Challenge to Mr Urjit Patel: Don’t let down the Indian Banking system

When a catastrophe is about to hit us, we look to our leaders to respond with alacrity and decisiveness. The difference between a Manmohan Singh and a Modi lies in that character of decisive action. Now such a challenge is before Mr Urjit Patel, the new Governor of RBI, in the wake of a new threat to the Indian ATM network.

It is reported today that SBI has recalled 6 lakh debit cards and will be replacing them because there has been a “Malware” related security breach in a non-SBI ATM network. SBI tries to pose as if the breach is outside its system, but hides the fact that the “Vulnerability” is in its cards and hence there is a need to replace them.

We will not know the details of the threat, but it could be because many ATMs may still be running Windows XP-based operating systems, or operating without physical guards so that fraudsters can plant attachments such as skimmers to steal card data, or even at the network transmission level where unencrypted data could have been moving.

While the security professionals focus on unraveling the mystery over this card recall, I would like to point out that the risk of fraudulent withdrawals will fall on the Bank customers, and we need to ensure that the negligence of Bankers in maintaining their systems properly does not end up with frauds in which customers’ accounts are debited. Already mass ATM frauds have been reported in Kerala and Karnataka in which a number of customers lost money, and I am not sure they have got their money back.

We all know that when confronted by a victim of card fraud, Banks will always say that they have foolproof security and the fault always lies with the customer. In ATM transactions Banks simply tell the customer that his card could have been used by one of his relatives and he should own the responsibility. The Banking Ombudsmen have been notoriously biased towards the Banks and have failed to protect consumer interests. Adjudicators under ITA 2000 are also either uninterested or in collusion with the Banks to protect their interests. The CyAT, as we know, is non-existent and Courts take ages even to take up the preliminary hearing of such cases.

In this context the August 11, 2016 draft circular of RBI on “Limited Liability on Customers for Bank Frauds” appeared like a great relief. But that circular was a draft for public comment and ought to have been re-issued as an operating circular after August 31. The draft circular was issued at the fag end of Raghuram Rajan’s tenure and the baton passed on to Mr Urjit Patel to confirm it.

Unfortunately, so far there is no news about the circular from RBI.

In the past also when committees like Damodaran Committee on Customer Service presented recommendations favouring customers, RBI did nothing and ignored the report. It was clear that Banks had exercised their unholy influence on the RBI to stall such reforms. SBI was in the forefront of such stalling technique along with ICICI Bank.

Now that we are faced with a prospect of huge customer loss in SBI, RBI and Mr Urjit Patel will have to be considered as culpable for the negligence of SBI.

I suppose Mr Urjit Patel will realize the gravity of the situation and immediately take steps to confirm the August 11 circular that states that

a) Banks must send alerts of every debit without fail

b) Customer shall not be liable if a misuse is reported within 3 days

c) Customer’s liability will be limited to Rs 5000/- if a wrong payment is reported within 7 days or such other limited amount if it is reported thereafter

d) Onus of providing proof of any customer’s culpability is with the Bank… etc

Now there has been an unreasonably long delay in confirming the circular and either it should be presumed as “Confirmed” or Mr Urjit Patel will be personally responsible for holding it up when there is a judicial scrutiny.

My reminders to RBI have so far not evoked any response. But I will be forwarding this note to them, and since it will also be available on the public web it should be considered good notice to RBI about what they have failed to do.

Any customer who faces any Bank fraud may quote this public information and argue that RBI has been complicit by negligence in not operationalizing the circular…

I hope Mr Urjit Patel will call an emergency meeting of his subordinate officers and issue a clarification immediately. If so, my advance congratulations for his quick response.

Naavi

Posted in Cyber Law

Law Should be Made for Compliance

Whenever a new law is framed, there are many stakeholders whose interests get affected. A law is normally meant for the Citizen of a country but is framed by the Government in consultation with those who are close to the law making body at the time of its formation.

Since the days of ITA 2000, a practice has emerged even in India where a proposed law is placed for public comments so that views of the public can be incorporated in the legislation. However, it is a fact that once a basic draft is framed by the group of experts in a Ministry, changing any part of it is next to impossible. Except some cosmetic changes, real changes are impossible. We have seen this happen in the framing of ITA 2000 and its amendments in 2008. (See Here for details).

Once the law was framed, there were complaints that the law was insufficient, draconian, drafted without understanding the industry realities, etc. The same politicians who defended the law in 2000 opposed it in 2008 and industry ignored it until in 2011, it started pinching them under Section 79 and 43A. Even now, when we talk of ITA 2008 compliance, industry finds it difficult to accept the law as it is and complains of misuse by Police and misinterpretation by the Judiciary.

Now that a new law is being proposed for “Health Care Data Privacy”, we should endeavour to avoid the same mistakes that were committed when ITA 2000 was drafted and implemented.

One of the problems which Indian law faces particularly in the type of laws such as ITA 2000/8 or Data Protection is that the impact of law is on the industry and sensible industry captains want to be compliant with the law and not be at the wrong end of the stick.

When new laws are made, they are notified on a specific day, which will be the day when it is passed in the Parliament or otherwise notified for effect. For example, until 17th October 2000, there was no legal recognition of electronic documents in India, and overnight they became recognized along with digital signatures, digital contracts and cyber crimes. Though Naavi.org had been preparing the ground in the industry since around 1998, until the rules were notified nobody knew there would be such a law in effect.

Similarly, on 27th October 2009, suddenly, a host of regulations related to compliance under ITA 2008 became effective overnight. Along with it, all IT companies in India without exception became “Legally Non Compliant to ITA 2008” and became “Rogue Companies not following the law of the land”. Of course even the Police did not understand this, so no case was booked immediately anywhere, but the fact was that there were some legal provisions with which none of us were compliant.

Such a forced state of “Non Compliance” should not happen once again when this new Privacy law for healthcare is introduced in India.

We can recall here how the HIPAA was implemented in USA in 1996. HIPAA is a law which will be reflected in the proposed Health Care Data Privacy and Security Act (HDPSA) that is our subject of discussion here and hence we need to draw lessons from the implementation of this law.

When HIPAA was introduced, as well as when it was amended through the HITECH Act in 2009, a clear time line was given to the industry for compliance: Data standards by such and such date, Privacy rule by such and such date, Security rule by such and such date, with extensions for small businesses, time for running out existing contracts, etc.

All this meant that though the law became effective from a certain date, the industry was given time for compliance over an extended time so that all those in the industry who always wanted to be compliant had their opportunity.

This fixing of a time line for compliance is the first important thing which we need to incorporate in the law. We need to bring in this practice for the first time when this new law HDPSA is notified.

Additionally, when such acts are drafted by non-industry persons, there will be many provisions which are difficult or too complex to implement, and industry may try to find loopholes to avoid them or try to save costs by implementing them wrongly.

To avoid this, industry should be proactively involved in the framing of the law. Here again, when we suggest this to the Government, it will simply say that NASSCOM or FICCI is represented in the working group and therefore industry is represented. But we all know that the NASSCOM Chairperson or FICCI Secretary is not the person who can go into the micro-level discussions that are required to make the law “Compliance Friendly”. He has to depend on his secretariat for bringing things to his attention to be raised before the Government.

In such cases the large companies may be able to have their say but the SMEs and public will never get to be heard.

This proposed law on Health Care Privacy will affect many small companies, some of them startups which have developed medical industry related Apps. It will include small Nursing homes and pharmacies as well as diagnostic centres. They need to have their say in the law.

I would like the community participation to be at a high level in the framing of this law, so that we will not have to accuse the Government of framing the laws that cannot be implemented.

We are still at the beginning of the thinking process as regards this law, but we know the direction in which the Government is moving. By contributing our ideas at the beginning itself, we avoid having to embarrass the Government later by calling it a bad law.

Hence I invite the stakeholders to join this online forum and contribute both in the form of detailed articles and in the form of discussions in the WhatsApp group.

Naavi

Related Article: Times of India


Police target WhatsApp Admins and Facebook posters once again

I refer to an article which appeared in Hindustan Times recently, (Read the article here). I also refer to the article on Police action in Tamil Nadu on rumours on Jayalalithaa’s health.

The article on Jharkhand is headlined “WhatsApp admin to face action if sensitive posts shared in the group”. The news is about the Jharkhand police putting out a notice in the light of the custodial death of a person who was arrested for posting a communally sensitive message. The Police appear to have issued a notice that action will be initiated against the Admin if he does not inform the police about the posting of information considered sensitive under ITA 2008.

What we do not understand is this: if a person posted sensitive information on a WhatsApp group, was arrested and later died in police custody, how can the WhatsApp admin be responsible for this custodial death? Also, under what provisions of ITA 2008 does the Police intend to take action?

By trying to cover up their custodial death problem, the Police seem to be creating a panic in the WhatsApp community and diverting the attention of the public.

By such actions the LEA will lose their credibility and fail to get sympathy of the larger sections of the society. They will also be open to question under the Human Rights Action.

Naavi.org had already covered the responsibilities of WhatsApp admins in great detail earlier. A link to the earlier article is available here : WhatsApp Model Admin Policy

It is however necessary to reiterate here some thoughts on the mistakes that the Police are committing. Since the Government of India is also revising ITA 2000/8, they also need to take into account different viewpoints in this regard.

It is possible that different “Experts” may have different views. It requires a nationwide debate on controversial points to arrive at the most appropriate interpretation of the law.

Unfortunately, “Law” is always an “Interpretation” of the words contained in a statute, which could have been drafted in a certain set of circumstances and with certain objectives that get forgotten over time. Hence the “Legislative Intent” and the “Overall interest of the Community” have to be taken into account before interpreting the law.

There is no argument on the fact that if any activity is intended to create a law and order problem or commit any illegal activity, then the Police should have every right to curb it by both preventive and punitive action. My views on this are too well known to the community to repeat here.

However, what this Circular of the Jharkhand Police represents, and what is happening in Tamil Nadu where more than 50 persons have been arrested for what the Police call “Spreading Rumours” on the health of J. Jayalalithaa, are to be condemned as excesses that should be curbed.

There is however a difference between the Jharkhand-WhatsApp issue and the TN-Facebook issue. WhatsApp is a closed communication group and is more like an indoor meeting. Posting a message as “Public” on a Facebook page may however be similar to making a public comment on the street corner which anybody can hear. A WhatsApp posting is a “One to Many Message” whereas a Facebook posting is “Publishing”, though both may loosely be called a “message”. One is a “private speech” and the other could be a “public speech”. Law has to distinguish the two.

Whether such “Speech” requires punitive action depends on “What is Said” and “With What intent”, “in What Context” and “With What effect”.

A street urchin wondering “Is Jayalalithaa brain dead?” may be doing so out of concern for her and in great anguish. To term it an attempt to create a law and order problem is the height of over-reaction. Similarly, in the Jharkhand case, if the person has died in custody the Police cannot absolve themselves of their responsibility by suppressing public speech on why the person was arrested or the criticism of the Police thereafter.

The Police need to clarify, both in Jharkhand and TN, what followed the initial reaction expressed on Facebook or WhatsApp before the public can consider that the action was justified. But what has happened in TN is that several Facebook pages and YouTube pages have been shut down and we do not really know what comments were made by the 50 different persons which can be called an “Attempt to create unrest in the society”. In the Jharkhand case I presume that the Police want to stop the public outcry on the custodial death rather than prevent communal hatred.

Further, in Jharkhand or TN, if the Police fear a large scale unrest, they can shut down the Internet and call for an “Internal Emergency” so that no information goes out.

I wonder how professional it is for doctors to give out misleading statements and for politicians to make fools of themselves by visiting the doctor and giving a medical bulletin about the patient. Suppose the statements made by the doctors and the political leaders about Jayalalithaa’s health turn out to be incorrect, will they stand trial for lying before the public?

It is sad that even the Madras High Court did not have the guts to ask for making the information public and it is clear that we are in a state of “Emergency” in Tamil Nadu which is more severe than what is there in Srinagar. The Central Government as well as the Courts seem to be willing parties to this suppression of information that needs to be made public in the interest of Democracy.

I seriously wish Mr Modi does not contribute to this farce by visiting Chennai to have a discussion with Dr Pratap Reddy and return to certify that Jaya’s health is improving. Let’s presume that her health is improving and she will return to rule Tamil Nadu without a certificate from Mr Modi.

In the case of Jharkhand, unless a WhatsApp Admin can be considered as part of a conspiracy, it is difficult to understand how he can be punished for a post.

I consider it a responsibility for the Admin to identify the member by the telephone number and possibly by name. If a post is inappropriate, it should be pointed out to the member. But not doing so should not immediately be considered as an offence grave enough for the admin to be arrested. Also most of the time the so called evidence that the Police may have on the WhatsApp posting should be considered as “Illegally acquired” and cannot stand in a Court of law unless a police officer is part of the group.

I completely agree and endorse that what is objectionable is “an incitement to violence” either on Cyber space or real space….and if it materializes. There can also be instances under Section 79 where non-cooperation of the Admins in an ongoing crime investigation can be objected to by Law Enforcement. But liabilities in such cases should be only when a notice is issued and there is a clear case of non cooperation that can be considered as complicity.

I am sure that what I say above could upset a lot of people, including many of my friends. But there is a need for all adults in LEA to avoid irrational and inappropriate application of law which can create wrong precedents. I have many friends in the Police force and I know that they are aware of the law better than myself. I do not want their professional image to be sullied by such inappropriate action taken under some pressure, political or otherwise.

We have already seen the ill effects of such over-enthusiasm of the Police in Palghar, who by arresting two ladies for a Facebook posting/like ended up getting Section 66A scrapped from ITA 2008.

The actions of the Jharkhand and TN police may end up in the banning of WhatsApp and Facebook, or force the Government of India to introduce new provisions in the amendments proposed to ITA 2000/8 that would render ITA 2000 a draconian law to be feared rather than an E-Commerce promotional law for the progress of Digital India. If so, it would be a tragedy.

Naavi

 


Free Anti Ransomware Tools for SMEs

Considering the threat that ransomware poses to all businesses, it is possible that even small businesses and individuals may get trapped, though they are not the primary target of the fraudster in view of their small value. While big businesses need to secure themselves with the best of tools, with real-time updates and real-time backup facilities, small businesses may need to look for a combination of personalized backup with a good anti-malware software.

In this connection, apart from the fundamental anti-virus and anti-malware software, there are some specific anti-ransomware tools that one needs to look for. Ransomware’s primary behaviour is “Encryption” and hence these anti-ransomware tools may focus on spotting any sign of an attempt to encrypt files.

The following page gives details of some of the available free tools in this regard. http://www.thewindowsclub.com/free-anti-ransomware-tools.

1] BitDefender Anti-Ransomware will immunize your computer. What it does is, basically it does not allow executable files from %appdata% and %startup% to run.

2] Kaspersky Anti-Ransomware Tool for Business offers complimentary security to protect corporate users from ransomware. It identifies ransomware behaviour patterns and protects Windows-based endpoints effectively.

3] Trend Micro AntiRansomware Tool removes ransomware from infected computers. To use this tool, enter Safe Mode with Networking. Download the Anti-Ransomware software and save it to your desktop. Next double-click on it to install it. Once it has been installed, restart your computer and go to the normal mode where the screen is locked by the ransomware. Now trigger the Anti-Ransomware software by pressing the following keys: Left CTRL+ALT+T+I. Run the Scan, Clean and then Reboot your computer. This tool is useful in cases of ICE Ransomware infections.

4] CryptoMonitor will actually kill an encryption infection, blacklist it from running again, and notify you as soon as the infection starts. The tool detects ransomware as soon as the latter tries to take over your computer. It then alerts you via email and removes ransomware in most cases. In some cases, where it cannot remove ransomware, it will lock down the computer so that ransomware cannot take over until you get professional help.

5] CryptoPrevent modifies a few group policy settings to prevent executable files from running from some specific locations. CryptoPrevent can change about 200 such settings depending on the version and OS you are using. Some locations it keeps its eyes on are, Recycle Bin, default app directory, local temporary files, All Users application and local data settings folder and more.

6] HitmanPro.Alert is a free browser integrity & intrusion detection tool that alerts users when online banking and financial transactions are no longer safe. The latest version HitmanPro.Alert also contains a new feature, called CryptoGuard that monitors your file system for suspicious operations including CryptoLocker ransomware. When suspicious behavior is detected, the malicious code is neutralized, and your files remain safe from harm.

7] Cryptolocker Prevention Kit is a tool that automates the process of making a Group Policy to disable files running from the App Data and Local App Data folders, as well as disabling executable files from running from the Temp directory of various unzipping utilities.

8] CryptoLocker Tripwire follows a different approach. It runs on the file server. After loading your data share folders, the free tool will copy a witness file that you choose to a hidden subfolder in each of the folders you have selected.

9] Kaspersky WindowsUnlocker can be useful if the ransomware totally blocks access to your computer or restricts access to select important functions, as it can clean up a ransomware-infected Registry.

10] Malwarebytes Anti-Ransomware is a simple software, light in weight capable of running in the background while quietly monitoring the behavior of the machine associated with file encrypting ransomware. Currently, this program is in the beta stage – and free to download and use. Once it goes out of beta, it is likely that it may not remain free.

Also added:

11. WinAntiRansom+ from the makers of WinPatrol (Not a Free Tool: For one computer costs US$14.95 per year)
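Two of the tools above illustrate the behaviour-based approach this post describes: watching for encryption itself rather than for a known file name (item 2, and the opening paragraph), and planting a witness file in every shared folder (item 8). The Python script below is an added example written for this post; it is not code from any of the listed tools or from Naavi.org, and the hidden folder name, witness text and entropy threshold are assumptions chosen for the demonstration. It plants a witness file in every directory under a share, records a baseline hash, and later reports any witness that has gone missing or changed, adding a note when the new contents have the high entropy typical of an encrypted file.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Names assumed for this example. The real CryptoLocker Tripwire tool has its
# own witness-file layout, which the post does not describe.
WITNESS_DIR = ".witness"
WITNESS_NAME = "witness.txt"
WITNESS_CONTENT = b"CANARY: do not modify. If this text is unreadable, encryption has occurred.\n"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text usually scores below ~5, ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def plant_witnesses(root: Path) -> dict:
    """Copy the witness file into a hidden subfolder of every directory under root.

    Returns the baseline {path: sha256} that check_witnesses() compares against.
    """
    baseline = {}
    for dirpath, dirnames, _ in os.walk(root):
        # Never descend into witness folders created on an earlier run.
        dirnames[:] = [d for d in dirnames if d != WITNESS_DIR]
        target = Path(dirpath) / WITNESS_DIR / WITNESS_NAME
        target.parent.mkdir(exist_ok=True)
        target.write_bytes(WITNESS_CONTENT)
        baseline[str(target)] = sha256(WITNESS_CONTENT)
    return baseline


def check_witnesses(baseline: dict, entropy_threshold: float = 7.0) -> list:
    """Return (path, reason) findings; an empty list means every witness is intact."""
    findings = []
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            # Encryptors commonly rename or delete the original file.
            findings.append((path, "missing or renamed"))
            continue
        data = p.read_bytes()
        if sha256(data) != expected:
            reason = "modified"
            if shannon_entropy(data) >= entropy_threshold:
                reason += " (high entropy: looks encrypted)"
            findings.append((path, reason))
    return findings


def demo() -> tuple:
    """Plant witnesses in a constructed share, then simulate the effect of an
    encryptor on two of them and return (witness_count, clean_report, tampered_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "accounts" / "2016").mkdir(parents=True)
        (root / "hr").mkdir()
        baseline = plant_witnesses(root)
        clean = check_witnesses(baseline)
        # Constructed fixture: random bytes stand in for an encrypted file body,
        # and a deleted witness stands in for a renamed original.
        (root / "accounts" / "2016" / WITNESS_DIR / WITNESS_NAME).write_bytes(os.urandom(4096))
        (root / "hr" / WITNESS_DIR / WITNESS_NAME).unlink()
        tampered = check_witnesses(baseline)
        return len(baseline), clean, tampered


if __name__ == "__main__":
    count, before, after = demo()
    print(f"{count} witnesses planted; findings before tampering: {before}")
    for path, reason in after:
        print(f"ALERT {reason}: {path}")
```

Running the script builds a throwaway directory tree, plants four witnesses, then overwrites one with random bytes and deletes another so that the report shows both kinds of finding. The entropy check is only a heuristic: compressed archives and images also score close to 8 bits per byte, so what justifies an alert is the change to a file that should never change, not the entropy on its own.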

I hope it will be useful. Please note that this is only given for information and I have not made any evaluation of any of these tools. I invite experts to submit their views, if any.

Naavi


Today is 17th October: 16 years back we had our Tryst with destiny

Happy Digital Society Day of India


This day in the year 2000, India stepped into the world of Cyber Space with the recognition of electronic documents as equivalent to paper. Along with the recognition of the digital signature as equivalent to “Signature” in law, the world of Digital Contracts became a judicially recognized reality. Thus was born the legally recognized Digital Society of India.

Let’s commemorate the day with some positive action that helps in the development of a Responsible Cyber Society in India.

Naavi.org takes a Digital Society Day resolution to fight a war against ransomware by creating greater awareness among all stakeholders about the dangers of ransomware and how to fight it.

The theme for the year is: ransomware.

Naavi


“Pay up… or else, your device will burst and you will die” could be the new ransomware threat


Our war against ransomware should start with better awareness about the epidemic as it is evolving. Ignorance is not a concern only in India. Even in the US it is stated that more than two thirds of US office workers are unaware of the ransomware threat.

A recent survey of 1000 workers in the US conducted by the security firm Avecto revealed that widespread ignorance prevails about the ransomware threat. About 39% of the respondents expressed that they do not have confidence that their employer has adequate safeguards for their online safety.

Nearly 40% of businesses were hit by ransomware attacks in the past one year, with more than one third of them losing revenue and 20% forced to close down. More than 4000 ransomware attacks happen every day, making it the leading threat in the cyber world. The average ransom demand has reportedly doubled to $679 from $294 at the end of 2015, and over 100 new families of ransomware have been discovered.

Ransomware on Android has grown in several parts of Europe spreading through malicious APK files which users download and install, as well as through tricky spam messages, and malvertising. The malware may some times simply lock the screen and change the PIN to demand ransom.

The next wave of ransomware is expected to attack IoT devices, making life miserable for the tech-savvy digital society resident. While traditional ransomware attacks data residing inside computing devices, IoT ransomware may take control of the devices and make them act under its control, leading to dangerous consequences such as crashing of cars, burning out of devices, causing fire and other physical hazards, including causing the death of a person using the IoT devices near his person.

The growing problems observed in Samsung mobile devices could also be a manifestation of a malware meant to hurt the company. Similar malware can also turn into ransomware to threaten: “Pay up or else, your mobile/device will burst”. With the kind of social engineering that precedes a targeted attack, it is possible that ransomware may be installed on a user’s family device such as a son’s or daughter’s mobile and a threat sent to the father so that immediate compliance is guaranteed.

The risk becomes larger since “Ransomware as a Service” (RaaS) is increasingly being offered by the underworld. This ensures that it can be used just as “Supari Killers” are used in the physical world for committing murders. This empowers all and sundry to adopt ransomware to settle personal scores and make money.

The rise of “Crime ware as a Service” requires to be tackled at the same level as we handle “Terrorism” as a part of global security. I wish global leaders like Mr Modi as well as ISIS baiters like Donald Trump do not forget to fight the threat of “Crime ware as a Service” to protect the digital world of the next decade.

The fight against ransomware in the corporate world has to focus on reducing the possibility of employees falling victim to spearphishing attacks. While most infections are caused by “Opening of Attachments” from e-mails and we often say “Do not open attachments from unknown persons”, the fraudsters who use spearphishing spend time researching the victim and finding out his weaknesses before sending out an attachment. While it may be possible to teach an employee not to open an attachment that says “Exclusive Pictures of the URI attack” or “A Bollywood star in Bed with a Cricketer”, it would be difficult to make him not open an attachment which appears to come from his boss and says “Proposed Salary Revision”.

Phishing of e-mails and websites has become so sophisticated that we need “Two factor authentication” for every e-mail to add to its trustworthiness.

Recently, in India a phishing website in the name of “lCICI” was found to confuse the Netizen with “ICICI” (The leading Bank in India).

[Image: icici_bank_phishing]

Watch the adjoining picture and let me know if you can spot the difference in the URL from a URL that would represent the genuine ICICI Bank.

If such phishing succeeds, as in most cases it would, one cannot blame the eye sight of the Netizen.
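The lCICI/ICICI trick works because a small L and a capital I are nearly identical in many fonts, and since hostnames are case-insensitive the two spellings differ by a single letter once lowercased. The Python check below is an added example for this post, not code from ICICI Bank, RBI or Naavi.org; the protected-domain list, the confusable map and the short list of two-label public suffixes are assumptions for the demonstration. It extracts the registrable domain from a URL, folds look-alike characters onto one representative, and reports the URL as genuine, a look-alike, brand abuse elsewhere in the hostname, or unrelated, which is the kind of check a mail gateway or browser extension can run before the customer ever sees the link.

```python
from urllib.parse import urlsplit

# Assumed for this example: the domains the defender wants to protect. This is
# configuration supplied by the defender, not an authoritative list of the Bank's domains.
PROTECTED_DOMAINS = {"icicibank.com"}

# Characters that render alike in common sans-serif fonts, folded onto one
# representative. After lowercasing, the capital I / small l trick on the page
# becomes i versus l, which this map collapses.
FOLD_SINGLE = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s", "2": "z", "8": "b"})
FOLD_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]

# Suffixes under which the registrable domain is three labels long.
# Constructed short list; a production check would use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.in", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def fold_confusables(name: str) -> str:
    """Map look-alike characters onto one spelling so near-twins compare equal."""
    name = name.lower().translate(FOLD_SINGLE)
    for pair, rep in FOLD_PAIRS:
        name = name.replace(pair, rep)
    return name


def classify_url(url: str) -> str:
    """Classify a URL against PROTECTED_DOMAINS.

    genuine      registrable domain is a protected domain, spelled exactly
    lookalike    registrable domain equals a protected domain only after folding
    brand-abuse  a protected brand label appears elsewhere in the hostname
    unrelated    nothing in the hostname resembles a protected brand
    invalid      no hostname could be parsed from the URL
    """
    host = urlsplit(url).hostname
    if not host:
        return "invalid"
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return "genuine"
    folded_reg = fold_confusables(reg)
    folded_host = fold_confusables(host)
    for brand in PROTECTED_DOMAINS:
        if folded_reg == fold_confusables(brand):
            return "lookalike"
    for brand in PROTECTED_DOMAINS:
        brand_label = fold_confusables(brand.split(".")[0])
        if brand_label in folded_host:
            # e.g. the brand used as a subdomain of some unrelated registrable domain
            return "brand-abuse"
    return "unrelated"


def triage(urls):
    """Return {url: verdict} for a batch of links, e.g. those pulled from an e-mail."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links for the demonstration.
    for url, verdict in triage([
        "https://www.icicibank.com/login",
        "https://www.lcicibank.com/login",
        "http://icicibank.com.secure-update.example.net/",
        "https://example.org/",
    ]).items():
        print(f"{verdict:12} {url}")
```

The genuine check is done on the raw spelling and the look-alike check on the folded one, so a protected domain can never be flagged as its own impostor. The fold table is deliberately small; a fuller implementation would also handle internationalised domain names, where whole Unicode scripts supply look-alikes, and would take its suffix list from the Public Suffix List instead of the three entries assumed here.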

(Let RBI which is holding up the limited liability circular under the vested interest’s pressure take note that Customer cannot be held responsible for negligence if he is tricked into believing that such phishing e-mails are genuine).

Cylance, a security firm has recently put out a detailed account of how Cerber Ransomware operates which is an excellent guide for everyone watching this space to study.

Cerber is the third most prevalent ransomware in the wild with a market share of 24%, behind CryptoWall (41%) and Locky (34%). Its uniqueness is that it continuously changes its file name, making it impossible for anti-virus software to identify it by its signature file name. It is known to spread via weaponized Microsoft Word documents and also by exploiting vulnerabilities such as those in Adobe Flash Player. Sophisticated distribution mechanisms with “Affiliate Programs” are on offer. It uses “Bitcoins” as the payment mode.

It is said that the average cost of ransomware in large corporations could be $1 million to $10 million, making it a risk that cannot be ignored. The Bitcoin community which wants to legitimize the use of Bitcoin as a recognized currency needs to take steps to ensure that ransomware does not become the new “Silk Road”, as the war against ransomware will start with the complete shutting down of “Bitcoin” as a legit currency.

I urge the Government of India and Mr Narendra Modi to use the occasion of the anniversary of the Digital Society Day of India falling on 17th October to declare the “War on Ransomware” open.

To start with, the Government should announce its intention to tackle this as “Cyber Terrorism” and register cases under Section 66F of ITA 2008, so that it falls within the international cooperation treaties and enlists the support of law enforcement agencies in other countries. The rest of the strategy can be discussed subsequently.

It would be better if the Government sets up an expert committee to develop the strategy for tackling the menace of Ransomware (without limiting it to the coterie in Delhi).

Dear Mr Modi…. are you listening?

Naavi
