Cyber Cafe Owner punished under Section 67C... Now CISOs/CEOs beware!


In a first-of-its-kind verdict, the JMFC Court at Khed, Pune district, sentenced a Cyber Cafe owner to 15 days' imprisonment and a fine of Rs 10,000/- for not maintaining the visitors' register.

The conviction was under Section 67C of ITA 2008 and Section 188 of IPC.

Section 67C is for preservation of records and states as under:

Preservation and Retention of information by intermediaries

(1) Intermediary shall preserve and retain such information as may be specified for such duration and in such manner and format as the Central Government may prescribe.

(2) Any intermediary who intentionally or knowingly contravenes the provisions of sub section (1) shall be punished with an imprisonment for a term which may extend to three years and shall also be liable to fine.

Section 188 of IPC states as under:

 Disobedience to order duly promulgated by public servant.

Whoever, knowing that, by an order promulgated by a public servant lawfully empowered to promulgate such order,

he is directed to abstain from a certain act, or to take certain order with certain property in his possession or under his management,

disobeys such direction,

shall, if such disobedience causes or tends to cause obstruction, annoyance or injury, or risk of obstruction, annoyance or injury, to any person lawfully employed,

be punished with simple imprisonment for a term which may extend to one month or with fine which may extend to two hundred rupees, or with both; and

if such disobedience causes or tends to cause danger to human life, health or safety, or causes or tends to cause a riot or affray, shall be punished with imprisonment of either description for a term which may extend to six months, or with fine which may extend to one thousand rupees, or with both.

Explanation.—It is not necessary that the offender should intend to produce harm, or contemplate his disobedience as likely to produce harm. It is sufficient that he knows of the order which he disobeys, and that his disobedience produces, or is likely to produce, harm.

Illustration An order is promulgated by a public servant lawfully empowered to promulgate such order, directing that a religious procession shall not pass down a certain street. A knowingly disobeys the order, and thereby causes danger of riot. A has committed the offence defined in this section.

It is interesting to observe that the Government of India has not notified any rules under Section 67C. There are, however, Cyber Cafe rules under Section 79. These require a formal "Registration" of cafes with a Registration Agency, but no such agency has been notified by the Central Government.

Certain States may, however, have issued notifications under ITA 2000/8 or other State laws specifying record-keeping requirements. If no such order exists, it is difficult to see how Section 67C can be invoked.

As regards Sec 188 of IPC, the disobedience of the order must cause or tend to cause obstruction, annoyance or injury to a person (probably a public servant). It is not clear that failing to maintain the register per se falls into this category.

Other available information, however, indicates that the Cyber Cafe owner had earlier sent a "threatening" e-mail to the Police Commissioner. Probably the case was originally filed under Section 66A and that section was later dropped.

In any case, it is interesting to note that Section 67C may have been invoked for a conviction for the first time. All companies need to take note of this, since there could be many record-keeping non-compliance issues under ITA 2000/8 of which all of them are guilty. CISOs and CEOs need to watch their backs.

Naavi



95% of mobile users are under threat of Stagefright

In a grim reminder of mobile technology risks at a time when more and more e-banking and e-commerce activity is moving to apps, the "Stagefright" vulnerability is reported to expose nearly all Android users, up to and including Lollipop 5.1.1, to the risk of being hacked.

See details here

Also here

Stagefright is the multimedia library of the Android OS and is present in all versions of Android from Froyo 2.2 onwards. The security risk arises from insecure code in Stagefright that parses incoming media files.

The vulnerability therefore encompasses 95 percent of Android smartphones and tablets (nearly 1 billion devices) in use at present. It has been dubbed the worst vulnerability in the history of Google's Android mobile operating system.

Through the Stagefright exploit, attackers can remotely take control of an Android device and access photos, cameras, private data and more. On devices running Android versions older than Jelly Bean, hackers can gain control of the device even if the MMS is not opened by the user. Moreover, on such devices, hackers can even delete the malicious MMS without the user's consent.

The exploit is delivered by sending a specially crafted MMS to the Android device. The Android OS does not recognise it as a security issue; it sees only a video file, which Stagefright parses automatically.

Users of Google Hangouts are also vulnerable, since the app pre-processes incoming videos for quicker viewing; merely receiving the message in Hangouts may therefore be enough to trigger the exploit.

A partial mitigation is not complicated: disable automatic retrieval of MMS so that a message is not fetched and parsed until the user chooses to download it. In the "Messaging" app, open "Settings" and remove the check on "Auto Retrieve". Note that this only stops the message from being fetched silently; the vulnerable library itself is fixed only by a software update from the device vendor.
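The insecure code the article refers to belonged to a well-known class: arithmetic on size fields read from the media file without overflow or bounds checks, so that a buffer is allocated smaller than the data later copied into it. The following is an added example written for this page, not Stagefright's own code. It parses a constructed byte string laid out as MP4-style boxes (a 4-byte big-endian size that includes the header, a 4-byte type, then the payload), shows a naive 32-bit accumulator wrapping around on attacker-chosen sizes, and shows the bounds-checked walk that rejects the same input. The box contents and size values are constructed for the example and are not taken from any real file or exploit.

```c
#include <stdint.h>
#include <stddef.h>
#include <inttypes.h>
#include <stdio.h>

/* Read a 4-byte big-endian integer, the encoding MP4 box headers use for sizes. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: sum the declared sizes of several boxes into a 32-bit
 * total with no overflow check. Unsigned wrap-around is defined behaviour, so
 * this function is harmless on its own; the damage comes when a real parser
 * passes the wrapped total to malloc() and then copies each box's full-size
 * payload into that undersized buffer. The size fields come from the file,
 * i.e. from the attacker. */
uint32_t vulnerable_total_size(const uint32_t *sizes, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += sizes[i];               /* wraps silently past UINT32_MAX */
    return total;
}

/* Hardened accumulator: refuse any addition that would wrap.
 * Returns 0 with the sum in *out, or -1 on overflow. */
int checked_total_size(const uint32_t *sizes, size_t n, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (sizes[i] > UINT32_MAX - total)
            return -1;
        total += sizes[i];
    }
    *out = total;
    return 0;
}

/* Walk a buffer laid out as MP4-style boxes. A declared size is attacker data
 * and is checked against what is actually left in the buffer before it is
 * used to advance. Returns the number of boxes, or -1 if a header is
 * truncated, a box claims fewer than 8 bytes, or a box claims more bytes
 * than remain. */
int walk_boxes(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 8)
            return -1;                   /* truncated header */
        uint32_t size = be32(buf + off);
        if (size < 8 || size > len - off)
            return -1;                   /* impossible or oversized box */
        off += size;
        count++;
    }
    return count;
}

/* Constructed sample input (not a real file): a 16-byte 'ftyp' box followed
 * by a 12-byte 'free' box, 28 bytes in total. */
static const uint8_t GOOD_FILE[] = {
    0x00, 0x00, 0x00, 0x10, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0, 0, 0, 0,
    0x00, 0x00, 0x00, 0x0C, 'f', 'r', 'e', 'e', 0, 0, 0, 0
};

/* Constructed sample input: a header claiming a 0xFFFFFFF0-byte 'mdat' box
 * when only 12 bytes are actually present. */
static const uint8_t BAD_FILE[] = {
    0xFF, 0xFF, 0xFF, 0xF0, 'm', 'd', 'a', 't', 0, 0, 0, 0
};

/* Declared sizes of two boxes whose sum does not fit in 32 bits. */
static const uint32_t OVERFLOWING_SIZES[] = { 0xFFFFFFF0u, 0x20u };

int demo_walk_good(void)          { return walk_boxes(GOOD_FILE, sizeof GOOD_FILE); }        /* 2 */
int demo_walk_bad(void)           { return walk_boxes(BAD_FILE, sizeof BAD_FILE); }          /* -1 */
uint32_t demo_wrapped_total(void) { return vulnerable_total_size(OVERFLOWING_SIZES, 2); }    /* 0x10 */
int demo_checked_total(void)
{
    uint32_t total;
    return checked_total_size(OVERFLOWING_SIZES, 2, &total);                                /* -1 */
}

int main(void)
{
    printf("well-formed file: %d boxes\n", demo_walk_good());
    printf("oversized box:    %d (rejected)\n", demo_walk_bad());
    printf("naive total of 0xFFFFFFF0 + 0x20 = 0x%" PRIx32 " (wrapped)\n", demo_wrapped_total());
    printf("checked total:    %d (overflow refused)\n", demo_checked_total());
    return 0;
}
```

The point for a reviewer of any media parser is the pair of checks in `walk_boxes` and `checked_total_size`: a size read from the file is compared against the bytes that actually remain, and every addition of such sizes is tested for wrap-around before it is used to allocate or copy. Disabling MMS auto-retrieve, as described above, only keeps untrusted files away from a parser that lacks these checks.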

Naavi


Section 66A(modified) to come back ?

According to this report in Deccan Herald, the MCIT has constituted a panel under the chairmanship of Mr T K Vishwanathan to rework Section 66A, which was struck down by the Supreme Court in what is popularly referred to as the Shreya Singhal verdict.

We invite readers to go through all articles written on this site on the subject of Sec 66A here:

Site Search Google (New Posts) :66A:

Site Search Google (Old Posts) :66A:

Google Search Section 66A+vijayashankar

Duckduckgo search Section66A+naavi

In these articles written by the undersigned, it has been clearly argued that the decision of the Supreme Court in this matter was erroneous. Our contention has always been that Section 66A was not meant to cover "defamation" and was wrongly applied by the Police in various states, most of the time at the instance of politicians seeking to harass their opponents. However, repeated misapplication made everyone believe that the section was actually meant to address defamation in social media.

We reiterate that "publishing" content on social media, where it is visible to many, is different from "sending" a message in the form of an e-mail or SMS. Messaging is one-to-one communication. It does not result in "defamation", since no third party is privy to it unless one of the parties to the communication makes it public. A personal message can, however, cause distress, harassment, threat, etc. Section 66A tried to address this, not defamation.

Unfortunately, neither the petitioner nor the battery of lawyers who participated in the discussions on Section 66A understood the legal intent behind the section. They all assumed that the Police must have been right in arresting persons under Section 66A for social media activities and that therefore the section itself was to blame.

Regrettably, the bench which heard this petition was swayed by populist sentiment about upholding "Freedom of Speech", went on to emphatically assert that Section 66A applied to "all" communication rather than only to "any communication sent through a communication device or e-mail", and declared its commitment to the democratic principle by killing the section.

Politicians of the UPA Government who had repeatedly misused the section to meet their political ends suddenly became champions of free speech and welcomed the judgement. Politicians of the BJP were too confused and inadequately informed to have the courage to say anything different. Media persons, particularly the top TV anchors, were too naive and too swayed by their own populist instincts, and called it a "landmark" judgement upholding the highest principle of democracy.

Naavi was in a minority in stating that the judgement resulted from a misperception of the purpose of the section, and that, while upholding free speech is fine, what the Supreme Court was actually doing by scrapping Section 66A was promoting the mischievous use of social media.

Naavi tried to persuade the Government to apply for a review of the decision but could not succeed.

After a few months, it appears that the Government has finally come to realize that the removal of Section 66A has the potential to do more damage than the perceived benefits it was supposed to bring, and is reportedly considering its re-introduction.

It is good that Mr T K Vishwanathan is back to work on the required drafting. Mr Vishwanathan was involved in drafting the original ITA 2000, though perhaps not in drafting the 2008 amendments in which Section 66A came in. But he is aware of the early discussions on the philosophy behind ITA 2000 and hence should be able to sort it out.

The irony, however, is that what may ultimately come out is actually an "E-defamation law", which did not exist in ITA 2008. ITA 2008 criminalized "obscene publishing" and not "defamatory publishing". Defamation remained a subject of the IPC even when committed with electronic documents as defined under ITA 2000/8. This position will now change: there will be a specific provision on defamation through Twitter, Facebook and other social media vehicles. The so-called "Free Speech Protectors" will have to ready themselves for another legal battle once this new law comes into being.

In the meantime, considering the needs of national security and the role of social media in that respect, the undersigned welcomes the move to regulate certain aspects of the misuse of social media.

We hope, however, that more than "E-Defamation", what gets regulated is the use of social media to spread false rumours, create disharmony in society, etc.

The constitutional validity of criminal defamation is already under challenge in the Supreme Court. Hence, instead of attempting to define "criminal defamation through electronic documents" as a replacement for Section 66A, we can simply link "E-defamation" to what is already available in the IPC by clarifying that any offence under Section 499 of IPC committed with the use of electronic documents shall be construed as an offence under the IPC. The civil aspects of E-defamation can be covered separately by introducing a new section, say 43B.

Additionally, we should not forget to retain the other aspects of Section 66A which the Supreme Court, in its misplaced activist approach, failed to protect: harassment through e-mail and messaging through communication devices, the sending of phishing mails, spamming, etc.

We trust that the expert panel under the chairmanship of Mr T K Vishwanathan takes these suggestions into account before finalizing its recommendations.

Naavi



Does Your Vehicle Insurance also provide you Cyber Insurance?

Cyber security specialists have recently demonstrated how a commercially sold car can be taken over by a remote "hacker", with potentially disastrous consequences.

This article in the Washington Post graphically sketches how a hacker can cut off the engine, disable the brakes or even turn the steering wheel by hacking into the Jeep Cherokee marketed by Chrysler. What is more alarming is that this is not a "Google Car" meant to be driven remotely but a conventional car whose infotainment system is connected to the internet and whose otherwise independent subsystems are managed by electronic sub-systems in the car.

Apparently the researchers gained access to the infotainment system over the internet and, once inside the car's electronic systems, were able to pivot from that subsystem to the others, taking control of each in turn.

It is obvious that malicious hackers could exploit similar vulnerabilities and cause death and mayhem on the roads.

While Chrysler has reportedly responded by recalling about 1.4 million vehicles and issuing a patch to plug the vulnerability, the risk of cars being hacked now stares every car manufacturer and car user in the face.


The biggest beneficiary of this demonstration is, however, the info-sec community, as it opens up more critical job opportunities in the automobile sector. Automobile users, on the other hand, will now remain under constant threat not only from mechanical failures but also from technological failures and, additionally, from cyber criminals.

In the context of the Cyber Insurance discussion running through these columns, it now appears that a car accident can be caused by such a hacking incident, and insurance companies may have to deal with claims for accidents that cannot logically be attributed either to a driver's mistake or to any identifiable external cause. Claimants will have great difficulty explaining the cause of an accident, as finding evidence will be extremely hard. Perhaps the damage assessors need to be not only mechanical engineers who check for mechanical failures but also "cyber forensic" specialists who check the log records of all the electronic systems in the car.

The question that arises in settling a claim is whether a policy which covers "mechanical failures" also covers "electronic failures" and "cyber crimes". Ideally the current policy should cover damage occurring due to the malfunction of a mechanical part, whether because of an internal defect or because of external hacking, unless the risk is specifically excluded.

The publicity now given to the hacking event should be sufficient to establish that insurance companies are aware of such risks, and hence if the risk is not specifically excluded it should be considered "included". In other words, insurance companies will have to accept the uncomfortable truth that current vehicle insurance policies are also "Cyber Insurance Policies".

The problem demonstrated with the Chrysler automobile is also relevant to the managers of Digital India, who need to manage an environment that includes the "Internet of Things". By a similar argument, the current insurance policies covering damage to white goods or other property should also be considered as covering risks arising from electronic component failure, whether due to natural causes or to hacking.

While the manufacturers of internet-exposed devices need to worry about the information security aspects, insurers need to worry about how they would cover these risks.

The future of the Cyber Insurance industry appears to be exciting.

Naavi

Related Articles:

In USA today

In Cnet.com

If you have not yet responded to the online India Cyber Insurance Survey 2015, please do so now.

 


Why can't we spare 20 minutes for a cause?

P.S.: This is a reproduction of what I posted today on LinkedIn.

Cyber crime is accepted as a big concern for all of us. When a phishing attack wipes out a victim's bank account or a cloned credit card is swiped to saddle a person with a crippling debt, we all bemoan the risks of cyber space. However, we professionals think we are immune to such attacks and that they only affect our neighbour.

However, a normal risk analysis indicates that since we professionals make more use of IT, app banking, app payments, e-retail purchases etc., we are more vulnerable than those who seldom use credit cards or e-banking and whom we dub digital illiterates who respond to phishing e-mails. Also, with the growing use of malware to intrude into our systems, the traditional mode of stealing identity information by social engineering is only one method, and the only one against which we may be immune. More breaches occur through simply being present in cyber space, and all of us are at higher risk on this account since we spend 18 hours of the day in cyber space.

Further, in our professional environment, most of us have responsibilities to protect our company's information. We know that "Data Breach Risk" is very much present in our environment. Each day we feel lucky that yet another day has passed without a major information security issue in our midst. Many of us thank our stars that the Indian public is unaware of its right to demand compensation when personal data is not protected by us as required under law. Otherwise an incident such as the Anthem data breach could wipe out even our IT majors in a single data breach. Despite this, at the organizational level we have not factored "Potential Third Party Liability Risk" into our dashboards.

In these circumstances, a group of professionals like me thought it necessary to wake up the Cyber Insurance industry in India and, in the process, have undertaken the India Cyber Insurance Survey 2015.

The objective of this survey is to capture the perception of the user industry on what they expect  from a Cyber Insurance product.

Information about this survey, with a request for participation, has been sent to most of the information security professionals in India. However, the response has been pathetic. The survey, which takes hardly 20 minutes to complete (more if one wants to understand the questions and the import of each one), has seen very few information security professionals responding.

This apathy amongst informed professionals, who should be able to appreciate the importance of Cyber Insurance for their own profession and for the community in general, raises an important issue of human behaviour that matters to all information security professionals.

The key here is "Motivation". Obviously, our IS friends are not motivated enough to participate in the survey. I am trying to analyze why there is this reluctance to participate, and here are some of my thoughts, drawn from my earlier observations on the "Behavioral Aspects of Information Security" expressed at naavi.org.

In the "Theory of Information Security Motivation" (TISM) that I have propounded, I have identified five elements to be managed for the successful implementation of cyber security in an organization. I have also propounded that these five elements are like the five walls of the security pentagon in the figure, and have to be managed simultaneously for information security to be implemented successfully through the management of people.

This theory may explain why our staff do not follow policy guidelines even after training (creating awareness), and what more needs to be done.

Applying this principle, I am trying to understand why information security professionals are not responding to the insurance survey, and would like to share my views in this forum so that readers can respond.

Through various forums, such as e-mail groups and articles on naavi.org, enough awareness has been created about the survey, its purposes and its benefits.

The next question is: can this awareness be converted into "acceptance"? In an organizational environment, "acceptance" can be achieved through "ethical declarations". But in a loosely connected social media network, "acceptance" has to come out of self-motivation alone. I nevertheless make an attempt by requesting all my friends in this forum, at least those who are in India, to take a vow today to complete the survey questionnaire this weekend and be part of the larger cause of starting a national debate on Cyber Insurance. (More of my views on this can be seen at www.naavi.org.)

The third element of the TISM pentagon is "Availability". In the IS implementation context this represents the provision of technology tools to employees by the organization. In the context of this survey, the tool is an online form that is easy to access with a single click.

Mandate represents policy in the organizational context and cyber law in the national context. Obviously, this cannot be used by us on prospective survey respondents. Let's agree to leave this wall open.

Inspiration represents the element which goes beyond a CISO's efforts to push implementation and stands for the self-motivation present in all professionals. Most members of this forum have an element of self-motivation which has enabled them to reach certain levels of professional excellence. Even those who have not yet reached professional high points have come to this platform only to prepare themselves for the future.

I therefore see that, of the five elements of the pentagon, we have Awareness, Availability and Inspiration covered in our reach-out to this forum. "Mandate" is out of the way and "Acceptance" is a shadow of "Inspiration". With three and a half walls covered, there is an interest leak through the other one and a half walls that is perhaps delaying professionals from responding to the survey.

I hope that after reading this post every member of this forum will complete the survey. I even invite my foreign friends to participate so that we get a perspective different from that of our Indian friends.

The link to the survey form is here: Click Now

Naavi


Hanover Survey on Cyber Insurance


In November 2014, an online survey was conducted by Hanover Research to understand the market for Cyber Insurance. (A copy of the published report is available here.) The survey is reported to have gathered information from 271 respondents, most of them insurance underwriters in the USA.

In the context of the first India Cyber Insurance Survey 2015, undertaken by the undersigned along with a group of IS professionals, the key findings of the Hanover survey are presented here for general information.

The Hanover survey focuses on capturing data on the current prevalence of cyber security insurance and the policy forms it takes. Since the Indian Cyber Insurance industry is in a nascent form and the policy structures used here are replicas of the forms used in the USA, these findings have some indirect relevance to India as an influence on the types of policies made available by insurance companies here. The India Cyber Insurance Survey, on the other hand, attempts to capture the views of prospective insurance buyers and to understand what types of risks they would like covered under their perception of Cyber Insurance.

(P.S.: The India Cyber Insurance Survey is presently on, and we are requesting as many respondents as possible to participate by completing the questionnaire available here. If you are reading this article, I request you to take 20 minutes off your weekend to complete it.)

One of the key findings of the Hanover research is that even in the US only 46% of insurance underwriters have a Cyber Insurance practice, though a further 11% intend to offer such services in the coming year.

Nearly 91% of the companies presently offering Cyber Insurance appear to be providing the service only to an "admitted market", which we believe represents customers to whom other services are already being provided. In a way there is an attempt to limit the risk based on the "known client" rather than the "known risk". This is consistent with the hypothesis that insurers are yet to understand the risks and are covering them based on their perception of risk.

There is a general consensus that the market is set to grow, though the expected growth of around 25% is small compared to what Indian insurers seem to be expecting, which is in excess of 50%.

Interestingly, the insurers appear to think that data breach is a risk distinct from cyber crime, and over a third of the respondents believe cyber crimes are more dangerous than data breaches. We suspect the distinction is being made on the basis of whether a risk is triggered by an external attack (cyber crime) or by technology failure (errors and omissions, which may include employee negligence).

The survey confirms that the largest group of prospective customers (40%) believe they do not need cyber insurance, and this is the biggest challenge faced by the insurance companies. An additional 30% feel that some form of insurance against such risks is already present in their systems. The apathy of 70% of the market is what is noted as a concern for the insurance industry. We hope to capture more reliable information on this from prospective insurance seekers in the India Cyber Insurance Survey.

The survey also records that 69% of the underwriters do not have dedicated staff to underwrite cyber security insurance, and only 30% appear to have 11 or more persons working directly on drafting cyber insurance policies. This supports the view that insurance companies do not make a customized evaluation of risks when writing policies and are not equipped to make such assessments.

The India Cyber Insurance Survey 2015 will be able to throw more light on the way Cyber Insurance should be structured based on market expectations.

We request all readers to make the survey a success by contributing their views and also by persuading their friends to provide theirs by participating in the survey.

Kindly circulate the survey form to all your colleagues and friends and ensure large participation.

Naavi
