ISIS is an important step in winning the Cyber War and whether the Anonymous Hackers can go beyond the taking down of twitter accounts into monitoring and revealing terror plans in advance to the law enforcement will determine to what extent the Hackers can help destroy ISIS as an organization that can survive beyond the physical annihilation that the Allies can inflict on ground.

Another significant part of the Cyber Warfare is to trace the monetary assets of ISIS on the cyber space and destroying them.  It is worth watching if Anonymous Hackers can attack the financial assets of ISIS and starve them of their funds.

While the Allies are expected to fight the war both in the physical space and the cyber space, the Anonymous hackers will fight only on the Cyber Space. But their contribution to winning this war for the sake of humanity in general is very important and history will recognize this contribution if it succeeds.

Technology is known to create problems and it is time technology also finds solutions to benefit the mankind. Hactivists now have a point to prove. Let’s see whether they can walk the talk.

Naavi

In the early days of E Commerce development, the undersigned had been a great fan of the “Brick and Click” strategy for business development. The idea was to leverage the strength of the physical presence of a business with the business potential in the cyber society . It was also considered that this strategy would  insulate the business from emerging competition in any one of these two domains and forces the challenger to also come up with a multi domain expertise. Some of services proposed by Naavi such as the CEAC, Cyber-Notice.com, etc are all trying to build themselves on this principle.

One of the developments that catches my eye now is the emergence of a mobile App named “Zopper”. This is an app which tries to challenge the hold that pure e-commerce players such as Flipkart have established in certain markets. It is an idea to leverage the “Reputation of Physical Presence” with the “Convenience of E-Presence”.

In simple terms, it is an aggregation service that enables the local stores find a presence on the e-space. Just as Practo gets doctors into the e-fold, Ola Auto gets the Autorikshaw drivers on the band wagon of mobile space, Zopper has the declared objective of bringing the local stores into the e-wagon. It is a good service to these less tech savvy retailers who otherwise need the assistance of an elaborate technical team to get onto the e/m-space.

(Disclaimer: This is not a promotion of Zopper app).

After the recent debacle of BJP in Bihar, I recall the number of times I have raised the issue of Chandrababu Naidu’s earlier experience of losing an electoral battle despite wonderful contribution in the IT space in Hyderabad.  Even in future Modi’s Digital India dream will continue to face these challenges. The Land Acquisition Bill has already been grounded. The GST bill is unable to make progress. Congress will continue to oppose every progressive step that the Government initiates and soon the Congress will start attacking Modi’s Digital India project.

I have been warning the Government that if there is any large scale information security breach and losses to the common people through aadhar misuse or credit/debit/ATM card misuse, then the blame will be placed on this Government. I will not be surprised if the opposition parties arrange a major hacking attack of the JanDhan scheme beneficiaries just before 2019 Loksabha elections to discredit this program on which Modi places repeated emphasis.

Hence I feel that not focussing on proper strategies for the Digital India will be harmful to the future of Mr Modi and for the development of India. Such strategies will be both on the aspect of “Security” which I have been highlighting on “Secure Digital India” concept but also on what kind of business/Governance can be run on e-commerce/e-Governance platform and how.

I find Zopper type of Apps as a tool to ensure that the “FDI policy in retail” will not harm the local retailers. Similarly, the price rise of Rice and Dhal which was one of the factors that affected BJP along with Caste equations can also be tackled by a proper E-PDS policy implemented through Zopper type of network of retailers who can distribute Dhal and Rice at reasonable prices to the public (Including the middle class).

If properly implemented, the Government can implement a Public Distribution System for Middle Class (PDS-MC) as a separate system at fraction of the cost of the current Public Distribution System for BPL families which can continue in its present form. The PDS-MC can focus on such goods as the Middle Class families may require and offer it at a reasonable price with assurance of quality and reliability. It could be like the old concept of Janata Bazaar. The SMEs and Public Sector enterprises may use this platform for marketing their products in direct competition with the Flipkarts, Snapdeals, Amazons as well as the Big Baskets, Pepperfrys or Peppertaps. Once the network of the local stores on the e/m-space gets established, Government can even think of FDI in multi brand retail without any backlash from the market or the political adversaries.

Just as there is a disruption in the finance sector with the mobile wallets, let there be a revolutionary disruption in the retailing segment through the e-Janata Bazaars.

I am confident that if properly handled, these  e-Janata Bazaars can work towards reducing the consumer price of essential commodities to the levels of 2014 when Mr Modi took over and restore the lost confidence in the Modi Government in part of the electorate.

Naavi