Monthly Archives: May 2013

Indian PMO Sanctioned Rs. 1,000 Crore To Strengthen Indian Cyber Security

India's PM Singh attends an EU-India Summit in BrusselsCyber security in India is now taken seriously by Indian government. Indian government is improving on this front step by step. Firstly, it announced the cyber security policy of India. Then it stressed upon developing indigenous capability to make hardware and software in India. The intentions to establish a cyber command for armed forces of India are also pretty clear.

Now it has been reported that the Prime Minister’s Office (PMO) of India has sanctioned a plan to spend 1,000 crore over the next four years to strengthen the cyber security capabilities of India. This would include both offensive and defensive cyber security capabilities of India.

India has already announced initiatives like national critical information infrastructure protection centre (NCIPC), national cyber coordination centre (NCCC), national intelligence grid (Natgrid), etc. These initiatives are essential to ensure critical infrastructure protection in India.

As per the latest plan, new agencies and coordination cells would be established to improve response to cyber threats. Presently, this is waiting the cabinet committee approval. The plan provides that the National Security Council Secretariat will coordinate among agencies and implement a policy outlined by the Intelligence Bureau.

The Department of Electronics and Information Technology (DEITY) has proposed to set up of a National Cyber Coordination Centre involving an expenditure of Rs 500 crore over five years.

Security Agencies Of India Call For Indigenously Made Cyber Security Softwares

Security Agencies Of India Call For Indigenously Made Cyber Security SoftwaresIndia has been stressing too hard to adopt indigenously made hardware and software.  Indian government has made it very clear that preference would be given to telecom equipments manufactured in India. Further, India has also justified its preferential market access (PMA) policy for domestic telecom equipment manufacturers.

The stress for domestically manufactured hardware and software has not arisen out of blue. Security concerns are behind taking such precautionary moves. For instance, Huawei and ZTE are in telecom security tangle of India and other nations like United States. India even made telecom security a part and parcel of its national telecom policy of India 2012. Now Huawei is trying to inculcate trust among US government over telecom security issues. Companies like Huawei and ZTE are also in constant talks with other nations, including India, in this regard.

India is also in the process of formulating norms for import of telecom equipments in India. Indian government is also planning a legislation mandating strict cyber security disclosure norms in India. Indian government has also directed that mobile service providers of India shall use Indian made SIM cards.

Even social media platforms are under security scanner and it has been proposed to have social media platforms of Indian origin. Security agencies of India have also been insisting that Internet telephony and VOIP service providers must establish servers in India now.

It has been reported that U.S. government is the biggest buyer of malware in the world. Even anti virus updates are potential tool to install malware on the targeted systems. Naturally, Indian intelligence agencies are insisting upon indigenously manufactured software and hardware so that these possibilities can be ruled out.

Indian security agencies are not happy that they have to rely on foreign-made cyber security software from the likes of Symantec and McAfee to protect India’s critical information technology infrastructure.

The deliberations to renounce commercial anti-virus and security software were undertaken at a recent inter-agency meeting on cyber security organised by the National Security Council, and attended by officials from the Intelligence Bureau, Research and Analysis Wing, Cyber Emergency Response Team, and the defence forces.

The cyber security policy of India has also advocated indigenously manufactured software and hardware. The shift from foreign made products to Indian made products would be not easy. We wish all the best to Indian government in this regard.

U.S. Government Is The Biggest Buyer Of Malware

U.S. Government Is The Biggest Buyer Of MalwareCyber security infrastructure has become an essential part of the defence system of all nations. Nations have formed dedicated and specialised units to tae care of cyber espionage, cyber terrorism and cyber warfare issues. The cyber security infrastructure of India is also required to be established. It must have both offensive and defensive cyber security capabilities.

Recently, researchers have found a global cyber espionage network named SafeNet. Although it is very difficult to ascertain authorship attribution for sophisticated cyber attacks yet the blame game is played around the world. Of all, U.S. is most vocal in pointing out at cyber attacks originating out of China, India, etc.

In a recent revealing, it has been declared that the U.S. government has become the biggest buyer of zero-day security vulnerabilities and the tools that exploit them. Since this issue is classified in nature, not much information is available in this regard.

Malware like Stuxnet and Duqu have already shown how critical infrastructures and SCADA systems are vulnerable to cyber attacks. It has been alleged that Stuxnet was developed through a joint effort of the US and Israeli government agencies.

According to Charlie Miller, a well-known security researcher who used to work for the National Security Agency, “the only people paying are on the offensive side”.

And while former counter-terrorism czar Richard Clarke and former Cyber-Security Coordinator of the Obama Administration Howard Schmidt point out that the U.S. government should tell U.S. users about vulnerabilities they know about and that could lead to serious compromises, the reality is that they don’t.

According to Reuters’ Joseph Menn, who had the opportunity to take a peak at a product catalogue by a large government contractor, there are tools that turn iPhone into eavesdropping devices, allow the transmission of malware via radio waves from one device to another, data-grabbing tools and so on. Most of them had versions for Windows, Apple and Linux machines, and again most of them depend on the exploitation of zero-days.

Global Cyber Espionage Operation Named SafeNet Discovered By Researchers

Global Cyber Espionage Operation Named SafeNet Discovered By ResearchersCyber attacks have grown world over where some are even using stealth and undetectable malware to indulge in their activities. Since there is a problem of authorship attribution for cyber attacks at International level, the origin of these cyber attacks can at best be a well analysed guess. We cannot blame a particular country or organisation with utmost certainty that it is behind the cyber attack.

Botnet are used by cyber criminals to indulge in various cyber crimes and launch numerous cyber attacks. For online advertisement industry alone, botnet have caused losses upto the extent of USD 6 millions.

Then we have spyware and keyloggers that are used by government to defeat civil liberties in cyberspace. For instance, the command and control servers of FinFisher were found in 36 countries and India is one such country. This shows that governments around the world are interested in secret spying upon their citizens. India has taken I to another level by introducing the projects like Aadhaar, National Intelligence Grid (Natgrid) and Central Monitoring System (CMS).

India has also proposed the cyber security policy that has been cleared by the cabinet committee on security. The policy, among other things, has advocated development of offensive and defensive cyber security capabilities in India. It is a mere coincidence that an Indian firm has been accused of indulging in cyber espionage of sophisticated nature though the firm has denied any such involvement.

Meanwhile, the security researchers from Trend Micro have uncovered an active cyber espionage operation that so far has compromised computers belonging to government ministries, technology companies, media outlets, academic research institutions and nongovernmental organisations from over 100 countries. The operation, which Trend Micro has dubbed SafeNet, targets potential victims using spear phishing emails with malicious attachments. The company’s researchers have investigated the operation and published a research paper (PDF) with their findings.

The investigation uncovered two sets of command-and-control (C&C) servers used for what appear to be two separate SafeNet attack campaigns that have different targets, but use the same malware. The malware installed on the infected computers is primarily designed to steal information, but its functionality can be enhanced with additional modules.

The operators of the C&C servers accessed them from IP addresses in several countries, but most often from China and Hong Kong. The researchers also found use of VPNs and proxy tools, including Tor, which contributed to the geographic diversity of the operators’ IP addresses.

Indian Social Media Websites Must Be Started Say Experts: But Will This Succeed?

Indian Social Media Websites Must Be Started Say Experts But Will This SucceedIndia has been struggling to make the foreign websites, especially the social media websites, to fall in line with Indian laws. However, foreign websites are in no mood to comply with the wishes of Indian government. Naturally, the cyber litigation against foreign websites in India is going to increase.

In some cases this refusals is wrong and is a clear violation of Indian laws whereas in other cases this refusal is justified as no government can be allowed to impose its own e-surveillance and eavesdropping dreams upon public platforms that are helping exercising the speech and expression.

In the former category comes those websites that do not comply with Indian laws by citing their own laws and privacy policies. Foreign websites operating in India must comply with Indian laws and not the laws and policies of their native nation.

In the later category comes those websites that are complying with the laws of India as per the requirements of Indian constitution but are not willing to accede to Indian government’s desires to censor their respective platforms. In such cases take down notices are rightly refused by these websites.

Recently the U.S. government refused to serve Indian summons on U.S. websites citing constitutional protections. Naturally, Indian government is left with no choice but to forget about its demands. However, Indian government is not willing to let it go lightly.

As an alternative, Indian government has been asking the telecom service providers and foreign companies to establish servers in India so that Indian law enforcement and intelligence agencies can have unlimited access to the relevant information they are seeking. Similarly, Indian government has also launched the central monitoring system (CMS) of India that can help it in analysing various information and data on real time basis.

However, this would not solve the main problem that Indian government is facing. Social media platforms have the capability to shape public opinion and launch unlimited attacks or support for the ruling government. They have significant impact upon the thought process of Indian population and if we keep in mind the previous record of foreign social media websites, they cannot be regulated as per the wishes of Indian government.

China has faced similar problem and it launched its own social media websites by banning and blocking the foreign social media websites. However, India is planning to play safe in this regard as it may not wish to violate civil liberties in cyberspace.

Recently the idea of formulating guidelines for social media contents regulations in India was mooted. Before that the idea of pre screening of contents at social media websites was out rightly rejected by both social media platforms and those using them.

If this is not enough, the Indian government has also decided to ask internet service providers and mobile phone companies to ensure that Internet Protocol (IP) addresses are bifurcated as per the States territory. This may allow the Indian government to block social networking or pornography or hate speech or MLM frauds and other websites and even internet telephony in select States or regions in India. However, as on date websites blocking is India is purely a judicial act as websites in India are blocked only after a court order.

However, it is not the case that social media websites are playing with the laws of India. On the contrary, the social media websites are helping in furthering civil liberties in cyberspace and are encouraging expression of free speech and expression. Social media websites are also very good at protecting privacy of its users that is missing in India. In India we have no dedicated data protection law in India. Similarly, we have no dedicated privacy laws in India and data security laws in India as well.

In these circumstances, the idea of launching Indian social media websites would be a big failure. If India really wishes to make such an idea a big success it must first create the environment for the same with which the users may be comfortable. With government committed to indulge in unlawful and unlimited e-surveillance and impose projects like Aadhaar and CMS, this seems to be a distant dream only.

Internet Telephony And VOIP Service Providers Must Establish Servers In India Now

Internet Telephony And VOIP Service Providers Must Establish Servers In India NowIndian intelligence agencies are very anxious to force the electronic communications of India pass through Indian territories. In order to achieve the same, Indian intelligence agencies have been forcing the companies like Research in Motion, Nokia, etc to locate and establish the servers in India so that our agencies can snoop upon electronic communications.

While there is nothing wrong in this exercise provided we must establish adequate, strong and constitutional procedural safeguards so that civil liberties in cyberspace are not violated. With the projects like Aadhaar, Central Monitoring System (CMS), National Intelligence Grid (Natgrid), etc the procedural safeguards are just unachievable dreams alone.

India must reconcile civil liberties and national security requirements to justify its actions. We have no constitutionally sound lawful interception law in India and the same is urgently needed.

The latest to add to the list of service providers who are compulsorily required to establish server in India are all Internet telephony and VOIP service providers who wish to provide their services in India. This could mean that Skype may be required to establish a server in India if it wants to continue offering its services in India.

The Indian government has also decided to ask internet service providers and mobile phone companies to ensure that Internet Protocol (IP) addresses are bifurcated as per the States territory. This may allow the Indian government to block social networking or pornography or hate speech or MLM frauds and other websites and even internet telephony in select States or regions in India. However, as on date websites blocking is India is purely a judicial act as websites in India are blocked only after a court order.

The present decision to establish server in India by the VOIP providers was taken in a home ministry meeting on April 23 that was attended by representatives from Intelligence Bureau, other security agencies, top police forces and senior officials from telecom and IT departments.

As per media reports, the minutes reads: “Any service provider, who provides communication service in India via any media through Voice-over-Internet Protocol ( VOIP), should be mandated to be registered in India, having its office, server located in the country and therefore, subject to Indian laws. Necessary provisions to this effect may be incorporated through amendment in Indian Telegraph Act, 1885 and Information Technology Act, 2000”.

As per the present trends, the cyber litigation against foreign websites in India is going to increase. We have already suggested some recommendations in this regard. These recommendations would become more important when we cannot have either national or international support to prosecute the defaulting companies in India. For instance, recently U.S. refused to serve Indian summons upon U.S. websites including Facebook and Google. Prosecuting foreign companies in such circumstances is really tough unless there is something on the basis of which we can prosecute such companies in India.

Further, the present solution of establishing server in India was proposed after both the telecom and IT departments said it would be not possible to intercept internet telephony communications on a regional basis, or even block these in specific States and regions, due to unregulated internet architecture in India and highly decentralised encrypted structure of Skype.

It was also decided that all ‘ISPs and telcos must designate a nodal officer in each State with access to GGSN gateway. In common parlance, the nodal officer must have access to that part of the network that is responsible for the delivery of data packets from and to the mobile stations within a geographical service area.

RAKBANK And Bank Of Muscat Oman Became Victims Of International ATM Heist

RAKBANK And Bank Of Muscat Oman Became Victims Of International ATM HeistATM frauds have become very prominent these days. The cyber criminals have devised novel methods to successfully compromise the banking channels and their computer systems. Internet banking frauds have also increased tremendously all over the worlds.

In the latest move, an international gang of cyber criminals successfully breached the security of National Bank of Ras Al Khaimah PSC (RAKBANK) and Bank of Muscat Oman.

These banks were victims of the multi-million-dollar ATM heist. It has been claimed that this could have happened by compromising the computer systems of Pune-based ElectraCard Services, which provides credit card payments processing services for the UAE-based bank.

As per the version of US federal prosecutors, RAKBANK and Bank of Muscat Oman were hacked by a global cyber-crime ring that first breached the computers at an outsourced Indian credit card processor in December and then the computers of a similar American processor to gain access to critical data that made the crime possible. The cyber thieves are believed to have stolen $45 million (Rs 247 crore).

This has put some pressure upon India to make its cyber security more effective and ensure a data protection law in India. Recently the national cyber security policy of India was cleared by the cabinet committee on security. However, we have still to take care of the weak cyber law of India that deserves to be repealed.

We also need to spread cyber law and cyber security awareness in India. Further, cyber security skills development in India is need of the hour.

India is presently negotiating a very important Free Trade Agreement with Europe. Further, India is expecting a Data Secure Nation Status from European Union.  Once this status is granted, formal objections against India as a weak data protection nation would be discarded out rightly. This would also attract more outsourced work in India.

However, the European Union has been unwilling to give India the status given the lack of enforcement, accountability and penalty guidelines in the country’s existing cyber law of India.

Whatever the result of these negotiations may be, we must adopt cyber security best practices in India to safeguard our own as well as outsourced data and information. Further, cyber security infrastructure must be established by those handling high end works.

Command And Control Servers For FinFisher Found In 36 Countries Including India

Command And Control Servers For FinFisher Found In 36 Countries Including IndiaE-surveillance has become a major nuisance for civil liberty activists and law abiding citizens looking to protect their privacy rights. E-surveillance in India is in existence for long for all wrong reasons. India is also least interested in ensuring civil liberties protection in cyberspace.

This is not an India specific problem. Recently, Japan asked ISPs to block Tor and thereby showed its intention to engage in e-surveillance. Similarly, the use of spy software like FinFisher by governments around the word shows the intention of governments around the world to disregard civil liberties.

It is not the case that the malware FinFisher was controlled from a single place. In fact, as per the report of Citizen Lab, there were 36 countries, including India, that were hosting the command and control servers for FinFisher.

What is even worst is that FinFisher masqueraded itself as Firefox application to avoid detection from anti virus and anti malware software. Mozilla has even sent a cease-and-desist letter to Gamma International that sells spyware allegedly disguised as the Firefox browser to governments.

The countries where Citizen Lab identified FinFisher command-and-control servers are Australia, Austria, Bahrain, Bangladesh, Brunei, Bulgaria, Canada, Czech Republic, Estonia, Ethiopia, Germany, Hungary, India, Indonesia, Japan, Latvia, Lithuania, Macedonia, Malaysia, Mexico, Mongolia, Netherlands, Nigeria, Pakistan, Panama, Qatar, Romania, Serbia, Singapore, South Africa, Turkey, Turkmenistan, United Arab Emirates, United Kingdom, United States, and Vietnam.

Cyber Security Virtual Campus In India

Cyber Security Virtual Campus In IndiaThe importance of online education and e-learning cannot be ignored these days. Information and communication technology (ICT) has greatly transformed the way we impart and receive education.

Now education and trainings are imparted through a distance learning or e-learning mode and students in one part of the world can enroll to a course provided by an institution located in another part of the world.

At Perry4Law’s Techno Legal Base (PTLB) we firmly believe that there is a stark difference between academic education and skills development. A majority of educational institutions around the world are imparting just academic courses. They make little efforts to provide actual and practical aspects of their courses.

Any potential cyber security professional must make a choice between skills and degree. This is a difficult choice to make as most of the educational institutions are providing either the skills based trainings or a degree based discourse. Only handful institutions in the world have combined both skills and degree at the same place.

For instance, at PTLB we do not provide any degree or diploma as on date. Of course, we are in talk with national and international educational institutions and universities that have shown interest in collaborating with us. Many professionals and institutions have also shown interest in getting themselves empanelled at our platform. However, as on date we are stressing purely upon skills development and not upon degree and diplomas.

We have been managing the exclusive techno legal virtual campus of India that has been providing techno legal trainings and skills development in the fields like cyber law, cyber security, cyber forensics, cyber crimes investigation, e-discovery, e-commerce, e-courts, online dispute resolution (ODR), etc.

We achieve this task through the exclusive techno legal cyber security e-learning platform of India that is managed by PTLB. The “application form” can be downloaded from here. See the students’ enrollment and FAQs segments of PTLB for more details. For payment of the fees, see the payment mechanism of PTLB.

We have been managing the exclusive techno legal cyber security software repository of India that consists of numerous techno legal software and tools of great importance. Our repository consists of the best and most effective open source software and tools pertaining to cyber security, cyber forensics, malware analysis, penetration testing, websites security analysis, etc.

We hope our initiatives would prove to be useful for meeting the skills development initiatives and efforts of Indian government.

Indian Central Monitoring System Project Needs PMO Intervention

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW CEO PTLB

By Praveen Dalal

The central monitoring system (CMS) project of India intends to be a centralised system where all analogous and digital communications, messages, data, information, etc can be intercepted, stored, analysed and used for law enforcement and intelligence agencies purposes.

On the face of it, the CMS project of India is an essential tool to serve the crucial law enforcement purposes of India. It may also be handy to safeguard the national security of India. However, there are many troublesome aspects of CMS project that must be resolved first before it is implemented in India.

In the past Indian government has initiated the implementation of untested projects like Aadhaar. Now the Aadhaar project has been challenged in multiple courts around the country. Even worst, the Aadhaar project is highly vulnerable from cyber security and data security perspective.

It seems the history is repeating itself and now the CMS project has been pushed in the similar manner as has been done in case of Aadhaar. In a parallel development the PMO has questioned the preferential market access (PMA) policy of ministry of information and communication technology (MICT). However, this is too little and too late that also for the wrong reasons.

If at all the PMO is interested in regulating the unregulated, arbitrary and unconstitutional acts, omissions and projects of MICT and other ministries, the PMO must start with Aadhaar and CMS projects.

PMO must also ensure that India reconciles civil liberties and national security requirements. Further, PMO must also be a forerunner for formulation and implementation of the telecom security policy of India and cyber security policy of India that are still missing as on date.

Some areas that require special attention of PMO in general and Indian Parliament in particular are human rights protection in cyberspace, e-surveillance in India, cell site location based e-surveillance, cell site data location laws in India, lawful interception laws in India, etc. We need to formulate dedicated laws like privacy laws, data protection laws, data security laws and cyber security laws in India. Further, the cyber law of India must be repealed as it carries many unconstitutional provisions.

During the recent hearing in the Coalgate case, the Supreme Court of India expressed its opinion that the Central Bureau of Investigation (CBI) must be independent and autonomous in nature and political involvement in its matters must be missing. However, this is not possible in India as there is no parliamentary oversight of law enforcement and intelligence agencies of India that is urgently needed in India.

Take the example of the recent private bill titled Intelligence Services (Powers and Regulation) Bill, 2011. It was shelved out by none other than the Indian Prime Minister Dr. Manmohan Singh who announced that law on intelligence agencies would be formulated soon. However, it proved nothing but a “time gaining tactics” and so far intelligence agencies of India are not governed by any legal framework and parliamentary oversight.

Interestingly, even the CBI is riding the same boat. The Draft Central Bureau of Investigation Act, 2010 is another example where the Indian government is just interested in making “declaration” with no actual “intention” to implement the same.

In these circumstances, the proposed Indian central monitoring system project is nothing more than an e-surveillance tool in the hands of Indian government and its agencies. With softwares like FinFisher and projects like Aadhaar and CMS, Indian civil liberty advocates have to fight a very difficult and prolonged battle with the Indian government.