Serious Web security issues in India

We probably need an agency where top hackers would sit day in and day out trying to find security holes in our Internet infrastructure, and work closely with compliance agencies in the government to fix the holes found

A chief technology officer (CTO) of one of world's top mobile service providers is worried about the fact that his company routinely sources critical equipment from a top Chinese vendor. After all, Chinese vendors come ten times cheaper than other Western vendors and the decision is based on purely commercial considerations.

However, the worry is that when critical components in the telecom infrastructure are in control of a potentially hostile country, the whole network could be brought down by just sending a couple of broadcast packets.

Not that there is any evidence that the Chinese have planted Trojans or backdoors in such infrastructure. In fact, there is no evidence either way, but the technology needed to reverse-engineer such components is either not available or would require millions of dollars of research to develop, so we do not know.

The software as it currently stands may even be clean but a routine firmware update could plant software having such nefarious commands. So, the detection problem becomes even more complex. Given that the Chinese government has cyber-war as its high priority strategy, and given that it gives millions of dollars in aid/subsidy to Chinese telecom vendors—heck, we don’t even know who exactly owns Huawei, the top Chinese telecom company—there is surely reason for suspicion that control of telecom infrastructure via equipment sold by Chinese vendors could be part of the Chinese government’s strategy, and this control can then be leveraged in case of any cyber-war.

In the Indian context, BSNL and Reliance routinely source from Chinese vendors. A year back, a couple of hackers demonstrated at the Defcon conference in the US, how mass traffic from an Internet service provider can be completely redirected to another country using a critical routing software called BGP. BGP is software that helps two routers talk to exchange routing information. The interesting part is that the hackers didn’t take advantage of any bug in BGP. BGP written decades ago when the Internet was in the hands of academicians, is a trusting protocol that just believes the data that it receives is true. To give an example, all of a particular ISP's traffic from India that is bound for the US, could go through, say, a node in Dubai, which then forwards it to the US. Another route to the US could be via Pakistan or China. If the Pakistani node's BGP software sends a message to the Indian ISP's BGP router saying that a better route to the US exists via Pakistan, the Indian ISP's router would just believe the above, and change its routing table so as to send all US-bound traffic to Pakistan instead. The traffic can then be legitimately sent to the US from Pakistan, but meanwhile it could also be sniffed and thus all traffic viewed. 

So, to the end user, everything would look fine, just that the intermediate node's owner could have a look at all the traffic.

Given that today, economies are so crucially dependent on the Internet, ability to view a country's traffic is the equivalent of knowing nearly all what goes on in the country, something that could give huge leverage to competitive business, not to mention the criticality of this data if the two neighbours are hostile to each other. A new version of secure BGP is in the offing.

The question is: Have all our Indian ISPs updated their BGP protocols to secure BGP? We don’t know. {break}

A year back, when the Kaminsky vulnerability was announced worldwide, it was months before many of the Indian ISPs fixed the bug. Using Kaminsky vulnerability, websites could be hijacked as it was a vulnerability in the DNS servers. DNS servers are the ones which translate a website name such as www.icicibank.com to an equivalent IP address such as 203.x.x.x.

It at least appears that in India we seem to be as complacent as ever as far as security is concerned. Well, it is not just appearance but reality too reflects this point. There have been security bugs found in some of the major payment gateways of India for instance. Many of our home routers can be logged into as people do not change their default passwords. Moreover, our CERT-in seems to have as its high priority dealing with sites like savitabhabhi.com and going after guys hosting porn sites. That is not bad in itself, but surely it does not have the same level of visibility as the American CERT.

Our ministry of external affairs network has now been hacked a number of times by the Chinese and our army network too. Our Internet is forever vulnerable, and it would not take that much to bring down the whole of our Internet economy for some determined and well-financed hackers.

Home minister P Chidambaram is talking about increasing the bureaucracy. He suggests a new ministry of internal security, and says that it is partly luck due to which we have not faced another 26/11 type of attack this year.

Imagine a DDOS—distributed denial of service—attack on India for a week. A denial of service attack floods the Internet with useless traffic so that normal operation becomes impossible. How much would we tend to lose?

Add to it the fact that we are getting into other areas such as microfinance where embedded devices such as small microprocessor based hand-held devices or mobiles are going to have critical financial information inside them. How secure are these?

Skype is another area which is a potential security risk. Skype encrypts the communication; terrorists are known to use Skype to communicate, and as of last known reports, the Indian IB (intelligence bureau) has been unable to decipher Skype conversations. In fact, IB has recommended to DoT that they block Skype, a solution which I feel is akin to throwing the baby out with the bathwater. Nevertheless, it is important for national security that our intelligence agencies are able to listen to Skype conversations. The 26/11 handlers used VoIP and though at that time the terrorists themselves used regular mobile phones, the next time over they could use Skype or other encrypted VoIP and we may not be so lucky.

Decoding satellite communication is another issue. Some satellite vendors such as Thuraya for instance don’t have their presence in India and hence are not under Indian government control. Hence, IB cannot force them to decrypt the communication.

What we need is a more serious effort into tracking and fixing security bugs in our critical infrastructure and dealing with issues such as decoding encrypted conversations. Perhaps we need an agency where top hackers would sit day in and day out trying to find security holes in our Internet infrastructure, and work closely with compliance agencies in the government to fix the holes found. One argument is that it is all there, and the public is in the dark. Though it may be a possibility, from the reports emanating to the public, it is frankly hard to believe.

Finally, the above potential threat scenarios mentioned are not about crying wolf. With some investment, most of the above hackings mentioned can be shown to work.

(Dr Samir Kelekar has over 23 years of experience in the global IT industry. He is currently the founder-director of Teknotrends Software, Bengaluru).
 

User

COMMENTS

Manali Rohinesh

7 years ago

Just thought I should use this article to warn people of spam emails that are floating around that have the look-n-feel of the IT department's emails - complete with logo and tagline. When my CA showed a printout of this email (which apparently allowed me to claim my refund online), an IT officer suggested lodging a police complaint since the IT department does not ask people to claim refunds by filling anything online. The officer also showed him similar printouts that many other people had brought to him for verification.

The text of this spam email is below:

Subject: Online Refund Form

After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 820.50 Rupees.

Please submit the tax refund and allow us 3-5 days in order to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here>>

Copyright © Income Tax India. All rights reserved. http://www.incometaxindia.gov.in

Banks not ready to withdraw prepayment penalty on foreclosure

The Competition Commission has sent notices to at least 15 banks, NBFCs and IBA seeking explanation on why they penalise borrowers who choose to foreclose loans

Indian banks have expressed concern over the intervention of the Competition Commission of India (CCI) on the home loan prepayment penalty issue as they fear that this would put pressure on their costs, increase risk and even lead to higher lending rates, reports PTI.

Last month, CCI, the apex body that operates to sustain and promote competition, sent notices to at least 15 banks, non-banking financial companies (NBFCs) and the Indian Banks' Association (IBA) seeking explanation on why they penalise borrowers who choose to foreclose loans.

In the communication, CCI is understood to have observed that loan prepayment penalties will suppress the competition in the home loan market by limiting the chances of a borrower to switch their loan to another lender.

Banks which have been asked to explain this matter include State Bank of India (SBI), ICICI Bank Ltd, Axis Bank Ltd, Punjab National Bank (PNB), Canara Bank, Indian Overseas Bank (IOB), Indian Bank, Oriental Bank Of Commerce (OBC) and HDFC Bank Ltd, amongst others. Besides, home financiers like Housing Development Finance Corp Ltd (HDFC) and LIC Housing Finance Ltd were also served notices by CCI.

According to sources, many of these institutions have already replied to CCI, to make it clear that the removal of prepayment penalty will result in higher lending risk and may cause asset-liability mismatch in banks.

IBA, which is the industry lobby of Indian lenders, said banks would send their responses individually to CCI as early as this week.

"IBA's view is that this (prepayment penalty) does not violate competition laws. Moreover, if CCI insists that banks should stop penalising foreclosures, banks will have to hike the lending rates by at least 0.25% to cover the risk," a top IBA official told PTI.

IBA would respond to the CCI's notice this week, the official said.

Presently, most banks charge prepayment penalty in the range of 1%-2% in the event of a customer opting to close the home loan prematurely. Banks do this with a view to cover the interest loss due to the foreclosure of the loan.

What irked CCI is the fact that some institutions are charging higher penalties as high as 3% to 4% to discourage customers from switching their loans to another bank or a financial institution, the official said.

SBI, which charges around 2% prepayment penalty for premature closures within three years of availing the loan, said the penalty is necessary in the system to avoid any asset-liability imbalances.

"Prepayment penalty is an accepted norm in all developed markets across the world. Banks give loans for a specified maturity and raise liabilities (deposits) to lend. During foreclosures, banks will have to take a hit in cost terms. This necessitates (the) prepayment penalty," a top SBI official said.

Besides, the costs of all borrowers are likely to go up if banks stop penalising customers for loan foreclosures as banks will be forced to hike lending rates to cover the interest loss, the official added.
 

User

COMMENTS

Ram

6 years ago

We are living in a country where thuglakh rule is followed. what RBI is doing? is RBI just watching a movie in how customers are looted by these banks. Banks should feel great that customers are paying their loans well ahead of schedule. Looks like RBI is also favor of these big banks by receiving hell and lot of money back door and kept queit.

Tinesh

6 years ago

I think this policy of charging prepayment penalty has to be abolished by the banks after a certain year like wise say after 3 years a person can clear his loan without prepayment penalties.

vadivel.r

7 years ago

What a stupid think of the banks, those who borrowed loan from bank willing to repay. but this banks charge them pealty. those who fraud against the banks are getting discount on payment. what a demoCRAZY think. The Government act on this is worst and True Civilian suffer.

Who put the bell to those cats?

US fiscal deficit to touch $1.6 trillion

The deficit for the current fiscal year will reach nearly $1.6 trillion, a new post-World War II high, with the addition of about $100 billion in additional tax cuts and public works spending that president Obama has proposed to spur job creation.

Read Article...

User

We are listening!

Solve the equation and enter in the Captcha field.
  Loading...
Close

To continue


Please
Sign Up or Sign In
with

Email
Close

To continue


Please
Sign Up or Sign In
with

Email

BUY NOW

The Scam
24 Year Of The Scam: The Perennial Bestseller, reads like a Thriller!
Moneylife Magazine
Fiercely independent and pro-consumer information on personal finance
Stockletters in 3 Flavours
Outstanding research that beats mutual funds year after year
MAS: Complete Online Financial Advisory
(Includes Moneylife Magazine and Lion Stockletter)