Zomato Data Breach... What Next?

Zomato, a leading mobile app owner and restaurant guide, has suffered a major security breach in which 17 million customer records, including names, email addresses and hashed passwords, are reported to have been lost.


The passwords are said to have been hashed using the MD5 algorithm, which is considered weak and has long been discredited, even in India.

Most of Zomato's customers are Indians, particularly from the high-income group of IT workers who use the app regularly.

It is suspected that the lost data may include payment details, including credit card and bank-related data.

This is therefore a very serious situation which, in combination with the ransomware and other malware currently prowling, could create chaos in the Indian financial markets.

We have a real Cyber Financial Terror threat on hand and need to defend the situation in national interest.

There are discussions about what kind of liability does Zomato face under Section 43A of ITA 2000/8 for failing to provide “Reasonable Security” for the “Sensitive personal Data”. This is a legal discussion which can be kept for a post mortem analysis.

But what we now need to decide is an action plan on how to handle the crisis. This is a disaster management situation where the Private Sector, the Public Sector as well as the regulators need to come together and find solutions to first contain the damage and ensure that there is no large scale adverse effect on customers of Zomato.

There will be two kinds of Zomato customers: those who have downloaded the app and used it to search for restaurants, and those who have gone further and ordered food through Zomato and made payments.

According to Zomato, all payment information on Zomato is stored in a highly secure PCI DSS compliant vault and hence no payment information or credit card data has been leaked.

Zomato also claims that the leaked passwords are in hashed form and hence not easily readable, though it is also pointed out that MD5 hashing is not secure enough.
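To show why an unsalted, fast hash such as MD5 gives little protection to a leaked password table, here is an added illustration (not Zomato's code; the usernames and passwords are constructed). It contrasts MD5, where every user with the same password gets the same digest and a single guess unmasks all of them, with a salted, iterated PBKDF2 store as defenders would use instead.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample table: two users happen to share a password.
USERS = {"alice": "password123", "bob": "password123", "carol": "S3cure!pass"}


def md5_store(password: str) -> str:
    """Unsalted MD5 as described in the breach report: fast and deterministic."""
    return hashlib.md5(password.encode()).hexdigest()


def shared_md5_groups(users: dict) -> dict:
    """Group usernames whose MD5 digests are identical.

    With no salt, password reuse is visible directly in the leaked table,
    so one recovered password unmasks every account in the group.
    """
    groups: dict = {}
    for name, pw in users.items():
        groups.setdefault(md5_store(pw), []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; stored as iterations$salt$digest.

    A fresh 16-byte salt per user means equal passwords give different records,
    and the iteration count makes each guess deliberately expensive.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute from the stored salt/iterations and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)


def cost_ratio(password: str = "password123") -> float:
    """How many times more expensive one PBKDF2 guess is than one MD5 guess.

    Rough wall-clock measurement; the exact number varies by machine, but it
    is the factor by which offline guessing against the store slows down.
    """
    n = 1000
    t0 = time.perf_counter()
    for _ in range(n):
        md5_store(password)
    md5_each = (time.perf_counter() - t0) / n
    t0 = time.perf_counter()
    pbkdf2_store(password, salt=b"\x00" * 16)
    pbkdf2_each = time.perf_counter() - t0
    return pbkdf2_each / max(md5_each, 1e-9)


if __name__ == "__main__":
    print("accounts sharing an MD5 digest:", shared_md5_groups(USERS))
    rec = pbkdf2_store("password123")
    print("PBKDF2 record:", rec)
    print("verify correct password:", pbkdf2_verify("password123", rec))
    print("verify wrong password:", pbkdf2_verify("password124", rec))
    print("PBKDF2 guess cost / MD5 guess cost: %.0fx" % cost_ratio())
```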

On the other hand, the Privacy Policy of Zomato says:

“We assume no liability or responsibility for disclosure of your information due to errors in transmission, unauthorized third-party access, or other causes beyond our control.”

It is doubtful that such blanket self declared indemnities are valid in law.

In the US, it is a common regulatory imposition in such cases for the organization to pick up the cost of "Data Identity Theft Insurance" for a certain period such as 2 years. (Such insurance may cost around $30 per person, and in the current instance it would be of the order of $500 million in total.) Such insurance covers consequential losses that may arise to the data subject on account of the current breach.

In India we do not have any precedent of an organization being held liable unless an individual files an Adjudication application under ITA 2000/8.

ITA 2000/8 of course provides an option for the Adjudicator to take Suo Moto action on behalf of unnamed victims and impose a fine on an offender but we can be reasonably certain that no Adjudicator may do so. (In the current case, the jurisdiction may fall on the Adjudicator of Haryana.)

Companies like Zomato are unaware that there are multiple sections under ITA 2000/8 where civil and criminal liabilities are defined for lack of compliance.

While the company claims PCI DSS compliance, there is no indication of whether the Company is “ITA 2008 Compliant”. It is obvious that the company may not even be aware of the need to be ITA 2008 compliant and like many other companies, big and small, consider Indian laws with a “Chalta hai” attitude while looking at international laws with reverence.

Some are suggesting therefore that this is the time to make an example of Zomato and make these companies realize their responsibilities. Naavi has a history of pursuing Banks for their negligence and has been shouting from the rooftops that start-up companies using a mobile app based business model should also be ITA 2000/8 compliant and should not be blinded by being certified under ISO 27001 or PCI DSS.

Unfortunately most IT personnel in these companies do not want to take responsibility for running the business fairly and take the consumers for a ride. Professionals in such companies are often not worried, since at the first such instance they leave the troubled company and join another, leaving the promoters to go behind bars if necessary.

Promoters on the other hand are often dependent on professionals who do not take any liability for their negligence, and the promoters end up paying the price.

If CERT-In and the Police are strict in implementing the provisions of ITA 2000/8, most of these companies will find their business unviable under their current business models.

Without further hurting the already hurt Zomato, its promoters and their IT professionals, let us see how the situation can be salvaged.

Zomato presently uses a Privacy Policy and Terms which indicate their present commitments to security which need to be reviewed. A Copy of the Privacy and Terms of use is available here.

The Privacy Policy is an “Implied Contract” which is a “Standard Form Contract” and an “Unconscionable” contract. It is legally unacceptable and hence cannot be defended. This was my argument against Banks and will hold against these companies also.

We can therefore consider that the company is likely to be required to prove its "Due Diligence" before the appropriate authorities and the Courts if required.

It can however be said that ITA 2000/8 compensates when a loss has accrued and not on a possibility of loss. Hence Zomato may not immediately be liable for any actual loss. There is also a lack of "guilty mind" and hence it can defend against normal criminal charges.

However, regulatory agencies may be able to persuade and it would be a good gesture for Zomato to offer a warranty to its customers in the form of “Cyber Insurance Coverage” against “Any loss that may arise to the customers of Zomato, within the next one year on account of data loss that can be directly attributed to the current breach, subject if necessary to a limit of (say) Rs 25000”. I am sure one of the Cyber Insurers can structure a policy of such nature.

Additionally, Zomato should assure to revise its Privacy Policy and Terms to be in tune with the legal requirements in India and also introduce a grievance redressal mechanism (Which may include the Online Dispute Resolution Facility similar to what is suggested in www.odrglobal.in) .

As a PR exercise it can also provide some discount coupons to soften the impact to all those customers who are willing to forego the Cyber Insurance coverage otherwise offered. (Probably most would opt for this rather than wait for Cyber Insurance).

CERT on the other hand needs to examine the claim of the company that the critical data lost is in encrypted/hashed form and that the risks are containable. Users would do well to change at least the VBV password (or its equivalent) associated with the cards they might have used in their transactions with Zomato.

Credit Card Risk managers need to create an “Adaptive Authentication Filter” by which any card used at Zomato would be flagged for additional authentication.

With such protective measures we may be able to reduce the impact of the crisis until another reckless App company brings in another crisis for the Citizens of India.

Naavi

Posted in Cyber Law | Leave a comment

One more reason why we should impose a global ban on Bitcoins

I argued yesterday that it is time to place a global ban on Bitcoins.

The reasons were clear. We need to disarm the Cyber Financial Terrorists like those who were behind the WannaCry ransomware and could also be planning for other ransomware attacks with Uiwix and Jaff. We cannot allow these terrorists to benefit by bleeding the market. Even if the current perpetrators are small time fraudsters as some think they are, I anticipate that other professional terrorists including rogue countries such as North Korea and Pakistan would be quick to adopt these ransomware as their own weapons to carry on their proxy war against their own enemies.

Now today’s report says that “Another large-scale cyberattack under way”.

According to this report, researchers have discovered a new attack linked to WannaCry called Adylkuzz, which uses the hacking tools recently disclosed by the NSA (and since fixed by Microsoft) in a stealthier manner and for a different purpose.

Instead of completely disabling an infected computer by encrypting data and seeking a ransom payment, Adylkuzz uses the machines it infects to “mine” in a background task a virtual currency, Monero, and transfer the money created to the authors of the virus.

This sort of infection had been reported earlier also by one free software vendor, and this is a replay of similar efforts to use the resources of the target computer to mine "Crypto Coins".

This indicates that all “Unregulated Crypto Currencies” are the likely beneficiaries of such attacks and they need to be addressed as “Tools of Cyber Robbery” though this is more in the nature of a salami attack.

Though Adylkuzz is not directly linked to Bitcoin, it indicates the possibility of "Monero" also developing into a currency of the underworld, and this should be nipped in the bud. Monero is today only in the range of US$ 27.60 as against Bitcoin, which hovers around US$ 1760. It is therefore not as popular as Bitcoin. But soon it can become a Junior Bitcoin, and we need to also consider banning such currencies which feed on cyber financial terrorism.

Naavi


Naavi’s Advisory for Common People on WannaCry

WannaCry has affected not only companies but also individuals who are not actually the target audience for payment of extortion money. Hence this advisory for such people.

Leaving all the technical discussions to the experts, I would like to provide the common man's guide to fighting ransomware like WannaCry. This advisory is meant for circulation in the WhatsApp groups of non-technical persons.

If you are not so far affected by WannaCry, consider yourself lucky. But your luck may not hold for long and hence act immediately with the following steps.

  1. Disconnect from the Internet and do not use the Internet or e-mail until the following exercise is complete.
  2. Buy one external hard disk matching your computer's storage and create a full backup of both your operating system and your data.
  3. Windows provides an easy system backup option. You can use it. Additionally, data can be backed up manually.
  4. Ideally have two backups, one created through Windows and another manually.
  5. Some anti-virus software also provides its own means of creating a recovery disk. Create such a recovery disk through the anti-virus software. Also create another recovery disk through the process recommended by your computer/laptop manufacturer so that you can re-install the operating system from scratch.
  6. Some security software manufacturers may provide options for recovering the computer without re-installing the operating system. But this may be complicated for an ordinary computer user.
  7. Now go back to the computer and the Internet. Update your Windows to the current version (Windows 10) and apply all patches. Download updates to your anti-virus software. I advise you to also use a paid version of Malwarebytes or another dedicated anti-malware software as a second line of defense.

Now you may be ready to face the consequences of a future attack. If there is an attack, do not pay the ransom. Reformat and restore the OS and data from the backup.

In case you are affected before you have taken the backup, it is most unfortunate. If you feel your data is not that critical, forget the incident as a bad dream and start afresh. Even if you are tempted to pay the ransom, beware that buying the ransom amount in bitcoin and paying it to the extortionist is itself a punishable offence, since it is classic "Money laundering". Also, there is no guarantee that the data would be restored even after payment.

If you are a professional, keep a record that your computer was in fact attacked. This is done by having a certified copy of your desktop with the ransomware message. CEAC.IN will provide the details of how this certificate can be obtained. This is required as evidence since some time later the taxman may ask you for data which you are unable to provide, and may charge you for not providing the required data and assess you with a penalty.

After certification, you can keep the hard disk preserved so that, in the event that some good samaritan finds a decryption key for WannaCry in the next few weeks, you may restore your data. In the meantime you may use a new hard disk to continue your activities with the precautions mentioned earlier.

Ensure that you do not spread the infection from your computer to other computers by forwarding infection-ridden e-mails and messages. You should yourself now stop responding to phishing mails and clicking on attachments from unknown sources.

If necessary, open your e-mails first on your mobile before opening them on the computer. Ensure that your mobile also has a good anti-virus program running.

Remember that there would be phishing mails suggesting removal of WannaCry which itself may infect. Be careful even if the e-mail appears to come from “Naavi”. There have been earlier occasions when spoofed e-mails have gone apparently from “Naavi”. I will not take any responsibility for it. It is your responsibility to identify phishing e-mails and act cautiously.

Naavi

(P.S: Experts can suggest corrections if required to the above advisory. You can add your comment so that any person visiting this page would get the benefit of your suggestions.)


Is it time for a worldwide ban on Bitcoin to stop Cyber Financial Terrorism?

One of the counter-terrorism strategies is to choke a terrorist organization of its money supply. This holds good not only for terrorists in Kashmir or elsewhere and for the Naxalites, but also for organized cyber criminals.

If we look at the recent developments on the growth of “Ransomware”, there is no doubt that the collection of ransom through “Bitcoins” has become one of the hurdles for law enforcement. Though some brave people suggest that Bitcoins can also be tracked and they may be right to some extent, it is definitely not easy to locate the owner of the Bitcoin wallets in the anonymized world and zero in on the recipients of the bitcoins.

Just like Bitcoin is used for laundering legacy currency, bitcoin itself is laundered to make it less and less identifiable. Like spoofing an IP address, the recipients of Bitcoins break it up into sub units, jumble up and then distribute it before finally converting it into legacy currency at which point of time there could be a possibility of identification.

At present the FBI thinks that it has the technology to track Bitcoins because it has had a few successes in the past. But in India, I am not sure if we have the forensic capability to track a Bitcoin transaction. The same would be true of many other countries. Hence Bitcoin continues to be the Currency of Convenience for Cyber Criminals.

Now that the WannaCry storm has blown over, it is anticipated that more such ransomware attacks may be coming up in the coming days. The news that WannaCry emanated from North Korea may not be correct as of now.

But it is likely that terrorists in Pakistan as well as the North Korean dictator would definitely get the idea and will soon send out a ransomware in the guise of Jaff Ransomware or Uiwix Ransomware or by any other name, and either use it as a weapon to destabilize the economy or to fund their nefarious activities.

Since India is one of the most affected countries both in terms of Cyber Crimes and Cyber Terrorism, we need to take the lead to run a global campaign to fight this “Cyber Financial Terrorism” called Ransomware.

We should therefore move the world forum such as United Nations to immediately declare Bitcoins as a “Banned Possession” across the globe without exception and stop its circulation.

This will ensure that Bitcoin holders will not be able to make profitable use of their holdings and hence it will cease to be a valuable currency for criminals.

Just as in the case of "Demonetization", a one-time offer can be given to genuine Bitcoin holders to exchange their holding for legacy currency after they provide proof of its acquisition through properly accounted money.

I request Mr Arun Jaitley to take a lead in this direction. This will put an effective curb on the ransomware writers and force them to give up this means of extortion on the community.

I look forward to a response from Mr Arun Jaitley as well as Mr Ravi Shankar Prasad in this regard.

Naavi

ALSO READ

Anonymize Bitcoins

How we got busted…

Bitcoins are easier to track than you think

Using Bitcoins anonymously

Uiwix, yet another ransomware like WannaCry – only more dangerous

Jaff Ransomware Family Emerges In Force


WannaCry and Cyber Insurance

The WannaCry ransomware seems to have targeted the health sector more, probably because most of the systems used in the industry were unpatched or old Windows systems, and also because their employees were not as well informed as those in the IT industry about social engineering and phishing mail threats.

Just as ATMs in the Banking sector run on old Windows XP systems, it is possible that an industry like Health Care, which depends on much equipment with computerised support systems, may be running Windows XP in the background.

We already have evidence that some ATMs in India have been hit by WannaCry, but the damage has not been felt because the closure of ATMs was something people got used to in the last few months and a few more did not matter. ATMs do not contain sensitive data in themselves and hence could be easily reset.

However, when an ATM is found to have been affected, there is a suspicion that the back-end system must also have been affected. Firstly, the infection cannot originate in the ATM except when ATM maintenance is undertaken with a USB drive. Mostly ATMs are updated remotely and hence are nodes of a back-end server. If therefore the local memory of the ATM has been affected, there is every reason to believe that the back-end server has already been compromised. The back-end server ultimately connects to the Core Banking server.

One reason that many Indian organizations seem to have escaped the vortex of the attack is that most of their servers could be running on Linux and not on Windows. This could be why, even when parts of the network were affected, some parts remained safe.

In the Health Care segment, hospitals use a large number of diagnostic machines, some of which are critical equipment supporting surgeries, and any infection of these machines would cause a "Denial of Access" situation in the hospital.

One of the doubts that the health care segment is confronted with in the case of a ransomware attack is whether the attack needs to be reported as a "Data Breach" to the HHS. In the case of a Business Associate, the doubt is whether the attack has to be reported to the upstream data supplier.

In the case of a “Ransomware attack”, it is presumed that the nature of compromise is that “Data remains where it is but gets encrypted”. Hence data does not go out of the system and it is not a conventional data theft case.

However, data may become “Unusable” even by the “Authorized users” and in case there is a request of data from the data subject, the request cannot be met. Hence there is a disruption of activities and breach of contractual obligations without data loss.

Hopefully, data may be recovered after some time and processes may continue. However, equipment needs to be re-calibrated and tested before it is back in normal use.

HHS may not impose heavy penalties but reporting is a necessity.

Hence users of these compromised and rectified equipments need to first create an evidence (In India the evidence should be certified under Section 65B of Indian Evidence Act as explained in www.ceac.in) that they have been adversely affected in this Global storm and hence their systems have been disrupted. They need to simultaneously notify their principals about the disruption because “Denial of Service” is also a “Data Security Breach”.

The attack is a confirmation that the organization is perhaps using systems that are unpatched or unpatchable and which will remain vulnerable unless further action is taken. Hence a post-incident audit report has to be obtained in which the cause of the breach is determined and necessary preventive measures are taken. In certain cases where the equipment is controlled by embedded systems which are not meddled with by the hospital administration, the equipment manufacturers need to be notified and rectification demanded on an urgent basis. Some of this equipment may be "imported" and quick servicing may not be easy.

I pity the IT administrators of such systems because there may be no easy solution to their problem. While the CISOs may say "keep the equipment quarantined until it is disinfected and vaccinated", the business requirements may force reinduction of the equipment before a thorough check is done and systems are upgraded.

If so, they need to be alert to the possibility that a second wave of attack from a mutated virus may hit them again. To avoid any adverse impact on patients, hospitals which are dependent on such compromised IT systems need to reduce their dependence on IT and manually double-check the results produced by IT systems.

For those who have taken Cyber Insurance policies, it is time to check the clauses. In this incident there is no data loss, but there could be expenses involved in the recovery of systems and data. The ransom payment, if any, is an illegal expense and I am not sure if Cyber Insurance companies should cover this. But I am told that some Cyber Insurance companies may cover this expenditure also, and if so, it is fine. We know that when multiple systems are affected, the decryption key has to be bought for each such machine, and hence the actual ransom for an organization may not be $300 but several times more, going beyond the "Minimum Loss Clause" in the insurance contract.

If however an insurance company takes the stand that the attack was facilitated by the negligence of the user in not patching its systems, or by an employee's negligence in clicking on a phishing mail attachment etc., it will have some justification to reject the claims. This needs to be settled on the basis of the relationship between the Insurer and the Insured, on whether the negligence amounted to being "Grossly Negligent" or "Below Average Negligent". This may depend on the policies and procedures adopted and documented and the manpower training undertaken in the past. If the organization has not previously undertaken effective measures to meet such contingencies, it would amount to "Negligence of the Organization" and not "Negligence of an Employee", and hence the Cyber Insurance claim may be rejected.

It is time for every organization to review its past actions on Cyber Security so that in future, when such attacks recur, it is better equipped.

In the meantime, we may keep our fingers crossed and wait for the after-effects of the WannaCry storm to pass over.

Naavi

Also refer:

WannaCry: After worldwide ransomware hack, governments and cyber experts brace for more attacks

Insurance companies may face the brunt of botched tech after WannaCry

Cyber insurance market expected to grow after WannaCry attack

After WannaCry, ex-NSA director defends agencies holding exploits

India third worst hit nation by ransomware Wannacry; over 40,000 computers affected 


WannaCry: Is it a US Cyber War Preparation that went awry?



Today, the 15th May 2017, Indian corporates, including Banks, will be switching on their computers with a prayer on their lips, hoping that they will not see the dreaded "Your files are encrypted" screen.

It is still not clear what the extent of damage caused by the ransomware will be. The first version was killed. But it is reported that a modified version which does not have the kill switch is now in circulation. It could spread like a worm across networked computers, self-replicate and execute the encryption code remotely. Most major anti-virus manufacturers claim to have included a ransomware protection tool either as part of their end-point security software or separately.

The first task for all IT users, particularly those using Windows systems, is to check that they have installed the patches provided for Windows and for the anti-virus software they are using. They should not connect their computers to the Internet before this task is accomplished. In this process, it is expected that most ATMs in the country will remain shut off today and create a mini cash crisis for Indian citizens who are running around. Consequently there will be a larger than normal crowd in the Banks as well, where the servers may also run slow. We therefore may find some confusion in the financial market.

Unconfirmed reports suggest that many Banks, including Syndicate Bank, Union Bank, SBI and Karnataka Bank, have been affected by the ransomware. Even HCL is reported to have been affected. I hope this report is not true, as otherwise there would be chaos in the Banking industry today which will extend to the stock markets by the afternoon.

CERT-IN has announced a webcast to make companies aware of the issue which those interested may attend. The webcast may be available at webcast.gov.in. It may be difficult to access in view of the network related issues but it is worth trying.

CCN-CERT of China has issued a prevention tool which may be available here which security professionals can check.

Amidst all the confusion it is necessary to note that one of the reports indicates that India is one of the countries with the highest number of infections.

Initially the breakout was observed in the UK and Europe, where there are a large number of infections, particularly in the health care sector. The Indian impact may be yet to unfold. If the above report is true, then nearly 10% of the infections are in India and we will come to know about the impact some time during this week.

We are concerned that the GST systems and UIDAI systems may also need to watch out.

The UIDAI system may not get affected since its design may prevent infection if normal precautions are in place. But the fact that the Iranian nuclear systems, which were "air gapped" and operating hundreds of feet below ground under utmost military security, could be affected by Stuxnet means that no system is really safe as long as there are employees who are ignorant and negligent.

We may recall that the Stuxnet which was perhaps developed by US/Israel to attack Iranian Nuclear program also infected (Reportedly) the Rare Earth Minerals near Mysore, in Karnataka, India. Similarly WannaCry may also ultimately reach the GST systems and UIDAI. GST is yet to start but some testing is on. It is good if they take special steps to secure this nationally critical information system.

What is tragic to note is that "Shadow Brokers", the group which released the weaponized cyber exploitation tools developed by the NSA, a couple of which have been used in the creation of WannaCry, has released further exploits from the hacked NSA stable in the last few days, which may result in newer attacks.

Thus the source of all the chaos that is occurring in the Cyber world today is the NSA. The speed with which the ransomware spread in Europe, and the fact that the US itself has not been affected as much as other countries, indicate that most probably the infections had taken place earlier than when Shadow Brokers leaked the information, and the exploitation occurred now. It is possible that the US had already infected systems in Europe and other countries as a part of its "Cyber Military Exercise", and when the exploits were used by the criminals, the victims had no defense. It is like a military exercise for which a stockpile of weapons was kept ready, and terrorists took over the stockpile and used it for their own gains. It is a replay of a typical movie plot. Unfortunately we do not have a James Bond to enter in time to destroy the terror infrastructure before the real damage is done.

The Government of India and other affected countries need to take up the issue with the UN and question the US intentions. Is this in any way linked to discrediting Mr Trump? Is it linked to the change in the FBI Director in the US? These and other questions bug our mind.

If the US wants to stockpile Cyber weapons, it is its duty to secure them and not let hackers break into the stockpile and endanger other countries. The US should therefore take up a part of the liability for this Cyber attack, and I request India to raise this issue in the appropriate forum.

For the time being we keep our fingers crossed and wait to see how the impact of the ransomware unfolds in India.

Naavi


Related Articles

MeitY reaches out to RBI, others against Wanna Cry ransomware

Cyber experts working round the clock to protect India from the ‘biggest ransomware’ attack

Revealed: The mysterious case of ‘Shadow Brokers’ and NHS hacking

Seriously, Beware the Shadow Brokers

U.S. Government Fears a Monday Explosion of the Ransomware Plague It Helped Create

Wannasmile… a quick tool

China and Japan wake up to the Attack…

How To Remove…Symantec


Update at 8.52 AM

The new infection map for the last 24 hours, given below, indicates that a large number of Indian computers are infected. Even the US is now getting affected, probably because we are dealing with a worm that travels across the network and today US systems are also connected worldwide.

