The Hindu Business Line : Heed the warning

As the US Presidential race is hotting up, there comes the news that the passport files of three candidates, Senator John McCain, Barak Obama and Senator Clinton, had been breached by the staff of a firm that had been contracted to maintain systems at the State Department (equivalent of our Ministry of External Affairs, MEA).

While Clinton’s files had been accessed unauthorisedly in 2007 itself, the others had been exposed only in the past few months. Actually, Obama’s files were opened without authority thrice since January. This has caused quite a furore and triggered a controversy as to whether such compromise was intentional and motivated or it was just an accident.

According to an official spokesperson, the files in question carried scanned images of passport application, birth date and basic biographical information, besides renewal particulars. The US government has, no doubt, apologised to the three leaders. It has also said that it would take immediate steps to strengthen security of data in its departments. We in India may not be all that exercised because privacy concerns here are as low as they can be. We still do not have a criminal law that prohibits unauthorised viewing of online data pertaining to an individual, however important he may be.

Such happenings cannot and should not end with an apology of the kind attributed to the State Department official. Merely saying that one should expect such breaches in a large organisation is tantamount to defeatism of the most objectionable order. Governments need to build systems that are impregnable as otherwise the security of a nation can be imperilled.

Fundamental is the physical protection of servers that facilitate storage and transmission of sensitive information. Next comes the restriction of access to these servers to known and trustworthy employees. It is surprising that in the State Department, outsiders — employees of a contracted agency — could gain such access. Obviously, the system handling passport information had not only been built by the external agency. It was also running it on a day-to-day basis. Ultimately it is the organisation’s assessment and decision — in this case the State Department — whether an outsourced agency could be so trusted. It is difficult to believe that the department did not have its own personnel to run a simple system like this, instead of leaving it to an external agency whose accountability is much lower.

This incident in the US should serve notice on our MEA to initiate its own exercise to check on the vulnerability of its database. While controls are essential, training of staff in the area of cyber discipline is even more important. We should build incentives for correct online behaviour and penalties for sloppiness and indifference to basic requirements of security.

Early warning system

Against this backdrop I am happy to hear that the Government of India (GOI) is taking the threat from malicious codes very seriously, and is contemplating the launch of an early warning system. The trigger has been provided by increased attacks on official Web sites. There were more than 80 security-related incidents in last January alone.

According to one report, sites belonging to TRAI, Railways, Customs, BSNL, etc, have been broken into by hackers. It is usual to believe that such attacks have been engineered from across the border. But we need more than reasonable proof to make such assertion.

Nevertheless, every possible precaution needs to be taken to make government sites as secure as possible. One such move is said to be based on dispensing with servers situated outside the country, and insisting on government sites being hosted by servers run by the Department of Information Technology (DIT).

‘DaisyDukes’

Security concerns are raised not only by actual attacks or violations of the kind that occurred in the US State Department, but also by the growing sophistication of hacking devices that arrive in the open market at regular intervals.

One such tool, presented at the CanSecWest security conference held in Vancouver recently, is a sniffer that extracts the passwords and texts of documents within minutes. The claim is that ‘DaisyDukes’, name given to the sniffer by its developer, IntelGuardians, a penetration testing firm, can reside on a USB device which can be plugged into an unattended machine that is turned on but has been locked. The tool is built on the work of a research team from Princeton University, Electronic Frontier Foundation and Wind River. It can reboot the machine off a compact operating system contained on the drive.

It is capable of sniffing out data such as a password or unlock a user’s private encryption key. Depending on the user’s needs, it can capture all the data stored in computer memory, or concentrate only on required select data. Many organisations that are smug because their machines have disk encryption will have to watch out. Penetration testers will also have their work cut out if ‘DaisyDukes’, still in beta version, becomes a commercial proposition that performs satisfactorily.

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.

More Stories on : Security | Security Musings

Article E-Mail :: Comment :: Syndication :: Printer Friendly Page

Stories in this Section
Every inch of space counts

An eye on the action

Changing drive settings

Of slowdowns and blind IT budget cuts

4 threats to Indian software industry

Towards the best blend

Heed the warning

Quiz

Strategy is what we do

Cartoon