STEALTHY SEEDING: A VIEWPOINT
Eavesdropping is not new to India. Numerous phone tappings have been reported in the past; Giani Zail Singh’s bedroom and office were taped in Rashtrapati Bhavan throughout his tenure as President. Organisations like NTRO would obviously tap phones and computers when ordered. Then there are foreign agencies that can be hired, an example being the tapped conversation of Musharraf in Beijing during the Kargil intrusions.
So, elaborating on Edward Snowden’s disclosure that the US National Security Agency (NSA) has been snooping globally through its programme codenamed Prism, the Guardian has brought out that targets included friends, allies and foes. There have been anxious voices in India asking whether the Indian Embassy in Washington, D.C., was targeted, one minister saying the issue should be inquired into and the other saying no data was stolen, though the latter cannot be established. The NSA access system is built into every version of the Windows operating system now in use, and Windows source code is said to be highly compartmentalised, making it easy for modifications to be inserted without the knowledge of even product managers, which effectively compromises your entire operating system.
In fact, there is evidence that Snowden did steal data, which may eventually be leaked gradually like Wikileaks. But then snooping is an age-old phenomenon. In the mid-1990s, the Central Intelligence Agency (CIA) had technology to plug into the power source five kilometres away and extract data from computers, which forced the Japanese Ministry of Defense and all the services headquarters to cut off regular power supply and switch to in situ generators. Now consider the distance from the US Embassy in Chanakyapuri to the North and South Blocks in New Delhi.
Admittedly, today is an era of firewalls, but where are they installed, what is the strength of these firewalls, and can they be breached? After all, in a country like the United States, so advanced in cyber warfare, where were the firewalls, that Julian Assange and Edward Snowden could steal all that they did so easily? Then, if China has been able to even physically penetrate the Federal Bureau of Investigation (FBI) to steal technology, could Snowden be their agent, or doubling for a price?
Now our National Security Council Secretariat (NSCS) has warned against Chinese gear makers, especially Huawei and ZTE, quoting Intelligence Bureau (IB) reports that these companies are involved in the People’s Liberation Army (PLA) project for strengthening the army’s electronic warfare capabilities. ZTE maintains a diverse relationship with the PLA, encompassing collaborative research with military and civilian universities, including satellite navigation, data link jamming techniques, training of active duty PLA personnel, and acting as prime supplier of customised telecom service and hardware to the PLA. Similarly, Huawei has an ongoing relationship with the PLA and the Chinese political leadership, and trains PLA units in networking design and construction. Now look at their products in India. Ironically, we have bulk computer parts, telecommunication equipment, even pen drives coming from China. Chinese global bot armies apart, we do not know what malware has been embedded in this equipment at the manufacturing stage itself, and we have no capability as yet to undertake any worthwhile checks. Then there have been reports in the past that China has devised a system to snoop on the data in computers whenever Skype is in operation.
Significantly, iViZ Security Inc in its latest report titled ‘(In) Security in Security Products 2013’ says the very security products we use can themselves have vulnerabilities which can leave us susceptible to attacks. The report highlights successful hacker attacks during 2012 on security software giant Symantec Corporation, cloud security company Panda Security, e-mail security solutions provider GlobalCerts and Barracuda Networks.
There has been a sharp increase in publicly disclosed vulnerabilities across security products during 2012, and the prediction for the future is of increased attacks on security products, companies or solutions, and that the majority of vulnerabilities discovered will not become public. On balance, we have to live with this reality till we develop indigenous operating systems, hardware, software and chips.