Conviction for Stalking in Maharashtra..Is it Cyber Stalking? or Physical Stalking?

A senior executive of a private company in Mumbai has been convicted for what is reported to be an offence of “Cyber Stalking” according to the media reports. (See this TOI report: First Cyber Case Conviction in Maharashtra). It is hailed as the first conviction case of cyber crime in the State since the cyber laws came into existence in 2000.

The case was prompted by a complaint from a lady stating that she was receiving e-mails from an unknown person indicating that the sender was following her physical world movements and that some of the messages contained some obscene pictures. Police traced the sender through IP address resolution and now he has been convicted with imprisonment of 4 months. It appears that there was also forensic investigation of two hard disks and mobile call details used as additional evidences.

While we appreciate the publicity that a Cyber Crime Conviction is getting, for academic purpose we may discuss if it was indeed a Cyber Crime or a Physical crime that was committed in this case.

At this point we are awaiting particulars whether the conviction was under ITA 2000/8 or IPC. Actually this was a fit case for Section 66A which  Supreme Court recently scrapped. The offence was clearly made out clearly under that section.

Just because the evidence is in electronic form, the crime itself does not become a “Cyber Crime”. In this case, annoyance was caused and fear was induced in the victim. But the fear was some body was following in the physical world. The threat was in physical space. The primary crime therefore appears to be in the physical space. Cyber space has been used for communication. But the moot question is whether the complainant felt harassed because she received the email? or because she realized from the email that she was being followed in the physical space when she went to a movie or to the temple? If it was an apprehension that she was physically followed and could be physically abused, it should be treated as a physical space crime.

We need to check if there was  a threat through email or if there was  obscenity in the content… then there is a case under ITA 200/8. But under the grand verdict of the learned Supreme Court judges, causing annoyance through email can still be within the definition of “Free Speech” !.

So to call this case as a “First Cyber Crime Conviction in Maharashtra” is perhaps not entirely correct.

However,we congratulate the Police for having presented the digital evidence in a manner that the Court accepted it and went for conviction.

We shall provide more information in these columns once the details are available.

Naavi

 

Share Button
Print Friendly

If NaMo is the CEO of Digital India.. who will be the CISO of Digital India?

The event on 1st July, 2015, in which our Prime Minister Modi launched the Digital India project along with the battery of industrialists was very very impressive.

I suppose Mr Arnab Goswami and the Congress must be squirming within themselves to some where find a fault. As luck would have it, an incident was reported yesterday that certain content changes were made on Wikipedia regarding Jawaharlal Nehru and his lineage and it was reportedly done from an IP address/email address traced to NIC. The ever eager Congress spokes person, Mr Sanjay Jha started saying that Modi Government is responsible for this and the more sinister TV anchor Mr Gaurav Sawant of India Today further prompted that this could have been engineered by RSS.

As long as such tendencies remain in the media and the opposition, any good intentioned project of the Government of India will be facing all kinds of opposition and the Digital India Project will also face a determined opposition both from irresponsible  opposition parties like Congress as well as motivated media.

It is therefore even possible that in future, the opposition may actually sponsor cyber attacks from NIC addresses or on Government assets only to deride the Digital India program of Narendra Modi. It is therefore to be considered that opposition parties and motivated media would be among the “Threats” that the Cyber Security planners need to factor in.

It was good to hear the PM speak of “Netizens” and “Cyber Security”, two terms which you find in abundance in our discussions in this blog over the last 15+ years. In fact a few years back when elections were being held in Karnataka for the assembly in which Congress won, the undersigned had proposed a “Charter of Demand” by netizens urging political parties to take it up as part of their election manifesto. I am sure that they did not understand the import of what was being suggested. But it is heartening to now hear Mr Modi speaking in similar language.

Skeptics will point out that making declarations and implementing them are two different things. By my personal experience, I have had enough disillusionment on various developments and therefore skepticism comes naturally even to me. However, being an optimist by nature, I always hope, that this time it would be different. Afterall Mr Modi has the right intentions and so far we never had a person like him at the helm of affairs. We only had persons like  Kapil Sibal or Manmohan Singh incapable of seeing beyond the political domain.

There is no doubt that India has enough talent in IT and it should also mean that we should have enough talent in Cyber Security. Before Mr Modi pointed out yesterday, even the industry champions would have never thought of the possibility that India should look to be a leader in Cyber Security !. Vision of Modi is therefore far ahead of Mukesh Ambani, Cyrus Mistry or Azim Premji. ..probably because these stalwarts have seen how the Governments used to function under the previous regimes and got used to the “Rules of UPA” where only money and personal connections worked. It is easy for some of the journalists to cry hoarse about “tainted” businessmen but we must agree that many of the businessmen became tainted by coercion from politicians. Now that the atmosphere has changed, there is a need to recognize that those businessmen who carry some “taint” in the past need to be given an opportunity to work honestly in the new regime.

However, persons like Arnab Goswami who donot care about the country are sure to put spokes into any new radical initiative of the Government including the Digital India concept and if this project has to succeed, we need to work our way around such malware in the society.

These thoughts were vindicated by the discussions on the TV media about the Nehru wikipedia issue. Most of us know that the objected content was already in circulation in You Tube and every body knew about it. Such contents will continue to be available on the Internet in the future also. We (also the media) should learn to differentiate the real cyber crime issues from random trolling on twitter or elsewhere. Rather than making statements on TV that Modi Government should take responsibility etc, I would have appreciated the media to have just warned of the dangers that the Internet presents and why some kind of regulation is essential if Internet is to be used for the benefit of the society.

Readers may be surprised to know that a few years back the Chief Minister Mr Yeddyurappa in a speech at the Cyber Security Summit in Bangalore declared Bangalore to be the “Cyber Security Capital”. In doing so it had been envisioned that Bangalore would undertake all necessary activties to make it the global center of cyber security activities. Of course it remained only a declaration in the summit and nothing much happenned there after. Presently Bangalore is ironically called the “Cyber Crime Capital” and no body is even concerned. We donot want the current Modi project to go the same way.

In this context we need to point out that the  media and several politicians including those from BJP hailed the decision of the Supreme Court when Section 66A was scrapped for all the wrong reasons. Only Naavi.org called it a “Black Day” and tried to draw the attention of everybody including the IT Minister all in vain. How can Digital India project take shape without a consesus on laws regarding cyber defamation and privacy, only God knows.

In the months preceding to Sec 66A scrapping, I have also brought to the attention of the Government about the serious gap in the Cyber Judiciary system with the closure of the Cyber Appellate Tribunal. Unfortunately the Ministry which includes the many scientists who work there have not been able to take corrective steps. In Bangalore one Adjudicating officer has redefined law to suit cyber criminals and the current Adjudicator is having such a closed mind that he is unable to see through the problem. This has rendered Karnataka a Haven for Cyber Criminals. But our politicians including the Union IT Ministry continue to talk  without even attending to small things on the ground.

In this background I would like Mr Modi to know that most Cyber Security professionals in closed circles are disbelieving the efficacy of the Digital India implementation.  But we all love Mr Modi and his honesty and therefore many may not raise their doubts in the public..except of course the undersigned.

In my opinion, industry can be counted upon to lay down the nation wide Optic Fiber network which Modi rightly called the I-Way. But the Government should be ready to ensure that the network is secured against vandalism and interception. Similarly, every E Governance, M- Governance project needs to be vetted for security..not from a China sponsored security group but a group supported only by the Government.

 This requires a policy today before the first set of Optic Fiber cables are laid down and first set of roads are laid in a smart city. The industry would be interested in selling and installing the cables but they would hardly be expected to worry about the security. We may therefore end setting up an entire infrastructure of I-Way which apart from carrying the digital data will also become the “CC-Way” i.e., a high way for Cyber Criminals.

If we donot understand this problem and take corrective action today, 5 years from now we will be ruing the very decision of setting up of the I-Way.

I donot expect Mr Modi as the CEO of the country be fully aware of these risks. The CTO of the country namely Mr Ravi Shankar Prasad may also be focussing more on the infrastructure build up and he may not be expected to take full control of the Cyber Security issue.  But it is the duty of the CISO of the country to take care of the security issues that accompany the Digital India project.

But the moot point is who is the CISO of Digital India?

Will the NIC be capable of taking up this responsibility? There is the recent warning signal and many in the past which does not provide the confidence.

Will the NSA be also the CISO of India?.. Perhaps it is too much to expect.

Of course there is a Cyber Security Advisor in Mr Gulshan Rai in the PMO. Will he be the designated CISO of India?

We may also ask, Will the CISO be a single person? or will it be a body like the IN-CERT? or will it a NASSCOM body such as DSCI?

If so, Where were they in yesterday’s Digital India presentation?

If we look at the threats around us such as the “Malicious Codes” -both digital and human that we need to confront with, and knowing the vulnerabilities of our administrative set up, the risks are too obvious.

But have we made a conscious effort to list down the risks and their “G0vernance Impact”? .. It is necessary for the Netizens of the country to be assured in this regard before we welcome the Digital India project whole heartedly.

During the Digital India launch, I wished that Mr Modi would speak of the “Cyber Insurance Industry” but no such discussion happenned. I want the Government to recognize that  Netizens cannot be exposed to the risks which even experts find it difficult to fathom when the Digital India, Smart City or IOT projects take shape.

When we need to move from Snail Governance to E Governance and then onto M-Governance and APP based Governance, we need to simultaneously assure the Netizens that they are protected from the risks arising out of this transition.

This is as much a necessity as the Health Insurance and Life Insurance schemes which Mr Modi has introduced as part of Social Security. In the Digital India, most of the Citizens will depend on the Government for security and Insurance when the security fails.

Hence Cyber Insurance should be a strong pillar on which the Digital India concept should be built up. I felt that this was not addressed by Mr Modi yesterday. It is perhaps the failure of the bureaucrats in not providing Cyber Insurance as a Risk Transfer mechanism for Netizens,  but I would still wait for Mr Modi to express his views on Cyber Insurance in the days to come.

I suppose the department of IT which should be monitoring posts such as these will bring it to the notice of Mr Modi so that some action can be worked out in this direction before it is too late.

I want to reiterate that the IT  industry whch will reap the benefits of the Rs 450,000 lakh crores is unlikely to advise the PM in this regard properly since “Security” and “Insurance” will increase the costs and reduce the profits. We have seen Banks declaring that “We will provide only that much security as is commercially feasible” and RBI does not even recognize the import of such policy statements.

Hence PM must have Cyber Security advisers who  will be empowered to question every IT project implementation from security angle even if it is implemented by  Reliance Geo or TCS or Wipro.

All this needs to be built into a “Cyber Security Governance and Management Infrastructure” that should be in place before the Digital India project takes off. But yesterday we have launched the Digital India project and banking on the old National Cyber Security policy which is not a full fledged implementable agenda.

I hope that in the coming few weeks some thing will happen in this direction.

I invite the attention of Mr Nandakumar Sarvade who has recently taken over as the CEO of DSCI to let us know what will be the role of DSCI in establishing a Cyber Security Framework which is Netizen oriented and not IT vendor oriented.

Naavi

Related Article: Charter of Demand on behalf of Netizens of Bangalore

Share Button
Print Friendly

Court Asks Facebook to reveal identity of a user

A Dutch Court has ordered Facebook to reveal the identity of a person who made a posting of an obscene video. According to Facebook, the posting was done from a fake account and was purged. The Court has however said that Facebook will have to submit its servers to eternal forensic investigators to extract the information.

Refer article here

It may be recalled here that Facebook faced an earlier law suit for payment of a damage of US $ 123 mn in which it took an unreasonably long time to delete a posting. In the instant case therefore it appears to have acted quickly to remove the content but now is caught in the controversy that it has not protected the legal interest of the victim.

It is considered as a compliance requirement under ITA 2008 for intermediaries, that  in such cases where the intermediary deletes the content once posted, it has to be archived for legal purposes.

Intermediaries should therefore ensure that their “Grievance Redressal Mechanism” includes appropriate guidance that while they remove the content after an initial internal enquiry, the evidence is preserved and produced when required by law enforcement.

Apart from Facebook and Twitter, such requirements also apply to websites such as Glassdoor, Mouth Shut etc which have created a business model out of posting  messages which could be considered defamatory.

While many of the Indian Companies operating in global markets try to comply with American law, most of the US companies are not so vigilant when it comes to complying with Indian law. Just as Facebook seems to have woken up with a $123 mn law suit, these companies will also wake up when they face a multi million dollar law suit.

Naavi

Share Button
Print Friendly

“Dyre” threat to Indian Bank customers

The threat of “Dyre” trojan discovered a few months back seems to have been upgraded with some recent reports with the finding of some variants. Dyre is a malware targetting customers of more than 1000 banks worldwide. Indian Banks are also in its radar and according to security researchers, it is one of the most dangerous trojans presently targetting Indian Banking scenario. It targets Windows computers and can steal Banking and other credentials.

The malware is delivered via an email message that comes with an attachment claiming to be a legal document containing a Zip or PDF document containing details about recent law modifications regarding fraudulent activity or any other information. The Trojan delivery spam emails may  include a PowerPoint attachment containing an exploit for the CVE-2014-4114 vulnerability in Windows operating system. The weakness is present in the OLE (Object Linking and Embedding) packager that allows download and execution of INF files.

Financial institutions, Payment services and HR related websites are the targets for the Dyre malware and India appears to be the sixth most targetted country for the time being.

Dyre’s money stealing activity follows a well-known pattern, with the web browser being hijacked for monitoring web sessions and redirecting the victim to fake websites or altering the content of the web pages on the fly to capture banking login credentials in man-in-the-browser events.

According to experts, the Dyre exfiltered data is difficult to distinguish since it is encrypted (with its own key) and appears like legitimate traffic. It includes log in credentials for a large number of global banks.

There are several prominent Banks which are targetted by the trojan including Bank of America, Citigroup, the Royal Bank of Scotland, Ulsterbank, and Natwest. At this point of time the list of Indian Banks in the Dyre’s radar is not clear though at least two Banks are reportedly in the list. One can expect ICICI Bank and HDFC Bank to be those Banks being the most prominent e-Banking entities in India. Customers of these Banks should therefore be extra careful when dealing with spam mails.

Simultaneously, we need to be also aware that the malware writers are getting more sinister as can be observed in the case of the “Rombertick” trojan which when detected could destroy part of the master boot record just to evade itself. It is a kind of a “Suicide Bomber” who when confronted blows himself.

E Bankers therefore are in a continuous attack from sophisticated trojans/viruses and are left to fend for themselves. It is therefore essential for the promoters of E Banking transactions which includes RBI in particular to mandate protection of Banking customers through appropriate Cyber Crime insurance. Bankers need to assume responsibility for malware activities and provide insurance cover along with their own secure web applications for customers to use.

Naavi

Related Articles:

India’s Financial Institutions sixth-most rargetted by Dyre Trojan malware-Symantec

Dyre Banking Malware Uses 285 Command and Control Servers

Researchers Analyze Dyre Sample with new features

Financial Institutions in “Dyre ” straits

Dyre Malware Developers Add Code to Elude Detection by Analysis Tools

Share Button
Print Friendly

“Infosec Credit Trading ” on the lines of Carbon Credit Trading proposed

In the domain of Global Warming and Pollution Control an innovative idea that has been used to incentivize good players and disincentivise bad players is the system of Carbon Credits. The system basically puts a cap on carbon emissions by nations and industries and in order not to be harsh on those who need time to change, a system has been developed that those who are above certain norms should buy Carbon Credits from the market. Those who have acquired Carbon Credits by their own green initiatives, will be rewarded with Carbon Credits which can be encashed by sale to those who need through appropriate exchanges. As a result farmers and plantation owners who absorb carbon dioxide from the atmosphere are given credits which can be sold to others who release carbon to the atmosphere. The philosophy behind this idea appears to hold promise to the development of an Information Security Eco System and we need to try the system in India at least as an experimental measure.

I propose to place some thoughts in this regard thorough this forum.

One of the problems in Cyber Security is that Cyber Space cannot be guarded like physical space by an army being placed at the border. Cyber invaders descend on any computer or mobile and spread across. Hence each individual device connected to internet can be considered as a Cyber Border and needs to be protected. If not, malware will get entry into the country.

Once malware is into the country it will get into critical IT infrastructure as well as the not so critical. All the corporate information security measures are aimed at creating pockets of secure zones which not only secure entry of malware and cyber criminals into their system and also in the process secure the cyber borders to which their own systems are exposed. If therefore a company has 1000 systems connected to internet and their information security is satisfactory, 1000 cyber border entry points are secured. At the same time another company which does not have similar security establishments will pose a threat to the nation by having a porous cyber borders.

What is therefore required in the overall context of securing the Cyber Space within the country is to encourage companies to improve their own security measures and discourage those who ignore the cyber security practices.

If therefore a company wants to introduce cyber security and is prepared to incur costs which its competitors are avoiding, there is a need to build incentive and disincentive schemes to even out the competitive pressures which make companies not implement available information security standard practices.

It is in this context that I propose that we introduce a system where by we define a norm say for each industry and also define performance measuring parameters so that we can identify those who do better than the norm or worse than the norm, keep a ledger of their performance and develop a system where the under performers pay an extra tax while the over performers get a subsidy. The effort is to encourage every body move to a given normative stage. Periodically the normative level can be redefined to ensure that the cyber security eco system keeps pace with the global requirements.

The Government has to obviously step in to define the normative levels and the measurement of performance. If possible industry regulators say RBI for Banks can also initiate similar measures. Once the system is in place, Info sec credits can be given to the over performers and infosec debits can be placed on the under performers. Then the under performers will have to buy credits and show a nil balance say whenever their financial balance sheets are drawn. Government can provide tax incentives and disincentives based on the info sec credit balances declared in the balance sheets.

Simultaneously, recognizing that “Cyber Security Awareness” is an important input to the development of a Cyber Security Eco System and whom so ever acquires cyber security knowledge in the form of certifications and whom so ever contributes to education of Cyber security knowledge should also be provided with appropriate credit points which can be traded in the secondary market for info sec credits or exchanged for tax credits.

It is envisaged that under equilibrium conditions, the market will pay for itself to upgrade the cyber security status of the eco system and the Government need not incur expenses on its own. However until a proper secondary market develops, the Government may provide “Tax Credits” in exchange of “Info-Sec Credits” so that those who earn such credits can encash the benefits.

Naavi

Comments are invited

 

Share Button
Print Friendly

Digital Signature Algorithms set to change?

When India started using Digital Signatures after the ITA 2000 was enacted, CCA had approved MD5 algortithm for hashing. Susequently, MD5 was disaccredited and SHA-1 was being used as approved algorithms. Global developments now indicate that time has come for users to move from SHA-1 to SHA-2 since SHA-1 has either been already cracked or is about to be cracked.

Related Article: 

Crypto experts inidcate that  by end of Dec 2015, Chrome may start providing browser warnings and by 2016-17, both Chrome and Microsoft may discontinue acceptance of SHA-1 in the applications. This may result in SSL/TLS authentication certificates need to be replaced by websites.

If SHA-1 is unreliable for SSL-TLS, it should also be considered unreliable for the Indian Digital Signature system which carries the judicial weight for non repudiation.

We are already in 2015 and many digital signature users may be using a 2 year  valid digital signature certificate which may overlap with the discontinuance of the SHA-1 certificates by the international community.

In order to preserve the sanctity of the Digital Signature system of India, it is necessary for CCA to take steps to migrate completely to SHA-2 which is already an approved system, by phasing out SHA-1 in time. Hopefully CA s are making necessary arrangements so that we are in tune with global security standards.

Naavi

 

Share Button
Print Friendly