Tuesday, February 26, 2013

Chinese Hardware - A Cyber Security Threat to India

Chinese Hardware - A Cyber Security Threat to India

I remember when I was a child and use to ask questions to self, if Japanese wants to revenge on USA then are they putting some kind of Trojan bombs activated remotely in various televisions, music systems, Water Heaters, emergency lights and cars they export heavily and cheaply to the USA. Japanese could in the long awaited need of revenge and what could worst then detonating multiple bombs in the television sets across American cities and causing panic with havoc without any atom bomb.
These Chinese have resident revenge in their minds because of India being towering in the Asian region with IT revolution and largest English speaking population. Indians also always keep china scratching them wrongly by exhibiting His Holiness Dalai Lama.
Now let’s look at how cyber security critical items are being used by Indian companies in the pretext of cost cutting and Chinese executives who serve majorly there state are fully aware the “kanjusi“ or more white collar word “value for money” buying psyche of Indians. Many a times to please higher up bosses all executives have this mantra of getting cheap things which look overtly technologically advance but covertly are security wise harmful and dangerous to security posture of the organization and the country.
Items being used, bought or I say covertly forced to buy are
1. Routers
2. Switches
3. Devices & Chips used for data transmission
4. Mobile phones
5. Cameras

India has load of Cheap Routers from Huawei and ZTE and according to a U.S. Congressional intelligence committee report made public on October 8 2012.Chinese routers from Huawei and ZTE are "a threat" for the United States, or even the world, The committee suspects that these machines, which transmit Internet communications, could be working for the Chinese government. These two Chinese telecom firms, already singled out by the U.S. Department of Defense, as well as, in France, by Senator Jean-Marie Bockel.
The American authorities have suspected for a long time that chips, routers, and other digital equipment from China could be equipped with "back doors," hidden access that would allow an ill-intentioned remote user to connect, giving the Chinese government the chance to access sensitive information as it passes through the machines.

Chinese made pen drives specially unbranded or pirated are now considered threat world over due to firmware present in the pen drive which can be vary of harping data from millions of machines to which it is attached. According to Chief of Army Staff General Bikram Singh, restricting the use of pendrives and PowerPoint presentations is the key to preventing cyber invasion against India. Analysis of Indian cyber breaches have shown that over 70 percent have been caused by the use of USB Pen drives. General Singh has also ordered that all sensitive war plan meetings be done paperless and that PowerPoint use is to be restricted. His he even suspecting Microsoft?
This is not the first time that the two Chinese manufacturers have been under fire. In August 2012, Felix Lindner and Gregor Kopf, computer security specialists at Recurity Labs, criticized the vulnerability of Huawei's machines. According to Felix Lindner, Huawei routers are actually dangerous. Even earlier, the alarm was sounded by Jean-Marie Bockel, a centrist French senator and former secretary of state for defense. On July 19, the senator presented a report on French cyber-defense. It proposed "banning at-risk routers and other core network equipment." On his short list of brands to ban: Huawei and ZTE.

According to the Bockel report, "There is nothing to prevent a country that produces network routers from inserting devices for surveillance or interception, or even a system that completely interrupts all communication at any time." Bock also asked for a ban on the sale or use of Chinese equipment to companies that manage Internet communications.

I feel greatest threat to the world from Chinese manufacturers are from mobile phone devices, even leading brands manufacture from cheaper Chinese companies. The amount of malware on mobile platforms and dependency on mobile phones by individuals and corporate have both increased exponentially across the world.
Mounting worries that smartphones and tablets represent the next frontier for malware, security researchers have discovered a vast botnet on over a million devices in China. The Chinese news agency Xinhua and the BBC report that the botnet makes it so that smartphones can be hijacked remotely, potentially for DDOS attacks  or other malevolent purposes. As recently as September of 2011, it was big news to find 20,000 Android devices communicating with known criminal command and control networks on a given week. One of the worst Android botnets to date was called Rootstrap; it was reported to have reached 100,000 compromised devices about a year ago. 
I strongly feel android users while accessing Chinese apps on even Indian phones (if there exists any?) should be very cautious and avoid getting into the great data mining trap set up by Chinese app makers.

Finally, china has made art of camera making a joke, today in only hundreds of rupees you get filthy branded Chinese cameras which are used for various espionage related operations. Majority of IP cameras are imported from china in throw away rates with no or very little certification, I see CCTV cameras been widely put up by municipalities and police for increased surveillance. Now the billion dollar question who is surveilling who?
OMG are we using thermal cameras or night vision cameras on our defence equipments on old our pricey birds  or on LOC, Time save us from china coz everything seems to be Made in China except our babies..

Adv Prashant Mali is a Cyber Security & Cyber Law Expert in India

Note: While writing this to various material available on Internet was made referred also

Wednesday, February 20, 2013

Intermediary (ISP,Website Hosters,Facebook,Google,Banks,Stock Exchanges) Law in India

Who is an Intermediary in India ?
Ans: As per Section 2(1)(w) of the IT Act, 2000 (Indian Cyber Law) "Intermediary" with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes;
1. All Banks ,Insurance & Finance companies
2. All Stock Exchanges(NSE,BSE,MCX etc)
3. All ISP's(BSNL,MTNL,SIFY,Tikona etc)
4. All Telecom Companies(Airtel, Vodafone, Aircel, Reliance etc)
5. All Auction Sites(ebay.in,Quickr,mybid.in,Auto auction sites etc)
6. All ecommerce sites(flipkart,myntra,jabong,amazon etc)
7. All Payment gateways
8. Search Engines 
9. cyber cafe(Any place where public surfing on internet is allowed)
10. to be interpreted an case to case basis

Responsibility of an Intermediary

The intermediary or person in-charge of computer resource shall be responsible for the actions of
their employees also, and in case of violation of the provision of the Act and rules made 
there under pertaining to maintenance of secrecy and confidentiality of Information or any 
unauthorised  monitoring or collection of traffic data or information, the intermediary or 
person in-charge of computer resource shall be liable for any action under the relevant provision 
of the laws for the time being in force.

        Intermediary to ensure effective check in handling monitoring or collection of traffic data or information.

  The Intermediary or person in-charge of computer resources shall put in place adequate and effective
         internal checks to ensure that unauthorised  monitoring or collection of traffic data or information does not take 
         place and extreme secrecy is maintained and utmost care and precaution is taken in the matter of monitoring or 
         collection of traffic data or information as it affects privacy of citizens and also that this matter is handled only 
         by the designated officer of the intermediary or person in-charge of computer resource.

        Destruction of records by Intermediary
       (1) Every record, including electronic records pertaining to such directions for monitoring or collection of traffic 
data shall be destroyed by the designated officer after the expiry of a period of nine months from the receipt 
        of direction or creation of record, whichever is later, except in a case where the traffic data or information is, or likely to be, required for  functional requirements.

         (2) Save as otherwise required for the purpose of any ongoing investigation, criminal complaint or legal 
        proceedings the intermediary or the person in-charge of computer resource shall destroyed records 
        pertaining to directions for monitoring or collection of information within a period of six months of 
        discontinuance of the monitoring or  collection of traffic data and in doing so they shall maintain extreme secrecy.

         Due diligence to be observed by intermediary in India
The intermediary shall observe following due diligence while discharging his duties, namely : ―
(1) The intermediary shall publish the rules and regulations, privacy policy and user agreement for access or usage of the intermediary’s computer resource by any person. 

(2) Such rules and regulations, terms and conditions or user agreement shall inform the users of computer resource not to host, display, upload, modify, publish, transmit, update or share any information that —
(a) belongs to another person and to which the user does not have any right to;
(b) is grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, pedophilic,  libelous, invasive of another's privacy, hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful in any manner whatever; 
(c) harm minors in any way;
(d) infringes any patent, trademark, copyright or other proprietary rights;
(e) violates any law for the time being in force; 
(f) deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive or menacing in nature;
(g) impersonate another person;
(h) contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer resource;
(i)   threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or or public order or causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation.

(3) The intermediary shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver of transmission, and select or modify the information contained in the transmission as specified in sub-rule (2):
Provided that the following actions by an intermediary shall not amount to hosting, publishing, editing or storing of any such information as specified in sub-rule (2) ―
(a) temporary or transient or intermediate storage of information automatically within the computer resource as an intrinsic feature of such computer resource, involving no exercise of any human editorial control, for onward transmission or communication to another computer resource;
(b) removal of access to any information, data or communication link by an intermediary after such information, data or communication link comes to the actual knowledge of a person authorised by the intermediary pursuant to any order or direction as per the provisions of the Act;

(4) The intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or been brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such information as mentioned in sub-rule (2) above, shall act within thirty six hours and where applicable, work with user or owner of such information to disable such information that is in contravention of sub-rule (2). Further the intermediary shall preserve such information and associated records for at least ninety days for investigation purposes.

(5) The Intermediary shall inform its users that in case of non-compliance with rules and regulations, user agreement and privacy policy for access or usage of intermediary computer resource, the Intermediary has the right to immediately terminate the access or usage rights of the users to the computer resource of Intermediary and remove non-compliant information..

(6) The intermediary shall strictly follow the provisions of the Act or any other laws for the time being in force.

(7)  When required by lawful order, the intermediary shall provide information or any such assistance to Government Agencies who are lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of offences under any law for the time being in force, on a request in writing stating clearly the purpose of seeking such information or any such assistance.

(8) The intermediary shall take all reasonable measures to secure its computer resource and information contained therein following the reasonable security practices and procedures as prescribed in the Information Technology (Reasonable security practices and procedures and sensitive personal information) Rules, 2011.

(9) The intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian Computer Emergency Response Team.

      (10) The intermediary shall not knowingly deploy or install or modify the technical configuration of computer resource or become party to any such act which may change or has the potential to change the normal course of operation of the computer resource than what it is supposed to perform thereby circumventing any law for the time being in force:

   Provided that the intermediary may develop, produce, distribute or employ technological means for the sole purpose of performing the acts of securing the computer resource and information contained therein.

   (11) The intermediary shall publish on its website the name of the Grievance Officer and his contact details as well as mechanism by which users or any victim who suffers as a result of access or usage of computer resource by any person in violation of rule 3 can notify their complaints against such access or usage of computer resource of the intermediary or other matters pertaining to the computer resources made available by it. The Grievance Officer shall redress the complaints within one month from the date of receipt of complaint.

Credit Cards to be More Secure Now But is your Personal Data Secure?

After Shouting and advocating for Chip & Pin cards for more than two years in various National TV Channels and demonstrating loop holes and easy cloning process of currently employed Magnetic strip debit and credit cards, finally RBI has woken now and has asked banks to change the Cards technology to embed Chips & make entering of pin number compulsory by June 2013.
One more thing i have advocating further that is sharing of client/customer data by bank to its subsidiaries or different legal entities like credit card division is blatant violation of Indian Cyber Law aka The IT Act,2000. Banks can be hammered with crores of rupees in damages and compensation for the very act. Every Bank customer should know this that if bank has to share his data with other legal entity then Bank should take (written/email/electronic) permission.

Navy man in Jail for 2 years for Child Pornography, cyber crime in India

Navy man gets 2 years Jail for Child Pornography, cyber crime in India : Cyber crime conviction By Prashant Mali In the case of D...