[ISN] The cyber security spy ring

From: InfoSec News (alerts@private)
Date: Sun Jul 09 2006 - 23:03:16 PDT


New Delhi
July 8, 2006

When India tested its nuclear weapons in 1998, the US got a shock of 
significant magnitude. CIA officials said they did not know about the 
tests until then-prime minister Atal Bihari Vajpayee went on television to 
announce them four hours after the event. Till then, the seismic data, from 
which the test could have been detected, had apparently not been analysed 
yet. The fleets of US spy satellites had been fooled; the multi-billion 
dollar intelligence network of the only superpower on earth had egg on its 

This spurred the US to focus on its intelligence gathering in India. It 
would appear that the efforts have borne fruit.

If the suspicions being expressed by Indian intelligence agents are true, 
the US may now be in possession of information on India's war plans for the 
army, navy and air force. The atomic energy establishment, which no 
foreign agency is known to have breached significantly in the past, may 
also have been compromised. Even ISRO data is thought to have leaked to 
the US spy agencies. Put together, it represents a leak of massive 

It happened because of some smart work on the part of the US agents, and 
the curious chalta-hai type of loophole that is so typical of India. The 
National Security Council Secretariat, the repository of all this 
information, is not secured anywhere near as well as the individual 
intelligence agencies and military headquarters are. In fact, even its 
staff comprises a large number of part-timers on short contracts. Many of 
them receive meagre salaries in the range of Rs 15,000-Rs 20,000 a month.

The story so far is that SS Paul, a disgruntled computer analyst with the 
NSCS, passed on secret data from NSCS computers to Rosanne Minchew, third 
secretary in the US embassy in Delhi, for $50,000 (Rs 23 lakh). He did 
this by storing the data on USB drives and taking it out. The operation 
was on for about a year. Paul eventually got caught because a wing of 
Delhi Police knew Minchew's role in the US embassy. They put her mobile 
under observation and found she was receiving SMS from a number that 
turned out to be Paul's. He was put under surveillance, and was found to be 
passing classified information to her.

Investigations in the case showed that Paul had been introduced to Minchew 
by Commander Mukesh Saini of the NSCS. Saini was the man heading the 
National Information Security Coordination Cell, and was an important part 
of the Indo-US Cyber Security Forum. In his capacity as National 
Information Security coordinator, he was in touch with sector cyber 
security officers and systems administrators in various ministries, 
departments and security forces. Investigators now believe Paul was not 
the only one whom Saini introduced to US intelligence. At least five others 
are under suspicion for passing information to Paul, who passed it further 
to Minchew.

The case has prompted the Intelligence Bureau to ban cell phones with 
advanced features from its premises. It already has software, specially 
developed for its use, to detect the use of USB drives on its intranet. 
This software logs the time a USB drive is inserted into a computer and 
the time it is taken out, gives the ID of the computer and its user, and 
lists the files accessed. The log report is sent to a designated computer.

This software was not deployed at the NSCS. Sensitive ministries and 
departments also don't have this software.

However, the problem is being seen by experts as more human than technical. 
If the people tasked with cyber security themselves sell out, it can't be 
considered a technical failure, they point out.

Cyber security expert Subimal Bhattacharjee points out that India does not 
have a policy on critical infrastructure protection. Moreover, security 
systems are not properly deployed, he adds, otherwise checks and balances 
would exist so that a person's colleagues would get to know if he was 
taking out data. His views are echoed by J Prasanna of K7 computing, who 
says system administration and cyber security responsibilities should 
never be concentrated in one person. Banning cellphones or USB devices, 
or keeping computers off the Internet, does not ensure security, he adds. 
Monitoring use is a better option.
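
The USB log report described above (insertion time, removal time, computer 
ID, user, files accessed), sketched as an added example; it is not code from 
the article or from the software it mentions. The event format, host names, 
user names and paths are constructed assumptions.

```python
from datetime import datetime

# Constructed sample events. The line format (time, host, user, event, path)
# is an assumption made for this example, not a real product's log format.
SAMPLE_EVENTS = """\
2006-07-03T10:02:11 WS-014 analyst1 USB_INSERT
2006-07-03T10:03:40 WS-014 analyst1 FILE_ACCESS /share/reports/q2.doc
2006-07-03T10:04:02 WS-022 clerk7 FILE_ACCESS /share/forms/leave.doc
2006-07-03T10:05:17 WS-014 analyst1 FILE_ACCESS /share/reports/q3.doc
2006-07-03T10:09:05 WS-014 analyst1 USB_REMOVE
2006-07-03T11:30:00 WS-014 analyst1 FILE_ACCESS /share/reports/q4.doc
2006-07-03T16:45:30 WS-031 admin2 USB_INSERT
2006-07-03T16:46:10 WS-031 admin2 FILE_ACCESS /share/plans/draft.doc
"""

def build_sessions(text):
    """Group events into one record per USB session, in insertion order."""
    open_by_host = {}  # host -> session whose drive is still inserted
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit keeps a path containing spaces in one piece
        stamp, host, user, kind, *rest = line.split(maxsplit=4)
        when = datetime.fromisoformat(stamp)
        if kind == "USB_INSERT":
            session = {"host": host, "user": user, "inserted": when,
                       "removed": None, "files": []}
            open_by_host[host] = session
            sessions.append(session)
        elif kind == "USB_REMOVE":
            session = open_by_host.pop(host, None)
            if session is not None:
                session["removed"] = when
        elif kind == "FILE_ACCESS" and host in open_by_host:
            # Only accesses made while a drive is inserted are attributed
            open_by_host[host]["files"].append(rest[0])
    return sessions

def report(sessions):
    """Render each session as one line for the designated log collector."""
    lines = []
    for s in sessions:
        end = s["removed"].isoformat() if s["removed"] else "STILL INSERTED"
        lines.append(f'{s["host"]} {s["user"]} {s["inserted"].isoformat()}'
                     f' -> {end} files={len(s["files"])}')
    return lines

if __name__ == "__main__":
    print("\n".join(report(build_sessions(SAMPLE_EVENTS))))
```

A session with no removal event is reported as still inserted rather than 
dropped, so a drive left in a machine overnight remains visible to reviewers.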
