Here is a link to the interview of Naavi at ISMG.
http://www.inforisktoday.in/security-privacy-challenges-aadhaar-based-authentication-a-10051
Naavi
Recognizing the importance of GST in the Indian economy and particularly for E Commerce, Naavi.org is launching an online education center for GST related information and discussion under the domain name www.gstlaw.ind.in.
I welcome contributions from others so that it can be developed over a period of time into a useful information center on GST Laws.
Naavi
Tomorrow is an important day in the evolution of the taxation system in India with the ushering in of the GST system, which is termed the “One Nation - One Tax” system. Unfortunately, the proposal has been diluted over the months because of the non-cooperation of the opposition parties.
Nevertheless, it is a time to recognize the special nature of the occasion.
Naavi.org has been celebrating October 17 as the “Digital Society Day of India” since it was this day in 2000 that electronic documents were first recognized legally in India with the notification of ITA 2000. Similarly July 1, 2017 will in future be recognized as the day when India marched into an integrated tax regime with the introduction of the GST system. It needs to be commemorated despite the reservations one may have on whether it could have been made better than its present form.
Since the entire GST system runs on an IT backbone, IT stakeholders are excited about the opportunities of various types that would be unleashed by this monumental change. It is like the UIDAI system in India and HIPAA in the USA, which unleashed a whole lot of new business opportunities all around. It may take some time for everyone to recognize the ancillary business potential that a system like this would generate. But the beneficial impact on the IT sector will be seen sooner than we realize.
We have pointed out that some “Security” issues will emerge when such a huge system with centralized IT control is established, since it also represents a single point of vulnerability which, if exploited, can spread across the country in no time. The fact that the recent Petya ransomware was spread through a tax related software in Ukraine should be an eye opener in this regard. At the same time, “GST Information Security Practitioners” who understand GST and its operational aspects along with the principles of Information Security will see a new service opportunity emerge.
Just like the passing of ITA 2000 gave birth to “Techno Legal Behavioural Science experts”, GST will give rise to the birth of “Techno Tax System Security Experts”.
May the tribe flourish!
Since the entire GST platform runs on an IT backbone, most of the legal provisions related to GST actually become an extension of the E Commerce related laws. As a result, GST law is part of the larger canvas of Cyber Laws, or Laws on the usage of Electronic Documents for business.
Naavi.org will be separately discussing the GST related legal issues under the banner of “GST Knowledge Center” which will be online soon. In the meantime, in the context of the recent discussions we have been having on Bitcoins and Crypto Currencies, it would be interesting to reflect on how the Bitcoin community in India would be affected by GST and its penal provisions for non compliance.
The Central Goods and Services Act 2017 (CGST) envisages that under certain circumstances of non compliance, apart from the financial penalties imposed, there could be liability for imprisonment to the person who contravenes the Act. Hence all Bitcoin players need to take note that GST needs to be complied with.
We need to therefore appreciate how the Bitcoin or other Crypto Currency buyers and sellers as well as the Exchanges like ZebPay, UnoCoin, Coinsure, BTCxindia etc and the Bitcoin wallet service providers may get impacted by the GST.
First and foremost we need to understand that Bitcoin (and other Crypto Currencies) are not “Bank Notes” which come under the provisions of Section 22 (1) of the RBI Act.
A “Bank Note” in India is by definition a “Promissory Note payable to bearer where the promise is made by the RBI Governor”, and by practice it is issued in a specific format. “Promissory Note” is itself defined in the Negotiable Instruments Act 1881 as an “Instrument in writing (not being a Bank Note or Currency Note) containing an unconditional undertaking signed by the maker to pay a certain sum of money only to or to the order of a certain person or to the bearer of the instrument”. A Promissory Note is a document which requires compulsory payment of stamp duty under the Indian Stamp Act, without which it is not valid. Bitcoin (and other Crypto Coins) are obviously neither “Bank Notes” nor “Promissory Notes”. It is an electronic document produced under a process and contains some information in electronic form.
Bitcoin also cannot be classified as an “Actionable Claim” since there is no contractual offer or acceptance within the Bitcoin document.
Bitcoin is just a ledger entry and in return to recording an entry and broadcasting it, a person is rewarded with a “Certificate of Merit” which is treated as a saleable commodity.
The Bitcoin community has adopted a format in which this electronic document is created, and some people seem to be willing to assign a financial value to it and are prepared to trade in it. It has therefore become a “Perceived Currency” within the closed community of Bitcoin users, who are now trying to make it a universally acceptable “Currency”.
The Information Technology Act 2000 recognizes an electronic document as equivalent to “Paper”, and hence Crypto Currencies like Bitcoin are recognized as equivalent to a piece of paper on which something is written.
It may simply say “This is a part of the reward provided to xxx for having created a block number yyy… in the zzz system”… or something with a similar meaning.
This document is in electronic form and cannot be denied recognition whether it is digitally signed by the creator or not. In Indian legal system Bitcoin is an “Undigitally signed Electronic document” and has the legal recognition under Section 4 of ITA 2000.
Since Bitcoin is only like a piece of paper, it is a “Commodity” which is in electronic form. Maybe it is similar to a digitally signed e-mail or a webpage where the source can be identified with an “attribution”, though in a “Physical De-identified electronic form”.
In case any person is trying to represent Bitcoin as a “Currency” in digital form, it may be considered as misrepresenting a fact and committing a fraud, which is an offence both under the RBI Act and the IPC, carrying imprisonment of maybe up to 7 years.
If, however, Bitcoin is a “Commodity” and it is being bought and sold sometimes from within the country and sometimes from outside, then the trade would be equivalent to trading of any other commodity.
International transactions would amount to import or export of the commodity. Since our FEMA does not specifically permit import of Bitcoins, it would be necessary to seek the permission of RBI and every purchase of Bitcoin in exchange should be treated as an “Import” with necessary foreign exchange permissions through an “Authorized Dealer”. Every sale is like an Export and must be supported by declaration and recovery of proceeds through an Authorized Dealer. A registration under Import-Export regulations may also be required.
If anybody is lucky enough to “Mine” a Bitcoin, it would be treated as a “Manufacture of a Commodity” and is subject to GST just as a manufacturer of goods would be.
Any services related to the Bitcoin would be subject to the Service Tax equivalent of GST. Any trading resulting in a revenue would be a “Business income” and may not be considered “Investment Gains such as Short term or long term capital gains”.
If somebody is part of a “Pool” and gets a mining reward, he would be like a part-time “Employee” receiving an income, and it would be part of his “Global Income” to be taxed.
Holdings of Bitcoins, either mined or bought, have to be declared in the IT returns as “Inventory” and accounted as “Income from Business”. Where employee contracts do not permit part-time employment elsewhere, or trading of commodities as a part-time business, they need to seek permission from their employers.
As regards the chain of trading activities, each purchaser has to pay GST and is entitled to take input credit if the seller provides an “Invoice” in the requisite format showing payment of GST at his end. There is of course an exemption from GST for traders, manufacturers and service providers below a specific limit and if the person exceeds these limits there will be need for GST registration.
Bitcoin exchanges which have not registered under GST and not implemented appropriate procedures need to stop trading from tomorrow, as they would be in violation of the law once they exceed the limits specified. Exchanges and Wallet Service Providers who are “Registered” and deal with “Unregistered Bitcoin sellers and buyers” need to pay “Reverse Charge on one leg of the transaction and normal GST on the other side”.
In the case of inter state transactions, the payment is made as IGST. If the Exchanges structure the transaction as a broking transaction and the seller raises an invoice directly on the buyer, the intermediary may escape with the taxation of his charges only as a “Service Tax”.
Additionally after the initial moratorium period there would be Tax deduction at Source and Tax collected at source in some cases. If contravened, there would be interest, penalty and other liabilities.
The first principle to be remembered in GST is that it is the supplier of Goods or service who would be liable to pay GST. The seller of Bitcoin is therefore liable along with the Exchange and Wallet service provider. If the seller is unregistered, the reverse charge is on the exchange.
Then the Exchange sells Bitcoins to the buyer. If the exchange is registered, then it has to charge GST to the buyer.
If both the buyer and the seller are unregistered (because their turnover is less than Rs 20 lakhs) then there may be exemption of GST. In some cases such as imports, liability can be on the recipient.
GST needs to be paid immediately (by 20th of each month) on sale and returns need to be filed within a fortnight (deferred now for 2 months). The Tax collected at source (TCS) in GST means that any E Commerce operator who makes a payment for a transaction needs to withhold a designated percentage from the payment and remit it to GST authorities before the 10th of next month.
Since Bitcoin is not specifically mentioned in the list of Goods, cannot be treated as an “Essential commodity” which may be exempted from GST, and does not suffer a tax like the STT applicable to stocks or the CTT applicable to commodities traded through exchanges, the rate of GST on Bitcoins may be treated as 28%.
If the intermediary is liable for GST at both ends he may pay a reverse tax in one case and perhaps be eligible to claim input tax benefit at the other end.
Since Bitcoin is taxed under GST as a normal commodity which is manufactured, imported or exported, bought and sold, at each purchase point the buyer is entitled to claim input credit. Hence the exchanges and wallet owners need to put the necessary systems in place to enable claiming of such input credits along with payment of GST. It would be interesting to see how the companies respond to this new challenge.
Naavi
A day after the Petya attack, it is now recognized that those who pay the ransom after a Petya attack may not be able to get the decryption key and decrypt their system back to action.
The attack is now being dubbed as “Not a Ransomware but a Wiper”.
Experts are now realizing that the malware was by design not meant to restore data on payment of ransom. It could be a mistake that the creators of the malware have committed, or it could be an attempt by a state actor who wanted to attack Ukraine and wanted to disguise it and mislead the security world into thinking it was indeed a ransomware.
For more details one can refer to this article
According to these experts, unlike other ransomware, this malware does not encrypt at the file level. It encrypts the Master Boot Record (MBR) and makes the computer unbootable. Then it scans through the local network and infects other machines using other exploits. The malware replaces the MBR with its own version, which displays the ransom message.
It is however observed that the current variant of the malware encrypts the Master Boot Record (MBR) but does not keep a copy of the original MBR. Hence on payment of the ransom, the system cannot be recovered.
It is reported that the first around 45 victims who paid the ransom of around US $10500 in Bitcoins have not received the decryption keys.
There is therefore no hope for Pipavav Port or Jawaharlal Nehru Port Trust (JNPT) or any other victim of Petya (also called NotPetya or GoldenEye) to recover the data. They need to dig into their backups and reconstruct their lost data.
However, what we in India need to be more concerned about is future attacks of a similar nature that may be more devastating than WannaCry or Petya. We in India are now on the eve of GST implementation and the Aadhar Based Payment systems, both of which have a highly centralized system structure which, if infected, can cause havoc across the country.
It is to be noted that the devastation that occurred in Ukraine by Petya malware was because the malware first infected a program called MeDoc through an official update from the vendor. This was a tax accounting system perhaps widely used in the country and hence it spread like wild fire.
When our GST is in place, we will have a “One Country- One Tax” system and it could bring in many benefits of its own. But at the same time, it may also turn out to be a “One Malware infection Point” in place and God forbid, if this is infected the country’s economic infrastructure may come down.
In a recent press statement, the authorities in charge of GST have stated that due to lack of time, they were not even able to complete the “Functional Testing” fully after the changes that continued up to the last minute. It is therefore reasonable to expect that “Security Testing” has also not been completed.
It is hoped that nothing will go wrong as we function under the Amir Khan’s “Three idiot’s Principle” that “If you believe All is well, then everything will be fine”.
I am sure that enough Poojas have been conducted across the country to ensure that the system works fine. If not, we need to organize such poojas to coincide with the launching of the GST at the midnight hour tomorrow.
But the Murphy’s law says that “If anything can go wrong, it will” and security observers have more faith in this principle than the Three Idiot’s principle.
In a country like India which has a constant terror threat supported by countries like China, there is every possibility that what may normally not go wrong statistically may also go wrong since there are enemies working on destroying the country both from outside and also from within including the political parties like Congress, TMC, National Conference, Communists etc. Hence even if a small vulnerability is found in a system like GST, the possibilities of it being exploited are near certain.
Our response to Petya should therefore include how we face a situation where a Petya type of destructive malware spreads through the GST system.
The first thing the GST authorities as well as all individual assessees should do is to always keep a 100% backup of every document that is created and processed in the system, and such backups should be maintained on an off-network system which is well protected with a good malware protection system. GST needs to maintain a robust DRP/BCP system to have a parallel system ready for switch over in case the main system comes under a Cyber Attack.
All businesses should ensure that they do not link their operational computers directly to the GST system but use a separate computer to upload and download documents to GST. Any transfer of files between their current accounting computers and the GST connected computer should be done securely, avoiding the spread of any malware during the transfer process. Similarly, the main accounting system should be insulated from normal internet activities including e-mail and web surfing. SMEs may find this burdensome, but if they want to avoid regretting later, this is a small investment they need to consider.
Since the GST system was built before WannaCry had been recognized as a big threat, it is possible that it carries all the vulnerabilities that the recent set of malware has exploited.
I hope the security agencies will be up to the task of superimposing ransomware protection on the current GST system and ensuring that our national system is well protected.
GST Network safe from global malware attack, says CEO Prakash Kumar
No time to test software now, says GSTNetwork chairman Navin Kumar
At the same time, for whatever it is worth, we need to declare the GST system as a “Protected System” under Section 70 of ITA 2008 and also make it public that any attack on the GST system will be considered as a “Cyber Terrorist” attack which can immediately invoke international treaties for both investigation and protection.
Naavi
Thanks to the recent WannaCry ransomware that attracted wide attention, security professionals seem to have moved fast and identified what is claimed as a “Vaccine” for the Petya (a new version which some have called NotPetya) ransomware which is on the prowl. So far a couple of Indian companies seem to have been affected. Maybe we are not aware of more.
This ransomware appears with the following note on the affected desktops.
Just before the encryption, the following screen shot will appear.
When this alert appears, if the machine is powered off, the encryption would be stopped and the files may be preserved.
It can then be recovered by connecting it as an external hard disk to a secure system under a forensic supervision without booting from the disk. It should however be taken care that there is no reverse infection from the affected disk to the healthy system.
It may be better if the observation computer is first vaccinated as suggested subsequently here and even prudent if it is a clean machine with no other data to avoid any adverse effect of reverse infection if it occurs.
Also, since the ransomware first deletes the files before encryption and the process has been stopped in between, if the files have already been deleted, one may need to use deleted data recovery software before the sectors are overwritten.
This cyberattack appears to be an “updated variant” of the Petya malware. It uses the same SMB (Server Message Block) vulnerability that WannaCry did; however, in the case of Petya it encrypts, among other things, the master boot record. The messages recommend a system reboot, after which the system is inaccessible. This basically means the operating system won’t be able to locate files.
Also, BleepingComputer.com has suggested a simple vaccine which is available here:
The suggested kill switch is creating a file titled “perfc” as a read only file in the Windows folder for which step by step guideline is provided in the article available here:
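The step described above, as an added example that is not code from the original post or from BleepingComputer: a PowerShell function that creates the “perfc” file in the Windows folder and sets it read-only, then returns a record so the state can be verified. The function name and its parameters are this example's own; it has to be run from an elevated (Administrator) session because the Windows folder is protected.

```powershell
# Added example (not from the original post): create the read-only "perfc"
# vaccine file in the Windows folder. Run from an elevated PowerShell session.

function Install-PerfcVaccine {
    [CmdletBinding()]
    param(
        # Windows folder; defaults to the running system's %WINDIR%.
        [string]$WindowsDir = $env:WINDIR,
        # File name(s) to create. The post names only "perfc"; the parameter
        # exists so a caller can add names if other guidance requires them.
        [string[]]$Names = @('perfc')
    )

    foreach ($name in $Names) {
        $path = Join-Path -Path $WindowsDir -ChildPath $name

        if (-not (Test-Path -LiteralPath $path)) {
            # Create an empty file with that exact name (no extension).
            New-Item -Path $path -ItemType File | Out-Null
        }

        # Set the read-only attribute so the file is not casually overwritten.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true

        # Emit a verification record so the caller can confirm the result.
        $item = Get-Item -LiteralPath $path
        [pscustomobject]@{
            Path     = $path
            Exists   = $true
            ReadOnly = $item.IsReadOnly
        }
    }
}

# Usage: run as Administrator and confirm that ReadOnly shows True.
Install-PerfcVaccine | Format-Table -AutoSize
```

The returned object is the point of the function: a deployment script can run it across machines and check the `ReadOnly` column rather than trusting that the file was created. The vaccine does nothing against the SMB spreading path itself, so it complements, rather than replaces, patching and the off-network backups the post recommends.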
I hope with the vaccine, the damage will be contained.
A reminder, however, is due that the attack again underscores the need for proper backups on an off-network system and for employees being vigilant in not downloading the ransomware through attachments in e-mails etc.
One of the suggestions made by experts is to block an e-mail and several IP addresses and domains as listed below.
Actions to be taken:
1. Block source E-mail address
wowsmith123456@posteo.net
2. Block domains:
http://mischapuk6hyrn72.onion/
http://petya3jxfp2f7g3i.onion/
http://petya3sen7dyko2n.onion/
http://mischa5xyix2mrhd.onion/MZ2MMJ
http://mischapuk6hyrn72.onion/MZ2MMJ
http://petya3jxfp2f7g3i.onion/MZ2MMJ
http://petya3sen7dyko2n.onion/MZ2MMJ
http://benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin
COFFEINOFFICE.XYZ
http://french-cooking.com/
3. Block IPs:
95.141.115.108
185.165.29.78
84.200.16.242
111.90.139.247
I urge ISPs and MSPs to accomplish this at their end so that individuals are not required to do it at their end.
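The blocking actions listed above, as an added example that is not code from the original post: a PowerShell script that holds the listed e-mail address, domains and IPs as indicator lists, scans log lines for them with boundary-anchored matching (so that, for instance, the listed `95.141.115.108` does not match an unrelated `195.141.115.108`), and optionally creates an outbound Windows Firewall rule for the listed IPs. The function names, the log formats and the sample log lines are constructed for this example; the indicator values are exactly those in the post, with the host names taken from the listed URLs.

```powershell
# Added example (not from the original post): match the Petya IoCs listed in the
# post against constructed proxy/DNS/mail log lines, and optionally block the
# listed IPs outbound with Windows Firewall.

# Indicators exactly as listed in the post (host names extracted from the URLs).
$PetyaSender  = 'wowsmith123456@posteo.net'
$PetyaDomains = @(
    'mischapuk6hyrn72.onion', 'petya3jxfp2f7g3i.onion', 'petya3sen7dyko2n.onion',
    'mischa5xyix2mrhd.onion', 'benkow.cc', 'coffeinoffice.xyz', 'french-cooking.com'
)
$PetyaIPs = @('95.141.115.108', '185.165.29.78', '84.200.16.242', '111.90.139.247')

function Find-PetyaIoc {
    param([Parameter(Mandatory)][string[]]$LogLines)

    foreach ($line in $LogLines) {
        $lower = $line.ToLowerInvariant()

        if ($lower.Contains($PetyaSender)) {
            [pscustomobject]@{ Type = 'sender'; Indicator = $PetyaSender; Line = $line }
        }
        foreach ($domain in $PetyaDomains) {
            # Match the host and its subdomains (preceded by "." or a separator),
            # but not unrelated names that merely end the same way ("notbenkow.cc").
            $pattern = '(^|[^a-z0-9-])' + [regex]::Escape($domain) + '($|[^a-z0-9-])'
            if ($lower -match $pattern) {
                [pscustomobject]@{ Type = 'domain'; Indicator = $domain; Line = $line }
            }
        }
        foreach ($ip in $PetyaIPs) {
            # Anchor on non-digit/non-dot so 95.141.115.108 never matches 195.141.115.108.
            $pattern = '(^|[^0-9.])' + [regex]::Escape($ip) + '($|[^0-9.])'
            if ($line -match $pattern) {
                [pscustomobject]@{ Type = 'ip'; Indicator = $ip; Line = $line }
            }
        }
    }
}

function Add-PetyaIpBlockRule {
    # Requires an elevated session; New-NetFirewallRule is in the NetSecurity module.
    param([string]$DisplayName = 'Block Petya IoC IPs (outbound)')
    if (-not (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $DisplayName -Direction Outbound -Action Block `
            -RemoteAddress $PetyaIPs -Profile Any | Out-Null
    }
}

# Constructed sample log lines (not real traffic); the last two are decoys
# that should not match.
$sampleLog = @(
    '2017-06-27T10:01:02Z proxy src=10.0.0.5 dst=95.141.115.108 url=http://95.141.115.108/x',
    '2017-06-27T10:01:05Z dns   client=10.0.0.7 query=www.french-cooking.com type=A',
    '2017-06-27T10:02:00Z mail  from=wowsmith123456@posteo.net to=finance@example.com',
    '2017-06-27T10:01:09Z dns   client=10.0.0.8 query=notbenkow.cc type=A',
    '2017-06-27T10:02:30Z proxy src=10.0.0.9 dst=195.141.115.108 url=http://example.com/'
)

Find-PetyaIoc -LogLines $sampleLog | Format-Table -AutoSize
# Uncomment on an administrator console to add the firewall rule:
# Add-PetyaIpBlockRule
```

The decoy lines are there to show why the anchoring matters: plain substring checks over an IoC list produce false positives on longer IPs and on unrelated domains with a shared suffix, which is what floods an analyst's queue during an outbreak. `Find-PetyaIoc` emits objects rather than text so the hits can be piped to `Export-Csv` or a SIEM forwarder.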
Naavi
Reference:
Cert-In recommendation is available here
Bitdefender vaccine is available here;
Also read:
Petya Ransomware Outbreak Originated in Ukraine via Tainted Accounting Software
Petya cyber attack: Everything to know about the global ransomware outbreak
WORLD CYBER ATTACK: How to unlock computers hacked by Petya virus
Kaspersky: Petya ransomware eats your hard drives
Update:
Posteo.net has blocked the email accounts used in the Petya attack.
The action initiated by Posteo.net needs to be appreciated.
Naavi
The task force on Bitcoin formed by the Central Government is presently battling the lobbying pressure from ZebPay and other stakeholders who want Bitcoin to be legalized in India, as well as the contrarian voices of people like the undersigned, and is trying to arrive at a decision at the earliest.
The main public input they are considering is the MyGov.in discussion board. On the discussion board, a number of pro-Bitcoin messages were planted by vested interests. There was even a message from an insider in the name of MCX supporting the Bitcoin legalization which was quickly removed on objection.
Additionally the committee/taskforce appears to have met ZebPay several times in closed door meetings and held consultations.
It is anybody’s guess why the committee should have closed door meetings with a stake holder and not a public open meeting. Add to this, the attempt of MCX, a regulatory agency itself trying to bat for Bitcoins in the discussion board and its Directors not taking any noticeable action to punish the insider influencers.
Any intelligent observer can take a guess in these circumstances that pressure is being brought on the Task Force for a favourable decision that leads to the Bitcoin Exchanges being permitted to conduct their business freely perhaps under the guise that they take the PAN card number of the traders and claiming that they have “De-Anonymized Bitcoin Transactions”.
The frequent utterings of ZebPay representatives in the media to the effect that “Bitcoin is in the process of legalization” indicate a level of confidence that is not giving a feeling of comfort to neutral observers. Additionally, the fact that the names of the individual members of the initial committee and the Task force and their failure to disclose and declare that they do not have any holdings of Bitcoins add to this discomfort.
There is a genuine fear that the decision of the Task force has already been fixed and that it could be announced as soon as the time is ripe, maybe when the entire media is busy with the discussions on Jaitely’s GST effort and Modi’s US visit.
I hope that the task force members are not gullible enough to think that even if they are prepared to believe that Bitcoin legalization is beneficial to the country and therefore it should be promoted, the larger audience are gullible to believe similarly. They should therefore expect that any decision to push Bitcoin legalization in India would be challenged in the Court both for the imprudence as well as possible bias besides being raised within the BJP party fora.
Mr Modi has been proudly claiming that his Government has not seen any scam in the last three years and would like to keep up this record.
However, in the event that Bitcoin is legalized, there could be a perception that this decision hides a scam as big as the Coal scam of the UPA regime.
I expect that the CAG will take note of the possibility of a biased influence on the decision of the task force and keep observing how the decision on Bitcoins unfolds. The discussions which the committee has held with ZebPay and others should be matters subject to RTI query and if these records are destroyed and refused to be divulged in an RTI, it would confirm that “Dal Me Kuch Kala tha..”
The reason why I consider “Legalization of Bitcoins would lead to one of the biggest scams in the Modi Government” is as follows.
On November 8, 2016, Mr Modi demonetized the Rs 500 and Rs 1000 currency notes in a bid to curb black money in India. Subsequently the Finance Minister Mr Arun Jaitely successfully negotiated with the authorities in Switzerland to provide information on the bank accounts of Indians held in Swiss Banks at least in future. The message from the Government was very clear that the Modi Government was keen on curbing black money which is also an effort to reduce corruption. The other attempts such as linking of Aadhar to PAN card and Benami Property identification etc are also measures that the Government is projecting as a comprehensive strategy towards curbing black money.
However, if the Bitcoin task force succumbs to the pressures from vested interests and legalizes Bitcoin or otherwise gives an impression that the Government is not keen to intervene and people can do what they want with Bitcoins…accept them as legal tender for goods and services if they so desire….then in one stroke a huge stock of Bitcoins held not only by Indian Citizens but people all over the World including many of them who are criminals, some of them who are enemy countries will become part of the money circulation in India. They could dump the Bitcoins to Indians and create chaos in the market.
Currently, it is estimated that the total currency in circulation in India around November 2016 when the demonetization exercise started was around Rs 14.26 lakh crores. (There are other estimates which put the figures higher). Out of this stock of currency, at least notes equivalent to Rs 6.32 lakh crores represent the demonetized notes sought to be removed from the system.
All the measures that the Government is now undertaking, such as the use of UPI, BHIM or AEPS etc., where we talk of “Digital Payments and Digital Currencies”, do not add to the money circulation. They are simply alternate channels of using the money available in the system and could reduce the need for holding currency.
However, the current discussion of “Virtual Currency” refers to Bitcoin and other similar Crypto Currencies which are all fungible and indistinguishable. Its impact would be to create a new stock of liquid cash that can be used to buy goods and services with the receiver not obliged to bring it into the books of account as “Measurable Revenue”. Also this may be held in Bitcoin wallets with players abroad and one fine day declared as “Lost Due to a Cyber Attack”. While new buyers withdraw money from the Banking system and buy Bitcoins, the Bitcoin wealth itself may not return to the Banking system. It will remain in invisible and anonymous wallets and transferred to other similar wallets.
Now if Bitcoin is legalized, not only the current stock of Bitcoins but also the other Crypto Currencies which are convertible into Bitcoins (including any National Crypto Currency which provides for seamless conversion with Bitcoins, as well as pseudo currencies like Lindens) will become part of the money supply in India.
Currently it is estimated that the market capitalization of Bitcoins is about Rs 2.7 lakh crores and the market capitalization of all Crypto currencies including Bitcoins is around Rs 7 lakh crores. This is about 50% of the current money supply.
This means that the money supply in India would double overnight with any move to legalize Bitcoins.
Judging from the records of earlier years the money supply in India has an annual accretion of around 8-10% while the inflation levels have been around 5-7%. Currently the Government has brought inflation down and is targeting an inflation level of around 2% by the next year.
If the money supply jumps by 50% overnight, the inflation level will also jump. Historical data suggests that inflation could jump to astronomical figures of up to 40% p.a. Assuming that the Crypto Currencies held by foreigners and criminals may not come into circulation, the real increase in the money supply in actual circulation and the inflation effect may not be that alarming. But there is no doubt that there will be a huge inflationary pressure which would make the Government miss the inflation targets in the next few budgets, at least until the next Loksabha elections in 2019.
Hence all dreams of BJP going to the next election with an economy that shows “Good Governance” and “Acche Din” will vaporize.
Is Mr Jaitely ready for this risk? Are Mr Amit Shah and Mr Modi aware of this risk?… I have my doubts.
It is therefore necessary for Mr Jaitely who is busy with GST and Mr Modi with the US tour to immediately spare some time towards what the Finance Ministry’s task force on Bitcoin regulation is likely to do. If they are negligent, the future of India could be put in jeopardy.
I sincerely hope that the Task force has realized the enormity of the effect of the decision which the Bitcoin supporters are trying to lure the committee into taking.
Whether the CAG recognizes the latent scam or not, whether the media is interested in focusing on this impending decision of huge implications on the economy, we shall keep our vigil. We shall do our best to ensure that no decision is taken to legalize Bitcoins, which we firmly believe is the currency of Criminals, Terrorists and Black Money holders. We request the public to render their vocal support in this regard and ensure that the message reaches the right quarters.
Naavi