Crime ware as a Service Model

June 29: Experts are predicting that trojans that download from legitimate websites (Refer Deccan Herald incident reported here on June 19) will be a serious threat in 2008 to the Cyber world. It is reported that the Olympics in China would be used as an opportunity to distribute malicious trojans through information sites. It is also reported that Criminals have started extensive collaboration to the extent that after downloading one malicious code, the user is often redirected to another malicious website. New real time security monitoring services are therefore required for web based activities in the coming days. Report in BS

First Adjudication Application in South India filed

June 26: Chennai which had recorded the first conviction under ITA 2000 in India recorded another first under ITA 2000 today. This was the first adjudication application filed under Section 46 of ITA 2000. The application was made by an NRI customer of ICICI Bank who has alleged that a contravention of ITA 2000 has occurred resulting in an unauthorised entry into his account and withdrawal of over 6 lakhs. More  : Related Article in Deccan Chronicle

Where is ROC Karnataka in Cyber Space?

June 21: Registrar Companies is an important department of any State Government and all existing and prospective investors who would like to invest in the State would be visiting the site for information on how to start and register a new limited company in the State. In terms of the image of the State, it is therefore an important department to be nursed by the State Government.

Until some time back, the website of Registrar of Companies, Karnataka had been hosted by NIC.  ...As of date the site was not available and "page Not Found" error is being displayed. This indicates the lack of interest by the department which generally reflects the dis-interest in e-governance.

 It appears that the new Government has appointed a new Principal Secretary in charge of e-Governance who comes with a good reputation for innovation and hopefully things would improve.  More

It happens even in UK

June 21: Naavi.org has repeatedly been pointing out that Police especially in places like Bangalore are not eagerly pursuing cyber crime complaints and are turning away complainants on some pretext or the other. As a result one of Naavi's initiatives namely Cyber Crime Complaints and Resolution Assistance Center has found it difficult to meet its objective of helping Cyber Crime victims. Now it appears that the situation is no different in UK as this report suggests. Report in computeractive.co.uk

Increasing Phishing Activities in India

June 21:  Vishal Dhupar, MD, Symantec India, has in an interview to CIOL stted that  there was an 18% increase in Phishing mails during the first half of 2007 over the previous six months. He stated that 196,860 unique phishing messages worldwide were detected by the Symantec Probe Network during this period.  What is alarming is that according to the Symantec threat  report released by on April 16, 2008, India was the fourteenth ranked country worldwide that hosts Phishing websites. Mumbai ranked highest in India in terms of phishing sites with 38 percent. Following in second position in this ranking, is New Delhi with 29 percent, followed by Bangalore and Chennai with 12 percent each.

There are three reasons why Phishing proliferates in India. The first is the lack of security amongst the Banking sector. The second is the lack of will for the Cyber Crime Police to pursue the cases  and the third is the lack of action by the "adjudicators". Naavi.org has been trying to raise the awareness level amongst Bankers, Police and the adjudicator's level to ensure that quick action is taken in casesof reported phishing activities.  Report in CIOL

Cyber Scam in Ahmedabad

June 20: Chennai Police has arrested an 3rd year B Com student from Ahmedabad who is alleged to have stolen credit card information and made fraudulent purchases worth more than Rs 3 lakhs on e-bay. The incident highlights the problems created by the online hacker community sites which take pride in teaching people how to cheat online. This should be thoroughly investigated and all those persons who can be apprehended should be done so and charged. Related Article in TOI

Deccan Herald Requires Cyber Law Compliance?

June 19: Some time back, Naavi.org had reported compromise of Indian Express website where in an banner advertisement was used to divert the visitors to an alternate site. Now a more serious incident has been reported on the Deccan Herald website alleging that the site hosts at least three malicious codes. Google reported that "Of the 28 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 06/18/2008, and the last time suspicious content was found on this site was on 06/17/2008".

This alert was brought out when the site was visited with the newly introduced browser Mozilla Firefox3. We thank one of our visitors Mr Sameer Ahmed Khazi for having brought this to our attention.  This brings out the usefulness of the security plug in of this new browser. See the alert screens : More

State IPR Policy in Kerala

June 18: A new chapter has been written in the history of IPR legislation with the Indian state of Kerala taking a step to announce its IPR Policy with an objective of protecting traditional knowledge such as Ayurveda against the onslaught of globalization. Report in ::Hindu Draft Policy

Computer Abuse Act Invoked Against Cyber Bullying

June 17: The Megan Meier suicide case in Missouri (US) where the 13 year old girl committed suicide after being befriended and rejected online by a 49 year old lady posing herself as a 16 year old boy has attracted attention worldwide both for its tragic implications as well as the legal aspects involved in the trial which is now on.

Now it is reported that Federal Prosecutors  in California,  have  invoked the Computer Fraud and Abuse Act of 1984, which is usually applied against hackers to punish Lori Drew.

The prosecution has argued that the servers used by MySpace, which are maintained in Los Angeles, (hence the location of the trial) were violated by Drew and her unnamed co-conspirators who used false information to set up the account and therefore broke the website's terms of service. MySpace is not a party to the prosecution, but has not reportedly  protested against the action.

Naavi.org appreciates the initiative taken by the prosecutors in this regard though many legal experts may not be in agreement with the approach of applying the Computer Abuse Act to the case of Cyber Bullying. ..More

Career Opportunities for Information Security Professionals

According to a recent survey  by ISACA,  information security managers  are experiencing significant career momentum and move up  into management ranks and acquire more business-focused responsibilities. The survey also revealed that the top five most common activities performed by information security managers in their current positions are risk management, security program management, data security, policy creation, and maintenance and regulatory compliance. Report in newswiretoday.com

It may be noted that while ISACA and other institutions focus on providing knowledge inputs to professionals in the area of Technical aspects of Information security, Naavi's Cyber Law College focuses on the Techno legal aspects of Information security which includes regulatory compliance. If a professional has to develop into a well rounded Information Security professional, he needs to learn Cyber Law and its impact on regulatory compliance. Cyber Law College is providing this critical input to the Information Security.

Pakistani Cricket Official Sacked for E-Mail Leak

June 13: In an incident reminiscent of the earlier incident in India when an email sent by the then coach Greg Chappell to the BCCI president was leaked to the press, former Pakistani Test player Saleem Altaf as Director, Special Projects was sacked on charges of leaking of his e-mail to Pakistani team manager Talat Ali, where he had criticized the Pakistani team for their performance against India in the Bangladesh tri-series. Pakistani Board officials reportedly  said the decision to sack Altaf came after the chairman ordered his telephone to be bugged and recorded some eight hours of discussions he had with various people.

From the Cyber law angle, this case refers to the publishing of one's own e-mail sent to another. This can be considered as in-discipline under the Board's rules but not an offence under law. However the "Tapping" of telephone could be considered as an offence under law.

This case reflects a tendency of some people to resort to illegal means to prove what may otherwise be a legitimate cause. In the process they end up making a bigger mistake than the accused and face an awkward situation... More

e Bay held Vicariously liable for selling Counterfeit goods

June 11: The infamous Baazee.com (Now called ebay.in) case where the CEO of Baazee.com was once arrested by Delhi Police on application of the provisions of Section 67 of Information Technology Act 2000 (ITA 2000) has been a landmark case in India for ITA 2000 observers.

In this context, the recent decision of a French Court making e-Bay liable for selling Counterfeit goods and imposing a fine is of significance. In this case eBay has been convicted of selling counterfeit goods and ordered to pay $32, 497 (Approximately Rs 1.3 million) as damages to Hermes on charges that two counterfeit Herms bags were sold on the site.

The arguments which clinched the decision included

"eBay is an active player in the transaction because not only does it offer a number of services to improve the sale, but when it does not work well enough or fast enough, they intervene with the client," "They are perfectly informed of the transactions since they take a percentage cut."

..More

Security specialists urge for Cyber Crime laws in Qatar

Nasser al-Qahtani, an official at the Economic Crimes Prevention Division of the Ministry of Interior,  Qatar speaking in the first Doha Conference on Information Security urged for separate Cyber Laws to prevent Cyber Crimes.  He explained how “there are no separate laws, but they are part of the penal code.” and  described the difficulties faced with finding sufficient evidence for prosecution, as the people who perpetrate these kinds of crimes are often very intelligent and experts at covering their tracks.

ictQATAR Regulatory Authority’s legal and regulatory manager, Meegan Webb, said that ictQATAR had been involved with the drafting of the telecommunications law, as well as the draft e-commerce law which is expected to be passed in the near future, but has no specific timeline. She also said she wants to extend current laws to be able to cover businesses operating outside Qatar, but conducting business within the country. Details at gulftimes

US Supreme Court  limits Patent Rights

June 10: Close on the heels of the interesting judgement in the Autodesk-Vernor case discussed below, another Court decision in US has tried to limit the operation of Patent rights to prevent multiple royalties being charged.

The case revolves around a long-time Supreme Court doctrine that says the sale of an invention exhausts the patent-holder's right to control how the purchaser uses it. The decision  reaffirms the patent exhaustion doctrine, which entitles consumers to use, repair, or resell patented products that they have purchased.

This principle should now start reflecting on all IPR issues as the principle "Once Sold, It is Sold". Limited or Restricted sale concepts in IPR contracts will now be difficult to be protected.

The principle upheld in the above two decisions therefore represents a turning point in the history of IPR. .. More

Software.. is Sold not Licensed.. says US Court

June 10: In a significant ruling, the District Court at Seattle has upheld the rights of a software user to re-sell the software. The company (Autodesk) contended that its products are licensed and hence the licensee cannot sell it to another person. However the Court held that since the terms of transfer did not necessitate "return" of the product to the company, the transfer cannot can called a "License" but has to be held as a "Sale". This case Autodesk Vs Vernor is bound to be a land mark case in the copyright area since  there is an unfair tendency amongst some software sellers to prohibit further disposal of software by buyers. Copy of the judgement

Ahmedabad BPO accused of Data Theft

June 09: An Ahmedabad based BPO owner, Maulik Dave, has been accused of data theft from a Florida-based company and selling them to its rival companies in the US. His company Business Bee Solutions worked for a Florida-based Company Noble Ventures Inc developing and maintaining the website of Noble Ventures. Noble ventures itself is in business of selling US Citizen's data to marketing companies.  It has been alleged that after the contract was cancelled, Mr Dave tapped and sold 85 lakh records to some US companies. Based on a complaint from the US company the local police have arrested Mr Dave and also seized his computers. The total estimated loss claimed is around Rs 1 crore. .. More

Details at TOI Related Story in BNN

Karnataka Elections Website

June 09: Karnataka has recently completed an eventful state elections. In one of the first of its kind in India, the Karnataka State police put up a very informative website under http://www.kspelections.com containing day to day report on the law and order situation across the state.  The site is now under suspension since the elections are over but the archived site is still available for the public to browse through. This is perhaps one of the standing examples of a citizen centric e-Governance initiative which should be a model for all other States. More

Rights of Police to see E-Mails and Chat Transcripts

June 09: The much publicized Arushi murder case in Noida threw up for discussion the rights and propriety of the Police going through the private Internet conversation of the murdered Arushi and making the contents public. This article in CIOL tries to discuss some aspects sorrounding such a case.   Article in CIOL

As per the opinion of Naavi, the collection of information relevant to the investigation cannot be faulted but the publication of the information particularly when the investigation was under progress was not appropriate. By doing so they might have actually hampered the investigation. Unless the police can defend their action by stating that they seeded the information in public space so as to trap the real killer, there is no justification for their action. According to Naavi remedy in this case should be sought as a "human rights violation" since it amounted to character assassination of another person, more so when the person is dead, more so when it is a young girl.  

Is Nasscom Website off Air?

June 09: The website www.nasscom.in appears to be off air at 0845 am. It is not clear if this is due to routine maintenance or hacking. It could also be due to domain name problems. We await resumption of the site. The error message received is given here. at bloggers.net

P.S: It has been reported that the problem was due to a technical glitch. The site has since been restored.

Privacy Concerns in Indian IT law

June 08: The 18th annual Computers, Freedom and Privacy (CFP) Conference was held in the United States between May 20th and 23rd and focused on Technology Policy Issues. Amongst other things discussions about the status of Indian Privacy law int he light of the Black Berry issue came for discussion. ..More

ATM Fraud at Nagpur

June 07: An employee of the Bank is reported to have committed an ATM fraud in Nagpur by tapping a customer transaction and re sending it to the machine to make it dispense cash once again. The fraud has been committed by installing an interception device directly to the electronic cable.

Though the Bank has successfully resolved this case, had the customer not perhaps complained quickly or had the fraudster removed the device before being found out, it would have been extremely difficult to prove the fraud and the loss would have perhaps been borne by the customer. Normally in such circumstances the video from CCTV would be of assistance. However some Banks do not maintain the CCTV recordings beyond 24 hours and hence it would be of no use in most of the cases where the fraud comes to light after one or two days. It is necessary for RBI to mandate that CCTV recordings are kept for a period of at least one year to assist investigations in such cases. Alternatively, the CCTV recordings can be maintained in a black box from which the storage device is changed by an agency other than the Cash changing agency at periodical intervals and archived under the digital signature of the inspecting official.  Article in ET

Cyber War threats to India

June 07: Sources from the Ministry of IT have confirmed that in the last 24 hours "Low to medium intensity Cyber Intrusions into web servers maintained by Indian Government have been reported".  As in the past, CERT has stated that this is a routine affair since everyday about 19 sites in India are hacked.

 

It is necessary however to realize that the recent attacks are not from the "Script Kiddies" who normally hack websites just for fun nor from Pakistan backed terrorists but from China which appears to be specializing in Cyber Warfare. It is high time that Indian security specialists try to develop a national Cyber Security plan to meet this emerging new threat from China.

 Related Article in dnaindia   :: Related article in ET :: A scenario from the future

Mumbai Cyber Crime Police Station to Start Soon

June 06: One of the Country's largest dedicated Cyber Crime Police stations is coming into operation  by end of June in Mumbai .
The police station, which will deal exclusively with cyber crimes, has been set up in the Bandra Kurla Complex  and will have four assistant commissioner of police rank officials, four police inspectors, four sub-inspectors, 32 assistant sub inspectors and 60 constables.

VSNL Customers.. Beware of this Phishing Mail

June 05: A mail with the subject line "UPGRADE YOUR EMAIL ACCOUNT" sent from teamgrade@gmail.com is being distribtued to vsnl e-mail account holders with the object of phishing for the password. Users may ignore the same. In the event they have already replied to the same take steps to change your password immediately. It is possible that your account may be misused for committing frauds.

The body of the mail is as follows:

"Dear valued customer,

We are currently performing maintenance for our Digital Webmail Customers. We intend upgrading our Digital Webmail  Security Server for better online services.
 
In order to ensure you do not experience service interruption,Please you must reply to this email immediately and enter your password here (********) and Check out your new  features and enhancements with your new and improved Vsnl Account,To enable us upgrade your Vsnl Account for better online services please reply to this mail.
 
Thank You For Using Vsnl Account"

AXIS Bank Phishing Mail

June 04: Naavi.org has received a report about the recent circulation of a phishing mail attacking Axis Bank customers.

The mail comes from Axis Bank <customer.service@axisbank.com> with the subject line **AXIS BANK ALERT** : Please Re-confirm Your Internet Banking

The mail reads as follows:

During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your Account billing information. This might be due to either of the following reasons:

A recent updates in our billing server ( Due to slightly problem )
2. A recent change in your personal information ( i.e. change of address).
3. An inability to accurately verify your selected option of payment due to an internal error within our processors.

Please re-confirm your Internet Banking by clicking the link below:

https://www.axisbank.co.in/BankAway/SignOn.aspx?RequestId=714870

Thanks for your advance help.

Axis Bank
Customer Service.

Note that the link provided in the mail actually links to a different site. Netizens may avoid responding to the same and in case they have responded, contact the Bank immediately to disable transactions until a new password is set.

A Woman Hacker Arrested by Chennai Police at Bangalore

June 04: It has been reported (Source: Deccan Chronicle Chennai) that the cyber crime cell of CB-CID, Tamil Nadu police,  arrested a 25-year-old woman from Bangalore for allegedly hacking into the e-mail account of a defence employee from Nilgiris and misused his contacts for financial benefit.  Police identified the arrested woman as Ritu Anderson aged 25, mother of a six-month-old child.  According to Ms S. Mallika, superintendent of police, CB-CID, the police found that the hackers had impersonated as S.D. Paul a defence store keeper from Nilgiris and had sent an e-mail to his friend in Kuwait seeking Rs 75,000.

When his Kuwait friend informed Paul about the email, the latter lodged a police complaint about the impersonation.  The CB-CID team, led by cyber cell deputy superintendent of police Balu, arrested three persons - Neville Philips (35) Peter Francis(42) and Peter Anderson (38) from Bangalore. Further investigations led them to Ritu, who was picked up  for questioning and later arrested.  “We have enough evidence to show that that Ritu was the brain behind the operation,” Ms Mallika said. Ritu, wife of another accused Peter Anderson, is a graduate with computer knowledge and had been involved in a similar case in Bangalore earlier.  Ritu after coming to know about the email id and password of the complainant decided to use it ‘to generate’ funds with the help of the other accused. The accused then sent a mail to Mr Frank D’Souza, working in Kuwait seeking Rs 75,000, from the complainant’s id.

The above incident is a typical fraud in which the e-mail of a person would be hacked and all his contacts would be sent a mail saying that he is great trouble in a foreign country..lost his passport and wallet..etc and seek immediate help in the form of some money to be sent..

Chennai Police need to be congratulated in successful investigation of the case and hopefully it will be pursued for an early conviction.

Related Article: Baby held along with hacker family

"Get Rich" Schemes under Google Name

June 03: Google Adsense is a successful business model for publishers. It enables genuine content owners to monetize their content through ads served by the Adsense servers.

However, it appears that there is a proliferation of "Get Rich" schemes that are coming up across the globe which are becoming a source of concern.... More

God Fathers of Cyber Crime

June 02: As the world recognizes the risks of Cyber Crimes, the role of Crooked Intermediaries who proliferate Cyber Crimes by providing a safe haven for criminals in the form of secure hosting services, domain name services etc needs to be assessed. These Russia's Russian Business Network is considered one of the most notorious  service providers who provide refuge to more than 50% of the global Cyber Criminals. Now it appears that a network 3322.org in China is also trying to gain a pride of place in this notorious world of Cyber Crimes. This is said to be hosting facilities for launching over 10000 malicious codes (Viruses) in the Internet. One such virus was recently identified in US where a dangerous code "Poison IVY" was found in an attachment sent in the name of Pentagon to one of their vendors.  Related Article in Business Line :

Regulators and Security specialists need to address this issue of how to check the proliferation of these "Rogue ISPs" whose sole aim is to make money at any cost. Naavi.org has recently brought to the notice of CERT-In about the existence of one such "Rogue Site" specially aimed at corrupting the young kids in India with a request to disable the operations of this site. There appears to be a need for a more concerted national initiative in this regard and we are looking forward to emergence of a "National Security Forum" in India for this purpose

BSE Fights Over Sensex URL

June 1: BSE is facing a Trademark litigation on the right to the use of the word "SENSEX". Deccan Chronicle which launched its Bangalore Edition today has reported about a similar dispute which BSE has raised against a domain name owner. Report in Deccan Chronicle

Copyright Defendants Take law Into Their Own Hands

June 1: Media Defenders a company providing anti-piracy solutions has allegedly launched a denial of service attack on revison3.com as a part of their anti piracy drive. According to Revision3 sources "Revision3 runs a tracker expressly designed to coordinate the sharing and downloading of our shows. It’s a completely legitimate business practice, similar to how ESPN puts out a guide that tells viewers how to tune into its network on DirecTV, Dish, Comcast and Time Warner, or a mall might publish a map of its stores".

According to other reports, Media Defense uses “its array of 2,000 servers and a 9GBps dedicated connection to propagate fake files and launch denial of service attacks against distributors.”

This  denial of service attack is yet another incident of how the Copyright lobby is arrogating to itself the law to hurt another without a proper legal process. The action of Media Defense is nothing different from that of a Naxalite or a Terrorist who has his own reasons to strike at another bystander. This tendency needs to be checked.

Related Article in bloggersnewsnet : Article in revision3.com

Baazee.com Case Clarification

June 1: In partial modification of the earlier report on the Baazee.com case, it is now clarified in a new report at Indlaw that the case against the corporate entity of Baazee.com continues with charges under IPC Sections 292(2) (a) [Selling] and 292 (2)(d) [Advertising] along with Section 67 of ITA 2000. Charges under Section 294 on the Company has  been dropped. However, charges on Mr Avnish Bajaj under Section 292 of IPC as an individual has been dropped. The charges under Section 67 of ITA 2000 read with Section 85 of the ITA 2000 as applicable to individuals will remain.   Report in Indlaw