THE OFFICE SYSTEMS GUY, THAT NERDY, SOCIALLY INEPT PERSON WHO SITS IN A DISTANT ROOM IN THE midst of a mess made by umpteen circuit boards and half-open computer cabinets, illuminated by the blinking green and orange lights of servers. He is often the butt of jokes and what he does is rarely considered important. Except when you think of this: Edward Snowden was a systems guy.

Never mind the ethics or otherwise of l’affaire Snowden. The mild-looking systems administrator on contract with Booz Allen Hamilton at the U.S. National Security Agency (NSA), who walked out of NSA’s Hawaii facility with gigabytes of highly classified information, points to the single largest threat to data security: people. It emphasises the fact that data are only as safe as the people working with them; that no matter how many firewalls are erected, data are always vulnerable. As a corollary to that, hacking, once seen as a pastime for teenagers to show off their computer skills, is now a targeted and customised science that can be used to steal money and information.

It’s not just stealing credit card details—though that’s still lucrative sport. It’s about companies trying to steal secrets from competitors. It’s also about tech support trying to think like hackers to strengthen their own security systems. A study by security technology company McAfee pegs the cost of cybercrime to the global economy between $80 billion (Rs 5 lakh crore) and $400 billion. Symantec, another computer security giant, releases an annual study that covers, among other things, consumers’ security habits and the cost of cybercrime. The 2013 report pegs India’s loss due to cybercrimes at $4 billion.

So, what do hackers want? Often, it’s just stealing secrets. But increasingly, a relic of the 1980s has come back to haunt companies. It’s called ransomware and it is pretty much what it says it is. Hackers hold data (confidential files, financial information, or even operating systems) hostage, refusing to part with them unless they are paid. In late 2013, according to security experts, Cryptolocker, a form of ransomware, affected as many as 250,000 Windows computers worldwide.

The traditional response to cyber threats is: “It doesn’t happen in India.” Except, of course, that it does. And has been for some years now. In 2010, the digital assets of the CEO of one of India’s biggest conglomerates were targeted by what is technically known as spear phishing. The criminals spoofed an e-mail from a journalist working with an international wire service to the CEO—the subject line indicated that it was the draft of an article that the journalist was writing. It looked clean, but on opening the document the computer became infected by malware (malicious software). Once the system is infected, it can then be controlled by the attacker, who can turn on the webcam, log keystrokes, record audio, copy files—pretty much as if the attacker is sitting in front of the computer.

“When we investigated this affair, we found that 40 other businesses, particularly in the energy sector, were being spied on,” says Sahir Hidayatullah, a white-hat hacker (white-hats are good guys, unlike black-hats who hack for malicious reasons) and partner at Securus First, a Mumbai-based firm that focusses on corporate investigations, digital forensics, and security assessments. Hidayatullah and his colleague Raviraj Doshi had been asked to investigate the CEO’s security breach and discovered the vulnerable underbelly of India Inc.

CORPORATE ESPIONAGE IN INDIA has traditionally meant bribing someone reasonably low in the food chain who isn’t paid too well but has access to confidential papers. In classic spy novel style, copies of documents would pass hands in temples, wedding halls, restaurants, and so on. Companies cottoned on, and soon began putting security measures in place—including digitising files and password-protecting them.

But as the spear phishing case shows, this is evidently not enough. I meet Hidayatullah and Doshi in their unmarked office in a swanky new block in Lower Parel to figure out what companies are doing to tackle corporate espionage in the digital age. What I got from them is far from encouraging for corporate India. “We have a new breed of corporate spy who is technically able. Technology has become very democratic and software tools that were earlier the domain of governments are now available to anyone,” says Doshi, partner-electronic investigations at Securus First. You can, for instance, pick up a phone-hacking software for $100 from any online store. “That will help you get call details, switch on the microphone on the phone, listen in, and get geo locations,” says Doshi. And then, to show how easy it is, he offers to hack into my life right then and there. I refuse this generous offer, but am intrigued.

The problem, the two tell me, is that companies take the physical security of their brass reasonably seriously but don’t pay half as much attention to their computers. Open USB drives, networked computers in open areas (reception lobbies, interview rooms, and so on), weak firewalls that allow users to bypass security, and the ‘bring your own device’ (BYOD) to work rule are all weak links in security.

In the spear phishing case, the malware was introduced in an e-mail that the CEO or his team would definitely have opened. And that’s where modern corporate hacking differs from hackers who use brute force or spam to steal credit card details and the like. In this case, say the Securus First pair, the attack wouldn’t have happened without someone spending significant amounts of time studying the CEO’s e-mail habits. An attack like this is called an APT, or advanced persistent threat.

Now the good news. Cyber-security firm Websense, which tracks malware through real-time telemetry (the process of measuring remote data), says that the quantity of new malware will decline over the next year. The bad news is that this will be because APTs will gain ground. The huge advantage for hackers going this route is that there are innumerable ways of hacking into the target computers. For instance, a tech support manager at a bank tells me that in the U.S., a bank was hacked into thanks to some of its staff picking up infected USB drives lying on the floor. These drives contained Trojans (malware that comes disguised as something useful or important), and the bank’s computers were at the mercy of the hackers till the system was shut down and cleaned.

Worryingly, hackers seem to know it’s not necessary to target the top person. To hack into a company’s databank, all the hacker needs is a toe in the door—often the back door. The USB drive trick, for instance, is more likely to work on a lower-level employee; for those higher up, all the hacker needs to do is send a fancy—and infected—drive as a gift. “We know somebody who was part of a delegation to China. The entire delegation was given these very ornate USB drives as a gift by their partner company. One of the delegates got suspicious and came back to us, and we found that it was loaded with malware,” says Hidayatullah.

COMPANIES TACKLE SUCH issues by banning USB drives, or setting up draconian physical security scans for people who choose the BYOD option. All of which sounds good and makes it seem that companies are finally taking digital security seriously. But this is not enough; by reacting to threats, companies have the wrong end of the stick. What they need to do is ensure that the people who have access to the network take security seriously. In that sense, data security is as much a function of the human resources department as it is of the tech department.

Most companies, Indian and global, come up woefully short when it comes to guarding their data, primarily because the approach to data security, particularly technology-based, is one where they just buy the best box of anti-virus or firewall protection off the shelf and leave it there, says Jagdish Mahapatra, managing director for India and SAARC at McAfee.

In many cases, adds a report from McAfee, companies aren’t even aware of what has been taken in the event of a breach. It is often because they are ignorant of how open data networks are, or choose to ignore vulnerabilities. Consider this real example. Details of a highly confidential board meeting regarding a potential acquisition found their way to a competitor. “They used level-one technology,” says Doshi of Securus First somewhat scornfully, explaining that this hack was low-cost and low-tech. Securus First had been called in to solve the mystery, as the victim company was convinced that high-tech hackers had been at work.

But when the investigators questioned employees, it was found that the competitor had bribed the canteen worker who served tea at the meeting. He was merely asked to wear a pair of spectacles when he was in the board room. The glasses hid a high-definition camera that recorded all the documents lying on the table—and transmitted the image files immediately. Doshi shows me a similar pair of glasses, which, I learn, can be bought online for around Rs 4,000.

The manpower on the ground is almost as easily available as the technology. Dinesh K. Pillai, CEO, Mahindra Special Services Group, says: “We are yet to come across large organisations that actually monitor what people are doing internally. It is worse with housekeeping, for example, who have more physical access than most employees. Nobody knows what they do.”

Some hackers are more daring and enter companies to install malware. All they do is hang around a nearby coffee shop, and wait for employees to come in. Many place their access cards on the table while waiting for their coffee; all a tech-friendly hacker has to do is scan the card even from a distance, make a fake card with real data, walk into the company and compromise the systems.

There are devices that look like USB drives but which a computer recognises as a keyboard (that’s to get around those companies that have blocked USB ports). This “keyboard” can, in less than a minute, search for specific files (all Excel files, for instance), zip them, and send the zip file from the e-mail account attached to that computer. Then it deletes all traces of intrusion, and downloads a program that allows the hacker remote control of that computer. There are more expensive options as well; for a few lakhs, there are fully functioning computers that are disguised as harmless-looking chargers or adaptors that can be plugged into, say, a stray data cable in the boardroom. Once on, the hacker can access the network, and even control the computer’s webcam.

Outsourcing the hacking is easy as well. There are large parts of the Internet, accessible only through browsers like Tor, where everything remains anonymous and where everything dark resides (from credit card info sellers to narcotic retailers to, of course, hackers on hire), available for a fee, often payable in bitcoins (or other alternative digital currencies). Remember, anybody, from rival firms to foreign governments to disgruntled employees, has access to these hackers on hire. Vikram Chandra, programmer and author, calls the idea of hacking a result of what he terms ‘geek machismo’. Combine that with the lust for cash, and you have hackers at your command.

IT ALL SOUNDS a little James Bond, but is scarily true. In fact, what we hear of is hardly a fraction of what is actually going on. While on a project to find security chinks in a bank in West Asia, Hidayatullah and Doshi cracked open their most secure banking channels four times in one month. Financial institutions take security very seriously and this one, they say, is famous for the measures it takes. But the duo did it by the most innocuous of methods, like making employees give their passwords over the phone while posing as HR administrators or by making employees run compact discs for the promise of an iPhone 5S.

They used Facebook and LinkedIn to identify the targets, the right people with privileges who are weak enough to be swayed. It’s called ‘social engineering’, and Hidayatullah says it works. “We found out a lot of things about their employees through Facebook. We created a profile of a pretty woman and we sent friend requests, chatted with them, and collected information on who works where.”

Once inside a network, slicing open the rest is a few days’ work for a hacker, says Doshi. “Once we got into the system from a branch office in Mumbai. Two weeks later, we were sitting on their core banking servers in West Asia. We could theoretically forge transactions and had an overview of transactions going left, right, and centre. Because we were the good guys, we didn’t transfer $50 million.”

Doshi and Hidayatullah’s boss is D. Sivanandan, a decorated Indian Police Service officer, who after retiring as the DGP of Maharashtra Police started Securus First and is its chairman. Explaining why companies wouldn’t want to report such intrusions, he says, “Foreign clients come and check how secure your systems are. Only after they are satisfied will they give you contracts.” The reputational damage caused by admitting to instances where data integrity was compromised is a big disincentive, says Sivanandan, to reporting cyber intrusions.

But it is not a completely lost cause. The data security industry, say experts, is moving from creating products that try to prevent intrusions, to products that try and detect them. The basic premise is that there is nothing like 100% security, and that hackers will get through, but once they get through there could be enough done to detect and limit damage.

The data security industry is looking at analytics as a key ally. As Arvind Benegal, VP-technology practices of software product and technology services company Persistent Systems, says, what will help in the way forward is that the worlds of data analytics and security are colliding. Security firms are investing in creating algorithms that learn about usage patterns of every employee, computer, and location, and can then flag down any activity outside of what it deems normal. McAfee’s Mahapatra calls it ‘real time visibility’. Consulting firm KPMG’s Sandeep Dhupia, partner & head forensic services, says companies must identify sensitive information assets, classify them based on vulnerability, and put in place protection to prevent frauds.

OF COURSE, ALL THIS is not even scratching the surface. Data security is now being challenged by BYOD and cloud computing. Mukul Srivastava, partner, fraud investigation and dispute services at EY (formerly Ernst & Young), says, “In one of the cases involving the leakage of IP at a big company in Delhi, one major source of the leakage was the devices that employees brought in as part of BYOD. They also used the cloud to copy data.” Symantec’s director, technology sales (India and SAARC), Tarun Kaura adds that when 66% of workers are believed to be using their own devices, enterprises are facing a challenge defining the security perimeter to begin with. He also stresses the need to classify data and encrypt accordingly, allowing access only to authorised people.

As if the problem wasn’t muddled enough, we are at the cusp of an era of connected devices—the Internet of Things. Most of these are expected to use software like Android, which carves many networks open for hackers.

Then there are the almost daily updates in international media: NSA implanting spyware in popular games; do-it-yourself hacking lessons online; the recent Target case where hackers stole credit card details of over 100 million customers of the U.S. retail chain; and much more. Sanjeev Sridharan, senior vice president at travel aggregator site Cleartrip, says he discovered that some of the site’s pop-up ads had been hacked. Clearly, absolutely nothing is safe online.

Little wonder then that the recently concluded Consumer Electronics Show (CES) in Las Vegas and the World Economic Forum in Davos included sessions on online security and the need for protection, whether from government agencies or other companies.

Of course, there are some steps that companies can take, particularly in classifying and then securing information, as Dhupia suggests. Symantec’s Kaura even recommends two-factor authentication, similar to what banks do online. But the bottom line remains the same: The real vulnerability is people; technology is merely a support act.
