Monthly Archives: April 2013

Purported Incoming Fax Messages Are Malware Infected

These days consumers have many choices for sending and receiving fax messages. Not only do we have traditional fax machines, but we also have the option of using online fax services. There are many good commercial and free services that help in sending and receiving online faxes.

Online fax services support many file formats, including PDF, Word and popular image formats. This has created a trust relationship in which the fax recipient has little reason to suspect the sender's intentions or the faxed material. On top of this, the Internet is full of unprotected and unsafe devices that are openly abused by cyber criminals.

Cyber criminals have now started abusing the fax facility to deliver malware to unsuspecting recipients. Computer users have been warned to thoroughly analyse the fax messages that arrive in their e-mail inbox, as these messages are carrying malware.

Present-day fax machines are connected to corporate networks, which forward messages to a fax gateway in order to send faxes to others and to deliver incoming electronic faxes to your inbox.

Cyber criminals are sending fax messages with malware attached. The fax arrives as a zip archive that carries an executable file. A careful computer user would be quick to discard such a message, as zip is generally not a format used for sending or receiving faxes.

However, many users are neither that careful nor that lucky, and they download the zip archive and unintentionally execute the malware. The security product identifies the malware as a trojan horse named Troj/FakeAV-GNL.

At Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) we believe that it is a good cyber security best practice to ignore e-mail messages that have executable attachments. Further, e-mails from strangers that carry attachments should also be discarded.
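A mail-gateway check for the lure described above, as an added example that is not part of the original post: it opens zip attachments in memory and flags any member with an executable extension, following nested archives. The extension list, the size and depth limits and the sample messages are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed gateway policy (not from the article): extensions treated as executable.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MAX_NESTED_BYTES = 5 * 1024 * 1024  # nested archives above this size are not unpacked
MAX_DEPTH = 2                       # zip-in-zip levels to follow


def extension(name):
    """Final extension of a file name, lower-cased, ignoring trailing dots/spaces."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower().rstrip(". ")
    dot = base.rfind(".")
    return base[dot:] if dot != -1 else ""


def inspect_zip(data, depth=0):
    """Return a list of reasons to distrust a zip archive supplied as bytes."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data or b""))
    except zipfile.BadZipFile:
        return ["archive could not be parsed"]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            ext = extension(info.filename)
            if ext in EXECUTABLE_EXTS:
                # Member names stay readable even when the content is encrypted.
                findings.append("executable in archive: " + info.filename)
            elif ext == ".zip":
                if info.flag_bits & 0x1:
                    findings.append("encrypted nested archive: " + info.filename)
                elif depth >= MAX_DEPTH or info.file_size > MAX_NESTED_BYTES:
                    findings.append("nested archive not inspected: " + info.filename)
                else:
                    findings += inspect_zip(archive.read(info), depth + 1)
    return findings


def inspect_message(raw):
    """Return (verdict, findings) for a raw e-mail message given as bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = extension(name)
        if ext in EXECUTABLE_EXTS:
            findings.append("executable attachment: " + name)
        elif ext == ".zip" or part.get_content_type() == "application/zip":
            findings += inspect_zip(part.get_payload(decode=True))
    return ("quarantine" if findings else "deliver"), findings


def zip_bytes(members):
    """Build a zip archive in memory from {member name: content bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample(attachment_name, payload):
    """Constructed message posing as an incoming-fax notification."""
    msg = EmailMessage()
    msg["From"] = "fax-gateway@sender.example"
    msg["To"] = "user@recipient.example"
    msg["Subject"] = "Incoming fax message"
    msg.set_content("You have received a new fax. See the attachment.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed samples: harmless placeholder bytes, not real malware or faxes.
    lure = build_sample("Fax_Message.zip",
                        zip_bytes({"Incoming_Fax.pdf.exe": b"MZ placeholder"}))
    normal = build_sample("Incoming_Fax.pdf", b"%PDF-1.4 placeholder")
    for label, raw in (("lure", lure), ("normal", normal)):
        print(label, inspect_message(raw))
```
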

We also believe that human beings are usually the weakest link in the security chain and social engineering is the easiest way to break into a system. The recent episode of sending malware through fax messages has proved once again that social engineering is the weakest security link in the cyber security infrastructure and we must take care of this aspect in future.

Backtrack Kali Linux Accessibility Improvements In 1.0.3 Release: A Social Responsibility Towards Differently Enabled

Recently, the creators of BackTrack released a great distro named Kali Linux. It is a very useful tool in the hands of security researchers and penetration testing professionals. However, it was not primarily developed keeping in mind the requirements of differently enabled people like those who are visually impaired or blind.

However, this did not dampen the spirit of such differently enabled individuals and enthusiasts. Recently two such differently enabled security professionals approached the creators of Kali Linux and put forward a very different perspective. They mentioned that Kali Linux had no built-in accessibility features. This made Kali difficult, if not impossible, to both install and use from a blind or visually impaired user’s perspective.

The Kali Linux creators tried to build this accessibility feature into the distro, but the first attempt failed to materialise. However, the developers did not lose faith and kept working in this direction.

On deeper analysis it was found that there were several upstream GNOME Display Manager (GDM3) bugs in Debian, which prevented these accessibility features from functioning with the GDM greeter. Working together with an upstream GNOME developer, the creators of Kali Linux reached a landmark. They not only fixed the bugs but also implemented these changes in Kali. To make the Kali installation accessible as well, they have added a new “accessibility” boot option that triggers the speech engine during the installation process.

The developers have also added a new “Live Desktop” installer and have released a new version of Kali Linux that has these accessibility features built-in. To activate the speech assisted installer, press “S” at boot time, and hit enter.

Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) sincerely thank the developers of Kali Linux for their hard work and commitment.

Dynamic DNS, Fast Flux, Bullet Proof Servers And Botnet: A Paradise For Cyber Criminals

The Domain Name System (DNS) helps users reach a particular website hosted on a particular server. With the advance in technology, the DNS service has been upgraded to dynamic DNS service. The dynamic DNS service lets a domain name point to Internet resources hosted on changing public IP addresses. However, dynamic DNS service has both advantages and disadvantages, just like all other technologies.

On the positive side, the dynamic DNS service helps small scale businesses that need to provide consistent content or services to their customers. These small scale businesses use the IP address assigned to them by their ISP, and every time their IP address changes, they notify their dynamic DNS provider to update its name servers so that the customer’s domain now points to the new IP address.

On the negative side, the dynamic DNS service, especially the free dynamic DNS service, is being abused by cyber criminals for various cyber crimes and cyber attacks. Some of the nefarious activities of cyber criminals abusing dynamic DNS service include malware implants in websites, targeted spear phishing, establishing command and control (C&C) for botnets, spamming, etc.

Abusing dynamic DNS service helps cyber criminals escape authorship attribution for their cyber crimes. It provides a layer of anonymity and anti-forensics to the criminal activities of those abusing dynamic DNS service. This is more so when an IP address cannot be solely relied upon to secure a conviction in a cyber crime case.

Further, using dynamic DNS services can also help in bypassing the IP blacklisting deployed by various service providers to prevent DNS abuses. The malware can continue to infect the computers of end users through constantly changing hosting IP addresses.

These IP addresses usually belong to law abiding and innocent users whose computers are compromised and made part of the botnet. These IP addresses may also belong to compromised public websites where the malicious payloads may be installed.

There may be a situation where domains themselves may be blacklisted. To circumvent domain blacklisting, cyber criminals can also use randomly-generated disposable sub-domains under the dynamic DNS domain to point to the next hop in a redirection chain or to the final malware hosting IP.

This behaviour seems similar to the fast flux method, but in practice dynamic DNS and fast flux are different concepts. Dynamic DNS operates at a micro level whereas fast flux operates at a macro level. Dynamic DNS operates at a regional level whereas fast flux operates at an international level. Further, the authoritative name servers for a dynamic DNS domain physically belong to the dynamic DNS provider, whereas with fast flux, double fluxing is possible, where the name servers can be made to point to the constantly changing IP addresses of physical hosts located in different countries. In practice, dynamic DNS domains map to a much smaller set of IP addresses than fast flux.

So what is the purpose of using the fast flux method? Fast flux is a DNS technique used by cyber criminals to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts (botnets) acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. Fast flux may be single-flux or double-flux.
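The contrast drawn above between disposable sub-domains under a dynamic DNS domain and single or double fast flux can be turned into a triage heuristic over passive DNS observations. This is an added example, not from the original article; the thresholds, the /16 grouping used as a stand-in for geographic spread, the entropy test for random-looking labels and all sample records are assumptions.

```python
import math
from collections import Counter, defaultdict

# Illustrative thresholds (assumptions); tune them against your own resolver data.
FLUX_MIN_IPS = 5       # distinct A-record IPs seen for one zone
FLUX_MIN_NETS = 3      # distinct /16 networks those IPs fall in
FLUX_MIN_NS_IPS = 3    # distinct IPs seen for the zone's name servers
MIN_RANDOM_HOSTS = 3   # random-looking sub-domains seen under one zone


def zone_of(name):
    """Last two labels; a real deployment would use the Public Suffix List."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def looks_random(label):
    """Crude test: long label with high character entropy."""
    if len(label) < 8:
        return False
    counts = Counter(label)
    entropy = -sum(c / len(label) * math.log2(c / len(label))
                   for c in counts.values())
    return entropy >= 3.0


def summarise(records):
    """records: (qname, rtype, value) tuples. Returns per-zone sets of evidence."""
    records = list(records)
    ns_hosts = defaultdict(set)
    for qname, rtype, value in records:
        if rtype == "NS":
            ns_hosts[zone_of(qname)].add(value.rstrip(".").lower())
    stats = defaultdict(lambda: {"a_ips": set(), "ns_ips": set(),
                                 "random_hosts": set()})
    for qname, rtype, value in records:
        if rtype != "A":
            continue
        host = qname.rstrip(".").lower()
        zone = zone_of(host)
        if host in ns_hosts[zone]:
            stats[zone]["ns_ips"].add(value)    # address of a name server
            continue
        stats[zone]["a_ips"].add(value)         # address of a content host
        if host != zone and looks_random(host.split(".")[0]):
            stats[zone]["random_hosts"].add(host)
    return stats


def classify(s):
    nets = {".".join(ip.split(".")[:2]) for ip in s["a_ips"]}
    fluxing = len(s["a_ips"]) >= FLUX_MIN_IPS and len(nets) >= FLUX_MIN_NETS
    if fluxing and len(s["ns_ips"]) >= FLUX_MIN_NS_IPS:
        return "double-flux"            # hosts and name servers both rotate
    if fluxing:
        return "single-flux"            # only the content hosts rotate
    if len(s["random_hosts"]) >= MIN_RANDOM_HOSTS:
        return "disposable-subdomains"  # many throwaway names, few addresses
    return "stable"


def classify_all(records):
    return {zone: classify(s) for zone, s in summarise(records).items()}


# Constructed observations using documentation address ranges and .example names.
SPREAD = ["192.0.2.10", "192.0.2.77", "198.51.100.4", "198.51.100.90",
          "203.0.113.8", "203.0.113.61"]
SAMPLE = (
    [("www.flux-a.example", "A", ip) for ip in SPREAD]
    + [("flux-a.example", "NS", "ns1.flux-a.example"),
       ("flux-a.example", "NS", "ns2.flux-a.example"),
       ("ns1.flux-a.example", "A", "192.0.2.200"),
       ("ns1.flux-a.example", "A", "198.51.100.201"),
       ("ns2.flux-a.example", "A", "203.0.113.202")]
    + [("www.flux-b.example", "A", ip) for ip in SPREAD[:5]]
    + [("flux-b.example", "NS", "ns1.flux-b.example"),
       ("ns1.flux-b.example", "A", "192.0.2.53")]
    + [("q7x2mz9kpa.dyn-provider.example", "A", "198.51.100.20"),
       ("t4wj8bn1rc.dyn-provider.example", "A", "198.51.100.21"),
       ("h3vy6dk0sf.dyn-provider.example", "A", "198.51.100.20"),
       ("z9pl2xe5gu.dyn-provider.example", "A", "198.51.100.21"),
       ("homeserver.dyn-provider.example", "A", "203.0.113.30")]
    + [("www.corp.example", "A", "192.0.2.5"),
       ("mail.corp.example", "A", "192.0.2.6")]
)

if __name__ == "__main__":
    for zone, verdict in sorted(classify_all(SAMPLE).items()):
        print(f"{zone:24} {verdict}")
```
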

Some of these phishing and malware delivery websites are hosted on bulletproof servers with mirrored hosting facilities. Mirrored hosting is a web hosting management platform that uses multiple specially designed virtual servers to host a website with 100% uptime. This is supported by powerful automated control panels. No one is able to trace the original IP address of the server or the place where the files are hosted, so the websites/domains hosted have 100% uptime.

Security vendors must be working on this issue, and they may come up with state of the art and innovative methods to deal with this situation.

Standing Committee On Home Affairs Recommends Safeguards For Phone Tapping Of Politicians

The Standing Committee on Home Affairs has come to the rescue of politicians so that their phones cannot be tapped without strict compliance with the highest standards of care and precautions. However, the ordinary man is still left high and dry as he has no procedural safeguards to protect his privacy and personal communications.

Through a report, the Standing Committee on Home Affairs took note of incidents of unauthorised phone tapping and getting call data records of some prominent individuals including politicians for ulterior motives and said such incidents should not occur in future.

The committee has recommended that phones of MPs should be tapped by security agencies only after taking permission from presiding officers of the House concerned while in case of other political leaders, party chiefs must be informed. The Committee directed the Home Ministry to make strict guidelines in this regard.

This would practically mean that phones of MPs and political leaders cannot be tapped by law enforcement and security agencies of India unless there is extreme accountability and transparency in the process. This also means that there cannot be any secret phone tapping of these VIPs.

We appreciate this effort of the Committee. However, we fail to understand why the common man is left out of this circle of protection when the Indian Constitution mandates it. This seems to be discrimination, and procedural safeguards must also be introduced for ordinary citizens of India.

Meanwhile, the government is planning to go ahead with its ambitious but controversial project named central monitoring system (CMS) project of India that would allow the Indian government and law enforcement and intelligence agencies to engage in unlimited and at will e-surveillance upon Indian citizens.

The CMS project of India is also not subject to any parliamentary scrutiny and is not supported by any legal framework. Just like Aadhaar project, it would be imposed upon Indian citizens without any fight for human rights protections in cyberspace.

We have been maintaining that a lawful and Constitutional interception law in India is needed as soon as possible. Lawful interception law in India is still missing. We have no constitutionally sound phone tapping and lawful interception law in India.

Both the Indian Telegraph Act, 1885 and the Information Technology Act, 2000 carry many “unconstitutional provisions” that are openly abused by law enforcement and intelligence agencies of India. Both the Telegraph Act and the IT Act, 2000 need to be repealed and constitutionally sound lawful interception laws need to be enacted by Indian Parliament as soon as possible.

Further, dedicated privacy laws, data protection laws, data security laws and cyber security laws must also be enacted in India as soon as possible. Besides call data records, the cell site data location laws in India and privacy issues must be suitably regulated by a new law. The cell site location based e-surveillance in India and surveillance of internet traffic in India must also be part and parcel of a new legislation. In short, India must reconcile civil liberties and national security requirements.

The Home Ministry must also keep in mind all these pressing requirements that are simply ignored as on date. We hope the Home Ministry would take immediate action in these directions as well.

Lawful And Constitutional Interception Law In India Is Needed

By Praveen Dalal, Managing Partner of Perry4Law and CEO of PTLB

Lawful interception law in India is still missing. We have no constitutionally sound phone tapping and lawful interception law in India. Both the Indian Telegraph Act, 1885 and the Information Technology Act, 2000 carry many “unconstitutional provisions” that are openly abused by law enforcement and intelligence agencies of India.

If this is not enough, there is no parliamentary oversight of law enforcement and intelligence agencies of India. Further, law enforcement and intelligence agencies are also not using any procedural safeguards to protect the privacy rights of the person in question and the data acquired through such interceptions.

This is happening as we have no dedicated privacy laws, data protection laws, data security laws and cyber security laws in India. Further, the law enforcement and intelligence agencies are also not following any sort of cyber security best practices in India to safeguard digital data and information acquired through interceptions. The intelligence infrastructure of India needs a complete overhaul.

If this is not enough, the biometric details of Indians are collected in an unconstitutional manner. In fact, the Aadhaar project itself is unconstitutional and illegal and the Indian government has spent crores of public money on it despite many warnings from experts. Now the Aadhaar project has been challenged in many courts around the nation. The cyber security, data security and civil liberties implications of the Aadhaar project must not be ignored by the Indian government.

The political parties of India are also engaging in illegal phone tapping and interceptions by using the services of private individuals. Even the Indian telecom companies used private individuals to do phone tapping.

Both the Telegraph Act and the IT Act, 2000 need to be repealed and constitutionally sound lawful interception laws need to be enacted by Indian Parliament as soon as possible. Further, human rights protection in cyberspace must also be ensured by such legislation. The central monitoring system (CMS) project of India must have parliamentary oversight. India must reconcile civil liberties and national security requirements, a reconciliation that is presently missing.

Even on the legislation front, India is deliberately postponing enactment of relevant and crucial techno legal laws. For instance, the cell site data location laws in India and privacy issues must be suitably regulated by a new law. Similarly, the cell site location based e-surveillance in India and surveillance of internet traffic in India must also be part and parcel of a new legislation.

For instance, if a provision mandating compulsory cell phone location tracking for all the phones and others is formulated, it would fall afoul of the constitutional and statutory protections in India.

As on date, phone tapping can be done only through the procedure prescribed under the Indian Telegraph Act, 1885. All passive phone tappings that are not authorised under the Telegraph Act are illegal and punishable. It is immaterial whether a law enforcement agency or private person is indulging in such activity as it would remain illegal and punishable for both in such circumstances.

The real problem is that the law enforcement and intelligence agencies of India are not subject to any practical and effective parliamentary oversight. Indian government must not only make them accountable to the parliament but also formulate new laws keeping in mind the contemporary requirements. The Telegraph Act has long served its purpose and it deserves a complete rejuvenation.

Fortunately, the privacy rights issue is pending before the Supreme Court of India due to leakage of the tapped conversation between Ratan Tata and Nira Radia. The Supreme Court of India must expand privacy rights in India as that is the need of the hour. The Supreme Court of India has also warned that privacy violations may also pose national security problems in India.

India Must Reconcile Civil Liberties And National Security Requirements

By Praveen Dalal, Managing Partner of Perry4Law and CEO of PTLB

This is the updated version of the previous article titled civil liberties and national security requirements must be reconciled by India. India is planning to launch many crucial projects that could have serious civil liberty implications.

For instance, projects like national counter terrorism centre (NCTC) of India, national intelligence grid (Natgrid) project of India, crime and criminal tracking network and system (CCTNS), central monitoring system (CMS) project of India, are in the pipeline.

Similarly, authorities like national cyber coordination centre (NCCC) of India, national critical information infrastructure protection centre (NCIIPC) of India, telecom security directorate of India, etc have also been proposed.

Surprisingly, we have no dedicated privacy laws, data protection laws, data security laws and cyber security laws in India. Clearly, Indian government has chosen to ignore civil liberties at the cost of artificial and non existent national security requirements.

There is no doubt that ensuring a balance between civil liberties and national security requirements is a tricky issue. Countries across the world, including India, are trying to achieve this colossal mission. In the Indian context, the national security and fundamental rights must be reconciled by Indian government keeping in mind the constitutional mandates.

The truth is that nations across the world are ignoring civil liberties for the false claims of national security. This is a disturbing trend especially when the United Nations is silent on the protection of human rights in cyberspace. This applies to India as well that has draconian laws like information technology act 2000 to violate civil liberties in cyberspace.

Unfortunately, UN has not been able to formulate a universally acceptable legal framework of cyber law and human rights protection in cyberspace. The obvious result is that different jurisdictions have different cyber laws. The only thing common in these cyber laws is that virtually none of them is protecting human rights in cyberspace.

According to Praveen Dalal, managing partner of New Delhi based ICT and techno legal law firm Perry4Law and CEO of PTLB, there is need to have “Reconciliation” between National Security needs of India on the one hand and Protection of Fundamental Rights on the other. I have also sent a communication in this regard to Government of India in the past, informs Dalal.

Another area that deserves the attention of Indian government in general and UN in particular pertains to Human Rights Protection in Cyberspace. According to techno legal experts like Praveen Dalal, presently UN and Human Rights in Cyberspace are two separate issues although they need to be one. Similarly, we have no International Cyber Law Treaty, International Cyber Security Treaty, International Cooperation in Techno Legal fields, etc, informs Dalal.

India must stress upon capacity and skills development to protect its national security and cyber security requirements. The offensive and defensive cyber security capabilities must be developed by India to thwart the growing cyber attacks against Indian critical infrastructures.

We must ensure a robust cyber security infrastructure in India, cyber security best practices in India, cyber law and cyber security awareness in India, cyber security policy in India, etc.

It would be a wrong strategy to curb civil liberties for false national security requirements. That is simply a façade to hide our own lack of expertise and capabilities to manage our national security requirements.

Let us repeal the draconian laws like information technology act, 2000 and Indian telegraph act, 1885 and enact constitutionally sound law to maintain a balance between civil liberties and national security requirements.

Twitter Accounts Of News Organisations Under Cyber Attack: Twitter Is Fighting Back

News organisations in the United States are under constant cyber attacks. Unfortunately, the cyber criminals are also successful in breaching and compromising the Twitter accounts of these news companies. The Twitter accounts of CBS News titled “60 Minutes” and “48 Hours” were compromised. Now it has been reported that the Twitter accounts of the Associated Press have been compromised.

Meanwhile the Twitter team is fighting a tough battle against the crackers. It has been suspending the compromised Twitter accounts until they are restored. Further, Twitter is also suspending the accounts of those who are attacking the accounts of others.

For instance, Twitter has deleted and suspended many accounts of the Syrian Electronic Army that is behind the cyber attacks against the AP Twitter account. The Syrian Electronic Army has, in recent weeks, broken into the Twitter accounts belonging to NPR, the BBC, and others.

It seems the intention of those compromising the Twitter accounts is well beyond mere annoyance. Some of the tweets posted at the compromised accounts are spreading rumours while others are redirecting the viewers to malicious websites.

The latest victims of the Syrian Electronic Army’s adventures are the Twitter accounts of FIFA World Cup and FIFA President Sepp Blatter. Let us see how Twitter would respond to these cyber threats in the future.

Twitter Accounts Of The Associated Press Compromised And Tweeted About Attack On White House

News organisations like Washington Post, Wall Street Journal, New York Times, etc have been reporting that they are under constant cyber attacks. They have been under cyber attack for years and it is only now that they have discovered these cyber attacks.

A cyber attack against a news organisation is one thing, and misusing and abusing its platforms after compromising them is another. In a recent incident, crackers have compromised the Twitter accounts of the Associated Press. They did not stop there and sent false tweets about an attack at the White House. The tweet mentioned that there had been two explosions at the White House and that President Barack Obama was injured.

Meanwhile the Twitter account of AP has been suspended and AP is working to resolve the issue. The tweet also affected the U.S. stock market, briefly sending the Dow Jones industrial average sharply lower. The Dow fell 143 points, from 14,697 to 14,554, after the fake Twitter posting, and then quickly recovered.

Although the Syrian Electronic Army claimed responsibility for the incident, the claim has not been corroborated so far. The FBI has taken cognizance of the matter and has started an investigation in this regard.

In a similar incident, CBS News confirmed that its “60 Minutes” and “48 Hours” Twitter accounts were compromised. These accounts are suspended as on date.

E-Commerce Websites In India Must Be Regulated By Indian Government

An ineffective cyber law of India and lack of cyber law skills among the law enforcement agencies of India are resulting in increased cyber crimes and offences through the medium of e-commerce websites in India. Further, cyber law awareness in India is also missing, which is resulting in increased e-commerce frauds in India.

In these circumstances, e-commerce websites frauds, offences and crimes in India have increased a lot. For instance, the e-commerce sites selling adult merchandise in India are openly violating the laws of India. Similarly, e-commerce websites in India are engaging in punishable soft porn publication and Indian government is sleeping over the matter.

There are well recognised legal requirements to start an e-commerce website in India and the legal formalities required for starting e-commerce business in India. As on date, the e-commerce websites are not following such techno legal requirements. They are also not following the cyber law due diligence requirements of India and are liable for Internet intermediary liability in India.

E-commerce websites dealing with online pharmacies, online gaming and gambling, online selling of adult merchandise, etc are openly and continuously violating the laws of India, including the cyber law of India. However, the Indian government has yet to take action against these offending e-commerce websites of India.

Fortunately, the Supreme Court of India is taking some action in this regard. Recently, the Supreme Court of India has sought a response from the central government over blocking of porn websites in India. Similarly, the Supreme Court of India has entertained a public interest litigation seeking regulations and guidelines for effective investigation of cyber crimes in India.

The cyber law of India is too weak to tackle cyber criminals effectively. In fact, cyber law of India should be repealed and an effective cyber law must be formulated as soon as possible. The cyber criminals are becoming innovative day by day and our laws are grossly inadequate to deal with the same.

For instance, numerous websites, both Indian and foreign, are violating the cyber law of India by operating illegal e-commerce websites in India. These websites are engaging in illegal trade in wildlife, promising home delivery of live animals, prized animal parts and rare medicinal plants from across nations through simple internet banking formats.

These are transnational crimes where the authorship attribution for cyber crimes is very difficult to establish. Realising this reality, India’s wildlife crime control bureau (WCCB) is utilising the services of cyber crime experts to trace such cyber criminals. A preliminary inquiry by the WCCB’s cyber crime specialists has indicated that nearly a thousand websites are advertising sale and delivery of live animals and animal products protected under the Wildlife Protection Act, 1972 of India and the global convention on international trade in endangered species (CITES).

Surprisingly, most of these websites are popular shopping websites, online classifieds and free ad posting websites, etc. They are clearly violating the cyber law and other laws of India and Indian government is not taking any action against these websites. It is high time to take strict penal action against such illegal e-commerce websites in India.

Source: E-Commerce Laws In India.

The Central Monitoring System (CMS) Project Of India

By Praveen Dalal, Managing Partner of Perry4Law and CEO of PTLB

April 2013 is the month in which Indian government wishes to implement the controversial and ambitious central monitoring system (CMS) project of India. The year 2013 is also the year where the intelligence infrastructure of India may also see a boost.

Till now the national counter terrorism centre (NCTC) of India has failed to get off the ground. Similarly, the national intelligence grid (Natgrid) project of India, crime and criminal tracking network and system (CCTNS), etc are also facing a similar fate.

On the front of cyber security infrastructure of India as well, there is little progress. We have no cyber security best practices in India and law enforcement and intelligence agencies are actually working in an improper manner while dealing with sensitive information.

Crucial projects and authorities like national cyber coordination centre (NCCC) of India, national critical information infrastructure protection centre (NCIIPC) of India, telecom security directorate of India, etc are still in the pipeline.

Even on the legislation front, India is deliberately postponing enactment of relevant and crucial techno legal laws. For instance, the cell site data location laws in India and privacy issues must be suitably regulated by a new law. Similarly, the cell site location based e-surveillance in India and surveillance of internet traffic in India must also be part and parcel of a new legislation.

Parliamentary oversight of intelligence agencies of India is the need of the hour as intelligence work is not an excuse for non accountability. Unfortunately, the intelligence infrastructure of India has become synonymous with non accountability and lack of oversight.

Recently the Aadhaar project of India was challenged in various courts around the nation. There are serious techno legal security issues with projects like Aadhaar and they must be resolved as soon as possible. Further, projects like Aadhaar, CCTNS, Natgrid, CMS, etc must also be backed by proper legislation and parliamentary oversight.

The government has to maintain a balance between civil liberties like right to privacy and law enforcement requirements. If a provision mandating compulsory cell phone location tracking for all the phones and others is formulated, it would fall afoul of the constitutional and statutory protections in India.

As on date, phone tapping can be done only through the procedure prescribed under the Indian Telegraph Act, 1885. All passive phone tappings that are not authorised under the Telegraph Act are illegal and punishable. It is immaterial whether a law enforcement agency or private person is indulging in such activity as it would remain illegal and punishable for both in such circumstances.

The real problem is that the law enforcement and intelligence agencies of India are not subject to any practical and effective parliamentary oversight. Indian government must not only make them accountable to the parliament but also formulate new laws keeping in mind the contemporary requirements. The Telegraph Act has long served its purpose and it deserves a complete rejuvenation.

We must also not forget that we have no dedicated privacy laws, data protection laws, data security laws and cyber security laws in India. In these circumstances implementing the central monitoring system project of India would raise serious constitutional challenges and Indian government must avoid the same at all costs.