Tuesday, August 27, 2013

Plugging Leaks

The Government of India's new rules for email security may not be enough.

Anyone who has interacted even briefly with India's bureaucracy knows this: most babus rarely check their official email accounts. In fact, most Government of India business cards display a webmail address such as Gmail, Hotmail or Yahoo at the bottom. This is true not just of individual officers, but of entire departments.

There are three reasons for this: ease of use, reliability and storage space. The problem is this doesn't just look unprofessional, it's also a major security risk. This summer Britain's Guardian newspaper revealed a global email snooping program by the US National Security Agency. PRISM gave the NSA backdoor access to the very email servers used by India's babus and diplomats around the world.

Imagine if a certain neighbour intercepts sensitive defence plans forwarded by the MoD; or if talking points for New Delhi's diplomats in Afghanistan are accessed by rival governments looking to upstage India there.

To guard against such snooping, India's IT minister Kapil Sibal announced new email security measures last week. India's missions abroad would be the first to implement these. The measures include the use of virtual private networks (VPNs) and one-time passwords (OTPs). And there would be no more Gmail and Hotmail – only email from the National Informatics Centre (NIC). Unfortunately, if these are the only security measures planned, the government's official communications are still far from safe.

For secure communication, you need to lock down three separate stages. First, at the end points – the computers from which the emails are sent and read. Second, 'data in transit' – that is the cables and networks along which an email is transported between computers and servers. And finally, 'data at rest' – while it sits on the server in your mailbox.

The first of Sibal's measures – VPNs – protects data in transit. VPNs use a program to create an encrypted and protected connection between a user's PC and the server. This protects data from being intercepted while on the move. Many companies already use VPNs to securely connect employees working in remote locations to their corporate servers. However, once the data reaches its destination, it relies on server-side security to stay safe.

The second measure – OTPs – offers limited protection for data at rest. Anyone who uses internet banking has had some experience with OTPs. Each time you want to sign in, the server generates a new password using complex algorithms and sends it to your mobile phone. Each password can only be used once, hence the name. This eliminates the need to remember passwords, which can be guessed by hackers. At best, OTPs prevent someone from logging into specific email accounts. However, a hacker who has backdoor access to the server (like the NSA does through PRISM) can still easily read your emails.
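The limit described above can be shown in a few lines. This is an added example, not part of the original article: it assumes the counter-based HOTP algorithm from RFC 4226 as a stand-in for the unspecified "complex algorithms", and `MailServer` with its methods is a hypothetical model of a server that stores mail unencrypted.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class MailServer:
    """Hypothetical server: the OTP check guards the login path only."""

    def __init__(self):
        self._secrets = {}    # user -> shared OTP secret
        self._counters = {}   # user -> next unused counter value
        self._mailboxes = {}  # user -> messages, stored in plaintext

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret
        self._counters[user] = 0
        self._mailboxes[user] = []

    def deliver(self, user: str, message: str) -> None:
        self._mailboxes[user].append(message)

    def issue_otp(self, user: str) -> str:
        # The code that would be sent to the user's phone.
        return hotp(self._secrets[user], self._counters[user])

    def login_and_read(self, user: str, otp: str):
        expected = hotp(self._secrets[user], self._counters[user])
        if not hmac.compare_digest(expected, otp):
            return None
        self._counters[user] += 1  # burn the code so a replay fails
        return list(self._mailboxes[user])

    def raw_storage(self) -> dict:
        # What anyone with direct access to the server's storage sees:
        # no OTP is involved on this path.
        return {user: list(msgs) for user, msgs in self._mailboxes.items()}
```

A replayed code is rejected by `login_and_read`, yet `raw_storage` returns every message in the clear, which is why the OTP only protects the front door.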

That's where the third measure comes in – official NIC emails. The problem is NIC servers have become something of a joke. They are routinely hacked and data stored on them – including emails – has been stolen or modified. Government websites hosted on NIC servers are regularly defaced. Sachin Pilot, India's junior IT minister, told Parliament last year that as many as 270 government websites had been defaced between January and July. By comparison, 308 government websites were defaced over the entire 12-month period the year before. Hacking NIC servers has now become a rite of passage for so-called 'script kiddies' – young hackers who are looking to prove their mettle.

In short, NIC server security needs to be vastly improved if the government wants its emails to be stored safely. You can rest assured the NSA and other advanced adversaries such as China and Pakistan are probably already planting bugs to siphon out emails.

The two most reliable ways of defeating threats to 'data at rest' are stronger server security and email encryption. This way, even if someone gets past the improved security, the encryption will make the emails unreadable. While there are many tools to implement both steps effectively – both free and paid for – none were found in Sibal's plans.

Above all, I saw no mention of the most important part of communications security: the end points. If the sender's and receiver's computers are compromised or if they follow unsafe practices, no amount of security for data in transit and at rest will help.

Government offices are highly irregular about patching their computers with virus and security updates. Just last year, suspected Chinese hackers compromised as many as 12,000 government email accounts by sending them infected documents. These viruses can do anything from sweeping the computer for sensitive data and uploading it to the hacker's servers, to logging every keystroke so the hacker knows what's being typed. This way, even before you can encrypt and send your email or documents, the hacker already knows their contents.

That's why user awareness is the most important aspect of data security. Without it, even the most technically advanced security measures are useless. The Indian government wants to train 500,000 IT security professionals over the next five years. I'd wager that it would get more benefit by first training current employees to use their computers more safely.