IRCTC hacking.. What Next?

It has been reported that the IRCTC servers have been hacked and the database of millions of users compromised.

See article here

It is also learnt that the information is available on CDs for Rs 15000/-. (From unconfirmed private sources)

The fact that IRCTC has been hacked is no surprise. It perhaps happened long back and we have come to know of it only now.

The point that IRCTC does not have proper Information Security systems is being discussed in other fora.

At this point of time, it is not clear what information has been compromised and made public. If it is only personal information such as name and e-mail address, used for spamming, it is perhaps tolerable.

However, if sensitive personal information including the Password, the PAN card detail, the Credit Card or Bank details have been compromised, it is unpardonable.

In such a case action should be initiated by the Police and there is a need to send somebody in IRCTC to jail.

It is a failure of the reasonable security practice under ITA 2008 and an assistance to the commission of further frauds through recklessness, with or without financial benefits.

At the same time, we cannot estimate when a past customer of IRCTC would be hurt. His confidential data may be used any time in the future to commit a fraud. Hence there is a need to protect every customer of IRCTC from possible future loss.

For this purpose IRCTC must immediately take up a Cyber Insurance Contract and cover all their account holders against possible identity theft related losses in the next 3 years up to, say, an amount of Rs 5 lakhs. Whatever the cost of such an insurance, it must be borne by IRCTC.

IRCTC should also immediately give a notice to all its customers by individual e-mail as per standard “Data Breach Notification Policy” (Please see CLCC for a draft of a model policy).

If such a policy has not been adopted, it confirms the lack of “Due Diligence”.

In January, TOI carried an article titled “IRCTC website a sitting duck for Hackware”. This was a notice on which remedial action should have been initiated.

Naavi.org has itself raised the possibility of hacking way back in August 2010 and also recently asked if IRCTC should have taken Cyber Insurance.

However, IRCTC has not taken any remedial measures and even now a Google search on “IRCTC hacking” reveals many sites promoting hacking of IRCTC.

All this indicates complete negligence of the Information Security responsibilities at IRCTC for which the persons responsible must be held accountable.

I suppose somebody should take up a PIL on this account.

The Supreme Court takes up many less worthy cases on Suo Moto basis and there are activists who hoist PIL litigation for innocuous matters which Courts spend time on.

Will any responsible Judge consider it worthwhile to take up this case on a Suo Moto basis and ensure that people who have shared their personal data with IRCTC are protected against losses arising out of the identity theft?

The PRO of IRCTC seems to have given a statement that the “Website of IRCTC is not hacked”.

The PRO may not be aware that it would not have mattered much if the website had merely been defaced; it is the data having been compromised that matters. He is either unaware of the damage or has not shared the information with the public. Hopefully IRCTC releases a note through their website on what exactly has happened and what the risks to the public are.

P.S: Will the Aadhaar database be the next on CD on the streets?

Naavi


Digital Signature misuse reported in Bengaluru

Naavi.org has several times brought to the attention of the public that certain certifying authorities are not following proper procedures for issue of Digital Signature Certificates and this can lead to frauds.

Earlier, one person associated with a Registration Authority had been alleged to have misused the digital signature of a Company Secretary in Bangalore to sign MCA certificates for a fee. Another instance from Delhi had been reported where directors of a Company were alleged to have used the digital signature of a deceased director and transferred the ownership.

Now, another allegation has surfaced in Bangalore where Dr Madhukar Angoor, Chancellor of Alliance University, has stated in a Press Conference that his family members forged his digital signature to record the resignation of himself and his wife and transfer control of the University while he was abroad. (The case also involves the apparent misuse of laws meant for the protection of women, where false rape charges are routinely filed to defame and trouble innocent persons, which is outside the scope of this article.)


Also see the article in Deccan Herald and the Indian Express.

The English press seems not to have noticed the Cyber Crime angle, while Kannada Prabha has reported the misuse of the digital signature. This would involve Sections 66C and 66D besides several other sections of ITA 2000/8 and the IPC.

It may be easier to investigate the Cyber Crime, which may also be proof of the property motive that could be behind the “rape” charge. The investigation may also expose some Certifying Authority and their Registration Authority who might have abetted the crime.

It is interesting to note from this earlier article in Bangalore Mirror that the sister who has lodged a rape complaint on behalf of her daughter is the “Wife of an IPS Officer”.

Justice therefore awaits overcoming the barriers of conflicts of interest in investigation.

Naavi


Will HHS impose a hefty fine on American Dental Association?

In what may be described as an unfortunate but grim reminder of the risks that we run in Cyber Space, the American Dental Association (ADA) appears to have exposed itself to the risk of a hefty fine from the Department of Health and Human Services (HHS), which regulates HIPAA and HITECH Act implementation in the USA. (P.S: I thank Mr Avkash Kathariya for bringing the incident to my notice)

The Association recently sent a soft copy of the CDT 2016 manual on a flash drive.


It was found that the flash drive contained a link to a website known for distribution of malware. This article in krebsonsecurity.com indicates that the malware in this official communication was detected by a security professional who checked the flash drive before using it.

In an inevitable “disclosure and Remedial Action”, the Association released an e-mail alert on the incident.

A copy of an e-mail which the Center for Informatics and Standards of the American Dental Association recently sent to its customers is reproduced below.


HHS normally imposes hefty fines for potential or real disclosure of PHI by Covered Entities and Business Associates. This incident exposes the possibility that malware could have been injected into the systems of any of the users, and it has to be recorded as a “Suspected Security Breach Incident” by every one of the users who is subject to HIPAA compliance requirements. Whether or not there has been any actual data breach, it would be necessary for these entities to document the incident, conduct an appropriate internal investigation and record (hopefully) “There was no breach of unsecured PHI”.

The incident could have been a major disaster in the health care industry, resulting in unprecedented levels of PHI data breach. We should be relieved that it was detected early, and the security specialist responsible for the detection, identified as “Mike”, a member of a forum titled DSL Reports, deserves to be given a major bounty by ADA and HHS.

In India, “Distribution of a Computer Contaminant” would invoke action under ITA 2008, both civil and criminal. The Computer Abuse Act in the USA may have similar provisions, and action can be taken against ADA for payment of damages and for criminal negligence, while HIPAA itself may not be able to impose a penalty on ADA.

The incident however is a big lesson to every organization that sometimes distributes useful data with good intentions loaded onto a CD or flash drive. The work is often subcontracted to some supplier who may have no idea of the security issues involved in distributing malware along with the intended content.

The least that a content provider may do in such circumstances is to take care to digitally sign the file and include a disclaimer and alert that enables the user to scan the data for malware before use.

Naavi


Wiping Every Tear from Every Eye.. Forget Courts…Transform from Litigation to ODR

During a recent meeting of Chief Justices of High Courts, the Chief Justice of India, Mr T.S. Thakur, broke down emotionally under the burden of a perceived guilt of the Judiciary in not being able to reduce the pendency of cases.

While this brought out the frustration of an honest Chief Executive of the system, I could not miss a feeling that the solution is staring at us and we have not perhaps identified it.

The solution lies squarely in an aggressive promotion of the system of ADR (Alternate Dispute Resolution). Being from the IT enabled legal services industry, it was natural for me to immediately feel the increased need for the use of ODR to accelerate the ADR process itself.

After all, the Modi Government passed the Amendment Act to the Arbitration and Conciliation Act 1996 on 31st December 2015, enabling the use of electronic means for conducting ADR. The amendment also contained what may be considered a revolutionary proposal to fix a specified time limit for completion of Arbitration, with incentives and disincentives for variations.

Now all those Advocates and Professionals who have the necessary legal and domain experience and the “Urge to Resolve Disputes” should consider setting up their own “Dispute Resolution Centers” (also identified as Arbitration and Mediation Centers) so that in the next couple of years we have a huge capacity build-up in Dispute Resolution, which will at least ensure that there is no further build-up of cases in the overworked Judiciary.

Naavi’s ODRGLOBAL.IN proposes to provide the technical infrastructure to enable and empower such professionals so that they can conduct online dispute resolutions and apply their arbitration and mediation skills to good use.

Of course, skills in Arbitration or Mediation have to be nurtured. They are different from what advocates learn while acquiring an LLB or practicing in a Court of Law. Perhaps we may consider that Mediation is more an “Art” than a taught and learnt skill. However, professionals must make efforts to polish their dispute resolution skills before they plunge full scale into this new profession.

The first thing an “Arbitrator”, an Advocate participating in Arbitration proceedings, or even the litigant parties need to understand is that a “Litigation” is more often a “Win-Lose” fight, whereas Arbitration, and more so Mediation, is a “Win-Win” negotiation.

Further, the Judge in a litigation is strictly constrained by the inefficiency of the counsels and cannot go beyond the evidence and argument provided by them, even if it is inefficient and incorrect. An Arbitrator has greater freedom to find a solution and can intervene more pro-actively than in a litigation.

In a mediation, the emphasis is on driving towards a mutually agreeable conclusion and not on being correct on a point of law.

If this principle of “Win-Win” is understood and implemented, then society will be a lot better off in the next decade when the pending 3 crore cases are resolved: instead of the Courts creating 3 crore dissatisfied losers trying to take revenge on 3 crore winners, we would have 6 crore happy, formerly disputing parties.

(P.S: I agree that not all disputes are amenable to a Win-Win solution. But the principle needs to be appreciated.)

If we agree, the question then arises:

a) If I am a professional advocate or a domain specialist

Should I become an Arbitrator?

Should I ask my clients to include an arbitration clause in the agreement providing for “Online Arbitration on the technology platform of www.odrglobal.in”?

…. perhaps it is time to consider.

b) If I am a consumer-facing organization, say a Bank or a White Goods manufacturer or a Service provider, or an e-Commerce player,

Should I start incorporating the ODR clause into my contracts? (with odrglobal.in as the technology platform)

…. perhaps it is time to decide

This transformation from a “Litigation Mindset to ODR Mindset” could be an innovation in the dispute resolution industry that can wipe “Every tear from Every eye”….an evergreen mission for all nation builders.

Whenever we discuss an “Innovation” with established industry practitioners, we come across a dilemma.

They often ask….

Should I be the first to try it out? Are there some unknowns which I cannot identify?

Most of the conservative practitioners come to the conclusion: let me not be the first; let me wait for others to implement the innovation and then come in.

No doubt this is a common human trait and we need to respect the cautious attitude of such “Safety First-Innovation Next” kind of professionals.

But behind this attitude lies the quality of management: “Should I be a Leader, or am I content being a Follower?”

The entire “Start Up” industry is built on the premise that “Innovation is the Key to Success”. No doubt some or even many innovations may fail. But as long as the innovator hedges his risks to the extent that he will not go down with a failed innovation, there is no reason not to try to be an innovator.

In fact it is the few innovators who succeed who turn out to be the industry leaders and icons.

Today, I would like to ask a question of all the Legal heads of companies, including Infosys, Wipro and Flipkart, as well as the Toyotas, Whirlpools, Citi Bank or State Bank etc., or for that matter any consumer-facing Company: why should they not take the lead in using ODR as a dispute resolution mechanism between themselves and their Customers?

It would be an “innovation” that may distinguish them as a leader rather than a follower. Will these companies, who are known leaders in their respective fields, be bogged down by the thought “Let others try... then I will follow”? I hope not.

I call upon all the legal heads and business heads of companies to step into this new world of ODR and contribute to the vision of “India as a Global Hub of ODR”.

I request all readers to forward this post to any of their known legal contacts in the industry and seek their response and feedback, which may be sent to Naavi.

Naavi


Have Russian Hackers entered India? Attacking State Bank of Mysore and Bank of Baroda?

Recently two bank fraud incidents have been reported, one from State Bank of Mysore in Karnataka and another from Bank of Baroda in Lucknow, where security specialists have suspected hacking of the Banks’ servers without any compromise of information at the POS or on the customer side.

Reference:

Hindu and Hindu Business Line on SBM fraud

TOI on BOB fraud (P.S: Though this was a case of hacking into dormant accounts by an insider, there is a failure of information security even in this fraud.)

nyooz.com on BOB

In the background of these frauds, one can read the articles from Kaspersky published a few months back titled “Dozens of banks lose millions to cybercriminals attacks” and “APT-Style bank robberies on the increase”.

These articles state that Kaspersky, which exposed a sophisticated bank fraud gang by the name Carbanak last year, has now identified threats from two more gangs by the names Metel (or Corkow) and GCMAN. It also said that Carbanak has re-emerged with new targets. Some of these attacks involved spear phishing of Bank employees.

It appears that the recent attacks in India may indicate activity similar to what has been reported there.

One of the strategies reportedly used is to first gain access to a user’s computer and plant a trojan. The trojan may crash some application such as Microsoft Word, in the expectation that the admin will be called to set things right. When the admin logs into the victim’s computer with his password, his credentials are captured by the attackers. Using these, the attackers slowly get into other systems until they are able to compromise the fund transfer systems, leading to further frauds.
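The chain described above leaves a recognisable trace on the defender's side: a privileged account logging on interactively to an ordinary workstation, followed shortly by the same account reaching other servers from that workstation. The following detection sketch is an added example, not code from the article or from any bank; the log format, the account and host names, and the sample records are all constructed for illustration.

```python
"""Flag privileged logons on a workstation followed by lateral use from it.

Assumptions (constructed for this example):
- Each log line: <iso-time> <target-host> <account> <source-host> <logon-type>
- The lists of privileged accounts and sanctioned admin hosts are known.
"""
from datetime import datetime, timedelta

PRIVILEGED = {"admin.ops"}       # accounts whose credentials matter most
ADMIN_HOSTS = {"JUMP-01"}        # hosts where privileged interactive logons are expected
WINDOW = timedelta(hours=2)      # how long after the workstation logon we look

# Constructed sample: the admin is called to user workstation WS-017 after an
# application "crash"; the same account is then used FROM WS-017 to reach a file
# server and a payment gateway. The later JUMP-01 logon is the sanctioned baseline.
SAMPLE_LOG = """\
2016-04-20T09:02:11 WS-017 admin.ops WS-017 interactive
2016-04-20T09:14:40 FILESRV-02 admin.ops WS-017 network
2016-04-20T09:21:05 PAY-GW-01 admin.ops WS-017 network
2016-04-20T13:05:00 PAY-GW-01 admin.ops JUMP-01 network
2016-04-20T09:30:00 WS-017 user.rahul WS-017 interactive
"""


def parse(log_text):
    """Parse the constructed log format into time-sorted tuples."""
    events = []
    for line in log_text.splitlines():
        ts, host, account, src, kind = line.split()
        events.append((datetime.fromisoformat(ts), host, account, src, kind))
    return sorted(events)


def find_lateral_from_workstations(log_text):
    """Return alerts as (account, workstation, [hosts reached from it]).

    An alert fires when a privileged account logs on interactively to a host that
    is not a sanctioned admin host, and within WINDOW the same account is seen in
    network logons whose source is that very host. Logons sourced from admin
    hosts and non-privileged accounts are ignored.
    """
    events = parse(log_text)
    alerts = []
    for t0, host, account, src, kind in events:
        if account not in PRIVILEGED or kind != "interactive" or host in ADMIN_HOSTS:
            continue
        reached = [h1 for t1, h1, a1, s1, k1 in events
                   if a1 == account and k1 == "network" and s1 == host
                   and h1 != host and t0 <= t1 <= t0 + WINDOW]
        if reached:
            alerts.append((account, host, reached))
    return alerts


if __name__ == "__main__":
    for account, ws, hosts in find_lateral_from_workstations(SAMPLE_LOG):
        print(f"ALERT: {account} used from workstation {ws} to reach {hosts}")
```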

What we have seen in SBM now, with small amounts being transferred, may be only a testing of the fraud, and we may soon see a major break-in at SBM which may shake the Bank and put its customers into great pain. Maybe a similar threat exists in other banks also.

The recent failure of basic information security principles in an otherwise reputed company like TCS leading to a Rs 6000 crore damage on the Bank is an indication that most of the companies (including the Banks) have very weak security culture.

Additionally the opening of Unified Payment Interface opens up the mobile network to one part of the Banking servers which can be used by hackers to worm their way up the network into the core banking servers and launch a major attack to bring down a bank.

Knowing the attitude of Banks and RBI, nothing constructive is expected to be done to prevent such attacks and hence it would not be long when this prognosis may sadly come true.

I would therefore advise Bank customers to manage their risks by spreading their bank balances across multiple Banks and ensuring that all the eggs are not in a single basket. Better still, spread it across smaller banks, including cooperative banks without internet and mobile banking, so that their hard-earned savings are protected.

Naavi


SBI introduces a long awaited security measure to control Card frauds

State Bank of India has been one of the Banks specially targeted by Card fraudsters for cloning and fraudulent withdrawal. A few years ago, the Damodaran Committee of RBI recommended the most sensible control, whereby the customer should be given the ability to switch the online banking facility on and off.

Now we understand that SBI has introduced an “SBI Quick” service where a customer can switch the use of debit cards on and off through SMS and/or missed calls.

While the full details of how the system operates and whether it would be limited to the use of Debit cards or would be extended to credit cards, are awaited, the service in principle is welcome and has to be a mandatory feature.

This is similar to the locking and unlocking of the STD facility on a phone in the olden days.

Hopefully the implementation of SBI Quick will ensure that the security weaknesses in the current system do not also spill over into this locking and unlocking system, whereby a fraudster may just look at it as one additional step to cross before he continues to do what he is presently doing.

More info here: 

Naavi
