Center Of Excellence (CoE) For Internet Of Things (IoT) In India

Monday, November 16, 2015

New Cyber Espionage Malware Named Uroburos/Snake Detected By Cyber Security Researchers

The traditional Cold War Era may be over but the Technology Assisted Cold War is still in vogue. Developed Nations have been making and using Sophisticated Malware that is well beyond traditional and modern Cyber Security Mechanisms. Even well trained Cyber Security Professionals cannot detect them till these Malware have already achieved their Surveillance and Espionage tasks.

For instance, Malware like Stuxnet, Duqu and Flame have simply proved this point. They kept on creating havoc for many years in an undetectable and covert manner. They were detected only recently and since then their variants have been making rounds in the Cyberspace.

These Malware are not the tasks of a group or company but expert malware makers that are supported by Developed Nations. The United States has been accused of making these Malware in the past and it is also believed that U.S. is the biggest buyer of Malware in the World. U.S. has also been accused of using a combination of Radio Waves and Malware to spy upon other Countries. It is well known that Global Cyber Espionage Networks are being actively and covertly used to Spy on other Nations. This is evident from the fact that the Command and Control Servers of Malware FinFisher were also found in 36 Countries, including India.

Countries across the World have started to strengthen their Cyber Security Capabilities. While protecting their own Cyberspace domain, various Countries must understand that Cyber Security is an International Issue (PDF) and not a National one. Therefore, an International Cyber Security Treaty is Required (PDF). In the absence of international harmonisation in this crucial field, countries would keep on attacking one another in the Cyberspace.

In the latest news in this regard, G Data Security experts have analysed (PDF) a very complex and sophisticated piece of malware, designed to steal confidential data. G Data refers to it as Uroburos, in correspondence with a string found in the malware’s code and following an ancient symbol depicting a serpent or dragon eating its own tail.

According to G Data, Uroburos is a rootkit composed of two files: a driver and an encrypted virtual file system. The rootkit is able to take control of an infected machine, execute arbitrary commands and hide system activities. It can steal information (most notably: files) and it is also able to capture network traffic. Its modular structure allows extending it with new features easily, which makes it not only highly sophisticated but also highly flexible and dangerous. Uroburos’ driver part is extremely complex and is designed to be very discreet and very difficult to identify.

BAE Systems has labelled it “Snake” (PDF) and has identified two distinct variants, both highly flexible but with two different techniques for establishing and maintaining a presence on the target system. In general, its operation relies on kernel mode drivers, making it a rootkit. It is designed to covertly install a backdoor on a compromised system, hide the presence of its components, provide a communication mechanism with its command and control (C&C) servers, and enable an effective data exfiltration mechanism. At the same time, Snake exposed a flexibility to conduct its operations by engaging these noticeably different architectures.

According to media reports, ‘Uroburos’ has been stalking its victims since as far back as 2005, and large enterprises and governments need to pay urgent attention to the threat. It now transpires that Snake has been slithering silently around networks in the U.S., its NATO allies and former Soviet states for almost a decade, stealing data, getting ever more complex and modular and remaining almost invisible.

Culling data from malware research sites (i.e. those to which suspected malware samples are submitted for inspection), it has been spotted 32 times in the Ukraine since 2010, 11 times in Lithuania, 4 times in the UK, and a handful of times altogether from the US, Belgium, Georgia, Romania, Hungary and Italy.

These are very small numbers, but cyber security firm(s) believe that, on past experience, they are highly indicative. While they represent a tiny fraction of the number of infections that will have occurred in these countries and beyond, they can be used to reliably infer that Snake has been aimed at Western and Western-aligned countries pretty much exclusively. While none has specifically named Russia as the originator of this malware, some have put the country under suspicion.

Hints of the malware’s provenance have surfaced from time to time. In 2008, the U.S. Department of Defense (DoD) reported that something called Agent.btz had attacked its systems, an incident later attributed on more than one occasion to the Russian state without further elaboration. Beyond that, the evidence is circumstantial and it is very difficult to attribute Cyber Criminality with great certainty.

National Security Policy Of India Some Techno Legal Suggestions

National Security is a very vast and complicated field to manage as it encompasses various facets of security. It includes traditional security of borders and infrastructure to Cyber Security of the Indian Infrastructure and Cyberspace. India has been lax on the front of National Security in general and Cyber Security in particular. The National Cyber Security Policy of India 2013 has been drafted recently and its actual and full implementation is still missing.

Further, various components of National Security are still operating in vacuum and independent of each other making the entire concept of National Security a façade. For instance, the Cyber Security Policy of India is still not a part of the National Security Policy of India. In fact, we have no National Security Policy of India that is presently implemented by Indian Government. The Cyber Security Policy of India must be an “Essential and Integral Part” of the National Security Policy of India.

DNA India has reported that the current UPA Government led by Prime Minister Manmohan Singh is set to unveil a draft of National Security Policy for public debate. The National Security Advisor Shiv Shankar Menon has already started working in this regard so that a well defined strategic policy framework can be adopted by the new Government after a public debate. It seems the intention is to make the National Security Policy of India operational after the 2014 Elections are over. This is logical as well as such crucial policies cannot be implemented at time of uncertainties. The National Security Council (NSC) has already proposed three pronged Cyber Security Action Plan for India.

The UPA Government has its own share of successes like securing Indian borders and avoiding any big threat from outside, getting the non-permanent member status of the UN Security Council, obtaining a permanent seat at the Arctic Council and a chair at G-8 negotiations, etc. So the “Failures and Achievements” of the present UPA Government are somewhat balanced in nature.

India already has a doctrine for its defence as well as strategic forces, both for conventional and sub-conventional wars. But the new doctrine will be over-arching, comprehensive and will incorporate elements of foreign and internal security policies.

Though the proposed draft of the Policy is still at the infancy stage yet it may act as a resource guide to deal with Indian National Security issues. The proposed Policy would look at all aspects of National Security including the Economic, Technological, Political, Cyber as well as Scientific. It would also streamline the Security Strategy and address the systemic lacunae in the absence of a clear and comprehensive policy.

A “Special Focus” upon Cyber Security is need of the hour. To start with a dedicated Cyber Security Law of India must be formulated. A robust and comprehensive Telecom Security Policy of India must also be immediately formulated. Further, Draconian and Disabling Laws like Information Technology Act, 2000 and Indian Telegraph Act, 1885 must be “Repealed” as soon as possible. Civil Liberties and National Security Requirements must be “Reconciled”. A dedicated Privacy Law of India must also be formulated immediately to strengthen Privacy Rights in India.

During the exposure of engagement of E-Surveillance by the National Security Agency (NSA) of U.S., James Clapper confirmed that NSA is targeting Foreign Citizens for Surveillance. This E-Surveillance is further “Combined” with Tactics and Techniques of Cyber Warfare, Cyber Espionage and Cyber Terrorism, etc. The traditional Cold War Era may be over but the Technology Assisted Cold War is still in vogue. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, etc have simply proved this point.

These Malware are not the tasks of a group or company but expert malware makers that are supported by Developed Nations. The United States has been accused of making these Malware in the past and it is also believed that U.S. is the biggest buyer of Malware in the World. U.S. has also been accused of using a combination of Radio Waves and Malware to spy upon other Countries. It is well known that Global Cyber Espionage Networks are being actively and covertly used to Spy on other Nations. This is evident from the fact that the Command and Control Servers of Malware FinFisher were also found in 36 Countries, including India.

These Malware used Cyber Attack Methods and Vectors that are far beyond the Capacity of Traditional Cyber Security Mechanisms to Trace and Prevent. This becomes a serious Cyber Security Issue when Critical ICT infrastructures are at stake. For instance, the critical Infrastructure Protection in India and its Problems, Challenges and Solutions (PDF) are still to be looked into with Great Priority by Indian Government. It is only now that India has declared that NTRO would protect the Critical ICT Infrastructures of India. Similarly, a Tri Service Cyber Command for Armed Forces of India is in Pipeline. Nevertheless, the Cyber Security Infrastructure of India is Weak and it must be improved as soon as possible.

Countries across the World have started to strengthen their Cyber Security Capabilities. While protecting their own Cyberspace domain, various Countries must understand that Cyber Security is an International Issue (PDF) and not a National one. Therefore, an International Cyber Security Treaty is Required (PDF). As far as India is concerned, the Cyber Warfare Policy of India (PDF) and E-Surveillance Policy of India (PDF) must be urgently drafted and implemented. Similarly, Self Defence and Privacy Protection in India must be ensured.

India’s own Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc are violative of Civil Liberties Protection in Cyberspace. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. The proposed National Security Policy of India must address this issue as well on a priority basis.

Intelligence Agencies Of India Demand Legal Immunity Against Cyber Deterrent Acts

India has been working in the direction of strengthening its Cyber Security Capabilities. As India is a late entrant in this field, Cyber Security in India is still not up to the mark. The Cyber Security Trends and Developments in India 2013 (PDF) provided by Perry4Law’s Techno Legal Base (PTLB) have proved that India is weak in the field of Cyber Security. The Offensive and Defensive Cyber Security Capabilities of India are yet to be achieved.

We have no dedicated Cyber Security Laws in India as on date. The Information Technology Act, 2000 (IT Act 2000) is the sole Cyber Law of India that also indirectly talks about Cyber Security.  The IT Act 2000 is silent on the issue of conferring legal immunity to hackers and other Law Enforcement Agencies while countering cyber attacks and this is a cause of concern for the Intelligence Agencies of India. It is also true that the Intelligence Agencies of India are also not subject to Parliamentary Oversight that is need of the hour.

International Legal Issues of Cyber Attacks are a cause of concern for India and India needs to upgrade her Cyber Security Capabilities. Intelligence Agencies of India are planning to acquire such capabilities with “No Legal Obligation Attached Whatsoever”. This is a draconian power that cannot be conferred on them as that would violate the Civil Liberties Protection in Cyberspace of Indian Citizens. To make matters worse, we have no dedicated Privacy Laws in India and Data Protection Laws in India (PDF). Even the Right to Information Act, 2005 is not applicable to Intelligence Agencies and many Law Enforcement Agencies of India. India “Must Reconcile” the Civil Liberties and National Security Requirements, which is presently not happening.

It has been reported that following security agencies’ demand for legal immunity in cyber deterrence cases, the Deputy National Security Adviser is working on setting up An Inter-Ministerial Group to look into the issue. The Intelligence Bureau has said legal authority for cyber deterrence is very important for agencies in dealing with matters like terrorism. Citing the example of some countries, which have oversight mechanism, agencies have demanded legal immunity.

For example, the United States has a mechanism in place to monitor foreign accounts. However, U.S. is also making its Intelligence Agencies “Accountable” to the Parliament and there are many Statutory Protections against “Abuse of Powers” of these Intelligence Agencies. In India there is no such “Procedural Safeguards” and Intelligence Agencies are openly violating various “Constitutional Protections” and Civil Liberties.

India’s own Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc are violative of Civil Liberties Protection in Cyberspace. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny.

Now the Intelligence Agencies are demanding the power of “Hack at Will” without any “Legal Ramifications”. National security is not a “Blanket Protection” against Illegal and Unconstitutional E-Surveillance and Eavesdropping. It seems the Intelligence Agencies of India are asking for this “Illegal and Unconstitutional Power” that “No Sensible Government in its Right Mind” would allow.

In a recent meeting on Cyber Security, a representative of the Department of Telecommunication (DOT) said the Department could make some provisions in the Calling Line Identification (CLI) Guidelines that will enable monitoring of at least Foreign Nationals in the country.

The Deputy National Security Adviser, Nehchal Sandhu, is working on setting up an Inter-Ministerial Group comprising the Law Ministry, the Department of Electronics and IT, the Department of Telecom (DOT), IB and the Home Ministry to identify gaps in existing legislation and regulations as well as measures to bridge them.

However, there are “No Such Gaps” as are contemplated by the Deputy National Security Adviser. In effect, the Group is considering how to “Further Confer” Illegal and Unconstitutional Powers upon the Intelligence Agencies. This is really unfortunate as the Group must consider how to make the Intelligence Agencies and Law Enforcement Agencies of India Accountable to the Parliament and how to “Safeguard” the “Constitutional Rights” of Indian Citizens that are openly violated by these Agencies.

Cyber Security Breaches Are Increasing World Over And India Must Be Cyber Prepared

Cyber attacks have not only become sophisticated but they have also increased significantly in terms of numbers. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc. are examples of the contemporary Malware that are far beyond the reach of present cyber security mechanisms. These Malware are stealthy in nature and by the time they are discovered the damage is already done.

It has been reported by the ICS-CERT of the United States that a U.S. public utility was cyber attacked and its control system network was compromised. Similarly, E-Bay has asked for a change of passwords after a breach of its database containing account information. Before that, Target Corporation was targeted by cyber criminals and as a result Target Corporation faced litigation threats around the world.

The cyber attack scenario has shifted its nature and territorial scope from being fun and regional to become a potential tool of cyber warfare and cyber espionage. We have no globally acceptable international legal regimes for cyber attacks as on date. Thus, international legal issues of cyber attacks are yet to be resolved.

Cyberspace also puts forward complex problems of authorship attribution for cyber attacks and anonymity. Cyberspace also gives rise to conflict of laws in cyberspace where multiple laws of different jurisdictions may be applicable at the same time. Thus, cyber security and international cooperation cannot be separated in these circumstances.

Meanwhile, nations around the world are streamlining their respective cyber security capabilities. We must also develop offensive and defensive cyber security capabilities of India. As per the cyber security trends and developments of India 2013 (PDF), India is lagging far behind the required cyber security initiatives. Cyber security in India is still not up to the mark in the absence of a dedicated cyber security law of India.

Even compulsory cyber security breaches notification norms are missing in India. Recently the National Security Council Secretariat (NSCS) requested Reliance Jio Infocomm to share potential cyber security threats on India’s telecom networks. India has announced that cyber security breach disclosure norm would be formulated very soon. However, till now no such disclosure norms are applicable in India against companies/telecom companies/ISPs of India and this could raise serious cyber security issues for India in the near future.

These cyber security breach disclosures are important as critical infrastructures of India like automated power grids, thermal plants, satellites, etc are vulnerable to diverse forms of cyber attacks. This is the reason why NTRO has been assigned the task of protecting the critical infrastructure of India. Till the national cyber coordination centre (NCCC) is put into place, national level cyber security coordination would be missing. The cyber crisis management plan of India and the cyber security policy of India must also be made operational as soon as possible.

Strict enforcement of the license conditions (PDF) against telecom companies operating in India and the proposed national telecom security policy of India 2014 may strengthen the cyber security infrastructure of India. However, nothing is better than formulating a good cyber security law of India that can establish a regulatory regime for compulsory cyber security breach notifications on the part of companies/telecom companies/ISPs.  Let us hope that the new Indian government would do the needful as soon as possible.

Cyber Security Challenges Before The Narendra Modi Government

As Mr. Narendra Modi is all set to swear to the post of Prime Minister of India he has to face unlimited challenges that have accumulated over a period of time. Thanks to our bureaucratic set up and all pervasive corruption, public reforms have always been kept at bay. There was no dearth of money and skilled people to accomplish the projected targets but still a dominant majority of projects in the last decade have failed to materialise.

Now that Mr. Modi has asked for a brief but accurate report and analysis of the situation, our bureaucrats are sweating and are in high stress. Even if they may somehow justify their non action and national reforms massacre still they would not be in a position to accomplish the mammoth tasks that have yet to be achieved. Decades of corrupt practices, incompetencies and indifference cannot be defeated in few years especially by retaining the same bureaucratic and ministerial structure.

Although there are hundreds of issues of national importance yet I would like to confine myself to a single issue that is closely and intrinsically related to our national security. The issue that I am talking about is the cyber security of India that is in a really bad shape (PDF). For decades our bureaucrats and Indian government did not consider cyber security as an essential part of national security policy of India. As a result cyber security has been grossly neglected and this has created a situation of high alert.

Even on the legislation front, India has failed to do the needful. For instance, we need to repeal the laws like Information Technology Act, 2000 (IT Act 2000), Indian Telegraph Act, 1885, etc but for some strange reasons our bureaucrats and Indian government kept them intact. I have been suggesting this recourse for the past five years but till now nothing concrete has happened in this regard. Similarly, crucial laws are absent from Indian statute books. These include law regarding privacy, data protection (PDF), telecom security, encryption, cloud computing, etc.

Mr. Modi would be required to not only overhaul his cabinet structure but also cleanse the bureaucratic circles that have been plaguing Indian reforms. Bureaucrats and politicians with clean image, hard working reputation and reforms oriented approach must alone be part and parcel of the Prime Minister’s Office (PMO) that may emerge as a “centralised national reforms point” of India. The approach regarding the proposed PMO is much required as that may be a game changer for India.

The previous PMO of India has already sanctioned a plan to spend 1,000 crore over the next four years to strengthen the cyber security capabilities of India. All Mr. Modi has to do is to make it sure that this may not be another proposal with no actual implementation. It must also be ensured that the allocated money is not only utilised but corrupt practices must also not take place while executing the cyber security project.

Obviously India needs to establish both offensive and defensive cyber security capabilities. This is important to protect the critical infrastructures (PDF) of India that are dependent upon information technology. A cyber warfare policy of India (PDF) must also be formulated as Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc. are far beyond the reach of present cyber security mechanisms. These Malware are stealthy in nature and by the time they are discovered the damage is already done.

Skilled workforce is also need of the hour and for this purpose cyber security courses must be introduced at the university level. Online education must be encouraged so that online cyber security courses can be imparted in India.

In short, the cyber security challenges before the Modi Government are institutional, skills driven, time sensitive and urgent in nature. We have already delayed strengthening of our cyber security capabilities and any further delay should not be tolerated by him.

Sunday, November 15, 2015

Indian Cyberspace Must Be Protected On A Priority Basis

A robust cyber security is essential to protect critical infrastructures (PDF) and public services rendered through information technology. If world wide events are some hints then India must seriously think in the direction of ensuring effective cyber security for Indian IT infrastructures and cyberspace. However the new Government would face many cyber security challenges as India has ignored cyber security for decades.

Meanwhile, Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc have been written to subvert the cyber security of Nations around the world. They are clearly made with the objective to indulge in cyber espionage, cyber warfare and cyber terrorism. If India establishes a counter terrorism centre, cyber security would be integral part of the same. In fact, the intelligence agencies of India have been working in the direction of acquiring a legal immunity for themselves while indulging in cyber deterrent acts.

India would revise her national security priorities now as the new Government is more committed towards that. The same would be techno legal in nature as considering traditional security alone would be counter productive in the long run. Cyberspace has emerged as a new security frontier and the new Government is well equipped to deal with the same.

However, companies, business houses, Government departments, public utility service providers and defence forces must also change the way they are presently managing their cyber security affairs. The cyber security obligations of stakeholders like law firms, e-commerce websites, directors of companies, Government departments, thermal power sector, power and energy utilities, etc must be properly understood and effectively implemented in India.

In order to achieve this, the Government must take pro active steps. For instance, there is an urgent need to formulate and actually implement cyber security breach disclosure norms and cyber crisis management plan. Similarly, National Critical Information Infrastructure Protection Centre (NCIPC) of India, National Cyber Coordination Centre (NCCC) of India, Tri Service Cyber Command for Armed Forces of India, etc. must also be constituted and made active immediately.

The cyber security trends of India (PDF) have shown that Indian cyber security initiative and efforts are grossly inadequate and poorly coordinated. There is no centralised coordination between various cyber security projects of India and all are operating in an independent manner. At times this creates a conflict situation between them and the end result is very disappointing.

There is little effort towards modernisation of law enforcement and intelligence agencies of India. Cyber forensics methods and techniques are also not widely used (PDF) by our law enforcement and intelligence agencies like Enforcement Directorate (ED), Central Bureau of Investigation (CBI), etc. in the absence of techno legal expertise. Even investigations into the cases of IPL match fixing, Nokia’s software download, etc. were not up to the mark. The regulations and guidelines for effective investigation of cyber crimes in India are still awaited and many cyber criminals are not prosecuted effectively.

All these lacunae and shortcomings have created a vicious circle of problems that is detrimental to Indian cyberspace. We have to systematically cure these defects and shortcomings one by one as they are interrelated in nature. While doing so we must keep in mind the fragile and precarious nature of Internet and cyberspace that would create troubles for India in the near future.

Intelligence Community, Social Media And Open Source Intelligence

Intelligence Community has been engaged in “Intelligence Gathering Activities” for long. This may be covert or overt, technological or non technological, legal or illegal and so on. But this gathering exercise was there and it is going to be there in future as well.

However, modern practice of Intelligence Gathering is crucially different from traditional practices. Traditional Intelligence Gathering was more on the side of Human Intelligence (HUMINT) whereas the contemporary one is based more upon Information and Communication Technology (ICT).

As far as Technological Intelligence Gathering is concerned, Social Media is a “Favourite Destination” for Intelligence and Security Agencies. Social Media is a favourite destination because it is a “Gold Mine” of valuable and voluntary information available for ready reference. Social Media also provides the best platform for Open Source Intelligence (OSINT).

Social Media also, in majority of cases, provides a “Legally Obtainable” and “Legally Relevant” Evidence. Since the “Information” or “Evidence” is available “Openly” and to “Public at Large” and in a “Non Confidential” manner, generally any such acquired Information or Evidence can be “Relied Upon” in a Court of Law. However, “Admissibility” of such Evidence is subject to the “Discretion” of the Court and well established “Legal Principles”.

Besides Intelligence Agencies, Military Forces are also using Social Media to gain Information relevant to their uses. Military and Intelligence Agencies have been using “Fake Profiles” to get such Information. The aim may be to get a “Predictive Behaviour or Trend” or to obtain any other Information that is of “Strategic Importance”.

Getting Information from Social Media requires good Communication and Data Mining Skills. However, while doing so, one must not violate any Civil Liberties or Laws Protecting such Information. Although many countries have Social Media Laws, we have no dedicated Social Media Laws in India. Even we do not have any Social Media Policy of India.

Social Networking Laws in India are urgently required. To start with, we must have a Social Networking Policy of India. Open Source Intelligence through Social Media Platforms would raise a number of Techno Legal Issues, especially Civil Liberty Issues. For instance, questions like what constitutes “Public Data”, how a Person can Legally obtain Data, what the “Relevancy” of such Information/Data is, how the “Admissibility” of such Information/Data would be decided, etc. would be asked.

Similarly, Privacy Issues, Speech and Expression Issues, scope and nature of E-Surveillance, etc would also be required to be resolved in future. This is a new field for both Law makers and Law Enforcers and needs an “Urgent Attention” of Parliament of India.

Techno Legal Analysis Of Gameover Zeus Or GOZ Botnet And P2P Malware

The present era belongs to highly sophisticated and accurately targeting malware that are compromising computer systems at will. Not only do they have the capabilities to infect even the most secured and sophisticated systems, they are also designed to remain under the radar and work in a stealth mode. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc. are just a few examples that we are aware of and there are many more still operating that we are not aware of at all. Some of them are operating in the hidden Internet or deep web using encryption and anonymous systems.

Financial institutions and financial credentials are widely targeted by Malware for obvious reasons. Besides targeting financial organisations, botnets are used for all sorts of illegal activities over the Internet. For instance, for the online advertisement industry alone, botnets are causing losses of up to $6 million a month.

One such Malware is known as Zeus that is well known for stealing banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads, spam and phishing techniques. Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. The latest variant of Zeus is known as Gameover Zeus, or GOZ botnet.

According to a good research analysis (PDF) of GOZ botnet, Zeus is a family of credential-stealing trojans which originally appeared in 2007. The first two variants of Zeus are based on centralized command servers. These command servers are now routinely tracked and blocked by the security community. In an apparent effort to withstand these routine countermeasures, the second version of Zeus was forked into a peer-to-peer variant in September 2011. Compared to earlier versions of Zeus, this peer-to-peer variant is fundamentally more difficult to disable.

Due to its lack of centralized C2 servers, P2P Zeus is not susceptible to traditional anti-Zeus countermeasures, and is much more resilient against takedown efforts than centralized Zeus variants. The main P2P network is divided into several virtual sub-botnets by a hardcoded sub-botnet identifier in each bot binary. While the Zeus P2P network is maintained and periodically updated as a whole, the sub-botnets are independently controlled by several botmasters.

The Zeus P2P network serves two main purposes. These are: (1) Bots exchange binary and configuration updates with each other and (2) Bots exchange lists of proxy bots, which are designated bots where stolen data can be dropped and commands can be retrieved. Additionally, bots exchange neighbor lists (peer lists) with each other to maintain a coherent network. As a backup channel, P2P Zeus also uses a Domain Name Generation Algorithm (DGA), in case contact with the regular P2P network is lost.

According to researchers, P2P Zeus has evolved into a complex bot with attack capabilities that go beyond typical banking trojans. They believe that P2P Zeus is used for activities as diverse as DDoS attacks, malware dropping, Bitcoin theft, and theft of Skype and banking credentials. Researchers have also found that till recently bot traffic was encrypted using a rolling XOR algorithm, known as “visual encryption” from centralized Zeus, which encrypts each byte by XORing it with the preceding byte. Since June 2013, Zeus uses RC4 instead of the XOR algorithm, using the recipient’s bot identifier as the key. Rogue bots used by analysts to infiltrate the network typically use continuously changing bot identifiers to avoid detection. The new RC4 encryption is a problem, because a rogue bot may not always know under which identifier it is known to other bots, thus preventing it from decrypting messages it receives. In addition, RC4 increases the load on botnet detection systems which rely on decrypting C2 traffic.

Zeus uses RSA-2048 to sign sensitive messages originating from the botmasters, such as updates and proxy announcements. In all P2P Zeus variants researchers studied, update exchanges and C2 messages feature RC4 encryption over an XOR encryption layer. For these messages, either the identifier of the receiving bot or a hardcoded value is used as the RC4 key, depending on the message type. Each Zeus bot runs a passive thread, which listens for incoming requests, as well as an active thread, which periodically generates requests to keep the bot up-to-date and well-connected.
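The layering described in the two paragraphs above (a rolling XOR layer wrapped in RC4 keyed with the recipient's bot identifier) can be reproduced to show why an analysis sensor has to try every identifier it has announced before it can read a message. This is an added example, not code from the researchers' paper or from the malware; the identifiers, payload and `MAGIC` header marker are constructed, and chaining the XOR over the already encoded preceding byte is an assumption about the XOR layer.

```python
# Added example: rolling XOR layer under RC4, as described in the text above.
# Identifiers, payload and MAGIC are constructed; the real message layout is not shown here.

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4; encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rolling_xor_encode(plain: bytes) -> bytes:
    """XOR each byte with the preceding byte (assumed: the already encoded one)."""
    out = bytearray(plain)
    for i in range(1, len(out)):
        out[i] ^= out[i - 1]
    return bytes(out)

def rolling_xor_decode(encoded: bytes) -> bytes:
    """Inverse: walk backwards so each predecessor is still in encoded form."""
    out = bytearray(encoded)
    for i in range(len(out) - 1, 0, -1):
        out[i] ^= out[i - 1]
    return bytes(out)

MAGIC = b"MSG1"  # constructed marker standing in for a real header sanity check

def find_identifier(wire: bytes, candidate_ids):
    """Return (bot_id, plaintext) for the first identifier that decodes cleanly, else None."""
    for bot_id in candidate_ids:
        plain = rolling_xor_decode(rc4(bot_id, wire))
        if plain.startswith(MAGIC):
            return bot_id, plain
    return None

# Constructed sample: a sensor that has announced three identifiers receives one message.
IDS = [bytes([n]) * 20 for n in (0x11, 0x22, 0x33)]
WIRE = rc4(IDS[1], rolling_xor_encode(MAGIC + b"peer list request"))

if __name__ == "__main__":
    print(find_identifier(WIRE, IDS))        # decodes under the second identifier
    print(find_identifier(WIRE, [IDS[0]]))   # wrong identifier: nothing usable
```

Each additional identifier a sensor has used costs one more full RC4 pass per received message, which is the extra load on detection systems that the text mentions.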

The researchers have concluded (PDF) that P2P Zeus is a significant evolution of earlier Zeus variants. Compared to traditional centralized versions of Zeus, P2P Zeus is much more resilient against takedown attempts. Potential countermeasures against P2P Zeus are complicated by its application of RSA-2048 signatures to mission critical messages, and rogue bot insertion is complicated by the Zeus message encryption mechanism which makes the use of random bot identifiers impossible. Poisoning attempts are forced to use widely distributed IPs due to a per-bot IP filter which only allows a single IP per /20 subnet. The network’s resilience against takedown efforts is further increased by its use of a Domain Generation Algorithm backup channel, and by an automatic blacklisting mechanism. P2P Zeus demonstrates that modern P2P botnets represent a new level of botnet resilience, previously unseen in centralized botnets.

On the legal side, the creator and users of Gameover Zeus are difficult to prosecute. This is because cyber attacks have shifted in nature and territorial scope, from being fun and regional to being a potential tool of cyber warfare and cyber espionage. We have no globally acceptable international legal regime for cyber attacks as of date. Thus, international legal issues of cyber attacks are yet to be resolved.

Cyberspace also puts forward complex problems of authorship attribution for cyber attacks and anonymity. It also gives rise to conflict of laws, where multiple laws of different jurisdictions may be applicable at the same time. Thus, cyber security and international cooperation cannot be separated in these circumstances. Nevertheless, international cooperation among law enforcement agencies of different Nations and entering into extradition treaties among themselves can be a good beginning. Some success has already been achieved in this regard and more international cooperation is expected very soon in the cyber law and cyber security fields.

Intelligence Agencies Reforms In India Are Urgently Needed

Intelligence Agencies play an important role in protecting National Security of a country. They help in maintaining Internal and External Security of a Nation. The very nature of their functioning and work requires some degree of Anonymity, Secrecy and Confidentiality. However, this must not be confused with “Non Accountability” and “Lack of Transparency”. Unfortunately, Indian Intelligence Agencies have become synonymous with Non Accountability and Lack of Transparency.

The world over, it has been accepted that there must be a balance between National Security and Civil Liberties Protection. The United Nations (UN) Third Committee has also approved a text titled Right to Privacy in the Digital Age. This is in recognition of the Privacy Right in the Information Era that has gained prominence of late. It also means that the Big Brother must not “Exceed its Limits” as prescribed by the Human Rights and Civil Liberties Protection in Cyberspace.

India is clearly inclined to become an “Endemic E-Surveillance State” with no respect for Constitutional Rights and Civil Liberties. The journey of India “From Welfare State to E-Police State” began in 2009 with the notification of Information Technology Amendment Act, 2008 and it became complete in the year 2014 with the introduction of E-Surveillance Projects like Central Monitoring System (CMS) and Internet Spy System Network And Traffic Analysis System (NETRA) of India. I even suggested in May 2013 that Indian CMS must be subject to Prime Minister Office (PMO) “Scrutiny and Intervention”.

Nevertheless, the Big Brother Initiatives in India remained unaffected. In fact, the Congress Government made it “Absolutely Sure” that various E-Surveillance Projects are not only “Kept Alive” but they should also be “Made Immune from Judicial Scrutiny”. Our Constitutional Courts also did not consider it necessary to interfere and take appropriate actions.

To make matters worse, we have no E-Surveillance Policy of India. It is now well known that Indian Government forced Telecom Companies like Vodafone to install “Secret Wires” to indulge in Unconstitutional E-Surveillance and Phone Tapping. Similarly, Indian Telecom Infrastructures have been constantly used for indulging in Unconstitutional E-Surveillance Practices as we have no implementable Telecom Security Policy in India.

In other jurisdictions, new methods of E-Surveillance are devised on a regular basis. For instance, the use of Radio Waves and Malware by the United States’ NSA for World Wide E-Surveillance is well known. The Department of Justice (DOJ) has recently announced New Reporting Methods for National Security Orders. India, on the other hand, is not at all interested in making its Intelligence Agencies and E-Surveillance Projects “Accountable to the Parliament”. This is a situation that needs to be urgently changed as it is “Undermining the Constitution” and “Rule of Law” has no meaning and significance in these circumstances.

Indian Government does not understand and accept that Law Enforcement and Intelligence Work is “Not an Excuse for Non Accountability”. For some strange reasons Intelligence Infrastructure of India has become synonymous with Unaccountability and Mess. There is neither any Parliamentary Oversight nor any Transparency and Accountability in the working of Intelligence Agencies of India.

Perry4Law has already provided a “10 Point Legal Framework for Law Enforcement and Intelligence Agencies in India” (PDF) to the Government of India in September 2009. However, the Indian Government failed to act upon the same and to formulate a Techno Legal Framework accordingly.

In a Recent Landmark Judgment (PDF), the constitution of CBI was held Unconstitutional by Gauhati High Court. In my personal opinion, the decision of Gauhati High Court declaring CBI unconstitutional is “Legally Sustainable”. Although almost all have criticised this decision of Gauhati High Court yet it is “Neither Absurd nor an Uncalled One”. Parliamentary Oversight of any Law Enforcement Agency is the “Core Requirement” under Indian Constitution. However, our Intelligence Agencies and many Law Enforcement Agencies, including CBI, are not governed by any sort of Parliamentary Oversight.

Unfortunately, the Supreme Court of India stayed this decision. This may be for a good cause if the Modi Government utilises this opportunity to formulate suitable Law for CBI and other Intelligence Agencies of India. However, this exercise of Supreme Court would be the “Most Unfortunate One” if there is no action in this regard by the Modi Government. So what should be the Modi Government’s next step?

Firstly, there is an urgent need to repeal draconian laws like Telegraph Law and Indian Cyber Law. Secondly, there is a dire need to formulate dedicated Telephone Tapping Law of India as soon as possible. Thirdly, India “Must Reconcile” the Civil Liberties and National Security Requirements but the same is presently missing. Indian Government is also “Not Serious” about formulating a dedicated Privacy Law for India. Data Protection and Privacy Rights in India are in real bad shape.

Fourthly, India’s own Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), NETRA, etc are violative of Civil Liberties Protection in Cyberspace. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. In short, Intelligence Infrastructure of India needs Transparency and Strengthening to make it “Effective and Accountable”.

With the new Government some action in this regard is expected but only time would tell whether Modi Government would “simply step into the shoes of Congress” or actually protect the Constitutional Rights of Indian Citizens.

Saturday, November 7, 2015

India Opposes Proposal To Include Cyber Security Technologies Under The Wassenaar Arrangement

One of the ways to prevent technologies and weapons from falling into wrong hands is to restrict and regulate their export out of the jurisdictions possessing the same. By putting export restrictions, weapons and technologies can be exported according to set norms and under scrutiny. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement) is one such arrangement between many western countries.

The Wassenaar Arrangement has been established in order to contribute to regional and international security and stability. Participating States seek, through their national policies, to ensure that transfers of restricted items do not contribute to the development or enhancement of military capabilities. The decision to transfer or deny transfer of any item is the sole responsibility of each Participating State. All measures with respect to the Arrangement are taken in accordance with national legislation and policies and are implemented on the basis of national discretion.

The Wassenaar Arrangement focuses primarily on the transparency of national export control regimes and does not grant veto power to individual members over organisational decisions. It is not a treaty, and therefore is not legally binding. However, through its collective decision making process, it can prohibit the transfer of a particular technology to non member nation(s). India is one such non member Nation and she has keen interests in import of technologies like cyber security software and hardware.

The UK and France have now proposed amendments to the Wassenaar Arrangement to include cyber security technologies. Naturally, India has expressed her concerns regarding this attempt as India is primarily dependent upon foreign nations for her cyber security related requirements. Changes were made to the Wassenaar Arrangement in December 2013 at a plenary meeting held at Vienna following the Snowden revelations.

“These changes could have severe impact on India’s cyber security programme — both software and hardware — as these would come under export control regime, the entire inventory of high-end cyber technology is with the Western countries like the US and they may deny products to Indian organisation,” said a senior Government official.

A high level meeting of the National Security Council was recently held to discuss the next course of action. The problem is that the products included in the control list have not yet been made public and the next round of plenary meeting to be held at the end of this month is expected to see the formal adoption of this agreement. Since India is not part of the agreement, it does not have access to the decisions or means to influence the proceedings. Therefore, India may seek membership of the exclusive club.

“The best way to deal with this would be to have our own technologies and invest in R&D but that would take time. We would like to engage with countries like US and UK to take our view on board before listing out products under export control,” said a Government official directly dealing with the issue.

The official also said that as a pre-emptive move India was looking to purchase critical technology before the new arrangement is finalised. An expert committee has been set up to figure out the future course of action, including negotiating with six countries — the US, the UK, Israel, Germany, France and Canada.

CERT-In has claimed that some software supplied to India is tweaked, which makes it prone to hacking. India was given a solution for the “Heart Bleed” malware, which impacted security of software, by vendors a year after its discovery. Software companies under the product sale agreement are bound to provide a solution for any vulnerability found in their product(s) immediately after detection.

Sources said Ministry of External Affairs was of the view that high technology items are always an issue for the US but India could influence the decision by seeking membership of the Wassenaar Arrangement.
