Today is 17th October: 16 years back we had our Tryst with destiny

Happy Digital Society Day of India


On this day in the year 2000, India stepped into the world of Cyber Space by recognizing electronic documents as equivalent to paper. Along with the recognition of the digital signature as equivalent to a “Signature” in law, the world of Digital Contracts became a judicially recognized reality. Thus was born the legally recognized Digital Society of India.

Let’s commemorate the day with some positive action that helps in the development of a Responsible Cyber Society in India.

Naavi.org takes a Digital Society Day resolution to fight a war against ransomware by creating greater awareness among all stakeholders about the dangers of ransomware and how to fight it.

The theme for the year is Ransomware.

Naavi

Posted in Cyber Law

“Pay up… or else, your device will burst… and you will die” could be the new ransomware threat


Our war against ransomware should start with better awareness about the epidemic as it evolves. Ignorance is not a concern only in India. Even in the US it is stated that more than two thirds of office workers are unaware of the ransomware threat.

A recent survey of 1000 workers in the US conducted by the security firm Avecto revealed that widespread ignorance prevails about the ransomware threat. About 39% of the respondents said that they do not have confidence that their employer has adequate safeguards for their online safety.

Nearly 40% of businesses were hit by ransomware attacks in the past year, with more than one third of them losing revenue and 20% forced to close down. More than 4000 ransomware attacks happen every day, making it the leading threat in the cyber world. The average ransom demand has reportedly doubled to $679 from $294 at the end of 2015, and over 100 new families of ransomware have been discovered.

Ransomware on Android has grown in several parts of Europe, spreading through malicious APK files which users download and install, as well as through deceptive spam messages and malvertising. The malware may sometimes simply lock the screen and change the PIN to demand a ransom.

The next wave of ransomware is expected to attack IOT devices, making life miserable for the tech-savvy digital society resident. While traditional ransomware attacks data residing inside the computing devices, IOT ransomware may take control of the devices and make them act under the attacker’s control, leading to dangerous consequences such as the crashing of cars, burning out of devices, fires and other physical hazards, including the death of a person using the IOT devices near his person.

The growing problems observed in Samsung mobile devices could also be a manifestation of malware meant to hurt the company. Similar malware can also turn into ransomware with the threat… “Pay up or else, your mobile/device will burst”. With the kind of social engineering that precedes a targeted attack, it is possible that ransomware may be installed on a user’s family device, such as the son’s or daughter’s mobile, and the threat sent to the father so that immediate compliance is guaranteed.

The risk becomes larger since “Ransomware as a Service” (RaaS) is being increasingly offered by the underworld. This ensures that it can be used just as “Supari Killers” are used in the physical world for committing murders. This empowers all and sundry to adopt ransomware to settle personal scores and make money.

The rise of “Crime ware as a Service” needs to be tackled at the same level as we handle “Terrorism” as a part of global security. I wish global leaders like Mr Modi, as well as ISIS baiters like Donald Trump, do not forget to fight the threat of “Crime ware as a Service” to protect the digital world of the next decade.

The fight against ransomware in the corporate world has to focus on reducing the possibility of employees falling victim to spearphishing attacks. While most infections are caused by “Opening of Attachments” from e-mails and we often say “Do not open attachments from unknown persons”, the fraudsters who use spearphishing spend time researching the victim and finding out his weaknesses before sending out an attachment. While it may be possible to teach an employee not to open an attachment that says “Exclusive Pictures of the URI attack” or “A Bollywood star in Bed with a Cricketer”, it would be difficult to make him not open an attachment which appears to come from his boss and says “Proposed Salary Revision”.

Phishing of e-mails and websites has become so sophisticated that we need “Two factor authentication” for every e-mail to add to its trustworthiness.

Recently, in India a phishing website in the name of “lCICI” was found to confuse the Netizen with “ICICI” (The leading Bank in India).

[Image: icici_bank_phishing]

Look at the adjoining picture and let me know if you can spot the difference between this URL and a URL that would represent the genuine ICICI Bank.

If such phishing succeeds, as in most cases it would, one cannot blame the eyesight of the Netizen.

(Let RBI, which is holding up the limited liability circular under the vested interests’ pressure, take note that a customer cannot be held responsible for negligence if he is tricked into believing that such phishing e-mails are genuine).
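The lCICI/ICICI trick works because a lowercase L and a capital I look the same in many fonts. One defensive check, added here as an example and not part of the original post, folds such visually confusable characters to one canonical form before comparing a URL’s host against an allowlist of genuine brand domains; the allowlist, the confusable table and the sample URLs are constructed for illustration.

```python
# Added example (not from the original post): flag lookalike domains, such as
# "lCICI" (lowercase L) imitating "ICICI", by folding visually confusable
# characters to a canonical form before comparing against known brand domains.
from typing import Dict, Optional, Set
from urllib.parse import urlparse

# Characters that look alike in common fonts, mapped to one canonical form.
# Multi-character entries ("rn" looks like "m") are applied before single ones.
CONFUSABLES: Dict[str, str] = {
    "rn": "m", "vv": "w",
    "l": "i", "1": "i", "|": "i",   # lowercase L, digit one and pipe all read as I
    "0": "o", "5": "s", "3": "e",
}

# Constructed allowlist of genuine domains; replace with the brands you protect.
LEGIT_DOMAINS: Set[str] = {"icicibank.com"}


def skeleton(name: str) -> str:
    """Lowercase the name and fold confusable characters to a canonical form."""
    s = name.lower()
    for src, dst in CONFUSABLES.items():
        if len(src) > 1:
            s = s.replace(src, dst)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def hostname_of(url: str) -> str:
    """Extract the host from a URL; a bare domain without a scheme is accepted."""
    parsed = urlparse(url if "://" in url else "//" + url)
    return (parsed.hostname or "").lower()


def lookalike_of(url: str, legit: Set[str] = LEGIT_DOMAINS) -> Optional[str]:
    """Return the genuine domain this URL imitates, or None if the host is
    genuine (the domain itself or a subdomain of it) or unrelated to any brand."""
    host = hostname_of(url)
    if host in legit or any(host.endswith("." + d) for d in legit):
        return None
    host_sk = skeleton(host)
    host_labels = host_sk.split(".")
    for domain in legit:
        dom_sk = skeleton(domain)
        brand_label = dom_sk.split(".")[0]
        # Same skeleton (lCICI vs ICICI), a subdomain of it, or the brand
        # label reused as a label inside another registrable domain.
        if (host_sk == dom_sk or host_sk.endswith("." + dom_sk)
                or brand_label in host_labels):
            return domain
    return None


if __name__ == "__main__":
    for u in ("https://www.icicibank.com/login", "https://lCICIbank.com/login",
              "http://1c1c1bank.com", "http://icicibank.com.secure-login.example"):
        print(u, "->", lookalike_of(u) or "genuine or unrelated")
```

The skeleton comparison only catches confusables listed in the table; Unicode homoglyphs from other scripts need a fuller confusables mapping than this constructed one.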

Cylance, a security firm, has recently put out a detailed account of how the Cerber ransomware operates, which is an excellent guide for everyone watching this space to study.

Cerber is the third most prevalent ransomware in the wild, with a market share of 24% behind CryptoWall (41%) and Locky (34%). Its uniqueness is that it continuously changes its file name, making it impossible for anti-virus software to identify it by its file name signature. It is known to spread via weaponized Microsoft Word documents and also by exploiting vulnerabilities such as those in Adobe Flash Player. Sophisticated distribution mechanisms with “Affiliate Programs” are on offer. It uses “Bitcoins” as the payment mode.

It is said that the average cost of ransomware in large corporations could be $1 million to $10 million, making it a risk that cannot be ignored. The Bitcoin community, which wants to legitimize the use of Bitcoin as a recognized currency, needs to take steps to ensure that ransomware does not become the new “Silk Road”, as the war against ransomware will start with the complete shutting down of “Bitcoin” as a legit currency.

I urge the Government of India and Mr Narendra Modi to use the occasion of the anniversary of the Digital Society Day of India, falling on 17th October, to declare the “War on Ransomware” open.

To start with, the Government should announce its intention to tackle this as “Cyber Terrorism” and register cases under Section 66F of ITA 2008 so that it falls within the international cooperation treaties and enlists the support of law enforcement agencies in other countries. The rest of the strategy can be discussed subsequently.

It would be better if the Government sets up an expert committee to develop the strategy for tackling the menace of ransomware (without limiting it to the coterie in Delhi).

Dear Mr Modi…. are you listening?

Naavi

Posted in Cyber Law

Is there an Indo-Russia Cyber Attack collaboration in the offing?

After the surgical strikes by the Indian army on Pakistani terrorist launch pads, there has been a series of attacks by physical terrorists in different parts of Kashmir. At the same time, it appears that there are low-intensity cyber terrorist attacks across the Cyber LOC.

Just as there is little difference between the physical terrorist attacks and a “War” when it comes to Pakistan (since they have adopted terrorism as a tool of war), the cyber attacks on IT firms in Hyderabad also are not different from a Cyber War.

Refer article here

There is a fine line of distinction between Cyber War and Cyber Terrorism. Cyber War is conducted by state actors, and Cyber Terrorism is conducted by non-state actors. Cyber War is mostly directed at military targets, while Cyber Terror strikes at soft public targets.

Conventions for Cyber War are yet to be developed internationally and are therefore non-existent in practical terms. (The Tallinn Manual is under development and could eventually become an international agreement on Cyber warfare).

The Hyderabad attack is reported to be a ransomware attack on many finance companies. Though there has been a denial from Hyderabad police sources, it is possible that there could at least be a “Defacement Attack”, probably at the ISP level. There was also an earlier report of Indian hackers hacking into Pakistani Government websites and planting ransomware.

These mutual attacks have raised an important issue of the role of “Cyber Attacks” in national defense. Obviously, if the attacks are launched by the Government sources, it will be part of the military operations just like the “Surgical Strikes”. But such attacks need to be confined to military targets and not civil targets. When civil targets are hit, it is more akin to a terror attack than a military operation unless it can be justified as collateral damage. If such attacks are launched by non military personnel, there is every right for Pakistan to call it a Cyber Terror attack by Non State Actors in India.

In order to ensure that Indian hackers are not drawn into legal battles in international courts, it is necessary for the Government to define a proper policy for such cross border cyber attacks.

Firstly, the Government of India should develop (if it has not already done so) a Cyber Army which is part of the military operations. This Cyber Army should focus on military targets. It is not necessary that this should be manned only by current defense personnel; other private teams can be used for the purpose. Along with it, if the Government wants to develop a supported non-state actor group, that is the Government’s call. China must already have such an outfit. It would be like the RAW in Cyber Space and part of the intelligence network.

As regards other private parties, it is necessary to classify them as “Non State Actors”. If, therefore, cyber attacks do take place by hackers on either side, they are open to international legal action, and the Governments of each country may disown them if they are identified.

It is open to such hackers to take the risk if they so wish, but they should not expect much support from the Government.

We understand that Mr Modi may have a Cyber Attack Collaboration agreement with Russia which should be the starting point for developing a Cyber Army in India. If this happens, we welcome the move.

We therefore watch the BRICS summit in Goa closely to see if an agreement is signed in this regard between India and Russia.

Naavi

Posted in Cyber Law

58 Million Records compromised in USA…. ICICI Bank may need to issue a disclaimer

An unprotected open-source database of Modern Business Solutions (MBS), based in Austin, TX, is said to have exposed between 58 million and 258 million customer records because of a faulty security configuration.

According to this report from riskbasedsecurity.com, the firm provides a cloud-based data management platform called Hardwell Data, allowing customers to collect, store and transfer data records regardless of format, including a cloud-based hosting system for databases. It is stated that the IP address of the insecure database was identified through an internet search and shared within a small group of friends, which ultimately resulted in the mega data breach.

Leaked information included names, IP addresses, birth dates, email addresses, vehicle data and occupations.

It is understood that the database has now been secured and is no longer accessible. This however confirms that the breach was a result of gross negligence by the information security managers of the firm.

While the IS professionals look at the problem from their perspective, there is another angle to the whole episode.

“Modern Business Solutions” is a common name used by many businesses and websites, many of them in India. At least one of them is known to be providing services to ICICI Bank. It is possible that the MBS of Austin has no connection with the company having a business relationship with ICICI Bank.

However, as a part of the “Compliance Requirements”, it is necessary for ICICI Bank to come out with a public disclaimer that there is no business relationship between the MBS of Austin, TX and the Bank and no data of any Indian is involved in the data breach.

The same advisory holds good for all business entities in India who deal with any company called “Modern Business Solutions” to issue necessary disclaimers. Such companies who are “Lookalikes” also need to issue their own disclaimers.

For the future, every company should consider using the services of “www.lookalikes.in” so that when such reputation loss occurs on account of a shared name, their own customers feel reassured.

Naavi


Posted in Cyber Law | 1 Comment

Attention Mr Modi: Make this year’s “Digital Society Day” memorable

October 17 is a special day in the digital history of India, since it was on this day in the year 2000 that India first provided legal recognition for electronic documents by notifying the Information Technology Act 2000. Since then, the life of many IT professionals in India has changed forever. Along with the recognition of electronic documents came Digital/Electronic signatures and a whole set of business opportunities around them. Cyber Lawyers saw a new field of activity emerging, and professionals in law enforcement had to recognize the new domain of Cyber Law enforcement. E-Commerce, E-Governance and E-Banking in particular have also contributed millions of job opportunities that can be attributed directly to the event of October 17, 2000, notifying the ITA 2000.

Now, under the leadership of Mr Modi, India is talking of a new era of digital progress beyond e-commerce and e-Governance. We are deep into Mobile Commerce and the use of Aadhaar as a universal digital ID. Smart Cities and IOTs are slowly becoming a part of our life. Electronic circuits are part of many of our day-to-day gadgets, including wearable watches, cars, washing machines etc.

Along with these developments in technology, Cyber Crimes are also increasing, and the Police are under constant challenge to tackle the new-age crimes.

In such an environment, it is the duty of every one of us who has directly or indirectly been affected by the advent of Cyber Laws in India and created Netizens out of Citizens to commemorate October 17 with the respect it deserves.

I therefore urge all Cyber Professionals to conduct their own special activities on this October 17 to just remember that this is the day when the “Digital Society of India” was born.

If you are in an educational institution, call your students and hold an awareness meeting.

If you are in a Company, have an “ITA 2008 Compliance Meeting”.

If you are a Bar Council member, call a meeting to discuss “Cyber Laws in India”.

If you are in the Police, conduct a meeting of your subordinates and increase the awareness of Cyber Crimes….

If you are in Indian Defense, develop an awareness of the world of Cyber Wars…the next war will be dominated by Cyber attacks.

And if you are Mr Narendra Damodardas Modi, call a cabinet meeting and make your Cabinet colleagues aware of the importance of developing and managing a “Cyber Law Compliant E-Governance system”.

Just as “International Yoga Day”, the “Digital Society Day” deserves to be commemorated.

Naavi

Posted in Cyber Law | 1 Comment

“Don’t BYOD” will be the new norm.

Over the last few years, tech enthusiasts have been encouraging BYOD, or Bring Your Own Device, as a concept in the corporate environment, first to reduce costs and then to bring more convenience to employees operating in a seamless fashion in the office and out of it. Over time, some are even suggesting “Bring Your Own Cloud” to encourage employees to use their own cloud storage even for storing the corporate data assets they handle.

However, security professionals have always raised a red flag for such innovative measures since it is a security nightmare to manage the IS principles of protecting the confidentiality of information.

Companies have tried to manage the issue with a firewall control that checks the integrity of the device every time it is connected to the corporate network. But this is hardly sufficient security against the risk of deliberate or inadvertent misuse of the device when it is connected to other networks at home or in public, and the possibility of stealthy viruses sneaking in. The only control for such possibilities is an updated anti-virus, which may however be updated only when connected to the corporate network and cannot prevent zero-day malware getting in between two working days when the device is off the corporate network.

Now the risks are expanding with mobile phones becoming smarter than they should be. There is malware known to activate the microphone or camera, record conversations in the vicinity and send them out through the network to a command and control center for further exploitation. Companies have countered this by trying to ban the use of mobiles in some sensitive operational areas, though many ignore such precautions.

Now, in an interesting security measure, the UK Government has banned the wearing of the “Apple Watch” in cabinet meetings since it is considered a spying threat.

Read the Article here

In the corporate world, the use of “Wearables” is the next craze, and one can see top executives looking smart with wearables that monitor their health and substitute for the mobile in some functions such as checking messages. There is no doubt that today most of us check messages on the mobile more often than we check the time on a watch, and hence it makes sense to display the messages on the wearable watch.

But it is time to recognize that companies need to start discouraging employees from bringing too much gadgetry into the sensitive corporate environment and putting security at risk. At the same time, it is time to add “Wearables” to the list of monitored BYOD devices on the corporate network.

When ITA 2008 undergoes the next revision, perhaps the Government needs to recognize the cyber crime threats arising out of such gadgets as part of the Cyber-eco system it should protect through legislation.

Naavi

Posted in Cyber Law