Naavi.org

When on July 16, 2013, naavi.org pointed out in its article “Loans Through SMS?”,it was the first time that it was pointed out that some thing fishy was going on under the website: http://www.cgtmse-govt.in . It was pointed out that the website could be a fraudulent site trying to lure innocent loan seekers and impersonated a Government website.

Subsequently, one of the readers (Mr Vinod) made some personal investigation and confirmed that the physical addresses given on the site was non existent.  At that time the main focus was that there was impersonation of a website cgtmse-govt.in. It was repeatedly pointed out that Government should take action in bringing down this phishing site.

However, Government did not do anything and the fraudulent website continued even after the Government changed in the Center from UPA to NDA. The site content promptly changed to suit the change in the Government.

Much later, with some of the efforts of people in Nagpur including Mr Mahendra Limaye, the site was closed.

In the meantime many people had lost money responding to the offer from the website. One such entity was Tushar Kant Mohanty of Raipur who had lost Rs 22.36 lakhs.  The amount was transferred from the victim’s account to the account of the fraudsters in Axis Bank and Punjab National Bank, two Banks frequently used by fraudsters due to prevailing  lose KYC practices.

Fortunately, the victim has now been able to recover his amount from the balance that was available at PNB through an order from the Chattisgarh Adjudicator.

Mr Mahedra Limaye must be congratulated on the successful conclusion of his client’s case and obtaining him the relief.

However, it is observed that the adjudicator has not found fault with CGTMSE which is was grossly negligent in facilitating the fraud particularly after it was informed way back in June 2013 that a fraud was being committed in its name. The Mohanty fraud occurred in April 2014 nearly an year after the fraud was brought to light and all those who contributed to the fraud through negligence and in action should have been made to pay a price for it.

Similarly, the Adjudicator has only ordered recovery of the credit balance that was available in the PNB’s account and has not penalized PNB and Axis Bank for being “Fraudster’s Bankers”.

Axis Bank has also not been made the respondent and hence escaped liability.

The Adjudicator should realize that Mohanty’s case is a representative case of the many other frauds that these fraudsters have committed and it is the duty of the Adjudicator to protect the interest of all these victims some of whom might not be in Chattisgarh or Maharashtra and were not the complainants in this particular complaint.

However, the Adjudicator had the power to take suo moto recognition of all such frauds and held PNB, Axis Bank and CGSMTE liable for facilitating the fraud through their negligence and lack of due diligence under Sections 79 and Section 85 of ITA 2000/8.

He could have also provided further damages to Mohanty to cover his expenses.

While we appreciate the Adjudicator for the order at a time when there are no other Adjudicators in the Country taking up such complaints, we would have been happier if the order had been simultaneously been made that the Banks and CGTMSE were liable for all others who had been defrauded by these fraudsters. He could have collected a fraud recovery amount of around 100 lakhs, from CGTMSE, PNB and AXIS Bank, acted as a receiver, collected applications from other victims and settled their claims. This would have set a precedent that would have helped in driving a sense of responsibility to these Banks and other agencies like CGTMSE.

Probably, Mahendra Limaye should file an additional petition on behalf of “Unknown Victims” and get a compensation awarded collectively like a “Class Action”. I suppose ITA 2000/8 has necessary powers.

 I hope PNB or the fraudster does not challenge the order so that the victim can atleast be happy that his actual loss has been recovered. Since the Cyber Appellate Tribunal is not operating appeal if any may arise only in Chattisgarh High Court. I urge that High Court should not intervene to grant any stay on this order if an appeal is made to them.

Naavi

Reference: Copy of the order

Hewlett Packard Enterprise has released its latest report (HPE Cyber Risk Report 2016) providing an interesting perspective on the threat landscape prevailing in 2015. The report is compiled by an analysis by the  research team of data collected from open source intelligence.

The research highlights the following key themes.

1. Collateral damage
2.  Overreaching regulations
3. Need for Broad impact solutions
4. Decoupling Privacy and Security efforts
5. Persistence of earlier threats
6. Attacks on Applications
7. Monetization of Malware

The detailed report is available here.

The report highlighted that in several instances, attacks touched people who never dreamed they might be involved in security breach, causing collateral damage. Two cases cited as example for such collateral damage were the cases involving the United States Office of Personnel Management and Ashley Madison. 

The report also highlighted that the reaction from the regulators to the attacks were often damaging and counter productive. It was observed that the over reaching regulations pushed legitimate security research underground.

The report indicated that the fixes to vulnerabilities should move from releasing patches to individual vulnerabilities to building sustainable defences to prevent attacks. It  urges Adobe and Microsoft in particular to invest in broad asymmetric fixes that knock out many vulnerabilities at once.

An interesting observation held out in the report is that in the wake of revelations by Edward Snowden and other whistle blowers have led to moves to erode “Privacy” rights in preference to “Security” needs.

It was also observed that many of the incidents arose from bugs already known to the market indicating that there was negligence in implementing security patches of the earlier years.

Report indicates that attackers have shifted efforts to attack applications directly rather than attacking the perimeter network.  It observes that with increasing use of Mobiles, the perimeter of a network is in the user’s pockets and the security practitioner needs to recognize this.

The report also highlights the growing malware market which has strengthened the attack industry and increased its disruptive capabilities.

Security professionals need to study the report in detail and factor the observations while building the security in their respective environments.

Naavi

Here are some of my views expressed in an interview with ISMG Asia on the recent TCS-Epic episode.

The interview can be accessed here:

P.S: Kindly note that the voice is slightly distorted and looks hurried through. I suppose it is because of some technical issue in recording.

Naavi

Earlier Article at naavi.org

Over the last decade and more specifically over the last few years, there has been a tremendous development in the use of ICT with the mobile technology taking firm roots. On the one hand Mr Modi has been promoting the “Digital India” concept and going all the way to promote the use of digital technology such as Aadhar.

Naavi.org has been cautioning the over use of the technology without appropriate safeguards such as information security and Cyber Insurance. However, certain types of regulation need to be cleverly drafted so that there is no misuse of technology but the regulation does not hurt development. Drafting of such legislation requires a knowledge of both the domain of legislation as well as the technology. Lack of such professionals in the bureaucratic circles appears to be creating situations where some decisions are taken at different ministries which directly affect Mr Modi’s development agenda.

There appears to be a set of people in the Governments who are hurt by the beneficial aspects of e-Governance and would like to curb the power of technology through new regulations. They seem to be targetting Cyber technologists with a vengeance by introducing restrictive laws that betray lack of understanding of the Cyber Business model solely to meet their short term goals some of which may be sinister Anti-Modi designs.

Two examples that stand out in recent times is the Arvind Kejriwal’s fight agaisnt Uber in Delhi and Karnataka Government’s bill on Aggregators of Taxi services. In both cases new laws have been passed to curb the growth of the new business.

Surge Pricing was bad to some extent but it had some logic. It could be regulated to prevent fraudulent pricing instead of bringing down the system itself. Karnataka’s law on taxi aggregators also tries to hit out at the new business model because the Government feared losing revenue from taxi operations.

Now a third fight has opened up in the new “Map Law” which imposes hefty fines upto Rs 100 crores for erroneous “Geo Spatial Information” besides possible 7 year imprisonment.

While the apparent intention was to ensure that India’s borders are not wrongly depicted by Google Maps, the law appears to actually hit the domestic start ups and small companies which are developing new business around the location of the user.

The new law would seriously hurt many mobile app operators who could be could be a taxi operator or a medical service or an ambulance service or a catering service or a grocery supply service. Today every business wants to know the location of the customer and make services available on “Near You” basis. Probably it could hit you and me who may use WhatsApp to share our location.

The draft law has now drawn the attention of the public that it may introduce an unintended licensing system  that could kill many small businesses and go completely against the “Start Up” concept that Mr Modi is promoting under the Digital India concept.

According to Section 4 of the proposed law,

“Dissemination, Publication or Distribution of the Geo-spatial Information of India.-Save as otherwise provided in this Act, rules or regulations made there under, and with the general or special permission of the Security Vetting Authority, no person shall disseminate or allow visualization of any geo spatial information of India either through internet platforms or online services, or publish or distribute any geo spatial information of India in any electronic or physical form. “

Under Section 9

“Any person who wants to acquire, disseminate, publish or distribute any geo-spatial information of India, may make an application along with requisite fees to the Security Vetting Authority for security vetting of such geo-spatial information and licence thereof to acquire, disseminate, publish or distribute such Geo-spatial Information in any electronic or physical form. “

Under Section 3,

“Save as otherwise provided in this Act, rules or regulations made thereunder, or with the general or special permission of the Security Vetting Authority, no person shall acquire geo spatial imagery or data including value addition of any part of India either through any space or aerial platforms such as satellite, aircrafts, airships, balloons, unmanned aerial vehicles or terrestrial vehicles, or any other means whatsoever”

Under Section 13

“Whoever disseminates, publishes or distributes any geo spatial information of India in contravention of section 4, shall be punished with a fine ranging from Rupees ten lac to Rupees one hundred crore and/or imprisonment for a period upto seven years. “

It is noted that the law criminalizes the dissemination of information without license by a stringent 7 year imprisonment term without even any hint of a need to prove some criminal intentions.

There is no “Exemption” provision that exempts users and any body else without malicious intentions from penalty.

There is no doubt that the law in its present form is absurdly draconian and will be struck down if challenged in a Court of Law. I hope the Government withdraws the law or makes substantial correction without exposing itself to another embarrassment in the Supreme Court.

If the law makers had any sense of the market place they would have restricted the penalty to only cases where the depiction of wrong borders was intentional and use of maps was for some anti national purpose. In every other case, a wrong map is a consumer protection issue and it would suffice if the consumer interest is protected with a penalty in the form of damages.

For example, if a map on a mobile App depicts there is an Adigas hotel in 5th Main, Chamarajpet, Bangalore and I search for the hotel for half an hour and cannot find it, it would suffice if I can collect a “Free Meal Coupon” as a compensation. There is no need for the app developer to be jailed for 7 years under a cognizable offence.

The law makers are simply unaware of how many of our businesses would be facing 7 year imprisonment term for their routine business activities on account of this new proposed law.

I cannot but think that the law has been framed only to defame Mr Modi and his efforts to promote Digital India by some bureaucrat who sits in the Government as a mole of Congress. Already a campaign has been mounted in Washington Post citing the absurdities of this law.

I wish Dr Subramanya Swamy finds out who actually was responsible for framing such a draconian law.

On the contrary, if this is simply a case of over enthusiasm and a blinkered vision that “Maps” means “Google” and “Apple” and hence one can think of Rs 100 crore penalty, then the concerned official should admit his ignorance and resign from his responsible position immediately or else removed.

 It is well known that this law will not deter Pakistan or China from depicting the maps of Indian Border as they wish. Hence the law will not have any effect but to make innocent Indian businesses to pay. It is expected that Apple or Google will pay whatever license fee is imposed on them and pass on the burden to the users such as the Zomatos, the Olas etc. The cost of doing business will therefore go up and the Ease of Doning Business index of India will dive down.

Hence there is a need for Mr Modi to immediately initiate corrective action.

I Invite public to send their views on this draft bill to jsis@nic.in within next 30 days to protect Digital India

Naavi

Related Article :  Livemint 

It has been reported that the IRCTC servers have been hacked and data base of millions of users compromised.

See article here

It is also learnt that the information is available on CDs for Rs 15000/- . (From unconfirmed private sources)

The fact that IRCTC has been hacked is no surprise. It perhaps happened long back and we have come to know of it only now.

The point that IRCTC does not have proper Information Security systems is being discussed in other fora.

At this point of time, it is not clear what information has been compromised and made public. If it is only the personal information about the name and e-mail address and used for spamming, it is perhaps tolerable.

However, if sensitive personal information including the Password, the PAN card detail, the Credit Card or Bank details have been compromised, it is unpardonable.

In such a case action should be initiated by Police and there is a need to send some body in IRCTC to jail.

It is a failure of the reasonable security practice under ITA 2008 and an assistance to commission of further frauds through recklessness with or without financial benefits.

At the same time, we cannot estimate when a past customer of IRCTC would be hurt. His confidential data may be used any time in the future to commit a fraud. Hence there is a need to protect every customer of IRCTC from possible future loss.

For this purpose IRCTC must immediately pick up a Cyber Insurance Contract and cover all their account holders against possible identity theft related losses in the next 3 years upto say an amount of Rs 5 lakhs. Whatever be the cost of such an Insurance must be boarne by IRCTC.

IRCTC should also immediately give a notice to all its customers by individual e-mail as per standard “Data Breach Notification Policy” (Please see CLCC for a draft of a model policy).

If such a policy has not been adopted, it confirms the lack of “Due Diligence”.

In January, TOI carried an article titled “IRCTC website a sitting duck for Hackware”. This was a notice on which remedial action should have been initiated.

Naavi.org has itself raised the possibility of hacking way back in August 2010 and also recently asked if IRCTC should have taken Cyber Insurance.

However, IRCTC has not taken any remedial measures and even now a google search on “IRCTC hacking” reveals many sites promoting hacking of IRCTC.

All this indicates complete negligence of the Information Security responsibilities at IRCTC for which the persons responsible must be held accountable.

I suppose some body should take up a PIL on this account.

The Supreme Court takes up many less worthy cases on Suo Moto basis and there are activists who hoist PIL litigation for innocuous matters which Courts spend time on.

Will any responsible Judge consider it worthwhile to take up this case on a Suo Moto basis and ensure that people who have shared their personal data with IRCTC are protected against losses arising out of the identity theft?

The PRO of IRCTC seem to have given a statement that the “Website of IRCTC is not hacked”

The PRO may not be aware that  it would not have mattered much if the website had been defaced rather than the data having been compromised. He is either unaware of the damage or has not shared the info with the public. Hope IRCTC releases a note through their website what exactly has happened and what are the risks to the public.

P.S: Will Aadhar data base be the next on CD on the streets?

Naavi

Naavi.org has several times brought to the attention of the public that certain certifying authorities are not following proper procedures for issue of Digital Signature Certificates and this can lead to frauds.

Earlier, one person associated with a Registration Authority had been alleged to have misused the digital signature of a Company Secretary in Bangalore to sign MCA certificates for a fee. Another instance from Delhi had been reported where directors of a Company were alleged to have used the digital signature of a deceased director and transferred the ownership.

Now, another allegation has surfaced in Bangalore where Dr Madhukar Angoor,  Chancellor of Alliance University has stated in a Press Conference that his family members have forged his digital signature to record resignation of himself and his wife to transfer the control of the University when he was abroad. (The case also involves the apparent misuse of laws meant for protection of women where false rape charges are routinely filed to defame and trouble innocent persons, which is outside the scope of this article.)

Also See  Article in Deccan Herald:  Indian Expres

It appears that the English press seems to have not noticed the Cyber Crime angle while Kannada Prabha has reported the misuse of digital signature. This would involve Section 66C and 66D besides, several other sections of ITA 2000/8 and IPC.

It may be easier to investigate the Cyber Crime which may also be a proof of the property motive that could be behind the “rape” charge.  The investigation may also expose some Certifying Authority and their Registration Authority who might have abetted the crime.

It is interesting to note from this earlier article in Bangalore Mirror  that the sister who has lodged a rape complaint on behalf of her daughter is the “Wife of an IPS Officer”.

Justice therefore awaits overcoming the barriers of conflicts of interest in investigation.

Naavi