INDIA has learnt its first lesson in global cyber-warfare: even a Nuclear Weapon State is vulnerable. The first known cyber-attack on this country occurred last week when specific computer systems were targeted in protest against the May 11 and 13 nuclear tests. And the attackers involved were not nation-states but groups of pimply-faced teenagers from around the globe.
Officially, BARC denies having lost any "sensitive" data. But there is a sense of nervousness about the booty the hackers decamped with. And about the ease with which they achieved their aim of refocusing global attention on India. A typical headline: "Is the atom bomb safe in the hands of people who cannot even secure their servers?"
Who did it? A group going by the name MilwOrm. Comprising six teenagers residing in the UK, New Zealand and the US, its youngest member, HamstOr, is just 15 years old. They claim to have hacked into a number of commercial sites as well as at least one US army server just two weeks ago. When BARC valiantly denied loss of data, the young hackers sent copies of the data they had obtained to a number of independent observers, and even posted some of it over the Internet. A large part of these claims appear to be verified by various observers.
At least two more attacks on Indian networks took place two days after the initial round. In the first, a cluster of about 30 machines was hacked into. Around the same time, another group calling themselves "Armageddon" broke into the Bioinformatics Centre at the University of Pune. MilwOrm and the other groups plan to "continue their attacks" and claim that they "should have everything and be finished with India in about a week". Pakistani networks are slated to be next.
What did they do? By merely tapping keys on their computer keyboards, MilwOrm claims to have downloaded five megabytes of information from BARC, opened e-mail between scientists and researchers, obtained the "test results", and taken a peek at "sensitive" internal memos. They also defaced the BARC home page (BARC.ernet.in) and replaced it with their own. BARC's home page has since been dysfunctional. The hackers substituted BARC's home page with one displaying a mushroom cloud with the text, "If a nuclear war does start, you will be the first to scream...."
How did they do it? MilwOrm used a trusted and standard method to break in: they took advantage of the internal weaknesses in the BARC network. BARC's Internet server was connected to the internal local area network. This enabled the hackers to break into the BARC servers through a programme known as 'Sendmail'.
The loophole in the programme is well known and, in fact, a patch had been posted several months ago. But neither BARC nor ERNET appears to have acted on it. The hackers covered their tracks by breaking into a series of computers, starting in Turkey and followed by three US military servers. Internal BARC logs would show the break-in as coming from a US military server.
Is ERNET under threat? Yes. In the last three months, there have been at least two serious attacks on various nodes of ERNET. Break-ins into Web servers are almost routine. It happens to a fair number of servers and even "secure military" networks almost routinely. That is why the Web servers ought not to have any connection to anything valuable. However, isolating sensitive information from public networks (a standard security practice known as compartmentalising) was not done, and it was negligence on the government's part to expose even relatively harmless data, never mind sensitive e-mail, to the Internet. Insiders say ERNET is a "primitive horse and buggy" system compared to the current networks and security is "non-existent and borders on the abysmal". Further attacks in almost all probability cannot be ruled out.
Did the US know? There is sharp suspicion that it did. In fact it is quite likely that all data stolen by the hackers is in the hands of the US. The hackers reached the BARC network through a chain of US defence servers. According to experts, it is highly unlikely that the US defence department was not aware of the hackers' movements and their final destination. The US Defense Intelligence Agency and the US National Security Agency were aware of the hack and monitored it in real time. According to NBC News, the CIA had obtained the material hacked from BARC and was "reviewing it". This "coup" of sorts was probably very handy after the spate of criticism that the agency faced after failing to predict the Pokhran blasts.
Is this war? It is, but it's a Net war, not a nuclear one. Cyber wars are not "real wars". Unlike traditional wars, they are not fought over military, economic, political and social matters. In contrast, they seek to disrupt and destroy the information and communications systems that increasingly govern human lives. That is, it's low-cost, maximum damage. Doomsday theorists are conjuring scenarios of crippling attacks on the US infrastructure from flight control systems to banking and finances that are totally dependent on networked computers.
Is the US itself safe? No. The US spends upwards of $7 billion (Rs 30,000 crore) or about two-thirds of India's entire defence budget on various offensive and defensive forms of e-wars and cyber-wars against an estimated 20,000 groups of hackers. Yet, there has been a spate of well-publicised attacks in the last three months.
In the first of these, a teenager accessed many of the Pentagon's secure networks and accessed "very sensitive information". It took a team of at least 100 investigators, including 30 FBI agents, to track this 18-year-old down to Israel. The teenager, going by the handle "Analyzer", had managed to obtain root (or administrator-level) access to a number of US military servers.
After the identification, the Israeli prime minister publicly praised the kid as "damn good...very dangerous, too". The US request to extradite him will probably be refused as the "Analyzer", after being taken into custody by the Israeli police, was drafted into the Israeli army!
What can we do? The US has a stated policy against hackers, and their blood brothers (and sisters): crackers and phreakers. It has vowed to crack down on malicious and mischievous crackers probing computer systems, whether classified or not. Bill Clinton has just appointed a "tsar". The attorney general of the US is on record as recently as a month ago stating that the US would "work around the world and in the depths of cyberspace to investigate and prosecute those who attack computer networks".
Nuclear India doesn't have a policy, or the means to enforce it, against warfare that can bleed it dry with no drop of blood shed.