In the US, SSN is being removed from Medicare records…

A bill is being passed in the US to de-link the Social Security Number from Medicare ID cards. This is being pushed to curb Medicare identity theft. Report

The decision follows the observation that Medicare security breaches are exposing citizens' Social Security Numbers, and with them their identities.

This development is interesting in the context of India pushing the inclusion of Aadhar numbers in a number of transactions such as gas connections, bank accounts, etc. The risk of a gas dealer losing his records, which would reveal the Aadhar numbers of his customers, looms large over the citizens of India. Once the Aadhar number and the details held by the gas dealer are known, the combined data could be used for malicious purposes such as taking over the victim's bank account or mobile number.

It is necessary for the Government to keep these risks in mind before linking Aadhar numbers with all services as a matter of routine.

During Aadhar registrations in Karnataka I have observed that by default every registrant is being asked to link his bank account to the Aadhar registration. This is required only for BPL families where benefits are to be routed to the account. Otherwise, the public should be circumspect in linking their bank accounts to the Aadhar registration.

Naavi

Posted in Uncategorized

Dutch Responsible Disclosure Guideline: organizational responsibilities

In continuation of the earlier posts, the following are the obligations that the Dutch National Cyber Security Council has imposed on the owners of systems.

According to the guidelines, the organization must have a policy on “responsible disclosure” and make that policy publicly known.

It is also necessary for the organization to make it easy for a discoverer to submit a notification. This can be done in a standardized manner, for example through an online form for making reports. Here the organization can weigh whether it will accept anonymous reports.

  • The organization reserves enough capacity to respond adequately to notifications.
  • The organization takes receipt of the vulnerability report and ensures that it reaches, as soon as possible, the department best placed to assess and investigate it.
  • The organization sends the discoverer an acknowledgment of receipt, preferably digitally signed, to underline the priority given to the report. Thereafter the organization and the discoverer stay in contact about the further process.
  • The organization determines, in consultation with the reporter, the deadline by which any publication will take place. A reasonable standard term for software vulnerabilities is 60 days. Since vulnerabilities in hardware are harder to fix, a standard period of 6 months may be used there.
  • In consultation it may be desirable to extend or shorten this deadline, depending on how many systems rely on the system in which the vulnerability is reported.
  • If a vulnerability is difficult or impossible to fix, or if fixing it involves high costs, the discoverer and the organization may agree to leave the vulnerability undisclosed.
  • The organization keeps the discoverer and other stakeholders informed of the progress of the process.
  • The organization can state that it will credit the discoverer for the report, if the reporter so wishes.
  • The organization may choose to give the discoverer a reward or token of appreciation for reporting vulnerabilities in ICT products or services, provided the discoverer has kept to the rules set out in the policy. The size of the reward may depend on the quality of the report.
  • The organization may, in consultation with the notifier, agree to inform the broader IT community about the vulnerability when it is probable that the vulnerability also exists elsewhere.
  • The organization acts according to its adopted policy of not taking legal action against the discoverer, provided the policy has been adhered to.

These guidelines may now be construed as a “Best Practice” for the organizations to which they apply, and Information Assurance auditors/consultants may take note of them when implementing Information Security in an organization.

More details are available in this translated copy of the brochure:

Naavi

[P.S: Kindly excuse some spelling errors on account of the unedited translation of the original Dutch document]

Posted in Cyber Crime, Information Assurance, Uncategorized

Free CEAC support for Ethical Hackers reporting vulnerabilities

I refer to the earlier post on the disclosure guidelines suggested by the Government of the Netherlands for ethical hackers who observe vulnerabilities. (The original Dutch version of the guideline is available here: English Version)

One of the suggestions made therein is that the ethical hacker who observes a vulnerability should first report it to the owner of the facility and give them an opportunity to plug the vulnerability.

Reporters are, however, required to adhere to the framework set out in the guideline: they shall refrain from altering the system, shall not repeatedly access the system, and shall avoid using brute-force techniques to gain access. The ethical hacker further has to agree that vulnerabilities will be disclosed only after they are fixed and only with the consent of the organization involved.

The guidelines are, however, silent on what action the ethical hacker has to take if the owner of the system remains silent. There is a mention that “The parties can also decide to inform the broader IT community if the vulnerability is new or it is suspected that more systems have the same vulnerability, the NCSC said.”

The National Cyber Security Center also states that it would be willing to act as an intermediary and inform the owner of the vulnerable system if the vulnerability is brought to its notice.

Though the security professional who has found the vulnerability acts in good faith and notifies the owner of the system, it is possible that the owner does not respond and later raises an objection that he was never informed. In such a situation it will be necessary for the ethical hacker to create suitable evidence in his favour to prove that he actually served the necessary notice.

CEAC (Naavi’s Cyber Evidence Archival Service, details of which are available at www.ceac.in) provides, on payment, a service for the delivery of “Certified E-Mails”. In the Indian context this service is structured to meet the requirements of “admissible evidence” under Section 65B of the Indian Evidence Act. Presently this is a paid service.

However, in the interest of promoting “security” and to support ethical hackers who in good faith would like to deliver notices as per the said Netherlands guidelines or a similar “good practice”, CEAC will offer to deliver such notices free of charge.

A similar facility was offered to Mr Yash, an Indian security professional who published the banking vulnerability, whereby a demo of the vulnerability was sent to the necessary authorities (though no action came forth from them).

We hope that security professionals use this facility to create third-party evidence that protects them from liability.

CEAC, however, restricts its activity to forwarding the communication as received from the ethical hacker to a designated e-mail address, and does not take any responsibility for the correctness of the report or for whether the ethical hacker has followed the necessary guideline. Interested persons may get the details from Naavi.
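As an added illustration of what such third-party evidence can consist of (this is example code written for this page, not CEAC's own system nor anything from the Dutch guideline), the Python below shows an intermediary issuing a receipt that binds the sender, the recipient, the subject, a hash of the notice text and the time of forwarding, together with the check a reporter can later run to show that a given notice was served. It also computes the 60-day and 6-month standard publication terms from the organizational guidelines post above, counted from the date of the notice. The key, the addresses and the notice text are all constructed for the example, and an HMAC under the intermediary's key stands in for the digital signature a real service would use.

```python
"""Third-party receipt for a vulnerability notice (added illustration, not CEAC code).

Assumptions, none of them from the page: the intermediary holds INTERMEDIARY_KEY,
notices are plain text, and a symmetric HMAC stands in for a real digital
signature. Every value below is constructed sample data.
"""
import calendar
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Hypothetical key held only by the archival service (assumption). With an HMAC only
# the service can verify a receipt; an asymmetric signature would let anyone verify.
INTERMEDIARY_KEY = b"constructed-demo-key-do-not-use"


def _canonical(obj):
    """Deterministic JSON bytes so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def notice_digest(sender, recipient, subject, body):
    """SHA-256 over the whole notice, headers included, so no part can be swapped later."""
    return hashlib.sha256(
        _canonical({"from": sender, "to": recipient, "subject": subject, "body": body})
    ).hexdigest()


def issue_receipt(sender, recipient, subject, body, sent_at=None):
    """What the intermediary keeps and hands back after forwarding the notice.

    The record binds who sent what to whom and when; the notice text stays with
    the reporter, only its digest goes into the record.
    """
    sent_at = sent_at or datetime.now(timezone.utc).isoformat()
    record = {
        "from": sender,
        "to": recipient,
        "subject": subject,
        "sha256": notice_digest(sender, recipient, subject, body),
        "sent_at": sent_at,
    }
    tag = hmac.new(INTERMEDIARY_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "signature": tag}


def verify_receipt(receipt, sender, recipient, subject, body):
    """Later check: is the receipt genuine, and does it cover exactly this notice?"""
    record = receipt["record"]
    expected = hmac.new(INTERMEDIARY_KEY, _canonical(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, receipt["signature"]):
        return False, "receipt signature invalid (record altered or not issued by the intermediary)"
    if (record["from"], record["to"], record["subject"]) != (sender, recipient, subject):
        return False, "receipt is for a different sender, recipient or subject"
    if record["sha256"] != notice_digest(sender, recipient, subject, body):
        return False, "notice text does not match the digest in the receipt"
    return True, "ok"


def publication_deadline(sent_at_iso, kind="software"):
    """Standard term from the guideline, counted from the notice: 60 days (software), 6 months (hardware)."""
    sent = datetime.fromisoformat(sent_at_iso)
    if kind == "software":
        return (sent + timedelta(days=60)).date()
    if kind == "hardware":
        month = sent.month + 6
        year = sent.year + (month - 1) // 12
        month = (month - 1) % 12 + 1
        day = min(sent.day, calendar.monthrange(year, month)[1])  # clamp, e.g. 31 Aug -> 28 Feb
        return sent.replace(year=year, month=month, day=day).date()
    raise ValueError("kind must be 'software' or 'hardware'")


if __name__ == "__main__":
    # Constructed sample notice; the addresses and text are not real.
    body = "Sample notice: a vulnerability was observed in your public web application; details follow."
    receipt = issue_receipt("reporter@example.org", "security@example.com",
                            "Vulnerability notice", body,
                            sent_at="2013-01-04T10:00:00+00:00")
    print(json.dumps(receipt, indent=2))
    print(verify_receipt(receipt, "reporter@example.org", "security@example.com",
                         "Vulnerability notice", body))
    print(verify_receipt(receipt, "reporter@example.org", "security@example.com",
                         "Vulnerability notice", body + " (edited)"))
    print("software deadline:", publication_deadline("2013-01-04T10:00:00+00:00"))
    print("hardware deadline:", publication_deadline("2013-01-04T10:00:00+00:00", "hardware"))
```

The point of hashing the headers together with the body is that neither side can later claim a different subject or recipient was used; the point of having the intermediary rather than the reporter apply the key is that the timestamp and digest are vouched for by someone who was not a party to the dispute.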

Naavi

Posted in Uncategorized

The Dilemma of Advertising on the Internet

Advertisements on the Internet are increasingly attracting the attention of the public. No doubt advertisers using innovative advertising techniques are mainly responsible for this attention.

But news about a French ISP blocking advertisements by default through its routers has caused an uproar in the Internet world. See report here

It is acknowledged that advertisements have absorbed the cost of Internet access and also provided a return on investment to content owners. They therefore continue to serve the cause of “Internet Access for All”.

However, as happens in live telecasts of cricket in India on TV, where we end up seeing more ads than cricket, the greed of advertisers has started generating a negative effect from advertising.

On the Internet, we have two kinds of such ads. One is the type normally referred to as “interstitial ads”, which block the main content and remain on display for an annoyingly long period (e.g. check espncricinfo.com). Advertisers also ensure that the “Close” button is not easily detectable, and if the user wrongly clicks on the ad while trying to close it, it actually opens the ad link.

The second category of objectionable ads is the “bandwidth guzzlers”. These are video ads that start playing automatically when you visit a website. Such ads consume much more bandwidth than the entire content page the user wants to read, and also cause embarrassment if he is browsing in a silent environment. The cost of that bandwidth is also borne by the user.

Comparatively, text ads or small picture ads appearing only outside the content portion are more tolerable.

If advertisers remain conscious of the fact that users get annoyed by such high-impact advertising and are likely to start using ad blockers (e.g. Ad blocker1, Adblocker2) if their patience is tested, they will realize that it is necessary to avoid such objectionable ads altogether.

Naavi

For the latest information on ad blockers in 2020, refer here: Best Ad Blockers of 2020

Posted in Cyber Crime, Privacy, Uncategorized

Guidelines For Ethical Hackers

The Netherlands Government has issued guidelines for “ethical hackers” on reporting the vulnerabilities they discover.

According to the guidelines, a person who discovers a vulnerability should report it directly to the owner of the system in a confidential manner.

It is not, however, clear what action the ethical hacker needs to take if the owner does not respond. If public interest is involved, is it right for the ethical hacker to remain silent and let the vulnerability continue?

It is essential for organizations that receive such communications to acknowledge the report, promise a timeline within which a correction will be made, and inform the ethical hacker of the correction through the same channel in which the vulnerability report was received.

If there is no response from the owner, there should be an escalation to a regulatory agency such as CERT or an industry-specific authority, where a designated person should be available to receive such reports and respond.

If after a reasonable time no response is received from either the owner or the regulatory agency, the ethical hacker should be permitted, or rather obligated, to release the information on the vulnerability to the public, if possible through accredited security portals/agencies.

It may be recalled that Naavi.org had, during the last year, discussed this issue in the case of vulnerabilities exposed by a security professional, Mr Yash, in the Indian banking system. In this case, the banks refused to act and, instead of setting their systems right, took steps to forcibly shut out reports about the vulnerabilities. CERT-In refused to take cognizance and RBI preferred to remain silent on the issue. As a result the vulnerabilities continue to exist and bank customers continue to bear the risks for the commercial benefit of the banks.

This is one live example of how things are handled in India. Perhaps this Netherlands guideline will open the eyes of the Indian authorities, if they have eyes that can see.

Naavi

Posted in Cyber Crime, Information Assurance, Uncategorized

Hacking of Government websites leads to losses..

It is well known that websites of the Government of India hosted at NIC are not adequately protected against cyber attacks. It has now been admitted that “The defacement and hacking of government websites have not only brought to the fore security lapses, but also resulted in financial losses to the exchequer”.

According to the Reserve Bank of India, between 2009 and 2011, 489 e-fraud cases were registered, leading to a loss of about Rs 28.46 crore. Separately, the Central Bureau of Investigation’s economic offences unit registered nine financial fraud cases between 2009 and February 2012, leading to a loss of Rs 43.92 crore. More in Business Standard Report

As a remedy, the report suggests that the Government is trying to adopt ISO 27001 audits. This is a step in the right direction, but it again indicates that the Government is unable to distinguish between the technical aspects of security and the techno-legal aspects of Information Assurance. Hence the Government's measures are unlikely to be considered “adequate” in any proper CAG audit.

Naavi

Posted in Cyber Crime, Information Assurance