Readers of naavi.org have seen discussion on IRCTC website being misused and hacked several times in the past. (Earlier articles can be found here. https://www.naavi.org/wp/index.php?s=irctc

In a fresh  move,  (See here), police have busted a gang which was committing the “Tatkal Booking Fraud” to book tickets fraudulently ahead of the genuine travellers by manipulating the online booking system.

In the process, they seem to have used IP spoofing, call spoofing, captcha breaking and several other software tools. They have used social media for advertising their service. Additionally they are reported to have used fake Bank accounts and Wallets as well as SIM Cards where KYC failures were also responsible.

Police have been successful in arresting five prime accused and taking further action.

Naavi

A long awaited measure to make filing of Cyber Crime Complaints easy has now been announced by the Central Government.

According to the news reports emerging, Government of India is setting up a central portal where such a complaint can be filed either by a victim or any good samaritan.  (refer here)

The complaint will be registered and numbered and the jurisdictional police station would be alerted. The status of the complaint gets updated at appropriate levels so that it can be followed up.

This is a simple provision that was recommended long time back and is now seeing the light of the day. An earlier attempt was made in some states including Karnataka to introduce such a system but it remained on paper since the police establishment did not support the move. Hopefully this time it is a reality.

Further details are awaited.

Naavi

In the past we have discussed the indications that China is preparing for a Cyber War supremacy by various means. It is interesting to note that using the strength of cheap manufacturing, China has virtually become the hub of global IT device manufacturing. This has also given an opportunity for China to manipulate the manufacturing of Computers and Mobiles and install backdoors to enable stealing data from all the computing devices across the world.

In this connection therefore it is no surprise that a security firm now reveals that the firmware managed by a company called Shanghai Adups Technology and contained in about 700 million phones worldwide contains a backdoor which has the capability of sending full bodies of text messages, contact lists, call history with full telephone numbers and unique device identifiers including IMEI umbers and IMSE numbers. (Refer here)

It is stated that Adups  firmware is used by 400 mobile operators, semiconductor vendors, and device manufacturers, covering everything from smartphones to wearables to cars and televisions.

According to the security firm Kryptowire, data transmission of text messages and call logs takes place every 72 hours, and all other personally identifiable information is sent every 24 hours and the data is sent to four servers belonging to Adups.

This enables Adups to identify specific devices and also track the activity. This provides a capability to the company to track Government officials and key business organizations where the mobile phones are being used. It also provides a capability to disable the phones for a massive denial of access attack.

At this point of time the brands that use Adups technology is not known but any device from Huwei and ZTE. (See here)

It is necessary for the world to wake up to this Cyber Intrusion and device appropriate security measures to prevent any data going out of the mobiles without the knowledge and permission of the owner of the phone. Since this is an offence in all Cyber Crime laws, a criminal case has to be filed against the company Adups and followed up internationally.

As a long term measure, Chinese IT devices should be completely eliminated from use by any critical Government or Corporate employee and probably by every body else. This requires alternate manufacturing facilities to be set up.

India should also immediately start a dialogue with the new US President in the making Mr Donald Trump how the manufacturing of mobile phones is taken out of China and shifted to India and USA.

There should be a global Cyber Security initiative in this regard that India and USA should lead to protect the Globe from the Chinese control of Cyber Space.

There is also a report that Micromax phones may also be vulnerable to this threat (See here). On the basis of this article,it should be possible for an investigation to be launched in India and the Company may be charged under Section 43 and Section 66 of ITA 2008. This should get more details of the “Computer Contaminant” and this “Micromax Virus” should be rooted out of India.

Naavi

Related Article:

Are any Mobile Phones Made outside China?

Clarification from Adups

The UK based Tesco Bank recently observed suspicious transactions in around  40000 Current Accounts and had to temporarily shut down transactions in the accounts. Subsequently it was indicated that about 9000 accounts saw fraudulent withdrawals to the total extent of about UK Sterling 2.5 million (About Rs 21 crores). The average loss per account was around Rs 21000/-.

Some reports allege that over 21000 accounts have seen the fraudulent withdrawals putting the potential loss at over Rs 50 crores.

Most of the fraudulent transactions occurred overseas such as Spain and Brazil.

The exact nature of the breach is yet to be ascertained/published. However it appears to be a hacking of the Bank’s systems at some level caused by failure of internal processes including negligence of intermediary service providers. An investigation by the national crime agency s underway. We may not be surprised if this breach finally leads to some BPO located outside UK hopefully not India.

For More information: Guardian.com report

It is expected that regulators may impose a multi million pound fine. (See report) The share prices have also been adversely affected. Tesco has been offering 3% interest to the current account customers and hence provided competition to other bigger Banks. But this incident could put a brake on its business growth for some time. The general allegation is that the Bank has systematically neglected cyber security and the breach is a result of such compromise…much like the Indian Banks.

The Bank has after the incident taken steps to inform their customers through SMS and has also put up a note prominently on its website indicating the latest position.

 Indian Banks often deliberately avoid notification of  breaches on their website and even to RBI. For such Banks it is important to notice the response of Tesco Bank to the breach.

The complete update as available on the website is available here: 

The update contains an apology, contact information, and an FAQ for further information. In contrast Indian banks fail to admit breach, refuse to refund the amount to the customer, deny their failure to notify customers individually and enter into a prolonged legal battle with the customers.

What RBI and Indian Banks should note

RBI should make a note of this incident and issue suitable instructions on “Data Breach Notification” for Indian Banks. Ofcourse we need to remind that it should not be a toothless advisory but an action oriented directive. RBI should also stop cheating the public with an issue of draft circular for public comment and going silent there after.

It is also recently found that RBI has not provided Banks with any guideline on Social Media Banking and Banks have started using Twitter and Facebook Banking on their own. Even after RBI was questioned in a RTI application, they have not taken any action to distinguish Internet Banking and Mobile Banking from the less secure Twitter and Facebook banking. This gross negligence on the part of RBI will come to haunt Mr Urjit Patel sooner than he may anticipate.

Presently the Banks are grappling with the “Note Exchange” program and in the process using “Mobile Centers” armed with “Micro ATMs”. Customers will be exposing their Banking credentials to these POS machines which could result in a new security risk.

We are not sure if Indian Banks and RBI are alert to the security issues. If the attitude of Vijaya Bank cashiers at M S Ramaiah Hospital in Bengaluru recently (Sitting in a Maruti Van with Open doors and dispensing cash instead of closing the doors and operating through the window) without any physical security, is any indication, Banks could be not even aware of the risks to which they are exposing themselves and their customers in a bid to satisfy the critical politicians of the opposition who are anyway habitual critics to be ignored.

Hope the current crisis in Indian banks pass off peacefully without a Tesco or SBI Card type of incident recurring.

Naavi

In the recent DDOS attacks on OVH and DYN, the attacks were committed with redirection of terrabytes of data using botnets of video devices.

It is already known that earlier botnets of millions of computers were being created to conduct such attacks. Now it appears that in certain cases, data traffic of as little as 4Mb per second could bring down networks.

A research organization TDC has reported that a single laptop producing around 180 Mbits per second can send certain commands that can trick the firewalls of CISCO and others to bring down the network.

More details are available here

Security managers need to check the vulnerability in their servers and implement the corrective steps that are being recommended by the security companies.

Naavi

n amendment bill has been tabled in Australia to amend the Privacy Act 1988 to prohibit conduct related to the re-identification of de-identified personal information published or released by Government entities. (See Details here)

According to the provisions of the amendment, when an agency is entrusted with de-identified information, they shall not act in any manner that the de-identified information gets re-identified.

The exception to the rule is when

 (i)  the act was done in connection with the performance of the agency’s functions or activities; or

  (ii)  the agency was required or authorised to do the act by or under an Australian law or a court/tribunal order.

(iii) the entity is a contracted service provider for a Commonwealth contract to provide services to the responsible agency; and  the act was done for the purposes of meeting (directly or indirectly) an obligation under the contract.

(iv)  the entity has entered into an agreement with the responsible agency to perform functions or activities on behalf of the agency; and  the act was done in accordance with the agreement.

(v)  the entity is an exempt entity for the purposes of this section in accordance with a determination in force and  the act was done for a purpose specified in that determination in relation to the entity and in compliance with any conditions specified in the determination that apply in relation to the entity.

The penalty for the offence could be an imprisonment upto 2 years and also civil fines.

There is also a provision for “Disclosure” if re-identification is done failing which there could be civil and criminal penalties.

The amendment indicates a specific attempt to focus on prevention of re-identification and enhances the Privacy protection.

In the Indian Context a protection of this nature is implicit in the contractual agreement of the sub contractor failing which the responsibility for disclosure lies with the agency (which is recognized as an “intermediary” in the ITA 2008)