Dutch Responsible Disclosure Guideline..organizational responsibilities

In continuation of the earlier posts, the following are the obligations that the Dutch National Cyber Security Council has imposed on the owners of systems.

According to the guidelines, the organization must have a policy on “Responsible Disclosure” and must make that policy publicly known.

It will also be necessary for the organization to make it easy for a detector to make a notification. This can be done in a standardized manner, for example through an on-line form to be used for making reports. Here, the organization can also weigh whether to accept anonymous reports.

  • The organization reserves capacity so that it can react adequately to notifications.
  • The organization takes receipt of the report of a vulnerability and ensures that it reaches, as soon as possible, the department that can best assess and investigate the message.
  • The organization will send an acknowledgment of receipt of the notification, preferably digitally signed, to emphasize to the detector that the report is being given priority. After that, the organization and the detector get in contact about the further process.
  • The organization shall determine, in consultation with the reporter, the deadline by which any publication will take place. A reasonable standard term that can be used for software vulnerabilities is 60 days. Since fixing vulnerabilities in hardware is more difficult to achieve, a reasonable standard period of 6 months may be used for these.
  • In consultation, it may be desirable to extend or shorten this deadline depending on whether many or few systems rely on the system on which the vulnerability is reported.
  • If a vulnerability cannot be solved or is difficult to solve, or if high costs are involved, the detector and the organization may agree to leave the vulnerability undisclosed.
  • The organization keeps the detector and other stakeholders informed of the progress of the process.
  • The organization can convey that it will give the detector credit, if the reporter so wishes, for making the report.
  • The organization may choose to give a detector a reward or appreciation for reporting vulnerabilities in ICT products or services, if the detector has taken the rules contained in the policy into account. The size of the reward may depend on the quality of the report.
  • The organization may, in consultation with the notifier, agree to inform the broader IT community about the vulnerability when it is probable that the vulnerability also exists in other places.
  • The organization shall act in accordance with the adopted policy about not taking legal action if the policy is adhered to.
  • These guidelines may now be construed as a “Best Practice” for organizations for whom this will be applicable and Information Assurance Auditors/consultants may take note of them for implementation of Information Security in an organization.

More details are available in this translated copy of the brochure:

Naavi

[P.S: Kindly excuse some spelling errors on account of unedited translation of the original Dutch document]

Posted in Cyber Crime, Information Assurance, Uncategorized

Free CEAC support for Ethical Hackers reporting vulnerabilities

I refer to the earlier post on the disclosure guidelines suggested by the Government of the Netherlands for ethical hackers who observe vulnerabilities. (The original Dutch version of the guideline is available here: English Version)

One of the suggestions made therein is that the ethical hacker who observes a vulnerability should first report to the owner of the facility and give them an option to plug the vulnerability.

Users are however required to adhere to the framework mentioned in the guideline, according to which they shall refrain from altering the system and shall not repeatedly access the system. They should also avoid using brute-force techniques to access a system. The ethical hacker further has to agree that vulnerabilities will only be disclosed after they are fixed and only with the consent of the involved organization.

The guidelines however are silent on what action the ethical hacker has to take if the owner of the system remains silent. There is however a mention that “The parties can also decide to inform the broader IT community if the vulnerability is new or it is suspected that more systems have the same vulnerability, the NCSC said.”

The National Cyber Security Center also states that it would be willing to act as an intermediary to inform the owner of the vulnerable system if the vulnerability is brought to its notice.

Though the security professional who has found the vulnerability acts in good faith and notifies the owner of the system, it is possible that the owner may not respond and later on raise an objection that he was never informed. In such a situation it will be necessary for the ethical hacker to create suitable evidence in his favour to prove that he actually served the necessary notice.

CEAC (Naavi’s Cyber Evidence Archival Service, details of which are available at www.ceac.in) provides a paid service for delivery of “Certified E-Mails”. In the Indian context this service is structured so as to meet the requirements of “Admissible Evidence” under Section 65B of the Indian Evidence Act. Presently this is a paid service.

However, in the interest of promoting “Security” and to offer support to Ethical Hackers who in good faith would like to deliver notices as per the said Netherlands guidelines or a similar “good practice”, CEAC will offer to deliver such notices free of charge.

A similar facility was offered to Mr Yash, an Indian security professional who published the Banking vulnerability, where a demo of the vulnerability was sent to the necessary authorities. (Though no action came forth from them).

We hope that security professionals use this facility to create third-party evidence to protect themselves from liabilities.

CEAC however restricts its activity to forwarding the communication as received from the ethical hacker to a designated e-mail address and does not take any responsibility for the correctness of the report or for the fact that the ethical hacker had followed the necessary guideline etc. Interested persons may get the details from Naavi.

Naavi

Posted in Uncategorized

The Dilemma of Advertising on Internet

Advertisements on the Internet are increasingly attracting the attention of the public. No doubt advertisers using innovative advertising techniques are mainly responsible for this attention.

But news about a French ISP blocking advertisements by default through its routers has caused an uproar in the Internet world. See report here

It is acknowledged that advertisements have absorbed the cost of internet access and also provided a return on investment to the content owners. They therefore continue to serve the cause of “Internet Access for All”.

However, as happens in the live telecast of Cricket in India on TV, where we end up seeing more ads than cricket, the greed of the advertisers has started generating a negative effect from the advertising.

On the Internet, we have two kinds of such ads. One is the type of ad normally referred to as “interstitial Ads”, which block the main content and remain on display for an annoying period of time (e.g. check espncricinfo.com). Advertisers also ensure that the “Close” button is not easily detectable, and if the user wrongly clicks on the ad in trying to close it, it actually opens the ad link.

The second category of objectionable ads is the “bandwidth guzzlers”. These are “Video Ads” that start playing automatically when you visit a website. Such ads consume much more bandwidth than the entire content page which the user wants to surf and also cause embarrassment if he is browsing in a silent environment. The cost of such bandwidth is also being borne by the user.

Comparatively, text ads or small picture ads appearing only outside the content portion are more tolerable.

If the advertisers remain conscious of the fact that users get annoyed by such high-impact advertising and are likely to start using “Ad blockers” (e.g. Ad blocker1, Adblocker2) if their patience is put to the test, they will realize that it is necessary for them to completely avoid such objectionable ads.

Naavi

For the latest information on Adblockers in 2020, refer here: Best Ad Blockers of 2020

Posted in Cyber Crime, Privacy, Uncategorized

Guidelines For Ethical Hackers

The Netherlands Government has issued guidelines on how “Ethical hackers” who discover vulnerabilities should report those vulnerabilities.

According to the guidelines, a person who discovers a vulnerability should report it directly to the owner of the system in a confidential manner.

It is not however clear what action needs to be taken by the Ethical hacker if the owner does not respond. If there is public interest involved, is it right for the ethical hacker to remain silent and let the vulnerability continue?

It is essential for organizations who receive such communications to acknowledge the report and promise a time line within which a correction is made, and the ethical hacker is informed about the correction in the same channel in which the vulnerability report was received.

If there is no response from the owner, there should be an escalation to a regulatory agency such as the CERT or an industry-specific authority, where a designated person should be available to receive such reports and respond.

If after a reasonable time no response is received from the owner and the regulatory agency, the ethical hacker should be permitted, or rather obligated, to release the information on the vulnerability to the public, if possible through accredited security portals/agencies.

It may be recalled that Naavi.org had during the last year discussed this issue in the case of vulnerabilities exposed by a security professional, Mr Yash, in the Indian Banking system. In this case, the Banks refused to act and, instead of setting their system right, took steps to forcibly shut out reports about the vulnerabilities. CERT-In refused to take cognizance and RBI preferred to remain silent on the issue. As a result the vulnerabilities continue to exist and Bank customers continue to bear the risks for the commercial benefit of the Banks.

This is one live example of how things are handled in India. Perhaps this Netherlands Guideline will open the eyes of the Indian authorities, if they have eyes that can see.

Naavi

Posted in Cyber Crime, Information Assurance, Uncategorized

Hacking of Government websites leads to losses..

It is well known that websites of the Government of India hosted at NIC are not adequately protected against cyber attacks. It has now been admitted that “The defacement and hacking of government websites have not only brought to the fore security lapses, but also resulted in financial losses to the exchequer”.

According to the Reserve Bank of India, between 2009 and 2011, 489 e-fraud cases were registered, and these led to a loss of about Rs 28.46 crore. Separately, the Central Bureau of Investigation’s economic offences unit registered nine financial fraud cases between 2009 and 2012 (February). These led to a loss of Rs 43.92 crore…. More in Business Standard Report

As a remedy, the report suggests that the Government is trying to adopt ISO 27001 audits. This is a step in the right direction but again indicates that the Government is unable to make a distinction between the technical aspects of security and the techno-legal aspects of Information Assurance. Hence the measures of the Government are unlikely to be considered “Adequate” in any proper CAG audit.

Naavi

Posted in Cyber Crime, Information Assurance

Anonymity promotes democratic debates…study

A study of YouTube videos presented by Mr Nn Laeeq Khan of Michigan State University has thrown up interesting thoughts on the “role of Anonymity” in online socializing. In the background of the Internet Censorship controversies in India, the findings of the study are relevant for India.

It is well known that “Anonymity” was one of the main reasons for the Internet becoming popular as a medium of communication. The rise of social media has also been significantly assisted by the fact that people participate in discussions through “Comments” and enrich the thoughts presented by one person.

The study by Laeeq Khan of comments made on YouTube videos indicated that both praise and criticism were significantly higher in anonymous mode than in identified mode. During the study it was observed that 863 appreciative comments were made, of which 856 were anonymous. Out of the 252 critical comments, 251 were anonymous. Out of 93 flames and 176 spam comments, 93 and 166 comments respectively were anonymous. In summary, 99.4 % of all comments were anonymous.

It is not surprising that the critical comments, flames and spam are anonymous. But the fact that 856 of 863 appreciative comments were anonymous is indicative of a distinct preference for anonymity by Netizens.

This finding negates the school of thought that Netizens’ comments are aimed at stroking the “Self Ego”. They appear to be more honest in objectively expressing their opinion. The fact is that Netizens continue to consider “Anonymity” the way of life on the Net.

This should be good feedback to the regulators who move heaven and earth to curb Netizens’ freedom of expression through misuse of legislation.

Recognizing the two divergent views, Naavi continues to favour his thought of “Regulated Anonymity” as a way forward. It is a concept where “Anonymity” is preserved by a “Non Governmental” body of Netizens which in exceptional circumstances cooperates with law enforcement to ensure that the Cyber Society lives in harmony with the physical society.

Naavi

Related Article: Theory of Regulated Anonymity by Naavi

Posted in Cyber Crime, Privacy