The Day After the WannaCry ransomware attack

The WannaCry ransomware attack across 100+ countries attracted huge media attention yesterday. It continues to be the main story in the print media today. Developments on the ransomware have been fast and furious, with security experts all over the world joining hands to find a remedy for WannaCry.

A few hours into yesterday, CERT-In joined in by sending out its advisory, but the advisory was a little too late to be of any practical help. By that time most of the antivirus and anti-malware companies had put out their advisories, and these had been circulated by most security professionals and in discussions over social media, including Naavi.org. Nevertheless, this was one of the few occasions when CERT-In did respond with an advisory within a short time, and hopefully the trend will continue and improve in future.

One of the reasons stated for the delay is that CERT-In has to wait for secondary confirmations before an advisory is sent. But there is no use in locking the stable after the horses have bolted. Keeping in mind the nature of an organization like CERT-In, I suggest that CERT-In should develop an “Incident Alert” which could go out as an “Intelligence Advisory” even when a security threat is not fully confirmed to the satisfaction of a Government agency like CERT-In, and then follow it up with a full-scale advisory. This will meet the needs of the market and preserve the conservative outlook on advisories that the agency has to maintain.

For the sake of records, we have given below some links which provide an excellent analysis of the Version 1 of the WannaCry ransomware.

This was “Accidentally” halted yesterday through an activation of the “Kill Switch” when a security professional analysing the malware code found that the encryption is activated only if the malware cannot connect to a particular website named in the code. The URL named was http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/

Out of curiosity he checked the domain and found that it remained unregistered. He registered the same and it acted as a “Kill Switch” for the malware.

The person has admitted that when he registered the domain he was not aware that it would act like a kill switch but since the domain looked strange, he tested if it was available and went on to register it.

The kill switch doesn’t help devices WannaCry has already infected. But by registering the domain, and then directing the traffic to it into a server environment meant to capture and hold malicious traffic (“sinkhole”) some time has been bought for systems.

Additionally, some security specialists advised disabling SMB 1 in Windows Features, where it comes enabled by default. In fact, as far back as a year ago, a security specialist categorically stated (Refer here) that this “Server Message Block” (SMB) protocol had outlived its utility and has no place in the modern world of malicious hackers. It can be easily disabled by going into “Turn Windows features on or off” and unchecking the feature.

I am not sure if CERT-In had observed this opinion and converted it into an “Advisory”. It is this sort of advisory that would be useful to the people.

In the meantime, the ego of the hackers who introduced WannaCry version 1 with a kill switch, which was deciphered quickly, has been hurt, and we already have notice that a new version of the malware has been released without the kill switch.

In view of this, the need to implement the security measures, including applying the patch provided by Microsoft and disabling SMB1.0, becomes critical. Additionally, the advice to avoid clicking on phishing mails and attachments also needs to be reiterated.

Some of the protective measures that people may try are as follows:

(Kindly beware that there would be phishing and fake sites offering such solutions which may themselves infect your company. Check if you are on a genuine site before proceeding further.)

  1. CERT Advisory from Cyber Swachhta Kendra
  2. Kaspersky System Watcher: (Works on Endpoint Security)
  3. Guide at PCRISK.com
  4. Malwarebytes
  5. Bitdefender solution
  6. Sophos solution
  7. Trend Micro solution

The best solution for “Ransomware” however remains keeping an off-network data backup and complete segregation of critical systems from e-mail and internet threats. Ensure that the backup is accessed and operated in a secure environment so that the backups are not infected during the process of updating or retrieval.

Naavi

Related Articles

Technical Analysis

Marcus Hutchins, the hero who saved many from WannaCry

Posted in Cyber Law

Even Arnab Goswami and Republic are not asking this question

[P.S: Though the Karnan episode is not a Cyber Law related issue, in the interest of fighting for the supremacy of the Supreme Court, it has become necessary to express our opinion in the matter since there is a lobby out there to support his actions which we consider as not conducive to national interests. Please ignore these discussions if you belong to Karnan camp. Let us honourably agree to disagree…. Naavi]

According to the statement attributed to the “Legal Aide” of Justice Karnan, Mr Karnan may be in Nepal or Bangladesh. This was a report put out by Hindustan Times on 11th May 2017. But on the same day another lawyer was able to meet him in Chennai and Mr Karnan was able to give an “Affidavit” sworn before a “Notary” to file a review petition in Supreme Court to withdraw the earlier arrest order issued. How?..Who is lying?.. is a question in my mind and probably in the minds of many.

Now we are aware that the review petition has not been accepted on an urgent basis by the Supreme Court and may have to wait until the end of the Court vacation to be taken up for consideration.

It is not clear on what grounds the Supreme Court would agree to hear the petition on behalf of a fugitive who refuses to surrender before the Court and plead his case. In the past, Courts have told such fugitives applying for anticipatory bail to first surrender and then only the Court will admit the petition. A similar approach needs to be applied to Mr Karnan Case unless he is considered as “Not a Common Man but a VIP” for whatever reason.

If the Court departs from this procedure, it will provide an excuse for other convicts and accused to keep themselves underground unless the Court relents and accepts their demand. This will create a bad precedent that the Court should avoid.

The question which media including Mr Arnab Goswami and others are not asking but the “Nation wants to Know” are

  1. How is it that the lawyer and the notary could meet Mr Karnan on the same day in Chennai when another legal aide (Ramesh Kumar, an advocate of Chennai) says he is in Nepal or Bangladesh?
    1. Is it a false statement made to mislead the media and the Supreme Court?
    2. Is he being sheltered in some secret location by some people or organizations who also do not recognize the authority of the Indian Supreme Court?
  2. What does the legal aide mean when he says that he wants the President of India to take up Karnan’s case in the International Court of Justice with a plea like in the case of Kulbhushan Jadhav?…..
    1. Does Mr Ramesh Kumar mean that Mr Karnan is not getting justice from the Indian Supreme Court just as Kulbhushan did not get justice from the Pakistan Military Court, and wants the International Court of Justice to intervene?
    2. Is Mr Ramesh Kumar equating the Indian Supreme Court with a 7-member bench to the Pakistani Military Court, which is completely opaque about its procedures?
    3. Is Mr Ramesh Kumar aware of the damage he is causing to the Indian democratic system by such irresponsible statements?
  3. Why is it that the Police in Kolkata allowed Mr Karnan to travel to Chennai?
    1. Were they too embarrassed to arrest the former judge?
    2. Did they also not want to cooperate with the Supreme Court?
  4. Why are the Police in Chennai unable to locate him?
    1. Are our police so incompetent?
    2. Are they also trying to prove that if the Police do not cooperate, the Supreme Court is powerless?

It appears that we are seeing a power game going on in which different actors are showing off their mutual powers and taking sides. It is unfortunate that the casualty in this process is the reputation of India as a democratic country and the Indian Judiciary as an effective pillar of our democracy.

It is interesting to note that the Police are normally very efficient in tracking down fugitive criminals in the most challenging circumstances. Hence tracking Mr Karnan is child’s play for the Police. If therefore the Police are saying that they have not been able to locate him, it is only an indication that they are playing their part in the drama directed by Mr Karnan.

The point of suspicion naturally falls on the TN Government since Police only follow the diktats of their political bosses and as a rule, the efficiency of the Police in any State is directly proportional to the wishes of the Home/Chief Minister.

I am aware that TN Police are very efficient and by this time they would definitely know the whereabouts of Mr Karnan. They may be waiting for directions from their Political bosses to take their next step.

We also know that Mr Karnan was once an AIADMK member and also a Poll Agent for AIADMK. It is now difficult to know whether his leanings are to the EPS camp or the OPS camp. But he would definitely have his political connections in Tamil Nadu, which will go up to Mr EPS.

In this context it is interesting to note that there is a rumour floating around that the current EPS faction of AIADMK is trying to align itself with BJP. This may appear to be good for BJP for the Presidential elections but will in the long run be morally unsustainable.

The fact that Mr Karnan has contacted Mr Modi with his complaint against the corruption of 20 judges indicates that he hopes to get his support. In the normal course he could have contacted either the CJI or the Speaker of the Lok Sabha requesting impeachment proceedings against the accused judges. He could also have lodged a formal complaint with the CBI, like Mr Kapil Mishra did against Arvind Kejriwal.

Mr Karnan did not do any sensible things which a prudent whistleblower does but his supporters still consider him as a whistleblower against corruption. He has not given any evidence and just shot out a letter which is now in public domain raising complaints against a group of 20 judges.

I however doubt very much that the PM will fall prey to the bait. Now the legal aide is trying to draw the President into the picture. Knowing the maturity of Mr Pranab Kumar Mukherjee, he is too seasoned to accept the bait himself.

Hence neither the PM nor the President is likely to come to Mr Karnan’s help and now that the Supreme Court has rejected an urgent hearing of the review petition, Police are left to decide how long they will wait to arrest Mr Karnan before the public starts questioning their integrity. It is possible that they may simply sit tight until they are forced to act.

It is therefore left to the media to take up the cudgels and expose the hypocrisy of the players.

When a complaint of corruption like what Karnan has made is against a single Judge, it becomes a case of defamation. But when it is made collectively on 20 judges followed by bizarre orders of arrest etc against 7 other Supreme Court judges including the CJI, it is no longer a defamation of the individual judges but a collective defamation and destabilization of the Indian judiciary.

Hence the Supreme Court was left with no option but to immediately immobilize him with an arrest order though the Police are not cooperating in execution of this order. Even if the Supreme Court had suo-moto considered the collective action as a conspiracy to destabilize Indian democracy, there would have been justification. The Court has been lenient because Mr Karnan has been part of the judicial family and is not an Aam Admi.

At this point, I would like to state that if Mr Karnan’s allegations of corruption are true, there should be measures to address it. Naavi.org supports transparency in Judge’s selection as well as video streaming of Court proceedings to public or a section of the public acting as a “Watch dog” for which norms can be devised. But Naavi.org does not support the undermining of the Supreme Court’s authority the way Mr Karnan and his supporters are doing.

But first things first. We need to preserve the reputation of the Judiciary before we expect the same judiciary to take action against the accused.

To be honest, I think Mr Karnan’s attempt is an act that destabilizes the Country’s democracy. Today there is a news that Karnan’s supporters in India are mobilizing support of international associations of Ambedkarites as if this is a “Dalit Vs Non Dalit issue” as Mr Karnan wants to make it out to be.

It is for the same reason that I strongly oppose his move as similar to what Mr V.P.Singh did in the past with the Mandal politics. Now Karnan may cause a national and international divide of Indian citizens on the caste lines and destroy the fabric of harmony of India. We also take note that Mr Karnan has not stopped at his Dalit Card and in the past invoked Hindu Vs Muslim and Christians to further his cause. He can therefore be expected to use all divisive strategies so that his post retirement political career is built up. In the end India is going to be made “Tukde”.. “Tukde”…

I want all right-thinking persons to join me in protesting against Mr Karnan and his friends who are trying to project him as a hero. Do not let the cancer of caste divide spread. Soon Modi baiters like Arvind Kejriwal and Rahul Gandhi, along with communist leaders like Raja and TMC leaders like Mamata Banerjee, will join the bandwagon of supporters of Mr Karnan, and just like the EVM, he will be a rallying point for the opposition to grind their axes.

If by any chance, Tamil Nadu BJP gets involved and Mr Modi is even remotely identified as sympathizing with the cause of Mr Karnan, this will become an explosive political issue. I request Mr Modi to take care that he remains as far away from the controversy as possible and also request Mr Amit Shah to ensure that BJP also keeps itself far away from the controversy. This is a lose-lose situation and both sides who involve in the controversy will be losers in the end.

It is possible that Naavi.org will also face the wrath of at least the trolls on the internet and social media, but when even Arnab Goswami remains tight-lipped there is a need for somebody to step in, unmindful of the risks and embarrassment.

We believe that what the nation deserves to gain is much more than what we may lose in the process of expressing our opposition to Mr Karnan’s antics.

The silent majority which allows the vocal minority to create a wrong public perception needs to wake up and support this cause. We welcome your support with comments.

Naavi


Also Read:

Justice Karnan maybe in Nepal or Bangladesh, we want President to appeal to ICJ: Legal aide


The WannaCry Ransomware attack: CISOs’ Action Required: Notify Management of the Risks.

A ransomware attack which crippled many hospitals in the UK is now creating waves of alarm by spreading into other countries. According to one researcher, more than 45000 attacks in 74 countries have already been flagged as having been caused by a ransomware by the name of WannaCry or WCry.

The ransom demand is reported to have begun at around $300, to be paid in the form of Bitcoins. In a related development, the Bitcoin exchange rate spiked to US $1850 on May 12 and is presently hovering around US$ 1650. The ransom demand says that the ransom will double if not paid within 3 days and that the encrypted files will become unrecoverable after a week.

Though no report of largescale infection has yet been reported from India, the infection map indicates that India has also been affected. The map shows infected computers that attempted to communicate with the server between 11 a.m. and 6 p.m. Eastern time on Friday according to NY Times.

It is stated by experts that the ransomware exploits a vulnerability which was identified and used by the National Security Agency (NSA) of the USA to infect users’ computers as a part of its intelligence activities. Recently, in April, a bunch of such Cyber Tools used by the NSA were leaked by the underworld, and these have now been exploited.

It appears that the exploit has hurt companies which have not applied one of the latest Windows patches. Also, some antivirus companies are claiming that they already have the exploit covered in their product, and hence the lack of adequate security measures by the users may be one of the main reasons why the attack has succeeded in the current proportions.

According to Kaspersky, “It’s important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the “EternalBlue” exploit and infected by the WannaCry ransomware, the lack of existence of this vulnerability doesn’t really prevent the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak.”

Naavi.org had warned IT users that ransomware attacks are nothing but “Cyber Terrorism” and that we need to guard against such attacks through various means, including keeping an “Off Network Back Up”. Kaspersky advocates use of its “System Watcher Component”, and other prominent malware detection software vendors have also suggested some added security features to be subscribed to.

It is essential for all IT users to explore the feasibility of protecting their computers and the data through appropriate measures suitable to them.

Issues Raised By this Incident

The incident raises at least two main ethical issues that society needs to address. First, if the NSA was aware of this vulnerability for some time, should it not have disclosed it and helped safeguard society rather than keeping it to itself as a tool to watch terrorists? It is like a security agency having intelligence of a bomb attack but keeping the information to itself until citizens suffer from the execution of the attack, while the agency was only trying to gather more information from its informers.

The attacks have now affected hospitals and must have caused even the death of individual citizens. They have caused economic loss which is not limited to the US$ 300 per infection (estimated total equal to US $ 30 million, or Rs 210 crores) and the follow-up costs.

Should this have been prevented by the NSA by getting the vulnerability patched? Did they do it selectively for critical sectors? Did they share the information with the security agencies of other countries? These are questions which will never be answered. The NSA may however defend its position that, in the larger interest of the need to watch terrorist actions such as what happens in Syria or Pakistan, it is necessary to hold Cyber tools as secret weapons to be used by the State only. Unfortunately, the tools were not secured and were therefore used by exploiters. This is a typical scenario, like terrorists of ISIS getting hold of Pakistani nuclear weapons and causing damage to others.

The second ethical issue is whether the Victims should pay the ransom? ..and use Bitcoins?… thereby emboldening the attackers further and legitimizing the Bitcoin as a currency?

It is difficult to preach to the victim, who may have only the short-term selfish interest of recovering his data at $300 rather than spending more subsequently.

But we understand that some Cyber Insurance companies are paying claims for such ransom payments, which in our opinion is both unethical and illegal. A Cyber Insurance claim, even if higher than $300, should be paid for recovery of the data without paying the ransom, and not for paying the ransom.

I urge all Cyber Insurance companies to pay the higher data recovery cost rather than encourage payment of the ransom, in the long-term interest of society. Of course, they should encourage their insurance customers to adopt better security preparedness by not only using the available prevention tools but also an effective disaster recovery mechanism and timely application of patches.

Also after April 14, 2017 when the hackers are reported to have published a suite of NSA exploits, it is interesting to know if any Cyber Insurance company advised their customers about the possible risks ahead. This alert generation is normally the role of a CERT. But I expect Cyber Insurance Companies to be CERTs for their own interest.

I also would like to know what action CERT IN took after April 14 when NSA exploits were available and now after May 12 when the UK attacks became public.

Other regulatory agencies like RBI should also start sending their own advisories to their subordinate stakeholders.

Action To Be Taken

In the meantime, it is the duty of all IT users, big and small, and more importantly the critical sectors like Hospitals, Banks and Government, to review their security measures today.

I expect all listed Companies who are stakeholders to report to SEBI if they are holding an emergency Board Meeting today to assess their security positions. If not, SEBI should itself advise the companies to disclose their vulnerabilities and the action taken in the context of the knowledge of this Cyber attack now available.

The compliance requirements under different laws require that when “Knowledge of a Risk becomes known, appropriate remedial action needs to be initiated”. So all CISOs need to wake up and work overtime this weekend and ensure that the threat perceptions are updated for their management to take immediate action. Even if the Managements do not ask, CISOs should shoot out an e-mail to the Board members to hear out an assessment presentation and take remedial action.

If necessary, simply forward the copy of this article to your CEO since bringing the risk to their knowledge is part of the “Due Diligence” of the CISO.

Naavi


Related Articles:

In Naavi.org: Start a War on Ransomware. It is Cyber Terrorism

Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool

Alarm grows over global ransomware attacks

WannaCry ransomware used in widespread attacks all over the world

NHS left reeling by cyber-attack: ‘We are literally unable to do any x-rays’


UPDATE: 13th May 2017: 12.45

In an interesting development, one security researcher has found and executed a kill switch that seems to have stopped spread of the WannaCry ransomware. He found the hard coded code indicating that the ransomware would stop if a random domain name named therein becomes live. It is presumed that the code writer wanted to hold the power to stop the ransomware and had introduced this kill switch. This was identified by the security researcher who checked up the domain name and found that it was available for registration. He registered the domain name and the ransomware died.

See the report here: ‘Accidental hero’ finds kill switch to stop spread of ransomware cyber-attack

Wish all cases of malware were solved so quickly. We must however congratulate the person responsible for killing the ransomware….may his tribe increase!


Update: 13th May 2017 : 1452

In a tweet the person who identified the kill switch says that he was not aware that the registration of the domain would act like a kill switch. It was therefore an accidental discovery.

This is interesting to note because if the domain name was indicated in the hard-coded code and it was found to have been registered in the name of the security expert, he could have been connected with the writing of the ransomware code. He had unknowingly created incriminating evidence against himself. It was fortunate that it turned out to be a blessing in disguise.
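The kill-switch behaviour described here and in the later “Day After” post has a defensive use: a host that resolves the hard-coded domain has executed WannaCry code, whether the lookup failed (before the domain was registered, so encryption and spreading went ahead) or succeeded (after the sinkhole was in place, so the sample exited). The following is an added example, not code from Naavi.org, that triages a constructed DNS resolver log in a simple space-separated form; the log format and IP addresses are assumptions.

```python
"""Triage DNS query logs for lookups of the WannaCry kill-switch domain.

Any host that queried the domain ran WannaCry code and needs patching and
clean-up; a failed lookup additionally means the sample went on to encrypt.
"""
import re
from dataclasses import dataclass

# Kill-switch domain named in the post (hard-coded in the malware).
KILLSWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample log: "<time> <client_ip> <query_name> <rcode>".
# A real resolver log (BIND, Windows DNS, ...) needs its own parser.
SAMPLE_DNS_LOG = """\
2017-05-12T11:02:13Z 10.1.4.22 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T11:02:14Z 10.1.4.22 update.microsoft.com NOERROR
2017-05-12T11:07:41Z 10.1.9.8 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T15:30:02Z 10.1.4.22 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
2017-05-12T15:31:10Z 10.1.7.3 mail.example.org NOERROR
2017-05-13T08:12:55Z 10.1.7.3 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class HostFinding:
    client: str
    first_seen: str
    queries: int = 0
    # Failed lookups: the domain did not resolve, so the malware could not
    # connect and proceeded to encrypt and spread.
    unresolved: int = 0
    # Successful lookups: the sample reached the sinkhole and exited, but
    # the host still executed the malware and must be investigated.
    resolved: int = 0

    @property
    def likely_encrypted(self) -> bool:
        return self.unresolved > 0


def parse_line(line):
    """Return (timestamp, client, qname, rcode) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    # Normalise case and a trailing dot so FQDN forms match the constant.
    return ts, client, qname.lower().rstrip("."), rcode


def triage(log_text, domain=KILLSWITCH_DOMAIN):
    """Map client IP -> HostFinding for every client that queried the domain."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, rcode = rec
        if qname != domain:
            continue
        f = findings.setdefault(client, HostFinding(client=client, first_seen=ts))
        f.queries += 1
        if rcode == "NOERROR":
            f.resolved += 1
        else:
            f.unresolved += 1
    return findings


def report(findings):
    """Human-readable summary, oldest first, for the incident ticket."""
    lines = []
    for f in sorted(findings.values(), key=lambda x: x.first_seen):
        status = ("encryption/spread likely" if f.likely_encrypted
                  else "halted by sinkhole, still infected")
        lines.append(f"{f.client}: {f.queries} lookup(s), first {f.first_seen}, {status}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_DNS_LOG)):
        print(line)
```

As the post notes, a variant released without the kill switch never performs this lookup, so the absence of a hit does not clear a host.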

CERT IN now issues an alert

It appears that CERT-In has now issued an advisory which is a replica of what Kaspersky and others have given. Hopefully next time CERT-In will be quicker. RBI and SEBI also need to issue an advisory of their own or link to CERT-In.



Bring Your own Virus infected Computer and say all computers can be tampered!

The claim of Saurabh Chaudhary that EVMs can be tampered and the demo he ran in the Delhi Assembly is a fraud on the Indian public.

Mr Chaudhary brought his own EVM lookalike which had self-introduced code that made it function in a particular way. He used this to demonstrate that EVMs can be tampered with.

If this logic can be applied to any demo, I can bring a mobile or computer with a pre-inserted virus and say that all computers behave in a particular manner. If this argument has to be extended, then we need to also state how the malicious code can be introduced in computers or EVMs that are not under our control.

We had a similar situation some time back when a technology expert demonstrated that a Bank’s Internet Banking system could be tampered with by a user-side virus which carries out a “Man in the Browser” attack. It came with the disclosure that this is true only if that virus is present in the computer. Since we know that there are many ways in which a computer of the public can be infected, the demo was legitimate and urged the Banks to introduce counter safety measures.

In the EVM issue, the devices are always with the Election Commission and its officers. Changing the motherboards in, say, 10000 EVMs requires 10000 fraudulent motherboards to be prepared and installed in the EVMs. It requires compromise of the human beings more than of the machines themselves. Unless all the EC members are cheats, the allegation is an empty allegation and not a realistic process.

If Mr Chaudhary had shown that an EVM is susceptible to a WiFi signal or some other remote signal system which could alter the embedded code or otherwise tamper with the results, then there would have been some credibility.

The detractors of EVMs are quoting Mr Subramanya Swamy and GVN Rao, who are BJP sympathizers. They may as well quote me also, since all of us have made statements about the tamperability of EVMs in different contexts. But the EC has taken some counter steps, including the VVPAT, to address the vulnerabilities pointed out.

Now EC has also given an opportunity to the EVM detractors to prove that the machine can be tampered with in a hackathon invitation. But it is necessary for the detractors to prove that EVM is hackable while it is in the custody of the EC and not when it is taken over unless they also prove that a large number of EVMs can be taken over and manipulated.

It is of course possible, as in the days of booth capturing, that EVM booths can be captured and machines tampered with. But today CCTVs do watch over such intrusions and representatives of all parties are present in the polling booth. Hence, unless it is a security-compromised area such as parts of Kashmir or Naxal-infested areas, capturing the EVM booths and changing the motherboards is not possible elsewhere.

Comparisons with some foreign systems are also not valid since the systems used are different from the stand alone machines used in India.

Political parties are raising this issue only to defame the Election Commission which has been hailed world over. They should stop this short term publicity stunts in the interest of the country’s reputation as a large democracy.

As an Information Security observer, I would like to add that the EC need not be complacent and should always be alert to the possibility that new technologies can be used to tamper any electronic device. If so, it should happen at the manufacturing level and hence proper controls there are required. EC may continue to review the security measures and take necessary measures.

I would not like to discuss any other speculative vulnerabilities in public, but I express the confidence that the EC should have access to proper security advice with which it can take all measures that are required to keep the possibility of frauds or errors within a range of probability within which the risk can be absorbed.

EC should not agree to some suggestions made by AAP that the voter should be asked to testify if the VVPAT coupon now shows what he himself voted. AAP is capable of bribing some voters to say that the VVPAT coupon is showing some thing different from what he swears.

Similarly, EC should not succumb to the pressure and re-introduce paper ballots just to satisfy the critics. It is even more vulnerable to tampering.

I hope that after today’s meeting of all Political parties with the EC, the controversy is laid to rest.

Naavi


Karnan is as much a fugitive as Vijay Mallya

The drama played by Justice Karnan, having been convicted to 6 months’ imprisonment and suspension of judicial powers, indicates that he is now standing in the shoes of a convict evading arrest.

The rumors floated by one of his lawyers that he may be in Nepal or Bangladesh etc while he is available to his lawyers to sign an affidavit in front of a Notary makes him a self declared fugitive from law.

There is a rumour that he may move the International Court of Justice to claim that injustice has been done to him like in the case of Mr Jadhav by Pakistan Military Court.

I do not see much difference in his conduct from that of Mr Vijay Mallya, who is holed up in London. In fact, Mr Vijay Mallya appears in comparison to be a better gentleman than Mr Karnan, because Mr Mallya is only fighting his financial charges and not denigrating the country and its democratic institutions, which Karnan is trying to do.

What surprises me however is that many in the law community are standing in support of Mr Karnan for their own reasons. Most of these lawyers have a grudge against Judges in general and the Judges in the Supreme Court in particular, and find Mr Karnan a hero who has stood up to the mighty.

Their present wrath on the Supreme Court judges may be genuine because they feel that the Collegium system of appointment is not transparent, there is nepotism, there is corruption etc. Since Mr Karnan’s problems originated because of his complaints about his brother judges that they are corrupt, some of the lawyers think he is a crusader like Mr Arvind Kejriwal and deserves to be supported.

However, the statement that the Indian Judiciary is corrupt is a generic statement similar to what we say about all politicians or all bureaucrats being corrupt. Such statements may be fine for a discussion at a party but are not to be highlighted in the national and international media to further personal interests.

Besides some bad elements who may be present or perhaps are definitely present, Indian Judiciary still has some committed and principled Judges and it is uncharitable to carry individual grudges against some in the Judiciary to the entire community and dishearten even those who are honest and dedicated.

If the system of appointment of Judges is incorrect and not transparent, we have every right to fight for it. My lawyer friends should continue to fight for this cause.

But the same lawyers failed to support Modi’s Government when there was the difference between the Government and the then CJI because they had their own prejudices against Mr Modi which were more important to them than Judicial reform.

Today their prejudice for Karnan is making them take up cudgels for a person who is bent upon destroying the credibility of the Indian Judicial system.

This appears to me a hypocritical attitude.

Karnan is not fighting against the restoration of NJAC or some thing similar. He is only fighting what he calls as harassment of a “Dalit Judge”. He has in the past also raised the religion card Hindus Vs Muslims and Christians etc. He basically represents a corrupt mind that is dysfunctional to the society and will be detrimental to the society in the long run. If left unchecked he will divide the Judicial society on religion and caste basis and has to be checked before further damage can be done.

Mr Karnan has shown scant regard for the higher Court by passing his own Kangaroo Court order sentencing seven Supreme Court judges to five years’ imprisonment without a trial, while his lawyers cry injustice that he was himself sentenced by the Supreme Court without trial.

Besides, he is absconding like a common criminal instead of surrendering before the Court.

We therefore have no reason to extend our support to Mr Karnan. He needs to be condemned as a person who is trying to denigrate the whole system of Judiciary in India and making our country a laughing stock in the eyes of the world.

The lawyers who have now filed a review petition before the Supreme Court for recall of the order have raised several legal issues, including that the Constitution does not provide for the dismissal of a High Court judge except through the impeachment process, and that the Supreme Court has no powers over High Court Judges except to decide appeals against their decisions.

Their argument may indicate a lacuna in our Constitution that needs to be corrected. According to his detractors, who include the Supreme Court judges themselves, Mr Karnan’s orders appear to be the decisions of a person who has lost his mental balance, and hence they do not qualify even as “Recognized Legal Contracts”, let alone “Judicial Decisions”. Hence to defend them on “Constitutional Rights” is unjustified.

I do not see that it was the intention of the Constitution that a mentally unsound person should continue to occupy a Judicial position and exercise the constitutional privileges meant for the Chair.

If this indiscipline shown by Mr Karnan is not curbed, tomorrow we will have judicial chaos in the Country, with different High Court judges passing orders against brother judges and Supreme Court judges, including orders to arrest them. It is better not to discuss the ugly consequences of such a possibility.

Mr Karnan, and now his lawyers, are giving a handle to Indian anti-nationals to cock a snook at Indian Democracy.

If we dispassionately look at the developments in Mr Karnan vs the Supreme Court, it appears that Mr Karnan is fit to be declared either

a) a person of unsound mind, whose actions are therefore all to be ignored, or

b) an anti-national who wants India’s democratic reputation to be brought down in the eyes of the world.

If the first presumption is taken, the review petition has to be dismissed forthwith.

If the second presumption is taken, the trial should be upgraded to a trial under the other sections of the IPC applicable to anti-nationals, and the appropriate punishments considered.

If both the Supreme Court and the lawyers of Mr Karnan want a middle ground, the petition may be dismissed on the grounds that the signature of Mr Karnan on the affidavit needs to be attested by his personal appearance, since there is a probability that it could be a forgery.

It may be taken up again if Mr Karnan surrenders and appears in person.

In the meantime the Notary who attested the signature could be summoned to testify whether the signature is genuine and, if so, why the Notary, knowing fully well that the person swearing before him was a fugitive from law, did not inform the Police voluntarily.

If the Supreme Court is lenient on Karnan because he was a “Judge”, then it would indicate that the Supreme Court is discriminating between a common citizen and a past Judge. It will then not be able to exercise authority in the case of Mr Vijay Mallya, who may raise the defence that the Court is not consistent.

Naavi


Also Read

Curious case of Justice CS Karnan: How he defied the Supreme Court and created legal history

The Supreme Court Order Sentencing Justice Karnan to Six Months’ Imprisonment Sets A Wrong Precedent

Justice Karnan vs SC: Playing the lead in his own courtroom drama

Where is justice Karnan? Police struggle to arrest judge convicted by SC

CS Karnan vs Supreme Court: Ongoing stand-off a national shame, harms dignity of Indian judiciary

‘Missing’ Justice Karnan files counter appeal in Supreme Court

Justice CS Karnan ‘missing’, police of 3 states can’t find him

15-yr run: From AIADMK booth agent to judge to jail

Why are India’s top judges doubting each others’ sanity?


At Naavi.org 

Justice Karnan escalates fight with the system

A Sad Day for Judiciary.. at Madras High Court


 

Posted in Cyber Law

Taming the Cyber Insurance Dog… Key lies with IRDA

“Cyber Insurance - a dog that can bite you and itself”, says my friend Mr Dinesh Bareja (Information Security Expert) in an interesting article. Mr Dinesh has brought out well the risk of an insurance company being sued by its client when a claim is rejected. He has also pointed out how many insured parties may find themselves unable to enforce a claim even after incurring the cost. He has rightly concluded that both the Insurer and the Insured will learn in due course how to keep the Cyber Insurance dog on a tight leash.

Let me add to the comments of Mr Dinesh….

Cyber Insurance is a legitimate tool of an Information Security Manager for “Transferring the Risk”, at a cost, to an insurer. It comes after he has taken reasonable steps to avoid and mitigate the risk. The goal of an Information Security Manager (ISM) is to ensure that the “Residual Risk” is within the “Risk Absorption” capacity of the organization as set by the Financial Managers.

However, in most practical situations, the Cyber Insurance contract is not conceived and structured on the basis of a good assessment of “Total Risk” reduced by “Avoided Risk”, “Mitigated Risk” and “Risk Absorption capacity” (all reduced to the common denominator of money).

I am not sure if any ISM has ever made a presentation to the Board stating, in effect: “Our Cyber Risk is estimated to be around Rs 100 crores to the best of our knowledge and ability. By avoiding this process we can reduce it to Rs 80 crores. By our ISM program we can bring it down to Rs 10 crores. Beyond this the ISM program cannot mitigate, and the organization needs to absorb the remainder or cover it through Cyber Insurance if possible.”

In order to make an assessment of the kind above, we need metrics to evaluate our ISM program. If we intend to cover the residual risk with Insurance, the best option is to work with the Cyber Insurance company to establish what they consider adequate “Information Security” and develop a mutually acceptable information security program.

If the Information Security program of a company is approved by the Cyber Insurance company, there will be fewer opportunities for rejection of claims and litigation between the Insurer and the Insured. But the Insurance industry is not interested in this approach, for the reasons stated below.

We should always remember that the Indian Insurance industry works on the principle that all Insurance contracts are “Uberrimae Fidei” contracts. Uberrimae Fidei contracts are contracts of “Utmost Good Faith”, where the insured (the applicant) has the onus of disclosing all matters that may affect the decision of the Insurer (the Cyber Insurance company) in accepting the proposal. The Insurer has no obligation to verify and accepts the proposal as declared. But when a claim situation arises, the Insurance company will undertake an investigation to find out whether the Insured had disclosed all risks known to him on the date of the proposal, and if there is any shortfall, the claim would be rejected. The Insured ends up paying the premium but does not enjoy the benefit of the policy.

This system is to the advantage of the Insurance industry and there is no incentive for them to change it while the user industry has every reason to challenge this proposition.

This nature of the Insurance contract as a “Contract of Utmost Good Faith”, if accepted, puts the CISO in a spot. If he highlights all the risks, the management may say “too bad that you are the CISO”. If he does not, then he is postponing the day of reckoning to the day when an Insurance claim arises.

In most companies, the CISO is not even consulted when a Cyber Insurance deal is negotiated with a Cyber Insurance company. Sometimes Cyber Insurance is taken because the Business Manager says that the vendor of a data processing contract has made it mandatory. It is only the CFO who takes the decision, since he has to write the cheque. He will choose to insure to the extent his budget allows or to the extent a business contract mandates. It would be great if he checked with the CISO, but that may not happen all the time. (This was corroborated in our Cyber Insurance Survey 2015.)

IS specialists know that, apart from all the risks that they are theoretically expected to assess and mitigate, there are “Zero Day Risks” that no CISO knows of. Ransomware payments in Bitcoins may involve an illegal acquisition of bitcoins which the Insurance company may refuse to fund. There is also a difficulty in stating the “Value of the insured assets”, since financial valuation of data is difficult. Further, most insurance claims are not for pre-determinable costs but for liabilities that arise from third party claims. Hence to state in good faith “This is the risk I face, this is the risk I can mitigate and this is the risk which I want the Insurance company to cover” is a near impossibility if we want to respect the “Uberrimae Fidei” nature of Insurance contracts.

Another risk the CISO faces is that when not all the risks he has identified are mitigated and/or covered through insurance, the Insurance company may, when the claim arises, hold the company guilty of undervaluing its assets for insurance and either call it a fraud or at least reduce the payout under the clause that the “Insured is considered a Co-Insurer to the extent of under-insurance”.
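A worked version of the Board presentation imagined above (total risk, avoided, mitigated, absorbed, and the remainder to insure) together with the co-insurance clause just described, as an added example that is not part of the original post and not taken from any insurer’s policy wording. The figures are constructed, and the proportional form of the co-insurance (“average”) clause, where the insured bears the same share of every loss as the shortfall in the sum insured, is an assumption about how an insurer applies the principle the paragraph names:

```python
from dataclasses import dataclass

CRORE = 10_000_000  # Rs 1 crore; used only to keep the figures readable


@dataclass
class RiskTreatment:
    """Risk treatment waterfall, all figures in rupees (constructed example).

    total:     gross cyber risk as estimated by the ISM
    avoided:   risk removed by dropping a process outright
    mitigated: risk removed by the controls the ISM program operates
    absorb:    residual loss the Board is willing to carry unfunded
    """
    total: int
    avoided: int
    mitigated: int
    absorb: int

    def residual(self) -> int:
        """Risk left after avoidance and mitigation."""
        return max(self.total - self.avoided - self.mitigated, 0)

    def to_transfer(self) -> int:
        """Residual risk above absorption capacity: the sum insured to seek."""
        return max(self.residual() - self.absorb, 0)


def settle_claim(loss: int, sum_insured: int, value_at_risk: int) -> int:
    """Apply the co-insurance ('average') clause the post describes.

    Assumption: the insurer uses the common proportional form of the clause.
    If the sum insured is below the value at risk established by the insurer's
    investigation at claim time, the insured bears the same proportion of every
    loss. The payout is also capped at the sum insured.
    """
    if sum_insured <= 0 or value_at_risk <= 0:
        return 0
    if sum_insured >= value_at_risk:
        return min(loss, sum_insured)          # fully insured: no averaging
    proportion = sum_insured / value_at_risk   # under-insurance ratio
    return min(int(loss * proportion), sum_insured)


def underinsurance_shortfall(loss: int, sum_insured: int, value_at_risk: int) -> int:
    """Rupees the insured pays itself because of under-insurance."""
    return min(loss, sum_insured) - settle_claim(loss, sum_insured, value_at_risk)


if __name__ == "__main__":
    # Constructed figures mirroring the presentation the post imagines.
    treatment = RiskTreatment(total=100 * CRORE, avoided=20 * CRORE,
                              mitigated=70 * CRORE, absorb=2 * CRORE)
    print("residual risk:", treatment.residual() // CRORE, "crore")
    print("sum insured needed:", treatment.to_transfer() // CRORE, "crore")

    # The CISO declared Rs 8 crore, but the insurer's investigation at claim
    # time values the exposure at Rs 16 crore: every claim is halved.
    loss = 4 * CRORE
    paid = settle_claim(loss, 8 * CRORE, 16 * CRORE)
    short = underinsurance_shortfall(loss, 8 * CRORE, 16 * CRORE)
    print("claim", loss // CRORE, "crore, paid", paid // CRORE,
          "crore, shortfall", short // CRORE, "crore")
```

The point the numbers make is the one the post is driving at: a claim well within the sum insured is still cut in half once the insurer’s post-incident valuation exceeds the declared value, so the “Value of the insured assets” figure is not a formality but the denominator of every future payout.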

It is therefore clear that the decks are stacked against the Insurance seeker, and this is one of the reasons that Cyber Insurance is slow to take off. In turn this also leaves the Insurance industry unable to spread its risks and bring down the premia. If the business expands, it is better for both the insured and the insurer. Efforts are therefore required in this direction.

I refer to my earlier article “If China can have a PRC law, Can we not too have a similar law?..for Insurance?”.

In that article I had highlighted the fact that in China the Insurance law has been modified to make Insurance contracts “Contracts of Honest Disclosure” and not “Contracts of Utmost Good Faith”.

We in India need to introduce a similar modification to our Insurance law if we want the Cyber Insurance contract to be a useful tool in the hands of the industry.

What this “Honest Disclosure” could imply is that the Insurance company is given the freedom to ask as many questions as it likes on the “Cyber Insurability” of the proposer, and is even allowed to do its own risk assessment, after which a mutually acceptable premium is fixed for the coverage sought and approved. In such cases, the possibility of a claim being rejected, and of bad blood developing between the user industry and the Insurance industry, would reduce.

In the coming days, the GDPR will force more and more IT companies to look for Cyber Insurance, and for the benefit of all, the contracts should be made acceptable to both parties so that there is no misunderstanding.

It is for this reason that any organization that intends to take Cyber Insurance needs a suitable consultant to help it understand the limitations of what the Insurance company proposes, rather than being surprised later at the time of a claim.

Some of the insurance seekers, particularly the Banks, are used to issuing an RFP and choosing the lowest bidder. This approach is dangerous, since the RFP will become the base on which “Utmost Good Faith” is determined at a later date.

Instead, they should enter into negotiations with a short-listed group of Cyber Insurers, discuss what can be insured, and take the insurance contract with a full understanding of what is covered and what is not.

This objective of having Cyber Insurance that is acceptable under a “Negotiated Risk Assessment” between the Insurer and the Insured can be achieved by IRDA coming out with the necessary guidelines, declaring “Cyber Insurance” a separate category of Insurance and instituting the “Honest Disclosure” element as part of proposal clearance.

So… the power to tame the Cyber Insurance dog and make it a saviour of the IT industry, without it biting its master, now lies with IRDA.

Naavi

Posted in Cyber Law