Beware of Malware carrier and Hoax emails on ISIS-Paris attack themes

As could be expected after any global catastrophic event, the ISIS attack in Paris has also given rise to fraudulent e-mails. Some of them could be hoax e-mails and some could be carrying malware, prompting the receiver to click on a link.

Public should be careful not to fall prey to such e-mails.

Some of these e-mails or messages are also circulating in WhatsApp.

Some of the reported hoax mails/messages are:

1. Singapore Police Notice

[Image: singapore_hoax_isis]

2. We All Paris Hoax

[Image: we_all_paris_hoax_isis]

These may be considered as indicators of what is to be expected. Some of the fraudsters will send spear phishing mails which may say something as follows:

“Police in Paris identify an employee of xxx company as a suspect of Paris attacks. Click here for the photo released by the Police.”

Such an e-mail may be sent to all employees of the organization named in the e-mail, prompting them to open it immediately to see which of their colleagues is a suspect, and thereby invite malware.

The public should therefore be extremely careful to avoid opening any attachments in such an e-mail, and also avoid circulating hoax mails in the belief that they are true. Such forwards may entrap the receivers, since they would consider the message as coming from a known person.

Naavi

Posted in Cyber Law

Hacktivists now have a point to prove. Let’s see whether they can Walk the Talk.

The Paris Attack of 13/11 (2015) by ISIS would be an event which will change the face of the earth. On the one hand, it has galvanized France and other nations, including Russia, which suffered an attack a few days back in the form of a bomb on a plane, into an all-out war on ISIS on the ground. At the same time, it has galvanized the powerful Anonymous hacker group to take down the cyber assets of ISIS.

It looks a little strange that one group of mercenaries, who have enemies all around them including the neighbouring Muslim states of Syria and Iraq, can threaten the whole world and challenge countries such as France, the UK, the USA and Russia all at one time. But the power of “Terrorism” is such that, as asymmetric warfare, it has the power to challenge conventional forces with greater fire power. The difference lies in the motivation to fight and the unconventional methods used to strike.

For these countries, who fought two world wars as allies, this is the “Third World War” unfolding in the form of ISIS. It appears that they have a renewed resolve to fight ISIS after the Paris attack. But one has to wait and see how long this enthusiasm lasts. Whether the allies will go for complete control of the ISIS-controlled land, as Sri Lanka successfully did against the LTTE, or back off at some point of time for their own reasons, is difficult to foresee. But it can be expected that as the Allied forces succeed in pushing back ISIS in the physical world, they will increasingly go underground, spread out and start attacking the world in a series of terrorist attacks.

Breaking the link to the command and control centre over such distributed terrorists, and starving them of money and ammunition, would be an important requirement if these terrorists are to be neutralized. It is in this context that winning the Cyber War against ISIS is as important as winning the war on land.

It is therefore interesting for us to watch the Cyber War that is unfolding between the Anonymous hacker group and ISIS. The hacker group has issued a statement that they would hunt down and destroy ISIS in Cyber Space. (Read article here). It is reported today that the hacker group has already brought down over 5500 Twitter handles in the last two days. But this should be only the starting point. What is important is whether the terror plans can be disclosed before execution and forced into failed or abandoned missions.

The group has also released a guideline on how to proceed with hacking into ISIS assets. (See the report here)

During the post-Paris-attack investigations, it has been speculated that the terrorists might have used the Sony PlayStation 4 game console for in-game communication to plan and execute the attacks. It is a given that the execution of any major coordinated terror attack (which some have called a Wolf Pack attack) requires extensive planning, and therefore a good stealth communication channel that can be sustained over a period of time.

Some experts do not agree that the PS4 was used for communication in this case. It does not actually matter whether or not the PS4 was used for communication in this attack. But the possibility of a “Video Gaming” platform being used for communication cannot be ruled out. In future, these communication channels need to be monitored by the intelligence agencies to get the scent of what is brewing in the terror camps. Apart from the Sony PlayStation or Xbox type of gaming consoles, there are many online gaming sites where groups can be formed apparently for a gaming situation and messages exchanged. It would be a near impossible task for the intelligence agencies to monitor such communication in real time.

However, it should be possible to develop necessary algorithms to monitor the pattern of group formation and communication in these game situations to flag any suspicious activities that can be taken up for monitoring on an exception basis. Probably the companies such as Sony and Microsoft themselves may develop such tools to monitor the misuse of their properties.

Presently the Sony PlayStation privacy statement does provide that Sony retains the right to monitor and record the communication between users of the PlayStation Network. This indicates that they do have the necessary backdoors that can be activated for monitoring users’ activities.

Creating an automated system of analytics is a logical step ahead, given the fact that there are over 110 million users, of which 65 million are active at any point of time. This is a Big Data challenge that needs to be overcome, and would be overcome perhaps in the immediate future.

It is also considered possible that terrorists may superimpose cryptographic techniques to hide their messages. But such techniques can hide the messages, not the suspicious pattern.

Breaking the communication network of ISIS is an important step in winning the Cyber War. Whether the Anonymous hackers can go beyond taking down Twitter accounts into monitoring and revealing terror plans in advance to law enforcement will determine to what extent the hackers can help destroy ISIS as an organization that can survive beyond the physical annihilation that the Allies can inflict on the ground.

Another significant part of the Cyber Warfare is to trace the monetary assets of ISIS in cyber space and destroy them. It is worth watching whether the Anonymous hackers can attack the financial assets of ISIS and starve them of their funds.

While the Allies are expected to fight the war both in the physical space and in cyber space, the Anonymous hackers will fight only in Cyber Space. But their contribution to winning this war for the sake of humanity in general is very important, and history will recognize this contribution if it succeeds.

Technology is known to create problems, and it is time technology also found solutions to benefit mankind. Hacktivists now have a point to prove. Let’s see whether they can walk the talk.

Naavi

Posted in Cyber Law

Can the “e-Janata Bazaar” carve out the future of Digital India?

In the early days of E-Commerce development, the undersigned had been a great fan of the “Brick and Click” strategy for business development. The idea was to leverage the strength of the physical presence of a business with the business potential in the cyber society. It was also considered that this strategy would insulate the business from emerging competition in either of these two domains and force the challenger to also come up with multi-domain expertise. Some of the services proposed by Naavi, such as the CEAC, Cyber-Notice.com, etc., are all trying to build themselves on this principle.

One of the developments that catches my eye now is the emergence of a mobile app named “Zopper”. This is an app which tries to challenge the hold that pure e-commerce players such as Flipkart have established in certain markets. It is an idea to leverage the “Reputation of Physical Presence” with the “Convenience of E-Presence”.

In simple terms, it is an aggregation service that enables local stores to find a presence in the e-space. Just as Practo gets doctors into the e-fold and Ola Auto gets auto-rickshaw drivers onto the bandwagon of the mobile space, Zopper has the declared objective of bringing local stores onto the e-wagon. It is a good service to these less tech-savvy retailers, who would otherwise need the assistance of an elaborate technical team to get onto the e/m-space.

(Disclaimer: This is not a promotion of Zopper app).

After the recent debacle of the BJP in Bihar, I recall the number of times I have raised the issue of Chandrababu Naidu’s earlier experience of losing an electoral battle despite his wonderful contribution in the IT space in Hyderabad. Even in future, Modi’s Digital India dream will continue to face these challenges. The Land Acquisition Bill has already been grounded. The GST bill is unable to make progress. Congress will continue to oppose every progressive step that the Government initiates, and soon Congress will start attacking Modi’s Digital India project.

I have been warning the Government that if there is any large-scale information security breach and losses to the common people through Aadhaar misuse or credit/debit/ATM card misuse, then the blame will be placed on this Government. I will not be surprised if the opposition parties arrange a major hacking attack on the JanDhan scheme beneficiaries just before the 2019 Lok Sabha elections to discredit this program on which Modi places repeated emphasis.

Hence I feel that not focusing on proper strategies for Digital India will be harmful to the future of Mr Modi and to the development of India. Such strategies must cover both the aspect of “Security”, which I have been highlighting under the “Secure Digital India” concept, and the question of what kind of business/Governance can be run on an e-commerce/e-Governance platform, and how.

I find Zopper-type apps to be a tool to ensure that the “FDI policy in retail” will not harm local retailers. Similarly, the price rise of rice and dhal, which was one of the factors that affected the BJP along with caste equations, can also be tackled by a proper E-PDS policy implemented through a Zopper-type network of retailers who can distribute dhal and rice at reasonable prices to the public (including the middle class).

If properly implemented, the Government can run a Public Distribution System for the Middle Class (PDS-MC) as a separate system at a fraction of the cost of the current Public Distribution System for BPL families, which can continue in its present form. The PDS-MC can focus on such goods as middle-class families may require and offer them at a reasonable price with an assurance of quality and reliability. It could be like the old concept of the Janata Bazaar. SMEs and Public Sector enterprises may use this platform for marketing their products in direct competition with the Flipkarts, Snapdeals and Amazons as well as the Big Baskets, Pepperfrys or Peppertaps. Once the network of local stores on the e/m-space gets established, the Government can even think of FDI in multi-brand retail without any backlash from the market or from political adversaries.

Just as there is a disruption in the finance sector with the mobile wallets, let there be a revolutionary disruption in the retailing segment through the e-Janata Bazaars.

I am confident that, if properly handled, these e-Janata Bazaars can work towards reducing the consumer price of essential commodities to the levels of 2014, when Mr Modi took over, and restore the lost confidence in the Modi Government in part of the electorate.

Naavi

Posted in Cyber Law

Bug Bounty Program from Government is required

It was heartening to note that during the recent Cyber Security Summit in Delhi (Ground Zero), Mr Rajnath Singh, the Home Minister, stressed the need for “Cyber Security” for the success of other Government initiatives such as Digital India.

Naavi.org has not only been highlighting this issue for a long time but also urging specific action plans from the Government in this regard, including “Cyber Insurance For ALL” as a Government initiative. Naavi also initiated a private sector Special Interest Group on “Secure Digital India” with the hope that other security professionals would join hands in providing voluntary inputs on information security to the Government. As a further follow-up, Naavi also initiated the “Cyber Law Compliance Center”. Naavi had also stressed the need for a revision of ITA 2008 with a vision on futuristic issues such as the Internet of Things (IoT) and Big Data, with a document on “Cyber Law Vision-2018”. After noting that the Government of India has set up an expert committee for a review of ITA 2000/8, Naavi has now also invited experts from the private sector to contribute ideas on what needs to be done in this regard through the “Special Interest Group on Amendment to ITA 2000/8”.

In all these efforts, the efforts of Naavi are unlikely to gather as much support as they deserve from the community. The reason is not that others are not as concerned about the welfare of the Digital India project as Naavi is, but that they all feel it is futile to do anything voluntarily for the Government or the country since it would not be appreciated.

Probably they are right, but like an eternal optimist Naavi will continue to voice his views through Naavi.org and expect that, just as many of his ideas have taken years to find support, these will also gain acceptance over a period of time, if not in this tenure of Modi, then in his next tenure.

However, looking at the reasons for the lack of trust between Information Security professionals and the Government, the article “It’s No Secret That the Government Uses Zero Days for Offense”, published on eff.org, gives a hint.

Though this article reflects developments in the USA, it has universal application. The article highlights the fact that the Government of the USA is guilty of using many “Zero Day Vulnerabilities” to snoop on its own people, rather than trying to secure the Digital Space with counter action that protects society against such vulnerabilities.

A citizen would think that if he finds a vulnerability, he has a duty to inform the Government so that society is kept safe. Many Information Security specialists also feel the same. Some of them do their best to contact the source of the vulnerable software so that the vulnerabilities are corrected. But companies driven by their business interests and immediate profit goals often do not make the necessary corrections and let the vulnerabilities remain. Some companies may reward the informers through a Bug Bounty program, but most do not have such programs in operation.

When companies fail to remove vulnerabilities, the security professional who pointed out the vulnerability has two options. One is to inform the regulatory authorities in the hope that they will initiate action against the company which has released vulnerable software and endangered the community of users; the other is to teach the laggard company a lesson by actually exploiting the vulnerability and making it more visible to the public.

If he chooses the second option, he will be called a “hacker” and probably be punished by law. If he chooses the first option and the Government itself tries to exploit the vulnerability instead of bringing about a correction, he will soon develop a distrust of the Government and eventually become a rebel and a hacktivist.

I invite sociologists to conduct a study of the mindset of “Information Security Professionals who turn into Hackers” and identify the reasons for such a transformation, which is detrimental to society.

At the same time, the minority of Information Security Professionals who resist the temptation of hacking and remain “Compliance Consultants” need to be identified, encouraged and recognized.

In the light of these thoughts, I would like to draw the attention of the Government to some of the following action elements.

If the Modi Government wants to continue its economic policy thrust based on Digital development, despite the reverse in Bihar, and avoid the fate of Mr Chandrababu Naidu in Andhra, there is a need to merge the digital policies with social goals.

In working towards this goal, it is essential to ensure that the community understands and supports whatever we are doing sincerely for the good of the country. Just as political opponents can make capital out of anything, including a well-designed suit, and there are a majority of people who are happy to continue living in a half-torn dhoti and say “Jai Lalu”, there are information security professionals who may turn into “Hackers” (or hacktivists) if they are not with you.

If the Government is to succeed in its mission “Digital India”, it is therefore essential for it to cultivate these IS professionals and take them on its side.

As somebody watching the developments in the Government and also closely watching the Information Security industry, I can categorically say that India possesses a huge talent pool of information security skills which is today not being tapped by the Government.

Many of these professionals are productively engaged in the private sector, and some are successful entrepreneurs in the field of security. But the best in the field may be staying aloof from Government projects since they are not in the privileged “List of Accredited Experts” who get appointed as “Brand Ambassadors” and “Members of Expert Committees”.

The Government therefore needs a policy to bring such experts into the mainstream and give them the psychological satisfaction of having contributed to the growth of the country.

So far the policy of the Government has only been to introduce some courses in colleges and sponsor some workshops conducted by NASSCOM or DSCI. But most specialist Information Security professionals are outside the gamut of the Government-sponsored organizations and are not easily reached. They were not trained in engineering colleges and do not hold the degrees and certificates on the basis of which the Government tends to measure their utility.

The participation of Mr Rajnath Singh in events such as Ground Zero was therefore a welcome development, and such interactions need to increase in future. One of the positive outcomes of this meeting is a policy initiative to start the Indian Cyber Crime Coordination Centre (I-4C) and the formation of a National Cyber Registry.

Bug Bounty By Government

Maybe, in the context of the US Government using Zero Day vulnerabilities for its own purposes, a comprehensive policy for “Disclosure of Vulnerabilities” providing for a Bug Bounty from the Government side would be desirable, to enable the reporting of zero day vulnerabilities without distrust of the Government.

Some would scoff at this idea of a “Bug Bounty by Government”, may not agree, and may feel that the Government should not take over private sector responsibilities. But I would like to state that the Government is a stakeholder in any vulnerable IT program in the public space, since it leads to a “Law and Order Issue in Cyber Space”.

If an Ola program or a Flipkart program or a Paytm program is vulnerable, and a million customers find their credit card data compromised and a few thousand of them get exploited, then there will be a huge issue of credibility for our online banking system. Hackers and enemy states may attack our banking system through these vulnerable private-sector apps. Hence the Government has a duty to watch the space and take curative action while the vulnerabilities are still at Zero Day status. This is like the public safety body raising an objection when a private multi-storeyed building is being constructed without safety features.

If there is a good Bug Bounty Program by the Government, then the citizen who discovers a vulnerability will have a reason to report it and also to create a record of the report. He can be rewarded immediately, and later with a suitable recognition (Padma Bhushan?.. non-returnable!) that goes beyond educational qualifications.

Having taken the vulnerability on record under the Bug Bounty Program, the Government would not be able to misuse the vulnerability. On receipt of such a notice of a vulnerability, the Government can send a suitable notice to the developer, get the feedback, and impose a fine to recover the cost of the bug bounty program. The program will therefore be a self-financing program.

Hopefully, the developers will insure themselves against such unexpected losses through a Cyber Insurance plan that covers the risk of being fined for vulnerabilities. (A new policy opportunity for Cyber Insurers!)

The actual reward to be paid and the fine to be imposed may vary based on the threat impact assessment of the vulnerability. It can be a token of Rs 1000/- or a maximum of, say, Rs 5 lakhs, depending on the assessment, for which some transparent guidelines can be developed.

Remember that if the vulnerability gets exploited, then the liability of the organization releasing/using the software can be higher as per ITA 2008. Hence the system of a Government Bug Bounty program, with a fine to cover its cost, could be an acceptable suggestion which even the software/app development and user companies may welcome.

If the program requires an amendment to ITA 2008, it can be addressed by the new “Expert” committee being set up for the purpose of amendment (if such “Experts” have a vision beyond the limited objective of restoring Sec 66A in a form acceptable to the Supreme Court).

In fact, the software/app buyer can ask the developer to indemnify him against any such vulnerabilities reported in the first month after release, and take over the liability himself thereafter. This will improve the quality and testing of software before it is delivered for public use.

The program, if introduced, will therefore help the goal of Secure Digital India in multiple dimensions, and I request the Government to consider it in right earnest.

Nice words were spoken by the Minister during his inaugural speech at the Ground Zero summit, and if this finds support in implementation, then it is an encouraging sign. There is still a long way to go in making this “encouraging sign” a real “game changer”.

Let’s keep watching the developments and hope for action from the Government.

Naavi invites the views of readers on this need for a “Bug Bounty Program by the Indian Government” and on how to motivate all Information Security professionals to contribute towards Secure Digital India.

Naavi

More on the Summit

Posted in Cyber Law

“Do Not Disturb” not for websites?

In a significant ruling, the US Federal Communications Commission (FCC) has rejected a petition by Consumer Watchdog that sought to force websites to honour “Do Not Track” requests from individuals.

The petition had requested that the Commission “initiate a rule making proceeding requiring ‘edge providers’ (like Google, Facebook, YouTube, Pandora, Netflix, and LinkedIn) to honor ‘Do Not Track’ Requests from consumers.”

The FCC, however, ruled that the current regulations meant for voice services cannot be applied to broadband internet, and dismissed the petition.

Copy of Order

Some observers in the Privacy and Consumer Interest groups express concern that nothing will now prevent online services from requiring consumers to consent to tracking in exchange for access to web services, or from sharing users’ personal information with third parties even when consumers send “Do Not Track” requests. This may also mean that websites will ignore the web browser settings that send “Opt out” requests.

A counter view is that the FCC order only applies to “Transmission Services” and not to “Content Services”. If this view is valid, then the content owners need to continue obtaining consent from website visitors as they are doing at present.

We concur with the counter view, since the use of web services is a contract and the visitor should be given the option to either share or not share data which he considers not essential for the service.

If, however, the website wants to make it a “Dotted line contract”, it needs to highlight and draw the specific attention of the user to the information-sharing clauses before proceeding with the use of the services.

This may not, however, be practical to implement for all users, and hence any prudent website owner would continue the existing practice of honouring automatic requests to opt out of any such information collection that the website wants to do, and wait for an opt-in before collecting analytics which involve identifiable personal information.
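The practice described above, as an added example that is not part of Naavi’s post: server-side logic that honours the browser’s automatic “DNT: 1” opt-out for identifiable analytics, enables such analytics only when an explicit opt-in is recorded, and answers with the `Tk` tracking-status response header defined by the W3C Tracking Preference Expression specification. The consent cookie name `analytics_consent` and the shape of the request-headers object are assumptions.

```javascript
// Added example (not from the original post). Decides, per request, whether a
// site may run analytics that involve identifiable personal information.
// Assumption: a consent banner sets the cookie "analytics_consent=granted"
// when the visitor explicitly opts in; any other state counts as no opt-in.
const CONSENT_COOKIE = "analytics_consent"; // hypothetical cookie name

// Parse a raw Cookie request header into { name: value }; tolerates a
// missing header, stray semicolons and URL-encoded values.
function parseCookies(header) {
  const cookies = {};
  if (!header) return cookies;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try {
      cookies[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch (_e) {
      cookies[name] = part.slice(eq + 1).trim(); // keep malformed value as-is
    }
  }
  return cookies;
}

// headers: object with lower-cased request header names (as Node's http
// module provides). Essential, non-identifying processing (session handling,
// security logging) is part of the service contract and always allowed.
function trackingDecision(headers) {
  const dnt = String(headers["dnt"] || "").trim();
  const consent = parseCookies(headers["cookie"])[CONSENT_COOKIE];
  const decision = { essential: true, identifiableAnalytics: false, reason: "" };

  if (dnt === "1") {
    // Automatic opt-out sent by the browser: honoured even if an older
    // consent cookie exists, since the current browser setting is the most
    // recent expression of the visitor's wish (design choice of this example).
    decision.reason = "DNT:1 received; identifiable analytics disabled";
    return decision;
  }
  if (consent === "granted") {
    decision.identifiableAnalytics = true;
    decision.reason = "explicit opt-in cookie present";
    return decision;
  }
  decision.reason = "no opt-in recorded; identifiable analytics disabled";
  return decision;
}

// Tracking status value for the Tk response header: "C" when tracking happens
// under the visitor's consent, "N" when the site is not tracking this request.
function trackingStatusHeader(decision) {
  return decision.identifiableAnalytics ? "C" : "N";
}

// Constructed sample request for a stand-alone run.
const sample = trackingDecision({ dnt: "1", cookie: "session=abc; analytics_consent=granted" });
console.log(sample, "Tk:", trackingStatusHeader(sample));
```

Wiring this into a request handler means calling `trackingDecision(req.headers)` before any analytics script is injected or any analytics event is recorded, and setting the returned `Tk` value on the response.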

Naavi

Posted in Cyber Law

Special Interest Group on ITA 2000/8 Amendment

Naavi has been pointing out that, with the increasing use of IT in E-Governance and E-Commerce and the embracing of the Digital India policy, which includes the Internet of Things and Big Data, there is a need for a revision of the Information Technology Act 2000.

A “Cyber Law Vision-2018” was suggested by Naavi which included some thoughts on the direction that the Indian Cyber Law of the future should pursue. The vision document was released before the Supreme Court verdict, but anticipated the possibility of the Supreme Court holding Section 66A unconstitutional.

Naavi has also repeatedly drawn the attention of the Modi Government to the unsavoury experience of Mr Chandrababu Naidu, who lost a political election despite his glorious achievements in the IT sector, and warned the Government of the possibility of a similar outcome for Modi. (Refer: An Open Letter to Mr Modi) Now, unfortunately, this prediction has come true in the form of the debacle in the Bihar election.

The scrapping of Section 66A by the Supreme Court had already forced the hands of the Government to start a process of revisiting ITA 2008, and the Bihar debacle has added urgency.

In order to ensure that the Government gets the right inputs on amending ITA 2008 in a way that not only satisfies the Supreme Court but also provides a base for Secure Digital India without a political backlash, Naavi invites interested specialists in Cyber Law to come together in a Virtual Special Interest Group that can recommend a comprehensive revision of ITA 2008.

It may be remembered that when an “Expert Committee” was formed by the then Government in 2005 to amend ITA 2000, it had no representation of Netizens, and it came up with highly controversial amendments. Though some of the mistakes were corrected by the Parliamentary Committee before the amendments were passed in 2008 (what we recognize now as ITA 2008), many of the weaknesses remain.

Over the years we have pointed out how Government officials themselves are flouting ITA 2000/8 out of sheer ignorance. In particular, we have pointed out the Karnataka IT Secretary who ruled that “Person” in Section 43 means only an individual and not a company. The Karnataka Legislature passed an amendment to the Indian Registration Act 1908 which is ultra vires ITA 2000/8. Even the Central Government, in its notifications for the Digital Locker project, violated ITA 2000/8.

In view of the above, we the Citizens of India, who are being forced to also become Netizens because of the rapid digitization of the country, but who firmly believe that ICT has the potential to transform India for the better if the policies are implemented in a proper manner, need to participate in this transformation of the Cyber Laws.

We presume that the Government may not invite the public to contribute their ideas until it is too late to make any positive contribution, and hence we need to move now, before the Government pushes ahead with its own efforts in this matter.

The objective is to ensure that the amendments, when made, are “Citizen Centric”, so that even the Biharis and Uttar Pradeshis who would vote in the elections can appreciate the benefits, and so that the amendments do not derail the Digital India vision.

We shall call this the “VSIG on Cyber Laws for Digital India” and collate recommendations from the private sector for amending ITA 2008 in such a manner that it becomes an instrument of development which does not face opposition either from the politicians or from the general public, who only feel the effect of IT but do not understand its intricacies or limitations.

Looking forward to participation from the Cyber Law stalwarts of India.

Naavi

Posted in Cyber Law