Have Russian Hackers entered India?.attacking State Bank of Mysore and Bank of Baroda?

Recently two bank fraud incidents have been reported one from State Bank of Mysore in Karnataka and another from Bank of Baroda in Lucknow where security specialists have suspected hacking of the Bank’s servers without any compromise of information at the POS or the customer side.

Reference:

Hindu and Hindu Business Line on SBM fraud

TOI on BOB fraud : P.S: Though this was a case of hacking into dormant accounts by an insider, there is a failure of information security even in this fraud.

nyooz.com on BOB

In the background of these frauds, one can read the article in Kasparesky published a few months back titled: “Dozens of banks lose millions to cybercriminals attacks” and “APT-Style bank robberies on the increase..

This article states that Kasparesky which exposed a sophisticated bank fraud gang last year by name Carabanak has now identified threats from of two more gangs by name Metel (or Corkow) and GCMAN. It also said that Carabanak has reemerged with new targets. Some of these attacks indicate a spear phishing attacks on the Bank employees.

It appears that the recent attacks in India may indicate the activity similar to what has been reported here.

One of the strategies that is reportedly used is to first gain access to one of the user’s computer and plant a trojan. The trojan may crash some application such as Microsoft Word and it is expected that  the admin will be called to set things right. When the admin logs into the victim’s computer with his password, his credentials are captured by the attackers. Using this, the attackers slowly get into other systems until they are able to compromise the fund transfer systems leading to further frauds.

What we have seen in SBM now with small amounts being transferred may be only a testing of the fraud and we may soon see a major break in SBM which may shake the Bank and put its customers into great pain. May be similar threat is there in other banks also.

The recent failure of basic information security principles in an otherwise reputed company like TCS leading to a Rs 6000 crore damage on the Bank is an indication that most of the companies (including the Banks) have very weak security culture.

Additionally the opening of Unified Payment Interface opens up the mobile network to one part of the Banking servers which can be used by hackers to worm their way up the network into the core banking servers and launch a major attack to bring down a bank.

Knowing the attitude of Banks and RBI, nothing constructive is expected to be done to prevent such attacks and hence it would not be long when this prognosis may sadly come true.

I would therefore advise Bank customers to manage their risks by ensuring that they spread out their bank balances into multiple Banks and ensure that all the eggs are not in a single basket. Better still, spread it across smaller banks including cooperative banks without internet and mobile banking  so that their hard earned savings are protected.

Naavi

Share Button
Print Friendly

Beware of CIBIL Report Fraud

I would like to bring to the notice of the public a fraudulent e-mail that is being sent in the name of CIBIL.

The copy of the email is reproduced below:

 

cibil_fraud

Normally the CIBIL Transunion score is expressed as a three digit number and not as single digit such as 8.3.

On verification of the header information, it is found that the e-mail has emanated from notification@solveerrors.com. Return path is : ..@smtp1.perfectpriceindia.com>

The IP address from which the mail has been sent appears to be 206.183.107.64

Public are requested not to respond to this fraudulent e-mail.

At the same time, I hereby give a notice to CIBIL that they are now been informed of an attempt by some body to cheat the public in their name and if they donot take suitable steps to prevent such misuse of CIBIL’s name, they will be considered as “Negligent” and providing indirect “Assistance” to fraudsters.

I request the Police anywhere in India also to take cognizance and issue notices to the concerned web hosting service providers as well as CIBIL to ensure that this fraud is stopped immediately.

Naavi

Share Button
Print Friendly

Digi Locker Beta Release

Government has opened the beta version of the Digital Locker operated by CDAC and UIDAI which provides 10MB free storage space for every Aadhar number holder. It envisages that members can upload their ID documents and share it with other Government agencies if required.

The service is available at   http://digilocker.gov.in. It can also be accessed through http://digitallocker.gov.in and http://elocker.gov.in.

The site carries a digital certificate from an Indian Certifying Authority unlike many other web sites which are using certificates issued by verisign which is not licensed in India. However it is surprising to note that instead of using a digital certificate issued by the Government owned NIC, the site uses the certificate from (n)code solutions which is a private sector certifying authority. Also, some of the practices used by (n)code solutions for issue of digital certificates to public is not in accordance with the legal procedures suggested under ITA 2008. It is therefore surprising that the project has preferred to use their services instead of NIC or other more Cyber Law Compliant Certifying Authorities.

At the time of account creation and for certain other operations, the site uses OTP as a verification mechanism. It appears that an “e-sign” procedure is envisaged for users to individually authenticate the documents. But this is not yet working properly at present. It is also not clear what is meant by e-sign in this context.

The documents would be made available to designated agencies of the Government. Users can also send the document to another person through email.

While the concept of making available a free digital document storing place is welcome it is necessary to note that the site is short in the implementation of ITA 2008 compliance measures.

The website is silent on the issue of storage of information and it is unlikely to be in an encrypted state. We draw the attention of readers to my immediate previous post about the data breach in Anthem Inc, USA and the consequences. We are already aware that the Aadhar data base has been compromised in parts many times and lakhs of aadhar records would be available with cyber criminals as well as the enemy states of India. Now if the linked information is also leaked, it is a goldmine for terrorists in Pakistan or ISIS as well as countries like China who are preparing for Cyber space domination.

Government of India may be unaware of the risks that it is undertaking in this project and Modi Government should be prepared for a huge embarrassment at some time in future.

Employers should also be ready for a completely faked employee IDs with fake marks cards etc which may completely compromise their background verification systems. This can enable more Mehdi’s to find employment in critical sector and compromise the national security interests.

We hope the authorities will take a deep breath and review the security of the system before proceeding further.

Naavi

Share Button
Print Friendly

I call for an “All India Cyber Law Awareness Movement”

In another regrettable incident, a talented young person from Patna who was earlier praised by none other than Dr Abdul Kalam for his technical skills has been arrested now for a criminal activity.

The 25 year old tech genius by name Shivendu Madhav from Bihar had reportedly earlier developed and demonstrated a search engine like Google to Dr Kalam in one of the exhibitions and   received accolades. He had also sold one of his technical blogs to an US professor for Rs 4.5 lakhs. He was therefore neither short of money nor recognition and future career prospects. Yet he decided to use his talents to develop a fake railway recruitment portal www.rrbbpl.org and duped lakhs of jobless youths promising them jobs via RRB Bhopal.

Refer Article in TOI

The youth has since been arrested and some of his accomplices are now being traced. Law will take its course and probably this young genius will be punished. As a routine we can also congratulate the police team and appreciate their work.

However, as information security professionals we need to sit back and reflect why such things happen. I am reminded of an earlier case where a youth was arrested in Bangalore for ATM frauds and it was found that he had a very lucrative employment. It appears that the traditional behavioral science theories are being over turned in the current generation where “Negative Motivation” influenced by unrealistic material expectations in the society over ride the traditional motivators such as “Security”, “Reasonable Money” and “Recognition”. People seem to be greedy for more and more money and are willing to risk their future for immediate gains.

This indicates

a) Lack of Ethical training in our IT education.

b) Lack of fear of the law.

I therefore call upon the Ministry of Information Technology to initiate an all India program of ” Creating an Ethical IT Work Force” as a part of the Cyber Security initiative. Such a program requires Cyber Law Education and  Awareness of the consequences of violation of Cyber Laws right from the XI standard when Compute science knowledge gets imparted to our students. We may call this “Cyber Ethics Education”.

Mr Modi has embarked on a “Clean India” program in memory of Mahatma Gandhi from today. I suppose what Mr Ravi Shankar Prasad has to initiate is a “Cyber Law Compliant Mindset Development Program”.

As regular followers of this site are aware, the undersigned has been pursuing “Karnataka Cyber Law Awareness Movement” or “saibar kanUnu PrajnaaMdOLana” (ಸೈಬರ್ ಕಾನೂನು ಪ್ರಜ್ಞಾಂದೋಳನ) and done several programs across Karnataka in the last decade. During the days when Mr H.K.Patil was the law minister of the state under S.M.Krishna’s regime as CM, the undersigned had also discussed several such initiatives with the then Karnataka Government authorities. KLE Society of educational institutions had provided support for the initiative in a big way. But over the years the interest appears to have waned as agencies other than Naavi’s initiatives failed to sustain the movement and Naavi’s initiatives could not sustain on their own due to lack of resources.

In fact one of the activities that these initiatives highlighted was the celebration of October 17 as the “Digital Society Day” to commemorate the notification of ITA 2000. This year this could be a day which Mr Ravi Shankar Prasad should consider to promote some positive action in improving the Cyber Law Awareness in the country.   “Bangalore Cyber Security Summits” conducted in Bangalore during the days when Mr Ashok Manoli was the IT Secretary were also part of such an effort with the participation of the local Government. They need to be revived.

Unfortunately over the next few years the movement withered out and slowly Karnataka lost the momentum it had gained as a “Cyber Law Capital of India”.

The current incident reminds me once again that the concept of “Cyber law Awareness Movement” retains its relevance and needs to be pursued. IIIT Law (International Institute of Information Technology Law), a trust based in Bangalore, Cyber Society of India (CySi) in Chennai are two surviving institutions co-promoted by the undersigned in the past to address the work related to Cyber Law Awareness in the community. Of these CySi is active and doing some good work in Chennai. IIIT Law has lost steam and efforts are being made to pull it back on rails.

I call upon the Karnataka Government as well as well private educational institutions and other related bodies with necessary resources to take up the cause of rebuilding the Karnataka Cyber Law Awareness Movement and also extend it as an “All India Cyber Law Awareness Movement”  (AICLAM).

Such a movement of this type  is an essential part of “Cyber Security” which Mr Modi stressed during his UN General Assembly address recently and therefore meets the objectives set forth by the current Government at the center.

Will Mr Ravishankar Prasad, the IT Minister in Delhi and the PMO consider this?

Naavi

(I Invite suggestions from the public in this regard. Please also spread this message widely)

Share Button
Print Friendly

Cyber War Risk with China is evident

Despite the recent visit of the Chinese premier to India and the pledging of the possible investment of US$20 billion, the utterances of the Chinese prime minister after his return to China asking his troops to be ready for a “Regional War” is a matter to be taken note of.

China has always been an unreliable nation and cannot be trusted for business relations. China is the leader in Cyber Warfare and using their technologies for our bullet trains and smart cities is an open invitation to disaster if and when there is a cyber war between India and China.

It is good for Mr Modi to keep China at arms length in the field of technology and ensure that India tries to develop its capabilities in the technology era with the assistance of Japan and USA.

Indian companies doing business with China should also be careful not to transfer any critical technology to China in the long term interest of our country.

Naavi

Share Button
Print Friendly

First Steps in Cyber Crime Insurance

Recently interest on Cyber Crime Insurance has been on the rise in India. According to a recent report in Business Standard, the premia for such policies is around o.5% to 1.5%.

It is important for the insured to however consider what are the exclusions in the policy and there is clarity on the valuations of the insurable assets at the time of purchase and the valuation of claims.

According to the above BS report “distribution of unsolicited email”, “wire tapping”, “eavesdropping”, “fraudulent acts”, “failure to maintain standard computer security” are some of the major exclusions.

Out of the above exclusions, the failure to maintain standard computer security is understandable. However, what is “Standard computer Security” is debatable.

Also it is not understandable how “eavesdropping”, “Fraudulent acts” etc can be excluded. If these are true, insurance companies must be considering more of “Loss due to technical failures” rather than “Loss arising out of Cyber Crimes”.

Technical failures may lead to loss of data. However in most of the cases where a claim is to be preferred there will always be a human hand, malicious or otherwise. Hence “Fraud” cannot be eliminated from the risks. Hence if “Frauds” are excluded, there is insufficient coverage. Also if the coverage does not cover “Liabilities” arising out of the security breach, it is not beneficial to the insured.

The question of “Standards” is always daisy. At present in India law requires “Reasonable Security Practice” which is often not interpreted properly by the companies. Hence what constitutes “Failure to meet Security Standards” is always a debatable issue. While many may be able to produce a certificate such as ISO audit or PCIDSS audit, these does not constitute indisputable standards under the “Reasonable Security Practice” under ITA 2000/8.

It would be interesting to see how insurance companies define such exclusions. Unless some data is built up over time on the claim settlements of different companies, it is difficult to evaluate which policy is better for a prospective insurance seeker.

As regards valuation, in a liability insurance, the value of the asset has to be based on the value of “Information” rather than the value of the hardware and software. Hence in companies where “Data Loss” is the prime criteria, the “Data” need to be valued.  Will this be based on acquisition cost or replacement value or liability potential is a matter to be discussed. Normally the acquisition cost of data is relatively low while the liability potential is high. The insurance premium would therefore be on the lower value but the claims would be on the higher value.

According to one of the recent security reports, in case of data breaches the biggest loss comes out of the “Reputation Loss”.  At the time of insurance, is it possible to add the “Value of Reputation” as part of the assets to determine the premium? is therefore a valid point for discussion.

Probably the role of insurance brokers s therefore very critical in the current juncture since they need to ensure a fair coverage for the clients at affordable premia.

We need to watch out the performance of such insurance brokers.

Naavi.org calls upon insurance seekers to share their experience with insurance companies and insurance brokers so that we can evaluate their performance from time to time.

Naavi

Share Button
Print Friendly