Monitoring of Employee Internet Activity

After the recent incidents involving corporate employees engaging in terrorist activities, there is an increasing necessity for companies to monitor their employees’ internet activities.

The Hyderabad police have reportedly advised companies to monitor the social media activities of their employees as a part of anti-terrorist measures.

From the Information Security point of view it therefore becomes mandatory for companies to put in place appropriate technology measures to monitor the activities of their employees at least when they use the IT assets of the company.

Further, the HR department needs to devise methods to monitor the behaviour of employees for any pattern of activities that indicates radical leanings towards ideologies that may nurture terrorism.

This is the new challenge to CISOs following the Mehdi Masroor incident in Bangalore.

Naavi


Current Status of Cyber Appellate Tribunal

Recently the press appears to have discovered a new interest in reporting the current status of the Cyber Appellate Tribunal in India.

Last week the Mumbai press reported the number of cases decided by the Maharashtra Adjudicator Mr Rajesh Agarwal, who has become the “King of Adjudicators” by deciding on a number of adjudication complaints. In particular, on 20th January, TOI Nagpur reported the case of a senior citizen who got a relief of Rs 3 lakhs from State Bank of India. On 14th January, TOI had also reported that in recent times six banks and a telecom operator had been asked to pay compensation under ITA 2008 in different decisions.

This development is encouraging. After the Tamil Nadu adjudicator Mr P W C Davidar kicked off the trend with the adjudication in the case of S.Umashankar Vs ICICI Bank, ordered ICICI Bank to pay compensation to the phishing victim, and followed it up with another similar decision, Banks started fighting back to defeat the system. First the Banks tried to manipulate RBI through policy changes, which however did not succeed. In fact RBI, through the Gopala Krishna Working Group report on E Banking security, reiterated the liability of Banks in such cases. However, after the new Governor of RBI took over, the different wings of RBI have not been focusing on E Banking security and there is a danger of the system turning anti-customer in due course.

The undersigned has been running a crusade to ensure that the well-intentioned system of fast grievance redressal envisaged under ITA 2000, which could provide compensation to cyber crime victims within 4 months under adjudication and settlement of the appeal at the next level within 6 months through a simple process, is made to work as intended.

After the initial successes with the TN adjudicator, except for the island of wisdom running in Maharashtra through Mr Rajesh Aggarwal, there is gloom all round the country when it comes to cyber crime victims.

I reiterate again and again that neither Mr Narendra Modi our honourable Prime Minister nor the minister of IT Mr Ravi Shankar Prasad has shown any inclination to remove the gloom.

Let me record here once again why I am forced to make such a strong statement against an otherwise commendable performance by Mr Modi in other sectors and as I continue to watch the Republic Day celebrations.

The first reversal to the fortune of Cyber Crime victims occurred in Tamil Nadu when Ms J Jayalalitha took over as the CM. As a matter of routine, she shifted Mr P W C Davidar from the post of IT Secretary. Other IT Secretaries who followed never discharged their responsibilities as “Adjudicators” to the extent Mr Davidar had done.

The second major reversal occurred in Bangalore, which is otherwise supposed to be the repository of IT wisdom in the country. Here a conflict of interest intervened in a decision in which Axis Bank was one of the respondents, because it also happened to be a Banker to the E Governance activities of the Government. The result was that the adjudicator dismissed the complaint for the reason “The word Person used in Section 43 of ITA 2000 does not include a company and hence no complaint can be entertained if filed by a Company or against a Company”. This effectively kept Companies outside the purview of most of ITA 2000, and no complaint, either civil or criminal, could be filed either by a Company or against a Company. This converted Karnataka into a “Cyber Crime Haven”.

Despite the Karnataka Human Rights Commission taking up the issue and the Legal department of the Karnataka Government confirming that the word “Person” in law includes a body corporate, the current IT Secretary has made it an ego issue and refuses to accept that a mistake was made.

The Karnataka High Court as well as the Chief Minister of Karnataka have also failed to intervene effectively to correct the situation.

Now the only legal means available to the Cyber Crime victims is to get the order of the Karnataka Adjudicator reversed through an appeal at the Cyber Appellate Tribunal.

Herein comes the greatest disappointment. It has been more than 3 years since Justice Mr Rajesh Tandon retired as the Chairperson. Since then the Government of India has been unable to appoint a successor. Yesterday’s article in New Indian Express has rightly captured the developments and drawn the attention of the public to the unacceptable situation that prevails in the country when the apex cyber judiciary authority remains non-functional due to the non-appointment of a Chairperson.

It is necessary to point out that this bizarre situation has been brought to the notice of all relevant Ministers, Chief Ministers, Prime Ministers, the President of India as well as the Chief Justices of Karnataka and the Supreme Court, as well as political party leaders, at different points of time. But it appears that nobody is able to find a solution to the problem.

During the days of the UPA Government it appeared that the department wanted to push through one appointment which the then Chief Justice of India did not approve, and hence there was a delay. But now that there is Mr Modi’s Government and a new Chief Justice, it appears that this issue is simply not on the priority list of activities either for Mr Ravi Shankar Prasad or for Mr Modi.

I wish somebody responsible in the PMO takes up this issue and brings it to the knowledge of Mr Modi.

I would like to ask our action-oriented Prime Minister: is the appointment of a Chairperson to the Cyber Appellate Tribunal more difficult than forging a friendship treaty with Mr Obama?

I would like to ask the lawyer turned IT Minister Mr Ravi Shankar Prasad, whether it is possible to speak about Cyber Security without having a proper Cyber Crime judicial system in the country?

I would like to ask the Secretary of the MCIT whether it is not possible to find a suitable candidate acceptable to the Chief Justice of India, or whether there is no willingness to act.

I wonder who is the beneficiary of this grand negligence? Any guesses?

Or should we ask Mr Modi’s friend Barack to use his good offices and make it a part of the Indo-US security related discussions!

Naavi


The Risk of Keeping a USB Port Open.. Beware of USBdriveby!


Here is a demo of how an open USB port can be used by a hacker with 30 to 60 seconds of access using a “USBdriveby”.

The device, which is small enough to be worn around the neck (or carried in the pocket), when connected to a USB port will emulate a mouse or keyboard, establish a connection to the OS and set up remote control from the hacker’s computer, completely compromising the machine.

See the detailed report

Now we need to start worrying about how to lock and unlock USB ports. Refer here for ways to disable USB ports in Windows.
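Disabling USB mass storage on its own does not stop a device of this kind, because it enumerates as a keyboard and mouse rather than as a drive. A complementary control is to watch the host for input devices that were never issued. The script below is an added example and not part of the original post or the USBdriveby project: it scans Linux kernel log lines (constructed here; the same idea applies to Windows device-setup events) for USB devices that register a keyboard or mouse HID interface and reports any whose vendor/product pair is not on an assumed allowlist. The vendor and product ids, the allowlist and the host name are all made up for the example.

```python
import re

# Constructed sample kernel log lines (not taken from the post). The device on
# port 1-1.4 is made up: it announces both a keyboard and a mouse interface,
# which is how a keystroke-injecting USB device presents itself to the OS.
SAMPLE_LOG = """\
Jan 25 09:58:11 ws01 kernel: usb 1-1.2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Jan 25 09:58:11 ws01 kernel: hid-generic 0003:046D:C31C.0005: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1.2/input0
Jan 25 10:03:42 ws01 kernel: usb 1-1.4: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice=1.00
Jan 25 10:03:42 ws01 kernel: hid-generic 0003:1234:ABCD.0006: input,hidraw1: USB HID v1.11 Keyboard [Unknown HID] on usb-0000:00:14.0-1.4/input0
Jan 25 10:03:42 ws01 kernel: hid-generic 0003:1234:ABCD.0007: input,hidraw2: USB HID v1.11 Mouse [Unknown HID] on usb-0000:00:14.0-1.4/input1
Jan 25 10:15:00 ws01 kernel: usb 1-1.3: New USB device found, idVendor=0781, idProduct=5583, bcdDevice=1.00
Jan 25 10:15:00 ws01 kernel: usb-storage 1-1.3:1.0: USB Mass Storage device detected
"""

# Constructed allowlist of (idVendor, idProduct) pairs for the keyboards and
# mice the organisation has issued; any other device that registers as a
# keyboard or mouse is reported.
APPROVED_HID = {("046d", "c31c")}

NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
HID_BIND = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.[0-9A-F]+: "
    r"\S+: USB HID v[\d.]+ (?P<kind>Keyboard|Mouse|Device) \[(?P<name>[^\]]*)\]"
)


def parse_usb_events(log_text):
    """Group kernel USB messages by (idVendor, idProduct).

    Returns a dict mapping (vid, pid) -> {"port": bus port the device was
    plugged into, "hid": set of HID interface kinds it registered,
    "names": set of product strings reported by the HID driver}.
    """
    devices = {}
    for line in log_text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            key = (m["vid"], m["pid"])
            entry = devices.setdefault(key, {"port": "?", "hid": set(), "names": set()})
            entry["port"] = m["port"]
            continue
        m = HID_BIND.search(line)
        if m:
            # The HID driver prints the ids in upper case; normalise to match.
            key = (m["vid"].lower(), m["pid"].lower())
            entry = devices.setdefault(key, {"port": "?", "hid": set(), "names": set()})
            entry["hid"].add(m["kind"])
            entry["names"].add(m["name"])
    return devices


def find_unapproved_hid(devices, approved=APPROVED_HID):
    """Return one alert per device that registered a keyboard or mouse
    interface and whose vendor/product pair is not on the approved list.
    Storage-only devices are ignored here; they are a separate control."""
    alerts = []
    for (vid, pid), info in sorted(devices.items()):
        kinds = info["hid"] & {"Keyboard", "Mouse"}
        if not kinds or (vid, pid) in approved:
            continue
        alerts.append({
            "vid": vid,
            "pid": pid,
            "port": info["port"],
            "kinds": "+".join(sorted(kinds)),
            "names": ", ".join(sorted(info["names"])),
        })
    return alerts


if __name__ == "__main__":
    for a in find_unapproved_hid(parse_usb_events(SAMPLE_LOG)):
        print(f"ALERT port {a['port']}: {a['vid']}:{a['pid']} ({a['names']}) "
              f"registered as {a['kinds']} but is not an approved input device")
```

Run against the constructed log, the script flags only the device on port 1-1.4, the one that appeared as both a keyboard and a mouse with an unknown vendor id. Feeding it `journalctl -k` output on a real host gives the same check; the allowlist is the part that has to be maintained from the hardware inventory.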

Naavi


Is WhatsApp bound by Section 67C of ITA 2008?


TOI has reported today that the Nagpur Bench of the Mumbai High Court has dismissed a PIL filed by Advocate Mahendra Limaye demanding that WhatsApp should retain data for a specified period under Section 67C of ITA 2008.

The Court has held that since the service is voluntary and free, there is no public interest in the requirement.

Recently I had a discussion with some senior police officials who informed me that in several investigations they were unable to obtain information from WhatsApp, because of which their investigation could not proceed on the desired lines.

From the published information it appears that WhatsApp stores the personal data of its subscribers and also the contacts of the subscribers. To that extent, WhatsApp is exposed to Section 43A of ITA 2008 requiring “Reasonable Security Practice”. This also requires adherence to the data retention requirements under Section 67C. They are also bound by Section 79 of ITA 2008 as an intermediary. Under the circumstances it appears that WhatsApp is bound by ITA 2008, and therefore the Indian public has a stake in WhatsApp being compliant with Indian law.

However, it is the business model of WhatsApp that they only store the contact information and allow the content only to pass through. According to information available at http://www.howdoeswhatsappwork.com , the messages are temporarily saved on WhatsApp servers and automatically deleted after 30 days.

It is also known that WhatsApp proposes to charge a service fee after a trial period, though they have indefinitely postponed charging for the service. Now that Facebook has taken over the management of WhatsApp, it is only a matter of time before WhatsApp becomes a paid service or an ad-supported service. The contention of the Nagpur Court that “WhatsApp is free” is therefore not correct.

Further, one grey area of WhatsApp operations is that they are acquiring the “Contact” details of the subscribers and using them. A question arises in this context whether the subscriber has the consent of his contact to part with the mobile number and name to WhatsApp, and whether this would be subject to the privacy right of the contact. Since the subscriber is only sharing the number as associated with a name he has assigned to the contact, it may be argued that the data ceases to be that of the contact.

After the Uber and Bitcoin controversies on the interpretation of Internet-based business models, WhatsApp also needs to be understood properly: whether it is a purely “Peer to Peer” service or a “Server Based Service”, and if so, whether WhatsApp will have a liability to retain data at least when demanded by law enforcement etc.

Naavi


After the sophisticated Sony attack, it is now the simple J P Morgan attack!


Just as the IS community is absorbing the lessons of the Sony attack, the JP Morgan security breach, involving a suspected data theft of 76 million records, has disturbed the community.

See Report 

According to the New York report, it appears that the J P Morgan attack resulted from one of the servers being left out of the two-factor (2F) authentication that protected close to 100 other servers and prevented the breach there. Though 2F authentication is in itself not fool-proof, the fact that every small step towards security can have its own ROI is proved by this incident, since the servers which were hardened with 2F authentication seem to have escaped the attack.

It is interesting to note that hackers do not always need zero-day exploits to make big hits. There are many negligent IS practitioners who can facilitate exploits which could otherwise have been prevented with a “Reasonable Security Practice”.

Naavi


Has the Sony Experience Changed the Security Perception?.. How should the Indian Government respond?


It appears that the hacking of Sony Pictures, in which corporate data has been destroyed and compromised, has exposed a new dimension of a kind of Cyber warfare. According to the FBI, the hack was attributed to the North Korean Government and the motive was the prevention of the release of a Hollywood movie involving a theme of assassination of a North Korean leader. Of course North Korea has denied the charge.

The issue highlights the potential for damage to corporate business assets arising out of such state-sponsored high-impact attacks. Such attacks can occur on other corporates in future as targeted attacks forming part of Cyber terrorism.

Indian corporates face the specific risk of Pakistan sponsored attackers intending to damage the Indian economic infrastructure.

It is time therefore for Indian Companies to initiate appropriate security measures so that they can ensure business continuity if such debilitating attacks are targeted at them.

Apart from hardening their security on an ongoing basis, most companies need to revisit their Disaster Recovery Programs (DRP). Many companies need to establish a DRP where there is none, and upgrade it if they have only a basic facility.

As a result of this new threat perception and the necessary mitigation measures, the cost of maintaining the IT infrastructure would increase significantly.

The Government of India therefore needs to think about what its responsibility is in providing a security blanket to Indian Corporates against such attacks coming from enemy states. It appears that this is a National Defense responsibility rather than an information security responsibility of an individual company.

There are two immediate actions that the Government may contemplate.

1. The first requirement is to provide some kind of a defense cover to Indian corporates by offering financial support directly promoting higher cyber security investments by corporates. This could be in the form of setting up National Secured Data Centers in different parts of the country wherein companies can be provided DR hosting facilities at a reasonable cost.

2. The second is to recognize that such attacks on private citizens of one country by another state actor are “Terrorism”, to be handled as such by the international community. India should join an international consortium with the US to develop a “Global Cyber Security Force of Democratic Nations” that can attack and bring down the rogue states who mount cyber wars on the citizens of other countries. This should be discussed during the visit of Mr Obama to India next month.

The Sony attack is a defining moment in global cyber security, and we cannot afford to ignore the event, as the next such attack can come upon one of our own global players.

Naavi

Related Articles:

5 ways how Sony Hack will Change how America will do business

Hollywood Reporter

Security Week

US Cert Advisory
