Business Daily from THE HINDU group of publications
Monday, Nov 05, 2007
Costly human miss

Ultimately, it is the men behind the machines who count most for security. If they slip up, it’s disaster.

R.K.Raghavan

After so many years of a career in law enforcement, followed by a responsible position in IT security, I am more than convinced that machines can help only up to a point in securing a system. Ultimately it is the men behind those machines, especially their perceptions, alertness and accountability, that would count for how effectively a system can stand the rigours of daily routine.

We know, for instance, that policemen’s failures to secure access control to VIPs have led to many avoidable assassinations of world figures. We also know of many air crashes that had been caused by so-called ‘human errors’ of pilots.

In the same manner, some recent instances of breach of IT networks can also be attributed to the human element. Many cyber intrusions may be described in simple terms as the outcome of slip-ups by those who had either devised a system or were responsible for its daily upkeep. Combined with a slight lack of ethics, in many instances, human failures could become a blunder that brings ignominy to an otherwise reputed organisation.

Unisys under fire

The US House of Representatives Committee for Homeland Security recently assailed a major IT firm, Unisys Corporation, for its failures in securing a system it had built for the Transportation Security Administration and the headquarters of the Department of Homeland Security (DHS), as a result of which hackers had a field day breaking into sensitive data and transferring it to a Chinese language Web site.

Interestingly, here, the miscreants managed entry into the system either late in the night or early hours of the morning and stayed there for several hours to copy information. The malicious software installed by them came to the notice of a Unisys employee as early as July 2006. He, however, chose to underplay this to the point of ignoring it. It was only two months later that the intrusion was taken serious note of by two DHS systems managers.

A DHS probe, thereafter, revealed that their system had been accessed by unauthorised outsiders with a hacking tool, and this had gone on for four months beginning mid-June 2006, affecting as many as 150 computers.

It was further found that of the seven Intrusion Detection Systems (IDS) that had been ordered and purchased in 2004, only three had been installed by mid-2006. The rest of the machines were just lying in unopened packages and gathering dust! The FBI is said to be investigating the incredible failures of several persons.

Shocking finding

The presentation by a private security consultant firm, Comsec, at a recent conference of RSA (the security solutions provider) again revealed how individuals designing software sometimes fail to take into account the security needs of customers in possession of sensitive data. Here there was a tie-up between an Israeli bank and an unnamed online stock-trader, and the bank asked Comsec to do a penetration test of the trader.

Comsec’s shocking finding in the process was that the trader’s Web site did not use a Secure Sockets Layer (SSL) for log-in, and cracking the authentication method was therefore “child’s play.” Comsec found that “transactions were happening across an open socket with no encryption.” According to Comsec, the fault was not merely that of the designer. It was equally of the person who defined the project and did not tell the developer that while looking for speed, he should not sacrifice security.

High-profile goof-ups

Here are instances of how two well-known organisations were recently embarrassed by what appeared to be the negligence of individual employees. In one of them, the high-profile Microsoft was guilty of inadvertently downloading its Windows Desktop Search (WDS) updates on to the machines of many customers without their approval. The funny part is that the latter had not installed the original software, and customers were therefore surprised to be the unintended beneficiaries of software they had not paid for. They were merely subscribers to Windows Server Updates (WSU). MS has apologised for this blunder and has advised customers wanting to be rid of WDS to use Add/Remove Programs.

An MS spokesperson has also said: “We are also working on improving our internal publishing processes to ensure this does not happen again.” Is this a veiled admission that some individual employees had bungled? Or was it merely a case of a tool going haywire? In any case, this has many serious security implications for individual users. That someone can install software on your system without your approval should give unholy ideas to mischief-mongers in cyberspace.

Somewhat similar to the MS goof-up was a bizarre happening in the British Computer Society’s (BCS) system. The BCS’s motto is: ‘Professionalism in IT’. But if one goes by a recent incident, the BCS may have to do some relabelling. The Society does a periodical online survey on customer satisfaction. This time it sent a questionnaire on the subject to 700 members without using the blind carbon copy field. As a result, every one of the 700 came to know which others had been queried and, more than that, got to know their e-mail IDs as well.

Possibly in India, where privacy as a concept and concern for it are nearly non-existent, this would have gone unnoticed. But in the UK, where privacy is highly valued, especially in the context of growing identity thefts, a case like this receives high-voltage publicity.

Many recipients of this e-mail have been furious, and have gone to the extent of wanting their names to be removed from the mailing list. Some have briefed the press as well.

Interesting was the response from the BCS, whose spokesperson said: “This is a simple case of human error. We did send this out to several hundred members. Anyone could make the same mistake.” This is certainly not contrition, but definitely a warning that this could happen again.

Interesting development at CIA

Finally, an interesting development in the CIA, which is often in the news for the wrong reasons.

It is soon to launch a social networking Web site called A-Space, which will be available to members of all the 16 intelligence agencies in the country. The idea is to strengthen inter-agency cooperation, the absence of which was cited as one reason why 9/11 happened.

Employees of these agencies will be encouraged to become members with a view to sharing stories and personal experiences, and as a writer at Financial Express London put it, “do all those things that spies traditionally don’t.”

Let us hope that unlike MySpace and Facebook, A-Space will not generate crime or scandals that would only tarnish the image of an organisation which has had a rollercoaster of history since it came into being 60 years ago.

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.

Copyright © 2007, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line