Business Daily from THE HINDU group of publications
Monday, Apr 30, 2007
eWorld - Security
Columns - Security Musings
Tech vs the underworld

R.K.Raghavan

Only the watchful computer user can keep crime at bay, as recent happenings reinforce. Are you looking sharp?


DON'T LET UP on the vigil. S. James

The ongoing investigation into the passport/visa racket linking a few Members of Parliament with some unscrupulous Hyderabad and New Delhi travel agents is a revelation of sorts.

The facts emerging do not surprise a hardboiled policeman like me. The average citizen who thinks the world of all our security arrangements in the public domain should, however, be aghast that such a thing can happen when enforcement agencies claim that they have a nearly foolproof system in place to check the antecedents of those who either seek a passport/visa or those who get into commercial airlines.

Are all the computerised databases accessed by our law enforcement agencies so worthless that anyone with sufficient daring - as most of our Members of Parliament are - can beat the best of systems?

The point is there is nothing fundamentally wrong with the databases, except for an odd slip-up. But there is everything wrong with a system that depends heavily on the human element. If an ID such as a passport can be so easily tampered with, say by substituting the photograph on it, there is a big hole.

This replacement of a picture is not always easy. What seems to have happened — if we go by all press reports on the recent episode — in the present case reported from the nation's capital is that a smart Immigration official, either on his own or on a tip-off, found a person travelling with the MP in question did not resemble the one on the passport. Then we have the rest of the story that continues to hog the headlines.

This shows that databases that carry a 'stop list' of those who should be prevented from leaving a country are worthless, if there is connivance between a bad character and the man at the Immigration counter. Only innocent and law abiding persons like us have to go through the humiliating procedures at an airport (especially if you are travelling within the US) prescribed, of course, with good intentions but unimaginatively applied as a rule of thumb.

This is the irony of a world that has been battered by the mindless terrorist. It is now more than well established that the best of technologies can be quite easily overturned by a crooked mind.

Prank and its implications

This is what a Ph.D student at Indiana University recently tried to establish, much to the chagrin of the officials of the Transportation Security Administration (TSA), who are the US counterpart of our CISF that mans our airports.

A New York Times report gave a graphic account of how the student, Christopher Ohioan, created a Web site which he labelled the 'Northwest Airlines Boarding Pass Generator'. Ohioan proved that a person who wanted easy access to the airport, beating all the security procedures in place to restrict admission to genuine passengers, merely had to visit the Web site and type in his name. Ohioan's software was sleek enough to print out a boarding pass in that name, of the kind a genuine passenger who had bought a Northwest ticket could normally generate at home, well before arriving at the airport.

Of course you cannot board a flight with this, because at the boarding gate, the airline official checks the boarding card with the genuine list of passengers in the airline's database who had paid for a ticket. But the fake boarding pass can be used to enter the airport and even go past security till you arrive at the boarding gate.

As the New York Times writer reporting on Ohioan's adventure said: The T.S.A. is ... talented ... in the theatre arts than in the design of secure systems ... the agency's security procedures are unable to withstand the playful testing of a bored computer-science student.

I hope this episode does not give ideas to any of our own bad elements! My expectation is that such reports of possible mischief will help to keep our officials on their toes so that they can apply their minds to devising systems with minimum holes.

Falling victim to phishing

The futile and unequal contest between technology and a fertile criminal mind is again illustrated by a recent report of how some customers of ABN Amro Bank were taken for a ride by those who earn a living out of phishing.

The victims were four customers who allowed themselves to be duped, even though they had the protection of a two-factor authentication system. (This is a system in which you will get access to your account with the help of a combination of your basic password and an additional one for each occasion that, in conjunction with a token, generates a code, which lets you into the page in the bank's Web site from where your account becomes accessible.)

In the instant case, it is obvious that unwitting customers, in spite of clear instructions from the bank, had acted on a deceptive e-mail from the fraudsters which led them to a spurious Web site (very similar to ABN Amro's own Web site) where they had surrendered their personal banking data.

This episode again lays bare the vulnerabilities of online banking, especially when a genuine customer is gullible, indisciplined and chooses to ignore words of caution received from the bank. If you have online banking, the fundamental thing to remember is that your bank will never ask for your password through an e-mail. You will discard this advice at your peril.

Closely associated with the technique used by phishers is the growing ability of those in the cyber crime business, especially those who rig Web sites, to hide their malicious code. According to a leading software engineer, Jose Mazarin, the actual code (invariably Java) used to attack PCs is either hidden in Flash animations or is scrambled beyond identification. In his view, the obfuscation tools available to crooks are "primitive but effective." At any point of time, there are tens of thousands of Web sites that are employed to install malicious code on a computer. In the final analysis, it is the eternally vigilant computer user who can prevent a major disaster.

White House episode

Finally, there is interesting news from the US that amplifies a long-held view that cyberspace spawns a wide variety of sophisticated crimes that may be difficult to solve.

It is learnt that some White House staffers are guilty of deleting mail or transferring it to a non-official e-mail service so that they can keep such mail confidential or retrieve it at will, almost unnoticed.

In the instant case, the belief is that at least some of the mail pertained to the irregular sacking of some US attorneys for which Attorney-General Gonzales is now facing the music. Computer users involved in such undesirable practices mistakenly believe that electronic messages deleted by them can never be retrieved.

A White House investigation is now on, to find how often such practices take place and whether the messages so deleted can be termed confidential.

While we await the outcome of this enquiry, it is clear that sensitive public office-holders are going to increasingly resort to communicating through an e-mail system that is different from the one used for official purposes. This may not amount to indulging in any illegal activity. It will, nevertheless, be subject to criminal investigation so as to ferret out all missing links in an incomplete investigation.

(The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.)
