Death of QR Code!
Dec 31: In recent days QR Code had emerged as
a convenient tool on mobile devices for transfer of information from a
printed code picture to data on the mobile. Unfortunately the QR code
seems to be heading for a premature death since hackers have found it as
an easy tool to spread malware. It may no longer be wise to use the QR
Code scanner on the phone to scan any Code. Naavi.org will also remove
the QR Code in its contact form to avoid any problems arising in future.
HIPAA Audit is a Business Threat!
Dec 26: The results of a recent survey in USA
about patient data breach has come out with interesting results.
Firstly, 96% of the respondents reported some data breach within the
last two years which is an alarming situation. 41% resulted from
employee negligence. About 43% of the breaches were identified during an
audit making it a dreaded business risk for most organizations.
One More ITA 2008 Case against Face Book
Dec 25: An FIR has been registered against
Face Book under Section 66A of ITA 2008 for defaming Hindu Gods and
asking for burning of Bhagvadgita in Gomti Nagar, Lucknow.
Cyber Law to enter BBM Curriculum
Dec 25: The forum of business Management Teachers
in a workshop at Mangalore decided to make Cyber Law a part of the
curriculum for BBM. The addition of Cyber Laws into Management
curriculum was long overdue since any business presently is inseparable
from E Business.
Blocking of Websites by Reliance
Dec 24: It has been reported that Reliance has
blocked a host of websites providing file hosting services on the
pretext of possible copyright infringement of Don 2 movie released this
week. Though a Court order is cited, it is unclear whether the
implementation is as per the order and whether there was a reasonable
ground for such blocking. It is unfortunate that ISPs are irresponsibly
resorting to website blocking. It is necessary for them to realize that
if their action is found to be not backed by an appropriate Court order,
they will be liable for punishment for wrongful interception.
Social Networking Sites.. questioned by Delhi
Dec24: 21 executives of different Social
Networking sites were summoned by Delhi High Court in connection with a
complaint filed by a journalist Mr Vinay Rai. Mr Rai is the editor of a
Urdu daily Akbari. It is alleged that the You Tube, Face Book and Google
amongst others have hosted content which is objectionable from obscenity
and religious view point and accordingly they have been asked to remove
the content before February 6, 2012.
Where is Internet Banking safety in India heading?
Recently, a security specialist in Bangalore released
a video in which he demonstrated how the Internet Banking System of
ICICI Bank was vulnerable to a virus attack....The revelation of the
security vulnerability in the system of ICICI Bank is also to be
considered as a notice to not only to ICICI Bank but also all other
Banks which may have similar problems....More
Naavi gets the ID "Naavi" on Face Book
Dec 22: Over the last few months, I was
corresponding with Face Book for release of the short ID "Naavi" which
had been registered by some other user. Once the name was released but
before it could be re-booked by me, it was booked once again by another
person. Finally the name has been released by the second person and
after a waiting period it became available again to me and it has been
http://www.facebook.com/naavi points to my Face Book account. This was
made possible because the current user agreed with my request and
voluntarily changed his ID from "naavi".
However the fact remains that "Naavi" was a
registered trademark and as per the terms and conditions of Face Book,
it was the responsibility of Face Book management to ensure that the ID
was withdrawn from the earlier person who had registered and handed over
to me when I demanded. Face Book failed in discharging this
In the recent controversy between Face Book and Mr
Kapil Sibal, Face Book had publicly stated that if any user is violating
the terms of agreement, they would take action to correct it. However it
may be taken on record that in this case involving the claim on the
short ID of "naavi", Face Book failed to keep up to their words.
Their commitment given to Mr Kapil Sibal therefore is not truthful.
ICICI Bank Picks a fight with a Security
Dec 21: ICICI Bank is touchy when some body
questions the security in its E Banking systems. Recently a Security
professional Mr K.S.Yash, from Bangalore had
highlighted a vulnerability that existed in the ICICI Bank Internet
Banking system by posting a video of a demo. The demo showed how a
user of ICICI Bank system may place a fund transfer order for a certain
amount through the Bank's Internet Banking website and end up executing
a fund transfer of a different amount to a different beneficiary. The
demo involved a video of a live session and clearly demonstrated the
existence of the vulnerability. Instead of taking steps to rectify the
security loophole, ICICI Bank appears to have sent a notice to the
security consultant threatening legal action.
ICICI Bank claims that the video contains false
information meaning that the vulnerability does not exist. However, the
undersigned has also seen the demo live and the fact that the
vulnerability exists cannot be untrue. What should be done by the Bank
is important. Bank should thank the consultant for having brought the
security weakness to the notice of the Bank before real hackers get into
the Act using the same or different methodology. The consultant has not
given any source code for the exploitation of the vulnerability and
therefore it is difficult to understand why the Bank should object to
what is essentially a security alert.
It would be interesting if ICICI Bank challenges a
public debate on the security vulnerability shown by the consultant
rather than throwing up threats of legal action.
Mobile Dealers Targetted by Hackers.. Are the MSP
s at fault?
Dec 20: In a TV program on mobile hacking in
Suvarna News yesterday, it was revealed that a mobile dealer in
Channapatna (a town about 60 kms from Bangalore) had suffered a loss of
Rs 15000/- through mobile hacking. The dealer had several demo mobiles
given by service providers which had a specific application to store
re-charge stock. He received a call stating that he will be getting a
bonus recharge from the service provider and it will reflect in his
account after he keeps his mobile switched off for about 5 minutes.
When the dealer switched on the mobile again, he saw that instead of
additional amount in his account, the available amount had also bee
drawn out in the form of recharges to different mobiles at different
places. According to the dealer 12-15 such cases have been reported in
Channapatna itself over the last 6 months indicating the extent of such
frauds across the country. The beneficiaries of this fraud are
indirectly the mobile companies themselves since whether the amount was
used by a fraudster or any body else, they have got their value. This
also gives room to speculate that the mobile companies may be hand in
glove with the fraudsters in such frauds to improve their turnover. Link
to Suvarna News Program broadcast (in Kannada) on 19th December 2011 :
Part 1 Part 2.
How Much have Indian Banks lost due to Phishing?
Dec 20: It is always a tough task to get
information about losses on account of Frauds in Banks. By tradition,
Banks are permitted to hide the actual details of the losses on account
of "Bad Debts" by making a "Provision" and reporting "Debts less
provisions" in the balance sheet. However no such protection exists in
respect of "Losses on account of Crimes in Banks". However, Indian Banks
have no proper system of reporting such losses in their Balance sheets.
According to RSA, the estimate of Phishing losses in India in 2011 is to
the extent of US Dollars 27.8 million (approximately Rs 140 crores). (See
report) However earlier estimates by other agencies are of the order
of at least Rs 1200 crores. Hence there appears to be a gross under
estimation of the losses.
In a recent speech to the Chartered
Accountants, Dr Subbarao, Governor of RBI also pointed out that the
reported financial statements of Banks were not truthful. (Copy
of speech). It is high time the Chartered Accountants Association of
India reviews the current Bank audit system and ensures that "Estimated
Losses on Frauds" are not suppressed under "Provisions".
More detais of the report from RSA is available here. :
Copy of RSA Online Fraud Report
Ten Commandments of Banking
Dec 20: Dr K.C.Chakravarthy, Deputy Governor,
RBI, has reminded Bankers that "Thou shalt manage the people with
empathy". In a commendable sppech delivered at the Manipal Academy,
Bangalore, he has reminded Bankers that an "essential
characteristic of Banks is that they are highly leveraged and, hence,
special and need to be regulated for protecting the interest of
depositors." Of late Bankers have become so commercialized in their
approach that they are even ignoring the regulatory role of RBI. The
"Ten Commandments" that Dr Chakravarthy has lead out should be an
eye-opener to the current day Bankers who are more IT operators than
bankers. The complete speech is worth putting into text books on Banking
Courts to use Website to communicate orders
Dec 19: In a confidential report submitted by
NIC to Mumbai High Court, it has been suggested that the High Court may
use digitally signed e-mails for communicating its orders to the lower
court. However it has been stated that since this may take some time,
High Court may in the meantime upload their orders to its website
to be picked up by the other Courts....
Report in HT
2012 security threat predictions for Mobiles
Dec19: "Mobile pick pocketing" is on the
increase and is estimated to have cost Rs 5 crores in 2011 from Android
users. In 2012, there could be an increase in bluetooth viruses,
application based malwares, spread of viruses through text and MMS
messages which could try to steal money from your account. It could make
free calls billed to your number, steal data, send out spam messages,
premium SMS messages, download paid games etc. Since "mobile" is an
always on device it has the potential to be used as a botnet component.
These threats along with the threat of SIM card cloning has to be
considered by users of Mobiles and in particular users of smart phones.
In particular users should be circumspect of applications and games
downloaded from un-trusted sources. Like in the computers, it is too
risky to own a smart phone without a good anti virus application from a
Banks seek dilution of Damodaran Committee Report
Dec 19: M.Damodaran Committee on Customer
Services gave its recommendations on Customer Service in Banks on 3rd
August 2011. The report contained several important customer
oriented suggestions. However RBI is yet to finalize its view on the
report. It is however learnt that some Banks are lobbying with RBI for a
massive dilution of the recommendations so that Banks can escape
liability arising out of their negligence. In the interest of the
customers, we hope RBI will resist this industry pressure.
Related Report2 :
Cyber Crimes on the rise..but
Dec 19: An article in livemint on current
status of Cyber Crime statistics in India.
US Legalizes Cyber War
Dec 18: US has taken an important step to pass
a law to legalize Cyber war operations by which an offensive attack from
US on Cyber Space of other sovereign countries may now be legit in US.
The new law stipulates that U.S. military is now authorized to
make war via the Internet and all the rules that apply to conventional
war, also apply to Cyber War. This development also underscores the need
for more indigenization of Software and Hardware IT supplies to India
since we cannot trust either China or US both of whom may supply
software/hardware which is deliberately embedded with backdoors...Related
Internet Censorship through backdoor?
Dec 18: According to Privacy legislation
observers in India, the amendments to Copyright Act presently pending
before the Parliament could be used as an instrument of backdoor
censorship. The concept of "Self Regulation" that the Government
proposes is considered as a facade to cover the imposition of
Government's intentions to regulate the content of the Internet to
protect the Government against public criticism.:
DIT Guidelines on Social Media
Dec 17: In continuation of the earlier post on
this subject, a perusal of the draft guidelines issued by
the Government on the use of Social media by Government departments
indicate the following two paragraphs.
"Since profiles on social network are linked more
often to individuals and not organizations, for organization's
site/page, a separate work profile may be created which can then be
linked to a general e-mail address that is accessible to anyone in the
team, enabling them to administer the social networks without
compromising on individual privacy."
"Each new account requires a URL, user name and/or email address and a
password. A proper record of log in ids and password must be maintained.
This is critical as multiple people may be authorised to post on behalf
of the department".
I think the report in ET is an interpretation of the above two
This apart, the idea of Government departments using Face Book etc in the
manner suggested is not a desirable proposition and the issue of the
draft guideline will be regretted at some point of time in the future. ..Copy
of the draft guideline
Password Sharing to be legalized by Indian
Dec16: A report in Economic Times today
suggests that the Government of India is thinking of a code by which
Government employees would use Facebook. One interesting aspect of this
code is reported to be that "the password of the account would be known
to others in the department". It is difficult to understand what the
Government is upto. If "passwords" are officially meant to be "shared",
the sanctity of the access system based on passwords would be officially
Report in ET
Bring Your Own Devices Opens up Security Concerns
Dec 16: A survey conducted by ISACA on the
concept of Bring Your Own Devices (BYOD) has highlighted the the new
threat perceptions arising out of the employee ownership of the devices.
There is no doubt that certain sections of the industry favour the idea
of employee's bringing their own access devices to their place of work.
This may be both economical and convenient. However security is built
neither on convenience nor economy though they do affect the final
outcome of security implementation. If the concept is to be given any
consideration the data security and access authentication systems as
well as the real time security monitoring systems need to undergo a
substantial modification. Rushing the concept of BYOD at the current
stage is likely to result in a huge legal risk for all organizations.
Seven Most Significant Hacks of 2011
Dec 16: Here is a compilation of seven most
significant hacking events worldwide compiled by a security observer.
First Adjudication Application filed in Kolkata
Dec 15: First adjudication application under
ITA 2008 has been filed in West Bengal. The application has been filed
by Mr R Gopi in respect of a loss of Rs 339,000/- suffered by a customer
of State Bank of India through unauthorized access to his Internet
Banking account. This was a typical case where the RBI's OTP system had
failed since the fraudster had simultaneously disabled the original SIM
card of the customer, got a duplicate SIM card with false documents and
used it for completing the fraud. The Mobile service provider involved
was Vodafone. The adjudication application notes SBI and Vodafone as
respondents along with the executives of both SBI and Vodafone.
IP address Details from Gmail
Dec 10: Often an account holder of a gmail
requires to know the IP address from which his account is accessed. This
requirement is more and is of critical need when gmail services are
being used for business and multiple access accounts are created.
Presently gmail provides information about last 10 transactions as a
security routine. However if information is required beyond the last 10
transactions, the position is unclear. There is a wrong interpretation
that such requirement can be met with only a Court order. But this is
legally untenable. It is the right of every data owner to request for
and be provided information about himself from the data processor
without need for court intervention. Court order is required only of a
person wants information about some body else. This is of course a matter
Google may be interested in restricting the rights to some extent. But
it is high time Google clarifies and introduces appropriate measures to
disclose the account holder's information when required.
High Profile Cyber Crime Cases-2011
Dec8: Here is an interesting article on some
of the successful Cyber Crime investigations that occured during 2011.
Most Notorious Cyber Crooks of 2011 – And How They Got Caught
Aaadhar Project may be discontinued?
Dec 8: It is reported that the Parliamentary
committee has rejected the UID Bill and consequently the aadhar project
in its present form may have to be kept in abeyance until a new Bill is
drafted and passed. ..Related
Now I understand why CAT Chairman has not been
Dec 08: The post of the chairman of Cyber
Appellate Tribunal is remaining vacant for last six months. Despite
repeated reminders at several levels no action has been taken by DIT.
Now that we know that the ministry has to scan the Internet for
"political criticism" and identify content indulging in criticism of
Government or the Congress leaders, they donot have time for anything
else. It is to be noted that during the first half of 2011, only one
content has been found objectionable on Google on grounds of "National
Security" while 255 items have been found objectionable for political
Government Criticism muzzled
Dec08: According to this report in Hindu,
during the first half of 2011, Indian Government sought to remove 255
items classified as "Government Criticism" from Google content.
Additionally 39 items were sought to be removed on grounds of
defamation, 20 due to privacy and security concerns, 14 due to
impersonation, three pornographic items and one due to national security
reasons. This shows that the Government machinery in DIT is is working
only to serve the political masters and not to serve people.
The report also says that Google refused to remove
the content related to Government criticism and the news now is that the
Income Tax department is making some demands on Google. It is not clear
if the two are related. But knowing how this UPA Government is
targetting Anna Hazare group, a link between the two incidents cannot be
CNet Download.com bundles adware
Dec08: Security observers always say that
"Nothing comes free on Internet" and warn users of "Free Downloads"
with attached trojans. Normally people expect that reputed download
sites donot resort to such unethical practices of bundling
adware/spyware/malware with genuine free installations. It has now been
exposed that CNet which runs download.com instals several adware
programs with its free installations.
Apology from CNET
Mr Kapil Sibal should think of taking action on such
misuse of public trust by intermediaries rather than think of using
Internet censorship to curb Anna Hazare or to muzzle political
Social Media Censorship in India
Dec 6: In a surprising announcement,
Union Minister of IT who has not found time for last 6 months to appoint
a chairperson for CAT found time to criticize social media and ask them
to set up a human pre publication scrutiny of content. The suggestion is
highly impractical besides being undesirable and unnecessary. There is
already a law to deal with objectionable content and the current attempt
is either to be treated as an attempt to bring a new censorship law or
to act ultra vires the law. It is speculated that the announcement was
triggered by some criticism of the Congress leaders on the Face Book or
more probably a preparation for the prevention of the use of Social
Media for the next stage of Anna Hazare Campaign. As usual this
could be another mistake which the Congress may regret.
Related Article :
Assocham Opposes proposal
How weak Internet Banking systems pose a threat to
Dec 3: Internet Banking has been a nightmare
for innocent customers who constantly live in the fear of Phishing
frauds. Though RBI has brought several regulations in favour of the
customers, intransigent bankers continue to place customers at risk.
Though law is in favour of customers being compensated by Banks in such
cases and Naavi himself is in the forefront of some of these
fights, the delay and cost in pursuing litigation continues to be a
cause of worry. With GOI being completely oblivious to the need of
appointing the presiding officer to CAT in place of the previous
incumbent who retired, vicitms have been made to wait endlessly while
the Banks are enjoying the funds of the customers.
In such a scnario here is a video of how a "Man
in the Middle Attack " can divert banking transactions to fraudsters. It
is high time Bankers and RBI take note of these technical risks and
ensure that adequate security is provided to customers.
See the Youtube Video here
EHR Incentive deadline under HIPAA-HITECH
Dec2: In an effort to make it easier for
Health Care Providers to qualify for maximum payments under HITECH Act,
the deadline for Stage 2 compliance has been extended from 2013 to 2014
for those who attest by February 2012 that they qualified for Stage 1 by
adopting EHRs this year. The change in the deadline is meant to remove
the disincentive for providers to adopt and use health IT right away.
USA conducting survey for ascertaining
China Cyber Risk
Dec 1: US Government conducted a survey of
telecom companies and software companies to identify presence of foreign
hardware and software and to ensure that there are no malicious
installations to spy on US assets. In the survey , the U.S. Commerce
Department asked for a detailed accounting of foreign-made hardware and
software on the companies' networks. It also asked about
security-related incidents such as the discovery of "unauthorized
electronic hardware" or suspicious equipment that can duplicate or
redirect data The survey required companies to provide a detailed
outline of who made equipment including optical-transmission components,
transceivers and base-station controllers. Companies that refused to
respond could face criminal penalties under the Defense Production Act,
a 1950 law allowing the government to manage the wartime economy,
according to the survey. It is time India also does a similar survey...