Tech Mahindra starts use of Digital Signatures for job offers

Posted on March 12, 2015 by Vijayashankar Na

It was heartening to note that Tech Mahindra has reportedly started using digital signatures for sending out its job offers to counter the phishing mails sent in their name. (See Report Here).

This has been a continuing demand of the undersigned for last decade and I am happy to note that at least now one company has realised the importance of being Cyber Law Compliant.  We presume that this would be because of some enterprising and committed individual in the IS department who is different from others. We congratulate this anonymous IS professional for his initiative.

We may note that ICICI Bank was pulled up by the Adjudicator of Tamil Nadu in the phishing case in which ICICI Bank was ordered to pay compensation to their client Mr S.Umashankar who had suffered a wrongful loss on account of a phishing mail, for not using digital signatures on their mail communication to the clients. Banks have still not learnt their lessons since the lethargic judicial system of India supported by the lethargic bureaucracy is available to them to prolong litigations and harass their customers into submission in such cases. But we have faith in the adage “God Sees the Truth But Waits” and one day Banks will realize that they would be held liable for Phishing because they failed to use digital signatures on their mails as a continuing practice.

It was also reported (See report here) opening of emails with subjects such as “Salary Hikes for Government Employees” was a reason for a Pakistani firm stealing data from Government functionaries. If the Government had adopted the use of digital signatures for their internal communications, the possibility of such data thefts could have been reduced.

Having reiterated the need for the use of digital signatures by corporates as a part of the ITA 2008 compliance requirements in India and as a risk mitigation measure in general, it is also necessary to point out two other aspects that have a bearing on the use of digital signatures.

Firstly, the “Ponemon Institute’s 2015 Cost of Failed Trust Report” revealed that  most organizations believe the trust established by cryptographic keys and digital certificates, which they require for their businesses to operate, is in jeopardy. This study done across 2300 IT security professionals in Australia, France, Germany, UK and US, concludes that in the next two years attacks on keys and certificates are likely to increase and threaten the crypto systems. Security professionals look at the possibility of a “Crypto-apocalypse”, a scenario where standard algorithms of trust like RSA and SHA are compromised and exploited overnight. (Apocalypse=pralayaMtaka darshana/shruti/saakshaatkaara, in Sanskrit or Kannada)

In the light of this survey, we are in a situation where we need to ask “Are we in India ready to face the consequences of a Crypto apocalypse”?

My recent encounters with some of the certifying authorities indicate that even those who are using digital signatures in India are doing so in an extremely insecure manner and the CCA is itself grossly negligent of turning a blind eye to the situation of organized non compliance of ITA 208 by certifying authorities.

Wish CCA responds to this post.

Naavi

Posted in ITA 2008 | Leave a comment

Digi Locker Beta Release

Posted on March 7, 2015 by Vijayashankar Na

Government has opened the beta version of the Digital Locker operated by CDAC and UIDAI which provides 10MB free storage space for every Aadhar number holder. It envisages that members can upload their ID documents and share it with other Government agencies if required.

The service is available at   http://digilocker.gov.in. It can also be accessed through http://digitallocker.gov.in and http://elocker.gov.in.

The site carries a digital certificate from an Indian Certifying Authority unlike many other web sites which are using certificates issued by verisign which is not licensed in India. However it is surprising to note that instead of using a digital certificate issued by the Government owned NIC, the site uses the certificate from (n)code solutions which is a private sector certifying authority. Also, some of the practices used by (n)code solutions for issue of digital certificates to public is not in accordance with the legal procedures suggested under ITA 2008. It is therefore surprising that the project has preferred to use their services instead of NIC or other more Cyber Law Compliant Certifying Authorities.

At the time of account creation and for certain other operations, the site uses OTP as a verification mechanism. It appears that an “e-sign” procedure is envisaged for users to individually authenticate the documents. But this is not yet working properly at present. It is also not clear what is meant by e-sign in this context.

The documents would be made available to designated agencies of the Government. Users can also send the document to another person through email.

While the concept of making available a free digital document storing place is welcome it is necessary to note that the site is short in the implementation of ITA 2008 compliance measures.

The website is silent on the issue of storage of information and it is unlikely to be in an encrypted state. We draw the attention of readers to my immediate previous post about the data breach in Anthem Inc, USA and the consequences. We are already aware that the Aadhar data base has been compromised in parts many times and lakhs of aadhar records would be available with cyber criminals as well as the enemy states of India. Now if the linked information is also leaked, it is a goldmine for terrorists in Pakistan or ISIS as well as countries like China who are preparing for Cyber space domination.

Government of India may be unaware of the risks that it is undertaking in this project and Modi Government should be prepared for a huge embarrassment at some time in future.

Employers should also be ready for a completely faked employee IDs with fake marks cards etc which may completely compromise their background verification systems. This can enable more Mehdi’s to find employment in critical sector and compromise the national security interests.

We hope the authorities will take a deep breath and review the security of the system before proceeding further.

Naavi

Posted in Cyber Crime, Cyber Law, ITA 2008 | 1 Comment

Multi Billion Dollar Catastrophe…

Posted on March 7, 2015 by Vijayashankar Na

anthem_video

On January 29, 2015, Anthem Inc, a Health Insurance provider in US (second largest in US) reported a discovery of a Cyber Attack in which it is estimated that about 78.80 million health records have been compromised. (Refer here). The incident has sparked many law suits and is expected to impact the information security practices in US and elsewhere. (See report in Fortune)

The data that were accessed by hackers was not encrypted and contained identity details such as the social security numbers. This is a violation of the security requirements under HIPAA-HITECH Act and attracts civil penalty from the department of Health and Human Services (HHS).

 According to the company’s admission, hackers gained access to Anthem’s data by stealing the network credentials of at least five employees with high-level IT access. The data is believed to have been extracted over a period of 6 to 8 weeks during which the attack went undetected. The company claims that the attack was “Sophisticated” but only the investigations will reveal if it was really a sophisticated attack or a simple phishing attack.

This data breach may be the largest in terms of the financial implications on an organization. The company is said to have an insurance cover of US$ 100 million but the claims under this case may far exceed this limit. This could also be a big set back for the Cyber Insurance industry. The black market rate for health data in US is estimated to be around US 470 per record (See this article). The value of the data lost at Anthem in the black market is therefore around US$ 37.6 billion or Rs 2,33,000 crores. The value in the black market for a data is normally 5 to 10% of the potential benefit that can be derived from the data by a buyer. Hence the estimated gross value of the data lost in terms of the potential loss to consumers could be of the order of US$376 billion. (Also see here)

Now Anthem is focusing on its responsibilities under HIPAA-HITECH Act to assist the affected persons to protect themselves from the consequences of identity theft by providing a two year protection service from All Clear ID. (Refer here)Individually the cost of such service is around US$14.95 per month and for the 78.8 million IDs to be protected the total potential cost is Us $28 billion. Of course Anthem may get a much cheaper bulk rate. But the cost is still likely to be of the order of US $ 3 billion. This is besides the cost of sending data breach notices to 78.8 million people by US first class mail.

The net impact of this data breach on the Health Insurance industry, the Cyber Crime Insurance industry, as well as the status of HIPAA implementation across US (extended to Business Associates in India) are likely to be enormous. It will shake the whole industry and perhaps bring in several lasting changes in industry practices.

In the meantime, Anthem has also attracted another controversy by refusing to allow the US regulator the “Office of Inspector General” (OIG) to conduct a vulnerability scan of their systems citing their corporate policy that no external audit is permitted. (Refer here)

The Office of Personnel Management of  OIG  oversees the Federal Employee Health Benefits Program and in the course of such supervision  performs a variety of audits on health insurers that provide health plans to federal employees. Though it is a regulator of sorts, it is not having the same powers available to the HHS which is the regulator under HIPAA which has the powers of audit and imposition of penalty. The powers of the OIG has to be derived from a contract which Anthem believes are non existent.

While at first glance this attitude of Anthem appears to be self defeating from a PR angle, it is likely to establish the primacy of HHS as the sole regulator of Health data breach and resist an attempt by multiple agencies to fish in troubled waters. (Also see here).

Anthem attack itself has resulted from Phishing and now the incident itself has become a source for many other scams involving phishing e-mails offering various services. The collateral damage of this fraud can therefore go beyond the Health Care data breach.  Already suspicions are being aired about the hacking having emanated from China (See here). If these rumors are confirmed the breach may get a “Cyber War” tag similar to the recent attack on Sony attributed to North Korea.

The incident therefore has many dimensions and security professionals need to keep a watch on the developments.

End of the day one wonders…could a better “data encryption under storage” could have prevented this multi-billion dollar catastrophe?

Naavi

hipaa_apnacourse1

Posted in Cyber Law, HIPAA, ITA 2008 | Leave a comment

PMO finds a Chief of Cyber Security

Posted on March 4, 2015 by Vijayashankar Na

 

It is reported (Refer article in ET) that Dr Gulshan Rai who has been a veteran in Cyber Security and part of MCIT for a long time has been drafted by the PMO as head of Cyber Security.

In the recent days, PM has been expressing some concern on Cyber Security and there was no better person to take this forward. In the Corporate world, we say that a designation/appointment of a person as CISO is a significant development in the road to Information Security implementation. Similarly this appointment is a significant step to demonstrate the commitment of the Government to address Cyber Security Issues.

We take this opportunity to congratulate Dr Gulshan Rai and wish him all the best. We hope necessary support would be made available by the Government to Dr Rai to ensure that his mission would be successful.

At the same time we need to remind that Dr Gulshan Rai was the Head of Department overseeing the Cyber Appellate Tribunal (CAT) which is still crying for appointment of a Chair Person. Our repeated requests to Mr Ravi Shankar Prasad as well as the PMO has not elicited any response.

Since Dr Rai is fully aware of the past issues involved in this aspect, we trust that CAT would soon get activated.

During the previous time when CAT was active, there was a move to set up a bench of CAT in Bangalore.

I request Dr Rai to take up this suggestion once again so that litigants from South India need not travel to Delhi every time for hearings.

I also draw the attention of Mr Siddaramaiah, the honourable Chief Minister of Karnataka with a request to take up the issue to the logical end.

Naavi

apna_ad_nov24

Posted in Cyber Law | Leave a comment

Monitoring of Employee Internet Activity

Posted on February 6, 2015 by Vijayashankar Na

After the recent incidents involving corporate employees engaging in terrorist activities, there is an increasing necessity for companies to monitor the employee’s internet activities.

The Hyderabad police have reportedly advised companies to monitor the social media activities of their employees as a part of anti terrorist measures.

From the Information Security point of view it therefore becomes mandatory for companies to put in place appropriate technology measures to monitor the activities of their employees at least when they use the IT assets of the company.

Further the HR department needs to device methods to monitor the behavior of their employees that indicates any pattern of activities that indicate radical leanings of the employees towards ideologies that may nurture terrorism.

This is the new challenge to CISOs following the Mehdi Masroor incident in Bangalore.

Naavi

Posted in Cyber Law | Leave a comment

Current Status of Cyber Appellate Tribunal

Posted on January 26, 2015 by 98410spice

Recently press appears to have discovered a new interest on reporting the current status of the Cyber Appellate Tribunal in India.

Last week the Mumbai press reported the number of cases decided by the Maharashtra Adjudicator Mr Rajesh Agarwal who has become the “King of Adjudicators” by deciding on a number of adjudication complaints. In particular, on 20th January, TOI Nagpur reported the case of a senior citizen who got a relief of Rs 3 lakhs from State bank of India. on 14th January, TOI had also reported that in recent times six banks and a telecom operator had been asked to pay compensation under ITA 2008 in different decisions.

This development is encouraging. After the Tamil Nadu adjudicator Mr P W C Davidar kicked off the trend with the Adjudication in the case of S.Umashankar Vs ICICI Bank and ordered ICICI Bank to pay compensation to the phishing victim, and followed it up with another similar decision, Banks started fighting back to defeat the system. First the Banks tried to manipulate RBI through policy changes which however did not succeed. In fact RBI through the Gopala Krishna Working Group report on E Banking security reiterated the liability of Banks in such cases. However after the new Governor of RBI took over different wings of RBI has not been focusing on E Banking security and there is a danger of the system turning anti customer in due course.

The undersigned has been running a crusade to ensure that the well intentioned system of fast grievance redressal system envisaged under ITA 2000 which could provide compensation to cyber crime victims withing 4 months under adjudication and settlement of the appeal at the next level within 6 months through a simple process.

After the initial successes with the TN adjudicator, except for the island of wisdom running in Maharashtra through Mr Rajesh Aggarwal, there is gloom alround the country when it comes to cyber crime victims.

I reiterate again and again that neither Mr Narendra Modi our honourable Prime Minister nor the minister of IT Mr Ravi Shankar Prasad has shown any inclination to remove the gloom.

Let me record here once again why I am forced to make such a strong statement against an otherwise commendable performance by Mr Modi in other sectors and as I continue to watch the Republic Day celebrations.

First reversal to the fortune of Cyber Crime victims occurred in Tamil Nadu when Ms J Jayalalitha took over as the CM. As a matter of routine, she shifted Mr P W C Dawidar from the post of IT Secretary. Other IT Secretaries who followed never discharged their responsibilities as “Adjudicators” to the extent Mr Dawidar had done.

The second major reversal occurred in Bangalore which is otherwise supposed to be the repository of IT wisdom in the country. Here a conflict of interest intervened a decision in which Axis bank was one of the respondents because it also happenned to be a Banker to the E Governance activities of the Government. The result was that the adjudicator dismissed the complaint for the reason “The word Person used in Section 43 of ITA 2000 does not include a company and hence no complaint can be entertained if filed by a Company or against a Company”. This effectively kept Companies outside the purview of most of the ITA 2000 and no complaint either civil or criminal could be filed either by a Company or Against a company. This converted Karnataka into a “Cyber Crime Haven”.

Despite the Karnataka Human Rights Commission taking up the issue and the Legal department of the Karantaka Government confirming that the word “Person” in law includes a body corporate, the current IT Secretary has made it an ego issue and refuses to accept that a mistake was made.

Karnataka High Court as well as the Chief Minister of Karnataka have also failed to intervene effectively to correct the situation.

Now the only legal means available to the Cyber Crime victims is to get the order of the Karnataka Adjudicator reversed through an appeal at the Cyber Appellate Tribunal.

Here in comes the greatest disappointment. It has been more than 3 years since Justice Mr Rajesh Tandon retired as the Chair Person. Since then the Government of India has been unable to appoint a successor. Yesterday’s article in New Indian Express has rightly captured the developments and drawn the attention of the public to the unacceptable situation that prevails in the country when the apex cyber judiciary authority remains non functional due to non appointment of a chair person.

It is necessary to point out that this bizarre situation has been brought to the notice of all relevant Ministers, Chief Ministers, Prime Ministers, President of India as well as the Chief Justices of Karnataka and the Supreme Court as well as political party leaders, at different points of time.  But it appears that no body is able to find a solution to the problem.

During the days of the UPA Government it appeared that the department wanted to push through one appointment which the then Chief Justice of India did not approve and hence there was a delay. But now that there is Mr Modi’s Government and a new Chief Justice it appears that this issue is simply not in the priority list of activities either for Mr Ravi Shankar Prasad nor Mr Modi.

I wish some body responsible in the PMO takes up this issue and brings it to the knowledge of Mr Modi.

I would like to ask our action oriented Prime Minister, if the appointment of a Chair Person to the Cyber Appellate Tribunal more difficult than forging a friendship treaty with Mr Obama?

I would like to ask the lawyer turned IT Minister Mr Ravi Shankar Prasad, whether it is possible to speak about Cyber Security without having a proper Cyber Crime judicial system in the country?

I would like to ask the Secretary of the MCIT, whether it is not possible to find a suitable candidate acceptable to the Chief Justice of India or there is no willingness to act?

I wonder who is the beneficiary of this grand negligence? Any guesses?

Or Should we ask Mr Modi’s friend Barak to use his good offices and make it a part of Indo-US security related discussions!

Naavi

Posted in Cyber Law | Leave a comment