Theme: "Vision for Indian National Cyber Security Force"
What is the strategy used in E-Mail password hacking?
Looking at the pattern of the passwords unearthed by derangedsecurity.com, it appears that the predominant method used for extracting the passwords might have been a "Packet Sniffer" or a "Key Logger". The users might have contributed through their negligence by not having secured their computers, maybe their laptops or home desktops. Naavi.org invites technical experts to send in their views on the possible vulnerabilities exploited in this hacking exercise for publication at naavi.org.
What Should be the Response to the E-Mail Password hacking?
According to one of the TV news channels, in response to the publishing of e-mail passwords of Indian embassy officials at derangedsecurity.com, the Government of India has instructed the officials to stop using e-mails for exchange of confidential information. We trust this is not true. But some time back, when the security risks of WiFi devices had come to the notice of the Government, there was a security advisory to the officials not to use WiFi rather than implementing better security measures. The news report, though scandalous, is therefore not too improbable!
Challenge to Indian National Cyber Security ...(310808)
When Naavi.org and Digital Society Foundation planned to discuss the "Vision for Indian National Cyber Security" as this year's theme for the Digital Society Day, little did we realize that the topic will come to the fore in a national debate with a hacker issuing a challenge to the Indian Government about the security of the e-mails used by key Government officers.
A hacker from Sweden has published the e-mail passwords of several Indian embassies in a blog (http://derangedsecurity.com) to remind the Indian Government of how lax the security governing use of e-mails by Government officers in sensitive positions is. Speaking to Times Now, the hacker reportedly stated "I don't think that what I have done is illegal and I have never hacked into anything. Moreover, I haven't logged into any of these accounts, however, I do have access to emails but that is because of poor security. Once in a while, you do stumble on to some information on the internet. Usually, I contact the people involved and tell them how to fix it, however, in this case I didn't really think that I could -- probably, the Indian government would not have listened or if they would have, they would have charged me with cyber crime."
Though technically Indian law can consider this as a crime under section 66 of ITA 2000, Naavi.org does believe that the hacker in this case has adopted this extreme measure for a good cause and perhaps this is a fit case to grant him a respectful pardon.
It may also be noted that it is not only the Indian embassy passwords that have been stolen by the hacker, but also the passwords of several other country embassies and agencies such as National Defense Academy.
Details in Times Now
P.S: We hope that the discussion which Digital Society has fixed for October 17, 2007 namely "Vision for Indian National Cyber Security Force" now assumes more meaning.
Engineering College students in Karnataka are invited to participate in the related Essay Competition organized by RV College of Engineering. For details send e-mail to Dr K S.Badari Narayana, Professor RVCE, Bangalore on e-mail firstname.lastname@example.org
Cyber Policing.. and business opportunities
“Terrorists and criminals will continue to add their contribution to make the security business prosperous. Be prepared to plan for a long term and you will reap the benefits,” says Na Vijayashankar, director, Cyber Law College and founder of Naavi.org, a techno legal information security consultancy based in Bangalore...if there is a major security breach in the banking industry or the stock market, the impact on the country would be devastating. The lack of security could undermine the growth and credibility of India’s outsourcing industry, which has given the country global attention and recognition. ..the market for cyber security services and products will grow 100 times within five years... It is very important for entrepreneurs not to lose sight of individuals since security is important for every information user. If ‘Mobile Security’ is a target, then millions of mobile users are also the target clients... Article in ET
New Legislation for Sharing IP
The department of bio-technology has drafted the Public Funded R&D Projects (Protection, Utilisation and Regulation of Intellectual Property) Bill, 2007 for giving a fillip to government aided R&D and promotion of the culture of innovation in the country. As per the provisions of the draft bill, R&D institutions funded by the government would be permitted to make applications to protect the IP developed by them in countries of their choice and use the revenue generated from such commercialisation. The funding agency (government) could apply for IPs only in such countries not selected by the institutions. ..More in ET
The Dangerous Trend of Ex-Parte Orders
According to a report in Business Standard, a software vendor, Final Quadrant Solutions, has sued Travel Guru, an online ticketing company, for infringing on its copyright. According to the preliminary reports, Quadrant solutions had provided a solution which was being used by Travel Guru, and Travel Guru decided to terminate the contract and replace the software with a version of its own. Travel Guru contends that they terminated the service due to lack of proper service and that the new version is developed on the Java platform as against the earlier version which was on the dot.net platform. However, it is understood that the company has been restrained from using the allegedly infringing software until the next date of hearing.
In this context, the trend of "Ex-Parte" orders leading to closure of business of the accused based on nothing but the complaint is alarming. ..More
Swiss Cash Website...locked
After Naavi.org reported about the Swisscash, we have been receiving additional information which our readers may find interesting. The latest is that the websites are not working and are reported to have been locked by the registrars. It was stated that the site would be back on August 25th but it appears that it has not yet happened. However, we did receive a communication from email@example.com stating that the ban in Malaysia was politically motivated. We await further developments. In the meantime neither RBI nor SEBI has responded to our request and have neither confirmed nor denied the legality of the investments.
Death Penalty for Cyber Terrorism
It is reported that the Pakistan cabinet has approved an E Crime bill which proposes the death penalty for Cyber terrorism. It is strange that Pakistan is going ahead with stringent Cyber Crime laws where no such requirement has been recognized by the Indian Government. In India the proposed amendments to ITA 2000 which the cabinet has approved have no mention of Cyber Terrorism and plan to make most crimes non cognizable and compoundable so that offenders can have an easy escape route. Report in thenews.com.pk
Freedom Movement for Digital Independence of India
In India we have just completed the celebration of the 60th year of Independence. We are all proud that India successfully snatched freedom from the British rule in 1947 after a non-violent Satyagraha movement led by Mahatma Gandhi. We are also presently debating the proposed "Nuclear Cooperation Agreement" with US. The Communist leaders such as Prakash Karat, Sitaram Yechury and others have been very vocal in their opposition to the deal since they feel that it compromises the security and sovereignty of the country. BJP leaders also agree with these views.
While we leave this nuclear debate to the seasoned politicians, we would like to draw their attention to the need to take steps to prevent colonisation of our digital space through misuse of IPR concept thrust through the WTA and TRIPS agreement.
The immediate concerns about the increasing dependence of the country's economy on US based Copyright/Patented software and the developments regarding DRM through Windows Vista OS have been highlighted in some of the earlier articles at Naavi.org. We feel that there is a strategic attempt to first penetrate the market through development of an addictive dependence on certain proprietary OS and applications and then gradually tighten the screws through new versions and strict copyright restrictions. Finally, with a DRM switch, the control on the operations of all dependent computers will be held by the OS manufacturer with a power to hold the country to ransom if need be.
We therefore feel the need to start a strong movement on decolonisation of the Indian Digital Space. We feel this is as important as the "Freedom Movement" which Gandhi waged against the British. .. More
Avoid Software Piracy
Naavi.org has been advocating building of a responsible Cyber Society where every user adopts a voluntary Cyber Law Compliance programme. One of the most difficult aspects of such compliance is avoidance of the use of pirated software. While we welcome the efforts of the Linux community in trying to develop an alternative to the Windows OS, we must accept that for some time in the near future, common computer user has no alternative to Windows as an OS. While the Linux enthusiasts keep working in this direction, we feel that the time has come for public to slowly reduce their dependence on "Applications" that are copyrighted so that we can first stop piracy at the "Application level".
One of the recent developments that increases our concern is that Microsoft has started pushing its new docx format through Office 2007 which is not compatible with the earlier versions of Word. This is expected to be the trend in future where Microsoft will move towards more and more application dependent document formats. Though these may remain free for some time, they will be integrated with its DRM tools and Microsoft may be able to control a single switch with which they can regulate all computer activities in the world. This is very much like the proverbial "Nuclear Button" which could destroy civilization.
I wish Prakash Karat and Sitaram Yechury take note of this possibility...More
Wikipedia Movement in danger
The recent incidents of motivated editing of Wikipedia have raised doubts whether the movement is in danger of getting discarded by serious Netizens. The complaints concern companies removing adverse features written about them, Microsoft deleting open source related content, CIA deleting content regarding US policy on Iraq etc. There are also some individuals who have been using Wikipedia for their personal promotion. If Wikipedia has to remain the great Internet phenomenon that it started as, there is a need for proper systems to be put in place for regulating content changes. Certain measures that need to be taken immediately include moderation of changes in sensitive Wikipedia pages and retention of earlier versions for certain periods in an archive etc.
Paul canning list of edited sites :Wired list of maliciously edited sites
Senior Database Administrator involved in a Major Data Security Breach
In a major data security leak in USA, a public interest litigation has been launched on two US companies namely Certegy Check Services Inc and its parent company Fidelity National information services Inc., on behalf of 8.5 million consumers. The data is alleged to have been stolen by a data base administrator and sold to direct marketing firms and data brokers. The data represents what Certegy received from its own clients for whom it provides check-cashing services. The stolen data contained about 2.2 million records of bank account information and 99,000 credit card information.
In another recent incident at Toshiba General Hospital, Tokyo, a laptop computer containing personal information and medical records of 51,156 people was stolen. In another incident of laptop theft, two Pfizer laptops were stolen from a locked car in Boston. The laptops contained the names and Social Security numbers of health-care professionals.
In one more incident to be taken note of, Loyola University in Chicago discarded a hard disk without erasing data and compromised the social security number details of about 5800 students.
These incidents highlight the legal liability risks associated with inadequate data security. Indian BPOs and IT Companies handling data should also realize that similar legal liabilities may also arise on them either directly or under the indemnity clause they might have signed in the SLA.
The managements of these companies therefore need to revisit their Information security policies and check if they have adequately covered themselves with a "Data Protection Audit".
The Days of Cyber Armies are here
The 60th anniversary of Indian independence has come and gone. Our politicians have made their speeches for the ceremony and gone back to their pastime of dividing the country through issues such as the "Caste based reservations in Judiciary".
At no time during the discussions on the independence day have the Prime Minister or the senior politicians expressed a vision or even a stray thought about the requirements of Cyber Security for India.
It would be interesting for us to note that USA has already established a "Cyber Command" under the Air Force command. Cyberspace became an official Air Force domain in USA, like air and space, on Dec. 7, 2005, when Secretary of the Air Force Michael W. Wynne and Air Force Chief of Staff Gen. T. Michael Moseley introduced a new Air Force mission statement that included the words "to fly and fight in air, space, and cyberspace."
Presently, in India, CERT-In is considered as the nodal agency for Cyber Security in India and there have been some private initiatives to fight against Pakistani hackers. These are inadequate and inappropriate to meet the national security issues arising out of Cyber Space. Ideally they can be part of the national Cyber defense structure.
The increasing dependence of the economy on computers underscores the urgent need for a National Cyber Security Force in India. It would have been appropriate if we had initiated some action when a technical visionary such as Dr Abdul Kalam was the Supreme Commander of our armed forces. But at least now when Dr Kalam is free to pursue innovative independent thoughts, it would be appropriate for him to provide the necessary leadership in this direction.
Naavi.org therefore urges Dr Abdul Kalam to act as the coordinating force to take up this issue of establishing an "Indian National Cyber Security Force" with a suitable structure of command that merges into the existing three security commands, Army, Navy and Airforce. In our opinion, Cyber Space command has to be an independent structure and not necessarily part of the Air force structure as in the USA. It can be the fourth wing of our defense system.
We invite suggestions in this regard at firstname.lastname@example.org
Related Articles: Here Comes the Cyber Wars.. Are We Ready? 8th Air Force to become new cyber command
Cyber Crime Complaints and Resolution Assistance Center (CC-CRAC)
In order to build a repository of Cyber Complaints, Naavi.org has decided to document Cyber Crime complaints received at our end. It is envisaged that as an NGO, Naavi.org may contribute to the resolution of such disputes in some cases. The objective of this effort is to provide some basic guideline to a complainant on how to proceed with the resolution of the problem and enable him contact the appropriate Cyber Crime police officer.
It is hereby declared that Naavi.org does not undertake any investigation regarding complaints received and does not warrant the genuineness of the complaint. In cases where the accused is identified through an e-mail address, a copy of the complaint will be sent to him for his comments and his/her reply if received will be posted on the website.
Naavi.org reserves the right to reject documentation of any complaint or to remove a complaint already documented. This service is a free public service and has no relation to any other service provided by Naavi or his associates.
We would invite public spirited Cyber Law Aware advocates in different cities to associate with this "Cyber Crime Complaints and Resolution Assistance Center" and help in the cause. We would be directing the complainants from the respective places to contact them for guidance.
We also invite Women NGOs to associate with assistance regarding pursuance of Women related Cyber Crimes and Child Welfare NGOs to associate for assistance regarding pursuance of Children related Cyber Crimes.
Any communication in this regard can be sent to email@example.com
August 15, 2007
Inconsistent Law Enforcement Policies
One of the important requirements of law abiding society is a fair law enforcement system. While in recent days, persons such as Justice Kode who tried the Bollywood Actor Sanjay Dutt raised the hopes of common citizens that justice is still alive in India, the way Hyderabad Police have reacted to the Taslima attack case in Hyderabad have put a huge question mark on the professionalism in our Police force.
In the meantime it is reported that in Tamil Nadu, a student has been arrested for having sent a threatening mail to the CM. It is reported that the student was mentally disturbed and was perhaps acting under depression. Though this was a case fit to recommend a sympathetic handling, one can say that TN police stuck to the rule of law.
On the other hand, in Hyderabad the threat that "a person will be beheaded if she enters Hyderabad" was considered light enough by the Police not to initiate immediate action. It was of course amusing that the Police filed a case on the threatened victim for instigation. If this is an indication of the erratic manner in which law would be interpreted by certain Police officials, one can understand the rise of Naxalism and why it is so rampant in A.P.
It is time those who are concerned with the development of a law abiding democracy in India reflect on how such inconsistent law enforcement policies affect the country in the long term. I wish some Sociologists conduct a study of the impact of these incidents on the young impressionable minds and how they may contribute to the development of deviant behaviour in the society.
Chennai story : Hyderabad story : Mumbai story
Mumbai Police Monitor On-line soliciting
Social Services Branch at the Crime Branch, Mumbai is monitoring orkut and have zeroed in on some prominent and other not-so-prominent Bollywood celebs involved in the flesh trade. It is also reported that two Mumbai aspiring actresses and a model, who solicited clients through websites social networking groups, were arrested by the Nagpur rural police last week. Report at daijiworld..130807
Shared Information Security Infrastructure (SISI)
Information Security has been recognised as a key requirement of any organization which is ICT enabled. Naavi.org has been advocating Techno Legal Information Security as the requirement of the day instead of only the Technical security measures. In order to increase the prospect of "Voluntary Cyber Law Compliance" there is however a need to bring down the cost of compliance to affordable levels. This is more so in case of SMEs.
In view of this requirement Naavi's Cyber Law College recommends setting up of "Shared Information Security Infrastructure" (SISI) for virtual clusters of SMEs. A technical team has been assigned under Ujvala Consultants Pvt Ltd to address such requirements for a group of small industries.
Creation of SISI centers will effectively create a "CyLawCom zone" and such zones at different parts of the country would provide confidence to the vendors who would like to outsource their business to India and more particularly to the non metro towns.
We suggest Karnataka Government to take up a pilot project of such nature in one or two centers outside Bengalooru and create a model for the country....More
Digital Society Day 2007
Digital Society Foundation a trust founded by Naavi will be commemorating October 17th as the Digital Society Day as the day "Digital Society" was born in India. It is the day when in 2000, ITA 2000 was notified and an electronic document became legally recognized in India for the first time.
Last year, a similar commemoration was held in Bangalore in association with Computer Society of India. The commemoration was launched by the Honourable Justice Sri N Kumar and was followed by an interesting and educative panel discussion on “Cyber Crimes” in which eminent persons from Police and Industry participated. This year DSF again intends to commemorate October 17th as the “Digital Society Day”. In this connection we intend to have a half day evening event followed by dinner. We also propose to hold a panel discussion on “Information Security as a Key Enabler for LPOs”.
We solicit participation from Organizations and companies in the event who can also share some of the responsibilities or sponsor the event and request such organizations to contact the Secretary. Individuals who would like to participate are also requested to contact the Secretary.
Malaysian Government Bans Financial Scam Websites
The Securities Commission (SC) of Malaysia passed a worldwide Mareva injunction against the Swisscash Internet investment scheme bringing the total number of sites blocked from public access to 10.
In a statement, the SC said it is working with the Malaysian Communications and Multimedia Commission and CyberSecurity Malaysia to “track, identify and block access to websites promoting investment scams to the Malaysian public”. The SC also said the same action would be taken against mirror sites, advising investors to withdraw their money immediately as they would not be able to access their accounts once the mirror sites are blocked.
Despite being notified, SEBI and RBI are yet to make any public announcement in this regard as Indian investors continue to fall prey to the Swiss cash scam.
ET Consilience 2007- Seminar on LPO
The seminar on outsourcing conducted by Times of India group at Bangalore brought many stalwarts from the industry on a single platform to discuss various issues of relevance to the outsourcing industry. Experts concurred that bigger things are yet to happen in the outsourcing industry and India continues to be the preferred destination in the world. It was however pointed out that Israel and Northern Ireland are emerging as serious competitors beside Russia and China and India needs to be on its toes to retain its momentum. The seminar discussed Legal Services outsourcing and Engineering services outsourcing in detail. Clinical Research outsourcing and Market Research Outsourcing were also explored.
Naavi, chairing the legal outsourcing discussions, highlighted that Law graduates need to be trained in US/UK legal practices to make them "LPO Ready". He also highlighted the need for Information Security culture to be developed in LPO industry to improve the confidence of the international vendors. Mr Murali Neelakantan of Arnold and Porter, Mr Russel Smith of SDD Global, Mr Ganesh Natarajan of Mindcrest and Mr Mathew Banks of Integreon participated in the discussions. The experts who discussed the Key Enablers for LPOs in India felt that Cost and Convenience continue to be big drivers but Quality is a critical concern. They urged the Indian industry to develop the necessary expertise to enable them to move up the value chain. Mr Russel Smith of SDD Global highlighted that the quality of work done by Indian LPOs is on par with the best in US and the cost savings are enormous. He opined that there is every reason for US law firms to set up full fledged establishments in India at a low cost and yet deliver quality service. Mr Murali Neelakantan also highlighted that the cost of legal service at the high end in UK is around US $ 300 to 1000 per hour and there is a lot of scope for Indian LPOs who are presently working around US $ 30 to 100 per hour with their best talents.
Mr M N Vidyashankar, IT secretary, Government of Karnataka in his valedictory speech indicated that this year's IT.com at Bengalooru would focus on KPOs. He also outlined several measures the Government of Karnataka has taken to improve the technical education in the State to make the Engineers, "Industry ready".
International Cyber Law Research Center (ICLRC)
Naavi's Cyber Law College has set up a virtual Research Center for study of Global Cyber Laws. The objective of the center would be to undertake comparative study of Cyber Laws such as "Computer Crime Laws", "Data Protection Laws", "Electronic Signature Laws", "Cyber IPR Laws" etc. Like the parent venture, this will commence as a purely virtual center. Naavi will function as the Director of the center. Associations are invited from individuals, firms and academic institutions to strengthen the initiative. (290707) See www.iclrc.org
Maryland University introduces Technology Law Course to Technology students
Cyber Law College has been pioneering the concept of Cyber Law for Technology Students and it is interesting to note that the US university at Maryland has proposed to introduce a similar course for their technology students. Hopefully, some of the Indian Engineering and MBA colleges will soon think of a similar course here.
RBI and SEBI Remain Silent on Swisscash.net
Despite the direct query, both RBI and SEBI are silent on their views towards swisscash.net. More delay may mean more investors getting locked in the scheme. It is time MCIT also looks into such frauds through internet and block such sites or create suitable alerts.
Jamaica Issues Warnings on Swisscash.net
The Financial Services Commission (FSC) has issued a new alert about a company called SwissCash, saying it was not licensed to sell securities in Jamaica. The company, whose website promises returns of 25 per cent per month on U.S. dollar investments, has representatives here soliciting business, according to the regulator. details at jamaica-gleaner.com
A Response from a Swisscash.net investor
I am from US and I invested $2000 3 months ago to swiss cash. 3 weeks ago I tried to wired out $1000 but never works. I tried to contact them but never got response. 100 % swiss cash scam now I try to contact my district attorney and start need help from US government. hopefully they may find terrorist link to swisscash some thing, I know a lot of victims in US already, I think soon swiss cash will have real trouble when the government start jump in.
By the way my swiss cash ID :ustom3140901
and my Email : firstname.lastname@example.org
Any body or victim has question please contact me but first please stay away from swiss cash , please post this message to any where on the internet for people aware.
PS: We do acknowledge that there are many web references stating that people have actually received the benefits. We are trying to get some responses from them too. However we know that in a pyramid scheme, there are many planted positive stories that appear and we need to filter them with great effort...Naavi
India is a Soft State and a global haven for terrorists
India is considered a soft state and a safe haven for global terrorists where the governments are unable to distinguish between national interests and political interests and take criminal friendly decisions that a country such as USA, UK or Australia would never take. This tendency to remain soft for political gains is extending to the cyber space and soon cyber criminals may also consider India to be a safe haven for cyber crimes.. details
Swisscash.net .. Clarification sought from RBI/SEBI
Following our earlier mention about the swisscash.net scheme, several enquiries have been received by Naavi.org from prospective investors. In order to get clarification, Naavi.org has written to RBI and SEBI. When received, the replies will be posted on the website. Details
Kerala Government takes New Initiatives to handle Cyber Crimes
The Kerala Government has launched a web portal and a call centre to prevent cyber crimes. The portal- www.cyberkeralam.in - and the call centre –Phone number: (0471) 2727004 - are being launched by the Kerala IT Mission in association with the High Tech Crime Enquiry Cell (HTCEC) of the State police and the Resource Centre for Cyber Forensics, CDAC, in Trivandrum. The portal would function as an interface to help the public deal with cyber crimes. Report in Hindu
PR Syndicate honours 'Cyber Law Guru of India', Na.Vijayashankar
PR Syndicate (an organization of Corporate PR Professionals in Chennai) celebrated its First Anniversary on 20th January 2007 at Russian Cultural Centre. On the occasion, the "Award of Excellence in Public Life" was presented to 'Cyber Law Guru of India' Na.Vijayashankar...More
Naavi's latest book "Cyber Laws Demystified" was soft launched at the Nimhans Convention Center during the Indian Police Congress. The book is a comprehensive coverage on Cyber Laws both ITA-2000 as well as IPR and other issues.
Structured into 24 chapters it also covers the proposed amendments to ITA-2000 in detail as an appendix. A copy of the Information Technology Act 2000 is also appended to the book.
The book also has several individual chapters on the legal issues of Cyber Banking, Cyber Advertising, Cyber Taxation and Cyber Terrorism.
The book is priced at Rs 750/-.
What is Naavi.org?
Naavi.org is India's premier portal on Cyber Law. It is not only an information portal containing information on several aspects concerning Information Technology Law in India but also represents the focal point of several services around Cyber Law carried on by Naavi.
The first such service is the Cyber Law College a virtual Cyber Law education center in India which provides various courses on Cyber Law.
The second key service is the Cyber Evidence Archival center which provides a key service to help administration of justice in Cyber Crime cases.
The third key service is the domain name look-alikes dispute resolution service which provides a unique solution for websites with similar looking domain names to co exist.
The fourth key service is the online mediation and arbitration service another unique global service.
The fifth key service is the CyLawCom service which represents the Cyber Law Compliance related education, audit and implementation assistance service.
Additionally, Naavi.org is in the process of development of four sub organizations namely the Digital Society Foundation, Naavi.net, International Cyber Law Research Center and Cyber Crime Complaints and Resolution Assistance Center. Digital Society Foundation is a Trust formed with the objective of representing the voice of Netizens in various fora and work like an NGO to protect their interests. Naavi.net is meant to develop a collaborative distributed network of LPO consultants. International Cyber Law Research Center would support research in Cyber Laws and Cyber Crime Complaints and Resolution Assistance Center would try to provide some support to victims of Cyber Crimes.
Together, Naavi.org represents a "Cyber Law Vision" that goes beyond being a mere portal. Started in 1997, when the concept of Cyber Law was new across the globe, consistent efforts over the last decade have brought Naavi.org to the beginning of "Phase 2" in which the services are ready to reach out to a larger section. This is recognized as the phase of collaborations and growth by association. Naavi.org will therefore be entering into a series of associations to develop each dimension of its vision with an appropriate partner. Individuals, Organizations and Commercial houses which have a synergistic relationship with the activities of Naavi.org are welcome to join hands in commercial and non commercial projects of Naavi.org.