This is not a simple theft.. It is Cyber Terrorism

Times of India has reported a story today from Surat (Refer: Decoder of Secret Information stolen..) in which it is reported that a precious decoder used by Police to decode encrypted messages has been stolen.

The report states “The device which is of the size of a briefcase can work anywhere in the world. Once turned on, it receives encrypted messages and translates it into readable form. The device was stolen during early hours on March 14 and police registered a theft complaint.”

It is necessary to recognize that this is not a simple “Theft” as the report makes it out to be. It can be considered as an offence under Section 66B since the device may be considered as a “Computer” under the definition used in ITA 2000/8.

More importantly, since the device can be used for committing a “Terrorist Act”, the theft can be considered as an “Attempt to Commit Cyber Terrorism under Section 66F of ITA 2008”.

Section 66B has 3 year imprisonment and Section 66F has “Life imprisonment” as possible punishment. In the event an ordinary thief (not a Naxalite) is involved in the crime, he should think of returning the device and surrendering to avoid the life imprisonment.

Gujarat Government may consider releasing an advertisement inviting surrender and also announcing an incentive to any informers just as in the case of a terrorist event.

Naavi

Posted in ITA 2008

Lessons from China to Indian Bankers and RBI

China Banking Regulations Commission (CBRC) has notified guidelines to the Banking industry to use “Secure and Controllable Technology” to strengthen the Internet based Banking system. This guideline has the potential to bring significant changes to the IT industry in China and also the vendors from outside China.

According to the guideline it would be mandatory for Banks in China to use “Secure and Controllable” IT products at a minimum rate of 15% increase each year and to reach 75% by 2019. The criteria for determining the status of a product as “Secure and Controllable” have been detailed in the guideline and include the following.

1. IT Vendors are required to establish own R&D service centers in China

2. Source code should be filed with CBRC

3. Risk of Product supply chain should be controllable. (i.o.w. there could be a need for more local production in the entire supply chain)

4. The IP rights in respect of certain products could be subordinated to the local requirements. (i.o.w. provisions similar to compulsory licensing may be used)

As a result of these regulations, it would be necessary for the following:

1. Supplier/Service Contracts will have to incorporate necessary compliance clauses.

2. Banks will have to deploy 5% of their R&D budget on deployment of Secure and Controllable IT products

3. Banks need to subject themselves to an annual audit by CBRC to determine compliance.

As a result of these changes, Indian IT companies having operations in China with exposure to Banking industry need to be prepared for a compliance related modification of their business contracts. If they fail to adapt, the supply contracts may be terminated.

I think RBI needs to pick up a few lessons from these guidelines since they have mindlessly allowed domination of Chinese products in the Indian Banking industry exposing the country to a great disadvantage in the event of a Cyber War. Banks should also understand that there is national interest beyond the need to increase their bottom line.

We remember that during the UPA regime, a Security Certification Center was established under the guidance of IISC Bangalore to test IT products from China in particular which were suspected to have OEM-back doors, but was actually sponsored by Huawei!

I hope the National Cyber Security team in India takes note of these developments and initiates appropriate actions.

REFER:

China Banking IT Regulation Tightened Up

China Issues new CBRC guidelines

CBRC issues clarifications

CBRC makes life difficult for MNC vendors

Naavi

Posted in Bank, RBI

Verdict on Section 66A expected tomorrow at 10.30 am

The much awaited judgement on whether Section 66A of ITA 2008 is constitutionally valid or not is expected to be pronounced tomorrow at 10.30 am.

Section 66A has been frequently abused by Police when it has been used to arrest persons making posts on Facebook, Twitter or Blogs. In at least one case, a person was arrested for clicking on “I like” on a Facebook post.

Most of the arrests under Section 66A have been related to criticisms of politicians in the form of comments and cartoons under the pretext that they were “Defamatory” and “Caused annoyance”.

Simultaneously, Section 79 of the Act may also come under review. Under this section, a few people have interpreted that it is necessary for a blog owner to remove content within 36 hours of an objection having been lodged.

Both the arrests under Section 66A and the perception of mandatory removal of content under Sec 79 are being held out as showing that the sections adversely affect the “Freedom of Expression” as guaranteed by the Constitution.

Naavi.org has debated this section in detail in the past and links to these articles are found below. The essence of the views expressed is that “Abuse of Section 66A” is a matter of ignorance, as well as misuse of the powers by Police and Politicians. Section 66A in our opinion was meant for addressing issues such as Cyber bullying, Cyber Stalking, Spamming, Phishing, Threatening by SMS/Email etc. Section 66A is very much required to meet these requirements. Similarly, Section 79 imposes no obligation to “Remove Content” when an objection is raised by a person who perceives himself to be a victim. Only a judicial review can order removal of content. This has been clarified by the Government subsequently, though the original notification was not worded properly by the Government.

It would be interesting to note whether the Supreme Court judgement would be dictated by the “Perception” or “Reality”. The widespread perception is that Section 66A or 79 may curtail the freedom of expression, but the reality is that this perception is the result of misuse of law by politicians and police. Such misuse has been in existence before these sections became available and will continue even if these sections are removed.

I wish Supreme Court judgement would reflect this reality. I will be happy if the Supreme Court suggests some checks and balances whereby misuse of the section by Police is made punishable rather than removing the provisions themselves which have other uses.

It is however acknowledged that the Government might not have put up its case properly and the decision may reflect only how effectively the two sides have argued the matter in the court.

After all, in computers we say “Garbage in, Garbage out”. Similarly in the Indian system of justice dispensation, it is the relative strengths of the adversarial arguments that determine the judgement and a perception of “Judicial Precedent”.

If the decision is in favour of removal of the section, then Government needs to think of bringing a suitable amendment to ITA 2008 retaining the major part of the section and accommodating the Supreme Court observations as explanations.

Naavi

Other related articles in Naavi.org:

Section 66A and Section 79 of ITA 2008 at Supreme Court

Section 66A coming for review at Supreme Court..the issues

IRDA files Section 66A Complaint against an activist

Mumbai High Court on Section 66A

No Arrests under Section 66A without prior approval of higher officers

Section 66A abused again

Advisory on Section 66A

Mis-perceptions about Section 66A

Section 66A is not meant for “Cyber Defamation”

Government issues clarification on Section 79 rules

Posted in ITA 2008

Indus Media and Communication Ltd committing a Cyber Crime?

[Image: indigital_stb_killing]

Indus Media and Communication Ltd, which manages the cable TV service (InDigital) in Bangalore, is knowingly or unknowingly committing a Cyber Crime and admitting the same in its broadcasts. As we can see in the above photograph (dated 19th March 2015), there is a pop up on the TV saying “This STB has reached its end of life”. This notice is normally followed by an advertisement that a new STB would be provided at a cost of Rs 500/-.

Obviously the threatening message is an attempt to sell its new STBs for whatever advantage it perceives. There is therefore both a “Threat” and also an attempt to derive a “Commercial Benefit”. It is therefore an attempted “Extortion” under IPC.

Indus Media has taken over many of the local operators and many of these consumers are using the STBs which they possessed before the changeover. Now Indus Media appears to be interested in phasing out these STBs and replacing them with new STBs.

If the offer was a free upgradation, one can appreciate that there could be some technical convenience to the company (Which could be nothing but they would have better control to switch off the consumer’s connection at their discretion). But when the company wants the consumers to pay for the upgrade, the notice is to be seen as an unfair attempt at enrichment.

What the Company however is not realizing is that they are making a statement that the “Set Box is reaching the end of its life”.

Consumers cannot understand how when technically the STB is still working, Indus Media knows that it is about to die?.. unless it is being killed?….

If the STB is being killed, then it amounts to “Denial of Service” and also “Hacking into the STB” to disable it. Both are offences under Section 66 of ITA 2008. These are cognizable offences and the Police can launch an investigation immediately.

I have sought explanation about the pop up from the customer care department which however has not yet answered.

Since the company has itself admitted their intention to kill the STB, there is no need for further evidence in this regard and the Police can act immediately and take action to arrest the officials of Indus Media in Bangalore and file a suitable case against them.

I request the Cyber Crime police in Bangalore to take up this case as an “Attempt to Murder” an “Electronic Device” and take appropriate action.

Naavi

Posted in Cyber Law, ITA 2008

TCS set to withdraw from Digital Certificate Issue

It appears that TCS-CA which was one of the licensed Certifying authorities has decided to close down its business. On the website it is reported that they have stopped issuing further certificates from 1st December 2014.

However the CCA website still does not record this information.

Already MTNL and the Department of Customs have closed their Certifying Authority business. But it is surprising why TCS decided to back down.

If we analyze the Digital Certificate market, there is a good business potential because of the mandate in submission of IT and MCA returns. If TCS withdraws it will further reduce the competition to only Safescrypt, n-Code and E Mudhra. The result could be an increase in the cost for those who want to adopt the system of judicially recognized digital identity.

However we observe that most of the CAs are not compliant with the provisions of ITA 2000/8 and CCA is remaining silent. Recently the Government’s digilocker project has been conceived in violation of ITA 2008 provisions and CCA seems to be unmindful. Bankers have always been reluctant to use digital signatures and prefer to flout the law while RBI looks the other way.

In the light of these developments, it is disheartening to see TCS withdrawing from the business. Unlike other CAs, TCS was operating on indigenously developed technology while others had to pay royalty to some foreign technology providers. In spite of this, if TCS finds it unprofitable to be in the business, it could also be because the other CAs are flouting regulations to expand the market which TCS may not be willing to do.

I wish TCS clarifies the reasons for their exit from the business.

Naavi

Posted in Cyber Law, ITA 2008

Yet another Bank Fraud.. What will RBI say?

Bank frauds have been so common in India that it hardly surprises anybody when a new fraud is reported. The Banks are after technology in a hurry and RBI has either no clue to the risks or is just unable/unwilling to regulate the banks as we have frequently pointed out.

The reason for the situation is that RBI has not been implementing its own regulations to secure Banking in Cyber Space and Banks have effectively silenced Adjudicators and the Cyber Appellate Tribunal so that fraud victims are unable to get justice. The “Lawlessness” is so palpable that cyber criminals are emboldened to try commission of frauds at every opportunity. RBI in the meantime is busy diluting the security in cyber banking and remaining silent when non-compliance of law is brought to their notice.

To bring the discussion to the context, TOI reports today that “Anti-Nationals pull off Rs 6.9 crores” using cloned and stolen cards. What the report fails to recognize is that the cloned cards were one of the instruments used and the other major instrument used was “Bank Accounts” opened by the fraudsters in some Bank/s (names of the card-issuing Banks and the money-receiving Banks are not revealed in the article). These Banks have opened the accounts without proper KYC and are mainly responsible under Anti Money Laundering as accessories/abettors to the fraud.

The report states that the fraudsters were Dubai based and hence they were “Anti Nationals”. But what about the Banks which opened the accounts for these Anti-Nationals? Are they also not “Anti Nationals”?

The main culprits in such cases of KYC failures leading to frauds are AXIS Bank and ICICI Bank with PNB and SBI not far behind.

Will RBI name and shame these Banks? Will it dismiss or take disciplinary proceedings against the Chair Persons of these Banks instead of the Governor dining with them with IMF dignitaries?

The fraud is an indication of lack of security in the Banking system for which RBI is solely the custodian. It appears that Mr Raghuram Rajan has failed to assume responsibility for the security of Banking and has to start looking at this part of his role also. If he wants to remain only as an Inflation Monitor, Government needs to look at creating another organization that is solely responsible for regulating the security in the Banking system and take this responsibility away from RBI.

Naavi

Posted in ITA 2008