Header image alt text


Building a Responsible Cyber Society…Since 1998


Here is a demo of how an open USB port can be used by a hacker with a 30 to 60 sec access using a “USBDriveBy”.

The device which is small enough to be worn around the neck (or carried in the pocket) when connected to a USB port will emulate as a mouse or key board and establish connect to the OS and establish a remote control to the hacker’s computer completely compromising the computer.

See the detailed report

Now we need to start worrying about how to lock and unlock USB ports. Refer here for ways to disable USB ports in windows.


Is What’s App bound by Section 67C of ITA 2008?

Posted by Vijayashankar Na on December 25, 2014
Posted in Cyber Law  | No Comments yet, please leave one


TOI has reported today that the Nagpur Bench of Mumbai High Court has dismissed a PIL filed by Advocate Mahendra Limaye demanding that What’s App should retain the data for a specified period under Section 67C of ITA 2008.

The Court has held that since the service is voluntary and free, there is no public interest in the requirement.

Recently I had a discussion with some senior police officials who informed that in several investigations they were unable to obtain information from What’s App because of which their investigation could not proceed on the desired lines.

From the published information it appears that What’s App stores the personal data of its subscribers and also the contacts of the subscribers. To that extent, What’s App is exposed to Section 43A of ITA 2008 requiring “Reasonable Security Practice”. This also requires adherence to data retention requirements under Section 67C. They are also bound by Section 79 of ITA 2008 as an intermediary. Under the circumstances it appears that What’s App is bound by ITA 2008 and therefore there is a stake for Indian public on What’s App being compliant to Indian law.

However, it is the business model of What’s App that they only store the contact information and allow the content only to pass through. According to information available at http://www.howdoeswhatsappwork.com ,  the messages are temporarily saved on What’s App servers and automatically deleted after 30 days.

It is also known that What’s App proposes to charge a service fee after a trial period though they have indefinitely postponed the charging on the service. Now that Facebook has taken over the management of What’s App it is only time that What’s App would be a paid service or an ad supported service in a short time. The contention of Nagpur Court on “What’s App is free” is therefore not correct.

Further one grey area of What’s App operations is that they are acquiring “Contact” details of the subscribers and using it. A question arises in this context whether the subscriber has the consent of his contact to part with the mobile number and name to What’s App and whether this would be subject to privacy right of the contact. Since the subscriber is only sharing the number as associated with a name he has assigned to the contact, it may be argued that the data ceases to be that of the contact.

After the Uber and Bitcoin controversies on Interpretation Internet based business models, What’s App also needs to be understood properly if it is a purely “Peer to Peer” service or a “Server Based Service” and if so, whether What’s App will have liability to retain data at least when demanded by law enforcement etc.



Just as the IS community is absorbing the lessons of Sony attack, the JP Morgan security breach involving a suspected data theft of 76 million records has disturbed the community.

See Report 

According to the New York report it appears that the J P Morgan attack resulted from one of the servers being out of the 2F authentication which prevented the breach on close to 100 other servers. Though the 2F authentication is in itself not fool proof, the fact that every small step towards security can have its own ROI is proved from this incident since the servers which were hardened with 2F authentication seems to have escaped the attack.

It is interesting to note that hackers donot always need zero day exploits to make big hits. There are many negligent IS practitioners who can facilitate exploits which could have otherwise been prevented with a “Reasonable Security Practice”.



It appears that the hacking of Sony pictures in which corporate data has been destroyed and compromised has exposed the new dimension of a kind of Cyber warfare. According to FBI, the hack was attributed to North Korean Government and the motive was the prevention of the release of a Hollywood movie involving a theme of assassination of a North Korean leader. Of course North Korea has denied the charge.

The issue highlights the potential for damage to corporate business assets arising out of such state sponsored high impact attacks. Such attacks can occur on other corporates  in future as a targeted attack as a part of Cyber terrorism.

Indian corporates face the specific risk of Pakistan sponsored attackers intending to damage the Indian economic infrastructure.

It is time therefore for Indian Companies to initiate appropriate security measures to ensure that they can ensure business continuity if such debilitating attacks are targeted at them.

Apart from hardening of the security on an ongoing basis, most companies need to revisit their Disaster Recovery Programs (DRP). Many companies need to establish a DRP where there is none and upgrade if they have a basic facility.

As a result of this new threat perception and the necessary mitigation measures, the cost of maintaining the IT infrastructure would increase significantly.

The Government of India needs to therefore think what is its responsibility in providing a security blanket to Indian Corporates against such attacks coming from enemy states. It appears that this is a National Defense Responsibility rather than an information security responsibility of an individual company.

There are two immediate actions that the Government may contemplate.

1. First requirement is to provide some kind of a defense cover to the Indian corporates by offering financial support directly promoting higher cyber security investments by corporates. This could be in the form of setting up a National Secured Data Center at different parts of the country where in companies can be provided DR hosting facilities at a reasonable cost.

2. Second is to  recognize that such attacks on private citizens of one country by another state actor  is  “Terrorism” and handled as such by the international community India should join an international consortium with US to develop a “Global Cyber Security Force of Democratic Nations” that can attack and bring down the rogue states who mount cyber wars on the citizens of other countries.  This should be discussed during the visit of Mr Obama to India during the next month.

The Sony attack is a defining moment in the global cyber security and we cannot afford to ignore the event as the next such attack can come upon one of our own global players.


 Related Articles:

5 ways how Sony Hack will Change how America will do business

Hollywood Reporter

Security Week

US Cert Advisory

Is there a Mehdi in my company?

Posted by Vijayashankar Na on December 14, 2014
Posted in Cyber Law  | No Comments yet, please leave one


Mehdi Massor Biswas the Bangalore based employee of an ITC group company  was arrested by the Police for having maintained the Twitter account Shami Witness in which he was promoting ISIS ideology.

While the Police will continue their investigation and punish the guilty, the HR manager at ITC would be wondering how he/she could have not found out that a radical jihadist was working with them without being found out. Some may argue that Mehdi was very clever and carried a “Dual Personality” exhibiting only his quiet professional face in the organization and did what he did during his free time. Some may even say that organization has no responsibility for what an employee does during his spare time.

But let us not forget that ITC employed a jihadist and paid him a salary of about Rs 5.3 lakhs per annum. In a way this was funding a terrorist. However unpalatable it would look like, there is no way the organization can say they have not indirectly supported a global terror movement.

If so, can the Company officials be held liable for “Vicarious Liability”?. This depends on whether the company officials had a knowledge of Mehdi’s character as a Jihadi sympathizer and failed to take any action since nothing happenned during office time using office infrastructure.  If so they would be liable for not taking such steps as would be necessary to prevent the crime. This responsibility would also fall on Mr Mehdi’s co-workers who might have had more information than the HR Manager himself.

Had the Company practiced “Due Diligence” or “Reasonable Security Practices” to identify vulnerabilities in their human resource and apply risk mitigation measures perhaps the crime would have been detected earlier.

Now that the incident is behind us, not only ITC but also other companies need to review their HR and Security policies to check if they have a Mehdi in their company?.. a person who is a radicalized “terror sympathizer” and who carries the risk of committing a terrorist campaign or even a terror attack either within the company or in India or elsewhere.

If there is any such person in their company, then they need to take action to remove him from any sensitive positions and if necessary from the organization itself.  If in doubt, he needs to be kept under watch for action at a later time. Probably there is a need to share such information with the intelligence authorities also.

How do we identify persons who could be causing trouble? ..well this is a million dollar question. The normal “Back Ground Verification” where a report about the person’s previous employment etc is verified is inadequate since people providing reports are not always truthful. They tend to suppress any adverse report either because they are unsure of their assessment or because they are sympathetic to the employee even though he might have been chucked out of their organization.

We therefore need other means to identify the behavioural traits of a person during the time when a person is working for the organization. The first step in this direction is  to implement a “Whistle Blower Policy”, because there is a high likely hood of the Mehdi type person exposing himself with his co-workers unwittingly. A well managed whistle blower policy would help identifying such person at the earliest.

Additionally, one needs to adopt sophisticated psychological measures to spot persons with a deviant tendency. This could be done through behavioral analytics applied in a non intrusive manner to map the behavioural tendencies of the employees. May be the well known behavioural theories used in criminal psychology can be applied to identify persons who have a deviant tendency.

In the coming days, this domain of Behaviour Science will be the new skill  requirement for HR Managers and Security managers.

Related Article: ITC Confirms..


ISIS Propaganda from a Bengaluru Executive?

Posted by Vijayashankar Na on December 12, 2014
Posted in ITA 2008  | No Comments yet, please leave one

It is a shocking revelation that one of the most prominent Twitter handles carrying on ISIS propaganda happens to be that of a young professional working in Bengaluru in an MNC firm.


The twitter handle was titled Shami Witness and the person is identified by his pseudo name Mehdi.

The incident highlights how terrorism has spread its wings to young professionals with good educational background. It is unfortunate that the Police in Bengaluru had no inkling to the goings on.

It also highlights the failure of the employee behaviour monitoring system in the organization in which the person was employed and HR professionals need to think of new ways of identifying such deviant minds working in the system.


P.S: Another question which the Government of India and Karnataka need to answer is that just as they banned Uber and other app based taxi services, will they ban the ad company in which the person was employed and also other ad companies !