Cyber Threat Scenario - HPE Security Research Report 2016

Hewlett Packard Enterprise has released its latest report (HPE Cyber Risk Report 2016), giving an interesting perspective on the threat landscape that prevailed in 2015. The report was compiled by the HPE Security Research team from its analysis of data collected through open source intelligence.

The research highlights the following key themes.

  1. Collateral damage
  2. Overreaching regulations
  3. Need for broad-impact solutions
  4. Decoupling privacy and security efforts
  5. Persistence of earlier threats
  6. Attacks on applications
  7. Monetization of malware

The detailed report is available here.

The report highlighted that in several instances, attacks touched people who never dreamed they might be involved in a security breach, causing collateral damage. Two cases cited as examples of such collateral damage were the breaches at the United States Office of Personnel Management and at Ashley Madison.

The report also highlighted that the reaction of regulators to the attacks was often damaging and counterproductive. It observed that overreaching regulations have pushed legitimate security research underground.

The report indicated that vulnerability fixing should move from releasing patches for individual vulnerabilities to building sustainable defences that prevent attacks. It urges Adobe and Microsoft in particular to invest in broad, asymmetric fixes that knock out many vulnerabilities at once.

An interesting observation in the report is that the revelations by Edward Snowden and other whistleblowers have led to moves to erode “Privacy” rights in favour of “Security” needs.

It was also observed that many of the incidents arose from bugs already known to the market, indicating negligence in applying the security patches released in earlier years.

The report indicates that attackers have shifted their efforts to attacking applications directly rather than the network perimeter. It observes that with the increasing use of mobile devices, the perimeter of a network is now in the user’s pocket, and security practitioners need to recognize this.

The report also highlights the growing malware market, which has strengthened the attack industry and increased its disruptive capabilities.

Security professionals need to study the report in detail and factor its observations into the security they build in their respective environments.

Naavi

Posted in Cyber Law

The TCS-Epic incident.. a lesson for all

Here are some of my views expressed in an interview with ISMG Asia on the recent TCS-Epic episode.


The interview can be accessed here:

P.S: Kindly note that the voice is slightly distorted and sounds hurried. I suppose it is because of some technical issue in the recording.

Naavi

Earlier Article at naavi.org

Posted in Cyber Law

The Proposed Map Law Could Deal Many Start-Ups a Death Blow.. Are Anti-Modi Moles at Work?

Over the last decade, and more specifically over the last few years, there has been tremendous growth in the use of ICT, with mobile technology taking firm root. Mr Modi has been promoting the “Digital India” concept and going all the way to promote the use of digital technology such as Aadhar.

Naavi.org has been cautioning against the overuse of technology without appropriate safeguards such as information security and Cyber Insurance. However, certain types of regulation need to be cleverly drafted so that misuse of technology is prevented without hurting development. Drafting such legislation requires knowledge of both the domain being legislated and the technology. The lack of such professionals in bureaucratic circles appears to be creating situations where decisions taken at different ministries directly affect Mr Modi’s development agenda.

There appears to be a set of people in the Governments who are hurt by the beneficial aspects of e-Governance and would like to curb the power of technology through new regulations. They seem to be targeting cyber technologists with a vengeance by introducing restrictive laws that betray a lack of understanding of the cyber business model, solely to meet short-term goals, some of which may be sinister anti-Modi designs.

Two examples that stand out in recent times are Arvind Kejriwal’s fight against Uber in Delhi and the Karnataka Government’s bill on aggregators of taxi services. In both cases new laws have been passed to curb the growth of the new business.

Surge pricing was bad to some extent, but it had some logic. It could have been regulated to prevent fraudulent pricing instead of bringing down the system itself. Karnataka’s law on taxi aggregators also tries to hit out at the new business model because the Government feared losing revenue from taxi operations.

Now a third fight has opened up with the new “Map Law”, which imposes hefty fines of up to Rs 100 crores for erroneous “Geo Spatial Information”, besides possible 7-year imprisonment.

While the apparent intention was to ensure that India’s borders are not wrongly depicted by Google Maps, the law appears to actually hit domestic start-ups and small companies that are developing new businesses around the location of the user.

The new law would seriously hurt many mobile app operators, whether a taxi operator, a medical service, an ambulance service, a catering service or a grocery supply service. Today every business wants to know the location of the customer and make services available on a “Near You” basis. It could probably even hit you and me when we use WhatsApp to share our location.

The draft law has now drawn public attention because it may introduce an unintended licensing system that could kill many small businesses and go completely against the “Start Up” concept that Mr Modi is promoting under Digital India.

According to Section 4 of the proposed law,

“Dissemination, Publication or Distribution of the Geo-spatial Information of India.- Save as otherwise provided in this Act, rules or regulations made there under, and with the general or special permission of the Security Vetting Authority, no person shall disseminate or allow visualization of any geo spatial information of India either through internet platforms or online services, or publish or distribute any geo spatial information of India in any electronic or physical form.”

Under Section 9

“Any person who wants to acquire, disseminate, publish or distribute any geo-spatial information of India, may make an application along with requisite fees to the Security Vetting Authority for security vetting of such geo-spatial information and licence thereof to acquire, disseminate, publish or distribute such Geo-spatial Information in any electronic or physical form.”

Under Section 3,

“Save as otherwise provided in this Act, rules or regulations made thereunder, or with the general or special permission of the Security Vetting Authority, no person shall acquire geo spatial imagery or data including value addition of any part of India either through any space or aerial platforms such as satellite, aircrafts, airships, balloons, unmanned aerial vehicles or terrestrial vehicles, or any other means whatsoever.”

Under Section 13

“Whoever disseminates, publishes or distributes any geo spatial information of India in contravention of section 4, shall be punished with a fine ranging from Rupees ten lac to Rupees one hundred crore and/or imprisonment for a period upto seven years.”

It is noted that the law criminalizes the dissemination of information without a licence with a stringent seven-year imprisonment term, without even a hint of a need to prove criminal intent.

There is no “Exemption” provision that exempts users, or anybody else without malicious intentions, from the penalty.

There is no doubt that the law in its present form is absurdly draconian and will be struck down if challenged in a Court of Law. I hope the Government withdraws the law or makes substantial correction without exposing itself to another embarrassment in the Supreme Court.

If the lawmakers had any sense of the marketplace, they would have restricted the penalty to cases where the depiction of wrong borders was intentional and the maps were used for some anti-national purpose. In every other case, a wrong map is a consumer protection issue, and it would suffice if the consumer’s interest were protected with a penalty in the form of damages.

For example, if a map on a mobile app shows an Adigas hotel in 5th Main, Chamarajpet, Bangalore, and I search for the hotel for half an hour and cannot find it, it would suffice if I could collect a “Free Meal Coupon” as compensation. There is no need for the app developer to be jailed for 7 years under a cognizable offence.

The lawmakers are simply unaware of how many of our businesses would face a 7-year imprisonment term for their routine business activities on account of this proposed law.

I cannot but think that the law has been framed only to defame Mr Modi and his efforts to promote Digital India, by some bureaucrat who sits in the Government as a mole of the Congress. A campaign has already been mounted in the Washington Post citing the absurdities of this law.

I wish Dr Subramanya Swamy finds out who actually was responsible for framing such a draconian law.

On the contrary, if this is simply a case of over-enthusiasm and a blinkered vision that “Maps” means “Google” and “Apple”, and hence one can think of a Rs 100 crore penalty, then the official concerned should admit his ignorance and resign from his responsible position immediately, or else be removed.

It is well known that this law will not deter Pakistan or China from depicting the Indian border as they wish. Hence the law will have no effect except to make innocent Indian businesses pay. It is expected that Apple or Google will pay whatever licence fee is imposed on them and pass the burden on to users such as the Zomatos, the Olas etc. The cost of doing business will therefore go up and India’s Ease of Doing Business index will dive.

Hence there is a need for Mr Modi to immediately initiate corrective action.

I invite the public to send their views on this draft bill to jsis@nic.in within the next 30 days to protect Digital India.

Naavi

Related Article: Livemint

Posted in Cyber Law

IRCTC hacking.. What Next?

It has been reported that the IRCTC servers have been hacked and the database of millions of users compromised.

See article here

It is also learnt that the information is available on CDs for Rs 15000/-. (From unconfirmed private sources)

The fact that IRCTC has been hacked is no surprise. It perhaps happened long ago and we have come to know of it only now.

The point that IRCTC does not have proper information security systems is being discussed in other fora.

At this point it is not clear what information has been compromised and made public. If only personal information such as name and e-mail address has been exposed and used for spamming, it is perhaps tolerable.

However, if sensitive personal information including passwords, PAN card details, or credit card or bank details has been compromised, it is unpardonable.

In such a case action should be initiated by the Police, and somebody in IRCTC needs to be sent to jail.

It is a failure of reasonable security practice under ITA 2008 and, through recklessness, an assistance to the commission of further frauds, with or without financial benefit.

At the same time, we cannot estimate when a past customer of IRCTC might be hurt. His confidential data may be used at any time in the future to commit a fraud. Hence there is a need to protect every customer of IRCTC from possible future loss.

For this purpose IRCTC must immediately take out a Cyber Insurance contract covering all their account holders against identity-theft-related losses over the next 3 years, up to say Rs 5 lakhs. Whatever the cost of such insurance, it must be borne by IRCTC.

IRCTC should also immediately notify all its customers by individual e-mail as per a standard “Data Breach Notification Policy” (please see CLCC for a draft model policy).

If such a policy has not been adopted, it confirms the lack of “Due Diligence”.

In January, TOI carried an article titled “IRCTC website a sitting duck for Hackware”. This was a notice on which remedial action should have been initiated.

Naavi.org itself raised the possibility of hacking way back in August 2010 and also recently asked whether IRCTC should have taken Cyber Insurance.

However, IRCTC has not taken any remedial measures, and even now a Google search on “IRCTC hacking” reveals many sites promoting hacking of IRCTC.

All this indicates complete negligence of information security responsibilities at IRCTC, for which the persons responsible must be held accountable.

I suppose somebody should take up a PIL on this account.

The Supreme Court takes up many less worthy cases suo motu, and there are activists who file PIL litigation on innocuous matters on which the Courts spend time.

Will any responsible Judge consider it worthwhile to take up this case suo motu and ensure that people who have shared their personal data with IRCTC are protected against losses arising out of identity theft?

The PRO of IRCTC seems to have given a statement that the “Website of IRCTC is not hacked”.

The PRO may not be aware that a defacement of the website would have mattered much less than the compromise of the data. He is either unaware of the damage or has not shared the information with the public. Hope IRCTC releases a note on its website explaining what exactly has happened and what the risks to the public are.

P.S: Will the Aadhar database be the next on a CD on the streets?

Naavi

Posted in Cyber Law

Digital Signature misuse reported in Bengaluru

Naavi.org has several times brought to the attention of the public that certain Certifying Authorities are not following proper procedures for the issue of Digital Signature Certificates, and that this can lead to frauds.

Earlier, one person associated with a Registration Authority was alleged to have misused the digital signature of a Company Secretary in Bangalore to sign MCA certificates for a fee. Another instance was reported from Delhi, where the directors of a company were alleged to have used the digital signature of a deceased director to transfer ownership.

Now another allegation has surfaced in Bangalore, where Dr Madhukar Angoor, Chancellor of Alliance University, has stated in a press conference that his family members forged his digital signature to record the resignation of himself and his wife and transfer control of the University while he was abroad. (The case also involves the apparent misuse of laws meant for the protection of women, under which false rape charges are routinely filed to defame and trouble innocent persons, which is outside the scope of this article.)


Also see: Article in Deccan Herald; Indian Express

It appears that the English press has not noticed the cyber crime angle, while Kannada Prabha has reported the misuse of the digital signature. This would involve Sections 66C and 66D, besides several other sections of ITA 2000/8 and the IPC.

It may be easier to investigate the cyber crime, which may also be proof of the property motive that could be behind the “rape” charge. The investigation may also expose some Certifying Authority and their Registration Authority who might have abetted the crime.

It is interesting to note from this earlier article in Bangalore Mirror that the sister who has lodged a rape complaint on behalf of her daughter is the “Wife of an IPS Officer”.

Justice therefore awaits overcoming the barriers of conflicts of interest in investigation.

Naavi


Posted in Cyber Law

Will HHS impose a hefty fine on American Dental Association?

In what may be described as an unfortunate but grim reminder of the risks we run in cyberspace, the American Dental Association (ADA) appears to have exposed itself to the risk of a hefty fine from the Department of Health and Human Services (HHS), which regulates HIPAA and HITECH Act implementation in the USA. (P.S: I thank Mr Avkash Kathariya for bringing the incident to my notice)

The Association recently sent a soft copy of the CDT 2016 manual on a flash drive.


It was found that the flash drive contained a link to a website known for distributing malware. This article in krebsonsecurity.com indicates that the presence of malware in this official communication was detected by a security professional who checked the flash drive.

In an inevitable “disclosure and remedial action”, the Association released an e-mail alert on the incident.

A copy of an e-mail which the Center for Informatics and Standards in the American Dental Association has recently sent to its customers is reproduced below.


HHS normally imposes hefty fines for potential or actual disclosure of PHI by Covered Entities and Business Associates. This incident raises the possibility that malware could have been injected into the systems of any of the recipients, and it has to be recorded as a “Suspected Security Incident” by every recipient subject to HIPAA compliance requirements. Whether or not there has been an actual data breach, these entities will need to document the incident, conduct an appropriate internal investigation and record (hopefully) that “There was no breach of unsecured PHI”.

The incident could have been a major disaster in the health care industry, resulting in unprecedented levels of PHI data breach. We should be relieved that it was detected early; the security specialist responsible for the detection, identified as “Mike”, a member of the DSL Reports forum, deserves a major bounty from ADA and HHS.

In India, “Distribution of a Computer Contaminant” would invoke both civil and criminal action under ITA 2008. The Computer Fraud and Abuse Act in the USA may have similar provisions, and action could be taken against ADA for damages and for criminal negligence, while HIPAA itself may not be able to impose a penalty on ADA.

The incident is, however, a big lesson to every organization that sometimes distributes useful data with good intentions on a CD or flash drive. The work is often subcontracted to a supplier who may have no idea of the security issues involved, and who may end up distributing malware along with the intended content.

The least that a content provider can do in such circumstances is to digitally sign the file, and to include a disclaimer and an alert that prompts the user to scan the data for malware before use.
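The signing recommendation above is illustrated by the added example below. It is not code from ADA, from the duplication supplier or from the original post; it uses Ed25519 from the Go standard library to put a detached signature beside the file on the drive and to check it before the file is opened. The file name, the sample content, the temporary "drive" directory and the tampering scenario are all constructed assumptions, and a real publisher would more likely use GPG detached signatures or Authenticode than a custom tool; the workflow is the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
)

// Distribution is what the publisher writes to the flash drive: the file
// and a detached signature over its bytes. The public key is deliberately
// not part of it; the recipient must already hold it (pinned from the
// publisher's website, an earlier release, or a printed fingerprint).
// If the key travelled on the same drive, whoever swapped the file could
// swap the key too and the check would prove nothing.
type Distribution struct {
	Name      string
	Content   []byte
	Signature []byte
}

// Sign runs once, on the publisher's clean build machine, after the
// content has been scanned. The signature proves who released these
// exact bytes; it says nothing about whether the bytes are harmless,
// so scanning must happen before signing, not instead of it.
func Sign(priv ed25519.PrivateKey, name string, content []byte) Distribution {
	return Distribution{
		Name:      name,
		Content:   content,
		Signature: ed25519.Sign(priv, content),
	}
}

// Verify is the recipient's check before opening anything on the drive.
// A missing, malformed or invalid signature all mean "do not open",
// whether the cause is tampering in transit, a corrupted copy, or a
// duplication supplier that shipped a different build.
func Verify(pub ed25519.PublicKey, d Distribution) bool {
	if len(d.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, d.Content, d.Signature)
}

// VerifyFiles is the on-disk form of Verify: the file and its detached
// ".sig" as they would be read from the mounted drive.
func VerifyFiles(pub ed25519.PublicKey, filePath, sigPath string) (bool, error) {
	content, err := os.ReadFile(filePath)
	if err != nil {
		return false, err
	}
	sig, err := os.ReadFile(sigPath)
	if err != nil {
		return false, err
	}
	d := Distribution{Name: filepath.Base(filePath), Content: content, Signature: sig}
	return Verify(pub, d), nil
}

func main() {
	// Publisher side: generate a keypair (assumed here; in practice kept in
	// an HSM or at least away from the duplication workflow) and sign a
	// constructed stand-in for the manual.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	manual := []byte("CDT 2016 manual (constructed sample content)\n")
	dist := Sign(priv, "cdt2016.pdf", manual)

	// Write file and detached signature as they would appear on the drive
	// (a temporary directory stands in for the drive).
	dir, err := os.MkdirTemp("", "flashdrive")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	file := filepath.Join(dir, dist.Name)
	sig := file + ".sig"
	if err := os.WriteFile(file, dist.Content, 0o644); err != nil {
		panic(err)
	}
	if err := os.WriteFile(sig, dist.Signature, 0o644); err != nil {
		panic(err)
	}

	// Recipient side, with the pinned public key: the genuine copy passes.
	ok, err := VerifyFiles(pub, file, sig)
	fmt.Println("genuine copy verifies:", ok, err)

	// Somebody appends a link to a malware site after signing (the post
	// above describes such a link on the ADA drive): verification fails.
	tampered := append(append([]byte(nil), dist.Content...),
		[]byte("<a href=\"http://malware.example/\">open manual</a>\n")...)
	fmt.Println("tampered copy verifies:",
		Verify(pub, Distribution{Name: dist.Name, Content: tampered, Signature: dist.Signature}))

	// Re-signing the tampered copy with the attacker's own key does not
	// help them either, because the recipient checks against the pinned key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("re-signed by a foreign key verifies:",
		Verify(pub, Sign(attackerPriv, dist.Name, tampered)))
}
```

The design point worth noting is where the public key lives: the check is only as strong as the recipient's independent copy of the key, which is why the example keeps it out of the Distribution. The signature also does not replace the malware scan the post recommends; it only guarantees that what the recipient scans is what the publisher released.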

Naavi

 

Posted in Cyber Law