Cyber Alliance of India Formed

A group of cyber security volunteers have come together to form a forum called “Cyber Security Alliance of India”, with the objective of working on information security issues in the context of current developments in India.

The alliance has started its preliminary activities in Mumbai and is interested in extending its activities to other centers in due course.

A meeting with industry leaders has been called on 11/01/2017 at the Maharashtra Cyber Project office, 32nd Floor, WTC, Cuffe Parade, to take the discussion further.

The alliance was born over a couple of “Chai Pe Charcha” meetings in Mumbai and has the potential to be a positive contributor to the “Security of Digital India”.

Hopefully the authorities will make proper use of the forum, which consists of stalwarts in the field of information security from across the country.

More information will be shared as and when available.

Naavi

Posted in Cyber Law | Leave a comment

Gait Recognition solves the molestation mystery…Good work by Bengaluru Police

Over the last week, the media has been lambasting Bengaluru police over the couple of molestation complaints received during and immediately after the New Year celebrations in Bengaluru. TV channels including Times Now, NDTV, India Today and News X revelled in criticising Bengaluru Police and the Karnataka Home Minister, virtually shaming all Bengalurians as if Bengaluru were a hell for women.

Now it is time for some of these critics to eat their words, as Bengaluru police have quickly solved two of the molestation complaints by intelligently applying their cyber investigation skills.

The first incident occurred in the dead of night, at 2.45 am, when a girl was returning from a New Year party. Two boys came on a scooter, and one of them forcibly kissed the girl and then threw her down violently.

This incident was investigated by checking the CCTV video and also the mobile tower records, to track all the mobiles present in the vicinity at that time. Since not many people were around at that hour, the number of devices to be tracked was small, and the Police were able to identify the owners of the mobiles that were moving around and arrest them.

The second case was more interesting. In this case, a burqa-clad woman had complained that while she was walking to work at around 6.30 am, she was stalked by a person who kissed her, bit her tongue and injured her by trampling on her foot, and who went away after some dogs started barking. This was sensitive since it involved a Muslim woman. The TV critics also commented that the woman was more than decently dressed, that it was morning and not the dead of night, and so on, to argue that the incident showed Bengaluru had become a really bad city for women.

Those, including the Karnataka Home Minister, who felt that the first incident and the New Year celebration related disturbances were caused more by the circumstances, in which people were drunk and not decently dressed, had to go into hiding, because the second incident was completely outside that pattern.

But here the innate intelligence of the Bengaluru Police came to the fore. We are not aware of the individuals responsible for this successful investigation, but they need to be commended, since they used what is considered an advanced form of “cyber intelligence”: “gait recognition” in CCTV footage.

“Gait recognition” is the art and science of identifying an individual by the pattern of his walk. It is considered an innovative “biometric” that can be used to identify people in a crowd using only CCTV footage. In other countries, research is being done on how to develop an identifiable pattern of a person’s “gait” from video images available in public, and thereby identify terrorists in a crowd.

Our Bengaluru police may say that, even though they may not have used the technology to the extent of analysing the gait with software, they were able to spot visually that the walking style of the alleged offender was similar to that of one of the victim’s relatives, who had also come to the Police station to give the complaint. They also used the mobile records to establish that this person had spoken to the alleged victim minutes before the incident in the early morning hours.

It is now a matter of record that the offender was actually a relative of the girl (the husband of the victim’s sister) and that the two had enacted this drama of molestation to convince the elders to agree to their marriage: the pretext was that nobody else would marry the “tainted” girl, so this relative could marry her as his second wife, persuading his first wife (the victim’s sister) that he was doing the victim a service.

What a great plot! But very disgusting, since in future any genuine complaint by a woman will be viewed with suspicion.

Law enforcers are scratching their heads over how severe the punishment should be for persons who tried to cheat the law enforcement machinery and brought shame on the entire population of Bengaluru.

Nevertheless, let us not fail in our duty to salute the police personnel, in all probability just a constable in the Police station, who identified the similarity between the walking style of a living person and that in the crime video and helped in the successful investigation.

Naavi


Will Ravishankar Prasad show the same courage as Mr Modi?

Recently, the Ministry of Electronics and Information Technology (MeitY) has come out with a notification under Section 79A of ITA 2008 indicating the norms for notifying a Government agency as an “Electronic Evidence Examiner”, which can be called upon by a Court to certify the authenticity of an electronic document that is before the Court as “evidence”.

Eligible organizations are required to make an application with information about their credentials. Since Section 79A covers only departments, bodies and agencies of the Central and State Governments, all the applicants will be Government agencies.

One of the requirements specified in the “Scheme” for notification is that the applicant organization has to be compliant with two international standards, ISO/IEC 17025 and ISO/IEC 27037.

The notification essentially means that if an organization wants its forensic practices to be in tune with what the ministry expects for notification, it needs first to understand the specifications of these two standards, then implement them, and then call in one of the accredited ISO certification agencies to review its processes and certify that it complies with the requirements of these standards.

The specifications are “proprietary documents” protected under copyright, priced in Swiss Francs at CHF 138 and CHF 158 respectively (1 CHF = Rs 66.98). The two documents therefore cost around Rs 20,000/-, which is the minimum an organization has to spend in foreign exchange just to know what MeitY wants. It is normal practice in ISO documents for one standard to refer to another, and so on, so that the user often needs to buy several ISO documents just to understand one standard. Then, even if the organization is compliant, it needs to get certified by an accredited ISO organization, at an expense of, say, around Rs 3 lakhs. A part of this goes to the Indian consultant and a part may be royalty that goes to ISO.

In 2011, the then ministry notified rules under Section 43A which required “Reasonable Security Practices” to be followed by all companies that collect personal and sensitive personal information from the public. Today this includes all companies that use Aadhaar information, which means perhaps lakhs and lakhs of corporate entities. The Ministry, in its notification, almost made it mandatory that all these companies use the ISO 27001 standard as the requirement of compliance.

As a result of this notification, which was also placed in Parliament and became part of the national regulation, a huge benefit running to thousands of crores was potentially passed on to the ISO organization in foreign exchange. When this was pointed out to the ministry officials (refer here), the officials privately agreed that there was no mandate that ISO 27001 compliance be considered as “deemed compliance under Section 43A”, but did not make any change in the notification.

Similarly, the Union Health Ministry recently came out with a notification on EHR standards, which needs to be complied with by all IT companies handling health information as well as all hospitals, pharmacies etc., and which referred to around 35 ISO standards. Compliance therefore requires first acquiring all these standard specifications at a cost in foreign exchange.

It is absolutely criminal to suggest to Indian citizens that, if they want to follow the laws of the country, they need to buy documents from a foreign agency just to know what the law means. By bringing such references into notifications that are placed in and passed by the Indian Parliament, the ministries are making the legislators too a party to this siphoning away of our money.

This practice should stop, notwithstanding the effort required. In the US, the national agency NIST (National Institute of Standards and Technology) has developed the standards required by the IT industry, placed them on its website and allows anyone to download them free of charge. While the standards are mandatory for US Government agencies, others can use them as best practice. The standard documents are so well written that they are good enough to be followed as guidelines by other countries as well.

It is therefore perfectly possible for the Indian Government to completely indigenize the standard specifications by developing our own information and information security standards. It is only for data that needs global mobility that we need to adopt international standards. These may be required in industries such as health care processing, where health data generated in India may have to be processed abroad. Otherwise none of the “best practice standards” need to be imported. Though there is an attempt to adopt some of these standards through local standards organizations and nodal agencies, the effort is only half-hearted and the standards are not fully adopted.

I therefore urge the Government, and particularly the Ministry of Information Technology, to set up a Committee on IT Standards and develop the equivalent of the entire ISO series of standards and the privacy standards of various US and EU nations for local use, and publish them as freely available Indian Standards. In order to avoid copyright infringement charges, it will be necessary to individually rewrite each of the standards in our own words, just as NIST has done, and we need to do this immediately, as we are moving towards the Digital India concept faster than we earlier envisaged.

The objective should be that all regulatory requirements are codified as “open source”, and this should be considered a “Make in India” project for regulatory standards.

If this is not done, then the payment we make to buy the standard documents amounts to a “tax” levied on Indian citizens to meet compliance with Indian law, which is mandatory.

This is unlikely to be permitted under our Constitution, and if challenged in the Supreme Court it is bound to elicit heated opposition to several of the Government’s initiatives.

Further complications can be avoided if the Ministry of IT moves quickly and adopts a policy of rewriting all the information security and quality standards of the ISO family as new Indian standards and providing them as open source. Otherwise the Government should pay some compensation to ISO and make all such standards compulsorily available for free public use.

A decision like this can be taken only by a person of the stature of Mr Modi, just as he took the decision on demonetization. Now Mr Ravishankar Prasad has an opportunity to do what Mr Modi did on demonetization. Will he rise to the occasion?

Naavi


Digital Evidence Examiner .. More on the notification .. and on “Compliance Tax”

(This is a continuation of the previous article found here)

ITA 2008 introduced a new section, Section 79A, under Chapter XIIA, which reads as follows.

Section 79A: Central Government to notify Examiner of Electronic Evidence

The Central Government may, for the purposes of providing expert opinion on electronic form evidence before any court or other authority specify, by notification in the official Gazette, any department, body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence.

Explanation:- For the purpose of this section, “Electronic Form Evidence” means any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax machines”.

This section enables the Central Government to notify any organization belonging to either the Central or a State Government as an “Examiner of Electronic Evidence” (EEV). The objective of the section is to enable a Court to seek expert opinion on electronic evidence before it.

The use of the word “may” instead of “shall” indicates that this is an option. Being an option, it implies that Court proceedings could have gone on, and may still go on, even if an “expert opinion” of a notified EEV is not available.

The doubt that now arises is whether only notified EEVs can be called as “experts”, and nobody else.

We may note here that under Section 79A an EEV is an organization and not an individual. However, the one who stands in the witness box and gives evidence is an individual. By defining an organization as the “expert”, the section enables a notified EEV to send any of its representatives, not necessarily the one who actually conducted the forensic examination of the document, to represent the EEV and confirm the “expert view”.

There is no provision under Section 79A to notify any individual as an expert witness in relation to an electronic document.

Hence the present system of individual experts, persons who have demonstrated expertise in the field to which the evidence belongs (not necessarily one with a degree, diploma or certificate), giving evidence that can be treated as “expert evidence”, where the opinion and not merely the fact is material, will and should continue.

We now look at the documents released by the Government for further comments.

The Notification

The notification starts with an incorrect statement: “Section 79A of the Information Technology Act 2000 mandates Central Government to notify…”

We need to note that the section does not “mandate” but enables. This is an important point. Since notification is an “option”, the law does not prohibit a situation where there is no notified Electronic Evidence Examiner. Hence even after a few labs are notified, other labs may continue to function.

The notification says that this is an experimental effort, in which 3 to 5 labs will be notified, and it has encouraged eligible bodies in the Central and State Governments to apply for notification.

The application form for notification is provided in Annexure II.

Empanelment will require the development of a “Quality Manual” in which SOPs and other documents are to be presented for the following:

  1. Case Acceptance
  2. Handling of Exhibits
  3. Security and Preservation of Exhibits
  4. Analysis of Exhibits
  5. Electronic Evidence Analysis Report Format
  6. Tools and Equipment Testing
  7. Training
  8. Internal audit reports specific to scope Quality assurance
  9. Any other procedure

The department has also developed a 9 page Scheme for Notifying Examiner of Electronic Evidence.

The scheme essentially copies the ISO 17025 standard (General requirements for the competence of testing and calibration laboratories) and the ISO 27037 standard (Information technology - Security techniques - Guidelines for identification, collection, acquisition and preservation of digital evidence).

The evaluation process will therefore involve a few ISO auditors chosen by MeitY.

To understand what the Government of India wants its citizens to do on cyber security, we are always required to pay a “tax” in the form of purchasing an ISO document. This was the principle followed by the DeitY officials during Mr Kapil Sibal’s days. The same process is now being continued under Mr Modi’s regime, under Mr Ravishankar Prasad.

Hence, to know more about the standards, a payment of around Rs 10,000/- or more in foreign exchange has to be made to buy the documents, and then the lab has to pay fees to an ISO auditor to certify whether what it is doing is right. A part of this fee will also go out in foreign exchange to the ISO organization, as a contribution from the Indian Government.

People like us think this is an unfair “tax” for being compliant. (Refer to my earlier article on the subject here.)

Hope Mr Arun Jaitley will take note that MeitY is introducing its own tax on digital transactions, in the form of “compliance with cyber law”, without the sanction of the budget. Also, the benefit goes abroad. This is an obnoxious practice and needs to be set right as part of the “Make in India” campaign, with all information security standards indigenized, as NIST has done, and released free of charge to the public.

I request Mr Ravishankar Prasad or any official of MeitY to clarify why MeitY is not in a position to draft its own standards by consulting the NPA or CDAC or even the FBI, as NIST does for the US, and avoid references, in a Government notification considered mandatory for compliance by citizens of India and departments of the Government itself, to documents that are available only on payment in foreign exchange.

Naavi


The Role of “Notified Digital Evidence Examiners”

On 2nd January 2017, the Government of India came out with a notification under Section 79A of ITA 2008 on a pilot scheme for notifying organizations under Section 79A as “Digital Evidence Examiners”. Since then some newspapers have put out reports which are not completely correct. We need to understand the notification and its purpose correctly and not be misled by ignorant statements printed even by reputed newspapers.

I refer to one such report in the Economic Times under the title “India to finally get electronic evidence authenticators”, which inter alia made the statement:

“In a move that will aid investigators and prosecutors, the Centre has finally decided to appoint “Examiners of Electronic Evidence” who will be the only ones authorized to tell courts if an e-evidence is authentic”

This statement is incorrect and misleading and needs to be clarified.

In the same article, a senior IPS officer is quoted in a way that reflects a correct understanding. He says:

“The first line of argument from the defence is that the footage or voice is doctored. Presently, material is sent to forensic labs based on court direction on a case-to-case basis. But we need one or more authenticators to whom we can straight away go even before taking it to the court. Their seal and sign must qualify as concrete attestation before any court.”

Digital evidence is presently part of almost all Court proceedings. In the past it has been used successfully to prosecute offenders in cases under both ITA 2000/8 and the IPC. The first case in which a conviction was obtained with electronic evidence as the main evidence to prove the crime was the “Suhas Katti case” (details available in the two part judgement reproduced), way back in 2004. Subsequently several Courts have taken cognizance of electronic evidence. The latest important judgement is that of the Supreme Court in what is called the “Basheer case”.

Besides these, several Courts have used electronic evidence to prove facts in litigation, both civil and criminal.

It is not as if the Courts have not admitted and appreciated electronic evidence so far. Whenever electronic evidence is presented in Court, it is first admitted on the basis of the Section 65B certification. Later, during trial, if any of the defendants object, they may produce their own expert opinion to counter the evidence. The Court, if it needs to, may then call a forensic expert acceptable to it to give an opinion on the matter.

This process will continue.

Presently, the Police often request the Court’s permission to send a seized hard disk or mobile to a Government forensic lab (there are also a few private labs whose services have been used by the Police from time to time), and the Government lab then gives its analysis, which is presented by the prosecution in Court. If the Police proceed with analysis without such Court permission, there is a fear that the evidence may be considered to have been tampered with without authorization and the findings rejected. Hence the Police will now be happy to have notified labs to which they can send the evidence. Obviously, such labs will be the CFSL and the State level forensic labs.

Through this notification, the Police may be able to speed up their investigations, since they can take the assistance of these accredited labs at the investigation stage itself.

If the defendant disputes the evidence, he may ask for a fresh independent analysis by requesting a cloned copy of the hard disk. The two experts may then be cross examined in Court to satisfy the Court one way or the other.

Section 79A is an enabling provision, which states as under.

79A Central Government to notify Examiner of Electronic Evidence

The Central Government may, for the purposes of providing expert opinion on electronic form evidence before any court or other authority specify, by notification in the official Gazette, any department, body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence.

Explanation:- For the purpose of this section, “Electronic Form Evidence” means any information of probative value that is either stored or transmitted in electronic form and includes computer evidence, digital audio, digital video, cell phones, digital fax machines”.

This section was introduced by the Information Technology Amendment Act 2008 and became effective from 27th October 2009. Under this provision the Central Government is empowered (note the word “may”) to appoint any department, body or agency of the Central or a State Government as an “Examiner of Electronic Evidence”. This is not meant for individual experts but only for organizations.

It is expected that the organization will follow certain standard practices which make its process reliable enough for the Court to consider the evidence it certifies as authentic enough to proceed with the trial.

It will be standard process in all such forensic investigations that the lab, on receipt of the material (the container of the electronic document, such as a hard disk, mobile, CD, pen drive etc.), creates cloned copies, so that any request for production of the evidence in the form in which it was presented to the lab can be fulfilled.

We need to note that this requires money to be invested in buying additional hard disks and devices similar to the evidentiary objects. For example, if 10 hard disks are presented as evidence by the Police, the lab has to buy 10 similar hard disks to keep cloned versions of them. The Police would perhaps also have a cloned copy of their own, created at the time of seizure. Thus there will be a proliferation of digital evidence storage devices, and the labs will have to ensure that budgets for such expenses are provided.
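The cloning step described above is only useful to a Court if the lab can later show that the clone is bit-for-bit identical to what it received, and that the master copy was never written to during analysis. The following is an added example, not part of the notification or of any lab’s SOP, of that procedure: acquire a master image while hashing the very bytes written, lock the master, hand analysts a separate working copy, and re-verify against the recorded acquisition hash. It goes slightly beyond the text in that it uses a cryptographic hash (SHA-256, an assumption about what a Court would accept; labs commonly record two hashes) as the verification mechanism. The “seized disk” is a constructed sample file; on real media the source would be a block device read through a hardware write blocker, with an imaging tool such as dd doing the copy.

```python
"""Added example: acquiring and verifying a cloned copy of seized media.
Not from the Section 79A notification or any lab's SOP. The seized disk below
is a constructed sample file; SHA-256 as the acceptable hash is an assumption."""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large images never sit in memory


def sha256_of(path):
    """Hash a file in chunks; used to re-verify master and working copies."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source_path, master_path):
    """Stream the source into a master image, hashing exactly the bytes written.
    The returned acquisition hash goes into the chain-of-custody record next to
    the hash the seizing officer recorded at the time of seizure."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(master_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    os.chmod(master_path, 0o444)  # the master is never opened for writing again
    return h.hexdigest()


def make_working_copy(master_path, work_path):
    """Analysts work on a copy; the master stays untouched so it can be produced
    to the Court or to the defence on request. Returns the copy's hash."""
    shutil.copyfile(master_path, work_path)  # copies bytes, not the read-only mode
    return sha256_of(work_path)


def verify(path, expected_hash):
    """Re-hash a copy and compare with the recorded acquisition hash."""
    return sha256_of(path) == expected_hash


def run_example():
    """Whole procedure on a constructed sample: seize, acquire, verify, work on the
    copy, then show that a modified working copy is detected while the master still
    verifies. Returns the custody record built along the way."""
    with tempfile.TemporaryDirectory() as d:
        seized = os.path.join(d, "seized_disk.bin")
        with open(seized, "wb") as f:  # constructed stand-in for a seized disk
            f.write(b"NTFS    " + bytes(range(256)) * 64)
        seizure_hash = sha256_of(seized)  # as the seizing officer would record it

        master = os.path.join(d, "master.dd")
        work = os.path.join(d, "working.dd")
        record = {"seizure_hash": seizure_hash,
                  "acquisition_hash": acquire(seized, master)}
        record["acquisition_matches_seizure"] = (
            record["acquisition_hash"] == seizure_hash)
        record["working_copy_hash"] = make_working_copy(master, work)

        # Simulate an analyst or a careless tool modifying the working copy.
        with open(work, "r+b") as f:
            f.seek(0)
            f.write(b"XXXX")
        record["working_copy_still_valid"] = verify(work, record["acquisition_hash"])
        record["master_still_valid"] = verify(master, record["acquisition_hash"])
        return record


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The point a defence expert will probe is not whether a hash was computed but whether it was computed from the same bytes that were written to the image and before anyone opened the image for analysis; hashing inside the acquisition loop and locking the master immediately afterwards is what lets the lab answer both questions from its own record.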

Why Digital Evidence Examiner’s Certification should be discretionary not mandatory?

Electronic evidence is admitted as evidence on the basis of its Section 65B certification. This is prima facie evidence for the purpose of the trial. The trial then begins when one of the parties presents its findings on the evidence. At this point, the interpretation of the evidence as presented by the party producing it will be accepted as long as the evidence is not challenged by the defendant.

This situation is similar to, say, a signed letter presented in evidence on which the defendant’s signature is not challenged. If the signature is challenged, the Court may invite a signature or handwriting expert to give his views.

Similarly, any electronic evidence admitted in a Court can be proceeded with without further certification from a “Digital Evidence Examiner”. Where the Court so decides on its own, or where the evidence is disputed, it may become necessary to seek the opinion of an examiner notified under Section 79A. Even then, the opinion of the examiner may still be challenged by the defence.

It will be at the discretion of the Court to decide how much weight to place on the evidence before and after such certification by a Digital Evidence Examiner.

Meeting the “admissibility” criteria under Section 65B of the IEA is mandatory, but requiring the certificate of a Digital Evidence Examiner need not be considered “mandatory”. It is discretionary.

Police may still consider it as a Best Practice

However, in practice, the Police may not like to present evidence in their hands without this certification, so that they are not accused of shoddy investigation. So the Police may in practice adopt a policy of sending every piece of electronic evidence for “digital evidence examination” in an accredited lab.

The certification may improve the “probative value” of the evidence and make it more difficult for the defendant to get it termed “unreliable” by the Court.

But just because a piece of evidence is certified by a “Digital Evidence Examiner”, the Court cannot refuse to allow the defendant to question the evidence. That would amount to trampling on the rights of the defendant.

In future, the Courts and the Police need to consider dispassionately whether it is practical to send all digital evidence to such labs as a mandatory process and, if so, whether it is feasible to close any case in which cyber evidence is involved (which is almost a hundred percent of all investigations) within a reasonable time.

Imagine that in every civil and criminal case involving a written document, each such document had to be sent to a handwriting expert for certification. Such a demand would be impractical. However, in the interest of justice, whenever there is the slightest doubt about the authenticity of a written document, it is prudent to send it for the views of a handwriting expert.

Consider the investigation of the molestation case which the Bangalore police cracked recently from CCTV footage and mobile tower data. There will be hundreds of such cases in which truckloads of evidence on digital devices would be used, and if all of these had to be certified in the accredited labs, we would be looking at a practical impossibility.

Hence, we should accept that the use of a Digital Evidence Examiner should be considered “discretionary” and not “mandatory”. Whenever there is a “reasonable” doubt (the standard of reasonableness can be low to begin with) as to the authenticity of an electronic document presented as evidence, the Courts may make examination by an “accredited digital evidence examiner” (which is an organization and not an individual) mandatory, while the Police will continue to have the discretion to adopt it as a “best practice”.

I state, however, that if it is made mandatory and all digital evidence is dumped on such labs, there will be a serious hit on trials, and the cyber criminals will be happy with the delays.

Despite what I have stated above, the notification was long overdue and is welcome. It was a necessary follow up to ITA 2008 which had been left unattended. Hence we welcome the move, with caution.

(Follow up article)

Naavi


Traffic Light Protocol

Classification of documents before distribution is one of the important activities of data managers in organizations. The better part of information security lies in properly classifying a document and tagging it so that every end user understands what he can and cannot do with the document in his hands.

In this connection, it is interesting to observe the document tagging protocol used by US-CERT, appropriately named the “Traffic Light Protocol (TLP)”.

Attention was drawn to this protocol when the Obama Government in the USA published a joint DHS/FBI analysis report on the hacking of the e-mails of the Democratic National Committee by suspected Russian hackers, which helped expose many of Mrs Hillary Clinton’s secrets and perhaps contributed decisively to the victory of Mr Donald Trump.

While the Obama administration has been livid about the hacking and the revelations, and has also taken action by expelling Russian diplomats and closing Russian facilities in the US, information security observers note that the report was released under TLP as a “WHITE” document, indicating that it can be distributed without restriction.

TLP uses colour codes and nomenclature to designate documents and define their sharing boundaries.

There are four colour codes under the protocol, and they indicate as follows:

“TLP:WHITE” indicates “unlimited” boundaries for distribution.

“TLP:GREEN” indicates that the information is meant for limited disclosure, restricted to the community.

“TLP:AMBER” indicates that the information is meant for limited disclosure, restricted to the participants’ organizations.

“TLP:RED” indicates “not for disclosure”, restricted to the participants only.

The complete definitions are given in the US-CERT table, reproduced below (Source: US-CERT). Each entry gives the colour, when it should be used, and how it may be shared.

TLP:RED - Not for disclosure, restricted to participants only.
When should it be used? Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party’s privacy, reputation, or operations if misused.
How may it be shared? Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP:AMBER - Limited disclosure, restricted to participants’ organizations.
When should it be used? Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved.
How may it be shared? Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP:GREEN - Limited disclosure, restricted to the community.
When should it be used? Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector.
How may it be shared? Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP:WHITE - Disclosure is not limited.
When should it be used? Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release.
How may it be shared? Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

More details of the protocol can be found on the website of US-CERT. Indian companies could adopt a similar tagging protocol for their own documents.
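A tagging protocol is only as good as the point at which it is enforced, which for TLP is the moment someone decides to forward a document. The following is an added example, not US-CERT code and not part of the original post, that reads the TLP marking off a document and applies the four sharing rules quoted in the table above: WHITE goes anywhere, GREEN stays inside the community and off public channels, AMBER stays inside the recipient’s own organization (plus clients with a need to know), and RED stays with the participants of the original exchange. The organizations, the community names and the sample report are constructed for the example, and treating an unmarked document as RED until it is classified is this example’s own conservative default, not part of the protocol. Note also that the version quoted on this page is the one in force at the time; the later FIRST TLP 2.0 renames WHITE to CLEAR and adds AMBER+STRICT, so a parser for current feeds needs those labels as well.

```python
"""Added example (not US-CERT code): parse a TLP marking and enforce the four
sharing boundaries. Organisations, communities and the sample report are
constructed; the rules follow the US-CERT definitions reproduced on this page."""
import re
from enum import IntEnum


class TLP(IntEnum):
    """Colours ordered from least to most restrictive, so max() yields the stricter one."""
    WHITE = 0
    GREEN = 1
    AMBER = 2
    RED = 3


# Accepts "TLP:RED", "TLP RED", "tlp-red" and mixed case. The trailing \b keeps
# "TLP:REDACTED" or "TLP:GREENFIELD" from being read as a marking.
_MARKING = re.compile(r"\bTLP\s*[:\-]?\s*(WHITE|GREEN|AMBER|RED)\b", re.IGNORECASE)


def parse_marking(text):
    """Return the most restrictive TLP colour found in `text`, or None if unmarked.
    A document carrying more than one marking is treated at the stricter level."""
    found = [TLP[m.group(1).upper()] for m in _MARKING.finditer(text)]
    return max(found) if found else None


def may_share(level, source, recipient, *, channel_public=False,
              same_exchange=False, need_to_know_client=False):
    """Apply the sharing rule for `level`.

    `source` and `recipient` are dicts with "org" and "community" keys.
    channel_public      -> the copy would travel over a publicly accessible channel
    same_exchange       -> recipient was a participant in the exchange where RED was disclosed
    need_to_know_client -> recipient is a client/customer who needs AMBER info to protect itself
    Unmarked information (level None) is handled as RED until classified; that
    default is this example's assumption, not part of the protocol text."""
    if level is None:
        level = TLP.RED
    if channel_public:
        # Only WHITE is unrestricted; GREEN explicitly excludes public channels,
        # and AMBER/RED are narrower still.
        return level == TLP.WHITE
    if level == TLP.WHITE:
        return True
    if level == TLP.GREEN:
        return source["community"] == recipient["community"]
    if level == TLP.AMBER:
        return source["org"] == recipient["org"] or need_to_know_client
    return same_exchange  # TLP.RED


def can_forward(document, source, recipient, **kwargs):
    """Convenience wrapper: read the marking off the document, then decide."""
    return may_share(parse_marking(document), source, recipient, **kwargs)


# Constructed sample, as a sector sharing group might circulate it.
SAMPLE_REPORT = """TLP:AMBER
Subject: phishing domain observed against member banks (constructed sample)
Indicator: login-verify.example (reserved example TLD, not a real indicator)
"""

if __name__ == "__main__":
    bank_a = {"org": "Bank A", "community": "finance-sector"}
    bank_b = {"org": "Bank B", "community": "finance-sector"}
    press = {"org": "Daily Times", "community": "media"}
    print(parse_marking(SAMPLE_REPORT).name)            # AMBER
    print(can_forward(SAMPLE_REPORT, bank_a, bank_a))   # True: same organisation
    print(can_forward(SAMPLE_REPORT, bank_a, bank_b))   # False: peer org, AMBER stops here
    print(can_forward(SAMPLE_REPORT, bank_a, press))    # False
```

Two design points carry over to any in-house scheme modelled on TLP: resolve mixed or ambiguous markings to the stricter level rather than the looser one, and make the "where is this going" question (public channel or not) the first check, since it overrides everything except WHITE.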

Naavi
