[vc_row][vc_column][vc_column_text]In Feb 2024, a finance manager Ravi (name anonymized) received a message from his CFO. The message said their company needed to make a secret payment, and asked Ravi to join a video call to discuss details. Ravi was initially suspicious. But, he put aside his early doubts when he joined the video call and saw his CFO and other colleagues on the call. He followed the CFO’s ask and authorized a payment of $25 million to the account provided.

It turns out that all the faces and voices on the video call were AI-generated deepfakes. This is a real incident from Hong Kong.

We live in interesting times. AI is having a wide-ranging impact on the planet, both good and bad. It enables amazing new use cases. It is displacing jobs. But most importantly it is challenging the foundational element that made society possible – trust. This article covers one slice of that topic, AI’s impact on cybersecurity[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]

Artificial Intelligence 101

ChatGPT has caught the world’s fancy in the last two years. There is much more to AI than ChatGPT. Here is a quick flyby, enough to appear informed at a social event!

Artificial Intelligence refers to the ability of a computer to perform tasks “commonly associated” with humans. There are, broadly speaking, two ways in which AI may be applied.

• Predictive AI is used when the goal is to pick the best choice (according to a given scoring method) from a pre-determined range of choices. Examples: Deepblue from IBM beat then-champion Garry Kasparov, using predictive AI that could analyze 200 million moves in one second to pick the best move. A self-driving car picks which way and how much to steer based on what it senses in the environment. Netflix recommends the shows you are most likely to enjoy. Google, Meta, and Bing rank the ads most relevant to you.

• Generative AI is used when the goal is to generate new content. Large Language Models (LLMs) are the most popular cases for Generative AI. They are designed to generate text. ChatGPT is the most famous application for LLMs.

[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]The way AI systems learn has greatly evolved. In the early days, humans programmed the system based on their knowledge. In the 1990s, machine learning picked up. In this approach, you first train an AI system by feeding it large amounts of input-output pairs and letting it find patterns. Once trained, the AI system, aka model, can predict the output for any new inputs you give it. Deep learning builds on this by using multiple layers of such a system. All well-known AI systems today learn via deep learning.[/vc_column_text][vc_column_text]

Fun fact: Machine learning and deep learning use Linear Algebra, which every student at IITB learns in the first year.

(more…)

[vc_row][vc_column][vc_column_text]Your Processor Goes Brrrr… and Leaks Sensitive Data!!

Imagine you’re super careful about your data security. You only run trusted apps and software on your phone or computer, and you make sure they’re free of bugs. You’d think your data was completely safe, right? Well, not quite. Even if the software you use is flawless, modern processors, the brains of your devices—can still make mistakes. In order to run faster, they try to “guess” what might happen next (this is called speculative execution). Sometimes, they guess wrong, which might give them access to information they aren’t supposed to handle, like passwords or private. Even though this access is brief, it can still leak information through very sneaky side effects, which are called side-channels.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]So, what is a side-channel? One simple example involves the time it takes your device to do things. Imagine you’re opening a locked box, and depending on how long it takes you, someone could guess whether the box was already unlocked or not. In computers, attackers can measure how long it takes the processor to retrieve data from its memory. By studying these tiny differences in time, they can figure out what kind of information is being accessed, even without directly touching it.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]

In 2018, researchers discovered two major security flaws, Spectre and Meltdown, that let attackers take advantage of this guessing behavior, in virtually all processors used in mobiles, desktops, and tablets, manufactured in the last 20 years by Intel, AMD, Apple, Qualcomm, IBM, etc.

Spectre tricks the processor into accessing data it shouldn’t by misleading the system’s guessing mechanism, while Meltdown takes advantage of a weakness in how certain processors separate user data from critical system data. Both allowed attackers to peek at sensitive information, like passwords or browser cookies, even if they weren’t supposed to have access. (more…)

[vc_row][vc_column][vc_column_text]In this article we will look at the types of cyber frauds that scamsters perpetrate in banking and payments, and see how the variety, risks, numbers and sophistication of such frauds grew with the growth of computerisation of banking operations resulting in customer convenience. As the role of computerisation in banking grew and became more sophisticated, so did the variety and sophistication of cyber fraud. We will also see what banks do to minimise the risk of such frauds, and importantly, what we as customers of banks can do to avoid falling prey to such fraudsters. A caveat – this article talks only about cybersecurity in the context of banking as it relates to the handling and transfer of money. It does not deal with cyber fraud related to securities transactions and insurance – that will take another couple of articles.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]Forgery 

In the 1970s, before computers came into banking operations, you had to go to a bank branch to do any kind of banking transaction, starting from opening a bank account, to depositing or withdrawing cash, or transferring money to another account. You could write a cheque and hand it over physically or by post to whoever you wanted to transfer money to. That person would have to go to his or her bank and deposit the cheque into their bank account by filling in a slip. The cheque would then travel to a local cheque clearing centre, from where it would go to the payer’s bank branch. If the cheque was from another city (an “outstation” cheque), then it would have to be sent by post to the bank branch where it was drawn. If there was sufficient balance in the account and the signature matched with the sample signature with the bank, then the cheque would be “cleared” and retained by the payer’s bank branch. Banks had a specific number of days to reject the cheque if there was insufficient balance or a signature mismatch, and the cheque would travel back to the payee’s bank branch, and the payee would be informed about the cheque being “returned”. This process would often take several days, until which time the payee had no idea if his/her account had been credited. If one wanted a guaranteed document, then the payer had to make out a bank draft by going to the branch, filling up a form and the branch would issue a bank draft payable to the payee.

In those days, the only way somebody could steal money from your account was to steal your chequebook and forge your signature.

The reason for explaining the process in so much detail is for younger readers who have not seen what banking was like in India before computerisation to understand the breathtaking transformation that has happened in banking in the last forty to fifty years.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]Frauds in Inter-branch Reconciliation

In the days of manual processes in banking, a cheque deposited in a branch that belonged to a different cheque clearing centre had to physically travel by post from that branch “for collection” to the branch on which the cheque was drawn. The branch where the cheque was deposited often provided early liquidity to the customer by “purchasing” the cheque and crediting the customer’s account. Fraudsters, with the help of insiders at the bank or post office, would intercept and steal the cheque before it reached the destination branch, so that the account on which the cheque was drawn never got debited. The manual process of inter-branch reconciliation would often take weeks before the fraud was discovered. So the first giant step in bank computerisation was in reconciliation of accounts of different branches, by matching of transactions that span across two branches. This threw up anomalies where the payee’s account got credited (because the bank “purchased” the cheque), but the account of the customer who wrote the cheque never got debited as it should have. I remember that in my earlier years at Tata Consultancy Services in the early 1980s, the banking group used to manage the massive job on inter-branch reconciliation for State Bank of India on a Burroughs mainframe computer. The data of all inter-branch transactions used to be punched on cards, transferred to tapes, and sent to the TCS computer centre for overnight processing. This was a “batch” process, with input data of cheques being fed through punched cards or magnetic tape, and the output reports being printed on reams of stationery. But it did alert the bank to mismatches in cheque transactions between branches.[/vc_column_text][vc_column_text]Phishing

Jamtara is a backward district in Jharkhand. According to the last census in 2011, Jamtara had a population of around 800,000, a low literacy rate of 62.58% and a high unemployment rate of over 58%. There has not been a census since 2011, but my guess is that the numbers do not look much better now. Not many people outside Jharkhand would have heard of Jamtara, if it was not for the fact that it gained ignominy as the cybercrime capital of India. It was made (in)famous by a widely watched TV serial on Netflix simply called Jamtara.[/vc_column_text][vc_column_text]

Around 2015 or so, a few unemployed youths from a small, backward village from Jamtara district came up with a brilliant idea to scam people all over the country using a simple mobile phone.

(more…)

[vc_row][vc_column][vc_column_text]To a gamer, the phrase “Capture The Flag” might bring into mind several first-person and third-person shooter games where the objective is to capture the opponent’s flag to establish dominance and win points to attain victory. I would be lying if I said that was not my first encounter with the phrase “Capture The Flag”, and even though I no longer frequently game, I have very fond (if not violent) memories of the genre. However, given that this article is in the cybersecurity section, one might be led to think “Capture The Flag” likely has to do with something else (unless it’s about hacking into shooter games, but that’s a topic for another day). In fact, one would be right![/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]Imagine a hacking competition where you have to break into systems and exploit vulnerabilities. To stress, I do not mean “hackathons”, which are albeit pretentious names for coding competitions or other generic tech competitions far removed from real hacking. These actual hacking competitions are called CTFs. What is the rationale behind such a name? After you have successfully compromised the system under interest in a challenge in this competition, you find a string of text called a “flag” which you then submit to the competition server as “proof of hack” to get credited for successfully completing the challenge. This attempt at capturing “flags” across challenges is what gives CTFs its name.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]

Kinds of CTFs

[/vc_column_text][vc_column_text]CTFs occur in a variety of flavours. They could be conducted as an offline event, or as a large-scale online event. They could be an individual CTF, a team-based CTF with teams capped by a maximum size limit, or a team-based CTF without an upper cap on the team size.

They are usually conducted for 24 hours or 48 hours and often spawn challenges from a variety of cybersecurity categories, the common ones being Cryptography, Digital Forensics, Reverse Engineering, Binary Exploitation, and Web Exploitation.

There are many other categories which one finds in CTFs nowadays which cover several new and important technologies in cyberspace, including but not limited to Cloud Security, Blockchain Security, Zero-Knowledge Proofs, Post-Quantum Cryptography, Game Hacking (and I shall now resist my temptation to connect cybersecurity CTFs with shooter CTFs), and many more.

A CTF style is more than the categories of challenges it provides; CTFs can also be in different formats. The most popular format is called “Jeopardy CTF”, named after the famous American game show. You are explicitly presented with various categories and several challenges in each category, and you can pick and choose which one you want to solve and when you want to solve it. There is no restriction on parallelism, you can work on several challenges simultaneously.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]

Why CTFs?

[/vc_column_text][/vc_column][vc_column][vc_column_text]Do CTFs actually help cybersecurity other than just being a fun competition? Very heavily so!

CTFs often involve real vulnerabilities, and exploring those vulnerabilities provides very practical hands-on experience with recognising, patching, and exploiting insecure systems.

It teaches a budding cybersecurity enthusiast where to look for security bugs and how they can be exploited to afflict maximal damage. This recognition helps them to also patch insecure software to prevent them from being attacked by malicious threat actors. (more…)

[vc_row][vc_column][vc_column_text]CyberSecurity has gained prominence in the past few years with the proliferation of the Internet and Mobile handset. The mobile handset has put the Capitalise internet in everyone’s palm. On the one hand the Internet changed the way we communicate, conduct business, engage with people and businesses, but on the other hand the Internet also enabled anonymous entities to access your always connected devices by exploiting weaknesses in your devices or by exploiting weak passwords. In more recent times exploits target weaknesses in human psychology.

The goal of all exploits is to compromise your device, gain control of your device or gain access to your privileges on some other device, a server on the Capitalise internet (your photos or work data on a google drive or on an Amazon S3 bucket). Increasingly it is to gain control or access of your data. Devices are less valuable than the data that reside in those devices.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]Cybersecurity is the practice and application of tools, techniques and processes to secure your devices and privileges on third party devices. The tools can be broken down into multiple specialised sub domains. This image-pdf (from Optiv) provides a nice classification of the different cybersecurity solution providers.

Some solutions target the network pathways through which malicious activity is carried out or malicious content is planted/distributed. Some solutions ensure robust authentication is present in all pathways. Some solutions monitor device activity to watch for any anomalous behaviour (either via artefacts on the device or via artefacts on the network wire. Please note ether is the wire in wireless). Some other solutions prevent data export from devices by locking down all possible ways by which data can be sent out (block hardware interfaces such as USB, block email attachments etc). Many solutions target the device directly. They monitor the device health continuously ensuring the device is always healthy. In summary Cybersecurity is a not a single point solution, but involves practising and applying defence in depth.[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]Asset Management is the branch of Cybersecurity that focusses on device health. It is often said you cannot secure what you do not know about. Once you know all your assets, you must ensure they are healthy “continuously”.

Brian Krebs, a reputed Cybersecurity expert summarised very succinctly thus (Sourced Credit: Kerbsonsecurity)
1. Do not install what you did not go looking for.
2. If you installed it, take care of it by ensuring it is up to date and free of known shortcomings/bugs.
3. If you are not using it, remove it.
This applies to enterprises as well as personal devices. It is vital that you identify all your devices and ensure they are running only such software as is needed and such software is the latest and the best the vendor has to offer. Ensure there are no unnecessary software on the device.[/vc_column_text][vc_column_text]Lay persons believe that devices are “hacked” because of “hacker’s” skills and ingenuity. While skills and ingenuity are / may be needed, the primary reason devices get “hacked” are because of “owner’s” carelessness and naiveté. (more…)

[vc_row][vc_column][vc_column_text]Introduction

In an age where military operations are increasingly driven by digital technologies, cyber security has become indispensable for national defence. The growing dependence on cyber systems for communication, intelligence, and logistical coordination has amplified the risk of cyberattacks, positioning the defence sector as a prime target. Both India and the global community face escalating cyber threats on multiple fronts. Protecting military assets and ensuring the integrity of defence operations requires robust cyber security frameworks.[/vc_column_text][vc_column_text]This article explores the evolving landscape of military cyber security, focusing on key strategies, challenges, and future directions, with insights from both Indian and global perspectives. (more…)

[vc_row][vc_column][vc_column_text]In India, 63 million Micro, Small, and Medium Enterprises (MSMEs) contribute employment of 164 million, 30% of GDP, and around 40-50% exports. However, according to global reports, 43% of cyberattacks target small businesses, and one in two small and medium enterprises (SMEs) has a chance of a cyber breach. Without cyber security protection, these businesses could hamper the country’s economy, as they contribute significantly to the economy.

According to the latest research conducted on MSMEs in India, where 82 top management of these organizations shared their valuable inputs, Figure 1 shows an overview of the cybersecurity posture of these companies. More than 51% of these companies responded they have some kind of cybersecurity control in place. Few of these MSMEs had adopted some kind of standard or framework, such as ISO 27001 (more than 21%) and NIST CSF (around 6%). Around 63% of these organizations do not have any cybersecurity standard or framework adopted. Among those who had responded with some kind of cybersecurity adoption in place, around 29% of those are not having any security policies, guidelines, and guidelines. Closed-Circuit Television (CCTV) (around 17%), security guards (more than 11%), and fire suppression (around 11%) were mostly popular as physical controls among MSMEs. Also, antivirus software (around 30%), firewalls (more than 20%), and authentication solutions (around 14%) were the most popular technical controls for MSMEs.[/vc_column_text][vc_single_image image=”14479″ img_size=”large” add_caption=”yes” alignment=”center” title=”Figure 1: Overview of MSME’s Cybersecurity Posture”][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]Figure 2 shows the various gaps and problems faced by MSMEs in India. Human beings are always considered the weakest link causing successful cyberattacks. Hence, cybersecurity awareness training plays an important role in strengthening knowledge about the latest cyber threats within organizations. [/vc_column_text][vc_column_text]

More than 40% of MSMEs never conducted any cybersecurity awareness training for their employees, which is the biggest threat helping cybercriminals targeting these companies, as illustrated in the figure.  Around 39% of MSMEs are sure they have faced cyberattacks. (more…)