Danish Banks Asked to Compensate Customers for Hacking
Sept 30: Danish law requires the Banks to compensate their private customers for losses from hacking, under what amounts to a guarantee against hacking. The proposal is now sought to be extended to small businesses with fewer than 10 employees and a turnover of less than 15 million kroner (about Rs 14 crores). RBI should consider introducing a similar guarantee scheme in India. Additionally, the Industry should develop a Cyber Crime Insurance system so that the Banks can get themselves covered as they do for other frauds. Details
Theory of IS Motivation Clarified
Sept 29: The Theory of Security Pentagon recognizes a specific role for "Mandate", which applies both to an organization and to a State which wants a security culture in the community. "Mandate" helps people to "rationalize" why a seemingly inconvenient security prescription should still be adopted. It helps fight the natural tendency not to adopt controls, a tendency often fired by the "technology intoxication" of IT users. Without a "mandate", security adoption will be painfully slow and may never reach the level at which society can feel safe. ...More
When Sustainability is not planned in a PPP project
Sept 29: Uttara.in is a website which provided a lot of useful information on Uttarakhand Government activities. It appears that the site was maintained under a public-private partnership in which the Government funded the expenses of maintaining the website. An announcement on the website indicates that, due to the discontinuance of funding, the website is being closed from October 1st, 2009.
For a website which was very useful and had a good viewership to close down for lack of maintenance support indicates that an appropriate revenue model had not been built into the system when it was planned. Obviously the Government would have barred advertisements on the site, and the beneficiaries of the site have not been asked to pay service fees. While Government spends money to advertise tender information in print publications, most of the time it does not pay for similar information to be advertised on websites.
These are some of the reasons why such PPP projects do not become sustainable. Unless the Governments of the day understand the short, medium and long term funding requirements of such projects and plan their implementation accordingly, such projects are bound to collapse once the initial enthusiasm of the creators fades. If PPP has to succeed, there has to be a fundamental change in the thinking of Governments about how they can work in partnership without falling into a trap of corruption and without opposition political parties wrongly tainting the projects for their own political gains. A larger debate is required in this regard. More
Theory of IS Motivation Based on a Behavioural Science Approach
Sept 28: Information Security Practice has evolved over a period from a pure technical perspective to techno legal perspective. While the market is slowly absorbing this transformation, a new dimension of Information Security Management is calling for serious attention. That is the “Human Behavioural Aspects of Information Security Management”.
Now, for the first time in India, an attempt is being made to approach the Information Security implementation issue from a Human Behavioural Science perspective.
The experience which Naavi has gained through hundreds of interactions with corporate IS professionals has developed into the thought process represented here, putting forth a hypothesis on how Companies and Corporate employees get motivated to adopt Information Security in their day to day affairs. This understanding may help in strategizing IS policies in an enterprise. The thoughts are at a preliminary stage of development and will be refined and expanded in the days to come with inputs from like-minded persons. For the purpose of identification, this thought process will be referred to as the "Theory of IS Motivation" (TISM)..... More
UIDAI Chief Clarifies
Sept 24: Mr Nandan Nilekani recently (Sept 19) interacted with the members of Cyber Society of India, Bangalore Chapter, and clarified some aspects of the proposed UID system. Some of the issues he clarified are: all 10 fingerprints of a person would be obtained for the database, while a query to the database can be made on any single fingerprint; a query can be made even on the photograph, and the database would respond with a "yes" or "no" response.
Another important point clarified by him was that a UID would be issued to every "Resident" of India, whether an "Indian Citizen or Not". The database would be created voluntarily, with service providers pushing for the UID for delivering their services. UID will focus on the avoidance of duplication in the UID database. The reliability of data such as the address will however depend on the declaration by the subject, and provisions will be made for him to view the data using his biometric and advise corrections and updates if required. The UID of minors will be backed by the fingerprints of the parents.
There will however be a need for some legal issues to be sorted out (e.g., it should be the responsibility of the subject to inform update requirements on a periodical basis); hopefully these will be attended to in the coming days. Similarly, some security issues also need to be sorted out, and UID will be addressing these issues at the implementation stage.
Mr Nandan promised that the UID website will be available shortly with more information. Also See CIOL : Earlier articles of Naavi on UID are available here: Reasonable Security Practices for UID Project : Unique ID Project.. What should be Unique?
UK Center for IS in Advanced Research
Sept 24: Leading edge research would be the focus of the Center for Secure Information Technologies (CSIT) set up at Queen's University Belfast's Institute of Electronics, Communications and Information Technology. Core systems for the next generation of computers, high speed processors and hardware-based cryptography are some of the areas recognized as the research objectives of the Institute to meet anti Cyber Crime requirements in the coming days. Report
Recently EMC announced a research facility in Bangalore. Maybe more such institutions are required to meet the growing needs of Security Research in the Information Science sector.
While Industry players will be focussed on converting basic research into commercially exploitable solutions, more academic institutions are required to get into research so that fundamental research requirements can be taken up.
Should we hope that IISc, Bangalore thinks of setting up such a facility in Bangalore? Will Karnataka Government provide at least a notional funding for such projects?
Online Lottery Fraudsters Arrested in MP
Sept 24: MP Police have arrested two foreigners in connection with a Lottery Fraud in which the victim had lost Rs 4.76 lakhs. Report
B Tech student arrested for Phishing
Sept 23: A B Tech Student from Jhansi is reported to have been arrested for Phishing three customers of ICICI Bank in Bangalore. The incident indicates how a prompt action by the Bank in lodging a complaint and then cooperating with the investigation can lead to successful apprehension of Phishing fraudsters. Report
In a similar incident which occurred in Mumbai a few years back, ICICI Bank refused to file a complaint with the Police and helped a fraudster escape with Rs 6 lakhs of a customer's money. What was more interesting in this case was that out of the fraudulently transferred amount, ICICI Bank recovered an overdraft granted to the fraudster and refused to refund the amount to the victim even after it admitted the occurrence of the fraud. The recent incident indicates that negligence of the Bank in not filing a complaint should be held as complicity in the fraud and victim should be compensated by the Bank.
Why Software Developers Need IS Education
Sept 22: Naavi has been highlighting the need for Indian Engineering Education to upgrade itself with Information Security related courses as part of the undergraduate curriculum. The need for sensitizing our budding software programmers is brought out in this study on how hackers are breaking into Corporate networks, which indicates how programmers unwittingly leave scope for exploitation by malicious persons. According to the study, the greatest risk to corporate IT systems comes from hackers exploiting vulnerabilities in popular websites to plant and spread malicious code on a huge scale. Spear Phishing directed at Financial Managers to install Key Loggers is also on the increase. Article
Disloyal Employee Not a Hacker.. US COURT
Sept 22: In an interesting decision, a US appeals Court has taken the view that the Computer Abuse Act should not be applied in the case of an employee who had stolen data.
Invitation to Commit a Fraud!
Sept 21: A website, www.mumbai69.com, has been issuing an interesting advertisement through bulk SMS messages in Bangalore which states "Voice Changing ..mobiles available". The website contains more information on the mobile, which is priced at Rs 5750/-. The website also states what the use of this interesting device may be: "To Avoid-some critical situations. useful at many occasion". (Please see the extract from the website in the adjoining picture)
It is left to the imagination of the public what the occasions might be in which this device would be useful. Of course one would be genuine fun. But it appears to any person of ordinary prudence that, more than the genuine uses, this device has more illegal uses: impersonating another's voice, or at least hiding one's own voice, which cannot be for any justifiable reason.
The website is registered in the name of Privacyprotect.org (It is illegal to register a domain name under false name). Privacyprotect.org itself is registered by Directi Internet solutions Pvt ltd (Mumbai based domain name registrar) with a PO Box address of the registrant.
It is necessary for the Police to investigate and determine if this service is likely to be a tool in the hands of the terrorists and extortionists and if used by them whether the Intermediaries such as Directi are prepared to take the liabilities.
This is also a fit case for CERT-In to discuss if Directi has followed "Due Diligence" in the process of registration of this domain name which has the potential for being misused. We request Mumbai Police to investigate the ownership of the domain as well as the list of all persons who place orders with the company for the "Voice changing mobiles".
ITA 2008- DIT to consult Law Ministry on rules
Sept 20: It appears that the DIT has obtained industry feedback and prepared a draft of the rules under Sec 79 of ITA 2008 and is consulting the Law Ministry for a final notification. It is expected that the consultation process will take place by end of September and the notification is expected in October 2009. Related Article
Cloud Computing with MS Office applications
Sept 19: Microsoft appears to have decided to challenge Googledocs with its decision to make Office WebApps available through the browser. This is perhaps a significant development which may change the way individuals work with office applications. Simultaneously, there would be more demand for bandwidth, more complex privacy issues and more Cyber Crimes. Related Report
China Stealing Cyber Secrets
Sept 18: While Chinese incursions on the Indian physical borders are making news, it is also necessary for India to realize that China is said to be running a GhostNet project with the idea of infiltrating the systems of many governments all over the world. What is alarming is the warning of security experts that some of the malicious programs inserted by Chinese sources are capable of turning on the microphones and cameras of our computers to listen to or see us. Related Article
VOIP to be Temporarily Blocked in India
Sept 16: The Intelligence Bureau is reported to have advised the Communication Ministry that, until an appropriate tracking mechanism is introduced, VOIP needs to be blocked. It is a bold step in favour of a "security first strategy", as it has the potential for a big fuss being made by a segment of the community. Report in ET
Another Deadline Fixed for Banning Chinese Mobiles
Sept 16: After several earlier announcements which never materialized, the GOI has announced that mobile phones with fake IMEIs will be blocked by MSPs in India from Nov 30 2009 (Check your IMEI and its genuineness here). Report
It remains to be seen how serious the Government is in this respect, since this is not the first time deadlines have been set in this regard.
How to guard your trade secrets from departing employees
Sept 11: Here is an interesting write up on the steps to be taken by the Companies to prevent data thefts. article in dnaindia
Information Security Education during Engineering Education
Sept 7: Naavi has been pursuing with several Engineering institutions in Bangalore, such as RVCE, PESIT and IIITB, urging them to introduce courses in Techno Legal Information Security and Cyber Forensics at both the undergraduate and post graduate levels of Engineering education. Unfortunately the autonomous colleges, which are technically capable of taking a decision on the introduction of such courses, are still not able to appreciate the need for such a course and its utility in building a culture of Information Security at the base engineering education level. In the meantime it must be appreciated that Punjab University is reportedly introducing a "Post Graduate Course in Information Security" to commence from 2010. Our best wishes to Punjab University for their efforts. We may also recall that IIIT Allahabad has a Post Graduate course in Cyber Laws and Cyber Forensics. We need more such courses, particularly at the undergraduate level, at least as "Elective Subjects". We hope the Engineering Institutions in Bangalore take a lesson from their counterparts in Punjab. Report in TOI
Reasonable Security Practices for UID Project
Sept 5: The Unique ID (UID) project has been announced by the Government of India under the leadership of Mr Nandan Nilekani, and a body known as the UID Authority of India (UIDAI) has been formed. The UIDAI has already announced that a pilot project would be undertaken in Karnataka. Naavi had already published some suggestions about the UID project in which the security requirements had been briefly highlighted.
This note contains more detailed suggested security requirements that can be tested in the pilot project. These security requirements have been developed based on the Information Security Framework (IISF-309) formulated by Naavi under the ITA 2008 and published as a Draft for Debate.. Details
1 Million Members in Second life.. What does it mean?
Sept 4: The founder of secondlife.com, Philip Rosedale, has reported that though the secondlife.com membership has crossed 1 million, he is concerned about the increasing number of crimes in secondlife.com involving property thefts. There is an increasing demand by the second life inhabitants that there should be better "law and order" in the secondlife.com world. It is also reported that the Linden currency dropped under the threat of a malicious programme called "CopyBot", which could duplicate virtual property on second life, and recovered only after some security warnings from the administrators. See this report
All these may look like fancy stuff to be laughed away. I was just watching a TV programme on Crimes on the AXN channel which involved a story of extensive use of Second life and its avatars in planning and executing a real world political murder. Again, this was Internet fiction at its creative best. But what starts as "Fiction" is often the reality of the future. Hence we cannot rule out the possibility of today's fiction playing out in reality.
Cyber Sociologists therefore need to do extensive research on the second life world and try to understand the motivations of the inhabitants and its likely impact on the physical world. Why do 1 million people think it is necessary to keep a parallel virtual identity, spend dollars, acquire virtual properties, make virtual friends, have virtual transactions etc.? Is it all for "Fun"? Or "Are cyber psychopaths on the prowl"?.. must be material for several Ph. Ds... for those who are interested.
The developments also raise several Cyber Law issues including whether the scope of cyber laws should be extended to cover the offences in second life.com kind of virtual worlds. By definition of course the copying of virtual assets causing wrongful harm to some body may be a crime both under Cyber Crime laws and copyright laws. But to what extent the law enforcement can monitor this game space is a matter of concern. Alternatively, Second life.com should consider developing its own Police Station, Judiciary, formation of its own Cyber Laws and have an enforcement mechanism. This group can interact with the real world Police whenever needed.
Notification of ITA 2008 next month?
Sept 2: According to a statement by the union IT secretary, the amendments to ITA 2000 may be notified within a month. The Act was passed in Parliament in December 2008, Presidential assent was given on February 5, and still the date of effectiveness has not been notified. The history of the amendments indicates that there must be vested business and political interests working at delaying the process of notification and probably engineering a dilution of some of its provisions on security. Report in Rediff.com
The unreasonable delay in notification has already given room for speculation that there must be some arm twisting going on in the drafting of the rules so that "Intermediaries" are provided some freedom to "Do Business without Responsibility". In the meantime Police are already booking cases under the new provisions (Refer Case against Air India official reportedly booked under Section 66 C and 66D of ITA 2008), which when questioned in the Courts would look awkward. Many in India are now under the impression that "Cyber Terrorism" is covered under law. The department must realize that the delay in notification has been providing greater leeway to Cyber Terrorists.
The sooner the department completes the notification, the better it is for the Indian Digital Society. On the Digital Society day this year (17th October 2009), when ITA 2000 would have completed 9 years of existence, we hope ITA 2008 would be operative. If the notification is delayed beyond 17th October 2009, Naavi.org and Digital Society Foundation are contemplating starting a nationwide campaign against the delay and exploring the possible reasons therefor through RTI and other means. Related Report in Bloggers Newsnet.: Also see article on Techgoss
Judge Questions the Means of Collecting IP address details
Sept 2: In the 26/11 case, a Mumbai Court has questioned the Police about the means of collection of IP address particulars. In this case the police obtained some IP addresses from the FBI and, with reference to the website all-nettools.com, obtained the ISP particulars which pointed to Pakistan. The Judge has reportedly asked "Who authorized the Website to give geographical locations?". While the response of the Judge is understandable, it is necessary for the Courts to understand that the system of IP tracing is based on the ownership of the IP address as allocated by ICANN, and what websites such as all-nettools.com can do is to trace the owner ISP for the given IP address and indicate the location of the server allocating the IP address as the location of the person. It is like a long distance photograph of the location; a further resolution can be obtained only from the ISP. In the instant case, it is not clear if the Court felt that the Police can get the information from the Pakistani ISP and then proceed with the Case. Perhaps the Mumbai Police can clarify what exactly transpired in the Court for academic debate. Report in DNA
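How such a lookup resolves an address only to the holder of the IP block, and why the person behind it can be identified only with the ISP's own records, is shown by the following Python example. It is added here and is not code from the article or from any of the sites named in it. The table is constructed in the layout of the "delegated" statistics files the regional Internet registries publish (registry|cc|type|start|value|date|status), with a made-up registry name and RFC 5737 documentation ranges standing in for real allocations.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records. The layout follows the RIR "delegated" file
# format, where 'value' is the number of IPv4 addresses in the block.
# 'example-rir' is a placeholder registry; the ranges are documentation
# ranges (RFC 5737), so they belong to nobody.
SAMPLE_DELEGATIONS = """\
# registry|cc|type|start|value|date|status
example-rir|IN|ipv4|192.0.2.0|256|20090101|allocated
example-rir|PK|ipv4|198.51.100.0|128|20090101|allocated
example-rir|PK|ipv4|198.51.100.128|128|20090102|assigned
example-rir|US|ipv4|203.0.113.0|256|20090101|allocated
"""


@dataclass
class Delegation:
    registry: str
    country: str          # country of the registrant, not of any user
    network: ipaddress.IPv4Network
    status: str           # 'allocated' (to an ISP) or 'assigned' (to an end user)


def parse_delegations(text: str) -> List[Delegation]:
    """Turn delegated-format lines into CIDR blocks.

    A record may cover a non-power-of-two address count, so each record is
    expanded into the CIDR blocks that exactly cover start .. start+value-1.
    """
    table: List[Delegation] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7 or fields[2] != "ipv4":
            continue
        registry, cc, _, start, value, _, status = fields[:7]
        first = ipaddress.IPv4Address(start)
        last = first + int(value) - 1
        for net in ipaddress.summarize_address_range(first, last):
            table.append(Delegation(registry, cc, net, status))
    return table


def lookup(ip: str, table: List[Delegation]) -> Optional[Delegation]:
    """Return the most specific delegation covering ip, or None if unlisted."""
    addr = ipaddress.IPv4Address(ip)
    matches = [d for d in table if addr in d.network]
    if not matches:
        return None
    # Longest prefix wins: an 'assigned' /25 inside an 'allocated' /24.
    return max(matches, key=lambda d: d.network.prefixlen)


def describe(ip: str, table: List[Delegation]) -> str:
    """Plain-language result, stating what the registry data does not tell you."""
    d = lookup(ip, table)
    if d is None:
        return f"{ip}: no delegation record (reserved or unallocated space)"
    return (f"{ip}: in block {d.network}, {d.status} via {d.registry}, "
            f"registrant country {d.country}. This identifies the block holder, "
            f"not the subscriber; the holder's own logs are needed for that.")


if __name__ == "__main__":
    table = parse_delegations(SAMPLE_DELEGATIONS)
    for ip in ("198.51.100.200", "192.0.2.5", "10.0.0.1"):
        print(describe(ip, table))
```

The country code in the record is the registrant's, and the block may be routed or sub-assigned anywhere, which is why the result is only the "long distance photograph" the article describes and the ISP holding the block is the next step in the chain.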
Cyber Threats and Nuclear Threats are similar?
Sept 2: The Pentagon has set up a new Cyber Command unit under the U.S. Strategic Command to wage digital warfare, which is expected to go into operation in October 2009. This is the same command that controls the American nuclear deterrent and retaliatory forces of ICBMs, bombers and missile submarines. It is interesting to note that China's Second Artillery Corps, which is similarly responsible for Beijing's nuclear arsenal, is also the leading command for cyber warfare. Both powers see the connection, to use the USSC language, "to deter attacks on U.S. vital interests, to ensure freedom of action in space and cyberspace, to deliver integrated kinetic and non-kinetic effects to include nuclear and information operations in support of U.S. Joint Force commander operations." Or, to use a Chinese term, cyber operations, like nuclear strikes, are part of the concept of "unrestricted warfare."
There is still no news about India thinking of a Cyber Command. If we do not act immediately, we will subordinate the nation's security, particularly to China. Related Report
A Combination of Scareware and DNS poisoning
Sept 2: Trend Micro reports on a major Cyber Crime syndicate which is responsible for large-scale cyber jacking through DNS poisoning, followed by false alarms of detected viruses and fake anti virus solution offers leading to malicious infections. Report
Internet Payment Modes such as E Gold used by fraudsters
Sept 2: Five persons belonging to a branded Cyber Crime Group called the "Western Express Cyber Crime Group" have been prosecuted in Manhattan for allegedly stealing 95000 credit card records, leading to a US $ 4 million fraud. The fraudsters stole the information of American Citizens from across the world and used modes such as E-Gold to encash their fraudulent money. This underscores the need for a comprehensive fraud control watch which monitors e-commerce transactions that involve the substitution of cash with virtual assets.... Related Article
Foreign Mobile Phones to be subjected to Security Checks
Sept 2: India is reportedly setting up a system for checking imported mobile phones for integrity. This is a welcome move especially in view of the suspicion that China may be supplying mobile phones with backdoors for remote operation. This system must be extended to WiFi routers, Modems and even computers imported particularly from China... Report
Air India Director Faces Charges of Hacking
Sept 1: Lack of awareness of Cyber Laws often lands corporate executives in trouble. One such case has been reported from Mumbai, where an employee of Air India has accused a Director of having hacked into his Chat sessions, based on the explanation called for by the Director about some conversations which occurred in the Chat session. As per the allegations, there appears to have been unauthorized access to information residing inside a computer, which falls within the realm of Sec 66 of ITA 2000. The Director will have a tough time defending herself. Report in DNA
Strategy for tackling Cyber Crime
Sept 1: The Association of Chief Police Officers in the UK has published a strategy document outlining its approach to tackling Cyber Crimes. This could be a good reference document for the Indian Police as well. Copy of the document
PR Syndicate honours 'Cyber Law Guru of India', Na.Vijayashankar
PR Syndicate (an organization of Corporate PR Professionals in Chennai) celebrated its First Anniversary on 20th January 2007 at the Russian Cultural Centre. On the occasion, the "Award of Excellence in Public Life" was presented to 'Cyber Law Guru of India' Na.Vijayashankar...More
Naavi's latest book "Cyber Laws Demystified" was soft launched at the Nimhans Convention Center during the Indian Police Congress. The book is a comprehensive coverage of Cyber Laws, both ITA-2000 as well as IPR and other issues.
Structured into 24 chapters, it also covers the proposed amendments to ITA-2000 in detail as an appendix. A copy of the Information Technology Act 2000 is also appended to the book.
The book also has several individual chapters on the legal issues of Cyber Banking, Cyber Advertising, Cyber Taxation and Cyber Terrorism.
The book is priced at Rs 750/-.
For Enquiries and Bulk orders click here.
What is Naavi.org?
Naavi.org is India's premier portal on Cyber Law. It is not only an information portal containing information on several aspects concerning Information Technology Law in India but also represents the focal point of several services around Cyber Law carried on by Naavi.
The first such service is the Cyber Law College, a virtual Cyber Law education center in India which provides various courses on Cyber Law.
The second key service is the Cyber Evidence Archival center which provides a key service to help administration of justice in Cyber Crime cases.
The third key service is the domain name look-alikes dispute resolution service, which provides a unique solution for websites with similar looking domain names to coexist.
The fourth key service is the online mediation and arbitration service, another unique global service.
The fifth key service is the CyLawCom service which represents the Cyber Law Compliance related education, audit and implementation assistance service.
Additionally, Naavi.org is in the process of development of four sub organizations namely the Digital Society Foundation, Naavi.net, International Cyber Law Research Center and Cyber Crime Complaints and Resolution Assistance Center. Digital Society Foundation is a Trust formed with the objective of representing the voice of Netizens in various fora and work like an NGO to protect their interests. Naavi.net is meant to develop a collaborative distributed network of LPO consultants. International Cyber Law Research Center would support research in Cyber Laws and Cyber Crime Complaints and Resolution Assistance Center would try to provide some support to victims of Cyber Crimes.
Together, Naavi.org represents a "Cyber Law Vision" that goes beyond being a mere portal. Started in 1997, when the concept of Cyber Law was new across the globe, consistent efforts over the last decade have brought Naavi.org to the beginning of "Phase 2", in which the services are ready to reach out to a larger section. This is recognized as the phase of collaborations and growth by association. Naavi.org will therefore be entering into a series of associations to develop each dimension of its vision with an appropriate partner. Individuals, Organizations and Commercial houses which have a synergistic relationship with the activities of Naavi.org are welcome to join hands in commercial and non commercial projects of Naavi.org.