Cyber Law College Franchise Center Opened in Ahmedabad
Comments on the Parliamentary Committee Report on ITA2006
Public Comments Sought: e-Governance Standards
The Government of India has created working groups of experts to study and suggest standards for various e-Governance transactions. One such standard proposed is for Identity and Access Management. Public comments are invited on the draft before October 3rd. The draft is available here for perusal.
Naavi.org urges that a single national digital identity should be promoted and such identity can be the digital signature certificate which can be used both for individual identity as well as authentication of documents for security purpose. For simplification of use, the use of hardware token with or without biometric support would be preferable to password based systems. However measures to reduce cost of such systems need to be debated.
The standards should therefore try to eliminate the multiple access identities such as PAN Card, Passport Number, Voter's ID etc. Naavi.org also suggests that "Single Sign on" is not an efficient system and should not be the standard. Also there would be need for standardization in terms of classes of digital certificates and other aspects of security without preventing technical innovations that may come up in future.
Swiss Cash- Money Ordered to be returned
The Securities Commission (SC) of Malaysia has secured a court order to direct one of the defendants, Amir Hassan, to transfer back to Malaysia all Swisscash monies held in bank accounts overseas within seven days. A sum of about RM35 million is currently held in six bank accounts in Hong Kong and eight bank accounts in Singapore according to a statement made by SC... Details
Microsoft is fully compatible with Indian Politicians
Microsoft's Office 2007 saves documents in a default format called "Open XML". Though this is called "Open", it is actually "Closed", since it is a proprietary format which cannot be viewed without Office 2007. Even the earlier versions of the Office products cannot view the files without further upgradation. While Microsoft has every right to create a restrictive product, it has no right to misname it as "Open". This is like the Indian politicians who call "Communalism" as "Secularism" and "Power Grabbing" as "Power Sharing". Just as we have learnt to call such brand of communal secularism as "Pseudo Secularism" and "Power Grabbing" as "Opportunistic Power Sharing", we need to call Microsoft's "Open XML" as "Pseudo Open" format.
We welcome Microsoft's move in that it now gives users a good reason to move away from Microsoft Office towards open source office applications such as AbiWord or open source office.
Related Article: Freedom Movement for Digital Independence of India
Bangalore Cyber Crime Police Station Solves a Cyber Fraud Case
It is reported that Bangalore Cyber Crime PS has recently solved a Cyber Fraud case involving fraudulent withdrawal of money from a Bank account. This is good news. It must however be remembered that in a recent incident of similar nature reported at one of the off-Bangalore centers, Police did not even proceed with the case since the Cyber PS was too busy. Even police in Chennai are displaying a similar attitude of late.
It appears that Cyber Crime Police Stations in the country have started becoming very choosy in selecting cases for action and this does not augur well for establishing the proper trust in the system... Report in DH
ITA 2006 to be further revised
The parliamentary committee is reported to have suggested further modifications to the ITA 2006 with an effort to clarify that "Grooming of Children for sexual relationship" would be specifically listed as an offence. The committee has also expressed the desire that India should be part of international cyber crime treaties. Accordingly, a fresh draft of the Act is proposed to be developed soon by the Ministry of IT. At a time when ITA 2000 is being amended to provide more powers to the CERT-In director, it appears that the current incumbent is due to be replaced. Hopefully this critical position would be occupied by an appropriate "Information Security Expert". More in ET
Fraud on Poets
An interesting fraud attempt has come to the knowledge of Naavi.org. This is a fraud from a website www.poetry.com which offers fabulous prizes for poets who submit poems for a contest. Every contestant is told that the winner is based on the number of votes received by him. This encourages the contestant to send out mails to all his friends requesting for a review and inviting them to view the poem on the site. This results in free publicity to the site. According to the reports of many past winners, the contest is a scam and there will be demand of money from the winners. Publishing the poem may also transfer copyright to the website and deprive the writer of its further benefit. View the reports
Security in Indian Banking
The recent reported hacking of Bank of India website and planting of Trojans through the site has alarmed Bank customers using Electronic Delivery Channels such as ATMs and Internet Banking. Mr Rajendran, an experienced Banker looks at the issue of security in Electronic Delivery Channels in this detailed article...Click here for the article
ITA 2006 to be Reviewed
It is now reliably learnt that the amendments proposed to ITA 2000 in the form of ITA-2000 Amendment Bill 2006 have been rejected by the Parliamentary committee. The proposals will now be reviewed and further changes may be proposed to ITAA 2006. ET Report
Fingerprint Scanning: Is it foolproof security?
Security Experts have warned that even a biometric security procedure such as fingerprint scanning can be faked with the use of new technology, details of which may be easily available on the net.... more in tech2.com
Hacking of Election Commission Website raises concerns
The recent hacking / redirection of the Indian election commission website has raised security concerns regarding information archived on the site. Though this appears to be a DNS re-routing rather than hacking into the information, since this has happened in the .gov.in domain, it may indicate similar vulnerabilities on other Government websites. Additionally, the Bank Of India website was also reportedly hacked and 22 trojans were implanted on the site. This again indicates the fragile nature of Indian e-Banking security. Unless there is a serious attempt to safeguard the national cyber space, we are in for more alarming situations in the future... Article in ET
Lessons from Dan Egerstad
Dan Egerstad the Swedish security professional who made news recently by publishing the e-mail passwords of several Indian embassies has done a good service to the security community by focusing on the risks associated with the use of unencrypted messages.
The International Cyber Crime Conference held in Delhi recently failed to discuss this issue and a remedy for such user level security loopholes. Secondly, now that it is clear that some of the sensitive information has been compromised, there was a need for the discussion of how to deal with the compromised information. This requires an analysis of what type of information has leaked and how sensitive it is and what remedial steps are to be taken to prevent misuse of the leaked information.
Though the conference failed in this respect, we urge CBI to initiate steps now to counter this security threat. Perhaps they should start with monitoring of the inventory of software used by the users on their computers, identify associated risks and risk mitigation requirements.
International Cyber Crime Conference and Gmail
The recently concluded International cyber crime conference in Delhi discussed several aspects of International Cooperation in cyber crime investigation.
One issue which is confronting Cyber Crime investigators the world over is the need to trace the IP address from e-mails received. This is a fundamental requirement of any cyber crime case whether it is "Spam" or "Harassment" or any other serious abuse. Even in most of the cases where a litigation process has to be commenced, IP tracing becomes the condition precedent before a case can be registered in a Court in the normal course. Sometimes, IP tracing also indicates the jurisdiction in which the sender is operating.
Until recently, any recipient of an e-mail would be able to view the header information from the mail received. Of late, Google has started an obnoxious practice of hiding the IP address through a proxy in what they claim is a bid to protect the privacy of its clients. This has made it very difficult for the recipients of emails from Gmail accounts to trace the IP addresses of the senders. They may have to serve a notice on Gmail, perhaps with a subpoena, to get this simple information. If this consumes time, then the investigation may get derailed.
The International Cyber Crime conference should have addressed issues like this and found the means to sort out these issues. The conference however failed to make such concrete efforts to improve the cyber crime investigation infrastructure.
Will CBI at least now take steps in this direction?
International Cyber Crime Conference ignores derangedsecurity.com
The three day International Cyber Crime conference in Delhi is over. Officials of CBI must be patting each other's back for a conference well organized. According to the press reports, the conference called for a global cyber crime fighting agency for electronic crime, as well as the standardisation of international laws. ...
...The least that the conference could have attempted to do is to create a national cyber crime authority so that neither the vested commercial interests that influence MCIT nor the vested political interests that influence CBI would have a free rein to interfere in the "Law Taking Its own Course". It appears that no action towards establishment of an Indian Cyber Crime Coordination Agency has been discussed in the conference.
Another area where the Conference appears to have failed to take any action was in responding to the expose of Dan Egerstad, who demonstrated the weaknesses in the Government communication system. ....
...Yet another area of discussion was the "Protection of privacy rights Vs National Interests".
... The conference appears to have not addressed some of these simple but practically important procedural issues which need to be sorted out before we can address other global issues...Details
Global Agency Recommended for tackling Cyber Crimes
In the three day conference on Cyber Crimes organized at Delhi, CBI suggested setting up of a monitoring agency on the lines of International Civil Aviation Organisation (ICAO) and International Telecommunication Union (ITU) to curb the menace of cyber crime. It also suggested a model law on Cyber Crimes on the lines of UNCITRAL model law on e-commerce. Report in ET
MCIT to fund CBI for Cyber Crime Tools
The union minister of the MCIT, Mr Raja, speaking at the valedictory function of the three day conference on Cyber Crimes, stated that the Ministry of Communications and Information Technology would be giving a grant of Rs. 3.5 crore to enable CBI to install the latest software tools to fight Cyber Crimes. He also indicated that the Department of Information Technology has worked out a strategy which includes the security assurance framework, incident and alert system in respect of information security breaches for cyber community, legal framework, research and development and training awareness in the area of information security and cyber forensics. Press Release
Cyber Crime Complaint on China Website
Cyber Crime Complaints and Resolution Assistance center has received a complaint from a citizen of Noida about the website www.eu-wow-mart.com regarding non-fulfillment of an order placed through the website. More details and the response from the accused are awaited. Cyber Crime specialized lawyers from Noida who can assist the complainant on behalf of Naavi.org may kindly contact Naavi. Details
Conference on Cyber Crimes focuses on Money Laundering
Inaugurating the International Conference on Cyber Crimes at Delhi, the Union Home Minister drew the attention of the audience to money laundering through e-channels for terrorist funding. Officials from 37 countries also discussed identity theft, online bank fraud, Internet gaming and the risks of online terrorist activity. Interpol has proposed the creation of global and regional anti-crime centers to fight criminal activity online and respond quickly to emergency cyber crime alerts. Report in Herald Tribune
Cyber Terrorism Should be Recognized as an offence under ITA 2000
Naavi.org has raised certain issues connected with the International Conference on Cyber Crimes organized by CBI in Delhi. While the conference is now in progress, here are some thoughts on the issues raised earlier through our article of September 10th.
Here are some more suggestions on new Cyber Crime definitions required to be added to the statute. These have not been addressed even in the proposed amendments to ITA 2000 which are now under consideration... More
Cyber Crime Help Desk Required at CBI
Naavi.org has raised certain issues connected with the International Conference on Cyber Crimes organized by CBI in Delhi. While the conference is now in progress, here are some thoughts on the issues raised earlier through our article of September 10th. Hopefully the august audience will find solutions for these issues...
One of the suggestions that Naavi.org would like to put forth is for CBI to designate one officer as a "Cyber Crime Help Desk". This will provide the much needed coordination between Cyber Crime Police Stations in different states and the CBI... More
Major Security Breach reported in Chennai
A 37 year old former employee of Caterpillar Inc has been arrested under the charge of having hacked into the Company's server using the password of another colleague and stealing some confidential data. It is reported that the offence has been linked to the accused on the basis of a closed circuit TV recording and system logs. At the time of arrest, the accused has been working in another company in Bangalore and it is stated that a hard disk containing incriminating evidence has been seized. The case would be interesting from the point of view of Cyber Evidence collection and seizure and it would be worth watching how the case proceeds further. Report in Computer World
Indian Banks targeted by Hackers
The recently reported hacking of Bank of India's website, in which a hacker surreptitiously planted malware on the site that installed itself on the computers of visitors and transmitted sensitive information to the hacker, has highlighted the lack of security in the Internet operations of the Indian Banks. Report in ET
Amendments to ITA 2000 Cleared?
It is reported that, speaking at an International Conference on Cyber Crimes organized by ASSOCHAM in Delhi, the Minister of State for Home Affairs, Sriprakash Jaiswal, announced that the parliamentary standing committee has informed the Home Affairs Ministry that it had cleared the new cyber crime Bill. (This presumably refers to the ITA 2000 amendment Bill 2006.)
He further disclosed that a committee would be set up under a private public partnership (PPP) model, drawing officials from law enforcing agencies and professionals from the IT industry, to visualise threats from cyber crimes and suggest necessary remedies to the government. The effort is welcome. However the proof of the pudding is in the eating. When an expert committee was formed in 2005 for recommending amendments to ITA 2000, the GOI formed a committee which had a skewed representation. This resulted in the amendments falling completely short of the expectations of the community. Hopefully, the now proposed committee, which is under the Ministry of Home Affairs, would be constituted more professionally. Report in Indiainfoline.com
Orkut.com used by Ultras in Assam
Criminal Investigation Department (CID) in Assam has indicated an increasing use of cyber tools by the insurgent groups to interact. Insurgent groups including the banned United Liberation Front of Asom (ULFA) and NSCN (I-M) are relying on social networking sites such as Orkut.com to stay in touch... Article in Assam Tribune
Indian Police to Install Key Loggers at Cyber Cafes?
It is reported that Indian Police in Mumbai is insisting that Cyber Cafes install monitoring software that contains a key logger. While this move is being defended as a measure to monitor terrorist activities, the move is fraught with danger.
Apart from being a privacy nightmare, it can lead to stealing of passwords to e-mail accounts and Bank accounts and to commission of frauds. Criminals may also use it as a pretext to fake fraudulent withdrawals from Bank accounts, holding the Police monitoring responsible for the fraud. Since this would not come under "Negligence", any person who has used one of the Cyber Cafes in which monitoring software is used could claim that the money withdrawn from his Bank account was taken by a Police officer who got the information.
It is unlikely that there would be enough checks and safeguards against such happenings and if implemented, Police would be entering a dangerous zone with unknown consequences.
The move could lead to a serious blow to the credibility of Internet Banking system in India which is still working under the system of password based access security though Indian law supports only a digital signature based access authentication.
International Conference on Cyber Crimes
CBI is organizing a three day International seminar on Cyber Crimes in New Delhi from September 12th. It is expected that over 100 participants from different countries would discuss various issues including Cyber Terrorism and ways to combat the same. Naavi.org attempts to list the issues which need to be debated in such a conference.... More
Parliament Committee Unhappy with ITA 2000 amendments
It is reported that the standing committee of Parliamentarians has expressed its unhappiness about the proposed amendments to ITA 2000. We are awaiting full information on the suggestions made if any. Naavi..090907
Related report in TOI
SwissCash Vanishes!... 080907
In continuation of our prior reports, it appears that the end of Swisscash.net has perhaps arrived. The site has been having some difficulty for some time and going off once in a while. It was earlier explained as a server problem. But this time it appears a little more permanent. The website www.swisscash.net is now not accessible and this is confirmed in a report from a newspaper in Jamaica. It is unfortunate that except Naavi.org no other media in India could identify this fraud, while regulators like RBI and SEBI chose to remain quiet while hundreds of investors invested their hard earned money in the dubious scheme. ...Report in Jamaican newspaper
Mumbai to Open a Cyber Crime Police Station
An exclusive Cyber Crime Police Station to try offences under ITA 2000 is proposed to be set up in Mumbai according to a report in TOI. The police station with a state wide jurisdiction is expected to be functioning within three months. It will be the third such police station in the country after the ones in India’s IT meccas of Bangalore and Hyderabad. The cyber police will also tackle financial terrorism, which involves money-laundering and hawala, and the online flesh trade. Report in TOI
Indian Cyber Space Vulnerable to Chinese Attack
China reportedly routinely engages in cyber reconnaissance by probing computer networks of other governments. According to Financial Times, twice in the past three months, cyber-war experts within the Chinese military have been caught virtually red-handed hacking into defense and economic computer networks in Germany and the US. In the light of the recent hacking of Indian embassy information network, it appears that Indian Cyber Space is vulnerable to Cyber space attacks from China. The Government of India should provide the necessary confidence to the Indian citizens that we are well prepared in the event of a Cyber Warfare and particularly our critical military warfare such as the missile launching systems are well under our control. Article in dna
Can States Pass Laws for the Cyber Space?
When Information Technology Act 2000 (ITA-2000) was passed in 2000, it was thought to be a special central legislation passed at the instance of UNO. Hence it was given jurisdiction over Jammu and Kashmir along with the extra territorial jurisdiction under Section 75. The Act gave powers to State Government to pass rules under Section 90. These powers are restricted however to what was required to give effect to the provisions of the Act.
Now it is reported that the Orissa Government is planning to introduce new laws to protect Children. .... These developments give rise to an important issue of whether such legislation comes under the jurisdiction of the States. Though "Law and Order" is a State responsibility, whether "Law and Order in Cyber Space" is a State responsibility is a question which needs to be settled.... More
Monster.com site hacked
The Monster.com site is reported to have been hacked by a Ukrainian hacker and data of more than a million users of the Monster.com job search site has been compromised. Hackers have also accessed a U.S. government career site that the company runs for the U.S. Office of Personnel and Management. What is surprising is that Monster.com had known about the breach for over a month and remained silent until Symantec disclosed a massive phishing attack based on the compromised data. This represents the typical corporate response of wishing away a security problem. However in the process they endanger the victims more than they would have done if they had alerted the users earlier. Report in newsfactor.com
How Do We Respond to Dan Egerstad?
There are different views on how India should respond to the incident of exposure by Dan Egerstad. Naavi.org at this point of time takes the view that Dan Egerstad is only a security buff who wanted to expose the security weakness in the system and did not have malicious intentions. We therefore would like to focus attention on what lessons can be learnt from the incident.
At present it appears that the GOI is not ready to come up with any public explanation about its response. We urge the GOI to hold a press conference to assure the public of the safety of confidential communication in the Government sector and in particular answer the following queries.
Does CERT-In or NIC express regret for the incident?
Does MCIT which conducts many security related certificate courses explain if they have ever conducted information security drills for the embassy officials?
If so, how is it that some of them are still using passwords such as 1234 etc?
What is the Controller of Certifying Authorities doing? Has he educated the embassy officials about the use of digital signatures and encryption of communication?
GOI has made use of digital signatures compulsory for filing corporate returns and IT returns. But why did not the same Government consider it necessary to mandate use of secured digital signatures and encryption for inter ministerial correspondence?
If any employee in an IT organization does not practice security culture and endangers the information of the company, the IS manager and CEO will be considered responsible. Similarly the lack of security culture amongst embassy officials which has endangered the national security needs an explanation from the highest authorities in the political system. Will they respond?
When Mr Avnish Bajaj, CEO of baazee.com, was arrested under Section 67 of ITA 2000, our political leaders expressed the concern that the Indian Cyber Law was too stringent and moved to dilute the same with amendments. Now Dan Egerstad has shown that our Country's information is not safe in the hands of our embassy officials. Will the Government now think of making the law more stringent while debating the proposed amendments which are in the parliament at this point of time?
We wish we will get answers to these from the Government representatives rather than a circular to all embassy officials to stop using e-mails for confidential communication ! (As reported by some news channels)
03, September 07
Email usernames and passwords Hacked - Can we punish Dan Egerstad, By K.S. Sudheer
(Ed:Views expressed in this article are the views of the author only)
August 29th, whole world is taken by surprise, 100 email usernames and passwords of most sensitive installations are revealed over internet by a man who calls himself to be a technology security advisor from Sweden. Emails include organizations like DRDO, NDA, Indian embassy of Sweden, and other key offices.
State should not view this act as a mere technical security breach, but since this has involved institutions of national security and Indian embassy which is also Indian territory for all purposes, amounts to an Offence Against The State and also qualifies criminal conspiracy against the state and Waging A Cyber War against government of India as per section 120 and 121 of IPC questioning the security and integrity of the state punishable with death penalty....more
PSU Website Converted into a Pornographic Site
In a repeat of what happened to CII-South website a few years ago, the website www.ciwtc.com which belonged to Central Inland Waterways Transport Corporation Ltd (CIWTC) — a Kolkata-based PSU under the Ministry of Shipping, Road Transport & Highways has omitted to renew the domain name which has now been replaced with a Russian site with elaborate pornographic links for over a month now. It is understood that the PSU has filed a police complaint. Perhaps it would have been apt if the PSU had simultaneously launched a domain name arbitration under UDRP to strengthen its position. Report in IE
PS: The PSU has now adopted a new domain name www.ciwtcltd.com
PR Syndicate honours 'Cyber Law Guru of India', Na.Vijayashankar
PR Syndicate (an organization of Corporate PR Professionals in Chennai) celebrated its First Anniversary on 20th January 2007 at Russian Cultural Centre. On the occasion, the "Award of Excellence in Public Life" was presented to 'Cyber Law Guru of India' Na.Vijayashankar... More
Naavi's latest book "Cyber Laws Demystified" was soft launched at the Nimhans Convention Center during the Indian Police Congress. The book is a comprehensive coverage on Cyber Laws both ITA-2000 as well as IPR and other issues.
Structured into 24 chapters it also covers the proposed amendments to ITA-2000 in detail as an appendix. A copy of the Information Technology Act 2000 is also appended to the book.
The book also has several individual chapters on the legal issues of Cyber Banking, Cyber Advertising, Cyber Taxation and Cyber Terrorism.
The book is priced at Rs 750/-.
For Enquiries and Bulk orders click here.
What is Naavi.org?
Naavi.org is India's premier portal on Cyber Law. It is not only an information portal containing information on several aspects concerning Information Technology Law in India but also represents the focal point of several services around Cyber Law carried on by Naavi.
The first such service is the Cyber Law College a virtual Cyber Law education center in India which provides various courses on Cyber Law.
The second key service is the Cyber Evidence Archival center which provides a key service to help administration of justice in Cyber Crime cases.
The third key service is the domain name look-alikes dispute resolution service which provides a unique solution for websites with similar looking domain names to co exist.
The fourth key service is the online mediation and arbitration service another unique global service.
The fifth key service is the CyLawCom service which represents the Cyber Law Compliance related education, audit and implementation assistance service.
Additionally, Naavi.org is in the process of development of four sub organizations namely the Digital Society Foundation, Naavi.net, International Cyber Law Research Center and Cyber Crime Complaints and Resolution Assistance Center. Digital Society Foundation is a Trust formed with the objective of representing the voice of Netizens in various fora and work like an NGO to protect their interests. Naavi.net is meant to develop a collaborative distributed network of LPO consultants. International Cyber Law Research Center would support research in Cyber Laws and Cyber Crime Complaints and Resolution Assistance Center would try to provide some support to victims of Cyber Crimes.
Together, Naavi.org represents a "Cyber Law Vision" that goes beyond being a mere portal. Started in 1997, when the concept of Cyber Law was new across the globe, consistent efforts over the last decade have brought Naavi.org to the beginning of "Phase 2" in which the services are ready to reach out to a larger section. This is recognized as the phase of collaborations and growth by association. Naavi.org will therefore be entering into a series of associations to develop each dimension of its vision with an appropriate partner. Individuals, Organizations and Commercial houses which have a synergistic relationship with the activities of Naavi.org are welcome to join hands in commercial and non-commercial projects of Naavi.org.
If you would like to know more about Naavi, the information is available here.