an inconvenient reality_final

Upload: alfred-romann

Post on 29-May-2018


8/9/2019 An Inconvenient Reality_Final

An Inconvenient Reality

The unaccounted consequences of non-genuine software usage

ADVISORY

INFORMATION, COMMUNICATION AND ENTERTAINMENT


    Table of Contents

    Foreword 1

    Executive Summary 3

    Key Drivers 7

    Potential Implications 11

    Involvement of Anti-Social Elements 15

    Information Disclosure and Data Theft 17

    Malware Attacks 21

    Extortion Using Ransomware 25

    Unsecured Business Environment 29

    Network Effect 31

    Academic Institutions: Usage of non-genuine software by students 35

    Increased Security Exposure for Government 39

    Reputation Risks 43

    Seeing the larger picture 45

    Appendix: Methodology 51


© 2009 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.

Foreword

Explosive growth of the Internet in the last two decades has made it one of the most used channels for acquiring software quickly. At the same time, higher profit margins and minimal risks associated with counterfeiting/cracking of genuine software have given opportunity to anti-social and anti-national elements to make non-genuine software available on the Internet as well as in the physical media. This, combined with limited awareness of the implications of using such software in our user population, exposes our Information, Communication and Technology (ICT) infrastructure to various information security challenges.

The objective of this white paper is to sensitize readers, end users, government establishments and enterprises to the various security implications associated with usage of non-genuine software. With this intention the paper considers the results of our research, real-life cases and hypothetical scenarios to highlight the potential information security consequences of non-genuine software usage.

The research performed during the development of this paper observed that usage of non-genuine software can now be considered a significant vector in weakening the security posture at micro and macro economic levels. The information and test cases assembled in this paper demonstrate that using non-genuine software not only increases the threat of data loss and intrusions to personal systems, but also to critical ICT infrastructure of the society, thereby threatening national security. There cannot be a better time for citizens, governments and corporations to come together in the endeavor to mitigate the risks arising from the usage of these potentially dangerous systems.

Akhilesh Tuteja
Executive Director
KPMG in India


Executive Summary

It remains a well established fact that use of unlicensed or pirated software results in both immense financial implications due to infringement of the copyright laws as well as tarnishing of the company's market reputation. Studies also indicate that deployment of such software often leads to organization-wide security risks, such as loss of data privacy, system failures and downtime, and reduced operational performance. Additionally, a 2009 study carried out by KPMG indicates that non-genuine software can potentially disrupt the smooth functioning of an organization's operations by adversely affecting the system security infrastructure.

This paper seeks to establish the significant direct and indirect information security implications for government and corporate organizations as well as individuals when deploying non-genuine software. The paper elaborates the key drivers motivating the deployment of non-genuine software, the security implications thereof, and the suggested measures and considerations which government and corporate organizations can adopt for increasing awareness among users regarding security implications of deploying non-genuine software, thereby reducing its usage.

Drivers

Factors such as easy availability, lower costs of acquisition, and convenience of acquiring non-genuine software, as well as the attraction of deploying seemingly effective yet free software, continue to drive end users and organizations towards wide-ranging deployment of non-genuine software.

Implications

Recent reports indicate a strong direct correlation between usage of non-genuine software and security threats such as malware and botnets.

As part of the research conducted for this white paper, we reviewed 50 websites offering non-genuine software and/or enabling tools and techniques for acquiring such software, which revealed that more than 60 percent of these websites include a varying degree of threat vectors that can potentially impact information systems security.

Key figures (sidebar):

- 60 percent of websites providing cracks, keygens, warez or counterfeits have potential threat vectors
- 39 percent of organizations surveyed reported a security incident of non-genuine software detection in their IT environment
- 35 percent of organizations cited ready availability as the reason for employees to use non-genuine software
- Correlation coefficient between software piracy rates and malware attacks is a strong 0.74
- Companies using non-genuine software are 43 percent more likely to have critical system failures*

*Source: Impact of unlicensed software on mid-market companies - Harrison Group


The security implications of deploying non-genuine software are multi-dimensional, including threats that directly affect the end user's and organization's security as well as indirect threats leading to increased cost of protection and remediation. Directly impacting security threats include loss of data confidentiality and integrity, as well as reduced operational performance arising from:

- Phishing Attacks
- Malware and Botnets
- Ransomware

Indirect security threats of deploying non-genuine software include the organization or user unknowingly becoming part of a larger nexus of anti-social elements funding and operating illegal pirated software businesses, thus contributing to the network of organized crime.

Given today's networked environment, where most computing devices are connected through the Internet, such threats arising from infected non-genuine software have far-reaching implications for an entire network. A system having non-genuine software can adversely impact the overall security of a network. A large number of hackers develop potentially dangerous software disguised as software with rich functionalities to lure unsuspecting users. These users can then become part of botnets and be controlled remotely for executing large scale attacks.


Measures

The paper discusses the security programs adopted by select corporations across industry sectors for discouraging use of non-genuine software and also provides recommendations for mitigating such risks.

Some of the measures that the government and industry may consider include:

- Creating awareness among end users in homes, academic institutions, public and private enterprises against the usage of non-genuine software; this includes a program specially targeted towards the student community
- Working towards effective implementation of the legal and regulatory framework to discourage deployment of infected non-genuine software
- Facilitating faster and more focused punitive action for non-compliance, including establishment of special courts
- Institutionalization of an internal program within the government and private organizations to manage and control deployment of software assets; such programs should include periodic reviews/audits of software inventory and management processes around it
- Implementing controls to prevent and detect usage of non-genuine software, especially on critical Information, Communication and Telecom (ICT) infrastructure
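The fourth and fifth measures above (periodic software inventory audits, and controls to detect non-genuine software) come down to reconciling what is installed against what is licensed and where the install media came from. The following is an added example written for this transcript, not code from KPMG or from the paper; the inventory records, licence register, product names and host names are all constructed sample data, and the set of "untrusted" acquisition channels is an assumption chosen to mirror the channels the paper discusses (torrents, copied media).

```python
"""Added example (not from the KPMG paper): reconcile a software inventory
against a licence register to flag unlicensed, over-deployed or
untrusted-source installs. All records below are constructed sample data."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    version: str
    source: str   # acquisition channel recorded by the asset-management process


@dataclass(frozen=True)
class Licence:
    product: str
    seats: int    # number of installs the purchased licence permits


# Constructed sample inventory: four hosts, three products.
INVENTORY = [
    Install("ws-01", "OfficeSuite", "2007", "vendor-portal"),
    Install("ws-02", "OfficeSuite", "2007", "vendor-portal"),
    Install("ws-03", "OfficeSuite", "2007", "usb-stick"),
    Install("ws-03", "PhotoEditor", "CS4", "torrent"),
    Install("ws-04", "PhotoEditor", "CS4", "vendor-portal"),
    Install("ws-04", "CadTool", "11", "vendor-portal"),
]

# Constructed licence register: two seats each for two products, nothing for CadTool.
LICENCES = {
    "OfficeSuite": Licence("OfficeSuite", 2),
    "PhotoEditor": Licence("PhotoEditor", 2),
}

# Assumed set of acquisition channels that the audit treats as untrusted.
UNTRUSTED_SOURCES = {"torrent", "usb-stick", "warez-site", "unknown"}


def audit(inventory, licences):
    """Return findings grouped by type.

    unlicensed       -> installs of products with no licence at all
    over_deployed    -> products installed on more hosts than seats purchased
    untrusted_source -> installs whose media came from an untrusted channel
    """
    findings = {"unlicensed": [], "over_deployed": [], "untrusted_source": []}
    seats_used = Counter(i.product for i in inventory)
    for inst in inventory:
        if inst.product not in licences:
            findings["unlicensed"].append((inst.host, inst.product))
        if inst.source in UNTRUSTED_SOURCES:
            findings["untrusted_source"].append((inst.host, inst.product, inst.source))
    for product, used in seats_used.items():
        lic = licences.get(product)
        if lic is not None and used > lic.seats:
            findings["over_deployed"].append((product, used, lic.seats))
    return findings


def risk_hosts(inventory, licences):
    """Hosts to review first: any host carrying an unlicensed install or one
    obtained through an untrusted channel (the paper's infection vectors)."""
    f = audit(inventory, licences)
    hosts = {h for h, _ in f["unlicensed"]} | {h for h, _, _ in f["untrusted_source"]}
    return sorted(hosts)


if __name__ == "__main__":
    for kind, items in audit(INVENTORY, LICENCES).items():
        print(f"{kind}: {items}")
    print("review first:", risk_hosts(INVENTORY, LICENCES))
```

Seat counting is per install record, so a product present twice on one host counts twice; an inventory tool that deduplicates per host should be reconciled before running the audit.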

    Spreadingthegoodword


Key Drivers

At the outset

The consumer base for software in India has over the last decade witnessed an unprecedented expansion on account of a surge in PC and Internet penetration across the country. Low production costs, ease of manufacturing and high profit margins have fuelled the non-genuine software market in the country. As per the Fifth Annual Business Software Alliance (BSA) and IDC Global Software Piracy Study released in May 2008, India had a piracy rate of 69 percent in 2007.

The Internet serves to be one of the leading channels for acquiring non-genuine software. Several websites and peer-to-peer networks offer installable non-genuine software, product keys, key generators and crack tools. There are other equally popular channels like physical media (CDs and DVDs) that are easily available as well. As can be observed in Figure 1, irrespective of the medium used to obtain non-genuine software, the risks of getting infected with malicious software are fairly significant.

Figure 1: Possibility of infection through channel used for acquiring non-genuine software
(bar chart; y-axis: Possibility of infection (%); x-axis: Medium)

    Websites          25
    Physical Media    33.33
    Key Generators    32

*Source: IDC Study - The Risks of obtaining and using pirated software - 2006 and Microsoft Internal Study: Dangers of Counterfeit Software


Information security is generally associated with terms like viruses and cyber crime. However, key information security concerns stem from various sources including:

- Discontent employees: insider threats initiated by disgruntled employees, contractors and consultants
- Internet: cyber crime/attacks such as botnets, exploiting browser vulnerabilities
- Mismanagement: data breaches/loss due to mismanagement
- Terrorist attacks
- Neglected endpoints and LAN security
- Exploited vulnerabilities due to improper patch management
- Social engineering that can be assisted by social networking websites
- Malware like spyware, viruses and trojans which are usually downloaded from the Internet by unsuspecting users

The information security chain is as strong as its weakest link and end users are usually found to be this weakest link. As a user clicks on a malicious link on the Internet and downloads unauthorized software or email attachments, he/she may become a victim of social engineering attacks and sometimes knowingly or unknowingly install counterfeit/illegal or pirated software on his/her machine. With the rapid rise of the Internet and personal/mobile computing across all walks of life, the exposure of end users to these security threats has increased manifold and thus neither governments nor businesses are immune to these threats.


Our analysis suggests that users in countries with higher software piracy rates tend to be more susceptible to malware attacks (see Figure 2). The correlation coefficient between these two is a strong 0.74.

Figure 2: Malware infections are more in countries with higher software piracy
(bar chart; y-axis: Percent; x-axis: Country; series: Malware Infection Rate, Software Piracy Rate)

    Country   Malware Infection Rate (CCM*)   Software Piracy Rate (%)
    JPN        1.8                            23
    AUS        5.2                            25
    GER        5.3                            27
    FIN        5.7                            25
    IND        6.2                            69
    ALB       25.4                            78
    MOR       27.8                            67
    BAH       29.2                            57

*CCM: Computers Cleaned per Mille represents the number of computers cleaned per thousand executions of the Malicious Software Removal Tool
**Malware infection rates as published in the Microsoft Security Intelligence Report 2008
***Piracy rates as published in the Business Software Alliance (BSA) 2007 Global Software Piracy Study
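The 0.74 figure can be checked from the eight country data points plotted in Figure 2 (CCM on one axis, piracy rate on the other). The following added example, written for this transcript and not part of the paper, recomputes the Pearson correlation from those values and also shows how much the coefficient moves when any single country is dropped, which is the caveat a reader should keep in mind with a sample of eight. The data values are the ones read off the figure; the pairing of CCM and piracy rate per country is taken from the chart labels.

```python
"""Added example (not from the KPMG paper): recompute the correlation the
paper reports between software piracy rate and malware infection rate from
the eight country data points shown in Figure 2."""
import math

# Values as plotted in Figure 2: (country, CCM malware infection rate, piracy rate %).
FIGURE_2 = [
    ("JPN", 1.8, 23), ("AUS", 5.2, 25), ("GER", 5.3, 27), ("FIN", 5.7, 25),
    ("IND", 6.2, 69), ("ALB", 25.4, 78), ("MOR", 27.8, 67), ("BAH", 29.2, 57),
]


def pearson(xs, ys):
    """Pearson correlation coefficient r for two equal-length sequences."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need at least two paired observations")
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        raise ValueError("a constant series has no defined correlation")
    return sxy / math.sqrt(sxx * syy)


def piracy_malware_correlation(rows=FIGURE_2):
    """r between piracy rate and CCM over all rows; the paper reports 0.74."""
    return pearson([r[2] for r in rows], [r[1] for r in rows])


def leave_one_out(rows=FIGURE_2):
    """r recomputed with each country removed in turn, rounded to two places.
    With only eight points this shows how much a single country drives the figure."""
    result = {}
    for i, (country, _, _) in enumerate(rows):
        rest = [r for j, r in enumerate(rows) if j != i]
        result[country] = round(pearson([r[2] for r in rest], [r[1] for r in rest]), 2)
    return result


if __name__ == "__main__":
    print("r over all eight countries:", round(piracy_malware_correlation(), 2))
    for country, r in leave_one_out().items():
        print(f"without {country}: r = {r}")
```

Correlation says nothing about direction of cause; the paper's own wording ("tend to be more susceptible") is the right reading, and the leave-one-out values show how sensitive such a small-sample coefficient is to any one country.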


Potential Implications

At the outset

In the context of individuals and businesses, increased vulnerability to malware, damage to reputation, reduced operational efficiencies and increased total cost of ownership are some of the downfalls of deploying non-genuine software. From a broader macro-economic perspective, the use of non-genuine software has the potential to adversely affect employment, tax revenues, industry growth as well as national security.

As Figure 3 demonstrates, developing nations such as India still remain relatively ill-equipped in dealing with software piracy. Non-genuine software exposes its users, whether they are individuals or organizations, to a plethora of information security risks. This is evident in the high correlation between non-genuine software usage and malware infections[1].

Any such security threats, viz. viruses, worms, spyware and Trojans, exploit vulnerabilities in the operating system and/or the software/application installed on it. While cyber criminals are continuously on the lookout for these vulnerabilities, software developers are busy developing patches or hotfixes for plugging these vulnerabilities. It is a never-ending war and the users need to continuously download these patches and hotfixes to be relatively safe in the cyber world. However, users of non-genuine software suffer a big disadvantage and are constantly vulnerable to these attacks due to the lack of patches and hotfixes being made available to them.

Figure 3: Software piracy trends higher in developing nations
(bar chart; y-axis: Units; x-axis: Country: USA, LUX, NZ, JPN, SWZ, IND, ZIM, BAN, AZB, MOL, ARM; series: Human Development Index (Rank), Software Piracy Rate (%))

Revenue losses in India due to software piracy were estimated to be USD 2 billion in 2007

Source: BSA 2007 Global Software Piracy Study / United Nations HDI Rankings

[1] Correlation coefficient of 0.74 observed in Figure 2

Every time such a user is surfing on the Internet or downloading files through emails or Peer to Peer (P2P) applications, he/she is susceptible to a plethora of


security threats. In addition to this, users who continue to download more non-genuine software from the Internet face a double-edged sword and are not only vulnerable to any new threats but are continuously exposed to more of these threats every time they visit a website providing non-genuine software or assisting in cracking (installation without license) genuine software.

Our study[2] of 50 websites providing various enablers for using non-genuine software, viz. cracks, keygens, serials, warez, etc., reveals that there is a significantly high probability of a user browsing the Internet in search of non-genuine software being exposed to security threats, as indicated in Figure 4.

Figure 4: Threat vectors on websites providing non-genuine software
(bar chart; y-axis: Percent; x-axis: Threat vectors)

    Potential Malware            16
    Auto Redirection / Pop up    30
    Unsolicited Content          32

Source: An Inconvenient Reality, KPMG in India, June 2009

[2] KPMG study of 50 websites offering non-genuine software and/or enablers to obtain such software. Refer Annexure for methodology.


A synopsis of the potential security implications of deploying non-genuine software is outlined below.

- Involvement of Anti-Social Elements: End users of non-genuine software contribute to a chain which may potentially finance anti-social activities
- Information Disclosure and Data Theft: Users of non-genuine software could be losing valuable personal and financial data
- Malware Attacks: Hidden security and cost implications of non-genuine software usage
- Extortion using Ransomware: Fraudsters using non-genuine software to extract money from end users
- Unsecured Business Environments: Usage of non-genuine software lowers the security posture of business environments and can lead to more critical system failures, operational downtime and an increase in the total cost of ownership in the long run
- Network Effect: Security implications of non-genuine versions of a software that is made available to the masses can acquire exponential proportions due to the presence of a large number of people on the networks where it is made available
- Academic Institutions and Students: Significant risks to academic institutions and students themselves due to usage of non-genuine software by students
- Increased security exposure for Government: Government sector susceptible to cyber warfare and espionage due to usage of non-genuine software
- Reputation Risks: Usage of non-genuine software can often have large financial and legal risks that may impact reputation

Information security has graduated from being a boardroom issue to an issue of national importance. The following pages attempt to demonstrate, through real-life cases and hypothetical scenarios, how academic institutions, government sector organizations and unsecured business environments can become potential victims of security consequences due to the widespread use of non-genuine software.

The way forward, for end users, government and private organizations, to mitigate security risks due to usage of non-genuine software has also been discussed.


Involvement of Anti-Social Elements

The story so far

Setting the context

Organized crime groups are often associated with illegitimate financial transactions such as money laundering. Production of non-genuine software is emerging as another means of generating revenue for anti-social elements. Since the operating costs amount to only a fraction of sales revenue, the remaining revenue often ends up in a larger resource base being used to fund counterfeit products, prostitution, weapons trading, and possibly even terrorism.

Consider this

In 2000, Ali Khalil Mehri, a Lebanese businessman, was arrested by Paraguayan authorities for allegedly selling millions of dollars worth of pirated and counterfeit software and funneling the proceeds to terrorist organizations[3]. Documents seized during the raid indicate that the sales of counterfeit goods were used for fundraising by terrorist organizations in the Middle East.

In India, there have been well documented cases of organized crime groups being involved in trade of counterfeit goods to fund their activities. The raids in 2005[4], of large scale shipments of counterfeit goods belonging to the criminal organizations operating in India, by the US and Pakistani authorities, highlight the role played by counterfeit goods in financing the murky world of organized crime and terrorism.

"In the modern world, information controls every aspect of Governance and every sector of economy. The security of ICT (Information, Communication and Technology) infrastructure, resources and data, therefore, assume high importance, priority and urgency which may even be higher than the physical security. We have a policy of periodic review of our security policy for ICT infrastructure, resources and data to mitigate risks from various threats. This is a big challenge keeping in view the size, spread and capacity of the organization. Our security policy prohibits employees from using any non-genuine software owing to their high security risks. However, the software vendors should also support our cause by making the software available at affordable prices, at Purchasing Power Parity (PPP), i.e. on the basis of average earnings of a common man. This would, on the one hand, encourage the use of genuine software; on the other hand this would definitely help in discouraging use of non-genuine software in the country."

Nirmaljeet Singh Kalsi
Joint Secretary, Ministry of Home Affairs, Government of India

Would you like to be part of a chain that potentially finances anti-social / anti-national activities or would you much rather spend that little extra and contribute to the security of our society and country?

Why is software piracy such a lucrative business for organized crime groups?

Table 1

    High Markups         As much as 1000 percent owing to marginal cost of production
    High Demand          High demand as consumers perceive a cost advantage
    Low Entry Costs      Organized crime groups use their existing infrastructure as distribution cells
    Minimal Risk Level   Documented evidence on the involvement of organized crime groups is sparse and even when implicated, the penalties levied (INR 50,000 - 2,00,000) are marginal for these large and well-resourced organizations
    Victimless Crimes    Users of non-genuine software are usually aware of the product they are buying and are thus considered to be complicit in the crime

[3] Middle East Intelligence Bulletin: "Hezbollah's Global Finance Network: The Triple Frontier" by Blanca Madani
[4] "Film Piracy, Organized Crime and Terrorism" - RAND Safety and Justice Program and the Global Risk and Security Center


Information Disclosure and Data Theft

Setting the context

With rampant instances of malware in non-genuine software, data theft and disclosure of confidential information are often potential security threats. A recent report from Symantec[5] shows that 82 percent of threats to confidential information in the Asia Pacific Japan (APJ) region were classified as threats that export user data (see Figure 5).

Figure 5: Threats to confidential information in the Asia Pacific Japan Region
(bar chart; y-axis: Percent; x-axis: Potential Threat)

    Exports email addresses    65
    Exports system data        60
    Key stroke logger          80
    Exports user data          82
    Allows remote access       69

Consider this

Apple recently launched its iWork 09 Suite. Post the product launch, non-genuine copies were readily available on file-sharing sites. Several of the non-genuine copies, however, contained Trojan software that was bundled along with the installer package. On installation, the Trojan software connects to a remote server over the Internet and grants a remote controller access on the machine to enable malicious actions. More than 20,000 people have already reportedly downloaded the rogue installer, which was bundled with the non-genuine version of the iWork 09 Suite.

[5] Symantec APJ Internet Security Threat Report, Trends for 2008, Volume XIV, Published April 2009
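The iWork case above is a repackaging attack: the installer still works, so nothing the user sees reveals that extra code was bundled in. The defence is to check a downloaded installer against the digest the vendor publishes on its own site before running it. The following is an added example written for this transcript, not code from KPMG, Apple or the paper; the manifest, the file bytes, the product file name and the "bundled stub" appended to the repackaged copy are all constructed for illustration.

```python
"""Added example (not from the KPMG paper): verify a downloaded installer
against the vendor-published SHA-256 digest before it is run. The manifest
and the installer bytes below are constructed; a real manifest is fetched
from the vendor's own site over HTTPS, never from the download mirror."""
import hashlib
import hmac

# Constructed stand-in for a vendor's published digest list.
PUBLISHED_SHA256 = {
    "ExampleSuite-09.dmg": hashlib.sha256(b"genuine installer bytes").hexdigest(),
}


def sha256_of(data, chunk_size=1 << 16):
    """Hash in chunks so a large installer need not be held in memory at once."""
    h = hashlib.sha256()
    view = memoryview(data)
    for off in range(0, len(view), chunk_size):
        h.update(view[off:off + chunk_size])
    return h.hexdigest()


def verify_download(filename, data, manifest=PUBLISHED_SHA256):
    """Return (ok, reason). A file name with no published digest fails closed:
    an installer nobody vouches for gets no trust, however well it appears to run."""
    expected = manifest.get(filename)
    if expected is None:
        return False, "no published digest for this file name"
    actual = sha256_of(data)
    # compare_digest keeps the comparison time independent of how many leading
    # characters happen to match.
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch: got {actual[:12]}..., expected {expected[:12]}..."
    return True, "digest matches published value"


if __name__ == "__main__":
    genuine = b"genuine installer bytes"
    # Constructed: the same installer with an extra payload appended, as in a
    # repackaged copy that still installs the real product.
    repackaged = genuine + b"\x00bundled stub"
    print(verify_download("ExampleSuite-09.dmg", genuine))
    print(verify_download("ExampleSuite-09.dmg", repackaged))
    print(verify_download("ExampleSuite-09-cracked.dmg", genuine))
```

A digest only proves the file is the one the vendor published; it says nothing about the vendor, so it complements rather than replaces a code-signing check by the operating system.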


Statistics from a recent study by Scansafe[6], as illustrated below in Figure 6, indicate that data theft Trojans as a percentage of malware have increased significantly in 2008 (from 6 percent in 2007 to 14 percent in 2008).

"When you use non-genuine software you could actually be losing valuable personal and financial data to malicious users; this could have far wider ramifications in terms of reputational, legal, financial or even business continuity risks for individuals and organizations alike."

Figure 6: 2008 Block Volume - Data Theft Trojans
(line chart; y-axis: Percent; x-axis: Jan to Dec 2008; series: Monthly Volume, Yearly Volume)

Other studies indicate that companies using non-genuine software are 73 percent more likely to lose confidential data and 28 percent more likely to lose a customer's personal information[7]. As a result, the risks of losing confidential data by using non-genuine software are significant for companies as well as for individuals.

[6] Scansafe Annual Global Report 2008
[7] Impact of the use of unlicensed software in mid market companies, White Paper by Harrison Group, 2008


Malware Attacks

Consider this

A user finds a torrent[8] on a peer-to-peer file sharing network that contains copies of Adobe software and files that appear to be key generators for the software. Unknown to the user, malware is packaged with the torrent, disguised as key generators or other executables. When the user downloads the torrent and runs such executables, the malware infects the system and typically infects system files and morphs into other seemingly useful files.

The list below highlights some of the typical actions taken by such malware while infecting a machine:

- Creates system tray popups, messages, errors and security warnings
- Makes outbound communication to other computers, phones, IM chat rooms and other services using IRC protocols
- Reads email address and phone book details
- Changes Internet Explorer (IE) options including home page, security tab, color, font, advanced menu
- Modifies the Windows Hosts file, which could be used to stop users from visiting specific websites by redirecting them to alternative addresses without their knowledge
- Deletes other programs
- Infects other program files to include a copy of the infection
- Hooks code into all running processes, which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- Polymorphs and changes its structure
- Adds a Registry Key (RUN) to autostart programs on system startup
- Includes file creation code which is used to test for interception by security products
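Two items in the list above leave artefacts an administrator can check for directly: a modified Hosts file (names pinned to an address of the attacker's choosing, or update and security hostnames sinkholed so patches never arrive) and a Run key pointing at an autostart binary. The following added example, written for this transcript and not taken from the paper, parses constructed samples of both and flags the entries a reviewer would want to look at. The sample Hosts lines, the sample Run-key values, the list of "system binary names" and the list of user-writable directories are all constructed or assumed for illustration; on a real machine the same functions would be fed the contents of the Hosts file and the exported Run key.

```python
"""Added example (not from the KPMG paper): review a Windows Hosts file and
Run-key autostart entries for the tampering patterns described in the text.
Inputs are constructed sample text; nothing here touches a live system."""
import ipaddress
import re

# Constructed sample of a Hosts file after tampering (203.0.113.0/24 is a
# documentation range used here as a stand-in for an attacker-chosen address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below were not written by the administrator
203.0.113.45    update.example-av.test
203.0.113.45    www.example-bank.test
0.0.0.0         download.example-security.test
"""

# Constructed sample of HKCU\...\CurrentVersion\Run values, as (name, command).
SAMPLE_RUN_KEYS = [
    ("OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("svchost", r"C:\Users\u\AppData\Roaming\svchost.exe"),
    ("keygen_helper", r"C:\Users\u\Downloads\keygen.exe -silent"),
]

# Assumed lists: directories a legitimately installed autostart entry rarely
# lives in, and binary names that only belong under the Windows directory.
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\downloads\\", "\\temp\\")
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
# Crude heuristic for hostnames whose sinkholing would block updates or AV.
UPDATE_NAME_RE = re.compile(r"update|security|antivirus|\bav\b|-av\b")


def parse_hosts(text):
    """Yield (ip, hostname) for every active mapping; comments and blanks are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid address; leave malformed lines to a manual review
        for name in parts[1:]:
            yield ip, name.lower()


def suspicious_hosts_entries(text):
    """Flag names pinned to a non-local address (silent redirection) and
    update/security names pointed at loopback or 0.0.0.0 (update blocking)."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if ip.is_loopback or ip.is_unspecified:
            if UPDATE_NAME_RE.search(name):
                findings.append(("blocked-update", name, str(ip)))
        else:
            findings.append(("redirect", name, str(ip)))
    return findings


def _exe_path(command):
    """Executable path from a Run-key command, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split(" ", 1)[0].lower()


def suspicious_run_entries(entries):
    """Flag autostart commands that masquerade as system binaries outside the
    Windows directory, or that launch from a user-writable location."""
    findings = []
    for name, command in entries:
        path = _exe_path(command)
        exe = path.rsplit("\\", 1)[-1]
        if exe in SYSTEM_BINARY_NAMES and "\\windows\\" not in path:
            findings.append(("masquerade", name, path))
        elif any(d in path for d in USER_WRITABLE_DIRS):
            findings.append(("user-writable-path", name, path))
    return findings


if __name__ == "__main__":
    for finding in suspicious_hosts_entries(SAMPLE_HOSTS) + suspicious_run_entries(SAMPLE_RUN_KEYS):
        print(finding)
```

Both checks are heuristics meant to shortlist entries for a person to review; a Hosts entry added deliberately by an administrator, or a vendor that genuinely autostarts from a per-user directory, will show up and needs to be whitelisted by the reviewer rather than by loosening the rules.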

[8] Torrents are files downloaded using BitTorrent's peer-to-peer file sharing protocol


The installed malware could be anything from a data stealing Trojan to a virus/worm or even a remotely controlled bot. Symantec's recent report[9] on Internet security threats lists India as the most affected country in the APJ region in terms of distribution of viruses and worms (see Figure 8).

Figure 8: Internet Security Threats in the APJ Region - Top Countries

    Rank   Viruses     Worms   Backdoors   Trojans
    1      India       India   China       China
    2      China       China   India       India
    3      Indonesia   Japan   Japan       Japan

[9] Symantec APJ Internet Security Threat Report, Trends for 2008, Volume XIV, Published April 2009


Extortion Using Ransomware

Setting the context

Several websites claim to offer genuine software and utilities at throwaway prices. Fraudsters have found another innovative way of squeezing money out of the unsuspecting end user.

Consider this...

If a user wishes to obtain a copy of the Adobe Acrobat reader software, and uses the keyword "Adobe reader" in a Google search, Google returns results with several links offering a free download of Adobe Acrobat reader software along with a sponsored link leading to a malicious/spoofed website. Clicking on the malicious link redirects the user to a spoofed CNET Download.com site which offers a free download of a copy of Adobe reader. When a user downloads and runs it, a full, operating copy of Adobe Acrobat reader is installed, but with a twist.

Figure 9: Ransomware message: An example
*Source: www.phirelabs.com and www.zdnet.com


After installing the program, users are interrupted with message boxes at one minute intervals. The malware itself offers a fake remedy in the form of a pointer to a fake site which is presented as a "Remove all threats" button. After a period of time, as the user tries to access files on the System drive of the infected system, the ransomware starts displaying a message that the files are encrypted. The message clearly indicates that the victim needs to download a decryptor for decrypting data on the System drive of the infected system. Accepting the message redirects the user's browser to a malware website which hosts the decryptor and which is available for download at a price.

A recent case of such ransomware was that of FileFix Pro, a phony utility which encrypts the user's documents and demands that the user purchase a decryptor for USD 50 for decrypting the same.

Fake anti-virus and security software is a popular target for propagators of ransomware. It is estimated that fraudsters make as much as USD 5 million through planting fake anti-virus software alone [10].

Have you ever considered the possible security implications of downloading software online from an untrusted source? What could be the underlying motive for making popular software available through alternative sources that are not trusted? A question worth giving a hard thought to.

[10] Computerworld Security, October 31, 2008

[Figure 10: An example message from ransomware asking for ransom]


Unsecured Business Environments

Setting the context

It is a common misconception that use of non-genuine software leads to cost reduction. Recent studies show that companies (including Small Office/Home Office (SoHo) organizations) who use non-genuine software can incur significant operational downtimes and maintenance costs, thus making the use of non-genuine software an expensive proposition in the long run.

Consider this

As per the study "Impact of Unlicensed Software on Mid-Market Companies" by the Harrison Group, companies using non-genuine software are 43 percent more likely to have critical system failures (some of them lasting 24 hours or more). Apart from maintenance costs, downtime of IT systems could also translate into lost revenues, productivity and other invisible costs.

Additionally, the use of non-genuine software makes it difficult for companies to install security patches and updates, thus leaving them exposed to malware attacks. The cost of recovering from such attacks/incidents could in some cases exceed USD 1,000, thus negating the value the organization was hoping to gain through counterfeit copies of software. Thus, the cost savings of using non-genuine software are eradicated by a single security breach [11].

[Figure 11: Likelihood of System Failure for companies using non-genuine software. Horizontal bar chart; x-axis: Likelihood (%), 0 to 80; y-axis: Type of failure, with the categories Loss of Sensitive Data (Business), Critical System Failure, Loss of Sensitive Data (Personal), Significant System Failure and Minor System Failure; bar values as extracted: 73, 43, 28, 24, 9. Sample size: Original XP users 144, pirated XP users 160. *Source: Microsoft Analysis of Risks and Issues Associated with the Usage of Pirated Software]

[11] http://www.microsoft.com/protect/promotions/us/wga_idc_us.mspx


Reinforcing this is a study by Microsoft, illustrated in Figure 12, which indicates that over a period of time the total cost of ownership of pirated software is very high owing to maintenance costs and opportunity losses due to system failures and virus attacks.

For the purpose of this study, Microsoft bought and tested CDs and DVDs from various roadside vendors and carried out a survey of businesses divided between those using genuine and non-genuine software.

[Figure 12: Increased Total Cost of Ownership. Bar chart; y-axis: Total cost of ownership (INR Lakh), 0 to 1.6; x-axis: Duration, with the categories 2 years, 2-3 years, 3-4 years, 4-5 years, 5-6 years and 6-7 years; bar values as extracted: 0.35, 0.38, 0.79, 0.83, 1.11, 1.48. *Source: Microsoft IDC Business Survey]

Organizations may perceive that usage of non-genuine software reduces costs. However, critical system failures, operational downtimes and loss of critical data may in fact increase the total cost of ownership in the long run.


Network Effect

Setting the context

Today, India is being recognized as the fastest growing mobile phone market in the world. According to Gartner [12], Indian cellular service revenues were USD 8.95 billion in 2006 and are projected to grow at a compound annual growth rate (CAGR) of 18.4 percent to reach USD 25.617 billion by 2011.

Consider this

It is estimated that there are around 30 million Chinese handsets in the country which lack an International Mobile Equipment Identity (IMEI) number [13]. The IMEI is a 16-17 digit number which helps in uniquely identifying a handset and its location on the network. Currently the Cellular Operators Association of India (COAI) and the Intelligence Bureau (IB) are mulling over the security implications of a software which, when uploaded to these devices, would provide them with a unique IMEI number. As a preliminary countermeasure, the Department of Telecommunications (DoT) has meanwhile instructed all service providers to disconnect these handsets from their networks.

The ramifications of an unlicensed, malicious version of such software, if created, are enormous. Even if downloaded by a small percentage of the 30 million Chinese handset users, it could lead to large-scale tampering of IMEI numbers. Given the increasing role of cell phone transcripts in monitoring and investigating anti-social activities, usage of a non-genuine version of this software could defeat the very objective of mitigating the risk posed by cell phones without IMEI numbers on the cellular networks in India.

Additionally, a malicious version of the software could also increase the risk of the phone being used by a malicious third party as a launch pad from which worms and Trojans might launch attacks on the network.

[12] http://www.gartner.com/it/page.jsp?id=509906
[13] Times of India, dated 04 April 2009


[Figure 13: Growth of Mobile Malware. Bar chart; y-axis: Malware discovered, 0 to 450; x-axis: Year, with the categories 2004, 2005, 2006 (Average), 2007 (Average) and 2008 (Average); bar values as extracted: 44, 177, 305, 366, 402. *Source: http://www.cellphonehits.com]

As observed in Figure 13, the threat of malware in mobile devices is rapidly increasing year on year.

Unlike a computer virus, which can be observed and dissected on a machine that is disconnected from any network, wireless malware can spread, and in some cases even make transoceanic leaps, the moment the infected phone is powered up. It could send unwarranted MMS (Multimedia Messaging Service) and SMS (Short Message Service) messages to all contacts on the infected phone which has malicious files on it. Further, call logs of the device, carrying all personal and professional contacts and data on the phone, could also be sent to a commercial Internet server for viewing by a third party.

The security implications of any non-genuine software for mobile phones must be carefully understood. It is imperative to create stringent safeguards to ensure that malicious non-genuine versions of any such software are not made available.


Academic Institutions

Usage of non-genuine software by students

Setting the context

According to a study commissioned by Ipsos [14] a few years ago, 61 percent of the students surveyed never or rarely paid for commercial software programs. In addition, just under two-thirds of the college and university students surveyed do not consider swapping or downloading digital copyrighted files (software, music and movies) without paying for them as unethical. Among students who say they would always download music or movies without paying for them, 27 percent said they regularly download and share software through a peer-to-peer (P2P) network [15]. Empirical studies also suggest that students tend to retain their attitudes towards usage of non-genuine software as they graduate to higher studies.

Consider this

Students widely use P2P sharing networks such as Limewire, Morpheus and KaZaA to share files. These networks are also a popular source for sharing software, key generators and crack tools. However, unknown to the user, these files can contain malicious software in the form of Trojans and Worms which pose significant security risks. As per a study conducted by the IDC, 59 percent of the key generators and crack tools downloaded from P2P networks contained malicious or unwanted software. Another recent study [16] showed that 68 percent of all downloadable responses in Limewire contained archives and executables containing malware. Some of the typical malware encountered in P2P sites like Limewire [17] are listed in Table 3.

[14] Higher Education Unlicensed Software Experience: Students and Academics Survey, Ipsos Public Affairs, May 2005
[15] Higher Education Unlicensed Software Experience: Students and Academics Survey, Ipsos Public Affairs, May 2005
[16] A Study of Malware in Peer to Peer networks, Andrew Kalafut, Abhinav Acharya and Minaxi Gupta
[17] A Study of Malware in Peer to Peer networks, Andrew Kalafut, Abhinav Acharya and Minaxi Gupta

"When a user illegally downloads a movie, song, game, or software his / her computer is likely to have been incorporated into the P2P network, possibly without the user's knowledge. It also means that the user's computer has very possibly been exposed to harmful viruses, worms and Trojan horses, as well as annoying pop-up advertisements. There is a real danger as well that private information on the computer has been accessible to others on the network, providing opportunities for identity thieves to obtain personal and financial information from network users who in most cases have no idea that their data is vulnerable."

Rajiv Dalal
Managing Director
Motion Picture Dist. Association of India (MPDA)


Table 3

Malware | Function/Definition | Typical examples | Percentage of Limewire files infected
Downloader | A computer program that is designed to download files onto a PC, usually without the user's knowledge or consent. A downloader may also be programmed to perform automatic downloads in order to update itself. | Win32.Zlobdx, Win32.Banload.n | 45.16 percent
Worm | A virus which creates copies of itself on other drives, systems or networks and performs other malicious actions which may cause systems to shut down. | Worm.Alcan.D, Worm.VB.-16, Worm.P2P.Poom.A | 40.32 percent
Backdoor | Remote control software which allows a third party (the attacker) to gain access to and control of a victim's computer. Backdoors, considered to be Trojans, can bypass security mechanisms. Backdoors are a security risk because they can gain personal information or use a victim's computer to attack a server. | NetBus, BackOrifice | 25.81 percent
Adware | A software program that can display advertising banners while the program is running. Adware may track a user's personal information and transfer the collected data to third parties, without the user's knowledge or consent. | Adware.ABX.Toolbar, Adware.ActiveSearch, Adware.Adbars, Adware.AdBlaster | 4.84 percent
Dialer | A computer program used to redirect the user's telephone connection to a more expensive line with higher charges for content, provided with or without the user's consent. | Adware.Adhelper, Dialer.Antispy, Dialer.Asdplug, Dialer.AxFreeAccess | 4.84 percent
Keylogger | Malware that cuts into the data exchange between the user entering it and the intended recipient application. It records any information that the user types at any time using his/her keyboard and can send it to a third party. The keylogger creates a log file which can be sent to a specified receiver. Trojan and PUP keyloggers are functionally identical. | Keylogger.Cone.Trojan, Keylogger.Mose, Keylogger.Stawink | 3.23 percent

The table suggests that files and unlicensed software obtained by students through P2P networks pose significant information security risks to educational institutions.


Whilst some educational institutions in India have documented policies in place to discourage usage of non-genuine software, the extent of their effectiveness in serving as a deterrent to students is debatable. Effective student awareness programs, counseling and appropriate disciplinary actions would go a long way in curbing the rampant usage of non-genuine software by the student community.

The risks could also often take the form of regulatory non-compliance. A case in point is where the Software and Information Industry Association (SIIA) [18] was involved in an investigation of a university in the mid-west region (USA) where the students were creating Warez [19] sites/content on college servers.

[18] What is Piracy - The Piracy problem (SIIA)
[19] "Warez" refers to copyrighted works traded in violation of copyright laws


Increased Security Exposure for Government

Setting the context

Studies [20] show that IT spend by the Indian public sector is one of the fastest growing amongst Asian countries. Within the public sector, a significant percentage of IT spend is by the defense, internal security agencies (such as intelligence and immigration) and public safety agencies.

Typically, government departments/organizations are the ones involved in large turnkey IT outsourcing contracts, where the scoping of the deployment of genuine software is seen to remain unclear amongst the outsourcing organization, service provider and software vendor. It has been seen that this increases security exposure during large deployments or projects in government enterprises.

Consider this...

A government department decides to upgrade its existing IT infrastructure/network and invests in substantial new IT hardware. Whilst original operating systems are purchased for key servers, unlicensed software is installed on a few end user systems. Unknown to the users, the unlicensed software contains a backdoor, which allows the host to be remotely controlled by a command-and-control server. Subsequently, sensitive files are accessed and relayed to the controllers through encrypted schemes that provide cover and stealth from existing intrusion prevention mechanisms.

[20] Such as the study conducted by Springboard Research, a Singapore based firm, in 2006


A recent investigation conducted by Information Warfare Monitor [21] shows that the above scenario is not far-fetched. The investigation revealed the existence of a global malware-based cyber espionage network (termed GhostNet) which compromised at least 1,295 computers in 103 countries, including 53 IP addresses in India. A large percentage of the targets were located in government institutions such as embassies and ministries of foreign affairs, including several Indian embassies, as illustrated in Table 4.


"Government departments cannot use, or condone the use of, unauthorized software. The consequence of usage of non-genuine software in our department could be serious from a security perspective. The risk of compromise of our databases not only impacts the reputation of the department and the ministry, but also is a kind of ransomware that could be used by malicious elements of the society to track financial positions of citizens and hold them for ransom."

Neeraj Kumar
Joint Director of Income Tax
Directorate of Income-Tax (Systems)

Table 4: Government of India institutions affected by GhostNet

Organization | Confidence | Location | Infections
National Informatics Center, India | L | IN | 12
Software Technology Parks of India | L | IN | 2
Office of the Dalai Lama, India | H | IN | 2
Tibetan Government in Exile, India | H | IN, US | 4
Embassy of India, Belgium | L | BE | 1
Embassy of India, Serbia | L | CS | 1
Embassy of India, Germany | H | DE | 1
Embassy of India, Italy | H | IT | 1
Embassy of India, Kuwait | H | KW | 1
Embassy of India, USA | H | US | 7
Embassy of India, Zimbabwe | H | ZA | 1
High Commission of India, Cyprus | H | CY | 1
High Commission of India, United Kingdom | H | GB | 1

*Source: Tracking GhostNet: Investigating a Cyber Espionage Network, Information Warfare Monitor (IWM), Canada, March 2009

[21] Tracking GhostNet: Investigating a Cyber Espionage Network, Information Warfare Monitor (IWM), Canada, March 2009


As countries jostle for supremacy over the strategic cyber domain, the threat of cyber espionage is an existing reality. Installation of non-genuine / unlicensed software on any IT systems in government offices may result in irretrievable losses of strategic information to hostile third parties.

[Figure 14: Correlation between software piracy and botnet attacks. Bar chart with two series, Botnet Attacks (USD Million) and Software Piracy Rate (%); y-axis: Units, 0 to 90; x-axis: Country, with the categories USA, China, Brazil, South Korea, Poland and Japan. Annotation: "In the list of Top 6 countries (in terms of botnet attacks), China, Brazil, South Korea and Poland have medium-high software piracy rates". *Source: Business Software Alliance (BSA) - 2007 Global Software Piracy Study, www.Securityfocus.com]

Increasing adoption of Internet enabled technology solutions, combined with the high software piracy rates in India, could be a contributing factor in making the government sector more susceptible to attacks such as the botnet attacks described above. As seen in Figure 14, several botnet attacks can be traced to countries such as China, Brazil, South Korea and Poland, where there is a medium-high software piracy rate.


Reputation Risks

Setting the context

The government can criminally prosecute an organization for copyright infringement and, if convicted, fines can range from INR 50,000 - 2,00,000 and a minimum jail sentence of 7 days going up to 3 years can be levied as well [22]. According to the BSA [23], in 2008, non-genuine software cost businesses in the UK as much as 16 million in legal fines. Last year, the BSA took 294 legal actions on behalf of its members in the UK and more than 3,000 legal actions were conducted across Europe and Africa.

Consider this...

In March 2009, BSA reported to have settled claims of USD 350,909 from four California-based companies for having unlicensed copies of software installed on their computers. The companies paid damages in the range of USD 70,000 to USD 110,000 for having unlicensed copies of software such as Adobe, Symantec and Microsoft software installed on their computers. As part of the individual settlements, the companies have agreed to delete all unlicensed copies of software installed on their computers, acquire any licenses necessary to become compliant, and commit to implementing stronger software license management practices.

Wouldn't you rather be involved with improving business efficiencies and productivity instead of wasting time and resources in settling legal suits and re-establishing reputation?

[22] Indian Copyright Act & http://www.nasscom.in/Nasscom/templates/NormalPage.aspx?id=6250
[23] http://www.itpro.co.uk/index.php/609881/pirated-software-costs-firms-16-million


Seeing the larger picture

The intent of this whitepaper has been to highlight the far-reaching impacts of using non-genuine software on the security of individuals, businesses, governments and nations. In the discussions above, we have attempted to bring to the forefront the evident as well as the concealed implications that non-genuine software usage has on its stakeholders.

The surge in Internet penetration, which provides easier access to non-genuine content available online, coupled with nascent compliance infrastructure, low end user awareness levels and weak legal enforcement, poses a formidable challenge in combating non-genuine software usage.

The Indian government has taken cognizance of the various information security threats and has set up CERT-IN (Computer Emergency Response Team - India) with the charter to become the nation's most trusted referral agency of the Indian community for responding to computer security incidents as and when they occur, the key objective being to reduce the risks of computer security incidents [24].

In addition to the services provided by CERT-IN, the Government of India's Central Vigilance Commission (CVC) has issued guidelines to control the menace of counterfeit IT products including operating systems [25]. India's new IT Act that was recently passed by the parliament also changes the country's approach to user generated content and piracy of copyright content on the web and mobile.

Many businesses today have created special roles in the ranks of Chief Security Officers (CSO) / Chief Information Security Officers (CISO) to limit the hazards of information security threats. Appropriate mindshare on issues like weak security controls, inadequate security organizations, non-genuine software usage, low levels of security awareness and management commitment towards the information security program help provide reasonable assurance that these threats are minimized and managed well.

[24] Source: http://www.cert-in.org.in/mission.htm
[25] Source: http://www.cvc.nic.in/007crd008.pdf

The way forward


Organizations are taking initiatives for conducting security awareness sessions to make employees aware of the numerous threats and enable them to take proactive measures to safeguard themselves and their organizations from becoming victims of the various information security threats. In a survey conducted by KPMG [26], a majority of CIOs/CISOs stated that their organization had an employee awareness program on security implications of using non-genuine software and that they were well aware of industry initiatives and government regulations around it (Figure 15).

[Figure 15: Two pie charts. "Employee awareness program on security implications of non-genuine software": Yes 74%, No 26%. "Aware of measures taken by industry / government to combat usage of non-genuine software": Yes 78%, No 22%. *Source: KPMG study]

[26] KPMG survey of CIO/CISOs, An Inconvenient Reality, KPMG in India, June 2009


Our survey indicates that the percentage of organizations stating that a significant number of their employees are aware of the security implications of using non-genuine software is high. Further, the number of organizations where security incidents are being reported for identification/detection of non-genuine software is also fairly high (Figure 16).

[Figure 16: Two pie charts. "Percentage of employees aware of security implications of using non-genuine software", with the bands 0-25%, 25-50%, 50-75% and More than 75%; slice values as extracted, in the same order: 9%, 13%, 26%, 52%. "Any security incident reported on identification of non-genuine software in organizations", with the labels Yes and No; slice values as extracted, in the same order: 39%, 61%. *Source: KPMG study]


The above analysis indicates that while some of the corporate consumers are aware of the risks of using non-genuine software and are taking initiatives to discourage it, there still exists a large section of user groups, small office and home users, that are ignorant of the potential consequences.

Organizations should institute a program for discouraging use of non-genuine software

- Create a formal list containing program name, copies available, serial numbers, version numbers and future upgrade requirements
- Run awareness training programs for employees and communicate the organization's commitment to genuine software
- Obtain undertakings from all third parties to ensure they only supply and use genuine software
- Ensure controls are enforced to prevent and detect installation of non-genuine software
- Ensure compliance by periodic audits
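The register-and-audit controls recommended above, as an added Python example that is not part of the KPMG paper: a formal software register (program, version, licensed copies, purchased serial numbers) is checked against an endpoint inventory, and the audit flags installations no licence covers, serials the organization never bought, one serial shared across hosts, and over-deployment. All product names, serials and host names below are constructed.

```python
"""Software register audit (added example, not from the KPMG paper).

Implements the controls recommended above: keep a formal register of
program name, version, licensed copies and purchased serial numbers, then
audit the endpoint inventory periodically to detect installations that
the register does not cover. All product names, serials and host names
are constructed for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class LicenseRecord:
    """One line of the organization's formal software register."""
    program: str
    version: str
    licensed_copies: int
    serials: FrozenSet[str]  # serial numbers the organization actually bought


@dataclass(frozen=True)
class Install:
    """One installation as reported by an endpoint inventory agent."""
    host: str
    program: str
    version: str
    serial: str


# A finding is (category, host, detail); host is "*" for fleet-wide findings.
Finding = Tuple[str, str, str]


def audit(register: List[LicenseRecord], inventory: List[Install]) -> List[Finding]:
    """Compare what is installed against what was licensed and return findings."""
    by_key: Dict[Tuple[str, str], LicenseRecord] = {
        (r.program, r.version): r for r in register
    }
    findings: List[Finding] = []
    installs_per_key: Counter = Counter()
    hosts_per_serial: Dict[str, Set[str]] = defaultdict(set)

    for inst in inventory:
        key = (inst.program, inst.version)
        rec = by_key.get(key)
        if rec is None:
            # Nothing in the register covers this program/version: either an
            # undocumented purchase or a non-genuine copy; both need follow-up.
            findings.append(("UNREGISTERED", inst.host,
                             f"{inst.program} {inst.version} not in register"))
            continue
        installs_per_key[key] += 1
        hosts_per_serial[inst.serial].add(inst.host)
        if inst.serial not in rec.serials:
            # A serial the organization never purchased is the typical trace of
            # a key generator or a copied installation.
            findings.append(("UNKNOWN_SERIAL", inst.host,
                             f"{inst.program} {inst.version} serial {inst.serial}"))

    # One purchased serial showing up on several hosts points to copied media.
    for serial, hosts in sorted(hosts_per_serial.items()):
        if len(hosts) > 1:
            findings.append(("SHARED_SERIAL", "*",
                             f"serial {serial} on {len(hosts)} hosts: "
                             + ", ".join(sorted(hosts))))

    # More installations than licensed copies, even when every serial is valid.
    for key, count in sorted(installs_per_key.items()):
        rec = by_key[key]
        if count > rec.licensed_copies:
            findings.append(("OVER_DEPLOYED", "*",
                             f"{key[0]} {key[1]}: {count} installs, "
                             f"{rec.licensed_copies} licensed"))
    return findings


# Constructed register and inventory for a small office.
REGISTER = [
    LicenseRecord("AcmeOffice", "2009", 3, frozenset({"AO-1001", "AO-1002", "AO-1003"})),
    LicenseRecord("AcmeCAD", "5.1", 1, frozenset({"AC-7781"})),
]
INVENTORY = [
    Install("ws01", "AcmeOffice", "2009", "AO-1001"),
    Install("ws02", "AcmeOffice", "2009", "AO-1002"),
    Install("ws03", "AcmeOffice", "2009", "AO-1002"),  # purchased serial reused
    Install("ws04", "AcmeOffice", "2009", "AO-9999"),  # serial never purchased
    Install("ws02", "AcmeCAD", "5.1", "AC-7781"),
    Install("ws05", "AcmeCAD", "5.1", "AC-7781"),      # second seat on a 1-seat license
    Install("ws05", "PhotoFixer", "3.0", "PF-0001"),   # not in the register at all
]


def run_sample() -> List[Finding]:
    """Audit the constructed data; returns six findings across all four categories."""
    return audit(REGISTER, INVENTORY)


if __name__ == "__main__":
    for category, host, detail in run_sample():
        print(f"{category:<14} {host:<5} {detail}")
```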

Users need to be more aware

- Buy software from genuine sources
- Check online for the authenticity of the serial numbers on the supplier's genuine online website
- Validate the genuine identification marks on the installation media / packaging
- Assess the genuine identification marks on the websites, prior to downloading, to distinguish between genuine and fake websites providing downloads
- Preserve all original licenses and documents
- Adhere to policies on usage of genuine software in the workplace

As end users continue to perceive a cost advantage in using non-genuine software, there is an imminent need for the industry, academic institutions and the government to play an active role in creating awareness of the risks of software piracy. Public education campaigns and awareness directives should be used as a medium to help users make informed choices with respect to purchase of software. Educational institutions should implement effective software asset management policies to regulate the use of non-genuine software in their facilities.


The existing legal and regulatory frameworks also need to be strengthened and rigorously enforced to dissuade individuals and corporations from being a part of the non-genuine software chain. Existing government initiatives such as the appointment of the Copyright Enforcement Advisory Council (CEAC) and creation of piracy targeting cells in State Police Headquarters should be expanded and strengthened both in scope and operations.

Considerations for the Government

- Development and rollout of a program for sensitizing students and parents alike on the security impacts of using non-genuine software
- Facilitate faster and more focused punitive action for non-compliance; setting up special courts dealing specifically with Intellectual Property issues may be considered
- Obtain undertakings from all third parties to ensure they only supply and use genuine software
- Ensure controls are enforced to prevent and detect installation of non-genuine software
- Ensure compliance by periodic audits

Only a concerted effort from the industry, the government and the consumers can possibly ensure minimization of information security risks arising from usage of non-genuine software.


Appendix: Methodology

The methodology deployed in the development of this whitepaper was primarily a combination of limited primary research, assorted discussions with government and corporate representatives, and secondary research.

We performed a study of 50 select websites providing counterfeit software and/or various enablers to non-genuine software (such as cracks, key generators, serials and warez), with the objective of identifying threat vectors like potential malware, auto-redirections/pop-ups, and unsolicited content. The approach adopted was to visit the home page and the page for one sample download.

In addition, we performed a survey of a group of Chief Information Officers / Chief Information Security Officers (CIO/CISO) of organizations to understand their views on programs for, and awareness of, security implications of using non-genuine software. This survey was performed using a survey questionnaire focusing on identification of:

- Existence of an employee awareness program on security implications of using non-genuine software
- Proportion of employees aware of security implications of using non-genuine software
- Any security incident reported on usage of non-genuine software
- Reasons for an average employee to use non-genuine software
- Awareness about measures taken by government/industry to combat usage of non-genuine software

The secondary research information sources include:

- Business Software Alliance (BSA) 2007 Global Software Piracy Study
- Scansafe Annual Global Report 2008
- Harrison Group Whitepaper on Impact of the use of unlicensed software in mid-market companies (2008)
- Tracking GhostNet: Investigating a Cyber Espionage Network, Information Warfare Monitor (IWM), Canada, 2009
- IDC whitepaper on Risks of Pirated Software
- Symantec APJ Internet Security Threat Report, Trends for 2008, Volume XIV, Published April 2009


in.kpmg.com

KPMG in India
KPMG Contacts

    Pradip Kanakia

    Head of Markets

    Tel: +91 (80) 3980 6100

    e-Mail: [email protected]

    Akhilesh Tuteja

    Executive Director

    Tel: +91 (124) 3074800

    e-Mail: [email protected]

Mumbai
KPMG House, Kamala Mills Compound

    448, Senapati Bapat Marg,

    Lower Parel,

    Mumbai 400 013

    Tel: +91 22 3989 6000

    Fax: +91 22 3983 6000

    Delhi

    DLF Building No. 10,

    8th Floor, Tower B,

    DLF Cyber City, Phase 2, Gurgaon 122 002

    Tel: +91 124 307 4000

    Fax: +91 124 254 9101

    Bangalore

    Solitaire

    139/26, 3rd Floor,

    Inner Ring Road, Koramangala,

    Bangalore 560 071

    Tel: +91 80 3980 6000

    Fax: +91 80 3980 6999

    Chennai

    No.10 Mahatma Gandhi Road

    Nungambakkam

    Chennai 600 034

    Tel: +91 44 3914 5000

    Fax: +91 44 3914 5999

    Hyderabad

    8-2-618/2

    Reliance Humsafar, 4th Floor

    Road No.11, Banjara Hills

    Hyderabad - 500 034

    Tel: +91 40 6630 5000

    Fax: +91 40 6630 5299

    Kolkata

    Park Plaza, Block F, 6th Floor

    71 Park Street

Kolkata 700 016
Tel: +91 33 4403 4000

    Fax: +91 33 4403 4199

    Pune

    703, Godrej Castlemaine

    Bund Garden

    Pune 411 001

    Tel: +91 20 3058 5764/65

    Fax: +91 20 3058 5775