Regulating Ethical Hacking Training in India

The recent accusation that a prominent information security training company in India was responsible for releasing malware in the wild, used for cyber espionage against Telenor and also for attacking Pakistani and Chinese web assets, has raised an issue of ethics for all security trainers.

Naavi.org has for years been advocating that there should be proper regulation of the training of ethical hackers, since the skills acquired by people during these training programs can be used for committing crimes.

Recently the Government of India announced that India needs 4.7 lakh security experts. Obviously this has created an opportunity for many unscrupulous IT training companies to start what they call an “Ethical Hacking Course”. APPIN itself has created many franchisees and is trying to provide training to hundreds of persons across the country.

Who will be the persons undertaking the training, and what will they do afterwards? These are areas of concern for society.

If these training companies are not strictly regulated, there will be lakhs of young trained hackers ready to test their skills in the open market. During these training programs trainees also get a “Hacking Kit” and information about online resources. These can become dangerous terrorist training camps in the digital world.

It is the responsibility of IN CERT to immediately take stock of the activities of these companies and put a hold on their activities until a proper system of regulation is evolved.

There is no doubt that we need information security professionals. But we do not need “hackers”. The very use of the term “hacker” mentally signals to the trainee a status different from that of a “Security Professional”. Just as there is a ban on the use of the word “Bank” by any organization other than licensed banking institutions, the use of the words “Hacking” or “Ethical Hacking” should be banned in India.

Also, all companies indulging in information security training, other than registered educational institutions such as the Engineering and Law Colleges whose curriculum is controlled by regulators such as the AICTE or the Bar Councils, should be subject to scrutiny by IN CERT. If a licensing system is required for this purpose, it should be designed.

All persons enrolled in such programs should submit proper ID documents, and the details should be kept in a central database accessible to the public, who can report any adverse activity of a person. Such a list should be available for employee background checks by companies. IN CERT should periodically audit such educational organizations and record its observations. Sample background checks should be done on the candidates.

Once trained and certified, the trainees should submit themselves to lifetime surveillance of their activities by IN CERT. Their employment movements, financial returns and IT activities should all be voluntarily submitted for surveillance by the State.

If any organization or individual does not enter into an appropriate contractual agreement to be monitored (like a person on parole), they should not be allowed to run such courses or take such training.

I am sure that many of my friends in the security profession may express strong dissent against such a move, which appears “Draconian”. I agree that it is draconian. But the consequence of letting loose lakhs of trained hackers into a field already reeling under the growing threat of cyber crime is disastrous. It will eventually destroy the Internet and convert it into a Cyber Crime Paradise.

If for this purpose we need to enact a separate law, such as a “Cyber Security Regulation Act” on the lines of banking regulation, and give the powers of regulation to, say, the newly formed National Cyber Security Council, it can be considered.

If this suggestion needs to be countered by the private sector information security education industry, then there is a need for the formation of a similar “Cyber Security Education Regulatory Forum” as a private sector initiative. This should not be left either to NASSCOM or DSCI. It should be more like TRAI and headed by a person outside the corporate influence which gets reflected in NASSCOM or DSCI.

If APPIN is an affected party in the current controversy, they can consider taking the leading initiative in the formation of such a forum, without putting themselves in a position where they can be accused of influencing the activities of such an academic organization.

I see a parallel between this proposal and the need for the BCCI to set up an independent committee (uninfluenced by BCCI cronies such as Atul Wassan) to monitor betting in the IPL.

On many occasions I have suggested the formation of a “Netizen Protection Forum” as a Netizen initiative and a “Netizen Protection Commission” as a regulatory structure. The same commission can also undertake the responsibility of regulating ethical hacking training.

Comments are welcome.

Naavi

Posted in Cyber Crime, ITA 2008, Netizen's Forum, Uncategorized

IPL betting

The entire country is crying hoarse about the havoc betting is playing on the IPL. The power of money available through betting influences spot fixing and probably even match fixing. This is a logical development and there is no surprise here. However, some are still arguing for legalizing betting.

While we consider betting to be illegal in India, there is a website, http://www.iplbet.com/, which is providing online betting options. There is also a list of bookies and offers.

In India, except for Goa and Sikkim, betting in any form is illegal. Viewers are advised to refrain from using the site, particularly if you are a citizen of India.

Naavi

Posted in Cyber Law

Indian Security Firm accused of being behind Corporate Espionage

The well known Delhi based security group “Appin”, which conducts information security and ethical hacking trainings, is accused of indulging in organized APTs (Advanced Persistent Attacks) and corporate espionage.

Initially it was reported that the group had been identified as being behind some attacks on Pakistani targets. It was also speculated that they were an outsourced agent of the Indian Government. Now this report on Hangover indicates that some of the targeted attacks could be aimed at corporate espionage.

Another report attributes some of the recent attacks to Technical and Commercial Consulting Pvt. Ltd.

This Indian Express report states that Appin has been identified as the source of recent attacks on Pakistan and could be acting on behalf of the Ministry of Defence.

The Hangover report carries a disclaimer that Appin could have been implicated by others. The company obviously denies the charge.

In the meantime it is reported that Appin's franchise business shows an uptrend after the controversies broke out. So far so good.

The scene is however murky and could lead to more interesting disclosures, twists and turns in the coming days. If this is badly executed cyber warfare, though it is embarrassing for the Government, the Indian Government can ride it out. But if it involves corporate espionage, the possibility is that this could develop into a legal battle and a scam. For example, if Telenor takes up a legal battle in India accusing the Indian company and imputing motives linked to the Telecom scam, there could be more embarrassments in store for many people. This could also hurt Appin commercially.

On the regulatory side, the need for regulating the conduct of ethical hacking training, which Naavi.org has raised several times in the past, again attracts attention. Irresponsible training companies may end up creating a number of unethical hackers around the country who may turn out to be cyber terrorists and sophisticated cyber criminals. There is therefore a need to put the brakes on the activities of such firms and bring them under very strict regulation.

Related Articles: techweekeurope

Naavi


Posted in Cyber Crime, Uncategorized

ICICI Employee Arrested for 32 lakhs fraud

An ex-employee of ICICI Bank has reportedly been arrested for duping a Canadian customer, by name Pierre Courtat, to the extent of Rs 32 lakhs. The customer held about 61451 Canadian dollars in an account which was nearly dormant. He had called the call center some time back to enquire about the status of the account, when the employee, by name B. Kishore Reddy, accessed the personal credentials of the account holder such as date of birth etc. After observing for a few days that there were no further transactions in the account, Mr Reddy hatched a conspiracy to rob the amount. For this purpose he opened another account with the help of his wife and her friend, changed the email ID on the customer's account, got the amount transferred to the new account and withdrew it through ATMs.

In this incident there is cheating under the IPC as well as hacking and other offences under ITA 2008. There is also employee involvement, creating vicarious liability for the Bank, as well as a KYC failure in opening the mule account. There also appears to be a systemic failure which enabled the employee to access sensitive personal data of the customer and modify it without authorization.
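The sequence described in this incident (a nearly dormant account, a staff-initiated change of contact details, then a transfer to a freshly opened account) is exactly what a real-time transaction behaviour monitoring control can catch before the money leaves the Bank. The following is an added example, not code from Naavi.org, ICICI Bank or any bank: it parses a constructed audit trail, whose event format, account numbers, actor names, dates and amounts are all invented for this illustration, and holds a transfer when two or more of the warning signs coincide.

```python
"""Detection rule for the 'dormant account, contact change, transfer' pattern.

Added illustration only: not code from Naavi.org or from any bank. The event
format, account numbers, actor names, dates and amounts below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed audit trail, one event per line: "<timestamp> <account> <actor> <kind> k=v ...".
SAMPLE_AUDIT_LOG = """\
2013-01-05T10:12:00 ACC-7781 customer balance_inquiry channel=callcenter
2013-01-05T10:15:00 ACC-7781 staff:agent42 view_profile fields=dob,email,address
2013-04-20T09:30:00 ACC-7781 staff:agent42 profile_change field=email old=a@example.ca new=b@example.in
2013-04-21T11:05:00 ACC-7781 customer transfer amount=3200000 dest=ACC-9902 dest_age_days=3 channel=netbanking
2013-04-10T08:00:00 ACC-1234 customer login channel=netbanking
2013-04-21T13:00:00 ACC-1234 customer transfer amount=5000 dest=ACC-5555 dest_age_days=400 channel=netbanking
"""

# Event kinds that count as genuine customer activity when judging dormancy.
CUSTOMER_ACTIVITY = {"login", "balance_inquiry", "transfer", "payment"}


@dataclass
class Event:
    ts: datetime
    account: str
    actor: str          # "customer" or "staff:<id>"
    kind: str
    attrs: dict = field(default_factory=dict)


def parse_log(text):
    """Parse the audit trail into Event objects sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, actor, kind, *pairs = line.split()
        attrs = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.fromisoformat(ts), account, actor, kind, attrs))
    events.sort(key=lambda e: e.ts)
    return events


def review_transfers(events, dormant_days=60, window_hours=72, new_dest_days=30, min_signals=2):
    """Return one alert per transfer that shows at least `min_signals` warning signs.

    Signals: a contact-detail change shortly before the transfer, that change made
    by staff rather than the customer, no customer activity for `dormant_days`
    before the change, and a destination account opened within `new_dest_days`.
    A single signal (e.g. a customer updating an email address and then paying a
    bill) is not enough on its own, which keeps the rule from drowning in noise.
    """
    by_account = {}
    for e in events:
        by_account.setdefault(e.account, []).append(e)

    alerts = []
    for account, evs in by_account.items():
        for i, e in enumerate(evs):
            if e.kind != "transfer":
                continue
            earlier = evs[:i]
            signals = []
            recent_changes = [c for c in earlier
                              if c.kind == "profile_change"
                              and c.ts >= e.ts - timedelta(hours=window_hours)]
            if recent_changes:
                signals.append("contact_change_before_transfer")
                change = recent_changes[0]
                if change.actor.startswith("staff:"):
                    signals.append("staff_changed_contact")
                activity = [a for a in earlier
                            if a.ts < change.ts and a.actor == "customer"
                            and a.kind in CUSTOMER_ACTIVITY]
                if not activity or change.ts - activity[-1].ts >= timedelta(days=dormant_days):
                    signals.append("dormant_account")
            # An unknown destination age is treated as "new" (conservative default).
            if int(e.attrs.get("dest_age_days", "0")) < new_dest_days:
                signals.append("new_beneficiary")
            if len(signals) >= min_signals:
                alerts.append({
                    "account": account,
                    "ts": e.ts.isoformat(),
                    "amount": int(e.attrs.get("amount", "0")),
                    "signals": signals,
                    # Confirm through the contact details on file *before* the change,
                    # never through the freshly changed ones.
                    "action": "hold_transfer_and_confirm_via_previous_contact",
                })
    return alerts


if __name__ == "__main__":
    for alert in review_transfers(parse_log(SAMPLE_AUDIT_LOG)):
        print(alert)
```

Run as a script it prints a single alert for ACC-7781 with all four signals; the transfer on ACC-1234, which follows a recent customer login and goes to a long-established beneficiary, is not flagged. The important design point is the action: confirmation must go to the contact details that were on file before the change, because the changed email is precisely what the insider controls.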

If ICICI Bank does not pay off the customer and close the case, then there is a danger of the top executives of the Bank being held liable.

The incident also reveals the fault lines in the systems as a result of which many other customers often lose money and keep fighting with the Bank on legal front.

It is high time that the RBI starts exercising its authority suo motu, recognizes the root cause of the fraud and orders the Bank to repay the amount to the customer without a legal challenge.

Naavi

Posted in Bank, ITA 2008

Bank alone should be liable on RTGS and Phishing Frauds

I refer to an article in Business Standard today titled “Cyber frauds: Experts blame banks; banks find faults with clients”.

One of the views expressed by a Banker is quoted as follows:

“Earlier when internet banking was started, we thought that user name and password is the enough security but then additional security measures were developed,” a banker said, adding, “Even that is now proving futile.”

I would like to remind this Banker that way back on 17th October 2000, the Information Technology Act 2000 became effective. According to this law, the only method of authentication of an electronic document recognized in law was the “Digital Signature”. If this Banker thought that user name and password was enough security, I must say that he was ignorant of the law of the land.

Again, on June 14, 2001, the RBI released the Internet Banking Guidelines and reiterated that if Banks use any technology other than the “Digital Signature”, then they should assume the legal risk. At that time the RBI could not mandate digital signatures since no certifying authority was available until February 2002. Since 2002, digital signatures have been available and hence Banks have no business carrying on banking authentication without the use of digital signatures. If the Banker was not aware of this position till now, I am sorry about his ignorance.

In 2010, the Tamil Nadu Adjudicator gave his award in the Phishing case of S. Umashankar Vs ICICI Bank where he categorically pulled up the Bank for not using digital signatures.

The RBI circular on the GGWG recommendations on information security, dated April 29, 2011, again reiterated that if Banks suffer any loss on account of non-usage of digital signatures, then they should assume the legal risk, which is also an operational risk under Basel II considerations. If the Banker does not know even this, then I do not know what to say.

I am aware that security experts are already warning that soon hackers will break even the digitally signed instructions through Man in the Browser attacks. So Banks are several steps behind the current threat scenario.

There is no point in them blaming the hackers or the so-called “ignorance of the customers”. If Bankers themselves cannot understand the emerging risks, the new trojan behaviour etc., how can they expect their customers to be more informed than them?

Naavi.org has been pointing out time and again that Bankers are bullying customers into accepting liability arising out of the Bankers’ greed to push Internet Banking onto unprepared customers.

The RBI has reminded them again and again that Banks need to introduce real-time transaction behaviour monitoring to stop the kind of frauds that we have seen in the case of Yes Bank. But the Banks did not heed.

The recent Rs 250 crore card fraud in which the Indian payment processing companies were hacked is another indication of how hacking can take place at the Bank’s end and innocent customers may lose their money. The same card processors also process transactions of some Indian Banks and hence the customers continue to be at risk.

Unless some Chairpersons of Banks are put in jail for such frauds, Banks will continue to act arrogantly and try to disclaim their responsibility. If ministers resign for the mistakes of their subordinates, is it not necessary for Bank Chairmen to resign when such major frauds take place?

I hope Bankers are more responsible when they give press statements in such cases.

Naavi

Posted in Cyber Crime, ITA 2008, RBI

Yes Bank blames RPG group

According to this article in the ET today, Yes Bank has started blaming RPG Life Sciences for the Rs 2.41 crore fraud that is reported to have been committed a few days back.

Naavi.org has discussed the issue of the liability of Banks in such online fraud cases several times, the latest being the article posted here on the 18th instant.

The matter has been discussed and settled first in the S. Umashankar Vs ICICI Bank case (presently on appeal) before the Adjudicator of Tamil Nadu, as well as in the recent case before the Adjudicator of Maharashtra against Punjab National Bank.

Though Banks have been using their money power to delay the judicial process by stalling the appointment of the Chairperson of the Cyber Appellate Tribunal, there are enough judicial views, even from abroad, to hold categorically that liability in such cases lies only with the Bank and not with the customer. This holds good even in the case of a fraud by some of the employees of the customer, as per a previous Supreme Court judgement in respect of forgeries in a Bank.

RPG should therefore not allow Yes Bank to bully them down. Even if the Bank takes the case to the Supreme Court, RPG should fight and obtain justice, since most other victims are unable to carry on the legal fight with the Banks.

It is however possible that in this incident Yes Bank may buckle down in view of the strength of the RPG group. Even if therefore no precedent is set in a Court of law, we can expect an implied acceptance from Yes Bank that the fraud liability is on the Bank and not on the customer.

We may recall the RBI’s Internet Banking Guidelines, the GGWG report and the Damodaran Committee report which all have held that liability for phishing lies with the Bank.

Naavi

Posted in Cyber Crime, ITA 2008