Center Of Excellence (CoE) For Internet Of Things (IoT) In India

Friday, November 27, 2015

Indian Govt To Launch Internet Safety Campaign Soon

Internet safety is a serious requirement these days when everything has been connected to the Internet. From education to healthcare, everything depends upon information and communication technology (ICT). It is natural to seek measures to protect various infrastructures and digital assets that are connected with the Internet or cyberspace.

Indian government has announced that an Internet safety campaign would be started very soon in India. Perry4Law Organisation (P4LO) welcomes this move of Indian government. From the media reports it seems that the awareness drive would cover all stakeholders ranging from school level to government departments.

By covering school children, Indian government has taken a significant step in the direction of making Indian cyberspace decent and law abiding. Many times school students are not even aware that they are committing something wrong. If they are suitably made aware, many cyber violations would not take place at the very beginning itself.

At Perry4Law’s Techno Legal Base (PTLB) we believe that school children in India must be suitably educated about cyber issues. These may include areas like cyber law, cyber security awareness, etc. Further, we also believe that online skills development methods must be widely used in India for better results. We have launched the PTLB Virtual Campus in this regard that may be helpful for providing online education, skills development and training in various techno legal fields.

Indian government would also issue directions to various departments to formulate cyber security best practices that must be used across various departments. However, the real problem is the actual implementation of cyber security initiatives in India, which is missing so far. Now the stakes are very high and Indian government cannot afford to be lax in the cyber security field.

We at PTLB believe that there is an urgent need to rejuvenate our education system that has failed to keep pace with the contemporary times. We need to shed our academic preferences and stress more upon skills and training based education in India. Internet has become a better education system than our universities and most of the people who have learned from Internet perform better than those who have graduated from universities across the world. Some of these geniuses are not even graduates or formally educated, yet they are much more skilled than formally educated people.

While launching the Internet safety campaign, Indian government must keep in mind the skills oriented and problem solving approach rather than launching another academic project of low value. We wish Indian government and its partners all the best in this regard and hope that they would be successful in their endeavours.

Saturday, November 21, 2015

Lenovo Accused Of Pre Installing Adware In Laptops Compromising Their Security

Spyware and malicious software have become a big nuisance for companies and individuals alike. While these companies and individuals can ensure cyber security as per their best judgment, they have little control over pre-installed malware and malicious software or code in hard disks and operating systems.

Recently Kaspersky revealed that hardware based stealth spyware was used by intelligence agencies to indulge in selective and targeted e-surveillance. Similarly, malicious firmware and BIOS are also big security threats for all stakeholders. Persistent BIOS infection using a hidden rootkit is especially annoying and a major cyber security threat.

It has been reported that China’s Lenovo Group Ltd, the world’s largest PC maker, had pre-installed virus-like software on laptops that makes the devices more vulnerable to hacking. Users have complained that a programme called Superfish pre-installed by Lenovo on consumer laptops was “Adware”, or software that automatically displays adverts.

According to Robert Graham, CEO of U.S.-based security research firm Errata Security, Superfish was malicious software that hijacks and throws open encrypted connections, paving the way for hackers to also commandeer these connections and eavesdrop. This can give rise to a man-in-the-middle attack.

Lenovo had installed Superfish on consumer computers running Microsoft Corp’s Windows, he added. “This hurts Lenovo’s reputation,” Graham told Reuters. “It demonstrates the deep flaw that the company neither knows nor cares what it bundles on their laptops”. “The way the Superfish functionality appears to work means that they must be intercepting traffic in order to insert the ads,” said Eric Rand, a researcher at Brown Hat Security. “This amounts to a wiretap.”

An administrator on Lenovo’s official web forum said on Jan. 23 that Superfish has been temporarily removed from consumer computers. Lenovo has also promised that the allegations regarding Superfish will be investigated and the problem would be fixed.

Concerns about cyber security have dogged Chinese firms, including telecoms equipment maker Huawei Technologies Ltd over ties to China’s government and smartphone maker Xiaomi over data privacy. Huawei and ZTE are already in telecom security tangle of India. Huawei has also been accused of breaching national security of India by hacking base station controller in Andhra Pradesh. Cyber security concerns have already excluded Huawei from Australian broadband project. US House Intelligence Committee is also investigating Huawei cyber espionage angle.

These episodes prove that countries are becoming more and more aware of the use of malware in software and hardware, and companies must be wary of using anything that makes the hardware/software potentially risky for cyber security purposes.

Telecom Security Policy Of India 2014 And Unconstitutional E-Surveillance Issues

India literally borrows a majority of Security and Intelligence related ideas from United States (U.S.). This creates many unique problems for India. Firstly, these projects and ideas are meant for western countries and they are not at all suitable for a country like India. Secondly, if something goes wrong with the U.S. model, the “Infirmity and Irregularity” automatically creeps into Indian Projects and Initiatives as well.

In U.S., Civil Liberty Activists have started challenging U.S. Government’s E-Surveillance Projects and Policies. Even U.S. Courts have started taking a strict note of these E-Surveillance Activities of U.S. Agencies. Recently, the Massachusetts Supreme Judicial Court declared that phone users have Legitimate Expectation of Privacy while using their phones. Similarly, the Texas Appeals Court ruled that law enforcement officials do need a warrant to search an arrested person’s cell phone after he/she has been jailed.

The U.S. Government is also facing many lawsuits regarding illegal and excessive gathering and retention of phone details and metadata. The White House is also facing limited and difficult options to restructure National Security Agency’s phone surveillance program.

Now let us come to India that “Dedicatedly and Blindly Follows” these U.S. Models. The Cell Site Data Location Laws in India and Privacy Issues are still ignored by Indian Law Makers. The Cell Site Location Based E-Surveillance in India is rampant “without any Regulatory Checks and Judicial Scrutiny”. We have no dedicated Data Protection and Privacy Rights Laws in India.  Even the Fifty-Second Report of Standing Committee on Information Technology (2013-14) titled Cyber Crime, Cyber Security and Right to Privacy (PDF) has slammed Indian Government for poor Privacy Laws in India. The Cyber Law of India and the Indian Telegraph Act, 1885 also deserve an “Urgent Repeal”.

India has also launched E-Surveillance and Privacy Violating Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), Internet Spy System Network And Traffic Analysis System (NETRA) of India, etc. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. Even the essential E-Surveillance Policy of India is missing till now.

Now it has been reported that Indian Government plans to put in place systems and regulations that will allow Law Enforcement Agencies to trace cellular phone users and provide access to targeted communication, text messages, information data and even value added services on a real-time basis, according to the draft guidelines of the country’s Telecom Security Policy.

The Department of Telecommunication (DOT) has proposed comprehensive norms in the draft policy after the Ministry of Home Affairs expressed strong reservations since the department had not created provisions for law enforcement agencies to intercept communication.

In a version of the draft policy that addresses National Security concerns, the DOT has said that the policy would “put in place effective systems, processes and regulations to ensure the traceability of telecom users or devices in terms of identity, permanent address and current location with specified accuracy and resolution in the case of need”. India intends to deal with Telecom Security issues in an in-depth manner as the open telecom environment has made it easier to intrude on networks and cause damage to information they contain. The recent allegation of hacking by Huawei of Indian Telecom Infrastructure proves this point. India has been planning to undergo technological upgrade of border broadcast infrastructure due to Chinese broadcasts. The Telecom Commission’s cellular loop’s proposal would strengthen Mobile Based Surveillance in India on National Security Grounds.

Techno Legal Compliances like Privacy Law Compliances, Data Protection Requirements (PDF), Cloud Computing Compliances, Encryption Related Compliances, Cyber Law Due Diligence (PDF), etc are not followed by the Law Enforcement Agencies of India. The Telecom Security Policy of India must address all these issues while keeping in mind the Telecom and National Security of India. Further, India must Reconcile Civil Liberties and National Security Requirements as well.

The proposed policy also envisages providing analysis of information and data including decrypted messages, flowing through the telecom network, stored in systems and devices. Abilities of security agencies to analyse information quicker will be enhanced by making latest technology and systems available which will cut down delays and minimise information leakage.

However, security agencies will uphold privacy rights of Indian citizens, the draft norms said. This is difficult to believe as the proposed Privacy Law of India is already facing Intelligence Agencies Obstacles. Even the National Cyber Security Policy of India has failed to protect Privacy Rights in India.

A Telecom Security Directorate (TSD) has been proposed for implementing and updating the proposed Telecom Policy. Meanwhile, security certification centre for testing telecom equipment, centralised monitoring system for interception and monitoring and emergency response team for detecting and analysing cyber attacks, internet traffic hijacks and telecom sectoral frauds would be created.

DOT is of the opinion that the sector requires a separate security policy since the cybersecurity policy is not sufficient to deal with security issues specific to the telecom industry that has created critical information infrastructure.

The Government will largely depend on mobile phone companies that will implement the security instructions as a key stakeholder and also share the cost with the government. Telecom operators would have to build systems, procedures and methods to make their network resilient so that any damage has a minimum impact on the network and it can be revived quickly.

Telcos would have to share information on attacks on their networks, intrusion and frauds with Government agencies, including telecom sectoral CERT, the national CERT and the National Cyber Coordination Centre, that may monitor all web traffic passing through internet service providers in the country and issue ‘actionable alerts’ to government departments in cases of perceived security threats. Indian Government is also planning a legislation mandating strict Cyber Security Disclosure Norms in India.

These Proposals, Policies and Initiatives are not only “Controversial and Unconstitutional” in nature but they are also far from being actually implemented. At the time of their implementation, they must be supported with “Constitutionally Sound Laws” to avoid “Constitutional Attacks”. Otherwise this would only increase unnecessary and unproductive litigation in India.

Kaspersky Reveals Hardware Based Stealth Spyware Used By Intelligence Agencies

Cyber espionage is not a new game but it has become more apparent and visible these days. World over intelligence agencies have been using various techniques and methods to infiltrate and track users of their interest. These methods include hardware and software based spyware. The National Security Agency (NSA) of United States has even used radio waves to do e-surveillance.

As per the Cyber Security Trends in India 2015 by Perry4Law Organisation (P4LO), Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, Gameover Zeus (GOZ), Carbanak, etc would further increase in the year 2015. These are sophisticated and customised malware that remained in operation for decades without being tracked by the victims.

Traditional hardware and software based security mechanisms have failed to protect crucial assets and sensitive information of various organisations and nations. An out of the box solution is the need of the hour to tackle present day malware. For instance, the Moscow-based security software maker Kaspersky Lab has recently discovered hidden spyware in hard drives of computers. Kaspersky called the authors of the spying program “the Equation group,” named after their embrace of complex encryption formulas. More details can be found in the document titled Equation Group- Questions and Answers (PDF) released by Kaspersky.

These hard drives are manufactured by Western Digital, Seagate, Toshiba and other top manufacturers, thereby making their use a potential cyber hazard. Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.

Although Kaspersky has not publicly named the country or organisation behind this spyware yet it has claimed that the work is attributed to the same people who are behind Stuxnet malware. Some claim that Stuxnet is a product of National Security Agency (NSA) of U.S. This view has been affirmed by a former NSA employee who told Reuters that Kaspersky’s analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it. NSA spokeswoman Vanee Vines declined to comment.

Kaspersky believes that this sort of cyber espionage is possible only if a person or organisation has access to the source code of the hardware, known as firmware. Once the access is there, the source code can be manipulated the way it has been alleged to be done by NSA. The spyware is activated the moment a computer with an infected hard drive is switched on. Since the spyware/malware is booting from the firmware, antivirus and anti-malware products cannot detect it and the malware keeps on working stealthily.

A firmware infection is the second most sought after method by crackers and cyber criminals to infect and compromise a system. Obviously, BIOS infection through rootkit is the favourite method of such cyber criminals. No matter how many times a user disinfects his computer, the hardware/BIOS based malware would keep on infecting it again and again. This is so even if a user reinstalls the operating system as the infection is not at the OS level but at the root level itself.

Kaspersky has informed that the owner of this still-active malware could have taken complete control of the systems that were using the infected hard drives but they preferred to target selective few of high interest. According to Kaspersky, the malware owner also used other methods of cyber espionage and cyber spying like compromising jihadist websites, infecting USB sticks and CDs, and developing a self-spreading computer worm called Fanny. There seems to be collaboration between the authors of Fanny and Stuxnet as both exploit two of the same undisclosed software flaws, known as zero days. Kaspersky believes that it is quite possible that the Equation group used Fanny to scout out targets for Stuxnet in Iran and spread the virus.

Carbanak Steals About A Billion US Dollars From Financial Institutions Worldwide

The legendary bank robber Willie Sutton was once asked why he robbed banks, to which he replied “because that is where the money is”. Although this famous answer was subsequently disputed by Sutton himself, it has become Sutton’s law that is relied upon by many people and institutions while giving examples and explaining various principles. This is so because the legendary answer may be of 1934 period but its core principle still applies to banks and financial institutions of present era.

Banks and financial institutions of India and other jurisdictions are still struggling to secure their financial assets and infrastructure. Sophisticated malware is targeting banks and financial institutions, and with a good success rate as well. For instance, the Vskimmer Trojan capable of stealing credit card information from Windows systems is already in circulation. Similarly, the Malware Dump Memory Grabber is also targeting POS systems and ATMs of major U.S. banks. These malware are creating havoc at Indian and international levels.

Now it has been reported that a multi-national gang of cyber-criminals known as Carbanak has stolen about a billion US dollars from financial institutions worldwide over the past two years. The gang is alleged to have operatives from Russia, Ukraine, Europe and China who are using various techniques to steal the money. The gang’s activities have been uncovered by the combined efforts of INTERPOL and Europol working with Kaspersky lab as well as authorities from several other countries.

Kaspersky reports that since 2013, the criminals sought to attack 100 banks, e-payment systems and other financial institutions in some 30 countries and that attacks remain active. Targets included financial organisations in Russia, USA, Germany, China, Ukraine, Canada, Hong Kong, Taiwan, Romania, France, Spain, Norway, India, the UK, Poland, Pakistan, Nepal, Morocco, Iceland, Ireland, Czech Republic, Switzerland, Brazil, Bulgaria, and Australia.

The gang used the commonly prevalent technique of compromising the systems of banks and financial institutions through installing malware using spear phishing mails. The attackers stole money directly from banks, rather than targeting end users, signifying use of spear phishing instead of simple phishing. The attackers must have studied the banking system of concerned bank or financial institution before siphoning the money.

The attackers used online banking or international e-payment systems to transfer money from the victim banks’ accounts to their own. For transfers, the stolen money was deposited with banks in China or America – and others may have also been used. In some cases the attackers compromised the key accounting systems and inflated account balances before taking the extra funds via a fraudulent transaction. By changing an account with 1,000 pounds to 10,000 pounds, the criminals then transfer 9,000 to themselves. And the account holder doesn’t suspect a problem because the original 1,000 pounds is still there.
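The balance-inflation fraud described above leaves the closing balance looking normal, so a check has to replay the posted ledger rather than look at balances alone. The following sketch is an added example, not part of the original post and not Kaspersky's method; the account names, amounts and record layout are constructed assumptions.

```python
from decimal import Decimal

# Constructed sample data (not from any real incident).
OPENING = {"ACC-1": Decimal("1000"), "ACC-2": Decimal("2500")}

# Posted ledger entries: (sequence, account, signed amount, description).
LEDGER = [
    (1, "ACC-2", Decimal("-500"), "card payment"),
    (2, "ACC-1", Decimal("-9000"), "outbound e-payment transfer"),
    (3, "ACC-2", Decimal("200"), "salary credit"),
]

# Balances as stored in the accounting database. ACC-1 was edited from
# 1,000 to 10,000 directly (no ledger entry) before entry 2 was posted,
# so the stored figure is back at the 1,000 the account holder expects.
STORED = {"ACC-1": Decimal("1000"), "ACC-2": Decimal("2200")}


def reconcile(opening, ledger, stored):
    """Replay the ledger and report what the stored balances cannot explain.

    Returns a list of (finding, account, ledger_sequence_or_None, amount):
      UNFUNDED_DEBIT   - a debit that drives the ledger-derived balance
                         below zero, i.e. it was paid out of funds that
                         were never credited through the ledger.
      BALANCE_MISMATCH - stored balance differs from opening + ledger;
                         amount is stored minus expected.
    """
    running = dict(opening)
    findings = []
    for seq, account, amount, _desc in sorted(ledger):
        after = running.get(account, Decimal("0")) + amount
        if amount < 0 and after < 0:
            findings.append(("UNFUNDED_DEBIT", account, seq, after))
        running[account] = after

    for account in sorted(set(running) | set(stored)):
        expected = running.get(account, Decimal("0"))
        actual = stored.get(account, Decimal("0"))
        if actual != expected:
            findings.append(
                ("BALANCE_MISMATCH", account, None, actual - expected)
            )
    return findings


if __name__ == "__main__":
    for finding in reconcile(OPENING, LEDGER, STORED):
        print(finding)
```

The 9,000 mismatch on ACC-1 is exactly the amount that was added to the balance outside the ledger, even though the stored balance itself reads 1,000.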

The cyber-thieves also seized control of banks’ ATMs and ordered them to dispense cash at a pre-determined time. When the payment was due, one of the gang was waiting beside the machine to collect the ‘voluntary’ payment.

Indian Govt Enforces Ban On Private E-Mails For Official Communications

E-mails are an important mode of communication these days. With the increasing webspace most of us also store crucial data, information and documents in our e-mail accounts. Obviously the access to this information and these documents is available to the e-mail service providers and the law enforcement agencies of the countries where such e-mail service providers are located. This access can be legal as well as illegal through unlawful e-surveillance and eavesdropping methods.

Indian government has been struggling long to formulate and implement the e-mail policy of India. This is important for India as sensitive documents cannot be transferred out of India as per Indian laws like Public Records Act, 1993. Even Delhi High Court is analysing the e-mail policy of India and has shown its displeasure over slow action on the part of Indian government in this regard.

The Delhi High Court has also directed central government to issue notification regarding electronic signature under Information Technology Act 2000. An advisory by Maharashtra Government to use official e-mails has already been issued.

Now it has been reported that Indian government has decided to ban the use of Gmail or any other private email for official communication across all its organisations, and make it mandatory for them to migrate to email services provided by the National Informatics Centre (NIC). This is a good step in the right direction and Perry4Law Organisation (P4LO) welcomes this move.

As per the e-mail policy of Indian government, notified on February 18, each employee of the government of India or any state/UT government staff using e-mail services of GoI will be provided two e-mail IDs, one based on designation for use in official communication and the other based on name for both official and personal communication. Not only will the employees be barred from using email services provided by any other service provider for official communication, but they also cannot provide details of the GoI email account to private e-mail service providers.

P4LO believes that this is a significant policy decision as it would allow not only keeping the government documents within Indian territories but would also help in cyber security initiatives. If details of the GoI email accounts are not made public, there are far fewer chances of spam, spear phishing, cyber attacks through malicious links, etc.

As per the email policy notified by the department of electronics and IT (DeitY), forwarding of email from the official GoI ID to the official’s personal ID outside the GoI e-mail service will not be allowed. Though official email ID provided can be used to communicate with any other user, whether private or public, the users must exercise due discretion on the contents being sent as part of the email.

For emails deemed as classified or sensitive, the policy mandates use of digital signature certificate and encryption. This would increase the authenticity and integrity of e-mail communications using digital signature certificate and encryption. It would also mean that any eavesdropping or e-surveillance would not be easy as the contents of the e-mail would not be in plain text but in encrypted format.

The user will have to update their current mobile numbers under their personal profile. The phone number will be used as alternative means to reach the user and send alerts. In case a user ID is compromised and this impacts a large user base or data security of the deployment, the NIC shall reset the password of the user ID without prior notice to the user. In normal circumstances, where the compromise of an email user ID is detected, an SMS alert will be sent to the user with details of the action to be taken by him/her. If no action is initiated after five such alerts, the NIC would reserve the right to reset the password. Auto-save of password in the government email service will not be permitted due to security reasons.

The email policy lists the examples of “inappropriate use of the email service”, including in it the creation and exchange of harassing, obscene or threatening emails; transmission of emails involving language derogatory to religion, caste or ethnicity; unauthorized exchange of confidential information; distribution of anonymous emails from another officer’s ID; masking of identity of the sender of email and willful transmission of an email containing a computer virus.

The NIC will maintain email logs for all user IDs for two years. Any security incident, or an adverse event that can impact availability, integrity, confidentiality of government data, must immediately be reported to the computer emergency response team (CERT-IN).

In case of a threat to security of the government service, the NIC may de-activate or suspend the email ID used to impact the service. The security audit of NIC email services and other organizations maintaining their own mail service shall be conducted periodically by an organization approved by the department of electronics and IT.

SC Has Killed Cyber Law Due Diligence In India To A Great Extent

Cyber law due diligence in India (PDF) for Internet Intermediaries is incorporated in the Information Technology Act 2000 (IT Act 2000). Section 79 read with Information Technology (Intermediaries Guidelines) Rules, 2011 (PDF) deals with cyber law due diligence obligations of Internet Intermediaries of India.

There has been lots of confusion and protests against the Internet Intermediary liability applicable to the Intermediaries. Although internet intermediary liability in India has been clarified, doubts and problems have persisted in this regard. As a result cyber law due diligence requirements in India are neglected with impunity.

According to the cyber law developments of India 2014 provided by Perry4Law Organisation (P4LO) and Cyber Crimes Investigation Centre of India (CCICI), some serious cyber law related issues deserve immediate attention of Indian government. We were waiting for a positive response from Indian government but meanwhile the judgment of Shreya Singhal v. Union of India (24th March 2015), Writ Petition (Criminal) No.167 Of 2012 (PDF) was delivered by Indian Supreme Court.

This judgement has come as a big blow to the cyber law due diligence obligations of Intermediaries in India. The main problem seems to be the reading down of Section 79(3)(b) and Rule 3(4) by the Supreme Court in a manner that would be counter productive in the long run. In fact, reading down of Section 79(3)(b) and Rule 3(4) is more of a problem than a solution as the Supreme Court erred in adopting this approach.

Now it has become necessary for Modi government to urgently bring suitable amendments in the IT Act 2000. Unfortunately, Indian Parliament and Indian government are not capable of enacting effective techno legal legislations. This is the reason why even the most draconian and unconstitutional rules are simply approved by Indian Parliament without any analysis, debate and application of mind. Once approved, such rules become part of the parent Act and this creates serious law and order enforcement problems.

Even worse is the constitution of authorities and projects by mere Executive orders. For instance, Aadhaar project is an unconstitutional project that has been created by an Executive order. Indian Parliament has not deemed it fit to dissolve the same and come up with a robust law in this regard. Supreme Court of India has directed on multiple occasions that Aadhaar is not compulsory for government services but Indian government is not paying any heed towards those directions. Aadhaar has been made compulsory by direct and indirect means and very soon even the Aadhaar project would be declared to be unconstitutional by Indian Supreme Court.

Even Modi government is following the steps of Congress government and is very indifferent towards ensuring Parliamentary oversight of various projects and initiatives. For instance, promising projects like Digital India and Internet of Things (IoT) (PDF) are still not governed by any legislative process. Naturally, there is no accountability and transparency for these projects as on date. In fact, Digital India project of India is heading for rough waters in these circumstances.

Indian cyber law has not been appropriate since its inception. Too much stress is given to suppress civil liberties and enhance e-surveillance. However, it has now reached a stage where immediate steps must be taken to protect civil liberties in cyberspace on the one hand and projects like Digital India on the other. This is also the high time to leave politics and do positive things for Indian masses.

Pakistan’s Mobile Communications Security Is Much Better Than India

Intercept has recently published an article describing that in 2010 U.S. and British spies hacked into the internal network of Gemalto, one of the largest manufacturers of SIM cards in the world. They stole the encryption keys used to protect the privacy of mobile cellular communications across the globe.

GSM (Global System for Mobile Communications) was originally designed with a moderate level of service security. When that initial security level was set, it was thought that GSM communications could not be compromised. The basic level security system was designed to authenticate the subscriber using a pre-shared key and challenge-response. However, a higher level of security is possible by encrypting the communications between the subscriber and the base station.

GSM uses several cryptographic algorithms for security. The A5/1, A5/2, and A5/3 stream ciphers are used for ensuring over-the-air voice privacy. The Hacker’s Choice started the A5/1 cracking project with plans to use FPGAs that allow A5/1 to be broken with a rainbow table attack. On 28 December 2010 German computer engineer Karsten Nohl announced that he had cracked the A5/1 cipher. He also said that it is possible to build “a full GSM interceptor from open-source components” but that they had not done so because of legal concerns. Nohl claimed that he was able to intercept voice and text conversations by impersonating another user to listen to voicemail, make calls, or send text messages using a seven-year-old Motorola cellphone and decryption software available for free online.

New attacks have been observed that take advantage of poor security implementations, architecture, and development for smartphone applications. Some wiretapping and eavesdropping techniques hijack the audio input and output providing an opportunity for a third party to listen in to the conversation. GSM uses General Packet Radio Service (GPRS) for data transmissions like browsing the web that was cracked by Nohl and his co-researcher Luca Melette in 2011.

U.S. law enforcement agencies have also been using fake cell phone towers to illegally intercept mobile communications and data. Surveillance hardware and software like Stingray, Triggerfish, etc are commonly used in U.S. and other jurisdictions. For instance, India has been using secret wires, central monitoring system (CMS), NETRA, etc to indulge in illegal and unconstitutional-surveillance. There is no parliamentary oversight of these e-surveillance projects and intelligence agencies of India.

Let us now come back to the disclosures of The Intercept. What makes them relevant for India are The Intercept’s claims that these spies mined the private communications of Gemalto engineers and employees in multiple countries, including India. Once someone has access to these encryption keys they can monitor all mobile communications on those SIM cards without seeking permission from Indian courts, the government, the mobile operator, etc. And the worst part is that there is no trace on the mobile operator’s network that communications were monitored by a third party since they have the actual keys and are not using brute force to break encryption. But in the Indian context this fallacy seems to be more a matter of “thoughtful design” than of negligence and lapse on the part of Indian government and telecom operators. It seems India and U.S. are collaborating on illegal and unconstitutional e-surveillance on a mutual basis. This is one of the main reasons why there is no encryption policy of India (PDF) till date and why privacy and data protection (PDF) laws are still missing in India despite many protests.

German Chancellor Angela Merkel’s voice calls were monitored by U.S. spies and this forced the German government to use BlackBerry smartphones with an additional layer of voice encryption. Even Indian Prime Minister Narendra Modi now uses a BlackBerry with possible security mechanisms.

However, the most interesting revelation comes in the form that GCHQ could not intercept keys used by mobile operators in Pakistan, even though Pakistan is a priority target for Western intelligence agencies. This is because Pakistanis used more secure methods to transfer the encryption keys between the SIM card manufacturers and Pakistani mobile operators.

Mobile cyber security in India is in a bad shape. The cyber security trends in India 2013 (PDF) and 2014 by Perry4Law Organisation (P4LO) have proved that mobile cyber security in India is in really bad shape. The cyber security trends in India 2015 have also shortlisted mobile cyber security as a priority area that deserves the immediate attention of Indian government. The Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) hopes that Indian government would take mobile cyber security in general and cyber security in particular seriously in the year 2015.

Technical Advisory Committee (TAC) Of SEBI To Address Cyber Security Issues As Well

Cyber security has become a priority issue for stakeholders around the world. Though governments are slow to adapt to cyber security requirements, there is no escape from the necessity to have a robust and resilient cyber security infrastructure. India has been adopting technology driven projects that have little cyber security support. For instance, cyber security for Digital India, e-governance, e-commerce, etc. is still missing in India. Till now India is a sitting duck in cyberspace and civil liberties fields and it must be suitably prepared to deal with the cyber security challenges that would further increase in India in the near future.

There are many cyber law and cyber security obligations of Directors of Indian companies that are still not fulfilled by them. Indian government is also slow in enforcing these cyber law and cyber security obligations of Indian directors. The recent judgment of Supreme Court of India on Sections 66A, 69A and 79 of Information Technology Act, 2000 has further killed cyber law due diligence requirements in India to a great extent. This judgment must be reviewed by the Supreme Court to remove the unintended consequences of the same.

We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) have suggested that Narendra Modi government must formulate the Cyber Security Policy of India 2015 as soon as possible. The Cyber Security Policy of India 2013 is suffering from many shortcomings that must be removed in the 2015 policy. India must also be cyber prepared to protect its cyberspace.

CECSRDI has also suggested that a dedicated cyber security law of India is the need of the hour. The same must be a techno legal framework keeping in mind contemporary cyber security threats. Further, cyber security disclosure norms in India must be formulated by Modi government. The cyber security awareness in India must be further improved with a special emphasis upon clearly specifying the cyber security obligations of directors of Indian companies.

The Cyber Security Trends of India 2015 by CECSRDI have outlined that state sponsored cyber attacks and an increased use of malware are on the cards. Cyber security of banks in India is the need of the hour as cyber criminals have been targeting banking and financial institutions in India for long. Even the capital markets of India are vulnerable to sophisticated cyber attacks. The Securities and Exchange Board of India (SEBI) has been mandated to regulate the entire gamut of capital markets in India and it is required to ensure cyber security of capital markets as well.

Now it has been reported that SEBI has expanded the ambit of its Technical Advisory Committee (TAC) to include cyber security of the markets. CECSRDI welcomes this move of SEBI and is committed to help it in every possible manner to achieve this benign cyber security objective.

The five-member TAC formed in 2010 is headed by Ashok Jhunjhunwala, faculty-member, Indian Institute of Technology-Madras. The other members are H Krishnamurthy of the Indian Institute of Science (Bangalore), Abhay Karandikar of IIT-Bombay and Vibhakar Bhushan of Trignon Business Consulting and

The TAC advises SEBI on various policy and internal technological safety issues. It also aids the regulator in framing appropriate policies arising out of technological advancements in areas such as wireless trading, co-location, algorithmic trading, smart order routing and Application Programming Interface (API). SEBI is particularly worried about the growing cyber crimes that have become complicated and stealthy in nature. State sponsored attacks are also a cause of concern for various cyber security stakeholders. SEBI believes that Indian capital market needs a framework for future plan of action on securities market resilience.

This move of SEBI aims at securing the data, applications, database, operating systems and network layers of (FMIs) from various forms of cyber attacks such as Denial of Service (DoS) attacks, phishing, hacking, man-in-the-middle attack, sniffing, spoofing, key-logging and malware attacks. Critical infrastructure protection in India (PDF) is still struggling to deal with sophisticated cyber attacks and malware. In the past it was declared that NTRO would protect the critical ICT infrastructures of India. The National Critical Information Infrastructure Protection Centre (NCIPC) of India has also been established to protect Indian critical infrastructures. Nevertheless, cyber security of critical infrastructure of India is yet to be achieved.

CECSRDI hopes that Indian government and authorities like SEBI would help in securing Indian critical infrastructures like banks, capital markets, etc very soon. The starting point can be the cyber security policy of India 2015 as already suggested by CECSRDI.

Indian Cyber Security Infrastructure Must Be Strengthened

India has launched technology driven and ambitious projects that rely heavily upon information and communication technology (ICT). In the past these projects were put under an umbrella known as national e-governance plan (NEGP). However, cyber security issues of e-governance in India were left ignored by Indian government. Now the NEGP has been renamed as Digital India and it is also plagued by inadequate cyber security. As a result, Digital India project is heading towards rough waters in India.

Cyber security infrastructure in India has never been given any significance. Even when some policy initiatives were undertaken by Indian government from time to time, they amounted to little more than lip service and paper tigers. For instance, the cyber security policy of India 2013 is just a facade to cover the inadequate cyber security of India.

An analysis of the cyber security policy of India would make it clear that it is useless and the cyber security policy of India 2015 must be urgently formulated by Indian government. The same must be accompanied by a Cyber Attack Crisis Management Plan of India that can address threats arising in Indian cyberspace. Cyber security should also be made part of national security policy of India.

At Perry4Law Organisation (P4LO) and Perry4Law's Techno Legal Base (PTLB), we firmly believe that a robust, strong and resilient cyber security infrastructure of India must be established as soon as possible. This cyber security infrastructure must be capable of thwarting the sophisticated malware and cyber attacks that have tremendously increased in the recent past. We also recommend that a dedicated cyber security law of India must be formulated that puts an obligation to inform about cyber security breaches upon individuals and organisations.

Recently the Prime Minister's Office (PMO) appointed Dr. Gulshan Rai as the first chief information security officer (CISO) of India. This is a positive development as Dr. Gulshan Rai is well capable to deal with cyber security related issues in India. We hope that he would also take care of cyber security of smart cities in India. Smart cities in India are presently facing many problems including the issues of civil liberties. Further, cyber security of smart grids of India must also be ensured to protect our power grids.

Another related problem is the lack of cyber security in the banking industry of India. This is the reason why the Reserve Bank of India (RBI) has decided to open an IT Subsidiary so that cyber security related issues of banks in India can be effectively managed by RBI.

P4LO recommends that cyber security infrastructure of India must be strengthened immediately. This is also relevant for the Digital India project that is facing many cyber security challenges. The sooner this is done the better it would be for Indian cyberspace.

Digital India Project Of India Lacks Cyber Security Infrastructure

In this article, Praveen Dalal, Managing Partner and CEO of Perry4Law Organisation (P4LO) and PTLB, is discussing shortcomings of Digital India project of Indian government. Digital India and cyber security issues in India have been ignored by Indian government so far and this article is addressing that aspect as well.

The success or failure of any project depends upon its due research and analysis. Without proper homework and due diligence, a project may face many shortcomings, lacunae and limitations. One such project is known as Digital India. As on date, the Digital India project of Indian government is heading towards rough waters and problems. This is because Digital India project is suffering from many shortcomings and limitations that Indian government has failed to remove.

For instance, the cyber security infrastructure of India is not in a good shape. Take the example of smart grids cyber security in India. India is contemplating the use of smart meters but the same has become a headache for the power companies. Even a Grid Security Expert System (GSES) of India was suggested by Indian government in the past but the same has not been implemented till now.

The Digital India Project of India Government is the classic example of use of Information and Communication Technology (ICT) for delivery of public services. Like any great project, Digital India is also suffering from some “Shortcomings”. The chief among them are lack of Cyber Security, ineffective Civil Liberties Protection, absence of Data Protection (PDF) and Privacy Protection, unregulated E-Surveillance in India, absence of Intelligence Agencies Reforms in India, etc.

Unfortunately, the initial objective of public delivery of services through use of ICT seems to be fading away day by day. Instead of public services the focus has now been shifted towards e-surveillance and data mining. To make this work, Indian Government has been using e-surveillance projects like Aadhaar, Central Monitoring System, Network and Traffic Analysis System (NETRA), National Intelligence Grid (NATGRID), National Cyber Coordination Centre (NCCC), etc. None of them is supported by any “Legal Framework” and “Parliamentary Oversight”.

In fact, Vodafone has confirmed that India has been using “Secret Wires” in the Telecom Infrastructure to indulge in e-surveillance. Indian Department of Telecommunications suppressed the whole incident with a mere assurance of “Investigation” that never took place. As per my personal information, no “Public Report” was made available in this regard by Indian Government so far.

In a latest twist, the Indian Government clubbed its latest Project named Digital Locker with Aadhaar. Essentially it means that Digital Locker is a legal project based upon illegal technology named Aadhaar. I have serious doubts that Digital Locker would serve its or Digital India’s purpose in these circumstances. The matter does not end here. Indian Government has claimed before the Supreme Court that Aadhaar is not mandatory for availing public services. However, this stand of Indian Government is not correct as Aadhaar has already been made compulsory for many public services and many more are added on regular basis.

Surprisingly, Supreme Court has not invoked either the Contempt or the Perjury proceedings against Central Government and States for making false claims and giving incorrect statements. Is it not the duty of Supreme Court to protect the Fundamental and Human Rights of Indian Citizens and residents? It is difficult to believe that Supreme Court is not aware of the ground situation that is actually happening in India. How can the Supreme Court simply rely upon false and misleading statements and allow the Central Government and States to operate in a manner that is clearly prejudicial to the Constitutional Protections and Principles?

It would be really unfortunate if Digital India Project is made the biggest Panopticon of Human History and an endemic E-Surveillance Instrumentality for the Indian Government where every bit of “Digital Information” can be accessed and manipulated by Indian Government. If this is the intention of Indian Government then Digital India Project is heading for rough waters.

Source: ICTPS Blog.

Smart Grids Cyber Security In India

Cyber security is no longer an ignored area for governments around the world. India has also recognised the significance of cyber security but its efforts in this direction are still scattered, unstructured and inadequate. Perry4Law Organisation (P4LO) has been advocating for establishing a strong, robust and resilient cyber security infrastructure in India for almost a decade.

P4LO also believes that international legal issues of cyber security must be resolved on mutual cooperation basis among various countries. Countries may work in the direction of formulating international cyber law treaty and international cyber security treaty (PDF). Similarly, international legal issues of cyber security and conflict of laws in cyberspace must also be resolved by Indian government.

These days most of the public utilities are managed and coordinated by information and communication technology (ICT). In many cases, these utilities are managed through remote administration as well. This is also the stage and process that makes these utilities vulnerable to cyber attacks.

Keeping this fact in mind, critical infrastructure protection in India in general and cyber security of automated power grids of India in particular must be ensured with latest technology and international best practices.

Cyber security issues in India are emerging day by day. Similarly, the cyber security awareness in India is also increasing. However, cyber security capabilities of India are still not up to the mark. Cyber security skills developments in India are urgently required.

There would be many cyber security challenges for future smart grids of India. The evolution of SCADA system, deficiencies and shortcomings of existing power devices and vulnerabilities of software managing SCADA systems are areas of special concern for India.

These days power grids are centrally connected and integrated in nature from the stage of power generation to its transmission and distribution. A compromise of such power grids can lead to power outages/blackout or even damage to power system devices and thereby huge loss to the utilities.

Further, renewable energy/distributed generation demands are an added feature of smart grids, and owing to networked control, future power systems will be much more vulnerable to cyber terrorism attacks, cyber warfare activities and cyber espionage attempts. Therefore, before switching to smart grids, India must consider cyber security challenges for them as well.

Perry4Law and Perry4Law Techno Legal Base (PTLB) are in the process of drafting cyber security best practices for smart grids in India. We invite professional collaborations and cooperation in this regard from various smart grid stakeholders. If interested, kindly send your proposals while communicating with us so that we can consider collaborative aspects of such proposals.

Friday, November 20, 2015

Hacked USB Can Damage Computer’s Circuit And Crucial Components

USBs have been used for long to infect systems and to steal data. This is done by first infecting the concerned USB with a customised malware and then running the same on the target computer or system. Wherever physical access to the target system is not available, the USB can be simply left within the visibility and reach of the person managing such system. This social engineering tactic is very effective even today and in the majority of cases the system administrator runs such an infected USB upon his system.

Some users also allow the autorun option for media including USBs. This is a serious cyber security risk as the malware would automatically start running and installing with such an option. Autorun must be disabled by default by the users for security reasons.
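On Windows hosts, the autorun advice above can be verified through the `NoDriveTypeAutoRun` policy value. The following is an added example, not part of the original post: it decodes that value from `reg query` output and reports which drive types still allow AutoRun. The host names and sample outputs are constructed, and the assumption is that the audited machines run Windows.

```python
import re

# Bits of the Windows NoDriveTypeAutoRun policy DWORD. A set bit disables
# AutoRun for that drive type; 0xFF disables it for every type.
DRIVE_BITS = [
    (0x01, "unknown"),
    (0x04, "removable"),          # USB flash drives normally report as this type
    (0x08, "fixed"),
    (0x10, "network"),
    (0x20, "cdrom"),
    (0x40, "ramdisk"),
    (0x80, "unknown (reserved)"),
]

# Matches the value line printed by `reg query <key> /v NoDriveTypeAutoRun`.
VALUE_RE = re.compile(
    r"^\s*NoDriveTypeAutoRun\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$", re.MULTILINE
)


def parse_mask(reg_output):
    """Return the policy DWORD found in reg query text, or None if absent."""
    match = VALUE_RE.search(reg_output)
    return int(match.group(1), 16) if match else None


def autorun_allowed(mask):
    """List the drive types whose disable bit is NOT set in the mask."""
    return [name for bit, name in DRIVE_BITS if not mask & bit]


def audit(outputs):
    """Map each host to (status, drive types that still allow AutoRun).

    status is "disabled" (every type covered), "partial" (some types still
    allowed) or "not-configured" (no policy value; the list is then empty
    because nothing is enforced by policy at all).
    """
    report = {}
    for host, text in outputs.items():
        mask = parse_mask(text)
        if mask is None:
            report[host] = ("not-configured", [])
            continue
        allowed = autorun_allowed(mask)
        report[host] = ("disabled" if not allowed else "partial", allowed)
    return report


# Constructed sample outputs for three hypothetical hosts.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SAMPLE = {
    "ws-01": f"\n{KEY}\n    NoDriveTypeAutoRun    REG_DWORD    0xff\n\n",
    "ws-02": f"\n{KEY}\n    NoDriveTypeAutoRun    REG_DWORD    0x91\n\n",
    "ws-03": "ERROR: The system was unable to find the specified registry key or value.\n",
}

if __name__ == "__main__":
    for host, (status, allowed) in sorted(audit(SAMPLE).items()):
        detail = ", ".join(allowed) if allowed else "-"
        print(f"{host}: {status:15s} AutoRun still allowed for: {detail}")
```

A host reported as "partial" with "removable" in its list is the case the paragraph warns about: a plugged-in USB can still trigger AutoRun there.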

For long, USBs have been used for corporate and cyber espionage. Now USB has also become a tool of cyber warfare as it can be customised to create damage rather than corrupting the system. A Russian hacker/researcher created a USB that can crash the victim system once the modified/hacked USB is plugged into it.

The researcher, nicknamed Dark Purple, hacked a standard USB stick, and installed an inverting DC-DC converter and some capacitors bought from a Chinese website. When the USB is plugged in, it charges the capacitors to -110V before shutting down. Next, a transistor discharges the stored electricity through the USB port’s data pins. This continues until the capacitors are down to -7V, at which point the DC-DC converter is switched back on, and begins to charge the capacitor back for the next cycle.

The basic idea of the USB drive is quite simple. When we connect it up to the USB port, an inverting DC/DC converter runs and charges capacitors to -110V. When the voltage is reached, the DC/DC is switched off. At the same time, the field transistor opens. It is used to apply the -110V to signal lines of the USB interface. When the voltage on capacitors increases to -7V, the transistor closes and the DC/DC starts. The loop runs till everything possible is broken down.

USB ports are typically well protected from electrical attacks, but the inverting DC-DC converter gets around these defenses – and eventually overloads them to damage the PC’s sensitive inner electronics. Clearly cyber security and the defence against cyber warfare have to be moved to the next level as present day’s safeguards are not enough to ward off these customised and stealth cyber attacks.

Grid Security Expert System (GSES) Of India Proposed To Ensure Cyber Security Of Power Grids

Present-day critical infrastructures are connected to information and communication technology (ICT) for portability, convenience and remote control purposes. Although this process brings many advantages, this usage of ICT for critical infrastructures also exposes them to potential cyber attacks.

According to the Cyber Security Trends of India 2015 by Perry4Law Organisation (P4LO), Critical Infrastructure Protection in India (PDF) would be required in the year 2015 as India has launched projects like Digital India and Internet of Things (IoT) (PDF). Indian Government needs to work hard in this regard as cyber security challenges in India are very daunting in nature.

The cyber security challenges before the Narendra Modi government are more demanding than those of its predecessor government due to heavy reliance upon ICT and technology. However, India is not yet prepared to deal with the same. We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) believe that Modi government must urgently formulate the Cyber Security Policy of India 2015 as the previous policy is just paperwork with no actual benefits.

Now here lies the real problem. Formulation of a techno legal framework and robust cyber security policy of India 2015 requires tremendous techno legal acumen. Further, the actual implementation of the proposed 2015 policy would be even more difficult. This may be the reason that Modi government is shy in bringing any change in the otherwise outdated and redundant 2013 cyber security policy of India. Nevertheless, a call has to be made in this regard and immediate action is the need of the hour.

It is not the case that the Modi government has not taken pro cyber security initiatives in India. Firstly, Modi government has appointed Dr. Gulshan Rai as the first chief information security officer (CISO) of India. Secondly, Narendra Modi has suggested to Nasscom that a task force be set up to solve the growing cyber security menace in India. According to Nasscom the taskforce would be constituted within a period of one month. Now it has been reported that the Grid Security Expert System (GSES) of India has been proposed to be developed by Powergrid.

GSES would involve installation of a knowledge based Supervisory Control and Data Acquisition (SCADA) system, numerical relays and Remote Terminal Units up to 132 kV stations and the reliable Optical fibre Ground wire (OPGW) communication system at an estimated cost of around Rupees 1200 crores. The objective of the GSES is implementation of the Automatic Defense mechanism to facilitate reliable and secure grid operation.

CECSRDI welcomes this move of Indian government. We have been advocating that a robust cyber crisis management plan of India is the need of the hour. A crisis management plan for preventing cyber attacks on the power utilities in India has also been suggested by CECSRDI. We have also suggested that a crisis management plan of India for cyber attacks and cyber terrorism is required. Power grids cyber security in India and its challenges are not much known as on date but awareness about the same is fast increasing. The present decision of Indian government to establish GSES is an example of the same.

It has also been stated that the Computer Emergency Response Team-India (CERT-IN), Department of Information Technology, Ministry of Communication and Information Technology, Government of India has prepared a Crisis Management Plan (CMP) for countering cyber attacks and cyber terrorism. The CMP intends to prevent large scale disruption in the functioning of critical information systems of Government, public and private sector resources and services. A framework has also been outlined for dealing with cyber related incidents for rapid identification, swift response and remedial actions to mitigate and recover from cyber related incidents impacting critical national processes.

In December 2010, Ministry of Power had constituted CERTs (Computer Emergency Response Teams) for power sector. At CECSRDI we welcome establishment of these dedicated CERTs as they can manage cyber security issues in a better manner. For instance, CERT-Thermal (nodal agency: National Thermal Power Corporation (NTPC)), CERT-Hydro (nodal agency: National Hydroelectric Power Corporation (NHPC)) and CERT-Transmission (nodal agency: Power Grid Corporation of India Limited (PGCIL)) can take necessary action to prevent cyber attacks in their domains. The State Power Utilities have also been advised to prepare their own sectorial Crisis Management Plan (CMP) and align themselves with the Nodal Agencies i.e. NTPC, NHPC & PGCIL and CERT-In for the necessary actions.

Cyber security of automated power grids of India is the need of the hour. It is only after a massive power blackout in 2012 that Indian government has woken up to the dangers of cyber attacks against Indian power sector. Based on the recommendations of the Enquiry Committee, constituted by Ministry of Power to enquire into the causes of the grid collapse of 2012, several measures like third party protection audit, review of Unscheduled Interchange mechanism, review of Central Electricity Authority transmission planning criterion, tightening of frequency band, coordinated planning of outages, development of islanding schemes, proper maintenance of under frequency relays etc. have been taken by the Government to prevent grid failures. We welcome these proactive efforts on the part of Indian government.

However, it would be really interesting to observe what actual steps would be taken by Modi government to strengthen Indian cyber security. Till now Modi government has not come out with even a single cyber security related policy decision or initiative. These policy decisions and projects, with their own merits and demerits, are the legacy of Congress government. What Modi government would do in this regard is yet to be seen. We wish all the best to Modi government in the field of cyber security and other related projects.

PMO Appoints Dr. Gulshan Rai As The First Chief Information Security Officer (CISO) Of India

India has been pushing for delivery of public services through e-governance for long. However, India failed to consider the cyber security aspects of e-governance and this is a dangerous situation. When everything is connected to the Internet or cyberspace, the risks of cyber attacks are very real and significant. Now India has once again adopted an ambitious technology driven project named Digital India.

Even Digital India has been heading towards rough waters due to lack of clear policies and implementation plan. Besides civil liberties protection in cyberspace, Indian Government must also keep in mind the cyber security aspects of Digital India project. As on date India is a sitting duck in cyberspace and civil liberties protection fields.

The Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) has provided the cyber security trends and developments in India in 2013 (PDF), 2014 and 2015. These trends have proved that India has failed on the front of developing offensive and defensive cyber security capabilities. At CECSRDI we believe that cyber security challenges in India would increase manifold in the near future and India must be prepared to deal with the same effectively and efficiently.

The cyber security challenges before the Narendra Modi Government are both complicated and voluminous in nature. Unlike other readymade and almost completed projects and schemes that the Congress Government has left for the BJP Government, the cyber security related issues were not properly dealt with by the Congress Government. Even the National Cyber Security Policy of India 2013, as formulated by Congress Government, is grossly defective and useless. BJP Government has the challenge of managing the cyber security related issues on its own and from the very beginning.

In a significant move, the Prime Minister’s Office (PMO) has appointed Gulshan Rai as the first Chief Information Security Officer (CISO) of India. We at Perry4Law Organisation (P4LO) and CECSRDI welcome this proactive move of PMO and Indian Government. This would go a long way in ensuring critical infrastructure protection in India (PDF). We also strongly recommend that a revised Cyber Security Policy of India 2015 must be drafted by Modi Government that must address cyber security issues in a more comprehensive and holistic manner.

This CISO position would operate directly under the PMO and this is a good move. We believe that issues of cyber security and national security must be managed at the highest levels and nothing is better than the present PMO. Gulshan Rai has been heading the computer emergency response team (CERT-IN) at the department of electronics and information technology (DeitY) and he has done a wonderful job at CERT-IN. Appointing him as the CISO is a good move of Modi Government as he is already well aware of the cyber threats landscape in India. He would now take charge as special secretary for cyber security.

Rai has been working since 1998 in the area of evolving legal framework to address issues arising out of cyberspace. He is also expected to head the national cyber coordination centre (NCCC) that the Government is also setting up with a budget of Rs 1,000 crore. Since Rai’s expertise and services would be required as a CISO, DeitY has already posted a vacancy for the post of director general for CERT-IN.

We wish all the best to Indian Government and Dr. Gulshan Rai for this challenging job.
