Security in Computer Usage

nandu

Senior Member
Joined
Oct 5, 2009
Messages
1,913
Likes
163
Security in Computer Usage

Moustaches Droop and Eyebrows Raise in Indian Armed Forces

The Head Quarters of Western Command of the Indian Army at Chandi–Mandir conducted a confidential activity. A computer security expert was invited to talk to the senior brass consisting mostly of starred Generals. The visitor asked one question: 'Do you have any emergency drill in place, which is to be followed in case of an attack on your computer system by virus or by a snooper?' Moustaches drooped and eyebrows went up – the language was 'Greek' to the audience. They were informed that the first virus 'Sea Brain' is alleged to have originated in Pakistan.

Information Technology and telecommunications merged some years back. The standalone computer is already part of history worthy of being placed in a museum. The advantage in having this tool gets multiplied many times in a network. From a local area network to Internet it is a great leap forward, yet achieved in a few years. A network is inevitable in any environment and the administrators are worried about the aspect of security of information more than ever before. The traditional C3I, command, control, communication and intelligence is now C4I with computer added.

E- INSECURITI

e-Security is a much debated word, the world over; India has awakened to this gray area only recently. A national seminar on e*Security attracted the presence of some top ranking officers of the Indian Armed Forces *though only a dozen – among two hundred and twenty seven participants. One officer from the Indian Navy in attendance, is expected to head the information technology hierarchy at the Naval Head Quarters. Another from the directorate of Signals and two others from the Air HQ along with a few from the Software Development Institute, Bangalore of IAF were present.

Strangely Indian Army was disproportionately represented with only a few officers. The Indian Army is improving its AREN, Army Radio Engineering Network and ASCON, Army Static Communication Network. The voice, telegraph, link and the medium were thought of but the computer is giving the jitters. The CIDSS, Command Information Decision Support System, made some effort with a secret delegation under a three star general and a security expert going abroad in 1986-'87 and again in '94-'95.

An invisible group from the Government Intelligence Agencies sat through the seminar too. A few days later the Central Bureau of Investigations announced the formation of Cyber Crime Research and Development Unit in addition to Cyber Crime Investigation Cell. It is not clear how much of computerisation and networking is implemented in the intelligence agencies of the country and what is the level of information security in their network.

E-COMMERCE IS INEVITABLE

Many others from the corporate business world, stock exchanges and banks are naturally interested, primarily to protect their data and business transactions. Motive in this sector is to protect their profits and to reduce losses if any, due to information leakage. Some vendors of e-security software package, which is a business enabler and not just a protective device, were present to make high pitch sale of their wares.

DRDO CYPHER SYSTEM


About a decade back a Scientific Analysis Group was formed in the Defence Research and Development Organisation. The Integrated Data Cypher System was designed by the group, which was headed by a scientist well versed with cryptography. Between 1992 and 1994, a three level 'key management system' with message key, system key and network key was arrived at with indigenous proprietary algorithm. It was put in operation in many establishments. Further developments to make it adaptable to the Windows environment was necessary though the original algorithm was independent of Operating System.

The technology is proven and was transferred to Bharat Electronics Limited. The Director of Computers, who was also in the Review Committee, Technology Development Phase Software Group, was instrumental in its development. Yet, it may need a re-look in the present, changed environment.

Absolute security is a misnomer. Like the computer virus which cannot be stopped or eradicated but at best is only managed, so is it with security of computer based information. Strangely, in the acronym savvy world of IT, the same nomenclature, 'hacker' who introduces virus, is used to refer to the snoop, who steals information.

Any number of firewalls, encryption algorithms, coding and decoding can never be secure for a longer period – the term 'longer' being decidedly relative. Storage devices of the bits in the computer such as memories, integrated circuits can be opened and analysed to determine the rows of zeroes and ones, which lead to an understanding of the information inside. When a computer is connected to an information super highway and to servers in many countries, the interface components are vulnerable to determined hackers who can 'milk' the bits. 'Buffer Overflow' is a technical term in software which is identified as one common avenue to attack the security of a system – this is in the knowledge of computer experts since four decades but is still used to. steal information by hackers.


Neither profit and loss nor cost is the criteria in a security environment in defence establishments – at least in India. A retired Major General and a serving Air Commodore feel that 70 to 80 percent of information exchanged in the armed forces unnecessarily carries a higher security tag than what it deserves. The General, who believes that the weakest link in any security environment is the 'human', recalled a short report on a Military Courts Martial carrying a few lines which was to be classified as Top Secret.

MUDDLE IN IAF

Interestingly, the vested interests within the hierarchy of the Indian Air Force appear to fear the increase in authority that gets attached to the Directorate of Signals if information security is given paramount importance. In smaller pockets of the hierarchy, the officers conversant with software and who show eagerness are encouraged to develop systems of e-security. This will be counterproductive without a centralised control but provides for unhealthy competition, which is easily exploited. Perhaps the Ministry of Defence needs to intervene.

TATA Infotech Limited is engaged in a big way with the Indian Navy to network a few establishments through fibre optic cables *information security and confidentiality of transaction is an embedded element. A logistics network using Very Small Aperture Terminal, VSAT for the IAF is slowly getting into place notwithstanding a continued insistence of non-technical commissioned officers to look after the highly technical components and systems, which remains an enigma. Unfortunately, considerations other than merit, logic and need still prevail. The procurement channels that reach off shores being an attraction for various reasons. The fact of the matter is that e-security in Indian Armed Forces is dependent on foreign hardware.

UNLEARNT LESSON FROM USA

In the USA, National Security Agency which is the repository of all Master Keys used in computers in USA, Computer Security Institute and Advanced Encryption Standard are constantly combating the vulnerability of security in any computer network. In India one does not come across any similar organised approach. A recent addition in the USA is a qualification, Certified Information System Auditor. The Defence .Advanced Research Projects Agency, DARPA in the USA is said to have invented the Internet concept and is constantly evaluating computer viruses and security breaches to develop constant updates. In India, National Association of Software Servicing Companies, NASSCOM, Manufacturers Association of Information Technology, MAlT and Computer Society of India, CSI behave as independent bodies, at times vying with each other.

PRESS IS ADVERSARY

The Ministry of Information Technology in Government of India, which should be the nodal agency for such effort, surprisingly chooses to list 'press (media)' along with hackers and other components as 'adversary' to an environment of security. A scientist official, presumably from the Security Cell, spoke on 'Security Realities in the age of e-revolution'.

He feels that the Press is intent on snooping into government files. He added that computer snoop would be a new role instead of awaiting and accepting leaked information from the government. Sad, that the spread of awareness and caution due to the media are ignored.

There is a good reason to believe that others in the GoI are bewildered too. The National Informatics Centre, NIC is rightly segmenting the scenario that needs security into (a) Link to Link (b) Node to Node and (c) End to End. But NIC seems to have wrongly taken up a model, which they call as Highway Model. It involves security for a car, security for the car with a driver on the move, security for the road on which the car with the driver is moving and of course, security at both the nodes, the starting point and destination. One should be thankful that a bullock cart and a muddy village path were not chosen as an analogy.

When computer hardware, the operating system and some application programmes were proprietary, the interoperability problems faced abroad are for everyone to see. Proprietorship has given way to public domain. Telephones are in the public domain and the armed forces out of necessity and convenience had to use this public domain. Wireless telecommunication is a public domain but effectively in use in the armed forces. In contrast, computer started as a private tool and has become a very cheap public utility in a very short time compared to the other two stated above. One who peeps in or peers into is invariably smarter than the user or administrator who controls this tool. 'India wants to avoid the proprietary problem and to leap frog ahead' says NIC.

But one is yet to start. A fundamental concept in computer security is that a user or one who inquires cannot disown the activity. Non repudiation is an in built facet in e-security.

COMPUTER FORENSICS

Forensic science deals with the detection methods to link crimes with weapons used and the user. Computer forensics is just being talked about today. One expert feels that whatever be the digital encryption method and algorithm in the key in use, the last component in the integrated chip and processor is an 'analogue gate' which is vulnerable to attack by snoopers.

The ubiquitous Pentium III microprocessor from Intel Corporation can keep a record of the machine from which a transaction originated. A licensed machine is not difficult to locate. A programme can be attached *unknown to the user – which automatically signals a remote server whenever a particular machine with a particular microprocessor is booted into action. The actual content in the activated operation is yet another field of study. Self-Programmable On chip Micro controller or SPOM can be dangerous to a secure but inadequately literate user – literacy in computer usage is indeterminate and never complete.

INFORMATION RETRIEVAL IN COMPUTER

If a chip or integrated circuit or microprocessor or controller, which has been used for a number of transactions, is stripped to its bare essentials, kilo bytes of its Read Only Memory can be reconstructed by looking into it through a micro scope using reverse engineering process. Between adjacent minute sensor lines, minute holes can be drilled which can be refilled with metal and a minute cross can be placed – now it is ready for micro probing access. For example, a read only memory in a computer, ROM can contain some embedded programme, which could be carrying defence secrets.


The hard disk in a computer stores information in files in the form of bits in clusters. When one works on files and modifies them, deletion and addition of data takes place through overwriting. When a file is deleted or erased, it can be reconstructed unless the clusters in the hard disk on which the bits were written in, has been over written at least about eight times.

In other words, deleted files are retrievable and as a corollary, passwords can be reconstructed too. Organised institutions without much expenditure and overheads can indulge in such operations.

Smart Card is said to add a new dimension to e-security. A bio-metric dimension such as the finger print of the owner of the Smart Card can be added on to the card. A cardholder may have access to a Top Secret area. Each entry and the time of entry can be recorded. The processor in this card, if stolen, can give out information. Smart Card is magnetic and liable to damage; a new Laser Card developed recently has passed 1 7 stringent tests by the US Army.

A professor and head of the department in an Indian Institute of Technology has been heading a 'Smart Card' project for the last four years with sixteen partners. He states, 'those who cannot crack passwords are not admitted into his Master of Technology, M Tech programme!' He means that a postgraduate at that level must have developed intellectual probity and that any password is never secure.

THE IT ACT AND CYBER LAW

The IT Act 1999 which is being notified now as the first set of cyber laws in India, does not emphasise Smart Card technology. Concept of secure Digital Signature is inadequately explained. The e-security as it is understood today works on two layers – a public key and a private key. A foreign specialist says that the private key can be adopted in more than one way. Choice of length of the key involves complexities – longer it is more secure it can be. The present technology can offer a key length of 2,096 bits. Primal testing is a method used to identify the 'prime number', which is needed to generate a key.

PUBLIC AND PRIVATE KEY


The public key works under a public key infrastructure, PKI. Authentication is through the public key, Digital signature gets added on to this. It ensures confidentiality; a user can change it randomly. Each user has a unique set of one public key and one private key. Yet, if the user uses a public key and a private key, it can be tracked by sheer iteration and by monitoring the time it is used and the frequency of use. The earlier concept of Symmetric Key visualised the same key to encrypt and to decrypt to get the message or content. It is giving way to asymmetric key, where the key for decryption is mathematically related to the encryption key through a hashing algorithm, but is not the same. Asymmetric key came into being in 1976.

The 'smart' professor raises a question, 'how secure are the security digital keys?' Key storage and distribution, which is the first step in e-security, is an issue. Master Keys are being talked about too.

When a security tool to prevent unauthorised access in a network is purchased, the buyer is only building a barrier which would be overcome later and is banking on the time delay that a hacker will take to pierce the security mask. It is stated that by mid-2000, the web site of the Ministry of IT and the Indian Parliament, both were penetrated by hackers. A year and a half back peripheral computer system at the Bhabha Atomic Research Center was looked into by hackers in the USA. It is said that a programme is afloat on the Internet that enables one to get a free Internet account of one of the leading Internet Service Providers, unknown to them! Some time back Railway reservation service in West Bengal was allegedly compromised.

The single biggest computer fraud on record is alleged to be the embezzlement of$ 300,000 from a bank in South Africa, the culprit actually blackmailing the establishment for an equal sum to stop him from telling others, 'how to do it'. Due to the absence of cyber laws in that country the person is said to have gone unpunished. As a corollary, such misappropriations in other financial establishments and banks might have gone unpublicised elsewhere, for fear of losing clients and customers. Whither e-insecurity in Indian defence establishments? Guardians of secrets are in unison in vouching for the vintage style with the hand written document in a brief case, which is chained to the wrist of the courier and locked, as the best mode of confidential transaction yet discovered by human being.

http://www.indiandefencereview.com/2010/06/security-in-computer-usage.html#more-2380
 

anoop_mig25

Senior Member
Joined
Aug 17, 2009
Messages
5,804
Likes
3,151
Country flag
it seems there is bug in indian policy makers mind that they think in future there isnt going to any war between indo-pak or indo-china so this people are all relaxed. they some perceived notations if its indo-pak war then pakistan will loose somehow and we will back to where we where i.e status quo.And china wont attacked india after all we are having business relationship between then even if attacked america,russia will always help. so now u know why our policy makers are so stupid.god save this country
 

Latest Replies

Global Defence

New threads

Articles

Top