
Naavi.org

Building a Responsible Cyber Society…Since 1998

Court Asks Facebook to reveal identity of a user

Posted by Vijayashankar Na on June 28, 2015
Posted in Cyber Law  | No Comments yet, please leave one

A Dutch Court has ordered Facebook to reveal the identity of a person who posted an obscene video. According to Facebook, the posting was made from a fake account that has since been purged. The Court has nevertheless held that Facebook must submit its servers to external forensic investigators so that the information can be extracted.

Refer to the article here.

It may be recalled that Facebook earlier faced a lawsuit claiming US $123 million in damages because it took an unreasonably long time to delete a posting. In the instant case it appears to have acted quickly to remove the content, but is now caught in the controversy that, in doing so, it failed to protect the legal interest of the victim.

Under ITA 2008 it is considered a compliance requirement for intermediaries that, where the intermediary deletes content once posted, the deleted content is archived for legal purposes.

Intermediaries should therefore ensure that their “Grievance Redressal Mechanism” includes appropriate guidance that, while they remove the content after an initial internal enquiry, the evidence is preserved and produced when required by law enforcement.

Apart from Facebook and Twitter, such requirements also apply to websites such as Glassdoor, Mouth Shut etc., which have built a business model out of hosting messages that could be considered defamatory.

While many Indian companies operating in global markets try to comply with American law, most US companies are not so vigilant when it comes to complying with Indian law. Just as Facebook seems to have woken up with a $123 million lawsuit, these companies will also wake up when they face a multi-million dollar lawsuit.

Naavi

“Dyre” threat to Indian Bank customers

Posted by Vijayashankar Na on June 27, 2015
Posted in Cyber Law  | No Comments yet, please leave one

The “Dyre” trojan, discovered a few months back, appears to have been upgraded, with recent reports describing new variants. Dyre is malware targeting customers of more than 1000 banks worldwide. Indian banks are also on its radar and, according to security researchers, it is one of the most dangerous trojans presently targeting Indian banking. It infects Windows computers and steals banking and other credentials.

The malware is delivered via an email message carrying an attachment that claims to be a legal document: a Zip or PDF file purportedly containing details of recent law changes regarding fraudulent activity, or similar bait. The spam emails may also include a PowerPoint attachment containing an exploit for CVE-2014-4114, a vulnerability in Windows. The weakness is in the OLE (Object Linking and Embedding) packager, which allows an INF file referenced by the document to be downloaded and executed.
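The CVE-2014-4114 delivery vector described above is visible in the PPTX container itself: a PPTX is a zip archive, and an OLE object that points outside the file is recorded in the slide's relationship part (`ppt/slides/_rels/slideN.xml.rels`) as an `oleObject` relationship with `TargetMode="External"`. Publicly analysed exploit documents used such relationships to reach a UNC share holding an `.inf` file and a disguised executable. The following added example, which is not part of the original post nor of any vendor tool, shows a mail-gateway style check that unpacks a PPTX and flags those relationships. The sample document it scans is constructed in memory (the 203.0.113.10 address is a documentation range, not a real server) so the script runs offline; the severity labels and the list of flagged patterns are my own assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship type PowerPoint uses for embedded or linked OLE objects.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def find_external_ole_targets(pptx_bytes):
    """Return (rels_part, relationship_id, target) for every OLE relationship in the
    slide relationship parts whose TargetMode is External, i.e. whose object lives
    outside the document (the CVE-2014-4114 delivery pattern)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("ppt/slides/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                # Embedded objects have no TargetMode (default Internal); only external ones matter here.
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                hits.append((name, rel.get("Id"), rel.get("Target", "")))
    return hits


def classify_target(target):
    """Assumed severity scheme: a UNC path or an .inf target is the known exploit shape,
    anything else external still deserves review."""
    t = target.lower()
    if "\\\\" in t or t.endswith(".inf"):
        return "high"
    return "review"


def scan(pptx_bytes):
    """Scan one PPTX and return a list of findings; an empty list means no external OLE objects."""
    return [
        {"part": part, "id": rel_id, "target": target, "severity": classify_target(target)}
        for part, rel_id, target in find_external_ole_targets(pptx_bytes)
    ]


def build_sample_pptx(targets):
    """Constructed test input: a minimal PPTX-shaped zip with one slide whose rels part
    carries the given (target, mode) OLE relationships. Not a real Office document."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
    ]
    for i, (target, mode) in enumerate(targets, start=1):
        mode_attr = ' TargetMode="External"' if mode == "External" else ""
        rels.append(f'<Relationship Id="rId{i}" Type="{OLE_REL_TYPE}" Target="{target}"{mode_attr}/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("ppt/slides/slide1.xml",
                   '<?xml version="1.0"?><p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        z.writestr("ppt/slides/_rels/slide1.xml.rels", "\n".join(rels))
    return buf.getvalue()


# Constructed sample: one benign embedded object plus two external objects on a UNC share,
# mirroring the .inf + disguised-payload pairing reported for CVE-2014-4114 exploit decks.
SAMPLE_PPTX = build_sample_pptx([
    ("../embeddings/oleObject1.bin", "Internal"),
    (r"file:///\\203.0.113.10\public\slides.inf", "External"),
    (r"file:///\\203.0.113.10\public\slide1.gif", "External"),
])

if __name__ == "__main__":
    for finding in scan(SAMPLE_PPTX):
        print(finding)
```

On a real gateway the same `scan()` can be pointed at each attachment; a PPTX with any external OLE relationship is rare in legitimate mail, so quarantining on "high" and reviewing on "review" is a reasonable starting policy. Note that the check covers only the slide relationship parts; a fuller scanner would walk every `.rels` part in the package.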

Financial institutions, payment services and HR-related websites are the targets of the Dyre malware, and India appears to be the sixth most targeted country at present.

Dyre’s money-stealing activity follows a well-known pattern: the web browser is hijacked to monitor web sessions, and the victim is either redirected to fake websites or served web pages whose content is altered on the fly to capture banking login credentials, a man-in-the-browser attack.

According to experts, the data Dyre exfiltrates is difficult to distinguish from legitimate traffic because it is encrypted with the malware’s own key. It includes login credentials for a large number of global banks.

Several prominent banks are targeted by the trojan, including Bank of America, Citigroup, the Royal Bank of Scotland, Ulster Bank and NatWest. At this point the list of Indian banks on Dyre’s radar is not clear, though at least two banks are reportedly on it. One can expect ICICI Bank and HDFC Bank to be among them, being the most prominent e-banking entities in India. Customers of these banks should therefore be extra careful when dealing with spam mail.

At the same time we need to be aware that malware writers are getting more sinister, as can be seen in the case of the “Rombertik” trojan, which, when it detects that it is being analysed, destroys part of the master boot record rather than let itself be examined. It is a kind of “suicide bomber” who blows himself up when confronted.

E-banking customers are therefore under continuous attack from sophisticated trojans and viruses and are left to fend for themselves. It is essential for the promoters of e-banking, including RBI in particular, to mandate protection of banking customers through appropriate cyber crime insurance. Bankers need to assume responsibility for malware activity and provide insurance cover alongside their own secure web applications for customers to use.

Naavi

Related Articles:

India’s Financial Institutions sixth-most targeted by Dyre Trojan malware – Symantec

Dyre Banking Malware Uses 285 Command and Control Servers

Researchers Analyze Dyre Sample with new features

Financial Institutions in “Dyre” straits

Dyre Malware Developers Add Code to Elude Detection by Analysis Tools

In the domain of global warming and pollution control, an innovative idea that has been used to incentivize good players and disincentivize bad players is the system of Carbon Credits. The system puts a cap on carbon emissions by nations and industries and, in order not to be harsh on those who need time to change, those who exceed the norms must buy Carbon Credits from the market. Those who have earned Carbon Credits through their own green initiatives can encash them by selling, through appropriate exchanges, to those who need them. As a result, farmers and plantation owners who absorb carbon dioxide from the atmosphere are given credits which can be sold to others who release carbon into the atmosphere. The philosophy behind this idea appears to hold promise for the development of an Information Security Eco System, and we need to try the system in India, at least as an experimental measure.

I propose to place some thoughts in this regard through this forum.

One of the problems in Cyber Security is that Cyber Space cannot be guarded like physical space by an army being placed at the border. Cyber invaders descend on any computer or mobile and spread across. Hence each individual device connected to internet can be considered as a Cyber Border and needs to be protected. If not, malware will get entry into the country.

Once malware is in the country it will get into critical IT infrastructure as well as the not-so-critical. All corporate information security measures are aimed at creating pockets of secure zones which not only block the entry of malware and cyber criminals into their own systems but, in the process, also secure the cyber borders to which those systems are exposed. If therefore a company has 1000 systems connected to the internet and its information security is satisfactory, 1000 cyber border entry points are secured. At the same time, another company which does not have similar security arrangements poses a threat to the nation by leaving a porous cyber border.

What is therefore required in the overall context of securing the Cyber Space within the country is to encourage companies to improve their own security measures and discourage those who ignore the cyber security practices.

If therefore a company wants to introduce cyber security and is prepared to incur costs which its competitors are avoiding, there is a need to build incentive and disincentive schemes to even out the competitive pressures which make companies not implement available information security standard practices.

It is in this context that I propose that we introduce a system whereby we define a norm, say for each industry, and also define performance measuring parameters so that we can identify those who do better than the norm or worse than the norm, keep a ledger of their performance, and develop a system where the under-performers pay an extra tax while the over-performers get a subsidy. The aim is to encourage everybody to move to a given normative stage. Periodically the normative level can be redefined to ensure that the cyber security eco system keeps pace with global requirements.

The Government has to obviously step in to define the normative levels and the measurement of performance. If possible industry regulators say RBI for Banks can also initiate similar measures. Once the system is in place, Info sec credits can be given to the over performers and infosec debits can be placed on the under performers. Then the under performers will have to buy credits and show a nil balance say whenever their financial balance sheets are drawn. Government can provide tax incentives and disincentives based on the info sec credit balances declared in the balance sheets.

Simultaneously, recognizing that “Cyber Security Awareness” is an important input to the development of a Cyber Security Eco System, whosoever acquires cyber security knowledge in the form of certifications, and whosoever contributes to cyber security education, should also be provided with appropriate credit points which can be traded in the secondary market for info-sec credits or exchanged for tax credits.

It is envisaged that under equilibrium conditions, the market will pay for itself to upgrade the cyber security status of the eco system and the Government need not incur expenses on its own. However until a proper secondary market develops, the Government may provide “Tax Credits” in exchange of “Info-Sec Credits” so that those who earn such credits can encash the benefits.

Naavi

Comments are invited


Digital Signature Algorithms set to change?

Posted by Vijayashankar Na on June 24, 2015
Posted in Cyber Law  | No Comments yet, please leave one

When India started using Digital Signatures after the ITA 2000 was enacted, CCA had approved the MD5 algorithm for hashing. Subsequently MD5 was disaccredited and SHA-1 became the approved algorithm in use. Global developments now indicate that the time has come for users to move from SHA-1 to SHA-2: SHA-1’s collision resistance has been theoretically broken and a practical collision is expected within a few years.

Crypto experts indicate that by the end of December 2015 Chrome may start showing browser warnings and that by 2016-17 both Chrome and Microsoft may stop accepting SHA-1 in their applications. This will require websites to replace their SSL/TLS authentication certificates.

If SHA-1 is unreliable for SSL/TLS, it should also be considered unreliable for the Indian Digital Signature system, which carries judicial weight for non-repudiation.

We are already in 2015, and many digital signature users may be holding a certificate valid for two years, which will overlap with the discontinuance of SHA-1 certificates by the international community.

In order to preserve the sanctity of the Digital Signature system of India, it is necessary for CCA to take steps to migrate completely to SHA-2, which is already an approved system, by phasing out SHA-1 in time. Hopefully the CAs are making the necessary arrangements so that we stay in tune with global security standards.

Naavi


Just yesterday, we were congratulating SEBI on its intended progressive use of technology for e-IPO. Unfortunately, today we need to point out the serious security issues that remain to be addressed when IT usage is taken to critical areas such as investments.

A whistleblower from Singapore has now revealed a major fraud which, he alleges, has been going on at NSE for a long time and has been hushed up by the Stock Exchange.

The enclosed document  provides in graphic detail the modus operandi used by certain broking firms to gain unfair advantage in trading with the connivance of the staff at NSE. (Also read this article in Moneylife)

Similar tactics were employed earlier in IRCTC which was brought to public notice by Naavi.org. However, in comparison, the impact of the present fraud in NSE is far far greater.

It is possible that NSE might have tightened up the security now. However there is a need to identify the individuals responsible for the fraud and send them to jail for life.

Hushing up is providing protection to such fraudsters who may re surface in other companies.

NASSCOM also has to issue a notice to NSE so that the “National Skills Registry” contains the correct information about these fraudsters.

People like Arnab who bark up the wrong tree need to address issues such as these instead of shouting on political rivals.

The incident also highlights how the information security audit of NSE’s systems has failed, and can fail again in future.

We do understand that rather than blaming everybody in the administration, we need to appreciate the corrective measures taken and enable the management to set things right without any panic reaction that may cause more damage.

We look forward to a proper explanation from NSE authorities along with an assurance that checks and balances will be built to address such issues in future.

At the same time we need to thank the whistleblower for bringing the problem to public knowledge.

Naavi

One of the most exciting manifestations of the Digital India story is about to be unleashed in the Indian investment scenario. The undersigned was one of the financial professionals who saw the capital markets in all their glory when they were a retail market in which millions of investors participated in IPOs (then termed Public Issues). The undersigned had also created an index to project the investment potential of a proposed public issue at different prices. Subsequent changes in SEBI policy, however, converted the IPO market from a retail market into a wholesale market.

Now the sunny days of the IPO market appear to be back, with SEBI finalizing a proposal for e-IPOs. SEBI is expected to finalize detailed guidelines for e-IPOs by the end of this month, as per this ET report.

SEBI’s discussion paper

SEBI had issued a discussion paper which gives some details of what may be coming. It is an attempt to use the existing secondary market infrastructure, through which investors already invest in various capital market instruments via their brokers using e-investment tools. Since IT provides all the flexibility needed for auctioning, reverse auctioning, instant processing of applications and so on, it is the ideal platform for involving a large number of Netizen investors directly in the IPO process.

In fact, just as retail business has seen a sea change with Flipkart, Snapdeal, Amazon and others entering the fray, e-IPOs are sure to revive retail interest in the primary markets, which is essential for the growth of capital markets in India. This is bound to give the capital markets a far bigger boost than a good monsoon this year, RBI dropping interest rates or inflation coming down, which are being touted as huge market movers.

I congratulate SEBI on its move.

Before we end, there is of course a Cyber Law angle to the development, since IPO applications need to be “digitally signed” and the Certifying Authorities may be rejoicing at the development. I recall that one of the first e-commerce initiatives I personally supervised was the hosting of public issue application forms of Corporation Bank sometime in the mid-80s, with a running serial number, which was a great innovation at that time. A lot of water has flowed under the bridge since then, and we will now see an e-form being filled in and digitally signed, the application processed electronically and demat shares issued, all in the back-end servers. Three cheers to the ICT revolution.

Naavi