Recommendations of the International Conference on Cyber Security
Nov 30: An international conference on Cyber Security was held
at New Delhi on November 29th and Nov 30th organized by the World Council
of Corporate Governance and Institute of Directors. After the debate a set
of recommendations were developed on behalf of the participants.. The
recommendations (which will be shared with the Government) along with some
rationale for the same are provided herewith for general information.
Details
5 Key Steps to Cyber
Security
Nov 29: Speaking at the
International seminar on Cyber Security organized at Delhi by Indian
Academy of Law and World Council for Corporate Governance, Naavi presented
what he called as Vision-2009 for Cyber Security. He highlighted that Cyber
Security is an essential part of National Physical space security and
identified need for development of Compliance culture, Development of
appropriate indigenous security standards such as LIPS1008, Cyber Crime
Insurance, Compliance software development, and development of an
integrated infrastructure on national scale to coordinate the
security work of different agencies were the 5 Key Steps required to be
taken towards achieving cyber security. (Gist
of his presentaion is available here.)
MySpace Case corroborates our interpretation
Nov 29: Naavi has
been in the forefront of developing cyber jurisprudence in India. One of
the key interpretations of Naavi was in interpreting the "Diminishing the
value of information or utility" under Section 66 which he has often held
as wide enough to cover misuse of genuine passwords. This view now stands
upheld by the US Courts in the Lori Drew case. Earlier, his interpretation
that Banks should be held liable for Phishing was also upheld in a German
Court. Some Indian luminaries are averse to the interpretations calling
them "Creative". But we are of the opinion that new laws in a new field
need new ways of interpretation.
Lori drew case report
Cyber Space and Physical Security
Nov 28: In the light
of the war launched on India by terrorists who landed in a rubber boat
landing right next to the Taj in Mumbai and then spanned out causing havoc
in Mumbai, a renewed thought comes up on how Cyber technology can help the
maintenance of physical security. Though there are CCTV cameras in some of
the public places they seem to be of no assistance in preventing such
assaults. It is necessary for an army of people to keep watching the CCTV
footages and raise alarm when there are suspicious movements. Alternatively
there needs to be automated alerts if technology permits. Perhaps there is
a need for research in the area of artificial intelligence to explore the
technological options. In the meantime, it is necessary for the CCTV
footages to be made available for vigilante groups for monitoring and
raising alarms where necessary. Naavi.org invites comments from the public
on "How Netizens and Cyber Technology can assist in fighting terrorism".
Cyber Threat Report-2009
Nov 23:
Georgia Tech Information Security Center (GTISC) has released its report on
the emerging cyber threats The report has highlighted the increasing
emergence of Botnets and Cyber Wars in Cyber Security. Threats to VOIP
networks and mobile have also been highlighted. The report also highlights
the emergence of Cyber Crime economy where the crime syndicates are
investing in technology to derive financial benefits. These observations
need to be carefully factored into the information security plans in India.
Detailed Report
Deccan Chronicle website infected with
Trojans.
Nov 22: Some time back, Naavi.org had pointed out Indian
Express and Deccan Herald websites having been infected. Now it is the turn
of Deccan
Chronicle . It appears that there is a specific strategy of the virus
distributors to use popular news paper sites for hosting the trojan
distribution activity.
Organizational
Responsibilities for Fraud Prevention
Nov 18: "Where there is Money, There
will be Frauds" is a truth every financial professional knows. The
increased use of technology in the Banking, Financial Services and
Insurance (BFSI) business has introduced the dimension of "Fraud
Management" as part of business responsibilities of BFSI business...
It is necessary for the BFSI
managers to recognize that it will not be long before the liabilities for
Frauds will be shifted to the institutions from the customers. World wide,
this is the trend. If some body wants to create a commercial venture built
on a technology platform, it is the responsibility of the owner of the
venture to make it safe for the customers. This principle is now part of
the legal mandate and often manifests itself in the form of "Legal
Compliance", and "Mandatory Information Security Audits"...More
3i infotech
licensed as Certifying Authority
Nov 16: 3i infotech became the eigth licensed certifying authority
in India when it received its license with effect from 7th November 2008.
Branded e-Mudra CA, the new CA
has stareted functioning with the standard set of digital certificate
products for e-mail signing and web form signing. The other licensed CAs
are NIC, IDRBT, TCS, MTNL, Customs & Central Excise, (n) code Solutions CA and
GNFC. It is however disappointing to note that as of 16th November, the
website is yet to function fully. Considering that Digital Signature
business is a "Zero Error Tolerance" technology field, it is necessary for
3i infotech to set right the website soon.
It is also
observed that even on the CCA site, the
link to the CPS is not working.
Since CPS is a pre-requisite for granting of the license, one cannot
understand how a week after the granting of the license, CPS is still not
available. It is also interesting to note that the column on
"Authorized Representative" in the
CCA site is left blank. Apparently the license has been issued in
a hurry. Can we expect the product to be bug-free? Has it been sufficiently
tested? Is there a process in the licensing for "Testing"?.. CCA needs to
clarify. (Ed: Copy of CPS was made available on the CCA site on 17th Nov
2008 after e-mail from Naavi.org.)
BJP IT Cell in Karnataka
Nov 16: BJP which has set up a national IT Cell with professionals from
different IT fields contributing to the policy formulations,
computerization in the party and e-Governance activities
has now appointed a coordinator for the Karnataka cell. (Accompanying news
report from Vijaya Karnataka, Bangalore ed 16th Nov 2008).
Mr
Janardhan, an Engineer with work experience in CISCO, DELL, SUN
Microsystems and Sasken amongst others and an American patent holder has
been nominated for the purpose. Such cells have been in operation in
Chennai and Gujarat.
The
IT cell could be a good instrument for a Public-Private partnership in
bringing the benefits of ICT to the e-Governance operations.
Naavi.org
which is in the process of implementing a Statewide Cyber Law Awareness
Movement (karnataka saibar kaanUnu prajnaaMdOlana) as a private
sector initiative for public good welcomes this development.
Explanation
from SBI Cards
Nov 14: As per the response sent by SBI Cards to the anomaly pointed out earlier,
it is stated that the monthly card statements show certain entries as
debits and credits. However the balance shown as payable is not calculated
out of these debits and credits. There is a second stream of calculations
which monitors the dues of the customer and the amount payable gets printed
from this calculation. In other words, a part of the contents of the
statement is printed out from the database of transactions and the part
from another application. If all the transactions during the month form
part of both streams of calculations then the statement appears correct. In
cases where there are adjustments which are not part of the current
transactions, the balance payable will not be a result of the summation of
the debits and credits shown in the statement. In other words there may be
an excess claim during one month and a short claim in a different month.
This leads to a total confusion in the customers who follow their expenses
separately and try to tally with the amount claimed. The mistake gets
compounded as in the subject case which we referred where there was first
an unauthorized debit in respect of a cancelled insurance policy and then
creation of an unauthorized EMI-loan against the payment. This
resulted in multiple entries both debit and credit in respect of the same
transaction leading to a complete messing up of the account. Hope SBI cards
will revise the monthly statement format to ensure that what we see on the
transaction list is what the balance is made off.
Fraud or Magic at SBI
Cards?
Nov 10:
At SBI Cards some magic appears to be happening. 2+2 is adding upto
some thing different than 4 and the managers seem to be unable to sort out
why it is happening?. I am giving below an extract of a statement from a
Card account which shows a one month statement of expenses for April
2008 including transactions booked internally by the Bank. According to
simple arithmetic, the statement adds up to indicate a net amount payable
by the client to the extent of Rs 4678.02. However, the Bank indicates an
amount payable of Rs 9453.42.
As an
Information Security observer, one of the possibilities indicated by the
incident is that the software of the card division might have been
fraudulently manipulated and at certain conditional fulfillment, it charges
customers an amount higher than what is payable.
Now through
this open forum the attention of SBI is being drawn once again to the need
for top management attention on the matter. The matter requires an
independent Source Code audit of the Card accounting software to determine
why the accounting is going wrong. In view of the possible fraud behind
this incident it is necessary for a CBI enquiry to be ordered to make an
impartial investigation...
Detailed Article
Church in
Pakistan opposes death penalty for Cyber Terrorism
Nov 9:
An attempt to make Terrorism through Cyber Space punishable with death
penalty in Pakistan has been opposed by Pakistani Church. If death
penalty for Terrorism is acceptable, the question arises if Cyber Terrorism
should be made an exception and if so why?
Related
Article :
Article 2
Article 3
Article 4
Naavi reiterates need for National Cyber Security Advisory Group
Nov 7: Chairing the session on "ICT and National Security" at the
BangaloreIT.biz, Naavi reiterated the need for a National Cyber Security
infrastructure to coordinate the activities of all security related
activities such as Cyber Crime policing, Private Sector Information
Security practice and CERT In. He said that strict laws alone cannot
provide the solution and underscored the importance of Cyber Security
awareness amongst the users. "We cannot secure some body unless they want
to be secured" he stated. Dr B A Mahesh, former SP Cyber Crime Cell,
Bangalore indicated the different types of cases handled by them. Dr
Gulshan Rai, Director, CERT-In introduced the activities of CERT-In and Dr
Kamlesh Bajaj, Director, DSCI presented the role of DSCI in assisting the
industry in Cyber Security practices.
Report in CIOL:
Report in TMC.net
Report in ITexaminer.com:
tmcnet2
:
Report in nationalsecurity.org :
individual.com
Blogger's Vicarious Liability
Nov 6: Here is an interesting
article on Blogger's liabilities. The author argues that "posters
should nonetheless be compelled to get up on their soapbox and stand behind
their words. It's far too easy for someone to be able to spew venom — even
falsity — around when nobody knows who he is". This aspect is covered under
the concept of "Due Diligence" in India and Naavi.org has been advocating a
voluntary "Blogger's Ethics" practice to be followed by Bloggers.
International Conference on Cyber Security
29-30 Nov 2008,
New Delhi,
India
Nov 3:To
address & debate Internet Security issues the World Council for Corporate
Governance of UK (WCFCG) together with its associate the International
Academy of Law, India (IAL), and in partnership with Cyber Law College are
organizing an International Conference on Cyber Security in
New Delhi on 29-30 Nov, 2008.
Its theme is “Legislation,
Monitoring & Enforcement of Cyber Laws”.
Law
makers, Governmental policy makers, Legislators, Business leaders, IT
experts, eminent jurists, enforcement organizations, academics, bankers &
reputation agents are expected to participate. The conference aims to tap
the rich tapestry of global experience to enrich thinking on cyber laws,
internet security and governance issues for public good. For Participation
details, visit www.wcfcg.net or
contact naavi@vsnl.com.
GOI to undertake Cyber Security Awareness Campaign
Nov 3:The MCIT is reportedly undertaking a project to conduct Cyber Security
Awareness programmes in different technical institutions. It may be
recalled that such efforts have been pioneered from Naavi who has conducted
several such programmes across the country from awareness lectures to three
day workshops in Engineering Colleges, REC(NITs) and Law Colleges etc as a
private initiative. Though a delayed reaction, the current move of MCIT is
welcome.
It may however be pointed out that Naavi has always been projecting such
programmes as "Cyber Law Compliance" or "Cyber Ethics" since there is
every possibility of such programmes unwittingly becoming initiation of
young technical brains into "Ethical Hacking". Since the College students
may include current and potential terrorist sympathizers, any discussion on
"Security" will turn into a discussion on "How it happens?" and tools of
hacking and sniffing become part of the discussions particularly if the
sessions are handled by persons who may be technical experts but not
trained teachers.
It is for this reason that Naavi has always been advocating that "There
shall be no teaching of ethical hacking without teaching of Cyber Laws,
consequences of non compliance of laws etc". Hence there is a need to
focus the training towards "Ethics" though the underlying discussion is on
"Security".
Article in IE
China Leads in Cyber Wars
Nov 3:In yet another reminder to the world, the emergence of China as the Cyber
War specialist is being indicated by many Cyber Security experts.
According to the UK National Infrastructure Security Coordination Centre,
around 300 UK government departments and critical infrastructure businesses
have been attacked so for. China has a plan for using industrial espionage
to turn their country into the mightiest industrial and military power on
the planet. China poses as a rising star in the world of commerce,
industry, technology and science. It is reported that
Fake British currencies are being printed in various cities. ID and visa
fraudsters are in alliance with the drug mafia and their networks. They go
through personal files and even employ desks to obtain names, job titles,
social security numbers, home addresses and other information available. In
addition, businesses, public organizations, and academic institutes
received highly politicized virus-laden e-mails from these networks.
Information networks of these groups jam TV and radio transmission. The can
hijack radio and TV transmission for a disinformation campaign. They
sabotage the transaction of stock exchange. During the Gulf war in 1991,
Dutch hackers stole information about the US troop movements from Pentagon
computers...etc.
The scenario is simply scary. Are we ready to defend our Country? If so
what is our strategy? Where does it begin? Who is responsible for this?..
are questions every Indian is asking. Does MCIT has an answer?
Related Article
Privacy Rights in India
According to Na
Vijayshankar, cyber law campaigner, the police are supposed to monitor any
anti-social activities in society and can take action on their own.
Vijayshankar, who is also the Chairman of the Digital Society Foundation of
India, says the organisation proposes to act as a vigilante unit. He points
out that his organisation even filed a PIL in connection with denigration
of Gandhi on You Tube. "I personally try to keep the police informed. I
strongly feel the police should maintain contact with voluntary
organisations to act as cyber informers."
Article in DH
US Lawyers Fight over interpretation of Cyber Law
Nov 1: The Lori Drew Case where the accused impersonated herself as
a young boy deliberately to befriend and later insult an unsuspect school
girl Megan Meir, causing her to commit suicide has drawn attention of
"Cyber Jurisprudents" in interpreting if certain provisions of the
"Computer Abuse Act" can be applied to the case.
The point under contention is that the MySpace terms prohibited
impersonation through creation of a false profile. Alternatively, the
registered profile created a virtual personality and the terms provided
access to a person matching the false profile and the real personality had
Unauthorized access.
In this case the
creation of a false profile was not only intentional, it was part of a
deeper conspiracy. It is true that creation of false profiles is a common
practice. But mostly it is a "Concern for Privacy" which may prompt persons
to give false information or use assumed names on the social networking
sites. But should such practices be checked? or at least brought under
"Good Faith and lack of malicious intention"? are some of the larger issues
involved in the case.
The facts of the case does
not seem to suggest that the accused deserve any sympathetic bail out due to technical reasons.
The larger issues may be debated as part of the "Due Diligence"
interpretation. In fact one of the beauties of Indian ITA2000 is that it
provides scope for an interpretation of what is "Due Diligence" at
different levels such as the "User" and "Service Provider". These would
have been helpful in resolving jurisprudential issues since every type of
interpretation cannot be part of the law book.
Details
Make "Security Informatics" part of Engineering Study
Nov1: As a response to the growing importance of information
security in the industry and the need to inculcate a "Security Culture"
early in the careers of young Indians, there is a need to encourage
Engineering Colleges in India starting a new discipline on Security
Informatics as a subject of study. The upcoming IT event in Bangalore viz
IT.biz has several activities centered around IT initiatives in the State
of Karnataka, Naavi.org urges the State Government to also consider an
action plan for introducing a suitable course in Security Informatics as a
part of Engineering Study in the State.
Australia Proposes Law for National Pornography Filter
Nov 1: A law has been proposed in Australia for
mandating national filters for blocking Child pornography on Internet.
Though the move has been opposed by business interests, it represents a
practical desire to rid the Internet of one of the most harmful menaces
that has an adverse effect on the society.
It may be recalled that in an article dated January 5, 2002, titled
"Declare a
War on Cyber Pornography", Naavi suggested "..For
the present I would like to state that the first attempt which is easy to
achieve is to prevent Indian Cyber Space being used for purveying
pornographic content. This can be achieved by a suitable administrative
guideline where by the State or Central law enforcement authorities can
after a due process of verification order the ISP s manning the Internet
Gateways to block "Objectionable Sites". In order to prevent misuse of this
provision, there could be a transparent system of approval of such
"Blocking" from a team of responsible members from the public."
In the
current times nearly seven years later, the threat from Pornography has
widened into an Information Security Risk since pornography is used not
only to corrupt young minds and make money but also to drop trojans, expand
botnets and commit other crimes for financial benefits as well as a part of
Cyber Warfare.
When
countries considered more permissive are taking such "Cultural Policing" of
Internet seriously, in India we are considering dilution of punishment
under Section 67 from 5 years to 2 years and exempting Intermediaries from
their due diligence responsibilities envisaged in ITA 2000 by amending the
ITA 2000. (See
here for more details)
Despite
several technologists as well as ISPs bitterly opposing our commitment to
make Indian Internet Space as clean as possible and the non cooperation of
agencies such as Police or CERT in the savitabhabhi website case, Naavi.org
continues to demand that India should make strong moves in fighting
pornography for the larger benefits of the society.
We also
urge at least one of the ISPs committed to a Better Indian Internet Culture
voluntarily sets up a type of filter proposed in the Australia referred to
here and lead the way.
![[Valid RSS]](http://www.naavi.org/image/valid-rss.png "Validate my RSS feed"){kind=small}
