Beware of this Call from 90699 35661

Today, I received a telephone call from the mobile number 90699 35661 which appears to be an attempted fraud. I am placing this for public attention so that people do not respond to the call. At the same time, the Internet Service Provider involved, namely Videocon, is being notified for necessary corrective action.

The caller, who was a lady, made a call to my mobile at 14.50 hours and stated that she was calling from the Consumer Court in Delhi and was informing me that a 420 case had been filed against me. When I asked for the name of the person and further details of which court, she disconnected. Afterwards, when I tried to call back, there was no response.

Some of my friends have subsequently informed me that they are aware of such calls and that in one case the caller offered help to resolve the case through a lawyer and wanted the person to contact the lawyer.

I would like the public to be informed of such fraudulent calls and request them not to respond.

I also hereby give public notice to the Mobile Service Provider, which according to information taken from the web appears to be Videocon in Himachal Pradesh, that this incident indicates that they are abetting a crime by providing facilities of telephone connectivity to the fraudster.

I am expecting them to take action to deactivate the account to prevent any further frauds.

I also expect the Police in the relevant area to take suo motu action, since this is not an isolated attempt but an organized syndicate that is running a call center to commit such frauds. I wish some responsible police officer would take up this case and bust the racket.

Naavi


Posted in Cyber Law

Paris Attack Fallout: Bitcoin is in danger of going into extinction.

One of the inevitable fallouts of the global outrage against ISIS after the Paris attack is an attempt by all countries to choke off ISIS’s funding sources. It is estimated that ISIS holds a huge stock of Bitcoins, which is the known standard currency for cyber criminals and terrorists.

After the Silk Road exposé, Bitcoin suffered a major blow as it acquired notoriety as the currency of choice of the underworld. However, it was slowly coming out of the reputation crisis and trying to re-establish itself on the strength of the momentum gained by a large number of non-criminal owners of Bitcoin.

From its glorious days of 2014, when Bitcoins were valued at over Rs 65000/- in India, the value has now tumbled to around Rs 20940/- at present. In the last two days, the international price of BTC has dropped from around $340 to around $315. On the current trend it may test the $250 support line and head further south.

[Image: bitcoin_rate chart]

The current crisis has now brought global attention to Bitcoin, and many Governments are considering “Demonetizing” (banning) Bitcoin. It is interesting to note that the readers of mirror.co.uk have voted by a 53% majority (as of now) that Bitcoin should be banned. (Read this article in mirror.co.uk)

With Bitcoin having now been flagged as the currency used by ISIS, more countries may move in to ban the currency. This could seriously threaten the very existence of Bitcoin.

This does not mean that this is the end of “Crypto Currency” as a means of digital payment, though for many Bitcoin is a synonym for “Crypto Currency”. But Bitcoin has been tainted to such an extent that most Bitcoin holdings might have once passed through an illegitimate transaction and hence carry the tag of “criminality”. Legally, Bitcoin being a commodity, a “Stock once tainted remains always tainted”. Hence a majority of Bitcoins (unless they have been mined by the holder or obtained from a known source) will be considered illegal even if the holder has bought them with his hard-earned, taxed and declared income. It is difficult therefore to see a recovery of the value of Bitcoins in the near future.

In the meantime, the Anonymous hacker group has vowed to take the war into the ISIS camps and is trying to identify the Bitcoin wallets owned by ISIS. It would be in the interest of the Bitcoin community if the ISIS holdings of Bitcoins can be identified and disabled so that the ISIS taint can be removed to some extent.

It is therefore advisable for all genuine holders of Bitcoin who are holding it as an investment to exit immediately and cut their losses. The value is expected to drop further in the next few days, and it will be a long time before it recovers, if it recovers at all.

Naavi


Posted in bitcoin

Beware of Malware-carrying and Hoax emails on ISIS-Paris attack themes

As could be expected after any global catastrophic event, the ISIS attack in Paris has also given rise to fraudulent e-mails. Some of them could be hoax emails and some could be carrying malware, prompting the receiver to click on a link.

The public should be careful not to fall prey to such e-mails.

Some of these e-mails or messages are also circulating in WhatsApp.

Some of the reported hoax mails/messages are:

1. Singapore Police Notice

[Image: singapore_hoax_isis]

2. We All Paris Hoax

[Image: we_all_paris_hoax_isis]

These may be considered as indicators of what is to be expected. Some of the fraudsters will send spear phishing mails which may say something like the following:

“Police in Paris identify an employee of xxx company as a suspect of the Paris attacks. Click here for the photo released by the Police.”

Such an email may be sent to all employees of an organization named in the e-mail, prompting them to open it immediately to see which of their colleagues is a suspect, and thereby invite malware.

The public should therefore be extremely careful to avoid opening any attachments in such e-mails and also avoid circulating hoax mails in the belief that they are true. Such forwards may entrap the receivers, since they would consider it a message coming from a known person.
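As an added example (not code from the original post), the following Python checks a message for the lure indicators the post describes: urgency language such as “click here”, an authority claim (“Police”) sent from a free webmail address, a link whose visible text shows one site while its target is another, and a forwarded chain that the receiver trusts because it came from a known person. The two sample e-mails, the phrase lists, the webmail domain list and the .test/198.51.100.7 addresses are all constructed for illustration; the triage thresholds are an assumed policy, not anything the post specifies.

```python
"""Flag spear-phishing lure indicators in raw e-mail text (constructed example)."""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Pressure phrases that push the reader to act before thinking (constructed list).
URGENCY_PHRASES = ("click here", "immediately", "urgent", "as a suspect",
                   "photo released by the police")
# Authorities a lure may impersonate; genuine notices rarely come from
# free webmail domains (both lists constructed for the example).
CLAIMED_AUTHORITY = ("police", "consumer court", "government")
FREE_MAIL_DOMAINS = ("gmail.com", "yahoo.com", "hotmail.com", "outlook.com")

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
HTML_ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                            re.IGNORECASE | re.DOTALL)


def sender_domain(msg: Message) -> str:
    """Lower-cased domain of the From: header, or '' if none is present."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def body_text(msg: Message) -> str:
    """Decoded body of a single-part message ('' for multipart or empty)."""
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", errors="replace") if payload else ""


def lure_indicators(raw_email: str) -> list[str]:
    """Return a human-readable list of the lure indicators found in raw_email."""
    msg = message_from_string(raw_email)
    subject = msg.get("Subject", "")
    body = body_text(msg)
    text = f"{subject}\n{body}".lower()
    found: list[str] = []

    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        found.append("urgency language: " + ", ".join(hits))

    # Claims to speak for an authority, yet is sent from a free webmail domain.
    domain = sender_domain(msg)
    if any(a in text for a in CLAIMED_AUTHORITY) and domain in FREE_MAIL_DOMAINS:
        found.append(f"claims authority but sent from free-mail domain {domain}")

    # Visible link text names one host while the href points at another.
    for href, anchor in HTML_ANCHOR_RE.findall(body):
        shown = URL_RE.search(anchor)
        if shown and urlparse(shown.group(0)).hostname != urlparse(href).hostname:
            found.append(f"link text {shown.group(0)} points to {href}")

    # Forwarded chains borrow the trust the receiver places in the forwarder.
    if subject.lower().startswith(("fwd:", "fw:")) or "forwarded message" in text:
        found.append("forwarded chain message")
    return found


def triage(raw_email: str) -> tuple[str, list[str]]:
    """Map the indicator count to a handling decision (assumed thresholds)."""
    found = lure_indicators(raw_email)
    verdict = "quarantine" if len(found) >= 2 else "review" if found else "deliver"
    return verdict, found


# Constructed sample modelled on the lure quoted in the post; all addresses fake.
SAMPLE_LURE = """\
From: Paris Police Press Office <parispolice.press@gmail.com>
To: all-staff@example-corp.test
Subject: Fwd: Paris attacks - suspect identified at your company
Content-Type: text/html; charset=utf-8

<p>Police in Paris identify an employee of Example Corp as a suspect of the Paris attacks.</p>
<p><a href="http://198.51.100.7/photo">http://www.prefecturedepolice.test/photo</a> Click here for the photo released by the Police.</p>
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: IT Helpdesk <helpdesk@example-corp.test>
To: all-staff@example-corp.test
Subject: Scheduled maintenance on the file server this weekend
Content-Type: text/plain; charset=utf-8

The file server will be unavailable on Saturday from 02:00 to 04:00 for patching.
No action is needed on your part.
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        verdict, reasons = triage(sample)
        print(f"{name}: {verdict}")
        for r in reasons:
            print("  -", r)
```

The link-mismatch check only fires when the anchor text itself is a URL; a lure whose anchor reads “Click here” is caught instead by the urgency list, which is why both checks are kept. Header spoofing is out of scope here: a real deployment would add SPF/DKIM results rather than trust the From: domain.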

Naavi

Posted in Cyber Law

Hacktivists now have a point to prove. Let’s see whether they can Walk the Talk.

The Paris Attack of 13/11 (2015) by ISIS will be an event that changes the face of the earth. On the one hand, it has galvanized France and other nations, including Russia, which suffered an attack a few days back in the form of a bomb on a plane, into an all-out war on ISIS on the ground. At the same time, it has galvanized the powerful Anonymous hacker group to take down the cyber assets of ISIS.

It looks a little strange that one group of mercenaries, who have enemies all around them including the neighbouring Muslim states of Syria and Iraq, can threaten the whole world and challenge countries such as France, the UK, the USA and Russia all at one time. But the power of “Terrorism” is such that, as asymmetric warfare, it can challenge conventional forces with greater firepower. The difference lies in the motivation to fight and the unconventional methods used to strike.

For these countries, who fought two world wars as allies, this is the “Third World War” unfolding in the form of ISIS. They appear to have a renewed resolve to fight ISIS after the Paris attack, but one has to wait and see how long this enthusiasm lasts. Whether the allies will go for complete control of the ISIS-held land, as Sri Lanka successfully did against the LTTE, or back off at some point for their own reasons is difficult to foresee. But it can be expected that as the Allied forces succeed in pushing back ISIS in the physical world, it will increasingly go underground, spread out and start attacking the world in a series of terrorist attacks.

Breaking the link between such distributed terrorists and their command and control centre, and starving them of money and ammunition, would be an important requirement if these terrorists are to be neutralized. It is in this context that winning the cyber war against ISIS is as important as winning the war on land.

It is therefore interesting for us to watch the cyber war that is unfolding between the Anonymous hacker group and ISIS. The hacker group has issued a statement that it would hunt down and destroy ISIS in cyberspace. (Read article here). It is reported today that the group has already brought down over 5500 Twitter handles in the last two days. But this should be only the starting point. What is important is whether terror plans can be disclosed before execution and forced into failed or abandoned missions.

The Group has also released a guideline on how to proceed hacking into ISIS assets. (See the report here)

During the post-Paris attack investigations, it has been speculated that the terrorists might have used the Sony PlayStation 4 game console for in-game communication to plan and execute the attacks. It is a given that the execution of any major coordinated terror attack (which some have called a wolf pack attack) requires extensive planning and therefore a good stealth communication channel that can be sustained over a period of time.

Some experts do not agree that the PS4 was used for communication in this case. It does not actually matter whether or not the PS4 was used for communication in this attack; the possibility of a “Video Gaming” platform being used for communication cannot be ruled out. In future these communication channels need to be monitored by the intelligence agencies to get the scent of what is brewing in the terror camps. Apart from the Sony PlayStation or Xbox type of gaming consoles, there are many online gaming sites where groups can be formed, apparently for a gaming session, and messages exchanged. It would be a near impossible task for the intelligence agencies to monitor such communication in real time.

However, it should be possible to develop the necessary algorithms to monitor the pattern of group formation and communication in these game situations and flag any suspicious activity that can be taken up for monitoring on an exception basis. Probably companies such as Sony and Microsoft themselves may develop such tools to monitor the misuse of their properties.

Presently the Sony PlayStation privacy statement does provide that it retains the right to monitor and record the communication between users of the PlayStation Network. This indicates that they do have the necessary backdoors that can be activated for monitoring users’ activities.

Creating an automated system of analytics is a logical next step given that there are over 110 million users, of which 65 million are active at any point of time. This is a Big Data challenge that needs to be overcome, and would be overcome perhaps in the immediate future.

It is also considered possible that terrorists may superimpose cryptographic techniques to hide their messages. But such techniques can hide the messages, not the suspicious pattern.

Breaking the communication network of ISIS is an important step in winning the cyber war. Whether the Anonymous hackers can go beyond taking down Twitter accounts to monitoring and revealing terror plans in advance to law enforcement will determine to what extent the hackers can help destroy ISIS as an organization that could otherwise survive the physical annihilation the Allies can inflict on the ground.

Another significant part of the cyber warfare is to trace the monetary assets of ISIS in cyberspace and destroy them. It is worth watching whether the Anonymous hackers can attack the financial assets of ISIS and starve them of their funds.

While the Allies are expected to fight the war in both physical space and cyberspace, the Anonymous hackers will fight only in cyberspace. But their contribution to winning this war for the sake of humanity in general is very important, and history will recognize this contribution if it succeeds.

Technology is known to create problems, and it is time technology also found solutions to benefit mankind. Hacktivists now have a point to prove. Let’s see whether they can walk the talk.

Naavi

Posted in Cyber Law

Can the “e-Janata Bazaar” carve out the future of Digital India?

In the early days of e-commerce development, the undersigned had been a great fan of the “Brick and Click” strategy for business development. The idea was to leverage the strength of the physical presence of a business with the business potential in the cyber society. It was also considered that this strategy would insulate the business from emerging competition in either of these two domains and force the challenger to also come up with multi-domain expertise. Some of the services proposed by Naavi, such as CEAC, Cyber-Notice.com, etc., are all trying to build themselves on this principle.

One of the developments that catches my eye now is the emergence of a mobile app named “Zopper”. This is an app which tries to challenge the hold that pure e-commerce players such as Flipkart have established in certain markets. The idea is to leverage the “Reputation of Physical Presence” with the “Convenience of E-Presence”.

In simple terms, it is an aggregation service that enables local stores to find a presence in the e-space. Just as Practo gets doctors into the e-fold and Ola Auto gets autorickshaw drivers onto the bandwagon of mobile space, Zopper has the declared objective of bringing the local stores into the e-wagon. It is a good service to these less tech-savvy retailers who otherwise need the assistance of an elaborate technical team to get onto the e/m-space.

(Disclaimer: This is not a promotion of Zopper app).

After the recent debacle of BJP in Bihar, I recall the number of times I have raised the issue of Chandrababu Naidu’s earlier experience of losing an electoral battle despite wonderful contribution in the IT space in Hyderabad.  Even in future Modi’s Digital India dream will continue to face these challenges. The Land Acquisition Bill has already been grounded. The GST bill is unable to make progress. Congress will continue to oppose every progressive step that the Government initiates and soon the Congress will start attacking Modi’s Digital India project.

I have been warning the Government that if there is any large-scale information security breach and losses to the common people through Aadhaar misuse or credit/debit/ATM card misuse, then the blame will be placed on this Government. I will not be surprised if the opposition parties arrange a major hacking attack on the JanDhan scheme beneficiaries just before the 2019 Lok Sabha elections to discredit this program on which Modi places repeated emphasis.

Hence I feel that not focussing on proper strategies for Digital India will be harmful to the future of Mr Modi and to the development of India. Such strategies must cover both the aspect of “Security”, which I have been highlighting through the “Secure Digital India” concept, and the question of what kind of business/Governance can be run on the e-commerce/e-Governance platform, and how.

I see Zopper-type apps as a tool to ensure that the “FDI policy in retail” will not harm the local retailers. Similarly, the price rise of rice and dal, which was one of the factors that affected the BJP along with caste equations, can also be tackled by a proper e-PDS policy implemented through a Zopper-type network of retailers who can distribute dal and rice at reasonable prices to the public (including the middle class).

If properly implemented, the Government can run a Public Distribution System for the Middle Class (PDS-MC) as a separate system at a fraction of the cost of the current Public Distribution System for BPL families, which can continue in its present form. The PDS-MC can focus on such goods as middle-class families may require and offer them at a reasonable price with an assurance of quality and reliability. It could be like the old concept of the Janata Bazaar. SMEs and Public Sector enterprises may use this platform for marketing their products in direct competition with the Flipkarts, Snapdeals and Amazons as well as the Big Baskets, Pepperfrys or Peppertaps. Once the network of local stores on the e/m-space gets established, the Government can even think of FDI in multi-brand retail without any backlash from the market or the political adversaries.

Just as there is a disruption in the finance sector with the mobile wallets, let there be a revolutionary disruption in the retailing segment through the e-Janata Bazaars.

I am confident that if properly handled, these e-Janata Bazaars can work towards reducing the consumer price of essential commodities to the levels of 2014, when Mr Modi took over, and restore the lost confidence in the Modi Government in part of the electorate.

Naavi

Posted in Cyber Law

Bug Bounty Program from Government is required

It was heartening to note that during the recent Cyber Security Summit in Delhi (Ground Zero), Mr Rajnath Singh, the Home Minister, stressed the need for “Cyber Security” for the success of the other Government initiatives such as the Digital India.

Naavi.org has not only been highlighting this issue for a long time but has also been urging specific action plans from the Government in this regard, including “Cyber Insurance For ALL” as a Government initiative. Naavi also initiated a private sector Special Interest Group in “Secure Digital India” with the hope that other security professionals would join hands in providing voluntary inputs on information security to the Government. As a further follow-up, Naavi also initiated the “Cyber Law Compliance Center”. Naavi had also stressed the need for a revision of ITA 2008 with a vision on futuristic issues such as the Internet of Things (IoT) and Big Data, with a document on “Cyber Law Vision-2018”. After noting that the Government of India has set up an expert committee for a review of ITA 2000/8, Naavi has now also invited experts from the private sector to contribute ideas on what needs to be done in this regard through the “Special Interest Group on Amendment to ITA 2000/8”.

In all these efforts, the efforts of Naavi are unlikely to gather as much support as they deserve from the community. The reason is not that others are not as concerned about the welfare of the Digital India project as Naavi is, but that they all feel it is futile to do anything voluntarily for the Government or the country since it would not be appreciated.

Probably they are right but like an eternal optimist Naavi will continue to voice his views through Naavi.org and expect that just as many of his ideas have taken years to find support, these will also gain acceptance over a period of time, if not in this tenure of Modi, in his next tenure.

However, looking at the reasons for the lack of trust between Information Security professionals and the Government, the article “It’s No Secret That the Government Uses Zero Days for Offence” published in eff.org, gives a hint.

Though this article reflects developments in the USA, it has universal application. It highlights the fact that the Government of the USA is guilty of using many “Zero Day Vulnerabilities” for its own snooping rather than trying to secure the digital space with counter action that protects society against such vulnerabilities.

A citizen would think that if he finds a vulnerability, he has a duty to inform the Government so that society is kept safe. Many information security specialists also feel the same. Some of them do their best to contact the source of the vulnerable software so that the vulnerabilities are corrected. But companies driven by their business interests and immediate profit goals often do not make the necessary corrections and let the vulnerabilities remain. Some companies may reward the informers through their Bug Bounty program, but most do not have such programs in operation.

When companies fail to remove vulnerabilities, the security professional who pointed out the vulnerability has two options. One is to inform the regulatory authorities in the hope that they will initiate action against the company which has released vulnerable software and endangered the community of users; the other is to teach the laggard company a lesson by actually exploiting the vulnerability and making it more visible to the public.

If he chooses the second option, he will be called a “hacker” and probably be punished by law. If he chooses the first option and the Government itself tries to exploit the vulnerability instead of bringing about a correction, he will soon develop a distrust for the Government and eventually become a rebel and a hacktivist.

I invite Sociologists to conduct a study of the mindset of “Information Security Professionals who turn into Hackers” and identify the reasons for such transformation which is detrimental to the society.

At the same time, the minority of Information Security Professionals who resist the temptation of hacking and remain “Compliance Consultants” need to be identified, encouraged and recognized.

In the light of these thoughts, I would like to draw the attention of the Government to the following action elements.

If the Modi Government wants to continue its economic policy thrust based on digital development, despite the reversal in Bihar, and avoid the fate of Mr Chandrababu Naidu in Andhra, there is a need to merge the digital policies with social goals.

In working towards this goal, it is essential to ensure that the community understands and supports whatever we are doing sincerely for the good of the country. Just as political opponents can make capital out of anything, including a well-designed suit, and the fact that a majority of people are happy to continue living in a half-torn dhoti and say “Jai Lalu”, there are information security professionals who may turn into “Hackers” (or hacktivists) if they are not with you.

If the Government has to succeed in their mission “Digital India”, it is therefore essential for it to cultivate these IS professionals and take them on its side.

As somebody watching the developments in the Government and also closely watching the information security industry, I can categorically say that India possesses a huge talent pool of information security skills which is today not being tapped by the Government.

Many of these professionals are productively engaged in the private sector and some are successful entrepreneurs in the field of security. But the best in the field may be staying aloof from Government projects since they are not in the privileged “List of Accredited Experts” who get appointed as “Brand Ambassadors” and “Members of Expert Committees”.

The Government therefore needs a policy to bring such experts into the mainstream and give them the psychological satisfaction of having contributed to the growth of the country.

So far the policy of the Government has only been to introduce some courses in colleges and sponsor some workshops conducted by NASSCOM or DSCI. But most specialist information security professionals are outside the ambit of the Government-sponsored organizations and are not easily reached. They did not qualify from engineering colleges and do not hold the degrees and certificates based on which the Government tends to measure their utility.

The participation of Mr Rajnath Singh in events such as Ground Zero was therefore a welcome development and such interactions need to increase in future. One of the positive outcomes of this meeting is a policy initiative to start the Indian Cyber Crime Coordination Center (I-4C) and formation of a National Cyber Registry.

Bug Bounty By Government

Maybe in the context of the US Government using zero day vulnerabilities for its own use, a comprehensive policy for “Disclosure of Vulnerabilities”, providing for a Bug Bounty from the Government side, would be desirable to enable the reporting of zero day vulnerabilities without distrusting the Government.

Some would scoff at this idea of a “Bug Bounty by Government”, may not agree, and may feel that the Government should not take over private sector responsibilities. But I would like to state that the Government is a stakeholder in any vulnerable IT program in the public space, since it leads to a “Law and Order Issue in Cyber Space”.

If an Ola program or a Flipkart program or a Paytm program is vulnerable, and a million customers find their credit card data compromised and a few thousand of them get exploited, then there will be a huge issue of credibility of our online banking system. Hackers and enemy states may attack our banking system through these vulnerable private-sector apps. Hence the Government has a duty to watch the space and take curative action while the vulnerabilities are still at zero day status. This is like the public safety body objecting when a private multi-storeyed building is being constructed without safety features.

If there is a good Bug Bounty Program by the Government, then the Citizen who reports the vulnerability will have a reason to report the vulnerabilities and also create a record of the report. He can be rewarded immediately and later with a suitable recognition (Padma Bhushan?.. non returnable!) that goes beyond educational qualifications.

Having taken the vulnerability on record under the Bug Bounty Program, the Government would not be able to misuse the vulnerability. On receipt of such notice of a vulnerability, the Government can send a suitable notice to the developer, get the feedback and impose a fine to recover the cost of the bug bounty program. The program will therefore be self-financing.

Hopefully, the developers will insure themselves against such unexpected losses through a Cyber Insurance plan that covers the risk of being fined for vulnerabilities. (A new Policy Opportunity for Cyber Insurers!).

The actual reward to be paid and fine to be imposed may vary based on the threat impact assessment of the vulnerability. It can be a token of Rs 1000/- or a maximum of say Rs 5 lakhs depending on the assessment, for which some transparent guidelines can be developed.

Remember that if the vulnerability gets exploited, then the liability of the software releasing/using organization can be higher as per ITA 2008. Hence the system of a Government’s Bug Bounty program and a fine to cover the cost could be an acceptable suggestion which even the software/App development/user companies may welcome.

If the program requires an amendment to ITA 2008, it can be addressed by the new “Expert” committee being set up for the purpose of amendment. (If such “Experts” have a vision beyond the limited objective of restoration of Sec 66A in a form acceptable to Supreme Court)

In fact the software/App buyer can ask the developer to indemnify against any such vulnerabilities reported in the first one month of the release and later take over the liability himself. This will improve quality and testing of software before it is delivered for public use.

The program if introduced will therefore help the goal of Secure Digital India in multiple dimensions and I request the Government to consider it in right earnest.

Nice words have been spoken by the Minister during his inaugural speech at Ground Zero summit and if this finds support in its implementation, then it is an encouraging sign. There is still a long way to go in making this “encouraging sign” a real “game changer”.

Let’s keep watching the developments and hope for action from the Government.

Naavi invites the views of readers on this need for a “Bug Bounty Program by Indian Government” and on how to motivate all information security professionals to contribute towards Secure Digital India.

Naavi

More on the Summit

Posted in Cyber Law