Norton Estimates 4.2 crore cyber crime victims in India each year

According to Norton’s “Internet Security Threat” report, India had 4.2 crore Cyber Crime victims in 2012. (Report in Business Standard).

According to the report, the total cost of Cyber Crimes globally is US$ 110 billion (approx. Rs 6,60,000 crores), of which the cost of crimes in India is around US$ 8 billion (Rs 48,000 crores).

The report reveals a 58 per cent increase in mobile malware. Fifty percent of mobile malware created in 2012 attempted to steal our information or track our movements.

Thirty-two per cent of mobile threats are attempts to steal e-mail IDs and telephone numbers, and 61 per cent of malicious web sites are legitimate sites that have been compromised and infected with malicious code.

The top five web sites hosting infections include business, technology and shopping web sites. Sixteen gangs are active in ransomware.

Detailed reports can be accessed here.

Another important observation is that 50 percent of all targeted attacks were aimed at businesses with fewer than 2,500 employees. In fact, the largest growth area for targeted attacks in 2012 was businesses with fewer than 250 employees; 31 percent of all attacks targeted them. This indicates that “Small Businesses” are increasingly targeted by criminals.

It is also interesting to note that within an organization, the most frequently targeted job role was in R&D, which accounted for 27 percent of attacks, probably indicating that IPR theft or espionage by competitors is the objective.

The total number of new vulnerabilities reported in 2012 stood at 5,291. This figure works out to approximately 101 new vulnerabilities a week. Compared with the number from 2011, which was 4,989, it represents an increase of 6 percent. All of the top five vulnerabilities were several years old with patches available. 12 zero-day vulnerabilities, including 3 browser-based vulnerabilities, were identified during the year.

Corporates may take note that the “Watering hole based attack” has grown as a strategy for targeted attacks. In this strategy, genuine websites expected to be visited by targeted members are infected with trojans which automatically download themselves onto visitors’ systems. We may recall that the Bank of India and Deccan Herald websites were among such compromised websites that Indians have come across in the past. This underscores the need for all website managers to tighten security at the hosting level to mitigate such risks.

Naavi


Hong Kong Government accuses US Government of hacking

The controversy surrounding the PRISM program of the US Government, under which the US intelligence agency intercepted the communication of billions of foreigners, assumed a twist today with the Hong Kong Government virtually accusing the US Government of hacking.

The whistleblower Mr Snowden, who had first made public the US program, was known to be in Hong Kong and the US Government had issued a request for his arrest. However, it is now learnt that he has been allowed to move out of Hong Kong to a safer country, and the Hong Kong Government has issued a press release stating that he was allowed to move out since the US request for arrest did not meet its legal requirements.

Copy of the press release issued by the Hong Kong Government in this connection is available here.

What is interesting is that the Hong Kong Government has stated in the press release as follows.

“Meanwhile, the HKSAR Government has formally written to the US Government requesting clarification on earlier reports about the hacking of computer systems in Hong Kong by US government agencies. The HKSAR Government will continue to follow up on the matter so as to protect the legal rights of the people of Hong Kong.”

This appears to be a veiled threat that international legal action may be initiated against the US Government if necessary. This should indicate the stand some other Governments may also take. In India, perhaps the Government will await the Supreme Court judgement on the related PIL before taking any stand.

Naavi


IT Secretary Maharashtra creates history

Mr Rajesh Aggarwal, IT Secretary of Maharashtra, has created history by his landmark judgement in a case of an ex-employee hacking into his former employer’s systems to provide a wrongful gain to his new employer. Such cases are common in the IT industry, and earlier such cases have been registered in Tamil Nadu and other places.

In this case decided by Mr Aggarwal as the Adjudicator of Maharashtra, he has found a Japanese Company liable to compensate the aggrieved ex-employer of an employee who had joined the Japanese Company.

More information on the case is available here

In the above article in Indian Express it is reported that a Japanese Company, namely Endo Kogyo, and its employee, Mr Ashish Kalmegh, were ordered to compensate a Pune based firm by name Arhan Technologies in a case recognized as “Industrial Espionage”. It was alleged that the ex-employee had used his formal credentials to hack into the former employer’s systems and forward certain emails to himself. The accused were also reported to have deleted evidence and threatened the Pune company by spreading false rumours.

The adjudicator has awarded a compensation of Rs 20 lakhs. Since there is also a police complaint filed in the case, it is possible that the police may also initiate criminal proceedings against the Japanese Company as well as the offending employee under various sections of ITA 2008.

Copies of the two orders are available here:

Order 1 on admission:

Order 2 on final award

This should be considered as a landmark judgement which will enhance the reputation of the Adjudication system in general.

In contrast, the Adjudication system in Karnataka is accumulating a negative reputation with another kind of landmark judgement which the IT Secretary, Mr M.N. Vidyashankar, released on 27th December 2011, holding in effect that “No Company can seek protection for hacking under ITA 2008”. If this judgement is considered operative, the Pune company or the Maharashtra police could not have proceeded in the above case.

I would like Karnataka High Court also to take note of the above judgement of the Adjudicator of Maharashtra since it has in effect endorsed the judgement of Mr M.N. Vidyashankar through its own judgement of May 27, 2013 creating a situation where Karnataka can be called a “Hacker’s Haven”.

Naavi


Cyber Crime Insurance getting attention

Naavi has been highlighting the need for Indian Banks to obtain Cyber Crime Insurance as suggested by RBI in 2001 and ensure that customers are spared from the phishing liabilities. However, Banks have been generally reluctant on the ground that such covers are not available.

However, it appears that more and more Insurance Companies have started offering Cyber Crime Insurance policies, which has changed the scenario. Perhaps the first company which was heard of issuing Cyber Crime Insurance in India was HDFC Ergo.

The latest report in Business Standard indicates that Bajaj Allianz General Insurance and ICICI Lombard are also in the fray with some policies which may address the needs of the market. According to Bajaj Allianz General Insurance, Cyber Liability can be covered under the “Professional Indemnity Policy” as an extension, and such policies would cover third party claims arising due to negligent transmission of a computer virus, misrepresentation, defamation, confidentiality breach, intellectual property infringement and related exposures.

ICICI Lombard states that their policy covers “Privacy Breach Liability”, “Cyber Extortion”, “Business Interruption Losses”, “Liability from multimedia and public relations costs”, “Legal expenses” and “Data Theft liability”. The premiums are said to be around 0.5 to 1.5% of the amount insured.

Tata AIG Insurance covers the liability of a Director or an officer against risks of negligence resulting in liabilities in Cyber Crime incidents under the “Director’s Officer’s policy”. A more comprehensive cover is also said to be available under “it-internet liability coverage” which protects the insured from damages arising from a breach of duty in the operation of an internet, intranet or extranet site, transmission of electronic mail or documents by electronic means or the unintentional transmission of a computer virus.

Reliance General Insurance indicates a preference for customized extension of Director and Officer’s liability policies rather than standard policies.

According to Bharti AXA General Insurance, apart from companies, even the Government of India is quite serious on this matter and is working with various industry bodies like NASSCOM on a proposal to mandate hardware vendors to provide cyber security awareness brochures along with the products they sell in India, which will go a long way in creating awareness of cyber threats. Maybe they consider such moves to increase the demand for Cyber Crime services in the future.

It is a good sign to observe that at least three or four choices are now available to Banks to cover their Cyber Crime losses. RBI should therefore ensure that all Banks confirm if they have obtained necessary cover as directed by RBI in its Internet Banking Guidelines of June 14, 2001. Failure to comply with this important regulation should be considered as a serious negligence inviting disciplinary action by way of penalties from the regulator.

According to KPMG’s annual electronic crime report of 2011, cyber liability insurance is still to gain currency with businesses, despite the rising risk. It indicated that 78 per cent of the 200 senior security managers from global businesses said that their companies either did not have insurance or that they were not aware if their companies had any cyber insurance, despite more than half seeing an increase in cyber crime risk over the past 12 months.

The situation appears to have improved in the last two years, as indicated by the recent news report of Business Standard cited here.

Wide availability of Cyber Crime insurance will make a huge difference to the life of Netizens who are today forced to accept technology intrusion into their life. It is also likely to provide a boost to the Information Assurance industry in India. We can therefore look forward to some interesting developments in this area in the coming days.

Naavi


A Mule arrested in Mumbai for Phishing Fraud

Mumbai Police have arrested a person in Delhi and charged him for the phishing fraud in Bank of Maharashtra, Mumbai where a Cooperative Bank (Deccan Merchant Co operative bank) had lost Rs 1.5 crores.

The arrested person is one of the several mules who have been used in the fraud and has reportedly received around Rs 4-5 lakhs.

In this case it is also stated that Rs 89 lakhs were recovered due to timely action by the Bank stopping the withdrawals.

Hope the Bank takes up the balance amount of loss and provides relief to the client.

(Article in TOI)

Naavi


Plight of Cyber Crime Victims in Karnataka

The plight of Cyber Crime victims of Karnataka has been brought out in an article which appeared in New Indian Express today.

See the article here

The article provides the background of the dispute which has also been explained in detail in this website earlier.

The irony of the situation is that while the Adjudicator of Karnataka tried to correct a mistake committed earlier (order of 27th December 2011) by a new order dated 26th April 2013, the Karnataka High Court (Principal Bench Court Hall No 9: WP 21049/2013) has come in the way of correction by quashing the new order and reverting the validity of the earlier order. Under the circumstances, the adjudication order of 27th December 2011 now has the support of the Karnataka High Court and has gained a larger jurisdictional precedence across the Country.

In effect it is the current Karnataka High Court order of 27th May 2013, which has now tied the hands of the Adjudicator from taking up any complaint either by a Company or against a Company and is primarily responsible for the Cyber Crime victims of Karnataka losing the legal remedies provided by Information Technology Act 2000/8.

Though the reason stated in the impugned order of the High Court is one of non compliance of proper procedure by the adjudicator for revoking the earlier order, the facts indicate that the Court had come to its decision in a hurry and disposed of the case on a “Short Point” without taking into consideration the impact the decision would have on the Cyber Victims in general in the State other than the respondent involved in the specific case nor the actual dispute that was represented by the petition. Further, the order of the High Court appears to contain some incorrect factual information, indicating that the Court could have been misled by lack of proper information.

It must be noted that the Court in its order did not stop at quashing the order of the Adjudicator dated 26th April 2013, but went further as to suggest one of the secondary respondents to the petition to approach Cyber Appellate Tribunal for redressal of its grievance though this did not appear to have been prayed for even by the petitioner.

One intriguing part of the order was that while the High Court expressed the opinion that the victim of Cyber Crime involved in the underlying dispute should approach Cyber Appellate Tribunal for redressal of his grievance if any against the order of the adjudicator dated 27th December 2011, the petitioner was allowed to move the High Court and not ordered to approach the Cyber Appellate Tribunal for redressal of his grievance against the adjudicating order of 26th April 2013.

This meant that there was one course of action suggested for a Cyber Crime victim and another for a business intermediary who was being accused of abetting the crime by negligence or otherwise. It appeared as if the Cyber Crime victim in Karnataka is a second class citizen and does not deserve protection from the State High Court while the business intermediary is a privileged entity which can be provided protection.

The decision of the High Court and the plight of the Cyber Crime victims should be seen in the background that the so called Cyber Appellate Tribunal has not been functional since June 2011, about six months before the disputed adjudication order of 27th December 2011. Even when the order was issued and followed up with two other similar orders in January 2012, the Adjudicator knew that the victim cannot get the order reversed through the intervention of the normal appeal process. Even the Karnataka High Court when it gave its order on 27th May 2013 was aware that the Cyber Appellate Tribunal was dysfunctional. Hence its suggestion that the victim should have approached the Tribunal was like condemning the victim along with the entire community of Cyber crime victims in Karnataka.

The decision of the High Court has defined a judicial precedent that affects all Cyber Crime Victims in Karnataka including others who were affected by defective Adjudication orders similar to the order of 27th December 2011. It also provides immunity for Cyber Criminals from the operation of Section 66 of ITA 2000/8 for all hacking and denial of service and other offences committed against a Company.

The Citizens of Karnataka await a favourable decision of the other bench which is hearing the PIL on the non appointment of the Chair person of the Cyber Appellate Tribunal for the opening up of the channel for grievance redressal for Cyber crime victims. However, this case has been pending before the Court for the last 6 months and could drag on for more time. Even if the Court directs the Central Government to appoint a Chair person expeditiously, it could take a long, long time for the appointment to take effect and for the Cyber Appellate Tribunal to hear the appeal and dispose of it.

The more appropriate remedy for the citizens of Karnataka is for the judge who delivered the order of 27th May 2013 to suo-moto review his own order and let the Adjudicator continue his statutory duty cast upon him under ITA 2000/8.

In the meantime the current status of the applicability of Section 43 of ITA 2008 (also linked to Section 66) may come up for discussion in other Courts where the view of the Karnataka High Court would be quoted by Criminals as a precedent to argue that ITA 2008 cannot be invoked against them. This would expose the reputation of Karnataka High Court to a debate in other Courts.

Citizens of Karnataka do not want other High Courts in the country and the Supreme Court to take note of the adverse effect of the order of Karnataka High Court of 27th May 2013 and pass their own comments which could damage the reputation of the Karnataka High Court and hence an immediate suo-moto review appears to be the best course of action.

The Court can at least clarify that the decision was based on the specific circumstances of the petition and does not constitute a precedent nor validate the contents of the adjudication order of 27th December 2011.

Naavi

(…As a Netizen Activist in the interest of all the Cyber Crime Victims of Karnataka who have been adversely affected by the order of the Karnataka High Court dated 27th May 2013 in the WP 21049/2013.)

Relevant Orders for Reference

1. Order of the Adjudicator dated 27th December 2011 (Holding that a Company cannot file a complaint under Section 43 of the ITA 2008 nor a complaint can be filed against a Company)

2. Order of the Adjudicator dated 17th January 2012 (Holding that a complaint cannot be filed against a Company under Section 43 of ITA 2008)

3. Order of the Adjudicator dated 26th April 2013 (Holding that the earlier order of 27th December 2011 has been cancelled)

4. Order of the Karnataka High Court dated 27th May 2013 (Holding that the order dated 26th April 2013 is quashed)