You've Been Hacked

Assume everything you do on the Internet is already hacked. Assume every email that you write, assume every picture that you click from your phone is already something that is visible to the public eye and something that anybody and everybody can read.

There are only two kinds of people in the world: those who know that they have been hacked, and those who don’t know that they have been hacked. Today, in our world, absolute security is virtually non-existent. What was secure yesterday is not secure today. What is secure today will definitely not be secure tomorrow. Every stakeholder today is increasingly using data and information in electronic form. There is no denying the fact that earlier we used to be connected to the Internet.

Today, we are a part of the Internet, so the Internet is taken for granted. As a result, the lines between the physical world and the virtual world are blurring. And the machines are becoming smarter because of the data that we are providing about our personal and professional lives on the Internet. Twenty-four months back, the total number of smart phones in India was as low as 15 million. Right now, we have crossed 250 million smart phones. One out of every five (5) individuals in India is carrying a smart phone. Now, what does a smart phone mean? It is a way in which you can go ahead and embed a lot of data: from our check-ins, to allowing apps to monitor our location 24x7 on our phones, to clicking pictures of ourselves with and without clothes, to the emails that come and go through it, to your browsing history, which can speak volumes about you.

It’s the great Indian vomiting revolution, where Indians are vomiting information about their personal, professional and social lives on the Internet. When you talk about all of this, data entry points are only expanding as we move further. There was a very interesting study which said that over 40% of the people on the planet use a maximum of two passwords for all their accounts. And if you get access to any one of these passwords, you potentially have access to all the accounts that the person uses. So, it’s becoming relatively easier to hack, not just because there is so much data, but also because hacking tools are easily available on the Internet. For a hacker, it’s a hacker’s paradise already.

A few years back, there was not a single company in India that was demanding hackers. Today, the demand for hackers is increasing. The reason is that IoT is now almost everywhere. The Internet of Things (IoT) is basically the idea that all the gadgets that you have, including your washing machine, smart TV and satellite receiver, are capable of running software. So, why not make a network of things, so that from one we can control the other and they can also cooperate with each other? For example, if your phone rings, your TV volume might automatically reduce so that you can take that call. You might, from your phone, want to turn on your AC fifteen minutes before you reach home. These are the use cases that people are thinking about. The problem is that, once these connections are created, a vulnerability in one device can propagate to other devices and can therefore take over your entire system.

Generally, IoT devices are hacked by using MITM attacks. You wouldn’t even get to know that your TV is spying on you. Your TV is just a single point inside the entire network. There can be 1 or 2 million television sets all over the world. They can all be used to attack a particular target. This is called a Distributed Denial of Service (DDoS) attack. The more things you connect to the Internet, the greater the vulnerability. If you are connected to the Internet 24x7, then you are also under attack 24x7. Hackers just need a medium, and the Internet is the best medium to attack something.

This is happening every day. If you look at the cyber crime statistics of India, and these are just the reported crimes, since a lot of things don’t get reported, in 2011 it was about 14,000 and in 2015 it was about 300,000. There is nothing that is 100% hack proof. We’ve seen the Democratic National Committee, we’ve seen the Pentagon, we’ve seen the CIA, just 2 months back. We’ve seen the largest organisations, like SONY and NASDAQ; they have all been hacked. Not once, but multiple times and in a bad way.

There are basically three kinds of cyber attack that are the most common: the first is web application attacks, the second is mobile application attacks, and the third is network attacks. There are now organised criminal gangs who are more interested in generating money out of these hacks. You go to a website and you can actually be redirected to a similar-looking website, say a copy of your banking website. You type in your password and all that, and then you are not really typing it to your bank; you are typing it to the hackers’ server. If you are using a public Wi-Fi, then someone can do a Man In The Middle (MITM) attack. Your user name and password are transferred from your laptop to the router and from the router to the server, and when they get authenticated, you get the connection back to you. Just imagine if, in place of the router, there is an attacker. Whatever you surf, the images you view, the websites you visit and your passwords, the attacker will see everything.

You go to public places and often they will have public chargers there. You might be aware that USB cables are used for two things: data transfer and charging. It is very easy to make a charger that can copy data from your mobile phone. If anyone asks you to give them your phone for an emergency call at a bus stop, in 30 seconds they can actually download an .apk file and you can be compromised. Most hacks happen because people were asked to click on certain links and certain technical controls were exploited on their system, through which people pivoted to other servers and systems or extracted their own systems.

I think India as a nation doesn’t have a plan in place for dealing with cyber crime. When we enacted the Information Technology Act, it was kind of a jack-of-all-trades law. So, they put in a chapter to deal with cyber crimes. The 2000 legislation was effective because it had made a number of cyber crimes non-bailable offenses, but in 2008, when India amended its cyber law, it made a historical mistake. Barring a few cyber crimes, almost all cyber crimes became bailable offenses. But that was 2008; today, in 2017, you quickly realize that the Indian IT Act is thoroughly outdated. India doesn’t have dedicated laws to deal with digital payments. India also doesn’t have a law on cyber security or a dedicated legislation on privacy and data protection. So in a scenario like this, where increasingly Indians want to come onto the digital bandwagon, it is imperative that legal frameworks not only provide for appropriate consumer protection, but also provide for the cyber security of the entire ecosystem and its constituents.

In a country where under-reporting of cyber crimes is a de facto norm, this is only adding to the problems of the law enforcement agencies. A few years back we had a survey and found out that for every 500 instances of cyber crime that take place in India, only 50 get reported, and out of 50, only 1 gets registered as an FIR. I think those were conservative figures; the ground reality is far more bizarre. We come from a society where being a victim of cyber crime is looked down upon. We come from a society where victims fear negative media publicity if they report a crime. And they are actually being stigmatized on the ground of reporting cyber crime. In addition, a lot of people actually believe that they are going to be harassed far more once they report a cyber crime because of the intrinsic inability of the police to deal with cyber crime matters.

We are also beginning to see that in our country getting a cyber crime registered is such a tall order. A majority of police officers may not want to register cyber crime because of its intrinsic global nature. We need to make reporting of cyber crime extremely easy, in an efficient and practical manner. We further need to encourage the law enforcement agencies to adopt user-friendly approaches while dealing with the registration and investigation of cyber crimes. Cyber security awareness has to come from school level, because now at school level everybody has a cellphone. So they should be aware that their identity could be stolen and that they could be cyber stalked. Their money can be stolen; their private information, pictures and videos could be stolen.

Imagine this: if you ask a team of 100 people, how many would be trained to use a cellphone? Probably 99 of them would say “this is something that naturally came to me”. Now, you are talking about one of the most important aspects of your personal and professional life, which is your cellphone. And without absolutely any training, you are actually enabling somebody with that. So, it’s like you are driving a car without a driving license. Maybe you will not get hit, but still there is a chance. In the future, the way digitalization is going, it’s a no-brainer that everyone has to understand a little bit of cyber security. Only then can we convert the digital India into a Secure Digital India.

Julian Assange, the founder of WikiLeaks, came out with a list of tools and exploits which were used by the CIA, which is the Central Intelligence Agency of the United States Government. They were used for offensively hacking into targets. The CIA is just one example. Governments around the world are pro-actively investing and engaging more on the cyber front.

In 2012, India had one of the world’s largest blackouts. The problem in the northern grids affected 20 of India’s 29 states, leaving more than 600 million people without electricity. It started in one line that got overloaded, and once it got too overloaded, it got disconnected. Then all the power flowed to the other lines, and then these lines heated up and got disconnected, and this propagated. Then at some point, the northern, western and eastern grids tripped each other and the blackout happened. But if you look at the sequence of events, it can be done through a cyber attack. All you have to do is to hack into the relays, and the relays can be used to disconnect the lines. So, instead of reaching a thermal limit, you are going to disconnect the lines through hacking. Then once one line gets disconnected, the power will flow into the other lines. So, they will heat up and disconnect. Or, you can actually attack the next relay. So, you have to orchestrate the sequence of relays that have to disconnect. Then, the question is, how easy is it to do that?

In 2014, a hydro-power plant in upstate New York got hacked. Iran’s infrastructure, including its main nuclear power plant, was targeted by a dangerously powerful cyber worm. A Bangladesh-based group hacked into nearly 20,000 Indian websites, including that of the Indian Border Security Force. The first virus that could crash power grids or destroy oil pipelines is available online for anyone to download and tinker with. There is no way of knowing who will use it or what they will use it for. If there was to be an attack on the critical infrastructure of India, it would mean chaos. There would be no electricity, no water supply, no phone network, no satellite network and no cash or banking facilities. An attack on any of its critical infrastructure can cripple a country.

In fact, Israel is one of those classic examples, where the prime minister says this publicly: “We have a fourth division in our defence system which is the cyber warfare division. Where we not only defend our borders, we also go and pro-actively offend, because offence is defence in a border-less cyber world.” The reason why I am saying this to you is that state-sponsored hacks are only going to go up in the near future, without a doubt. The reason is that the governments have realised the same point that we spoke of, that data is the new oil. You will be able to take decisions both pro-actively and re-actively, in case there is a situation, based on a more informed set of data entries and points, which would be far more accurate than just diplomatic talks or reading articles. This will be inside information on what companies, individuals and countries are doing.

There is a tremendous lack of awareness in the government; one of the biggest areas of unawareness I have seen is that they don’t believe in insider threats. And what that means is that they will be caught unaware when an insider does something. The other problem we have is supply chain security. All our hardware comes from abroad. There is a concern that while manufacturing these chips, someone can add some extra circuitry which can be triggered at a certain time, and some harm can happen. India saw its biggest data breach when the SBI debit card breach happened. When this happened, banks were initially in a state of denial. But subsequently they had to own up to the biggest cyber security breach that took place in Indian history.

The ATMs are not manufactured by the banks. There are popular OEMs which manufacture the physical ATMs, and then you put a Windows system in that. It can be Windows XP, 7, 8 or something else. And on top of that you load up a piece of software. It’s basically software that lets you select the type of account, enter the amount, etc. What was observed was that there were multiple transactions happening in China, and close to 1.3 crore was withdrawn using certain VISA and MASTERCARD cards which were specifically used in a few selected ATMs. These ATM machines are actually connected by a network to some sort of a control center. Hitachi recently gave some explanation, that they had been infected by malware. So, if that control got hacked and a worm was infecting it, then through that control mechanism you can infect a lot of machines. It means that we are completely in the hands of others, where they can do various things. We don’t have enough manpower and know-how to even do penetration testing, to check if these things have any level of safety in terms of security.

Surveillance is a legitimate tool in the hands of any sovereign nation. The debate is about national security versus privacy. Now here, two parties have to play the main role: the citizens and the government. Now, the government is saying that there is nothing to hide and nothing to fear. But, the day the government knows everything about you, you will lose the power to sue the government one day. On the other hand, the government has to intercept a few people or individuals to make sure that 1.25 billion citizens of the country remain secure.

Doing mass surveillance? Yes, that is bad. Because of the surveillance in the world, the journalists and the whistle-blowers are moving towards the deep web, because there is a very high level of anonymity that can be achieved while communicating with anyone. While talking about anonymity, first let’s understand that I personally feel that it’s a fundamental right of any person to choose if he wants to be anonymous on the Internet or not. Privacy is taken much more seriously in other countries than it is here. We seem to have very little notion of privacy. We are in a society where anonymity and privacy are not valued, especially now that we are being told that even to have a bottle of whisky you have to give your Aadhaar card. If you want to do banking, you need to give the Aadhaar card. Launched in 2008, Aadhaar aims to provide an identification number to each of India’s 1.3 billion people. It also records every individual’s fingerprints and iris scans for the government’s massive database. So, we are basically going towards a situation where we are willing to compromise on privacy for security or taxation.

The Aadhaar Act, which got passed in March 2016, legalized Aadhaar, provided a framework for the working of the Unique Identification Authority of India (UIDAI) and provided for certain security mechanisms to be incorporated in the central data repository. It also stipulated certain acts as Aadhaar-related crimes. But clearly, the Aadhaar Act, because it was passed in a great amount of hurry, did not do effective justice to some of the key areas of concern. One of them was privacy.

When you do a transaction, you provide your fingerprint to the public biometric reader for authentication purposes. The optical sensor of the biometric reader captures a photograph of your fingerprint and transfers that to a computer via a USB cable. The host computer then converts the fingerprint into a template, which is then converted into a PID or personal ID block. The PID block is then sent to the UIDAI through a series of intermediary gateway servers. The UIDAI server responds with either a successful or a failed authentication. However, there are several vulnerabilities here. First, the host computer can store the user’s biometrics, which can then be used without the individual’s consent. Also, the PID block is not encrypted and so it is vulnerable to interception by hackers. Lastly, the host computer is also connected to public Internet servers and hence is vulnerable to viruses and malware that can steal the PID block. So, somebody has to take a look at the entire architecture and do a really foolproof analysis.

Aadhaar card information is now available through Google search if you know what to search. Google this: “aadhaar name filetype:xls -uidai”

So, that’s not a good thing, because people can commit identity theft. Once your information and biometrics are stolen, they can be used against you. Your fingerprints can be planted at a crime scene. Your biometrics can be used to make a 3D printed finger with your fingerprints, which can then be used for illegal activities. The information can also be used in riots to identify specific individuals. Having this information in the wrong hands can ruin your life.

Legitimate, bona-fide, genuine Indian citizens should not have a feeling that they are constantly going to be surveilled and that their privacy is going to be tossed out of the window when it comes to their using the Aadhaar ecosystem. The same people who say, “I do not want my Gmail emails or the chats which I am doing on Gmail to be read by the NSA or the government”, don’t realize at the first step that Gmail itself belongs to a profit-making company, which is actually using you as a product, analyzing the work you are doing or the text or the data that you are producing over that platform to be able to give you contextual ads, and it doesn’t need to stick to ads. In the future, if they want to do something else with the data, you will see that they have taken all the rights away from you and they are absolutely free to use the data that you’re providing over their platforms. And very rightly so; you know there is a saying that when you get a product free of cost, remember that you are the product that is being sold out there.

So, clearly I believe there is a need to have checks in place; interception is a legitimate tool for governance. But at the same time, interception should not become a tool or manifestation for depriving people of their legitimate civil liberties. So, somewhere down the line, every country must come up with its own golden balance, on the one hand ensuring that the civil rights and liberties of individuals are protected, and on the other ensuring that the governance interests of the sovereign nation, including those of interception, monitoring, decryption and blocking, are also appropriately addressed in an efficacious and efficient manner.

There are no secure computers. There are no secure networks. I think sooner or later we are going to be hit by a cyber failure that will affect either our nation’s infrastructure or international infrastructure in a very significant and harmful way. The problem is, the Internet was never designed to be secure. It was never actually built to do a lot of the things we are using it for. It was not meant to be an engine of commerce. It was not meant to hold your banking information. In the late 1960s, researchers began developing a network that could share information between computers. In the 1990s, it went public and exploded. It was no longer just a handful of scientists on the Internet. It was now anyone with a modem. When you have 25 people on a network, you can be pretty sure they are gonna play well, but when you get a billion people, you can be pretty sure that somebody is not playing fair. The Internet has little to no law enforcement. It’s simply too big. Too international. Too anonymous. Cyber is the 5th common domain.

It is a common myth that privacy is about having something to hide: “I don’t have anything to hide, so I don’t need privacy.” But, you know, that’s not true. We have nothing to hide when we sing in the shower or write a love letter and tear it up. Privacy is about us as individuals. It’s about our ability to be who we are without necessarily telling everybody. When someone says “I have nothing to hide”, just ask them what their salary is, what their sexual fetishes are, what kind of diseases they have. It’s not about hiding, it’s about personal dignity. Data is a fundamental by-product of every computer-mediated interaction. Things that used to be temporary are now permanent. And more and more of that data is being saved and used by governments, by corporations, by marketers. I mean, you can find out for yourself. You go on the Internet and you start searching; maybe you want to buy a new car or a new house, and you start looking at the listings. You go on Facebook and suddenly you are gonna see ads for cars and houses. As you surf the Internet, you are being followed, and a profile about you is being collected and then sold to others.

Today's computer-driven world was pioneered by techno geeks. Their vision of the Internet was a Utopian space of free-flowing code and ideas. The last thing they expected was the virtual reality shopping mall that cyber space has become. Some hackers defy the system. They call themselves black hats. They are 21st century cowboys who break the law to roam freely on the range of cyber space. While black hat hackers are obsessives hammering at networks 20 hours a day, their opponents are system administrators, who work for the networks and are more 9 to 5. Much of the Internet is easy meat for the dedicated black hat. In the black hats’ world, websites can be altered. The Spice Girls can be shaved bald or the Pope can lose his trousers. In the black hats’ world, your plain text email is public property.

I think one of the things that leads to the obsession with controlling the Internet is a lack of control over your own life. You want to exert your force somewhere. A lot of hackers do in many ways resemble the “I have been bullied so I am gonna bully” kind of scenario. Despite the vulnerability of the Internet, which wasn’t designed for confidential transactions, the movement for e-commerce and online banks has rolled ahead. Hackers are not the cause of the problem but merely the symptom.

The people who cause the damage or the moronic act are the ones who in the first place have built a system that is so vulnerable that a kid in a bedroom can cause it to hiccup. We could wipe out cyber crime tomorrow simply by laying down legislation on minimum standards for enterprises. We are allowing the Bill Gateses of the world, we are allowing the Internet equipment manufacturers and the computer manufacturers, to sell equipment that is not good enough.

Hackers are moving into an era when what they know is priceless. In times of consequential change, it’s the mutants that save the world. When you come to a revolutionary change in circumstances, all of the good little boys and girls that kept their toenails clipped and didn’t get dirt on their shirts and said “yes mommy” and “no mommy” and all that stuff, they stand around in a panic not knowing what to do, and it’s the mutants, the ones who went out and pulled legs off frogs and explored and got dirty, who actually end up saving the world.

We have a very volatile society right now. We are extraordinarily dependent on computers, so all these people who have dared to think for themselves are now emerging as a new elite. The entire Internet is built on systems that are put up by people who are ignorant, uninformed and arrogant, and it wouldn’t take much to take it all down really quickly, and that’s a scary thought.
