National Seminar on Privacy and Data Protection in Bangalore on October 17, 2008

Webcam Snooping .. Watch Out when you are in front of your Computer

Sept 24: Computer security specialists are warning about trojans which can activate your webcam and snoop on you and your surroundings.  "Cover your webcams and unplug your microphones" say the security specialists and caution that something as simple as a failure to update Adobe Acrobat reader and then clicking on the wrong PDF file could put your PC at risk, and the real concern is the increase in 'zero day exploits' – unpublicised or previously unknown exploits that allow hackers to seize control of computers. Detailed Article in techradar.com

Open Source for HIPAA Compliance

Sept 24: Security advisors all over the world are advocating use of Open Source software as a security initiative. The reason is that the proprietary software where the source code is not transparent is considered a "security risk". Though a "Source Code Audit" from a reliable agency can to some extent mitigate the risk, the source code also  needs to be escrowed if the dependency on the supplier is to be eliminated. In the unfortunate event of the supplier ceasing to exist after a while the software user is left to hold an application which may be unsupported and turn obsolete rendering the data at risk of being un accessible.

On September 15th, the Health e-Information Technology Act 2008 which if enacted, requires a creation of an Open Source health System. Such an open source system appears to be already available under the name VistA a health care information management application available free! (The name appears to have been taken prior to Microsoft launching its own Vista). HIPAA covered entities as well as Business Associates in India may well start testing this new platform and be ready to migrate before a legal compliance deadline. Related Article in linuxjournal

BJP to Interact with IT Professionals

Sept 23: BJP is conducting its Third National IT Convention in Chennai between September 27th and 29th 2008. It is interesting to note that the party has invited several IT professionals including Naavi to discuss various issues on IT policy during the convention. The convention is expected to be attended by party members, legislators and students. The initiative to make legislators aware of the issues in IT including Cyber Crimes etc is a welcome step for any responsible political party. Hope other parties are also equally tech information hungry. Progamme : Post Event: Photograph 1 : Photograph 2 More Photographs

 

E-Mail Snooping Required for National Security

Sept 22: R K Raghavan the former CBI Director and information security consultant suggests a proper mechanism to police the E-Mail exchanges to gather intelligence on terrorist activities. This is part of the National Cyber Security Infrastructure that Naavi.org has been advocating. Sooner action is taken on the same, better it is. In order to follow the terrorist strategy of exchanging confidential messages through "Draft Folder" there is need for cooperation from ISPs and E-Mail service providers. Similarly there is need for cracking Steganography also to make the policing effective. Not withstanding the difficulties, a beginning has to be made if we need to rid the country of terrorism. Related article in business line

Why Intermediaries should not be Protected under ITA-2000 Amendment Bill

Sept 21: One of the consistent stand Naavi.org has been taken over the last 3 years since the amendment to ITA 2000 has been in discussion is that ITA 2000 should not be diluted to make Intermediaries escape the responsibilities cast on them by the current version of ITA 2000 under "Due Diligence". This is also the point which the framers of the amendment are also consistently supporting. Their attempt is to amend Section 79 to state that "Intermediaries shall not be liable under any law in India unless abetment and conspiracy is proved against the Intermediary". Though the discussion was in relation to whether baazee.com should be made liable in the DPS case or not, we have been pointing out that the proposed amendment  would seriously jeopardize the interests of law enforcement particularly in preventing the misuse of Internet by terrorists.

A clear evidence of such a possibility is now highlighted in the analysis presented in this article (at offstumped.nationalinterest.in) where the role of a hosting company called "Dreamhost" has been indicated in the recent bomb blasts in India. According to the analysis presented, Indian Mujahiddeen has a nexus with countercurrents.org and the said hosting company. Under the current ITA 2000, it is possible to make the hosting company and countercurrents.org answerable either under ITA 2000 or IPC. But if the proposed amendments are carried through, the company would remain out of bound.

When the proposed amendments are presented in the next Parliament session, we suppose our Parliamentarians would remember the need to put reigns on the Intermediaries.

Related Article in Naavi.org: If Suggested Amendments to ITA-2000 are accepted..Orkut would feel better!

Full Discussion on the Proposed Amendments: http://www.naavi.org/naavi_comments_itaa/index.htm

Are the Mobile Service Providers Ready for the Challenge?

Sept 21:  RBI guidelines on mobile banking has opened a new avenue of business for mobile service providers. By upgrading their service offers, a new source of e-commerce revenue can be reaped in by the mobile service providers to offset the falling revenue on the voice call side.

In order to fully exploit the opportunities presented by the Mobile Banking opportunities, the service providers need to also introduce  appropriate process and information security for their operations.

Are the Mobile Service Providers Ready for the Challenge?.. More

Mobile Banking Guidelines Released

Sept: 21 RBI has released new Mobile Banking guidelines for Banks. The guidelines restrict the transaction value to RS 2500/- per transaction and RS 5000/- per day. Other information security guidelines have also been imposed. The security requirements are such that Banks would require some time before they can think of launching the services in full compliance of the guidelines. We have to wait and see if Banks go ahead and introduce Cyber Law non compliant systems as they have done in Internet Banking guidelines or wait for full compliance capability before rushing in. Copy of Guidelines

Need for Private Sector Participation in Cyber Security

Sept 20: Naavi had in his recommendation on "National Cyber Security Force" during the Digital Society Day 2007 highlighted the need for private sector participation in national Cyber Security initiatives. A similar view has now been expressed in US as indicated by this article in itbusiness. It is recognized that in developing an effective national cyber security policy, U.S. intelligence agencies find it difficult to share information about foreign cyber attacks against companies lest intelligence-gathering sources and methods be compromised.  At the same time,  companies can’t share information with government without a court order, lest they compromise customer privacy. Experts are deliberating on how to ensure the cooperation between the private sector IS professionals and the public sector law enforcement agencies. The future of Cyber Security lies in how we crack this puzzle. Article in Washington Post

HIPAA to be Hardened?

Sept 17: A Bill proposed in US called Health-e Information Technology Act of 2008, is expected to increase privacy protections for health information and require the Health and Human Services Department to make a low-cost, open-source, standards-compliant health IT system available to health care providers no later than mid-2012. The bill would stiffen enforcement and increase penalties for privacy breaches under the Health Insurance Portability and Accountability Act of 1996, and it would extend HIPAA privacy provisions to new health information organizations, such as e-prescribing gateways and regional health information exchanges.

The Bill will codify the Office of National Coordinator for Health Information Technology within the Department of Health and Human Services(HHS) and create a Health IT Advisory Committee.  In consultation with the Health IT Advisory Committee, the Office of National Coordinator would be charged with making recommendations to the Secretary of HHS for issuing standards in areas such as interoperability, privacy/security, and maximizing the clinical utility of Health IT.  Report in medicareupdate.com
 

IS Officials in Private Sector

Sept 17: A key question has arisen in relation to the appointment of Information Security officials in Private Sector Organizations such as Airlines. It is understood that Jet Airways had appointed a Singapore National as their Chief Security Official and the overwhelming opinion in a high-level security meet called by the Bureau of Civil Aviation Security (BCAS) last week- attended by representatives from the IB, RAW, home ministry, civil aviation ministry and airlines-unanimously decided that foreigners should not be allowed to hold top security posts in airlines. The reason is that the position is privy to sensitive security information sharing.

At a time when Indian private sector IS network is expected to work along with the Government's security efforts, there is a need for the IT industry to develop norms for the appointment of IS officials which may include a strict background check, Police clearance and restrictions such as the nationality of the individual etc. The credentials of the chief IS officer of an IT company could even be part of the IS guidelines. In case of MNCs, may be the guideline may restrict itself to appointments in India. 

Such measures may encourage Government to include private sector in any of the IS policy formulations. Otherwise there will be a Public Sector-Private Sector divide in information sharing and IS co-operation which may not be ideal.

WIFI Security Guidelines

Sept 17: Following a series of terrorist's use of open Wifi networks, it is reported that the Government of India is planning to draft guidelines for the ISPs to ensure security of the Wifi Networks. .... Article in Hindu

Naavi.org had earlier brought to the attention of the public a case of WiFi misuse in Bangalore where a BSNL client had complained that his connection was misused by some of his neighbors and he ran up a bill of RS 1.2 lakhs.

When this complaint was taken to the Police with a request that the case be registered as "Hacking" under ITA 2000, the then officials in charge of the Cyber Crime Police station Bangalore, in their own wisdom refused to accept that the "Unauthorized use of another person's WiFi account" could be considered as "Section 66 offence".  In this case the complainant who was himself a software professional had produced sufficient prima-facie evidence also to identify the suspect computers which appeared to belong to employees of prominent IT organizations.  However, the concerned officers forced the complainant to seek compromise with BSNL and suffer a financial loss.

We had at that time stated and we once again re-iterate that had a case been booked under Section 66 at that time, the awareness of the public to the needs for securing Wifi connections could have been created. It is necessary for the Police to re visit the unauthorised WiFi access process and prepare themselves to accept complaints at least in future. Such a complaint would have created a public awareness that could possibly have helped public to tighten up the WiFi security of their respective connections. The opportunity was missed.

The security of WiFi has to be managed by the users by setting an appropriate password. This requires proper guidelines from the ISP to the customers. Normally the BSNL staff while installing the facility use some standard passwords (eg 1234) or leave the password blank. Most users never touch this configuration. Hence it would be easy for hackers to hack into Wifi networks even without any sophisticated software to listen and decypher the WiFi activity. We need to first stop this possibility. Then we can consider other measures.

Related Article in TOI-Chennai : Related Article in IE

Metrics for Information Security

Sept 16: The Center for Internet Security plans to release a set of security metrics to help organizations gauge their security posture. The effort involved more than 80 IT security experts from government, academia and business. The metrics help organizations check on how effectively they have deployed security technologies and policies. The CIS metrics are meant to help organizations determine their security posture using a consensus-based measuring stick. In general, the initial set of outcome and process metrics include: mean time between security incidents, percent of systems patched to policy and percent of business applications that had a risk assessment.Other metrics will deal with the percent of systems with anti-virus, the percent of systems configured to approved standards, the mean time it takes to recover from security incidents and the percent of application code that has had either a security assessment, threat model analysis or code review prior to production deployment. Related Article in e-Week

HIPAA emerging as a defacto Privacy Standard

Sept13: HIPAA was enacted basically as a tool for protection of Privacy of health data in US. The act had certain penal provisions which are considered to be capable of being invoked by the regulators only. There has been so far a thinking that Private legal action for HIPAA violation is not in order. However, this view appears to be changing now. One the one hand, after years of soft implementation, HHS has started an aggressive enforcement during the current year. At the same time public are demanding that implementation has to be even more aggressive and are also invoking HIPAA for claiming damages for privacy breach. Related article in injuryboard.com Related Article in lorman.com

Hackers Target BigBang Experiment

Sept 12: Hackers have claimed they have broken into one of the computer networks of the Large Hadron Collider (LHC), the 4.4-billion-pound machine designed to expose secrets of cosmos, raising concerns about security of the world's biggest experiment which is referred to as the "Big Bang Experiment". A group calling itself the 'Greek Security Team'  said the hackers mocked the IT used on the project near Geneva and described the technicians handling security as "a bunch of school kids." However, they said they had no intention of disrupting the work of the atom smasher. The incident however exposes the risks faced by such experiments and the dangers if terrorist groups get access to such systems. Report in techherald

Rs 1 Crore lost in Chennai for Phishing

Sept 12: According to a report from Chennai, over Rs 1 crore is reported lost in recent days by Chennaiites due to Phishing Frauds. According to police, phishers have already built a syndicate in India, with their roots firmly grounded in the financial capital of the country, Mumbai. The Police have stated that they would be undertaking an information campaign alogn with Banks to inform Customers.

Naavi.org considers that Banks in India have been grossly negligent and knowingly practicing unsafe Internet Banking exposing the customers to the Phishing Risks. In one of the cases brought to light which is presently before the Adjudicator of Tamil Nadu, the fraudulently drawn money was credited to another account in the same Bank and withderawn in Cash. The Bank had also used part of the proceeds to adjsut an overdraft account in the name of the beneficiary. Though the beneficiary was a Current Account holder, the Bank expressed its inability to trace the customer indicating violation of the Anti Money Laundering Act. It also had a CCTV footage of the person withdrawing the cash which was not made available to the complainant. Additionally, despite RBI's instructions to Banks to use Digital Signatures for authenticated communication, Banks are avoiding use of Digital Signatures and communicating to customers through undigitally signed e-mails which can be easily spoofed.

Customers of Banks who fall victims to Phishing need to question the contributory negligence on the part of Banks and hold them liable for the loss. We may recall here that in a recent case in Germany the Court has rightly held the Bank liable for Phishing and such a strict stand needs to be taken even in India.

Article in TOI : Related German Court Decision

Anytime Police in Karnataka

Sept 11: Karnataka IG & DGP Sri R.Srikumar has ushered in a new era in Karnataka Police which should gladden the hearts of all those who wished Police will become more and more citizen friendly. Now it is possible for any person to call a toll free number and place register a complaint. It is also possible to send an e-mail and file a complaint without worrying about which Police Station has jurisdiction etc. The most important aspect is that normally public are afraid of approaching the Police because they feel that they themselves become victims if the accused is influential. Most of the time the complaint may also not get registered. Computerised Kiosks in villages are also being planned so that no person need to walk more than 2 kms for filing a compliant.

All information provided by visitors and reports lodged by other mediums or calls made through the toll free numbers would  be documented and automatically recorded in voice loggers and sorted in to Cognisable and Non Cognisable reports lodged with the Police for appropriate actions. After recording the calls, by whatever means received, well trained BPO operators, will pass on reports of an alleged cognisable offence to an appropriate police mobile unit (patrol cars like Hoysala etc). These should serve as the first responders and the police teams would verify the information received by visiting the home of the complainant and contacting him or her personally. 

 The new complaint filing system will prevent the SHOs exercising discretion and rejecting complaints against influential persons or where the complainant is not willing to put sufficient wait behind his complaint.

The Toll-free telephone number for filing petitions is :100 or 1-800-4250-100.

Outsourcing of Criminal Activities to India

Sept 11: India is known as the source of skilled IT manpower. This manpower is not only used for positive work in the IT field but also for "Outsourced Criminal Activities". These activities are in the form of development of Phishing Websites, Development of Pornographic Content etc. Recently, one more activity appears to have been added on to this Outsourced Criminal Activities. It is "Breaking of CAPTCHAs" supposed to be working at breaking of CAPTCHAs at a meagre rate of US $ 2 to $5 per thousand.

(CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". It's mostly used to prevent automated registration or activity where we would like humans to participate, but keep the excesses away. These are images containing some code letters or numbers which the users are asked to input to authenticate a transaction such as opening of an e-mail account. The jumbling of image is done in such a manner that the digits are not machine readable and only a human can read the same and input it in the filed).

Experts feel that there are countless number of franchises operated by several of India’s large data processing companies offering "Home based working opportunities". There are also software developers developing tools for making the work easy. The articles refered to here in contain more details. One such service provider is  the India based decaptcher.com,

It must be stated that all the persons working for such projects are actually committing an offence both under Indian laws as well as foreign laws. Companies engaged in such services could easily be hauled up both under ITA 2000 as well as IPC. ..More

Women techie Booked for Cyber Crime

Sept 11: Eight persons, including a female software engineer, have been booked in Orissa for cheating a non resident Indian (NRI) of Rs.1.3 million by making false promises mostly through e-mails. The complainant has alleged that during their friendship the girl urged him to pay for her father's heart surgery, her mother's treatment and also asked for money to start a new college in her village. She got funds from him regularly and assured him that she would return the money soon. In this manner, the complainant has paid  Rs 1.3 million  and he has now found that the girl who promised to marry him earlier has now  married someone else. His money has not been repaid. Article in economictimes

Parliamentary Committee Directs Banks to Take steps to tackle Cyber Crimes

Sept 11: The parliamentary standing committee on personnel, public grievances, law and justice on Wednesday asked public sector banks to devise a special monitoring system to check cyber crimes and strengthen the present vigilance system to curtail corruption. The committee observed that the present banking set up was not equipped to tackle cyber crimes, which are quite familiar at the international level. The committee was concerned about effects of cyber crimes on the Indian banking system.

These recommendations were revealed by the committee during its interaction with the top brass of Bank of India, Dena Bank, Central Bank of India, Bank of Baroda, Union Bank of India and Bank of Maharashtra. The committee at length discussed various other measures to contain corruption and strengthen vigilance mechanism to detect frauds. It is expected to prepare a report on these issues by November.

It may be recalled that Naavi.org has recently pointed out that Banks may be held liable for "Phishing" if they are negligent. RBI has many times indicated to Banks to use secure methods such as use of digital signatures for communication with customers which Banks are conveniently ignoring. Sooner or later the judiciary will come down heavily on Banks for this knowing omission of a security provision mandated in law. The statement  from the Parliamentary committee is another reminder to the Bankers.

Article in Financial Express

Company fined US $100,000 for not encrypting data

Sept 10: Seattle-based Providence Health & Services agreed to  pay $100,000 to settle what HHS described as "potential violations" of the Health Insurance Portability and Accountability Act's requirements arising out of loss of laptops and media devices containing unencrypted information. On several occasions in 2005 and 2006, equipment was reported missing after workers took it out of the office with them. Unencrypted medical records of more than 386,000 Providence patients were lost in the process. Under the agreed corrective action plan (CAP) Providence has to revamp its security policies to include physical protections for portable devices and for the off-site transport and storage of backup media.

The security action items that Providence Health & Services agreed to include revision  of policies and procedures for safeguarding patient data while it is stored at or being transported to off-site facilities, training  all workers on security policies and submit proof to HHS that the training has been completed, updating  policies as needed, but at least on an annual basis, ensuring  that a security risk assessment and management plan and a data breach notification policy are in place and conducting  reviews that include unannounced audits, spot checks and site visits at company facilities.

Details in computerworld.com

Open Source initiative adopted in e-Governance

Sept 8: In a significant development worth taking notice, the Government of India has taken steps to adopt Open Source in e-Governance applications. Bharat Operating Systems Solutions (BOSS) Linux Software Version 3.0 developed by NRCFOSS (National Resource Centre for Free/Open Source Software) through DIT initiative has been adopted by  DIT, New Delhi. The Centre for Development of Advanced Computing (C-DAC) has signed a Memorandum of Understanding (MOU) with National Informatics Center (NIC), on 04.09.2008, to implement BOSS Linux on e-Governance applications developed and maintained by NIC.

AP Police being Impersonated by Cyber Fraudsters

Sept 3: Recently press in India carried reports about a sting operation in USA where an Indian software worker  had been reportedly trapped by a private sting operator and charged for  trying to indulge in sexual inducement of a minor girl in a chat room. In India sting operations are normally undertaken by the Press and not by Police. Police do undertake intelligence operations trapping criminals such as terrorists but rarely they have been found to be active in Cyber Space.

However it appears that now there is a group of persons in Hyderabad posing themselves as Police officers conducting sting operations trying to trap persons indulging in sexually overloaded conversations on the Chat rooms. While Naavi.org has been recommending some action against serious offenders such as s_bhabhi.com owners and the Police have turned a deaf ear to the same, it was surprising to come across the incident from Hyderabad where one Mr Chandra supposedly from Cyber Department was threatening a software employer that he had indulged in obscene chat conversations and action will be taken against him. He has also indicated the name of a police officer by name Veena Devi of the Hayathnagar Police station as the Cyber Inspector in charge of the complaint and advised the person to meet her.

Naavi.org considers this as a fraudulent activity even if some lower level police officers are involved in the racket. We request the higher officers of AP Police to investigate the matter and prevent such harassment of the general public.

We had recently come across an incident in another city where a software professional had to part with a million rupees to get protect his minor son being charged of a Section 67 offence. Hopefully the Hyderabad incident does not reflect a similar attempt of some police officers trying to extract money from unsuspecting public who might or might not have really erred. Related Article in Techgoss.com Related Article in Deccan Chronicle-Bangalore-5/9/08

A New Kind of Fraud?

Sept 2: Recently, Naavi.org has received information about a new kind of fraud from Chennai. This fraud targets new IT companies which ae eagerly looking for software projects. This is a case of suspected fraud where a consultant has promised a Company about an overseas project, faked e-mail correspondence and enjoyed for himself and his group of friends nearly six months of salary and consultancy charges.

Naavi.org invites companies to report if they have faced similar instances. They are also advised to be on guard with such fake project vendors and ensure that they check the veracity of claims made by consultants particularly when the promised project is from abroad and it is difficult to establish its genuineness. ..Details

Hyderabad Police Charge a Techie under Section 66

Hyderabad police have filed a case under Section 66 of ITA 2000 on charges of having stolen a software of the company and trying to sell the same. Kunapareddy Sita Venkata Ravi Kumar alias Ravi, 33, who had worked as a software engineer for Tecra Systems, allegedly stole products and custom applications developed for various clients of Tecra Systems by copying them into his personal laptop.

On a complaint lodged by Krishna Prasad Gondi, managing director of Tecra Systems Private Limited, a case was registered (Crime number 194/2008) under sections 420, 406, 380 of IPC and sections 65, 66 of the IT Act on August 19. ..More in TOI

SC stays proceedings against eBay

August 26: The Supreme Court today (August 25) stayed the proceedings against auction portal eBay India and its chief Avinash Bajaj for allegedly permitting sale of an MMS clip showing two school students from a Delhi school indulging in a sexual act. A bench headed by Justice Altamas Kabir, while issuing notice to the Delhi government, stayed the proceedings under Sections 67 and 85 of the Information Technology Act, 2000.

The petitioner has contended  that Section 67 of the Act, does not define the term obscenity and thus liability cannot be fixed on him for merely listing of the 2.37-minute clip video clip even if it was obscene. “Even assuming that video clip is obscene, mere ‘listing’ cannot be obscene for the purpose of Section 67 of the Act merely because the video clip may be obscene,” he said while seeking quashing of all the proceedings against him. Report in apakistannews.com

Company Law to Amend ITA 2000?

August 26: It is reported that Company law is proposed to be amended to enable e-mail to be considered as an evidence. While the objective is good, it must be pointed out that there is no need for such amendment since the law already recognizes e-mail being an electronic document as evidence. There is also clarity on the fact that a digitally signed e-mail is admitted as evidence against the signer without any further proof while an undigitally signed e-mail may be admitted as evidence but needs to be proved as to data integrity and origination.

It is preferable if multiple legislations are not allowed to tamper with the law and whatever clarifications are required it should be attempted with ITA 2000 alone.

Report in ET