Efficacy of Anti Virus software

Posted on February 8, 2013 by Vijayashankar Na

The recent Chinese hacking of New York Times has raised the issue of the efficacy of anti virus or security softwares used by corporates.

According to NYT, the hackers had installed 45 custom malware over the previous three months of which only one could be detected by Symantec. (See article)

Symantec has however said in its defense that Times did not use the software properly.It said “The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behavior-based blocking, specifically target sophisticated attacks.Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.”

This gives rise to a discussion on what are the default capabilities of an end point security software and what is the extent of expertise required by the clients to use such a software efficiently.

In this connection the this comparative test of different products for Home users would be useful. This test is based on the most common default settings and hence is of interest to an average user. In this test several products have been compared against three specific parameters namely ability to identify threats,repair them and the usability factor.

While evaluation of an anti virus solution for home users has to be based on default configurations without expecting too much of expertise, Naavi.org is also trying to find out the expectation level of informed buyers such as corporate customers regarding the security solutions they look for.

All said and done, Chinese hacking of NYT could also be due to targeted attack on the domain which would be difficult for an average AV software to detect. There is however a possibility of detecting it at least after the malware starts exhibiting its properties. i.e. if prevention fails at least early detection should help. In the NYT case Symantec seems to have failed in detecting the malware for nearly 3 months. This delay needs to be pondered over.

Naavi

Also: PCworld review

Posted in Cyber Crime | Leave a comment

Bankers try to mislead credit card customers

Posted on February 7, 2013 by Vijayashankar Na

Earlier in the day today, Times of India first reported the arrest of 5 Indians in USA in connection with the US$ 200 million credit card fraud.

Immediately thereafter there was a second report in TOI itself attributing the growth of recent credit card frauds to “Dexter” malware. The report referred to quotes from some Bankers who were not identified who stated that the fraud did not reflect any weakness in the security system of the Banks.

The unidentified Bank official was quoted as stating “I doubt that this is related to skimming. In skimming there is a physical limitation in the number of cards that can be read also we are getting cases from metros across the country” . It was also added that since this fraud was perpetuated at the card acceptance stage it was not limited to one card issuing bank. He is said to have further assured that “We have secured our solutions through incorporate of advanced security mechanism such as Unique Key Per Terminal and Terminal Line Encryption which make the systems future ready as per RBI compliance needs”

The report absolves RBI by stating that it cannot prevent international frauds.

The entire report appears to be a planted story from some credit card issuing Banks in India along with RBI to hedge against them being held liable.

While the Bank official proudly states that International E Commerce sites some times accept credit cards without the CVV2 number and hence the frauds prevail, Naavi has brought to the attention of the public in India an instance with SBI cards where a Hotel In Delhi had charged the customer without any kind of authorization from the customer. This indicated that most Banks in India never verify the charge slips and make payments against forged charge slip signatures as well as non existent charge slips. (After prolonged correspondence over a few months the charge was reversed. However though Naavi insisted that action should be taken against the fraudulent merchant, no such action appears to have been taken).

The fact is that RBI has introduced certain technology features without proper security measures and influential Banks are not absorbing the fraud risks.

RBI is aware that credit card companies in India are  forcing the customers to buy fraud insurance at their costs even against “Forged Charge slips”. This is unethical and illegal as it tries to force a Consumer to accept additional cost for a service arising out of a “Forgery” which is the responsibility of the Bank to prevent. RBI is by its silence contributing to the prevalence of the fraudulent practice.

Will the unidenitfied Bank official clarify if the above situation is prevailing in India and if so whether it is correct?

A detailed explanation of the activity of “Dexter” virus is available in the following article.

Report on “Dexter” malware

As this article indicates Dexter attacks the POS terminals used by Merchants in the physical space. This is not an internet transaction. Hence this needs the signature of the customer. If therefore frauds can take place in this scenario, it can occur only because of unsigned charge slips. Such debits cannot be placed on the customer and the Banks must absorb the losses.

Hence the US $ 200 million fraud to the extent it relates to Indian Banks (If any) represents the losses to the Indian Banking system. RBI needs to disclose the details of the Indian Bank’s involvement and how it would prevent consumers from being bullied by Banks to accept the losses on their accounts.

Also see: Credit card fraud in Mumbai

Naavi

Posted in Bank, Cyber Crime, Cyber Law, Information Assurance | Leave a comment

Hearing on PIL on CAT Appointment at Bangalore

Posted on February 7, 2013 by Vijayashankar Na

The hearing on the public interest litigation in the High Court of Karnataka (WP 37577/2012)regarding the non appointment of the Chair Person for Cyber Appellate Tribunal which was scheduled for today the 7th February 2013 has not been listed in the proceedings for the day.

It is understood that it is now rescheduled for next Monday.

As per the last order of 3rd December 2012, Government of India was today expected to file its objections to the petition of Advocate Chaitanya.  However the hearing has not been listed and hence there is some additional time available with the Government of India for filing its objections.

The exact reason for the postponement  is unknown. It is speculated that the Government of India might have requested for the reschedulement hopefully intending to notify the appointment before the date of hearing to avoid the Court passing any further observations.

Naavi

Posted in ITA 2008 | Leave a comment

5 Indians in US$ 200 million Credit Card fraud

Posted on February 7, 2013 by Vijayashankar Na

5 Indians are amongst the persons charged in US in a massive credit card fraud said to involve US $ 200 million loss to various credit card holders. Details in TOI

Among those charged are Babar Quereshi (59), Ijaz Butt (53), Raghbir Singh (57), Mohammad Khan (48), Sat Verma (60), Vijay Verma (45), Tarsem Lal (74) and Vinod Dadlani (49). Each of them faces a maximum penalty of 30 years in jail and a $1 million fine. All are residents of New Jersy US.

The fraud appears to be an Indo-Pak cooperative bid !

While Pakistan is notorious as a Terror center, India sadly appears to be gaining in Cyber Crime related notoriety.  It is necessary for all responsible Netizens in India to ensure that the situation does not go out of hand. This requires urgent measures from the Government towards Cyber Security.

I reiterate that the Government of India headed by Dr Man Mohan Singh and the Ministry of Communications and Information Technology headed by Mr Kapil Sibal are guilty of not addressing issues such as operationalizing Cyber Appellate Tribunal and are showing their apathy towards controlling Cyber Crimes in India.

Related article in TOI on “Dexter”malware

Naavi

Posted in Cyber Crime, ITA 2008 | Leave a comment

Mobile Apps Company fined $800,000

Posted on February 5, 2013 by Vijayashankar Na

The Federal Trade Commission (FTC) of USA has fined a two year old Mobile Apps manufacturing company “Path” a sum of US$ 800,000 for violating the privacy of US Citizens. In particular the Social Networking Apps manufacturer was charged with violating the privacy of children since it collected personal information on underage users including any person in the user’s address book.

The incident is a serious notice to all mobile apps manufacturers to offer a strict “opt out” option by default and a proper check on the identification of children.

Identifying whether a person is an adult or a minor is a huge challenge and companies need expert advise from appropriate Privacy Consultants to steer clear of the risks indicated by the above incident.

Related Report

Naavi

Posted in Cyber Law, Information Assurance, TELCO | Leave a comment

Women’s protection Ordinance clashes with ITA 2008

Posted on February 5, 2013 by Vijayashankar Na

Government of India has promulgated an ordinance titled “The Criminal Law (Amendment) Ordinance, 2013” following the public outrage on the the recent incident in which a girl was gangraped in a Delhi bus. The Ordinance has initiated some provisions to strengthen the laws against sexual assault on women including acid attacks, rape and rape leading to death or reduction of the victim to vegetable status etc.

Apart from some of the provisions that directly relate to physical society offences, there are at least two provisions which directly conflict with the provisions of ITA 2008.

One of the conflicting provisions is “voyeurism” which conflcits with Section 66E of ITA 2008 and the other is on “Stalking” which conflicts with Section 66A.

The amended IPC section 354C states as follows.

Section 354C: voyeurism:

“Whoever watches, or captures the image of, a woman engaging in a private act in circumstances where she would usually have the expectation of not being observed either by the perpetrator or by any other person at the behest of the perpetrator shall be punished on first conviction with imprisonment of either description for a term which shall not be less than one year, but which may extend to three years. and shall also be liable to fine, and be punished on a second or subsequent conviction, with imprisonment of either description for a term which shall not be less than three years, but which may extend to seven years, and shall also be liable to fine.

Explanation 1.- for the purpose of this section, “private act” includes an act carried out in a place which. in the circumstances,would reasonably be expected to provide privacy, and where the victim’s genitals, buttocks or breasts are exposed or covered only in underwear,or the victim is using a lavatory or the person is doing a sexual act that is not of a kind ordinarily done in public.

Explanation 2.- Where the victim consents to the capture of images or any act, but not to their dissemination to third persons and where such image or act is disseminated, such dissemination shall be considered an offence under this section.”

Section 66E of ITA 2008 on the other hand states

“Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both”

For the first time offender Section 66E has a harsher punishment where as for the second time offender, IPC 354C will be harsher. It is not clear however if a person can be punished for the first time under ITA 2008 and for the second time under IPC. Also section 66E addresses capture as well as publishing and transmission of a picture of a private part of a person. If however the publishing and transmission involves content which falls under Section 67, 67A or 67B (Obscenity) then there would be harsher punishments under ITA 2008.

In the IPC section however, the offence relates to “watching and capturing” a “Private act” and the punishment may be as little as one year in the first instance. “Watching a private act” falls only under IPC, where as “Capturing” falls under both IPC and ITA2008 “Publishing” and “Transmission” falls only under ITA 2008.

Section 354D of the proposed ordinance states as under:

354D: Stalking:

(1) Whoever follows a person and contacts or attempts to contact such person to foster personal interaction repeatedly, despite a clear indication of disinterest by such person, or whoever monitors the use by a person of the internet, email or any other form of electronic communication, or watches or spies on a person in a manner that results in a fear of violence or serious alarm or distress in the mind of such person, or interferes with the mental peace of such person, commits the offence of stalking:

Provided that the course of conduct will not amount to stalking if the person who pursued it shows
(i)that it was pursued for the purpose of preventing or detecting crime and the person accused of stalking had been entrusted with the responsibility of prevention and detection of crime by the state; or
(ii) that it was pursued under any law or to comply with any condition or requirement imposed by any person under any law. or
(iii) that in the particular circumstances the pursuit of the course of conduct was reasonable.

(2) Whoever commits the offence of stalking shall be punished with imprisonment of either description for a term which shall not be less than one year but which may extend to three years, and shall also be liable to fine.’

Section 66A has been extensively discussed on this site (Refer : Misconceptions about Section 66A). It applies to “Persistent” sending of emails/messages to create annoyance which is the effect of “Stalking”. The punishment is 3 years.

Section 354 D overlaps with Section 66A since it specifically refers to “Use of internet or email”. The punishment is between one to three years.

If the ordinance had been carefully drafted the overlapping of IPC with ITA 2008 could have been avoided. It may be noted that IPC ordinance is issued from the Ministry of Home Affairs and ITA 2008 is managed by Ministry of Communications and Information Technology. Unfortunately the two ministries perhaps had no consultation process which could have avoided the conflicts.

Naavi

Posted in Uncategorized | Leave a comment