Indus Media and Communication Ltd committing a Cyber Crime?

[Photograph: indigital_stb_killing]

Indus Media and Communication Ltd, which manages the cable TV service (InDigital) in Bangalore, is knowingly or unknowingly committing a Cyber Crime and admitting the same in its broadcasts. As we can see in the above photograph (dated 19th March 2015), there is a pop-up on the TV saying “This STB has reached its end of life”. This notice is normally followed by an advertisement that a new STB would be provided at a cost of Rs 500/-.

Obviously the threatening message is an attempt to sell its new STBs for whatever advantage it perceives. There is therefore both a “Threat” and also an attempt to derive a “Commercial Benefit”. It is therefore an attempted “Extortion” under IPC.

Indus Media has taken over many of the local operators, and many of these consumers are using the STBs which they possessed before the changeover. Now Indus Media appears to be interested in phasing out these STBs and replacing them with new STBs.

If the offer was a free upgrade, one can appreciate that there could be some technical convenience to the company (which could be nothing more than better control to switch off the consumer’s connection at their discretion). But when the company wants the consumers to pay for the upgrade, the notice is to be seen as an unfair attempt at enrichment.

What the Company however is not realizing is that they are making a statement that the “Set Box is reaching the end of its life”.

Consumers cannot understand how, when the STB is technically still working, Indus Media knows that it is about to die... unless it is being killed?

If the STB is being killed, then it amounts to “Denial of Service” and also “Hacking into the STB” to disable it. Both are offences under Section 66 of ITA 2008. These are cognizable offences and the Police can launch an investigation immediately.

I have sought an explanation about the pop-up from the customer care department, which has however not yet answered.

Since the company has itself admitted their intention to kill the STB, there is no need for further evidence in this regard and the Police can act immediately and take action to arrest the officials of Indus Media in Bangalore and file a suitable case against them.

I request the Cyber Crime police in Bangalore to take up this case as an “Attempt to Murder” an “Electronic Device” and take appropriate action.

Naavi


TCS set to withdraw from Digital Certificate Issue

It appears that TCS-CA which was one of the licensed Certifying authorities has decided to close down its business. On the website it is reported that they have stopped issuing further certificates from 1st December 2014.

However the CCA website still does not record this information.

Already MTNL and the Department of Customs have closed their Certifying Authority business. But it is surprising why TCS decided to back down.

If we analyze the Digital Certificate market, there is a good business potential because of the mandate in submission of IT and MCA returns. If TCS withdraws, it will further reduce the competition to only Safescrypt, n-Code and E Mudhra. The result could be an increase in the cost for those who want to adopt the system of judicially recognized digital identity.

However we observe that most of the CAs are not compliant with the provisions of ITA 2000/8 and CCA is remaining silent. Recently the Government’s digilocker project has been conceived in violation of ITA 2008 provisions and CCA seems to be unmindful. Bankers have always been reluctant to use digital signatures and prefer to flout the law while RBI looks the other way.

In the light of these developments, it is disheartening to see TCS withdrawing from the business. Unlike other CAs, TCS was operating on indigenously developed technology while others had to pay royalty to some foreign technology providers. In spite of this, if TCS finds it unprofitable to be in the business, it could also be because the other CAs are flouting regulations to expand the market, which TCS may not be willing to do.

I wish TCS clarifies the reasons for their exit from the business.

Naavi

 


Yet another Bank Fraud.. What will RBI say?

Bank frauds have been so common in India that it hardly surprises anybody when a new fraud is reported. The Banks are after technology in a hurry and RBI has either no clue to the risks or is just unable/unwilling to regulate the banks, as we have frequently pointed out.

The reason for the situation is that RBI has not been implementing its own regulations to secure Banking in Cyber Space, and Banks have effectively silenced Adjudicators and the Cyber Appellate Tribunal so that fraud victims are unable to get justice. The “Lawlessness” is so palpable that cyber criminals are emboldened to attempt frauds at every opportunity. RBI in the meantime is busy diluting the security in cyber banking and remaining silent when non-compliance with law is brought to their notice.

To bring the discussion to the context, TOI reports today that “Anti-Nationals pull off Rs 6.9 crores” using cloned and stolen cards. What the report fails to recognize is that the cloned cards were only one of the instruments used; the other major instrument was “Bank Accounts” opened by the fraudsters in some Bank/s (the names of the card-issuing Banks and the money-receiving Banks are not revealed in the article). These Banks have opened the accounts without proper KYC and are mainly responsible under Anti Money Laundering as accessories/abettors to the fraud.

The report states that the fraudsters were Dubai based and hence they were “Anti Nationals”. But what about the Banks which opened the accounts for these Anti-Nationals? Are they also not “Anti Nationals”?

The main culprits in such cases of KYC failures leading to frauds are AXIS Bank and ICICI Bank with PNB and SBI not far behind.

Will RBI name and shame these Banks? Will it dismiss or take disciplinary proceedings against the Chair Persons of these Banks instead of the Governor dining with them with IMF dignitaries?

The fraud is an indication of lack of security in the Banking system, for which RBI is solely the custodian. It appears that Mr Raghuram Rajan has failed to assume responsibility for the security of Banking and has to start looking at this part of his role also. If he wants to remain only as an Inflation Monitor, Government needs to look at creating another organization that is solely responsible for regulating the security in the Banking system and take this responsibility away from RBI.

Naavi


At Last Government of India remembers the Cyber Appellate Tribunal

After nearly 4 years of mysterious inaction, Government of India has now realized that the Cyber Appellate Tribunal (CAT) needs a Chair Person and called for applications.

It may be remembered that on 30th June 2011, Justice Rajesh Tandon demitted office after reaching superannuation. Subsequently Justice S.K.Krishnan, a retired Judge of the Madras High Court, was appointed as a “Member” of CAT. Mr Krishnan was eligible for the post of Chair Person and there was no reason to believe that he was good enough to be a member but not good enough to be the Chair Person. In an absurd way of Government functioning, Mr Krishnan remained in the CAT office for about 9 months and went into superannuation as a “Member” who did not attend any hearing. During this time the Ministry headed by Mr Kapil Sibal had time to appoint a technical member to the CAT and a Head of Department of CAT. These two posts had little meaning in the absence of a functioning CAT.

After exhausting all avenues such as writing to the Minister of IT, Secretary of Ministry of IT, PM, President, Chief Justice of India, Rahul Gandhi, Sonia Gandhi etc., the non-appointment was questioned in more than one Court. The Karnataka High Court was close to passing strictures on the IT department when finally the Kapil Sibal led ministry gave an undertaking that they would fill up the post “Expeditiously” and the High Court was satisfied. During the proceedings, it was revealed that the Ministry had sent a recommendation which the Chief Justice had declined and the matter was left to rest there without an alternative name being suggested by the Ministry.

Despite the undertaking to the Court, the Ministry did not do anything for the appointment and soon the elections came and overtook the Kapil Sibal ministry.

What is surprising however is that even after the new Government took over and the thrust on Digital India and E Commerce was announced, the ministry failed to take steps to fill up the CAT Chair Person’s post. The undersigned has been pursuing this literally from day one of Mr Ravi Shankar Prasad’s appointment but for reasons known to the department the matter remained unattended.

Somehow, two major appointments are now sought to be filled up by the IT Ministry. First is the Chair Person of CAT and the second is the post of the Director General of INDIA CERT, a position which was vacated by Dr Gulshan Rai, again on attainment of superannuation. Now Dr Rai has been appointed as Chief of Cyber Security at the PMO and maybe he has initiated the current moves to fill up both the positions of the Chair Person CAT and Director General IN-Cert.

The time given for receiving the applications is April 13 for the IN-CERT position and April 20 for the CAT position. The requirements are available here.

1. Director General of IN CERT

2. Chairperson of CAT

It would be interesting to see who will occupy these key positions which are critical for the Indian thrust for digitization. (See this article on Cyber Law Eco System).

In the meantime, Mr Rajesh Aggarwal, who was one of the most active Adjudicators in India (as IT Secretary, Maharashtra), has been posted as Joint Secretary (Financial Services) at Government of India, Delhi and has been lost to the Cyber Law Eco System. The other person who contributed a lot as an Adjudicator was Mr PWC Davidar of Chennai, who also got transferred in a routine transfer when the AIADMK Government took over in TN.

At present there is no other active IT Secretary in India and hence the system of Adjudication is languishing.

I request the Government to immediately organize a training of all the IT Secretaries so that by the time the new CAT starts functioning, the support system would also be in place. Otherwise this will be the first task of the new Chair Person of CAT.

Naavi personally and Naavi.org wish whoever may occupy these critical positions all the best in their endeavour to stabilize the Cyber Law Eco System in India and assist the Modi Vision of a Digital India.

We know that it is still a wait up to around June for the appointments to be completed. But having waited for 3 years and 9 months, a wait of another three months is not too difficult for persons like us.

Naavi


Security Audit Vs Maintenance, the Gap is large..Verizon Study

Verizon has recently released the 2015 report on PCI Compliance, which has provided some key insights into the current practices in industry. Though on the face of it the report indicated that about 80% of the companies were validated as PCI DSS compliant in internal assessments, the reality was that the compliance was not sustained over a period of time. The report highlights the fact that only 28.6% of companies actually maintained their compliance status on all the 12 controls they committed to under the PCI DSS audit. It was therefore not surprising that data breaches detected in 9700 sampled companies indicated over 43 million security incidents in 2014, showing a compounded annual growth of 66% since 2009 and an increase of 29% over the previous year.

On the positive side, the survey indicated that though the sustainability of compliance dropped off soon after the validation, compliance in 11 of the 12 compliance factors actually saw an improvement, with the biggest compliance being in authentication access. The compliance drop was noticed in compliance with testing procedures.

The study indicated that “Maintenance of policy addressing security awareness building” within the workforce was one of the neglected aspects of compliance with a measly 4% increase in compliance effort.

The report is an eye opener to organizations: it is not enough for an information security assessment to be done at a point of time; there is a need to sustain the compliance as an ongoing practice in the organization. There is therefore a need to assess the controls that specifically address the “Sustainability” of compliance efforts so that the benefits of an assessment and validation are retained for a longer time. Alternatively, organizations can consider whether internal reassessments should be undertaken at more frequent intervals, in the hope that this will help improve the sustainability factor.

Naavi

 

Reference: Article in Computerweekly : Article in neirajones blog


Digi-locker Project may consciously flout Information Technology Act

The digilocker beta project launched by the Government of India seems to be set to introduce a precedent which is ultra-vires the Information Technology Act 2000/8.

According to the information available, the Digi Locker can be used to store important documents of the public such as marks cards, PAN cards etc. in e-form. They can also be submitted to authorized Government departments for various services with an “e-sign” of the document owner.

The concept of e-sign which is proposed to be adopted by technologists advising the Government appears to be not in accordance with the provisions of the Indian Information Technology Act. According to the proposal, the public and private key pair for e-sign would be generated on the CA’s systems and not under the control of the signer. This would amount to a compromise of the Private Key ab-initio.

Further, use of the private key which is known to be compromised may be considered a contravention of ITA 2008.

This web-based private key generation and storage is a procedure adopted by some foreign Certifying authorities and it appears that the technology is being recommended to the Indian Government. However, this system may seriously affect the “Non Repudiation” nature of the Indian digital signature system as we know it today.
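The difference between the two enrollment models discussed above can be shown in a small model. This is an added example, not code from the Digi Locker project or from any Certifying Authority; it uses toy textbook RSA over constructed small primes, and the names `ToyCA`, `compare_models`, "alice" and "bob" are hypothetical.

```python
"""Toy model: where the e-sign key pair is generated decides who can sign."""
import hashlib

E = 65537
# Constructed toy primes (known Mersenne primes); far too small for real keys.
SIGNER_PRIMES = (2**61 - 1, 2**89 - 1)
CA_SIDE_PRIMES = (2**107 - 1, 2**127 - 1)

def keygen(primes):
    p, q = primes
    d = pow(E, -1, (p - 1) * (q - 1))       # private exponent
    return (p * q, E), (p * q, d)           # (public key, private key)

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg, n), d, n)
def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)

class ToyCA:
    def __init__(self):
        # certs: name -> public key vouched for; private_keys: keys the CA holds
        self.certs, self.private_keys = {}, {}

    def enroll_signer_generated(self, name, pub, proof):
        # CSR-style enrollment: the request is signed with the private key,
        # so the CA checks possession without ever receiving that key.
        if not verify(pub, b"enroll:" + name.encode(), proof):
            raise ValueError("proof of possession failed")
        self.certs[name] = pub

    def enroll_ca_generated(self, name):
        # Model the post objects to: the pair is created on the CA's systems.
        self.certs[name], self.private_keys[name] = keygen(CA_SIDE_PRIMES)

    def can_sign_as(self, name, msg):
        # Try every private key the CA holds against the subscriber's certificate.
        return any(verify(self.certs[name], msg, sign(k, msg))
                   for k in self.private_keys.values())

def compare_models(doc=b"constructed sample document"):
    ca = ToyCA()
    pub, priv = keygen(SIGNER_PRIMES)       # private key stays with the signer
    ca.enroll_signer_generated("alice", pub, sign(priv, b"enroll:alice"))
    ca.enroll_ca_generated("bob")
    return {"alice_sig_ok": verify(ca.certs["alice"], doc, sign(priv, doc)),
            "ca_can_sign_as_alice": ca.can_sign_as("alice", doc),
            "ca_can_sign_as_bob": ca.can_sign_as("bob", doc)}
```

In the signer-generated model only the subscriber can produce a signature that verifies against the certificate; in the CA-generated model a verifier cannot tell a signature made by the subscriber from one made with the CA's copy of the key.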

Once the system is used by a Government department, it would set a precedent which will be followed by other organisations also and hence the legal status of the entire digital signature mechanism will be adversely affected.

It would be preferable if the Government pauses to think before it leaps.

Naavi
