“Pay up… or else, your device will burst… and you will die” could be the new ransomware threat


Our war against ransomware should start with better awareness of the epidemic as it evolves. Ignorance is not a concern only in India. Even in the US, it is stated that more than two thirds of office workers are unaware of the ransomware threat.

A recent survey of 1000 workers in the US conducted by the security firm Avecto revealed that widespread ignorance prevails about the ransomware threat. About 39% of the respondents said that they do not have confidence that their employer has adequate safeguards for their online safety.

Nearly 40% of businesses were hit by ransomware attacks in the past year, with more than one third of them losing revenue and 20% forced to close down. More than 4000 ransomware attacks happen every day, making it the leading threat in the cyber world. The average ransom demand has reportedly doubled to $679 from $294 at the end of 2015, and over 100 new families of ransomware have been discovered.

Ransomware on Android has grown in several parts of Europe, spreading through malicious APK files which users download and install, as well as through tricky spam messages and malvertising. The malware may sometimes simply lock the screen and change the PIN to demand ransom.

The next wave of ransomware is expected to attack IoT devices, making life miserable for the tech-savvy resident of the digital society. While traditional ransomware attacks data residing inside computing devices, IoT ransomware may take control of the devices themselves and make them act under the attacker’s control, leading to dangerous consequences such as crashing of cars, burning out of devices, causing fire and other physical hazards, including the death of a person using the IoT device near his person.

The growing problems observed in Samsung mobile devices could also be a manifestation of malware meant to hurt the company. Similar malware can also turn into ransomware to threaten: “Pay up or else, your mobile/device will burst”. With the kind of social engineering that precedes a targeted attack, it is possible that ransomware may be installed on a user’s family device such as the son’s or daughter’s mobile, and the threat sent to the father so that immediate compliance is guaranteed.

The risk becomes larger since “Ransomware as a Service” (RaaS) is being increasingly offered by the underworld. This ensures that it can be used just as “Supari Killers” are used in the physical world for committing murders. This empowers all and sundry to adopt ransomware to settle personal scores and make money.

The rise of “Crime ware as a Service” requires to be tackled at the same level as we handle “Terrorism” as a part of global security. I wish global leaders like Mr Modi as well as the ISIS baiters like Donald Trump do not forget to fight the threat of “Crime ware as a Service” to protect the digital world of the next decade.

The fight against ransomware in the corporate world has to focus on reducing the possibility of employees falling victim to spearphishing attacks. While most infections are caused by “opening of attachments” from e-mails and we often say “Do not open attachments from unknown persons”, the fraudsters who use spearphishing spend time researching the victim and finding out his weaknesses before sending out an attachment. While it may be possible to teach an employee not to open an attachment that says “Exclusive Pictures of the URI attack” or “A Bollywood star in Bed with a Cricketer”, it would be difficult to make him not open an attachment which appears to come from his boss and says, “Proposed Salary Revision”.

Phishing of e-mails and websites has become so sophisticated that we need “two factor authentication” for every e-mail to add to its trustworthiness.

Recently, in India, a phishing website in the name of “lCICI” was found, meant to confuse the Netizen with “ICICI” (the leading bank in India).

[Image: icici_bank_phishing]

Look at the adjoining picture and let me know if you can spot the difference between its URL and a URL that would represent the genuine ICICI Bank.

If such phishing succeeds, as in most cases it would, one cannot blame the eyesight of the Netizen.

(Let RBI which is holding up the limited liability circular under the vested interest’s pressure take note that Customer cannot be held responsible for negligence if he is tricked into believing that such phishing e-mails are genuine).
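Rather than leaving the Netizen to judge a URL by eye, a mail gateway or proxy can fold visually confusable characters in a hostname to a common “skeleton” and compare it with the genuine brand domains. The Python script below is an added example written for this post, not code from the original article or from any bank. The brand list, the confusable-character table, the sample hostnames and the verdict names are all constructed for the illustration, and the registrable-label split is a simplification that ignores multi-part public suffixes.

```python
import unicodedata

# Constructed list of genuine brand domains to protect (example data, not from the post).
BRAND_DOMAINS = {"icicibank.com", "icici.com"}

# Character pairs that render like a single letter in many fonts; folded first.
MULTI_CHAR = [("rn", "m"), ("vv", "w")]

# Single characters that render like another; folded to one canonical form.
SINGLE_CHAR = {
    "l": "i", "1": "i",            # lowercase L and digit one look like I / i
    "\u0131": "i",                 # dotless i
    "\u0456": "i",                 # Cyrillic small i
    "\u0430": "a", "\u043e": "o",  # Cyrillic a and o
    "\u0440": "p", "\u0441": "c", "\u0435": "e",
    "0": "o", "5": "s", "8": "b",
}


def skeleton(label):
    """Fold a hostname label so that visually confusable spellings coincide."""
    s = unicodedata.normalize("NFKC", label).casefold()
    # Drop combining marks (accents) so decorated letters fold to their base letter.
    s = "".join(c for c in unicodedata.normalize("NFD", s) if not unicodedata.combining(c))
    for seq, rep in MULTI_CHAR:
        s = s.replace(seq, rep)
    return "".join(SINGLE_CHAR.get(c, c) for c in s)


def registrable_label(host):
    """Second-level label of a host (simplification: ignores multi-part public suffixes)."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(host, brand_domains=BRAND_DOMAINS):
    """Return 'genuine', 'lookalike', 'suspicious' or 'unrelated' for a hostname."""
    host = host.strip().rstrip(".").lower()
    try:
        host = host.encode("ascii").decode("idna")   # expand punycode (xn--) labels
    except UnicodeError:
        pass                                          # already Unicode or malformed: judge as given
    if host in brand_domains:
        return "genuine"
    brand_skeletons = {skeleton(registrable_label(b)) for b in brand_domains}
    # The label itself reads as the brand once confusables are folded
    # (covers lCICI, 1c1c1 and the genuine name on another TLD).
    if skeleton(registrable_label(host)) in brand_skeletons:
        return "lookalike"
    # Brand name embedded in a longer label or a deeper subdomain.
    host_skeleton = skeleton(host.replace(".", ""))
    if any(b in host_skeleton for b in brand_skeletons):
        return "suspicious"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample hostnames as they might be extracted from mail or proxy logs.
    for sample in ["icicibank.com", "lcicibank.com", "1c1c1bank.com",
                   "icicibank-secure-login.net", "icicibank.com.evil-example.net",
                   "example.org"]:
        print(f"{sample:35} {classify(sample)}")
```

A “lookalike” verdict means the registrable label reads as the brand once confusables are folded; “suspicious” means the brand name is buried inside a longer label or a deeper subdomain. Either verdict is a reason to quarantine the message or block the link for review, which is a far more reliable control than asking a customer to notice a single changed letter.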

Cylance, a security firm, has recently put out a detailed account of how the Cerber ransomware operates, which is an excellent guide for everyone watching this space to study.

Cerber is the third most prevalent ransomware in the wild with a market share of 24%, behind CryptoWall (41%) and Locky (34%). Its uniqueness is that it continuously changes its file name, making it impossible for anti-virus software to identify it by a signature file name. It is known to spread via weaponized Microsoft Word documents and also by exploiting vulnerabilities in software such as Adobe Flash Player. Sophisticated distribution mechanisms with “Affiliate Programs” are on offer. It uses “Bitcoins” as the mode of payment.

It is said that the average cost of ransomware in large corporations could be $1 million to $10 million, making it a risk that cannot be ignored. The Bitcoin community, which wants to legitimize the use of Bitcoin as a recognized currency, needs to take steps to ensure that ransomware does not become the new “Silk Road”, as the war against ransomware will start with the complete shutting down of “Bitcoin” as a legit currency.

I urge the Government of India and Mr Narendra Modi to use the occasion of the anniversary of the Digital Society Day of India falling on 17th October to declare the “War on Ransomware” open.

To start with, the Government should announce its intention to tackle this as “Cyber Terrorism” and register cases under Section 66F of ITA 2008 so that it falls within the international cooperation treaties, to enlist the support of law enforcement agencies in other countries. The rest of the strategy can be discussed subsequently.

It would be better if the Government sets up an expert committee to develop the strategy for tackling the menace of ransomware (without limiting it to the coterie in Delhi).

Dear Mr Modi…. are you listening?

Naavi


Is there an Indo-Russia Cyber Attack collaboration in the offing?

After the surgical strikes by the Indian army on Pakistani terrorist launch pads, there has been a series of attacks by physical terrorists in different parts of Kashmir. At the same time, it appears that there are low-intensity cyber terrorist attacks across the Cyber LOC.

Just as there is little difference between the physical terrorist attacks and a “War” when it comes to Pakistan (since they have adopted terrorism as a tool of war), the cyber attacks on IT firms in Hyderabad also are not different from a Cyber War.

Refer article here

There is a fine line of distinction between Cyber War and Cyber Terrorism. Cyber War is conducted by state actors and Cyber Terrorism is conducted by non-state actors. Cyber War is mostly on military targets, while Cyber Terror strikes soft public targets.

Conventions for Cyber War are yet to be developed internationally and are therefore non-existent in practical terms. (The Tallinn Manual is under development and could eventually become an international agreement on Cyber warfare).

The Hyderabad attack is reported to be a ransomware attack on many finance companies. Though there has been a denial from the Hyderabad police sources, it is possible that there could at least be a “Defacement Attack”, probably at the ISP level. There was also an earlier report of Indian hackers hacking into Pakistani Government websites and planting ransomware.

These mutual attacks have raised an important issue of the role of “Cyber Attacks” in national defense. Obviously, if the attacks are launched by the Government sources, it will be part of the military operations just like the “Surgical Strikes”. But such attacks need to be confined to military targets and not civil targets. When civil targets are hit, it is more akin to a terror attack than a military operation unless it can be justified as collateral damage. If such attacks are launched by non military personnel, there is every right for Pakistan to call it a Cyber Terror attack by Non State Actors in India.

In order to ensure that Indian hackers are not drawn into legal battles in international courts, it is necessary for the Government to define a proper policy for such cross border cyber attacks.

Firstly, the Government of India should develop (if it has not done so already) a Cyber Army which is part of the military operations. This Cyber Army should focus on military targets. It is not necessary that this should be manned only by the current defense personnel; other private teams can be used for the purpose. Along with it, if the Government wants to develop a supported non-state actor group, it is the Government’s call. China must already have such an outfit. It will be like the RAW in Cyber Space and part of the intelligence network.

As regards other private parties, it is necessary to classify them as “Non State Actors”. If, therefore, cyber attacks are carried out by hackers on either side, they are open to international legal action and the Governments of each country may disown them if they are identified.

It is open to such hackers to take the risk if they so like but should not expect much support from the Government.

We understand that Mr Modi may have a Cyber Attack Collaboration agreement with Russia which should be the starting point for developing a Cyber Army in India. If this happens, we welcome the move.

We therefore watch the BRICS summit in Goa closely to see if an agreement is signed in this regard between India and Russia.

Naavi


58 Million Records compromised in USA… ICICI Bank may need to issue a disclaimer

An unprotected open-source database of Modern Business Solutions (MBS), based in Austin, TX, is said to have compromised 58 million to 258 million database records of its customers because of a faulty security configuration.

According to this report from riskbasedsecurity.com, the firm provides a cloud-based data management platform called Hardwell Data, allowing customers to collect, store and transfer data records regardless of format, including a cloud-based hosting system for databases. It is stated that the IP address of the insecure database was identified in an internet search and shared within a small group of friends, which ultimately resulted in the mega data breach.

Leaked information included names, IP addresses, birth dates, email addresses, vehicle data and occupations.

It is understood that the database has now been secured and is no longer accessible. This however confirms that the breach was a result of gross negligence by the information security managers of the firm.

While the IS professionals look at the problem from their perspective, there is another angle to the whole episode.

“Modern Business Solutions” is a common name used by many businesses and websites, many of them in India. At least one of them is known to be providing services to ICICI Bank. It is possible that the MBS of Austin might not have any connection with the company having a business relationship with ICICI Bank.

However, as a part of the “Compliance Requirements”, it is necessary for ICICI Bank to come out with a public disclaimer that there is no business relationship between the MBS of Austin, TX and the Bank and no data of any Indian is involved in the data breach.

The same advisory holds good for all business entities in India who deal with any company called “Modern Business Solutions” to issue necessary disclaimers. Such companies who are “Lookalikes” also need to issue their own disclaimers.

For the future, every company should consider using the services of “www.lookalikes.in” so that when such reputation loss occurs on account of a shared name, their own customers feel reassured.

Naavi


Attention Mr Modi: Make this year’s “Digital Society Day” memorable

October 17 is a special day in the digital history of India, since it was on this day in the year 2000 that India first provided legal recognition for electronic documents by notifying the Information Technology Act 2000. Since then the life of many IT professionals in India has changed forever. Along with recognition of electronic documents came digital/electronic signatures and a whole set of business opportunities around them. Cyber lawyers saw a new field of activity emerging and professionals in law enforcement had to recognize the new domain of Cyber Law enforcement. E-Commerce and E-Governance, as well as E-Banking in particular, have also contributed to millions of job opportunities that can be attributed directly to the event of October 17, 2000 notifying the ITA 2000.

Now under the leadership of Mr Modi, India is talking of a new era of digital progress beyond e-commerce and e-Governance. We are deep into mobile commerce and the use of Aadhaar as a universal digital ID. Smart Cities and IoT are slowly becoming a part of our life. Electronic circuits are part of many of our day-to-day gadgets, including wearable watches, cars, washing machines etc.

Along with these developments in technology, the Cyber Crimes are also increasing and Police are under constant challenge to tackle the new age crimes.

In such an environment, it is the duty of every one of us who has been directly or indirectly affected by the advent of Cyber Laws in India, which created Netizens out of Citizens, to commemorate October 17 with the respect it deserves.

I therefore urge all Cyber Professionals to conduct their own special activities on this October 17 to just remember that this is the day when the “Digital Society of India” was born.

If you are in an educational institution, call your students and hold an awareness meeting.

If you are in a Company, have an “ITA 2008 Compliance Meeting”.

If you are a Bar Council member, call a meeting to discuss “Cyber Laws in India”.

If you are in the Police, conduct a meeting of your subordinates and increase the awareness of Cyber Crimes….

If you are in Indian Defense, develop an awareness of the world of Cyber Wars…the next war will be dominated by Cyber attacks.

And if you are Mr Narendra Damodardas Modi, call a cabinet meeting and make the Cabinet colleagues aware of the importance of developing and managing a “Cyber Law Compliant E-Governance system”.

Just as “International Yoga Day”, the “Digital Society Day” deserves to be commemorated.

Naavi


“Don’t BYOD” will be the new norm…

Over the last few years, tech enthusiasts have been encouraging BYOD, or Bring Your Own Device, as a concept in the corporate environment, firstly to reduce costs and then to bring in more convenience to employees in operating in a seamless fashion at office and out of office. Over time, some are even suggesting “Bring Your Own Cloud” to encourage employees to use their own cloud storage even for storing the corporate data assets handled by them.

However, security professionals have always raised a red flag for such innovative measures, since it is a security nightmare to uphold the IS principle of protecting the confidentiality of information.

Companies have tried to manage the issue with a firewall control that checks the integrity of the device every time it is connected to the corporate network. But this is hardly sufficient security against the risk of deliberate or inadvertent misuse of the device when it is connected to other networks at home or in public, and the possibility of stealth viruses sneaking in. The only control for such possibilities is an updated anti-virus, which may however be updated only when connected to the corporate network and cannot prevent zero-day malware getting in between two working days when the device is off the corporate network.

Now the risks are expanding with mobile phones becoming smarter than they should. There is malware known to activate the microphone or camera, record conversations in the vicinity and send them out through the network to some command and control center for further exploitation. Companies countered this by trying to ban the use of mobiles in some sensitive operational areas of the company, though many ignore such precautions.

Now, in an interesting security measure, the UK Government has banned the wearing of the “Apple Watch” in cabinet meetings since it is considered a spying threat.

Read the Article here

In the corporate world, the use of “Wearables” is the next craze, and one can see all top executives looking smart with smart wearables to monitor their health and substitute the use of mobiles for some functions such as checking messages. There is no doubt that today most of us check messages on the mobile more often than we check the time on the watch, and hence it makes sense to display the messages on the wearable watch.

But it is time to recognize that Companies need to start the practice of discouraging employees from bringing too much gadgetry into the sensitive corporate environment, putting security at risk. At the same time, it is time to add “Wearables” to the list of monitored BYOD devices in the corporate network.

When ITA 2008 undergoes the next revision, perhaps the Government needs to recognize the cyber crime threats arising out of such gadgets as part of the cyber ecosystem it should protect through legislation.

Naavi


Consumer Protection Bill 2015 - Some Thoughts 5: What’s in It for Business?

(This is a continuation of the series of articles on this subject)

Article1 : Article 2 : Article 3: Article 4 : Article 5

(Easy to Read copy of the Bill)


What’s in It for Business?

The first impression about a new and improved “Consumer Protection Act” set to come into India with the likely passage of the Consumer Protection Bill 2015 in the coming Parliament session is that it is meant for activists and lawyers and of course the small set of vigilant consumers.

However, it must be remembered that one of those consumers who want a strict Consumer Protection Law is also the proprietor or business owner who is at the receiving end of a strong Consumer Protection legislation. There is no need to presume that he is always interested in cheating the customer to make money. After all, not all businessmen are dishonest and greedy. The new Consumer Protection Bill 2015 (CPA2015) will therefore be of great interest to businessmen, and particularly to those professionals working in large business houses who conduct business offline and online. It is relevant not only for Hindustan Lever or Nestle or Colgate or Patanjali, but also for Flipkart, Snapdeal, Amazon and others.

We shall therefore look at the CPA2015 from the “Compliance” angle and try to identify some focus areas for the business. (Refer to the copy of the Act here whenever needed).

Penalty

Let us first look at the “penalty” clause in the Act.

As per Clause 79 of the CPA 2015,

(1) Where a trader or a person against whom a complaint is made or the complainant fails or omits to comply with any order made by the District Commission, the State Commission or the National Commission, as the case may be,

such trader or person or complainant shall be punishable with imprisonment for a term which shall not be less than one month but which may extend to three years,

or with fine which shall not be less than ten thousand rupees but which may extend to fifty thousand rupees, or with both

(2) Notwithstanding anything contained in the Code of Criminal Procedure, 1973, the District Commission or the State Commission or the National Commission, as the case may be,

shall have the power of a Judicial Magistrate of the first class for the trial of offences under this Act, and on Conferment of such powers, the District Commission or the State Commission or the National Commission, as the case may be, shall be deemed to be a Judicial Magistrate of the first class for the purpose of the Code of Criminal Procedure, 1973.

(3) All offences under this Act may be tried summarily by the District Commission or the State Commission or the National Commission, as the case may be.

It is to be noted that there is both Civil and Criminal liability attached to non-compliance, and the authorities entrusted with the responsibility for adjudication have magisterial powers and take decisions on a summary basis. The scope for dragging the case and harassing the complainant is therefore limited, and businesses cannot take the consequences lightly.

Product Liability

Chapter VI of the Bill states that the “manufacturer” or “producer” of product shall be liable for any product liability action if the claimant establishes all of the following by a preponderance of the evidence.

(a) the product contains a manufacturing defect or there is a deviation from manufacturing specifications;

(b) the product is defective in design;

(c) the product failed to contain adequate instructions of correct use to avoid danger or warnings of the improper/incorrect use;

(d) the product did not conform to an express warranty with respect to the product made by the manufacturer or product seller;

(e) the defendant was the manufacturer of the actual product that was the cause of harm for which the claimant seeks to recover compensatory damages; and

(f) the dangerous aspect of the product was the proximate cause of the harm suffered by the claimant.

The Product Seller will be liable for product liability action in the following circumstances.

(i) the product seller exercised substantial control over the aspect of the design, testing, manufacture, packaging, or labelling of the product that caused the alleged harm for which recovery of damages is sought

(ii) the product seller altered or modified the product, and the alteration or modification was a substantial factor in causing the harm for which recovery of damages is sought

(iii) the product seller made an express warranty as to such product independent of any express warranty made by a manufacturer as to such product, such product failed to conform to the product seller’s warranty, and the failure of such product to conform to the warranty caused the harm complained of by the claimant;

(iv) the claimant is unable, despite a good faith exercise of due diligence, to identify the manufacturer of the product

(v) the manufacturer is not subject to service of process under the laws of the State; or

(vi) the court determines that the claimant would be unable to enforce a judgment against the manufacturer:

From the above, it can be deduced that sellers of products imported from abroad such as the ubiquitous Chinese products could be liable for product liability since either the manufacturer cannot be identified or cannot be sued.

A Product seller other than the manufacturer may also be liable on the basis of negligence if the seller did not exercise reasonable care in assembling, inspecting or maintaining the product or in passing on warnings or instructions from the manufacturer about the dangers and proper use of the product (Provided that failure to exercise such reasonable care was a proximate cause of the harm).

It is to be noted that a “Complaint” under the CPA 2015 may be made for

a) Unfair Trade Practice

b) Defects in the product or Deficiency of Service

c) Excessive charging

d) Unfair contract entered into

and sale of hazardous and unsafe products as well as violation of safety standards if any.

Any act of withholding relevant information from the consumer could be considered as a “Deficiency” of service and any statements made on the internet or website could be considered as “advertisement”. Any aspects of warranty or promise contained in the communication with the consumer which is known to be untrue would constitute an “Unfair Trade Practice”.

The possibilities of deliberate and not-so-deliberate mis-statements normally arise because many products require the additional services of “Installation” and “Demo”, which are sometimes handled by third-party contractors who have no loyalty either to the brand or to the selling outlet, and product liability could arise out of the actions of these “agents”.

The manufacturers as well as the reputed retailers who have their own brand positioning need to ensure that the agents representing them are well trained and informed to avoid any type of mis-communications or over charging or damage or harm to the consumer at the time of installation.

The retailers conducting “Festival Sales” and the online companies running special campaigns such as “Big Billion Sales” often hire temporary employees during the peak sales time who are untrained and unprofessional. Actions of such persons could create liabilities to the suppliers if properly pursued by a vigilant consumer.

It is also essential for all manufacturers and suppliers to put in place a proper “Grievance Redressal Mechanism” which could act as a cushion to soften any adverse impact of deficient service/defective product.

The CPA2015 suggests its own mediation process but it is possible for the product manufacturers/sellers to squeeze in a dispute resolution mechanism before the mediation process or action from the dispute redressal agencies envisaged under the Bill can be invoked. This is mandatory for the online service providers under ITA 2000/8 and should be useful for others too. Such alternate dispute resolution mechanism can be an “Ombudsman” or “Mediation” or “Arbitration”.

If a consumer gets a reasonable redressal of grievance under these service provider’s dispute resolution mechanisms, the adverse impact of the mediation as envisaged under the Bill could be reduced.

Naavi
