Cyber Warriors under production

In recent days the media has highlighted some statements from the Central Government about the need for 5 lakh Cyber Security professionals in India. In order to address the skill gaps in Cyber Security professionals that India may require in the future, EC Council (International Council of E-Commerce Consultants), a provider of certifications and training on information security, has launched a publicity drive to market its services. In association with its training partners in India, the US-based company is expecting to offer training to about 40,000 people on areas such as Ethical Hacking, Computer Hacking Forensics Investigation, Security Analysis and Penetration Testing.

EC Council has been in business in India for quite some time and has been focussing on its “Ethical Hacking” programs. While such programs are attractive to youngsters, it is necessary for Cyber Security professionals to be developed on a foundation of “Responsibility”. Merely training youngsters on skills of hacking would lead to development of a large number of potential problem elements.

It is essential for every “Ethical Hacking” training program to be peppered with teaching of “Cyber Law” as well as fortified with proper “background checks”, “post-training monitoring” and behavioural training.

There is therefore an urgent need for proper supervision of all “Ethical Hacking” training programs.

It is not clear whether the Department of IT, Government of India, or DSCI, the Nasscom initiative, is addressing this issue before trying to create a Frankenstein.

A serious national debate is required to evaluate the outcome of this publicity blitz undertaken by E C Council whose press release is cleverly implying endorsement of INCERT and DSCI. (See this report of Business Standard).

Naavi


National Law School to launch Cyber Law and Cyber Security Course

National Law School University of India (NLSUI), Bangalore, the premier law education center in the country, is launching a distance learning course on Cyber Law and Cyber Security from the next quarter.

Admissions are now open. However, the admissions may be open only for a short period, and interested persons may take this opportunity to enroll themselves immediately.

Presently not many traditional law colleges have been conducting courses on Cyber Law. Also this course is a combination of Cyber Law, Cyber Security and Cyber Forensics and it is expected that apart from Legal professionals, Police and Technology professionals may also find the course useful. The course would be a one year course with contact classes.

For more information visit : http://ded.nls.ac.in/courses_available#PGDCLCF

Naavi


Aadhar Nightmare continues

Ever since the Aadhar scheme was introduced, security specialists have been warning about the large scale problems that may be caused by loss of identity of individuals.

The UIDAI authorities have been going ahead with spending of public money and enrolling the individuals who report at the counters of the registration agents. Fraudulent registration agents have been creating their own enrollments with false identities, as was revealed some time back when an aadhar card was issued in the name of “Coriander” (“Kottambari soppu” in Kannada), s/o Palav. (See the story here). In the meantime the UIDAI Bill is yet to be passed and several cases are pending in different Courts challenging the scheme altogether.

In the meantime many State Governments have been forcing citizens to go for Aadhar and linking mandatory public services to the Aadhar registration.

UIDAI however has been as irresponsible and as arrogant as the UPA Government and has continued with the project unmindful of the risks it is foisting on the country. There have been many instances of data losses reported from different States. Even the successful registrants are battling with the practice of UIDAI sending aadhar registration cards by ordinary post, which are reportedly dumped in dust bins in some places.

Now a massive data loss of 14 lakh cards has also been reported from Andhra Pradesh due to reasons that can be attributed either to negligence of UIDAI or criminal activities. (Report available here)

The fact that such large scale Aadhar related mischief is reported from Andhra Pradesh, where the terrorist organizations from Pakistan are operating sleeper cells, indicates the possibility of an organized threat to national security arising out of the stolen identities.

The stolen data can be used to create Aadhar IDs for terrorists with different photographs. The biometrics can be switched if required. Even if the current biometrics are retained, most of the ID use centers (e.g. Banks) are unlikely to check biometrics; they accept the name and address recorded against the given aadhar number as satisfactory identification of a person. Hence the 14 lakh lost identities can be used to create that many false identities, and using these false identities other IDs such as PAN cards and driving licenses can be created by terrorists.

This means that the system has been completely compromised and India is under threat.

It is therefore time for the Government to think of scrapping the scheme before further damage is done.

Naavi


mouthshut.com challenges ITA 2008 rules

The Intermediary rules under Section 79 of ITA 2008 have been repeatedly used by parties to get adverse content on the internet removed without appropriate procedures. The problem has been the interpretation that an Intermediary is bound to take down content objected to by a party within 36 hours.

As a result of these rules, many websites have been bombarded with notices for removal of objectionable content. Websites such as mouthshut.com are primarily meant for expressing consumer grievances and have been useful to general consumers looking for information on various products and services. It is also true that sometimes the comments posted on the site may hurt the business interests of the companies whose products are criticized. There could also be cases where adverse comments are posted by competitors, while companies may also post self-serving reports. However, buyers can try to understand the strengths and weaknesses of products by browsing through the various comments.

There are also many instances of companies responding to the adverse comments of consumers on mouthshut.com.

In totality therefore a website like mouthshut.com is an instrument of “Consumer Protection” and deserves encouragement.

However, knowing the way some companies function and the threatening legal notices that lawyers can draft, it is not difficult to imagine the problems that mouthshut.com must be facing. More importantly, the Police, who may not understand the law and who can be manipulated by the companies and their lawyers, have the potential to unnerve the employees of mouthshut.com.

It must however be reiterated that Naavi.org has always been stating that Section 79 rules only indicate that “Action should commence” within 36 hours on grievance redressal. Such action need not start with the removal of the objectionable content unless there is a valid Court order for removal of content. This aspect was specifically clarified recently by the Government. (See here)

It is however essential for an intermediary like mouthshut.com to have a good grievance redressal mechanism on the site. At present a suitable system is not in place. According to the rules, the grievance redressal mechanism needs to be activated within 36 hours of the receipt of complaint.

It appears that mouthshut.com has now approached the Supreme Court for the rules to be struck down. (See medianama report here). The cause of action cited is that it amounts to “Censorship”. However, in the view of Naavi.org, “Censorship” rights cannot be presumed under the rules. The clarification of the government on 18th March can be used as a defense against the petition. Hence, though the petition is based on a genuine grievance, the grounds on which the remedy has been sought are incorrect.

Naavi.org has been repeatedly highlighting that when such petitions are made to Supreme Court under wrong pretences, the Court may be forced to reject the petition. The media which has highlighted the petition now as a “Challenge to ITA 2000 Rules” will also highlight that “Challenge has been dismissed”. This will give a wrong impression to the public that the Supreme Court has upheld the validity of the rule though the Court might have dismissed it for some other technical reasons. This is more harmful than leaving the rule as it is since such media reports will be taken as a vindication of the erroneous stand that may prevail now.

In such a scenario, many of the smaller websites which may be facing problems similar to what mouthshut.com is representing may have to shut down their business.

If however the Supreme Court goes beyond the technicality of whether the Section 79 rules do in fact represent censorship or not and provides a positive assertion that “Expression of grievances of Consumers through websites such as mouthshut.com is part of the freedom of expression guaranteed by the constitution and needs to be protected for asserting consumer rights under the Consumer Protection Act”, then there may be a positive impact of the case on the society.

I therefore urge mouthshut.com to include in their prayer such a declaration rather than asking only for the rules to be struck down. To ensure that its plea is strong, mouthshut.com needs to take immediate steps to make its site “Cyber Law Compliant” with appropriate changes to its terms of use.

Naavi


Workshop on Safe E Banking

A day-long workshop on Safe E Banking is underway at Reserve Bank of India, Bangalore. Mr G. Gopalakrishna, The Regional Director of RBI, Mrs Uma Shankar, Regional Director of RBI at Bangalore, has inaugurated the workshop. ED is delivering the Key Note Address. International Institute of Information Technology Law (IIIT Law) is organizing the speakers.

The workshop will discuss the GGWG regulations, the Risk Mitigation guidelines of February 28, 2013 and other regulatory aspects. Naavi, along with several other professionals and Banking security specialists, will participate as a speaker.

The event will mark the second anniversary of the issue of the RBI guidelines on April 29, 2011 on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (popularly known as GGWG guidelines).

Naavi

[Detailed Report will follow]


Migrating to Adaptive Authentication

Banks in India have been traditionally using the “Legally Non Compliant”, “Password based Authentication” for their E Banking requirements. As a result there are frequent customer-Bank conflicts where the customer demands that Bank should undertake the liability on account of Cyber Frauds while the Banks blame the customer for not securing the passwords.

The RBI on the other hand has been urging Banks to improve the authentication methods used by the Banks. Way back in 2001, RBI stated that if Banks do not use Digital Signatures for authentication, they should assume the legal risk for phishing-type frauds. They reiterated the same again in 2011 through the GGWG (G Gopalakrishna Working Group) recommendations on Information Security.

After the rap on the knuckles received by the S.Umashankar Vs ICICI Bank adjudication verdict, some Banks started thinking of digital signatures as a means of authentication. But most stuck to the passwords and only enhanced it through a mobile based second authentication for certain key elements of transactions.

On February 28, 2013, RBI again issued a set of guidelines for mitigating the risks in both electronic payment transactions and Payment card transactions. Apart from reiterating the need for using digital signatures at least for RTGS transactions of a certain value, RBI in this guideline has spoken about the need for the use of “Adaptive Authentication Technology”.

Banking in India therefore is on the move from 2 Factor authentication to a regime where, apart from the multiple factors that contribute to the authentication of an online transaction, the technology of authentication should adapt to the “behavioural pattern” of the customer based on a real time assessment.

This technology should increase the security for the customers, though Banks would grumble as always about the cost of implementation. But since this is the direction in which global banking is moving, there is no option for Banks but to adopt the “Adaptive Authentication Technology” (AAT).

From the user's perspective it should not make any difference. In fact the AAT is expected to be unobtrusive and non-interfering. The foundation may still be based on the currently used authentication parameters such as “What the customer knows”, “What the customer has” and “What the customer is”, supplemented with technologies such as public key encryption. But the difference is that the AAT provides a deeper level of security since, based on the transaction parameters, it will invoke additional security measures.

For example, if a person has never used his E Banking account from abroad and there is a debit request from a foreign IP, the system should get alerted and hold the transaction execution until further confirmation is obtained. Similarly, if the amount withdrawn is far in excess of the usual transaction, or the number of transactions within a short time is high (all of these are typical occurrences in phishing transactions), the system should invoke higher levels of security. The higher level of security may be to requisition an additional factor of authentication, including a “Call Referral” where the customer is given a telephone call and the voice of the customer may be recognized by the system for authentication.
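The three triggers just described (unfamiliar country, excess amount, transaction burst) scored over constructed sample transactions, as an added illustration of how an adaptive engine decides between allowing, stepping up and holding for referral. This is not code from RBI's guidelines or any bank; the profile fields, thresholds and decision labels are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical customer profile: what "usual" looks like for this account.
@dataclass
class CustomerProfile:
    known_countries: set                 # countries seen in past sessions
    typical_amount: float                # rolling average debit amount
    recent_debits: list = field(default_factory=list)  # timestamps of recent debits

@dataclass
class Transaction:
    amount: float
    country: str                         # assumed resolved from the request IP upstream
    when: datetime

# Illustrative thresholds (assumptions; a bank would tune these to its risk appetite).
AMOUNT_MULTIPLIER = 5.0                  # "far in excess" = 5x the usual amount
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3                       # debits inside the window that count as a burst

def risk_signals(profile, txn):
    """Return the list of behavioural anomalies raised by this transaction."""
    signals = []
    if txn.country not in profile.known_countries:
        signals.append("foreign_ip")
    if profile.typical_amount > 0 and txn.amount > AMOUNT_MULTIPLIER * profile.typical_amount:
        signals.append("excess_amount")
    recent = [t for t in profile.recent_debits if txn.when - t <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        signals.append("high_velocity")
    return signals

def decide(profile, txn):
    """Map signals to an action: ALLOW, STEP_UP (extra factor) or HOLD_FOR_REFERRAL."""
    signals = risk_signals(profile, txn)
    if not signals:
        return "ALLOW", signals
    if len(signals) == 1 and "foreign_ip" not in signals:
        return "STEP_UP", signals        # one anomaly: demand an additional factor
    return "HOLD_FOR_REFERRAL", signals  # unfamiliar origin or several anomalies: hold and call

def run_samples():
    """Constructed cases covering each trigger; returns {case_name: decision}."""
    now = datetime(2013, 4, 29, 10, 0, 0)
    base = CustomerProfile({"IN"}, 2500.0, [now - timedelta(hours=2)])
    busy = CustomerProfile({"IN"}, 2500.0, [now - timedelta(minutes=m) for m in (1, 4, 7)])
    cases = {"usual": (base, Transaction(2000.0, "IN", now)),
             "foreign": (base, Transaction(2000.0, "XX", now)),
             "large": (base, Transaction(50000.0, "IN", now)),
             "burst": (busy, Transaction(2000.0, "IN", now)),
             "burst_large": (busy, Transaction(50000.0, "IN", now))}
    return {name: decide(p, t)[0] for name, (p, t) in cases.items()}
```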

Hopefully Bankers will start adopting this higher level of security soon. Today being the second anniversary of the RBI guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (popularly known as the G Gopalakrishna Working Group or GGWG Recommendations), it is the right time for Bankers to take a pledge that they will leave no stone unturned in making Indian Banking safe. Naavi therefore urges the industry to treat 29th April as the “Safe E Banking Day” and ensure that we remember our obligations and take steps towards protecting the citizens against E Banking frauds.

Naavi
