One More Technology Intoxication case

Here is another case of a hacker publicly admitting an offence for which he may get 3 to 7 years of imprisonment, and challenging the Indian Government. MeitY is not strong enough either to secure its systems or to prevent Indian software professionals from using Government projects as target practice for testing their hacking skills.

In the bargain the Indian Government under Mr Modi appears to be powerless against people who are specifically targeting the Indian Government assets and exposing the other citizens to great risk.

I draw attention to the article https://yetanothersec.com/blog/2020/06/03/digilocker-disclosure/

which highlights the exploits of Sri Mohesh Mohan, Senior Security Specialist for Dubai Smart Government.

I have no doubt that this person is a talented security specialist and his website (https://www.h4hacks.com/) may have proof of his talent. However, he represents that category of technology experts who are suffering from “Technology Intoxication” and focus their energies on hacking Government projects particularly of India because the Indian Government is meek in dealing with such persons.

In his article he admits that he was motivated by the “Competitive Hacking Urge” he felt when another software person from Bangalore announced that he had hacked the Aarogya Setu app.

He then targeted the DigiLocker app after downloading it. The rest of the article describes the modus operandi of the hacking, just as a psychopath would describe how he murdered a person.

The fact that this person is proud of his act makes me wonder about the ethics of professionals.

I want to ask the Dubai Government whether it assisted this person in hacking Indian Government assets by providing him any hardware, software, wifi connectivity etc., and if so, whether it would take responsibility for the hacking.

It is clear that the Aarogya Setu authorities’ handling of the earlier hack with kid gloves has encouraged this hacking. Hence we should hold the officials who did not take stringent action against the Aarogya Setu hacker complicit in this fraud, for having encouraged Mr Mohesh Mohan.

I am a DigiLocker holder and this hack has directly compromised my security, for which I am entitled to claim damages from the Government of India.

I seek an answer from the person in charge of the DigiLocker project, National e-Governance Division, MeitY, on what action they intend to take against this hacker.

Has MeitY had DigiLocker notified as a “Protected System” under Section 70 of ITA 2000?

Do the terms and conditions of use of DigiLocker prohibit downloading it for reverse engineering and hacking purposes?

Are a privacy policy and terms of use presented before a citizen first provides his Aadhaar number to the DigiLocker authorities after downloading the app?

I would like to know from the Secretary of MeitY who will be held responsible for exposing my confidential information, and that of several lakh fellow Indians, to a hacker who may sell it on the dark web.

The reply from CERT-In that the vulnerability has been plugged confirms that the vulnerability did exist and is damning evidence against the DigiLocker authorities.

The reply of the DigiLocker team is funny, as it says “No account other than that of the attacker was used”. It does not say that the information in the 3 billion documents was not accessed by the hacker. The reply also says that the data is “Safe and Secure”. It is difficult to understand how compromised data can be considered “Safe”.

The DigiLocker team perhaps does not understand that keeping the data safe while not keeping the data owner safe is not acceptable Techno Legal security.

The incident calls for severe disciplinary action against the DigiLocker team, along with initiation of criminal action against the hacker.

I am forwarding this article to the concerned persons and await their reply.

I hope MHA also takes the necessary action, since this incident is a crime which causes serious concern to Indian citizens about whether their critical personal information, such as Aadhaar data, PAN data, driving licence data etc., is safe.

Naavi

P.S: I have sent the following e-mail to digital locker team:

To: support@digitallocker.gov.in

Dear DigiLocker team,

I am informed that a hacker by the name of Mohesh Mohan has hacked into your system and accessed 3 billion confidential records, including critical information of citizens of India.
I also understand that you have admitted the vulnerability and CERT-In has also confirmed the vulnerability.
Though you have stated that the data is still with you, what you have is only a copy of what the hacker also has. It is possible that he could by this time have sold the data on the dark web and made millions.
Please let me know what action you have taken against the hacker, who has admitted his hacking. Are you entering into any compromise with him? If so, for what consideration?
Please also let me know how you are compensating individuals like me.
You have been kind enough to answer the hacker. Will you be duty bound to answer me?

I have also sent the following message to CERT-IN:

To: incident@cert-in.org.in

To
The Director General
CERT-In
Kindly advise me if you have initiated any action against the DigiLocker team or the hacker. Forbearance is an act of complicity, and I hope you would not let this pass just as you let the Aarogya Setu hacker get away.
This kind of soft handling of such serious incidents would create a very bad precedent and is not in keeping with the policies we advise the private sector to follow when it comes to imposing sanctions on their employees for negligence.
MeitY and CERT-In should not create a precedent of this nature.
Naavi
(Na.Vijayashankar)
Posted in Cyber Law

Dubai Data Protection Law

Another Data Protection law having relevance to Indian Companies is now out. Effective 1st July 2020, the Data Protection Law in Dubai has been revised and brought in line with the current trends.

The new DIFC (Dubai International Financial Centre) law (No. 5 of 2020) replaces the earlier 2007 version. The law tries to replicate the GDPR provisions but expresses them differently, and perhaps with a little more clarity.

The application of the law is in the jurisdiction of DIFC and the purpose is to protect the fundamental rights of data subjects as well as provide standards and controls for processing.

The law applies if the data processor/controller is situated in DIFC, or processes personal data in DIFC as part of stable arrangements rather than on an occasional basis.

Processing is generally subject to free consent, or explicit consent for special categories of information, though other bases such as a contract, legal necessity, protection of the vital interests of the data subject and legitimate interest are also available.

The appointment of a DPO is optional except for controllers performing high risk processing activities on a systematic basis. DPO must reside in UAE.

Transfer of data outside DIFC is permitted on an “Adequacy” basis, or through a legally binding instrument, Binding Corporate Rules, Standard Protection Clauses, an approved code of conduct, etc. Transfer is also permissible under explicit consent, for public interest, for legal claims, etc.

The requirements of notice, and the information to be contained therein, are also specified in the law.

Rights of the data subject such as withdrawal of consent, right to access, rectification and erasure, portability and the right to object to profiling are also provided.

At least two means of contact for the data subject to exercise their rights need to be provided.

Data breach notification is provided for, and the Commissioner shall be the regulatory authority. Only in high risk breaches do the data subjects need to be notified.

A voluntary certification scheme may be established for the purpose of the Controller or Processor to demonstrate compliance of the law but certification alone will not relieve the responsibility for compliance. The Commissioner may issue accreditation for agencies who are authorized to issue such certificates.

Non compliance is subject to appropriate fines that may be imposed by the Commissioner. Right of private action is also available.

In general the regulation closely follows the GDPR principles but avoids quoting a threateningly high limit of fine or criminal prosecution, though these could be invoked when necessary.

Indian companies that intend to use Dubai as a base for their operations should gear up for the new regulation.

(P.S: This is only a preliminary view to keep the legislation under our radar. Watch out for detailed discussions in due course)

(Copy of the law can be found here)

Naavi

Posted in Cyber Law

Equip yourself for a career as a Data Protection Professional in India

A new career is unfolding in the field of “Data Protection Professionals in India”.  The subject of “Data Protection” is a techno legal domain. It can be considered as an extension of the Cyber Law expertise for legal professionals looking for Corporate careers. The IT and IS professionals can also look at this domain as an enrichment of their present expertise and acquiring an additional dimension to their current careers.

This knowledge could be a gateway for the new career opportunities in the field of Data Protection.

In the direction of preparing the professionals towards this new career, Naavi is conducting a series of educational programs in which more than 100 senior professionals have already taken part.

Over the next two weekends, Naavi is conducting another online program, which is a good opportunity for professionals to start their journey in this direction.

Probably when the Covid lockdown ends and the realities of economic disturbance hit the employment scenario, there will be a need for professionals to preserve their positions by re-skilling themselves in appropriate futuristic knowledge. This is one such opportunity.

The participants of this program have the opportunity to also appear for the Certification examination of Foundation of Data Protection Professionals in India (FDPPI) and qualify as “Certified Data Protection Professional (Module-I)” by paying an additional fee subsequently.

Remember that India is already under a Data Protection regime under Section 43A of Information Technology Act. The forthcoming Personal Data Protection Act is only a new version of the “Due Diligence” and “Reasonable Security Practice” under the current laws.

Check www.cyberlawcollege.com for more details and payment

REGISTRATION CLOSED

Naavi

An opportunity is before you. Grab it today. Tomorrow may be too late.

Posted in Cyber Law

Name and Shame Rogue Domain Name Registrars

Congratulations to Delhi Police for busting the “Ayushman Bharat fake website fraud”.

It has been reported (Refer Indian Express article) that four persons were arrested in Delhi for running a fake website by the name ayushman-yojana.org and cheating public by offering jobs in the name of the Government. The fraud was brought to light after a complaint was made by the National Health Authority. The website had advertised 5116 vacancies in six states and received payments for registration of applications.

This fraud is a repeat of one committed several years back, when a fake website cgtmse-govt.in was opened to impersonate cgtmse.in (first reported on naavi.org in “Loans through SMS??” and “Loans through SMS-Fraud Site confirmed”, written on 16/7/2013 and June 11, 2014). Despite the matter having been brought to the notice of the owners of the genuine domain name, no remedial action was taken. Subsequently, a fraud of Rs 22 lakhs occurred to a client of Punjab National Bank, on which a complaint was filed, and it was then reported (refer article “Chhattisgarh Adjudicator passes compensation order for Rs 22 lakhs”). The compensation was awarded on 20/5/2016 (copy of order available here).

In the above case also it was the Delhi Police who arrested the accused, who had set up the fake websites www.cgtmse-govt.in, www.cgtmse-gov.in and www.pmay-gov.in. The names of the accused in this case were Sudipto Chatterji alias K.M.Acharya and Shekh Ibrahim.

The websites were disabled after the adjudication, which was 3 years after Naavi.org brought the fraud to the notice of the public. During this time several other persons lost their money, as is evident from the fact that the beneficiary of the adjudication, Mr Mohanty, got his money returned only because there was money in the fraudster’s PNB account, which was actually money collected from subsequent frauds. So somebody else who did not pursue a complaint lost money, and the person who pursued the case got his money back from the proceeds of the other frauds.

What we pointed out at that time, and reiterate now, is that this fraud could not have been committed without the assistance of the Registrar of Domain Names and also the Bank (PNB in this case). These two parties should have been co-accused in the fraud case and punished. If the Adjudicator had exercised his powers under Section 46 of ITA 2000 fully, he could have ordered PNB to check all earlier fraudulent credits in the account and made PNB return all of them to the respective victims. The domain name registrars would also have learnt a lesson: they could have acted in 2013, after Naavi.org made the fraud public, and cancelled the domain name registration, which would have been well within their rights under the domain name registration contracts they would have obtained from the accused.

It is, however, not considered the duty of the domain name registrars, and they continue to be the architects of the kind of frauds that re-surface again and again. The Ayushman-yojana.org fraud is just another case which has been found now, even as many such frauds are being committed at this moment.

The domain name was registered on 8th March 2020 by the registrar midwestdomains.com. It may be noted from the whois records that this domain name has been registered by an organization named HSIF Company in Uttar Pradesh.

Fortunately, since “Privacy protection” was not enabled on the registration, a search of other sites showing whois information reveals the following domain name registration details.

Name: HSIF Company

Address: B-7 Sector 64, Gautam Budhdha Nagar, UP, 201301

Phone 1204250001

E-mail: hr.hsifc@gmail.com

In my view, it is the negligence of midwestdomains.com that has enabled the registration of the fake domain name. The registrar has also profited by such registrations.

Name and Shame Rogue Domain Name Registrars

The question we should raise is:

Should we not make these registrars also responsible for such fraudulent registrations, as co-conspirators in the scam?

The law permits these registrars to be considered co-conspirators, but the fact that these companies are like deep web companies and part of the criminal syndicate themselves makes it difficult in practice to draw them to the courts.

But these registrars should be named and shamed and must be put on the “Rogue Registrars” list. ICANN should also be asked to change its current systems of appointing registrars and making them liable for proven cases of domain name frauds arising out of lack of verification of the identity of the registrants.

I request any official of ICANN to respond and let us know what action they take when such rogue registrars are reported and if they have issued any circular earlier that registrars have to identify the registrants and have failed to do so, what action can be taken now at least after a fraud has been reported.

Mr Samiran Gupta the India representative should be made a respondent in all future domain name related phishing and should be questioned on what action is taken at the ICANN level to prevent such frauds.

Mr Samiran Gupta’s LinkedIn profile here

ICANN also has to immediately stop the domain name registrars hiding the registrant’s identity under the privacy excuse since registration of domain name and running a website is a “Public-Business” activity and does not come under any “Personal Data Protection” laws of either GDPR or any other law.

ICANN and the registrars being blind to the cyber crimes being committed out of deliberate registration of fake websites is a bane of the Internet and is also increasing the cost of operation for genuine operators who have to block several related domain names only to prevent frauds of this nature.

In around 2002, Naavi promoted the concept of “Look Alikes Disclosure” (presently available at www.lookalikes.in) to enable genuine domain name registrants to at least declare these fraudulent domain names. But this also requires some effort on the part of the domain name owners to display a link to the lookalikes database, like the following:

This service was proposed but could not be commercialized. Maybe its time has come now.

I wish the Delhi Police would check whether the current gang of fraudsters in the Ayushman-yojana.org case have any connection with the earlier fraud and, if so, ensure that they get appropriate punishment in the Court for repeated offences.

A Note to honest Registrars in India

This article refers to those registrars who are in the wild west abetting the Cyber Criminals and refuse to be accountable. Other honest registrars may kindly excuse me for using the title as I have done here.

However, even these registrars need to introduce policies and procedures to ensure that proper KYC is done on domain name registrants, so that impersonation frauds are reduced to the extent possible.

If possible, look at the proposed Personal Data Protection law in India, which has suggested that social media intermediaries introduce a system of verifying their users. Introduce a similar system in domain name registrations and refrain from providing “Privacy Protection of whois data”. Whois data is not personal information but public business information.

NIXI should also incorporate these guidelines as “Best Practices in Domain Name registration” and be a model to the world. Mr Samiran Gupta can coordinate some of these changes with NIXI which is the policy formulator for Dot IN domains.

Naavi

Posted in Cyber Crime

A Movement in Data Protection has started in India…

A detailed 44 minute video including the Question and Answer session is also available here

Posted in Cyber Law

Cyber Law Courses from Naavi…a reaction to cherish

“Most of us don’t want to learn law, primarily for two reasons: one, the subject being a little dry, and secondly we feel lawyers are there to take care. After attending this workshop conducted by Guru Na.Vijayashankar (Naavi) and organised by …., I realised the subject is fantastic provided it is taught by a person who himself knows the subject. At the same time, as a citizen, an IT professional needs to know the basics. Otherwise we as security professionals are dependent on others as first responders for any untoward incident. Can’t claim to be an expert, but at least aware. Thanks …. for making me part of this learning experience. My prize possession.”

A Director, Information Security

It was a pleasure to complete two short programs on the Information Technology Act 2000 for Information Security professionals during the last two weeks. The course was conducted over 12 hours and covered the ITA 2000 from a Techno Legal perspective.

One of the participants posted the above comment on his LinkedIn profile, which I thought I should share with others, just to highlight the need for IT/IS professionals to also be aware of ITA 2000.

For some time now I had restricted myself to teaching only Data Protection, and it was after a long gap that I returned to teaching ITA 2000. It was refreshing. I also felt honoured that several senior IS professionals from major companies in India were part of these programs.

Naavi

Posted in Cyber Law