"This website is the Wikipedia of Indian Cyber Laws".. A Visitor's remark
Beware of Virus in LinkedIn Invites
Sept 29: According to security experts, fake LinkedIn invitations are being used to inject a password-stealing ZeuS Trojan into a target computer. Users should avoid clicking social networking site invites that arrive by e-mail and instead consider browsing to the social networking site and handling any invites there. Related Story
If Chennai Police Could do it in 2004, Why not others in 2010?
Sept 21: The article in TOI speaks about the lack of convictions in Mumbai and Bangalore in respect of Cyber Crime cases. It is definitely an issue that more than 600 cases are represented by these two Cyber Crime Police Stations and there is not a single conviction. It is worth examining the causes. Though the news report blames it on the lack of awareness of the Police, I feel that there is a lack of interest in pursuing the cases rather than a lack of awareness. The first conviction in India under ITA 2000 occurred way back in 2004 at Chennai (Suhas Katti case), at a time when forensic support was very much lower. Now the Police are much better prepared, and ITA 2008 is also available with a lot more clarity on some of the offences. If there is still a lack of convictions, one needs to understand that the Police are not pursuing the cases. Further, intermediaries such as Google and Yahoo have become more criminal-friendly and are hiding IP addresses on the basis of a misinterpreted privacy obligation. Hence even simple cases which the Police would have sorted out cannot be properly investigated. In a recent Phishing case, the Bank refused to part with the IP address for more than 6 months after the incident and also erased the CCTV footage containing the photograph of the fraudster. If the Police are to be effective, therefore, they need to force the intermediaries to be more cooperative. In the case referred to above, though the criminal complaint was against the Bank, the Police, out of respect to the Bank or otherwise, failed to register the FIR against the banking officials involved in the shielding of the fraudster. We also recall the Pune case where the ISP gave a wrong IP address to the Police and derailed the investigation. The Police need to get bolder and book some of the intermediaries.
Virtual Employment Exchange in TN
Sept 21: In 2001, Naavi.org had undertaken a campaign regarding a company called Sohonet India in Chennai which had allegedly defrauded several persons by luring them with home-based job offers. Later the concerned person was arrested and perhaps brought to face the consequences of law. At that time, I had suggested to the Government of Tamil Nadu, in an article titled "E Entrepreneurship Development Cell Required", that they should set up a system of Virtual Employment Exchange, and had requested the then Secretary in charge of labour to consider the project. I am now glad that after 9 years this suggestion has surfaced as a project of the TN Government in the form of a Virtual Employment Exchange. (Details available here).
There are a few more suggestions in my prescription which are not covered under the now introduced scheme, and I request the TN Government to take those steps too. Additionally, I urge other State Governments also to take similar steps in their e-Governance framework.
Implications of ITA 2008 for Bankers
Sept 17: The increasing incidence of Banking frauds in the digital Banking era is exposing Banks to the risks of direct and vicarious liabilities for different offences under ITA 2008. Since liabilities likely to arise on account of non-compliance with ITA 2008 will also result in failure of Corporate Governance and Basel II norms, there is a need for Chairmen and Independent Directors of banks to take immediate steps to ensure that liabilities do not attach to them personally. In order to increase the awareness of due diligence obligations that ITA 2008 imposes on Bankers, Cyber Law College has organized a one-day workshop at Bangalore on October 14th 2010. The program will be held at Windsor Manor, and speakers from regulators such as RBI, CAT, and CCA would be attending along with experts from Banks and industry.
Hackers on Hire from China
Sept 17: In keeping with China's status as the leading nation in Cyber Wars, it has now come to light that it is possible to hire a DDOS attack from Chinese hackers. This Forbes article explains how a disguised security site operates botnets to launch what they call "Pressure Tests" but which can actually be used for contracting DDOS attacks. Article in Forbes
More Phishing Frauds Being Reported
Sept 16: After a series of Phishing frauds that came to light in ICICI Bank and HDFC Bank, now there is an increasing number of Phishing Cases reported from Punjab National Bank. In one of these cases reported from Chennai, the victim is a senior citizen who had kept his post retirement funds in the Bank. In another instance in Delhi it was a senior manager of Dabur. In another case in Maharashtra, it was an SSI's current account which was defrauded. In all these cases, the Banks have not been taking appropriate action before and after the incident causing a serious dent in the public confidence in the Indian Banking system.
It appears that the RBI has completely neglected the security aspects of banking and is letting the Banks introduce technology without adequate safeguards. Naavi recently tried to obtain information from RBI about the number of Phishing cases being reported to RBI, only to find that the bank has no proper recording of frauds and Banks do not appear to be reporting such frauds to Banks. Banks are also openly flouting the laws and earlier RBI guidelines on the use of digital signatures, and instead of pulling up the Banks, RBI is still encouraging further enhancement of Banking risks with the introduction of insecure Mobile Banking. We hope that RBI would act at least now and restore the public confidence in Banking.
Goa Minister files a case against an unknown Facebook owner
Sept 09: Education minister Atanasio Monserrate in Goa has filed a case against an unknown person who has created a Facebook profile in his name. Police have registered an offence under Section 66A (c) for creating annoyance on the net and Section 66D for impersonation on the net under the Information Technology Act, 2008. TOI Report
Another Instance of Blocking Mistake by GOI
Sept 09: Several years back, the incident in which the entire Yahoo Groups site was blocked in order to block one single group had attracted attention to the wrong implementation of blocking. At that time the mistake appeared to be more with the ISPs, who wanted to teach a lesson to the Government. However, now another instance has come to notice where, citing a Court order, CERT-In has ordered blocking of an IP address instead of blocking a single website hosted on a shared basis on that IP address. It is necessary for all technical experts to assist the Courts, who may be less technically informed, and guide them properly in such cases. If it was clear from the order that the intention was to block one site, CERT-In should have understood that if it blocks the IP address, other innocent websites may also get blocked in the process, and requested the Court to modify its order. I am confident that any Judge would be glad to make amendments to his order and would not feel offended. On the other hand, the current action has put the Indian Judiciary in a bad light. Article in HT
Deloitte Survey of IS Practices in India
Sept 09: A recent Deloitte survey of IS practices in India indicates that 50% of the respondents admit at least one security breach during the last one year. This is an alarming rate, since the financial losses accruing from such incidents can run into several crores of rupees. It is interesting to note that 32% of the respondents feel that their IS officials are not competent enough and there is a need to build better awareness. Brief information on the report
Hindu Site Used for Nigerian Mail Spam
Sept 06: It has been reported by one of the security observers that a web form on the Hindu website has been hacked and used to send spam mails. A sample mail sent is given here.
As a consequence of this security lapse, the Hindu website may be blacklisted by company firewalls and ISPs, reducing its e-circulation: an example of how a security lapse may lead to commercial losses.
An Interesting Interview with a Hacker
Sept 06: Techgoss has carried an interesting interview of a hacker which gives an insight into what a responsible hacker thinks. The interview highlights how there are peace treaties even between the private Cyber War groups in India and Pakistan. Related Article : Pak Cyber Army is for Peace
Cyber Assassins on the prowl
Sept 06: Copyright is a deadly combination of commercial interest and law. It is therefore a natural progression of things that Piracy fighting should degenerate into acts of "Illegal Counter Attacks". It is reported that Bollywood is taking steps to hire Hackers to conduct counter attacks on sites alleged to carry Pirated material. Though the end objective is legal, the means are illegal and set a bad precedent. The Counter attack would be legal only if undertaken by a law enforcement agency empowered suitably for the purpose. While law-abiding cyber security specialists are debating whether this should be used in national defense or not, it is the height of arrogance that Bollywood should take the law into its own hands. This is recognized as a violation of Sections 69 and 69A, which provide powers only to designated officials for interception and blocking of electronic content, and invites imprisonment of up to 7 years. If this trend is not checked, it will soon become uncontrollable and introduce lawlessness in society. The executives of the two firms Aiplex Software and Prakash Nathan, who have made statements published in the article in dnaindia enclosed here, have admitted to commission of a cognizable crime and can be prosecuted on the basis of these statements alone. The industry needs to move with the law enforcement agencies and find a solution, however difficult it is, rather than adopting strong-arm methods which are illegal. Related Article : Also read this story
Loss of Laptops at NTRO
Sept 6: Security observers have expressed concern that data security at NTRO has been repeatedly compromised with the loss of laptops of top scientists. It is unfortunate that the data was in unencrypted form even though it was classified as top secret. Hopefully NTRO is at least wise after the event and is now using automatic encryption of data. Can NTRO clarify? Related Article
Does Sec 69 of ITA 2008 violate Supreme Court Rulings?
Sept 6: The issue of notices to Google under Sections 69/69A, close on the heels of notices to BlackBerry, has brought focus on the implications of these sections from the point of view of "Privacy". Naavi.org raised some of these issues when the amendments were passed and suggested that we need a "Netizen Rights Protection Agency" to safeguard the interests of the public against the misuse of the authority. However, very few people seemed to appreciate the need at that point of time. Now it appears that some people are observing the implications and commenting on the same. One such article can be found here: A lot more Black Berrys out there
Earlier Decisions of CAT
Sept 6: The Cyber Appellate Tribunal has been active for some time. Mr Apar Gupta has in this article provided the details of the cases so far referred to CAT. As one can observe, out of the cases presented, 6 of the 7 references were made to CAT without a corresponding Adjudication decision and hence had to be dismissed. The other case has also been referred back to the adjudicating officer for his decision, since the reference was only on jurisdictional matters. The Umashankar Vs ICICI Bank adjudication is therefore the first appeal to CAT which has gone through the prerequisites of a valid appeal and is now pending with the CAT. Article at aparguta.com
MP to set up special Cyber Crime Squad
Sept 6: MP Government has taken a unique decision to set up a special Cyber Crime Squad by recruiting 700 officers exclusively for handling Cyber Crime cases. This has been one of the long standing suggestions that Naavi has made and it is good that at least one State is thinking in this direction. Report
Certifiers for EHR selected
Sept 2: The department of health and human resources (HHS), USA, has selected two certifying organizations, namely The Certification Commission for Health Information Technology, Chicago, and the Drummond Group Inc., Austin, Texas, as EHR software certifiers. Under the HITECH Act, medicare and medicaid will provide incentives to the tune of around US $27 billion from next year to hospitals and physicians who make "meaningful use" of EHR (Electronic Health Record). Certification of the software used is essential for claiming the incentives. Indian software vendors who are into development of health care related software need to take note of this development. 45 approved test procedures have also been designed.