Header image alt text


Building a Responsible Cyber Society…Since 1998

Security Breach reported at Naavi.org Server end

Posted by Vijayashankar Na on May 30, 2013
Posted in Cyber LawITA 2008  | No Comments yet, please leave one

It has been reported that due to a security breach at the server end, three unauthorized URLs had been hosted under the domain of naavi.org for some time during the last week.

The URLs hosted/intended to host malicious codes.

There was no link to these URLs from any of the naavi.org pages. Hence none of the visitors to the site were affected by the links.

The URLs were reportedly meant for hosting a cloned Paypal page which was meant for phishing.

The URLs have since been removed.

The hosting of Naavi.org is on a shared hosting service provided by a prominent hosting provider with decades of experience in the field and we hope that the security breach would be effectively addressed at their end.

This is for public information and highlights the unavoidable risks in hosting arising out of vulnerabilities at the server end on which the clients have no control.


Cyber Criminals Rejoice in Karnataka

Posted by Vijayashankar Na on May 27, 2013
Posted in BankCyber CrimeITA 2008  | No Comments yet, please leave one

It is a black day in the State of Karnataka. For some time now, Cyber Criminals in Karnataka can rejoice that no case can be booked against them under ITA 2008 for hacking of a Bank or any Company systems.

The reason is that the Karnataka High Court has passed an order of huge ramifications under  an extremely narrow procedural view and quashed an order of the Adjudicator of Karnataka dated 26th April 2013. This was a justified corrective order passed by the State Adjudicator in an attempt to correct an earlier defective order to the effect that “No Company can be proceeded against nor no Company can invoke Section 43 of ITA 2000/8”.

Since Section 43 also defines Cyber Crimes under Section 66, what is not applicable in Section 43 is not applicable in Section 66 also. Hence the defective order had the unsavoury effect of nullifying a large part of ITA 2008.

If therefore tomorrow there is a hacking of Infosys or Wipro in Karnataka, the companies cannot invoke Section 66 of ITA 2008. Perhaps they have to invoke the law of “Tresspass” under IPC !

 The defective order on Section 43 about “Companies being outside the purview of Section 43” was first given on December 27, 2011 and it prevailed as a precedent until 26th April 2013 when on an intervention of the Karnataka Human Rights Commission, it had been cancelled by the present Adjudicator. Between the period Dec 27, 2011 to 26th April 2013, the Cyber Criminal friendly situation as described above was prevailing.

After 26th April 2013, a silver lining had appeared on the horizon that the office of adjudicator in Karnataka would come back alive.

The reason why the order of 26th April 2013 was quashed is stated to be because of a procedural omission to issue a notice to one of the petitioners who was the respondent in the adjudication complaint. Whatever be the reason, the effect remains the same.

This  order today from Karnataka High Court has given the defective order a seal of approval and a pall of gloom has descended on the Cyber Crime victims of Karnataka who are asking whether Karnataka High Court should have victimized these members of public for a simple procedural irregularity which could have been condoned in the interest of the public.

It appears that Karnataka has now slipped from Digital Age to an dark ancient age.

It is therefore a black day for Karnataka in the history of Cyber Crime justice.

Cyber Crime victims of Karnataka have to therefore wait until the procedural irregularity is corrected by the Adjudicator issuing a fresh notice to all the parties to the complaint that he intends cancelling the earlier order and invite objections if any, then consider the objections and come to a conclusion.

Until such time the dark days continue.


ನ್ಯಾಯದೇವತೆಯೇ ಕಣ್ಣು ಬಿಡಮ್ಮ ಎಂದು ನಾವೆಲ್ಲ ಪ್ರಾರ್ಥಿಸೋಣ

On 27th May 2013, an interesting writ petition is coming up before the Karnataka High Court (WP 21049/2013 at Court Hall No 9, #54).

This petition has been filed by Axis Bank Ltd against the Adjudicator of Karnataka as the first respondent and Gujarat Petrosynthese Ltd as the second respondent and a decision on the petition will have a huge impact on the Cyber Crime law in India.

On the face of it the case appears to be a simple “Preliminary Hearing” and the proceedings at the end of the day are unlikely to have any earthshaking consequences. But this perception may not be correct.

During the preliminary hearing the Court will consider admission of the petition and also take a view on the “Interim Stay” granted by the vacation judge on 16th May 2013.

The options before the Court appear to be one of the following.

a) Admit the petition, post it for a detailed hearing on another day and in the meantime continue the Interim Stay granted by the vacation judge.

b) Admit the petition, post it for a detailed hearing on another day but vacate the Interim Stay.

c) Based on the preliminary objections, dismiss the petition.

A normal observer of Court proceedings would say, “What is special about this? This is common for all similar writ petitions”. They may also say that “The most likely decision is the first one where an opportunity is given for detailed hearing and in the interim the status quo  may be continued. The status quo in this case means continuation of the interim stay.

In order to appreciate the impact of a decision on the above preliminary hearing on the Cyber Judiciary system in India, it is necessary to understand the background of the case and the meaning that can be ascribed to the above three possible decision outcomes

The decision outcome will interalia determine

a) Whether the Adjudicator of Karnataka can effectively discharge the duties cast on him under ITA 2000/8

b) Whether Individual Cyber Crime victims can file any adjudication complaint against any companies such as a Bank

c) Whether any Company can file any adjudication complaint or hacking or denial of service etc complaint against any other individual or a company.

As an example let us take the recent case in which some persons hacked into the systems of two BPOs in India (One of which is in Bangalore) and stole some information/modified some information unauthorizedly and caused a fraud of over Rs 250 crores. Some of these hackers have been arrested in New York. Had they been in Karnataka, the Company here which suffered hacking cannot file a complaint  sustainable under Section 66 of ITA 2000/8.

Another example is that if some body hacks into Infosys or Wipro, then Infosys or Wipro cannot file a Section 66 complaint with the Police or Section 43 complaint to the adjudicator.

If somebody hacks into an ATM in Bangalore by any means, the Bank cannot file a Section 66 (Hacking) Complaint against such a person.

To understand why such an adverse impact can arise we need to appreciate what a “Continuation of Interim Stay Means” as a legal precedent.

The background of the case is as follows:

In around June 2011, M/S Gujarat Petrosynthese Ltd, (GPL) a company having an account with Axis Bank, Marathhalli found that Rs 39 lakhs vanished from its account. On filing a complaint with the Bank as well as the Police it was found that the amount had been transferred to several other branches of Axis Bank, Indus Ind Bank, Standard Chartered Bank, ING Vysya Bank etc.  Bank gave the account details to the Police and Police are trying to identify the existence of such customers.

In the meantime, GPL filed a complaint under Section 43 to the Adjudicator of Karnataka alleging that Axis Bank and the other Banks who received the proceeds transferred from their account should compensate them for the loss.

Axis Bank objected to the filing of the complaint stating that the “Adjudicator does not have jurisdiction” to entertain the complaint under Section 43 of ITA 2000.

The reason stated by Axis Bank for the purpose was

1. Under Section 43, any “Person” can file a complaint against another “Person”.  Here the word “Person” means an “Individual”. GPL is not an individual. Also Axis Bank is not an individual. They are “Body Corporates”. Hence Section 43 is not applicable.

2.Recognizing the lacuna of Section 43 that it was not applicable for Companies, an amendment was brought to the Act to introduce Section 43A.

Despite objections from GPL, the then Adjudicating officer agreed with the contention of Axis Bank and issued a decision that the complaint cannot be entertained by him since Section 43 cannot be invoked by GPL since it is a corporoate entity. He confirmed his conviction on this view in another instance where the complainant was an individual but the respondent was ICICI Bank which was a corporate entity.

By these two decisions, the Adjudicator created a precedent that “Section 43 cannot be invoked by a Company and cannot be invoked against any Company”. This also applied to partnership firms and association of persons.

GPL submitted a request for review immediately within 2 days of the decision on 29th December 2011. The review was kept pending by the Adjudicator.

In the absence of a review of the said order of 27th December 2011, no cyber crime victim in Karnataka could approach the Adjudicator under Section 43. Since Section 43 is directly linked to the definition of offences under Section 66, if a Company cannot be considered as part of Section 43, it could not be part of Section 66 also. (Please see Section 43/and  Section 66 here). Under Section 61 of ITA 2000/8 the Adjudicator has the sole jurisdiction for any claim for damage upto Rs 5 crores. The Civil Judiciary therefore believes that any claim for damages arising due to contravention of any of the provisions of ITA 2000/8 is falling under the sole discretion of the Adjudicator and they would therefore refuse to entertain any complaints.

The situation was similar to the jurisdictional police station and the Cyber Crime police station bouncing a cyber crime complainant from one to another. There was therefore a void created in the Cyber Judicial System in the state of Karnataka.

Recently the Karnataka Human Rights Commission took suo-moto cognizance of the adverse effect of the lack of Cyber Judicial process in Karnataka and in the month of March 2013 issued a notice to the current IT Secretary of the State to set things right. The current IT Secretary who is holding the Adjudication responsibilities and having the review request in his files took a legal opinion of the State Law department and in accordance with such opinion cancelled the order of 27th December 2011 and started hearing the complaint once again on 15th May 2013. During the hearing Axis Bank sought time to file a reply and the hearing was adjourned for the next hearing on 31st May 2013.

On 16th May 2013, the vacation judge of the Karnataka High Court considered the writ petition challenging the order of the current adjudicator cancelling the earlier order and deciding to continue the process making several allegations against the IT department, the Law department as well as the complainant. The Court  issued notices to the respondents namely the Adjudicator and GPL for hearing on 27th May 2013. However the Court routinely approved the request for interim stay.

The interim stay was on the action of the new order of the present adjudicator dated 26th April 2013 which cancelled the earlier order of 27th December 2013  which had held that “No Company has a right to invoke Section 43 or no body can invoke Section 43 on any Company”.

If On 27th 2013, the interim stay is not vacated, it would mean that until such time where the Court changes the order later in the future, the adjudication order of 27th December 2011 will be operative and the cancellation will not be effective. This also means that the citizens of Karnataka would be deprived of the human right regarding availability of judicial redress in respect of cyber crimes. There would be a conflict between the decision of the Karnataka Human Rights Commission and the Karnataka High Court and the Adjudicator would be sandwiched between the two decisions.

If the Court vacates the Stay and continues hearing the case then the adverse impact of the stay will be prevented.

However if the High Court proceeds to hear the writ petition, it would be over ruling the powers of the Adjudicator as envisaged under ITA 2000/8 and would be also destabilizing the natural process of “Appeal” that has been envisaged under ITA 2000/8. This would mean that the role of the Cyber Appellate Tribunal is irrelevant. In other words the Karnataka High Court would change the hierarchy of Cyber Judiciary from

-Adjudicator of a State to Cyber Appellate Tribunal to the High Court of the State and then the Supreme Court of India to

-Adjudicator of a state to High Court of the State and then the Supreme Court of India.

The system of Cyber Appellate Tribunal can therefore be considered as redundant and ITA 2000/8 provision will effectively stand amended.

It is not clear if the High Court has this power to cause an effective amendment of ITA 2000/8 by agreeing to continue hearing of the case.

The option where the petition is dismissed and returned to the adjudicator for continuation would avoid setting of the above precedents which may add some confusions in the Cyber Law situation in India.

The objective of placing this detailed analysis of the forthcoming  hearing is to enable the media to take note of the importance of the case so that they can follow up the case.

I wish Mr Arnab Goswami of  Times Now, Mr Rajdeep Sardesai of CNN IBN, Mr Rahul Kanwal of Head Lines Today, Ms Bukah Dutt of NDTV, Mr Vishweshwar Bhatt of Suvarna News (Kannada) and others from TV 9 (Kannada), Samaya, (Kannada), Public TV (Kannada) and other channels to take note. I also invite attention of the print media such as Hindu, Deccan Herald, Economic Times, DNA, Deccan Chronicle, Bangalore Mirror, Times of India, Business Standard, Kannada Prabha, etc also to take note.

I request readers who have contacts with these journalists to draw their attention to this article so that they show some interest in the case.




Regulating the Ethical Hacking Training in India

Posted by Vijayashankar Na on May 26, 2013
Posted in Cyber Law  | No Comments yet, please leave one

The views expressed here and elsewhere on the need to regulate the “Ethical hacking Training” in India has evoked some responses which need to be debated. I will try to present some of these views and my perceptions about them.

Two important points of view that have been raised are as follows:

1. Regulation means one more opportunity for corruption and hurdles for development.
2. More Security education will lead to reduction of cyber crimes and hence no regulation is required.

One of the biggest advantages of regulating the ethical hacking education is more accountability in the industry.

Yes one more regulation, one more regulator, one more licensing scheme, one more audit power etc., will also open the possibilities of corruption. But even if a few training institutes get valid accreditation despite being ineligible, such people will at least be accountable after some time through RTI or otherwise. No scam can be hidden for long as we have seen in the recent days.

Secondly, whether more security education will reduce cyber crimes, depends on what type of “Security Education” we are talking about.

I agree that teaching a software developer to build security into the software architecture at the design level will help better practices to prevail in the community and enhance the security environment.

Also, I believe that teaching ethics at the graduation level when the students are at a more impressionable age is more likely to embed an ethical behaviour rather than years later when they have seen the world and tasted money flowing in their hands. (In the relative sense).

If ethical hacking training is imparted at an age where people are not willing to easily accept ethical suggestions and are only looking forward to acquiring skills which they themselves will decide how to use, then the probability of misuse is far higher. Since these trainings also distribute ready made hacking tools, I believe that the risk of mis-application of knowledge is higher.

What could reduce cyber crimes is security education where the curriculum is meant for the Aam Admi and sensitizing him to the dangers that lurk in the Internet and the tools of security he can use to minimize the risks while using web based services.

These type of trainings are done mostly by NGOs and self motivated individuals without the expectation of financial rewards while training for developing fraud skills is done by other companies for making profit.

The Government of India needs to invest in the “Security Awareness Programs for the Public” and not financing the “Fraud Skills Development” programs.

Hence regulation of Ethical Hacking education is in my opinion requires a serious consideration both at the basic academic level and at the advanced private education level.

May be the regulation may also include that for every ethical hacking trainee trained by a company, 100 members of the public are to be trained in security awareness through schools, colleges and public fora… so that the environment improves.. similar to de-forestation and re-forestation programs.

More Comments are welcome


Punjab National Bank Customers at Special Risk

Posted by Vijayashankar Na on May 25, 2013
Posted in Cyber Law  | No Comments yet, please leave one

A client of Punjab National Bank in Chennai has reported that the Bank has suspended sending of SMS alerts for Internet Banking transactions as is required under RBI guidelines.

The reason is reported to be some malfunctioning of some software.

If this is a problem in all branches of the Bank, it puts all the customers of the Bank at a serious risk of losing money in cyber frauds.

RBI should immediately take note of the situation and suspend the Internet Banking facility of PNB until the problem is sorted out.

The IT Secretary of Tamil Nadu who is also the “Adjudicator” for the State of TN should suo moto take cognizance of the development which places the citizens of the State at great risk and demand an explanation from the Bank.

I suggest all customers of PNB to walk into their branches and obtain a written confirmation about the availability of the SMS alert system and if the Bank confirms that the system is not available, the customers should suspend their Internet Accounts until the Bank sets right it’s system.
They may also send their complaints to the RBI in this regard.


Positive use of Ethical Hacking Skills

Posted by Vijayashankar Na on May 24, 2013
Posted in Cyber CrimeCyber LawUncategorized  | No Comments yet, please leave one

While in the long run Naavi.org would like a proper regulatory regime to be set up for regulating Ethical Hacking trainings in India,  it is necessary for  Ethical Hackers who have already been trained to be guided properly to use their skills for legal purposes only.

At present the hacking skills can be used only with the written permission of the owner of an Information Asset who can authorize a  vulnerability testing of his own systems. Any other form of “Unauthorized Access” or even an “Attempt at Unauthorized Access” including even a “Port Scanning” is not permitted in India law and can be prosecuted for punishment from 3 years to life imprisonment.

If hacking is attempted on foreign government assets there are countries which prescribe even a “Death Sentence”.

No person can give a written authorization to attempt hacking of any system not under his control. For example, an employer cannot try to hack into his employee’s e mail account without his written permission. A hacker should not therefore consider the written permission from a company as an all encompassing authority to hack.

In this context, the trained ethical hackers may feel frustrated that a training for which they paid lakhs of rupees is going unrewarded. Yes there is an underground mafia of Cyber Criminals and it may be profitable for them to join the mafia and make money. Then like Sreeshant the cricketer who sacrificed his promising cricket career for a short term enrichment through spot fixing, they may find themselves spending the rest of their time in jail.

Alternatively, I draw the attention of such frustrated souls to http://bugcrowd.com/ . (There may be other sites like this). Some of these sites are authorized (Please check authorization since they may make false claims) by certain system owners to conduct vulnerability testing and reward the persons who find out bugs. Those who have the skills should explore such opportunities and avoid getting lured to committing Cyber Crimes.