IR Needs a Comprehensive Review of Information Vulnerabilities in Communication Systems, Servers & Data Centres

New Delhi: When a Station Master of the Indian Railways in Punjab recently received a genuine-sounding call from an "Indian Army officer", he never imagined that the caller was in fact a Pakistan Intelligence Operative (PIO). Believing the call had come from Army headquarters in Delhi, the Station Master passed on the information the caller asked for, which concerned the movement of a train carrying Army personnel to J&K. The imposter had a free run until it was detected that the call had originated in Pakistan. The incident set alarm bells ringing, but the top brass of India's elite intelligence wing was not amused, because officials had encountered similar situations before.

This recalls the head-on collision of the Brahmaputra Mail and the Awadh Assam Express at Gaisal station at about 1.30 a.m. on 2 August 1999. The Awadh Assam Express from New Delhi was standing at the station when the Brahmaputra Mail from Dibrugarh, packed with soldiers and security personnel heading for the border regions and travelling at a reported 130 km/h, was routed onto the same track. Nobody noticed the error on either train or in the signal cabin until the Brahmaputra Mail crashed headlong into the front of the Awadh Assam Express. The engine of the Awadh Assam Express was thrown into the air, and passengers from both trains were flung into neighbouring buildings and fields by the force of the explosion that followed. The Inquiry Commission constituted by the Indian Railways concluded that the railwaymen concerned had had 20 minutes in which to avert the accident, that it was caused by an operating error and that it amounted to negligence of duty; on the other side, rumours cited a conspiracy behind the disaster. The death toll ran to several hundred officially, with unofficial estimates of 1,000 or more. Worse, because of the nature of the crash and the fire, many bodies could not be identified properly; by these accounts some 90 per cent of the dead were from the Armed Forces. The station master of Gaisal later committed suicide, unable to bear the trauma, the prolonged inquiries and the disciplinary action initiated against him.

Such a cold call is akin to firing a shot in the dark, yet it is one of the most common tricks of the trade for conning gullible people into parting with information. Whatever the truth of the Gaisal disaster, the crux is this: if it was a conspiracy, how did information about the movement of armed forces by train leak out at all? The question points to vulnerabilities in the functioning of the railway system, at the individual level and at the systems level, and in either case such incidents have to be averted.

As regards information vulnerabilities and data theft, it hardly needs saying that the anti-virus software on many PCs across the Indian Railways has not been updated, let alone that there has been a gross failure to prevent malware and spoofing from corrupting systems in Railway offices everywhere. Spoofing is the act of concealing one's real identity and assuming a fake one. What caught the attention of the intelligence officials was the depth of penetration that foreign spooks achieved by these means. In another instance, it is reportedly learnt that last year a series of e-mails exchanged between a PIO agent and an unsuspecting Railway employee culminated in the installation of malware on Railway servers; the Railways, after all, hosts the country's largest logistics operation under one umbrella. "Spoofing is a routine exercise, but this particular incident was unique and generated much attention. The spooks managed to install malware that corrupted some data," says a top-ranking official who was part of the crack team that attended to the situation. He adds that the malware was flushed out, but not before it caused limited damage. "It could have been worse."
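A check a practitioner can run against such e-mail, added here as an illustration and not part of the article or of any Railway system: the receiving mail server's Authentication-Results header records whether SPF and DKIM passed and for which domain, and a message whose visible From: domain is backed by neither is the classic signature of a spoofed sender. The two messages, the domain names and the header values below are constructed for the example.

```python
"""Added example: DMARC-style sender alignment check on a received message.
The messages, domains and header values are constructed for illustration."""
import email
import email.utils
import re
from email import policy

# Constructed spoofed message: From: claims an Army domain, but the receiving
# MX recorded an SPF failure and a DKIM signature from an unrelated domain.
SPOOFED_MSG = """\
Authentication-Results: mx.rail.example; spf=fail smtp.mailfrom=relay.attacker.test; dkim=pass header.d=relay.attacker.test
From: "Col. Verma" <verma@army.example>
To: stationmaster@rail.example
Subject: Special train timings (urgent)

Please confirm the movement schedule by return mail.
"""

# Constructed genuine message: SPF and DKIM both pass for the From: domain.
GENUINE_MSG = """\
Authentication-Results: mx.rail.example; spf=pass smtp.mailfrom=army.example; dkim=pass header.d=army.example
From: "Col. Verma" <verma@army.example>
To: stationmaster@rail.example
Subject: Special train timings

Please confirm the movement schedule by return mail.
"""

AUTH_RESULT = re.compile(r"\b(spf|dkim)=(\w+)")
SPF_DOMAIN = re.compile(r"smtp\.mailfrom=([^\s;]+)")
DKIM_DOMAIN = re.compile(r"header\.d=([^\s;]+)")


def aligned(from_dom, auth_dom):
    """Relaxed alignment: identical, or one is a subdomain of the other."""
    a, b = from_dom.lower(), auth_dom.lower()
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def check_sender(raw):
    """Return a verdict dict; 'suspect' is True when neither SPF nor DKIM backs From:."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = email.utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    ar = str(msg["Authentication-Results"] or "")
    results = dict(AUTH_RESULT.findall(ar))          # {'spf': 'fail', 'dkim': 'pass'}
    m = SPF_DOMAIN.search(ar)
    spf_dom = m.group(1).rpartition("@")[2] if m else ""   # mailfrom may be a full address
    d = DKIM_DOMAIN.search(ar)
    dkim_dom = d.group(1) if d else ""
    spf_ok = results.get("spf") == "pass" and aligned(from_dom, spf_dom)
    dkim_ok = results.get("dkim") == "pass" and aligned(from_dom, dkim_dom)
    return {"from_domain": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "suspect": not (spf_ok or dkim_ok)}


if __name__ == "__main__":
    print("spoofed:", check_sender(SPOOFED_MSG))
    print("genuine:", check_sender(GENUINE_MSG))
```

The check trusts only the Authentication-Results line stamped by one's own mail exchanger, so the MX must strip any such header arriving from outside before this logic sees the message; otherwise the attacker simply includes a forged "pass". The alignment test here is a simplified form of DMARC's relaxed alignment and does not consult a public-suffix list, so two unrelated customers of the same hosting domain would wrongly be treated as aligned.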

Even as the security establishment was still grappling with the Station Master incident, a similar attempt was made two days later on the elite National Security Guard (NSG). The PIOs had called the agency's headquarters in New Delhi, ostensibly to elicit information about the movement of its commandos in the wake of the Hyderabad serial blasts of 21 February, which killed 16 people and injured 117. That day the agency's blast assessment team had left Delhi on a special aircraft at 9.30 p.m. and reached Hyderabad two hours later.

In the ensuing months more such incidents came to light; one report suggested that the President's Secretariat had been spoofed. As the incidents became a regular affair they exposed the vulnerability of critical infrastructure to such attacks, and eventually forced the often sparring technical and IT arms of the Railways (CRIS, RailTel, IRCTC and the EDP centres of the various zones, divisions and production units) to come together under one roof to find a solution.

Recently, at one such brainstorming meeting chaired by the National Security Advisor (NSA) with the Intelligence Bureau (IB), the Research & Analysis Wing (R&AW), CERT-In, the National Technical Research Organisation (NTRO), the Defence Forces, DRDO headquarters and the Department of Telecommunications (DoT), the top brass conceded, and minuted, that Indian Railways servers and data centres are not only being targeted from outside but can also be used to launch attacks; an Advisory Note is accordingly being prepared for the Railway Board as a precautionary measure.

IB and R&AW had earlier pointed out that in 2011 DRDO officials from Sena Bhawan headquarters inspected the Network Operations Centre (NOC) of RailTel, a telecom PSU under the Ministry of Railways that provides high-bandwidth links to DRDO and to organisations such as NIC, banks, Defence and NKN. To their surprise they found Chinese engineers deployed in the RailTel NOC, maintaining and managing the STM-16 rings supplied by M/s WRI, a Chinese telecom OEM that had supplied, installed and commissioned the STM-16 equipment on RailTel's long-haul OFC network in the eastern region of the Indian Railways, covering some 10 to 11 states. DRDO asked for the immediate removal of the Chinese engineers from the NOC; RailTel took corrective steps and confirmed this to DRDO in writing. IB and R&AW hinted that similar vulnerabilities in organisations such as IRCTC, CRIS, the EDP centres and the Railway Board also need to be identified and fixed immediately.

Such incidents are in fact on the rise. Open proxy servers, for instance, which are used to bypass network controls, have grown significantly in number: CERT-In identified 2,987 open proxy servers in 2012, up from 2,826 in 2011, and around 2,500 more had been identified by February this year. Such proxies are a major source of spam on the Internet and are also used to attack other servers.

Government officials blame vulnerable anti-virus solutions for failing to prevent malware from corrupting systems. "National Informatics Centre (NIC) brought out that servers are client-based. Commercial anti-virus solutions are either not updated or not effective; home-grown trusted solutions are an emerging need. The case of Linux-based machines is even more problematic, and the upload of a web shell can't be detected."

Almost all anti-viruses have weaknesses and limitations, and the security demands of government and of private individuals are different and should not be equated. Jiten Jain, a cyber expert and researcher on Chinese spyware, says most anti-virus programs are not of much help. "They can only ward off threats which are already identified. What if a new malware is generated using new codes or signatures every time? Then there is no central repository of threats detected by each individual software provider. The companies do not share data with one another," he says.

Lack of trusted indigenous products has further compounded the problem.

According to Akash Agarwal, country head of EC-Council, which certifies courses in ethical hacking, hardly anybody in the country makes anti-virus software. "Indians do it for other countries. There is no guarantee the foreign service provider will not override the systems in the guise of anti-virus. There have to be people who can cater to the demands of government."

The Centre for Development of Advanced Computing (C-DAC), Hyderabad, has in fact developed a malware detection system, which is undergoing logical tests. The government expects that once the system is in place it will boost India's cyber protection capability manifold.

Jagannath Patnaik, Director (Channel Sales, South Asia) at Kaspersky Lab, however, dismisses apprehensions about anti-virus companies. "We have the fastest updates in the industry, and Kaspersky Lab's response time to threats is much quicker than the competition's. Any standard anti-virus program would need at least four hours to block the more than 200,000 malicious programs that emerge every day," he says in an e-mail response.

Around 30 anti-virus brands operate in India, in a market worth nearly $300 million, but this is not sufficient. On 2 May the government agreed that the NIC networks, which host almost all central and state government websites, need hardening.

At the same meeting the Deputy NSA directed the NTRO and CERT-In, both of which have the mandate to mitigate cyber threats and launch investigations, to share details of detected malware with other agencies.

IB has also issued an alert against all-out attempts by PIOs to scoop information from India's defence establishments and other strategic organisations. It believes the PIOs have adopted a twin strategy of spoofing and of snooping through installed malware.

"Inter-Services Intelligence (ISI) operatives are targeting the Indian Railways, banks, and serving and retired employees and civil contractors working for the Military Engineering Services (MES) to collect sensitive and defence-related information," the alert says. "They (PIOs) have also been making telephone calls under assumed identities, using spoofed numbers, to various CPMFs (central paramilitary forces), Railways, banks etc. They (PIOs) have succeeded in ferreting out sensitive information from the persons attending these calls." IB has regularly highlighted the PIOs' stratagem of using fake identities.

Senior officials in the Union home ministry say they regularly issue circulars of do's and don'ts to government employees about sharing sensitive information with others. In one such circular, the home ministry advises government officials not to use telephone systems that are exposed to the external environment, mobile or of any other type, to disseminate information of a classified nature.

The government believes heightened awareness among its staff could be the only effective way to counter the attempts of foreign agencies.

Instructions to government officials on sharing information over telephone calls, issued against the backdrop of spoofing and espionage:
  • Telephone systems that have any part of their network exposed to the external environment should not be used to disseminate classified information.
  • Classified information should be restricted to the organisation's own secure internal communication network.
  • Telephone instruments should have the facility to identify the caller.
  • As a matter of information security principle, confidential matters should never be discussed or transacted over the phone. If circumstances make it necessary, the person attending the call should identify the caller beyond all reasonable doubt before parting with information.
  • If the caller's identity is not established beyond all reasonable doubt, the caller should be asked for his contact details.
  • The contact details should be verified immediately by calling back; this is the most effective countermeasure.
  • If the caller argues that, for technical reasons, only he can contact the recipient and a call-back is not possible, this should raise a strong suspicion that the call is spoofed.
  • If it comes to notice that an intruder has managed to obtain information, the matter should be reported immediately to seniors for remedial measures.