WhatsApp camera bug could lead to misleading digital evidence

WhatsApp has become a powerful communication app which is used by many to also take photographs which are immediately sent out to groups or contacts at minimum effort. No doubt this is a great feature and very useful for the users.

However, I observe that there is a practical issue connected with the camera function which could render it an instrument of “Manipulation of Digital Evidence”.

If one uses the WhatsApp camera button and clicks a photograph with the front camera, then the image is stored with a lateral inversion. An example is shown below.

The problem occurs when a person takes an action picture such as one writing a letter with his right hand. The picture may show that the person is writing with his left hand.  At first glance therefore the person would appear to be a leftie. This could vitiate immediate evidentiary value of the photograph and adds a new dimension to accepting such photographs as digital evidence.

This is a technical bug which should be corrected by WhatsApp by introducing an automated operation to recognize that a picture is being taken with the front  camera and immediately make a lateral inversion of the picture before it is stored in the application and forwarded to the addressee.


Print Friendly

Principle of Secure Technology Adoption..creating a secure ecosystem for Cyber transactions

Ever since the demonetization, the pace of technology adoption  in India by common people particularly for financial transactions, is on the increase. The UPI system supported by the multi banking platform such as the BHIM has brought digital payments within the reach of every common person holding a mobile. JIO now has announced that it will be releasing LTE enabled feature phones at Rs 999/- and along with its data offers, will further ensure that the mobile penetration will reach deeper and deeper into the lower strata of our society.

It is a matter of pride that India is progressing in the use of digital communication and adopting it even for E Governance, E Commerce and E Banking.

But some times I feel as if it is a kind of joy which a parent feels when their young child who has just learnt to ride a cycle wants to go out into the streets on his cycle. It is a joy to recognize that the child has grown up but  it is a  joy that is peppered with a concern on what risks the child would face on the streets. Some parents would be so overwhelmed by the concern that they would never allow the child the permission to go out. But some may try to facilitate the child to go out on the streets and also try to manage the risks that may arise in the process.

A wise parent  is not paranoid about the risks nor would ignore the risks. He/she may advise the child about the risks to the extent necessary but to the extent to scare him/her off of his/her enthusiasm to go out cycling on the streets.

Cyber Security professionals today are in this dilemma….

….Should we support and encourage the Government and the people to go ahead and adopt to technology? ..ignoring the risks?.. or

……Should we put our foot down and block the technology adoption?.

May be we should also consider the third option…

…….Should we act like a wise parent who takes such steps as to enable “Safe Cycling on the Streets for the Newbie”?

Naavi.org has been confronted with this difficult choices from time to time in its quest for “Building a Responsible Cyber Society” which is the motto with which the undersigned embarked on his journey into spreading the message of  Cyber Law around 1999 using the internet as the media.

At times we have been highly critical about the unplanned developments that are pushed through by commercial interests and even blamed the Government agencies and RBI for their inability to moderate the introduction of technology. But more often we have always ended with the thought that technology is welcome but its adverse impact needs to be recognized and citizens need to be protected. It is under this thought that we have always focussed on “Cyber Law Compliance” on the one hand and “Cyber Insurance” on the other hand.

The next wave of cyber security risk would be unleashed with the Aadhaar Enabled Payment Systems which on the face of it looks incredibly attractive but at the same time opens up a huge level of risks for the user as well as the intermediary organizations.

In the light of this development, we would like to flag the possibility of Cyber Fraud risks that may arise from the “Stored Biometric Replay Attack” that can be used to authorize fraudulent payments which could put the public in a direct war path with the authorities particularly the Banks and RBI.

UIDAI has protected itself through legislation to avoid liabilities but the intermediary Banks will be exposed to the risks of vicarious liability under ITA 2008 and the limited liability principles under the RBI guidelines.

The Banks are of course trying to persuade RBI not to confirm the “Limited Liability Principle” (Check RBI Circular of August 11, 2016). If RBI yields and Prime Minister Mr Modi and Finance Minsiter Mr Arun Jaitely continue to ignore our repeated reminders , the Banks will successfully push the liability for frauds on the public.

Public will then turn their anger against the rapid technology adoption without corresponding initiation of security measures. Mr Modi should remember how his demonetization policy was opposed more for the bad implementation rather than the policy itself .

We therefore urge all the three stake holders namely the Cyber Fraud victims, the Banks and the Government to take appropriate actions in their respective spheres of activity to ensure that the Cyber Risks particularly in the digital payment eco system is managed effectively.

We need to therefore urge all these stakeholders to find out ways and means of “Secure Technology Adoption” and not be drawn into technology adoption because it is the “fashion of the day”.

The principles discussed above in the context of  Banking and Digital Payment system are even more relevant when we take into consideration the Internet of Things, Digital Medical devices/implants, Driver less Cars, Smart Cities etc.

In this context, we would like to present for academic discussion the “Theory of Secure Technology Adoption” . The dimensions of this theory are explained in greater detail in the subsequent post/s.


Print Friendly

Security of Aahaar again comes for review

The recent news report that UIDAI has initiated investigation on three firms suspected to have violated the rules of aadhaar authentication by sending stored biometrics to UIDAI server for authentication. The firms involved are Axis Bank, Suvidha Infoserve and E Mudhra. (Refer article here). UIDAI claims that the data received for authentication multiple times was an “Exact Match” which is statistically impossible and hence indicate a “Stored Biometric” being sent for authentication. The firms on the other hand have stated that the authentication request refers to “Testing” of some applications and not any attempt in committing any fraud.

While in this particular instance, there may not be any fraudulent intentions on the part of the three parties involved, the incident has confirmed what we have been indicating as a possible security risk where the biometric can be stored in soft form and re used.

In the past we are aware that Certifying authorities have been indulging in the practice of keeping copies of private keys which can later be used for committing digital signature forgeries. Neither the CCA or the Government has taken corrective steps.

Now the entire “Aadhar Based Payment System” is in jeopardy because of the revelation of this incident. As one of the security professionals has pointed out (Refer article here), it was naive for UIDAI to announce in the public how they were able to identify the potential violation of Aadhaar authentication  in this case. Like it often happen when Police officials conduct press conferences to boast about a successful investigation, the revelations made by UIDAI will be information to future fraudsters on how to bypass known security measures.

Now, having committed one mistake too many, it is the responsibility of UIDAI to harden their authentication mechanism without necessarily giving out too many details to the public. It is of course still possible to secure  the authentication mechanism through innovative methods. But UIDAI may or may not be capable of identifying such mechanisms nor they may be interested, since it is the characteristic of UIDAI that they have been always in denial mode whenever security weaknesses are pointed out.

We hope that without first resolving the security issues, UIDAI does not jump into Aadhaar based payment systems through NPCI and land Indian citizens in trouble.


Print Friendly

Why GDPR is a threat to Indian IT industry

GDPR (General Data Protection Regulation) introduced by EU in replacement of the Data Protection regime hither to in place has opened up a debate on whether it is an “Opportunity” or a “Threat”.

IDC predicts (Refer article here) that a substantial opportunity would be created for security and storage software vendors since the severity of fines would drive for a shake up of data protection practices. According to IDC, the total market opportunity created is of the order of $3.5 billion. Of this the securty software from GDPR concerns is expected to raise from $811 million in 2016 to$ 1.8 billion in 2019, and storage software would grow from $258 million in 2016 to $1.7 billion in 2019.

There is no reason to disbelieve this projection. However if one part of the industry is making $3.5 billion, it has to be spent by another part of the business. In the case of GDPR driven business change, the data processing industry will incur the expenditure while the data security and storage vendors including the cloud storage product vendors will gain the corresponding revenue.

Additionally, the data processing industry has to also incur expenditure on “Compliance Consultancy” and “Cyber Insurance” which is not a small expenditure by itself.

Also, though the GDPR is discussed globally as if it is an issue between EU and US, the Indian IT industry also has a huge stake since it works both for the US and EU clients and needs to provide a “GDPR Compliant Data Processing Service”.

Indian IT industry needs to observe that the GDPR is proposed as a “Global Regulation” and imposes restrictions which would mean that no Indian Company would get EU business if it is not compliant with GDPR and if it tries to be compliant, it has to confront the following penalty structure.

Fine: 10,000,000 Euros or 2% Global Turnover, for offenses related to:

Child consent;
Transparency of information and communication;
Data processing, security, storage, breach, breach notification; and
Transfers related to appropriate safeguards and binding corporate rules.

Fine: 20,000,000 Euros or 4% of Global Turnover, for offenses related to:

Data processing;
Data subject rights;
Non-compliance with DPR order; and
Transfer of data to third party.

It would be essential for all Indian IT companies to plan for

a) GDPR Compliance measures such as Creating awareness, making gap analysis etc

b) Hardening the Security and Storage

c) Obtaining Cyber Insurance Cover

d) Auditing suspected data breach incidents

e) Incurring the expenditure on penalties if any

Obviously, the industry has to be prepared for at least a 5% increase in its data processing costs which along with the increasing VISA costs coming from the US markets, make it difficult for them to remain profitable and competitive.

I urge NASSCOM to take suitable steps to ensure that the impact of GDPR on India is not adverse. At the same time strategies to harness the benefits that may flow from the global implementation of GDPR should be drawn up urgently.

The DeiTy also needs to evaluate measures that it may contemplate to ensure that GDPR does not hurt the IT industry in India.


Print Friendly

GDPR Knowledge Center opened

In a bid to continue the legacy of naavi.org as an endeavour to “Build a Responsible Cyber Society”, Naavi has started yet another educational website that should complement the current activities in promoting Cyber Law Compliance in IT industry in India. This new effort is to build awareness about the “General Data Protection Regulation” (GDPR) which has replaced the Data Protection Regime in European Union and is set to change the landscape in Privacy practice in India and elsewhere in the globe.

Indian IT industry being a dependent on data processing of which a large share of business may come from the EU countries need to ensure that we donot lose business or incur liabilities on account of non compliance of GDPR.

SMEs and Mobile App companies specifically require knowledge input and consultancy to ensure that they are on the right side of the regulations to protect their business.  Towards building a knowledge infrastructure in this regard, Naavi has now started a new website www.gdpr.ind.in dedicated to the presentation of the regulation. This will be supplemented by analysis and discussions on  www.privacy.ind.in (Privacy Knowledge Center) besides this parent website.

Naavi recognizes that the field of Privacy is vast and we can only be a catalyst in starting what we can call as a “Knowledge Center”. For it to truly become one, contributions are to be made by other like minded professionals who can share knowledge for public good.

I take this opportunity therefore to invite Privacy professionals to contribute their thoughts to the building up of the knowledge related to compliance of Privacy Laws such as GDPR so that India may in due course becomes a country recognized as  the best GDPR compliant country. The articles may be published on the Privacy Knowledge Center with due acknowledgement of the contribution.

Come, let us start our journey towards making India the best GDPR compliant country.


Print Friendly

Cyber Swatchhta kendra inaugurated

A welcome initiative of a dedicated website aimed at Cyber Security support for the public was launched today at Delhi in the form of www.cyberswachhtakendra.gov.in

The website is operated by CERT-In and appears to be supported by Quickheal and is promoted as a Botnet Cleaning and Malware Analysis Center”. One of the objectives of the CSK would be to detect botnet infections in India and notify, enable cleaning and securing systems of end users so as to prevent further infections.

The site proposes to provide Cyber Security information as well as free scanning tools from Quickheal for malware.

It may be noted that during the evolution of Naavi.org over a time, links to many malware removal tools and anti virus tools had been provided (See the archive of a page in 2005 showing link to panda scanning software and virus information links on the left menu) along with the educational aspects now proposed by Cyber Swatchhta Kendra. Naavi.org can take the pride that several years before securing Digital India concept evolved at Government level, we were already setting the trend. Naavi.org has evolved subsequently but we hope that many of its services and suggestions will continue to motivate and guide other institutions including Government agencies in the coming days.

We welcome the CSK  initiative and hope it will be maintained properly as it is expected to attract special attention of attackers with an intention to tarnish the image of the Government.

(CSK was a popular abbreviation used by  Chennai Super Kings, a team of the Indian Premier League (IPL). Since it is no longer in operation as an IPL team, the abbreviation CSK can be used for Cyber Swachchta Kendra. It has otherwise been referred to as the Botnet cleaning and Malware Analysis Center with the abbreviation BCMAC)


Print Friendly