Security Awareness For every Computer buyer

Government of India is suggesting that a security awareness brochure should be mandatorily inserted in every Computer/Mobile product package delivered to a customer.

Report

Though some have raised “logistic issues”, Naavi.org considers that the proposal is a move in the right direction. It is also possible for the brochure to be sent by manufacturers upon registration of the warranty, and also in soft form as part of the software package installed on the device.

There could be many other ways to deliver the information package and the objections raised by manufacturers only seem to indicate their unwillingness to undertake the responsibility.

Naavi

Posted in Cyber Law

Is DDOS a legitimate form of Protest?

The Anonymous group, which is known for several DDOS attacks around the world, has petitioned Mr Obama that DDOS should be recognized as a legitimate form of protest.

The group has claimed that DDOS is not a form of “hacking” and is no different from an “Occupy” protest. See report here

Though the request is unlikely to be considered by the US Government, it nevertheless gives some food for thought on how we can facilitate genuine forms of protest in Cyber Space.

Naavi has already suggested one form of “Cyber Protest” which is a Cyber Law Compliant form of protest.

Naavi had also earlier suggested in respect of objectionable contents a form of publishing an opposing point of view like a rejoinder. A similar process can also be used for the kind of DDOS protests that Anonymous is now suggesting.

In this form of protest the DDOS attack would only pop up a message which briefly obscures the content, much like an “interstitial advertisement”. Perhaps such a system would satisfy both Anonymous and the regulators.

If the Obama administration considers such a request, it will usher in a new era of democratization of the Internet and protection of the Human Rights of Netizens.

Naavi

Posted in Cyber Crime, Cyber Law, Privacy

Delhi Court issues summons to US Companies

Delhi Metropolitan Magistrate Court has issued summons to 11 US based websites including Facebook and Google for promoting enmity and undermining national integrity. The MHA has been asked to serve the notices.

Other websites that will be summoned include Orkut, YouTube, Yahoo, Blogspot and Microsoft. Report

Naavi

Posted in Cyber Crime, Cyber Law, Uncategorized

In US, SSN is being removed from Medicare records…

A bill is being passed in the US to de-link the Social Security Number from Medicare ID cards. This is being pushed to avoid Medicare identity theft. Report

The decision follows the observation that Medicare security breaches are resulting in the loss of citizens' social security identities.

This development appears interesting in the context of India trying to push the inclusion of Aadhar numbers in a number of transactions such as gas connections, bank accounts, etc. The risk of a gas dealer losing his records, and thereby revealing Aadhar numbers, is a risk that looms large over the citizens of India. Once the Aadhar number and the details held by the gas dealer are known, the combined data could be used for various malicious purposes such as taking over the victim's bank account or mobile number.

It is necessary for the Government to keep these risks in mind before linking Aadhar numbers with all services as a matter of routine.

During Aadhar registrations in Karnataka I have observed that by default every registrant is being asked to link his Bank account to the Aadhar registration. This is required only for BPL families where benefits are to be routed to the account. Otherwise public should be circumspect in linking their Bank accounts to the Aadhar registration.

Naavi

Posted in Uncategorized

Dutch Responsible Disclosure Guideline..organizational responsibilities

In continuation of the earlier posts, following are the obligations that the Dutch National Cyber Security Council has imposed on the owners of systems.

According to the guideline, the organization must have a policy on “Responsible Disclosure” and must publish that policy so that it is publicly known.

The organization must also make it easy for a reporter to submit a notification. This can be done in a standardized manner, for example through an on-line form to be used for making reports. Here the organization can weigh whether it is willing to receive anonymous reports.

  • The organization reserves capacity so that it can respond adequately to notifications.
  • The organization receives the report of a vulnerability and ensures that it reaches, as soon as possible, the department best placed to assess and investigate it.
  • The organization sends an acknowledgment of receipt of the notification, preferably digitally signed, to emphasize to the reporter that the report is being given priority. After that, the organization and the reporter stay in contact about the further process.
  • The organization determines, in consultation with the reporter, the deadline by which any publication will take place. A reasonable standard term for software vulnerabilities is 60 days. Since fixing vulnerabilities in hardware is harder to achieve, a reasonable standard period of 6 months may be used there.
  • In consultation it may be desirable to extend or shorten this deadline, depending on how many other systems rely on the system in which the vulnerability is reported.
  • If a vulnerability is difficult or impossible to solve, or if high costs are involved, the reporter and the organization may agree to keep the vulnerability undisclosed.
  • The organization keeps the reporter and other stakeholders informed of the progress of the process.
  • The organization may state that it will give the reporter credit for the report, if the reporter so wishes.
  • The organization may choose to give the reporter a reward or token of appreciation for reporting vulnerabilities in ICT products or services, provided the reporter has followed the rules laid down in the policy. The size of the reward may depend on the quality of the report.
  • The organization may, in consultation with the reporter, agree to inform the broader IT community about the vulnerability when it is probable that the vulnerability also exists elsewhere.
  • The organization shall act according to the adopted policy of not taking legal action, as long as the policy has been adhered to.

These guidelines may now be construed as a “Best Practice” for organizations to whom they will be applicable, and Information Assurance auditors/consultants may take note of them for the implementation of Information Security in an organization.
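As an added illustration of the intake obligations listed above (this is example code written for this page, not the NCSC's guideline text or any naavi.org code), the following Python module accepts a report (anonymous or named), fixes the standard disclosure deadline of 60 days for software or 6 months for hardware with any adjustment agreed with the reporter, and issues an acknowledgment of receipt that the key holder can later verify. The HMAC key, the sample report and the dates are constructed assumptions; a public-key signature would additionally let the reporter verify the receipt independently.

```python
import calendar
import hashlib
import hmac
import json
from datetime import date, timedelta


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def disclosure_deadline(received: str, category: str, adjust_days: int = 0) -> str:
    """ISO dates in and out. Standard term: 60 days (software) or 6 months
    (hardware), plus any change agreed with the reporter (may be negative)."""
    start = date.fromisoformat(received)
    if category == "software":
        deadline = start + timedelta(days=60)
    elif category == "hardware":
        deadline = add_months(start, 6)
    else:
        raise ValueError(f"unknown category: {category}")
    return (deadline + timedelta(days=adjust_days)).isoformat()


def acknowledge(report: str, category: str, received: str, key: bytes,
                reporter: str = "", adjust_days: int = 0) -> dict:
    """Acknowledgment of receipt; an empty reporter models an anonymous
    report, which the guideline leaves to the organization to accept or refuse."""
    ack = {
        "report_sha256": hashlib.sha256(report.encode()).hexdigest(),
        "category": category,
        "received": received,
        "deadline": disclosure_deadline(received, category, adjust_days),
        "reporter": reporter or "anonymous",
    }
    # HMAC under the organization's key (assumed): the issuer, or an intermediary
    # holding the key, can later prove which receipt it issued for which report.
    payload = json.dumps(ack, sort_keys=True).encode()
    ack["signature"] = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return ack


def verify_acknowledgment(ack: dict, key: bytes) -> bool:
    """True only if the record is unchanged since it was signed."""
    body = {k: v for k, v in ack.items() if k != "signature"}
    expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(ack.get("signature", ""), expected)
```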

More details are available in this translated copy of the brochure:

Naavi

[P.S: Kindly excuse some spelling errors on account of unedited translation of the original Dutch document]

Posted in Cyber Crime, Information Assurance, Uncategorized

Free CEAC support for Ethical Hackers reporting vulnerabilities

I refer to the earlier post on the disclosure guidelines that the Government of the Netherlands has suggested for ethical hackers who observe vulnerabilities. (The original Dutch version of the guideline is available here: English Version)

One of the suggestions made therein is that the ethical hacker who observes a vulnerability should first report it to the owner of the facility and give them an option to plug the vulnerability.

Users are however required to adhere to the framework mentioned in the guideline, according to which they shall refrain from altering the system and shall not repeatedly access the system. They should also avoid using brute-force techniques to access a system. The ethical hacker further has to agree that vulnerabilities will only be disclosed after they are fixed and only with the consent of the involved organization.

The guidelines however are silent on what action the ethical hacker has to take if the owner of the system remains silent. There is however a mention that “The parties can also decide to inform the broader IT community if the vulnerability is new or it is suspected that more systems have the same vulnerability, the NCSC said.”

The National Cyber Security Center also states that it would be willing to act as an intermediary to inform the owner of the vulnerable system if the vulnerability is brought to its notice.

Though the security professional who has found the vulnerability acts in good faith and notifies the owner of the system, it is possible that the owner may not respond and later on raise an objection that he was never informed. In such a situation it will be necessary for the ethical hacker to create suitable evidence in his favour to prove that he actually served the necessary notice.

CEAC (Naavi’s Cyber Evidence Archival Service, details of which are available at www.ceac.in) provides a service, on payment, for delivery of “Certified E Mails”. In the Indian context this service is structured so as to meet the requirements of “Admissible Evidence” under Section 65B of the Indian Evidence Act. Presently this is a paid service.

However, in the interest of promoting “Security” and to offer support to ethical hackers who in good faith would like to deliver notices as per the said Netherlands guidelines or a similar “good practice”, CEAC will offer to deliver such notices free of charge.

A similar facility was offered to Mr Yash, an Indian security professional who published the Banking vulnerability, where a demo of the vulnerability was sent to the necessary authorities. (Though no action came forth from them.)

We hope that security professionals use this facility to create third-party evidence to protect themselves from liabilities.

CEAC however restricts its activity to forwarding the communication, as received from the ethical hacker, to a designated e-mail address, and does not take any responsibility for the correctness of the report or for whether the ethical hacker has followed the necessary guideline, etc. Interested persons may get the details from Naavi.

Naavi

Posted in Uncategorized