Author Archive | Puru Naidu

Mind map of the Russian Influence Campaign on the US 2016 Presidential Elections

There is a myriad of information, along with conflicting views of whether and how Russia influenced the 2016 US Presidential elections. With multiple stakeholders on both sides of media and intelligence agencies attempting to convince or confuse the populace, the issue gets complicated to make sense of even the basic aspects of this information war.

So we mapped out a simplified version of the issue.

Russian Information Influence Campaign


Note:

  • This map gives the basic information on purpose, strategy and tactics allegedly used by Russia.
  • It does not include all the information that is public regarding this issue. We will include more information as we continue to work on it, based on its relevance.
  • The goal is to get a basic grasp of the issue for a better understanding of the current geopolitical climate.
  • This is part of a bigger research project about Indian vulnerabilities to foreign influence such as the above.

What vulnerabilities does India face? Who has the most to gain from interfering in our affairs? Do they have the capacity to do so? What are the triggers or indicators that can give away their positions? How can we safeguard from such interference?

We welcome your comments and suggestions on this.


India needs a Guccifer of its own to play in the big leagues

The Russian influence campaign against the 2016 US elections shows the need for India to develop its own information warfare capabilities, not only to protect itself from foreign influence, but also to launch offensive operations to protect its national interests.

During the 2016 US Presidential election race, Wikileaks leaked over 19,000 emails and 800 attachments from members of the US Democratic National Committee (DNC), the governing body of the US Democratic Party. The leaked information shed light on the “corrupt and bias” nature of some DNC members’ actions, working against Bernie Sanders while supporting Hillary Clinton. Consequently, four DNC members, including the Chairperson, resigned their positions over their involvement in the scandal.

The DNC leak was the smoking gun that significantly damaged public trust in the democratic process of the country, pushing a lot of educated voters away from voting for Clinton.

The hacker Guccifer 2.0 was behind the penetration of the DNC email networks and the data theft. The name Guccifer 2.0 draws on the legacy of a Romanian hacker called Guccifer, currently serving a sentence in a US prison, who victimized numerous US politicians and celebrities in many scandals. The list included Colin Powell, George Bush’s sister, Sidney Blumenthal (the former aide to Bill Clinton), and members of the Council on Foreign Relations.

Per the recent joint intelligence report by the CIA, FBI and NSA, leaking the DNC’s sensitive information was part of a Russian-sanctioned influence campaign to interfere with the 2016 US elections and get Trump elected. In addition to the data leak, Russia supposedly deployed anti-Clinton propaganda via its international media channels and social media, mostly via RT news and Sputnik, to sway public opinion.

In other words, Russia launched a massive information war interfering with the US elections, and helped Trump, who is supposedly pro-Russia, get elected. This level of foreign interference in other countries’ governance systems isn’t something new. The whole of the Cold War can be simplified as information warfare between the US and Russia to attain global dominance. The US itself has been behind many military coups and regime changes post World War II, notably in Iran, Guatemala, and Chile.

This shows the significance of, and the need for, enhancing one’s information warfare capabilities: not only to protect oneself from foreign bias and interventions, but also to be able to launch offensive operations that protect our national interests, economic development and international relationships.

Hence, as India emerges as a global economic power, we need to step up our information warfare capabilities. We need our own Guccifers that can launch sophisticated cyber operations and gather information on our counterparts. We need our own RTs and Sputniks that can bolster our image and neutralize foreign bias against us.


Giving encryption keys and back-door access to government is paving way to an authoritarian regime

Given the current lack of accountability in our government, giving it access to encryption keys and backdoors inevitably leads to abuse.

You’re probably thinking “that’s too far-fetched”. Is it really?

Last year, the government caused a huge ruckus by releasing a draft National Encryption Policy (NEP), with people calling it draconian. It was in fact draconian in nature. The policy expected businesses to hand over the encryption keys and access to communication logs in plain text for 90 days, raising concerns over privacy and free speech.

While the government withdrew it immediately, it opened up a dialogue among the different stakeholders about the necessity of an NEP and the issues facing it. On one hand, some claim that having an encryption policy sets a standard, which will strengthen our cyber-infrastructure and increase foreign investment. On the other hand, some think there shouldn’t be any encryption policy at all; we should just let the market figure it out by itself.

Either way, why does the government want it? The government remains vague as to why it really needs access to encryption keys or backdoors. The general narrative is likely along the lines of the need for real time surveillance for preventing terrorism and cyber crime, and enhancing our national security.

But what’s really at stake here? Enhancing policing tactics in exchange for what?

We live in an opportunistic society, where breaking laws and cutting corners with a shrug of ‘chalta hai’ is the norm. If you don’t follow this norm, a few glaring eyes and smirks abound. It would be naive to think that this doesn’t reflect within our government system, especially within the police system. More troubling is that we not only lack a “right to privacy” in our constitution, but also lack a proper oversight architecture that holds the government and its employees accountable when it comes to abuse and corruption. The bad apples are most likely to abuse the access and get away with it scot-free. Hence, given the access and easy surveillance, it is inevitable that this government or the next will abuse it to get rid of opposition and enhance its power, eventually moving towards an authoritarian regime. There is no guarantee against it.

Where is the balance? How can the government investigate and prevent crime without the use of encryption keys or backdoor access?

A few things it can do: improve other strategies for preventing terrorism and crime. A stronger human intelligence network, for instance, is a great tactic and provides real-time access. Another approach is to request live monitoring access, via a special court, on terrorist groups or crime syndicates that pose a real threat. Sure, this may not be as good as having instant access, but that’s a trade-off the government has to make to maintain society’s trust in its governance.

Image Source: Flickr user pyride

Puru Naidu (@Brocolli88) is a Research Analyst at the Takshashila Institution.


Attributing Cyber-attacks: The cyclic nature of it

The cyclic nature of cyber-attack attribution and maintaining anonymity online presents a conundrum to the security industry.

A few days ago, the Indian Congress vice-president Rahul Gandhi’s Twitter account appeared to be hacked, followed by dozens of offensive tweets being posted. Within minutes of the first hack, the Twitterati engaged in a game of ‘whodunit?’ On one hand, people accused PM Modi’s followers of the hack, and on the other, some called it a staged drama by the Congress Party. Premature at best, the accusations were baseless and lacked evidence, highlighting the challenging nature of attribution.

Attribution

The most common factor leading the attribution dialogue today is the untraceability of a cyber-attack. Attacks do not come with a return address. Tools available to obscure an attack’s origins are becoming more and more sophisticated by the day. Even if an attack can be traced to a system, there is a chance that it is a deliberate misdirection.

Anonymity

Anonymity online is crucial for legitimate reasons, with privacy at the heart of it, and also for being able to voice concerns against strict government rules without reprisals, which is a basic right under any democratic government. There are sophisticated ways to maintain anonymity: you can mask your IP address, use fake accounts, virtual machines, strong encryption, etc.

The Cyclic Nature

Better tools for anonymity consequently lead to either a lack of attribution or improper attribution of cyber-attacks. The lack of proper attribution gives way to increased cyber-attacks, consequently leading to improved techniques for better attribution from the “anti-anonymity” group. Hence, to continually thwart the efforts of anti-anonymity groups, pro-anonymity groups come up with better technological capabilities to maintain their anonymity. This shows a recurring nature between the need to fight against anonymity and the need for anonymity. The recurring nature is the status quo.

Conundrum

This status quo of recurring nature begs the question: Why waste time on attribution when those resources can be better spent on enhancing one’s security and capability?

In his article about attribution, Lital Asher-Dotan, the founder of cyber security company Alfa Tech, argues that the security industry spends too much time and resources on attributing cyber-attacks, which is highly inefficient. According to him, “a company’s limited security resources are better spent understanding how the attackers infiltrated the network and their capabilities and using this intelligence to prevent future attacks”.

While I agree with Lital that attributing is highly inefficient, I disagree with the notion of not giving enough significance to attribution.

Let’s take the extreme version of this, where we do not spend any time or energy on answering “who did it” and that time and energy is spent instead on enhancing security systems. The other side of this coin is that the lack of attention to attribution leads to a counter-response of increased cyber-attacks without fear of reprisals, and more creative and dangerous attacks at that. The likelihood of successfully infiltrating a security system increases, with disastrous consequences. So, this extreme version of the scenario does not end well.

Even if attribution may not yield anything, it is an essential aspect of cyber-security. Eliminating attribution is not a logical option; it acts as a deterrent. Hence there is a heightened need to strike the right balance between energy spent on attribution and on defending against cyber-attacks, where one does not need to take resources from the other.


Puru Naidu (@Brocolli88) is a Research Analyst at the Takshashila Institution.


Beware the security risks before you jump onto digital payments bandwagon

The cash shortage has forced users into digital payments. Without proper precautions and security policies, the highly reactive nature of cyber security leaves us vulnerable to cyber-attacks.

Image source: DNA India

The whole demonetization of currency has shaken our country to its core. In the past week, we saw how it affected people at all levels and how they were coping with it, hoping for better in the near future. While the challenges still persist, it has nudged people towards digital transactions even for their daily needs, using virtual wallets such as PayTM and others. Companies that enable digital payments acted as buffers, soaking up some of the pressure. In fact, there was a surge in digital payments, hitting record highs over the past week; PayTM saw a 200% increase in its mobile application downloads and a 250% increase in overall transactions. MobiKwik saw an increase of 200% in its application downloads within a few days. Other companies within this domain, such as Oxigen and PayU, have also seen a rise in their service usage.

The resulting trend may be vulnerable to security threats

This new trend is certainly heading in the right direction towards digitization; however, there is a risk of turning a blind eye to the security aspect in the whole process of adapting to this digitized lifestyle. The Nordea Bank fraud incident that occurred in 2007 is a classic example of an e-banking cyber-attack, where perpetrators infected unsuspecting customers’ systems with malware that stole login credentials, and made off with over 1.1 million US dollars. Not even major financial corporations like VISA, PayPal, and MasterCard are immune to cyber-attacks.

Security standards and precautions have certainly evolved since these high profile attacks. But the speed of technological development and its integration into our economy far outpaces that of the defense mechanisms and protocols in place to mitigate any cyber-attack on these developments. It goes to show that the two are out of step, and that defenses are reactive in nature, which ultimately begs the question: is it safe to use these new payment platforms?

PayTM, for instance, is certified under the Payment Card Industry Data Security Standard (PCI DSS) 2.0, which is the current industry security standard set by American Express, Visa International, MasterCard Worldwide and a few other international dealers. This is an essential certification for companies that store credit-card information. PayTM also uses 128-bit encryption technology to encrypt any information transfer between two systems. It takes more than 100 trillion years for a hacker to crack a password under 128-bit encryption. Needless to say, transactions via PayTM are fairly secure. Other companies like MobiKwik also employ 128-bit encryption technology. This is a common security measure that companies dealing with credit card information and transactions deploy, hence there is little doubt that companies taking advantage of demonetization are employing their share of precautions for secure transactions.

Is that secure enough?

But these precautions won’t make us invulnerable. There are other things aside from login credentials that hackers target these days. For example, just a few days back, hackers breached a British mobile company, Three Mobile’s, database and stole private information on six million users. Another example is the recent massive data breach of Indian bank networks that compromised over three million users’ financial data. The breach occurred between May 25 and June 10, victimizing major banking companies, including HDFC Bank, ICICI Bank, YES Bank, and Axis Bank. This stolen data can be sold underground, used for identity theft, or used to strengthen brute-force attacks for further personal attacks.

These breaches may appear sophisticated, but there are other, easier methods that anyone with basic IT skills can deploy. For instance, here is an article by a hacker displaying the HTML code on how to fake the PayTM website. Using a spoofed site, a hacker can use phishing tactics to gain login credentials from unsuspecting users. Other tactics include fake mobile applications or spyware that steal information, social engineering tactics that make you reveal your login credentials, etc. This is nothing new, however; spoofing, phishing, and spyware have plagued the IT security industry for more than a decade, with their tactics getting increasingly sophisticated.

But if companies like HDFC and ICICI, which are most likely proactive in updating their security systems, still experienced cyber-attacks, what does that imply for unsuspecting users? Most new users were forced onto the digital payments bandwagon by the currency demonetisation, especially street vendors who were primarily reliant on cash payments before the demonetization, such as the chai-wallas and pan-wallas who were quick to adapt so as to maintain their revenue. Are these new users aware of the security risks involved here? I highly doubt it. Even if they are aware of the risks, whose responsibility is it and what precautions can they take to minimize damage from future attacks?

Whose responsibility is it?

It is not a single entity’s responsibility. Everybody involved in the process, including the companies offering the service, the customers, and the government, should do their share to mitigate cyber-attacks and minimize their damage. The following is a three-pronged approach for companies, customers and the government to mitigate security risks:

(Image: digital payment risk management diagram)

Companies

All companies that offer platforms or services enabling digital payments should, first and foremost, increase awareness of the risks among their customer base and educate them on ways to secure themselves. They should employ behavior analytics and pattern analysis in their fraud departments to predict suspicious behavior, stay proactive in looking out for any spoofed applications or websites that masquerade as their service, and proactively monitor discussion boards, social media platforms, and forums that discuss hacking and fraud tactics, implementing measures to thwart those tactics.
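The behavior analytics and pattern analysis recommended above can be sketched in a few dozen lines. The following is an added example, not code from the original post or from any payment company: each transaction in a wallet's log is scored against that account's own earlier history (amount far above the usual, new device, new payee, a night-time transaction for an account that never transacts at night, and too many transactions in a short window). The log, the field layout and the thresholds are all constructed for illustration.

```python
"""Simple behaviour-analytics pass over a wallet's transaction log.
Added illustration; the log, field names and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample log: (account, timestamp, amount in INR, device id, payee).
# Four ordinary daytime purchases, then a burst of large night-time payments
# from a device the account has never used before.
LOG = [
    ("acct1", "2016-11-20T09:00:00", 120, "dev-A", "chai-stall"),
    ("acct1", "2016-11-20T13:10:00", 90, "dev-A", "pan-shop"),
    ("acct1", "2016-11-21T09:05:00", 150, "dev-A", "chai-stall"),
    ("acct1", "2016-11-22T08:55:00", 110, "dev-A", "chai-stall"),
    ("acct1", "2016-11-23T02:14:00", 9000, "dev-Z", "unknown-merchant"),
    ("acct1", "2016-11-23T02:15:00", 9000, "dev-Z", "unknown-merchant"),
    ("acct1", "2016-11-23T02:16:00", 9500, "dev-Z", "unknown-merchant"),
]

VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 2       # more than this many transactions in the window is suspicious
ZSCORE_LIMIT = 3.0       # amount more than 3 standard deviations above the mean
NIGHT_HOURS = range(0, 5)


def score_transactions(log):
    """Return a list of (index, score, reasons), one per transaction.

    Each transaction is judged only against the account's *earlier*
    transactions, so the pass can run as entries arrive (no look-ahead).
    """
    history = defaultdict(list)   # account -> list of earlier entries
    results = []
    for idx, (acct, ts, amount, device, payee) in enumerate(log):
        when = datetime.fromisoformat(ts)
        past = history[acct]
        reasons = []
        if past:
            amounts = [p["amount"] for p in past]
            mu, sigma = mean(amounts), pstdev(amounts)
            # z-score of the amount against the account's own spending
            if sigma > 0 and (amount - mu) / sigma > ZSCORE_LIMIT:
                reasons.append("amount far above usual")
            elif sigma == 0 and amount > 5 * mu:
                reasons.append("amount far above usual")
            if device not in {p["device"] for p in past}:
                reasons.append("new device")
            if payee not in {p["payee"] for p in past}:
                reasons.append("new payee")
            # night-time transaction for an account that never transacts at night
            if when.hour in NIGHT_HOURS and not any(
                    p["when"].hour in NIGHT_HOURS for p in past):
                reasons.append("unusual hour")
            # velocity: count earlier transactions inside the window, plus this one
            recent = [p for p in past if when - p["when"] <= VELOCITY_WINDOW]
            if len(recent) + 1 > VELOCITY_LIMIT:
                reasons.append("too many transactions in window")
        results.append((idx, len(reasons), reasons))
        history[acct].append(
            {"when": when, "amount": amount, "device": device, "payee": payee})
    return results


def flagged(log, min_score=2):
    """Indices of transactions with at least `min_score` independent red flags."""
    return [idx for idx, score, _ in score_transactions(log) if score >= min_score]


if __name__ == "__main__":
    for idx, score, reasons in score_transactions(LOG):
        print(idx, LOG[idx][1], LOG[idx][2], score, reasons)
    print("flagged:", flagged(LOG))
```

Requiring two independent signals before flagging keeps a single "new payee" (a customer trying a new stall) from generating noise, while the first large night-time payment from an unknown device trips four signals at once. A real fraud desk would use an escalating response (step-up authentication, a hold, a phone call) rather than a simple score, but the shape of the check is the same.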

Government

The Government should also do its share to protect its citizens by minimizing vulnerabilities. It should check whether the current policies regulating this platform are adequate, and update them if necessary. It should educate the populace on the risks involved, enforce strict policies and hold companies accountable for not meeting security standards, minimize the benefits that come from overlooking security precautions, and strengthen public-private partnership on live information sharing about cyber-attacks and fraud.

Customers

Customers should do their share to minimize damage. They should educate themselves about the risks involved, and take appropriate precautions. Minimize vulnerability with two-factor authentication and routine password changes. Check an application’s authenticity by looking at the number of downloads and reviews by other users; the higher the number of downloads and reviews, the higher the chance that the application is legitimate. In addition, check for other application releases from that developer. Check a website’s authenticity by checking for the proper spelling of the web address, and check that the website is secure by looking for the green padlock symbol to the left of the web address and that the address starts with ‘https:’. Keep web browsers updated, as they can recognize illegitimate sites more easily. Do not share sensitive information, including login credentials, over emails, phone calls, or chats. Lastly, trust your instincts and double check to make sure you don’t leave yourself vulnerable.

Puru Naidu (@Brocolli88) is a Research Analyst at the Takshashila Institution.
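The address checks the customer advice above asks for (is it https, is the domain spelled correctly, is the brand name hiding inside somebody else's domain) are exactly what a spoofed site like the one described earlier relies on the user skipping. The following is an added example, not code from the original post or from any wallet provider: a small checker that takes a URL and returns a list of warnings. The list of legitimate domains, the homoglyph table and the sample URLs are constructed, and the registrable-domain logic assumes plain two-label domains (it does not consult a public suffix list).

```python
"""Heuristic red-flag checks for a payment site's web address.
Added illustration; KNOWN_DOMAINS and the look-alike table are constructed."""
from urllib.parse import urlsplit

# Assumed set of legitimate payment domains (constructed example list).
KNOWN_DOMAINS = {"paytm.com", "mobikwik.com"}

# Character swaps commonly used to build look-alike domain names.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(label):
    """Fold common look-alike characters back to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the host (assumes simple two-label domains)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_url(url, known=KNOWN_DOMAINS):
    """Return a list of warnings for `url`; an empty list means no red flags."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        warnings.append("not https")
    if not host:
        warnings.append("no host")
        return warnings
    domain = registrable_domain(host)
    if domain in known:
        # The genuine site: the browser's padlock check covers the certificate.
        return warnings
    # Brand name used as a subdomain of an unrelated site, e.g. paytm.com.example.net
    for k in known:
        brand = k.split(".")[0]
        if brand in host and domain != k:
            warnings.append(f"'{brand}' appears in the address but the site is {domain}")
    # Misspelled or homoglyph look-alike of a known domain
    for k in known:
        if domain != k and edit_distance(normalise(domain), k) <= 2:
            warnings.append(f"{domain} looks like {k}")
    if not warnings:
        warnings.append(f"{domain} is not a known payment site")
    return warnings


if __name__ == "__main__":
    # Constructed sample addresses, from genuine to clearly spoofed.
    for sample in ["https://paytm.com/pay", "http://paytm.com/",
                   "https://paytrn.com/login", "https://paytm.com.example.net/"]:
        print(sample, "->", check_url(sample) or "ok")
```

The checker deliberately treats an unknown domain as a warning rather than an error: the point is to prompt the user to look again, which is the same instinct the advice above asks customers to trust.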
