Is there an Indo-Russia Cyber Attack collaboration in the offing?

After the surgical strikes by the Indian army on Pakistan terrorist launch pads, there has been a series of attacks by physical terrorists in different parts of Kashmir. At the same time, it appears that there are low-intensity cyber terrorist attacks across the Cyber LOC.

Just as there is little difference between the physical terrorist attacks and a “War” when it comes to Pakistan (since they have adopted terrorism as a tool of war), the cyber attacks on IT firms in Hyderabad are also no different from a Cyber War.

Refer article here

There is a fine line of distinction between Cyber War and Cyber Terrorism. Cyber War is conducted by state actors, while Cyber Terrorism is conducted by non-state actors. Cyber War is mostly directed at military targets, while Cyber Terror strikes at soft public targets.

Conventions for Cyber War are yet to be developed internationally and are therefore non-existent in practical terms. (The Tallinn Manual is under development and could eventually become the basis of an international agreement on Cyber Warfare.)

The Hyderabad attack is reported to be a ransomware attack on many finance companies. Though there has been a denial from Hyderabad police sources, it is possible that there was at least a “Defacement Attack”, probably at the ISP level. There was also an earlier report of Indian hackers hacking into Pakistani Government websites and planting ransomware.

These mutual attacks have raised an important issue about the role of “Cyber Attacks” in national defense. Obviously, if the attacks are launched by Government sources, they will be part of military operations, just like the “Surgical Strikes”. But such attacks need to be confined to military targets and not civil targets. When civil targets are hit, it is more akin to a terror attack than a military operation, unless it can be justified as collateral damage. If such attacks are launched by non-military personnel, Pakistan has every right to call it a Cyber Terror attack by Non-State Actors in India.

In order to ensure that Indian hackers are not drawn into legal battles in international courts, it is necessary for the Government to define a proper policy for such cross border cyber attacks.

Firstly, the Government of India should develop (if it has not so far done so) a Cyber Army which is part of military operations. This Cyber Army should focus on military targets. It is not necessary that it be manned only by current defense personnel; other private teams can be used for the purpose. Along with it, if the Government wants to develop a supported non-state actor group, that is the Government’s call. China must already have such an outfit. It would be like the RAW in Cyber Space and part of the intelligence network.

As regards other private parties, it is necessary to classify them as “Non-State Actors”. If, therefore, cyber attacks are carried out by hackers on either side, they are open to international legal action, and the Governments of each country may disown them if they are identified.

It is open to such hackers to take the risk if they so wish, but they should not expect much support from the Government.

We understand that Mr Modi may have a Cyber Attack Collaboration agreement with Russia which should be the starting point for developing a Cyber Army in India. If this happens, we welcome the move.

We therefore watch the BRICS summit in Goa closely to see if an agreement is signed in this regard between India and Russia.

Naavi


58 Million Records compromised in USA…. ICICI Bank may need to issue a disclaimer

An unprotected open-source database of Modern Business Solutions (MBS), based in Austin, TX, is said to have exposed between 58 million and 258 million database records of its customers because of a faulty security configuration.

According to this report from riskbasedsecurity.com, the firm provides a cloud-based data management platform called Hardwell Data, allowing customers to collect, store and transfer data records regardless of format, including a cloud-based hosting system for databases. It is stated that the IP address of the insecure database was identified through an internet search and shared within a small group of friends, which ultimately resulted in the mega data breach.

Leaked information included names, IP addresses, birth dates, email addresses, vehicle data and occupations.

It is understood that the database has now been secured and is no longer accessible. This, however, confirms that the breach was a result of gross negligence by the information security managers of the firm.

While the IS professionals look at the problem from their perspective, there is another angle to the whole episode.

“Modern Business Solutions” is a common name used by many businesses and websites, many of them in India. At least one of them is known to be providing services to ICICI Bank. It is possible that the MBS of Austin has no connection with the company having a business relationship with ICICI Bank.

However, as part of its “Compliance Requirements”, it is necessary for ICICI Bank to come out with a public disclaimer that there is no business relationship between the MBS of Austin, TX and the Bank, and that no data of any Indian is involved in the data breach.

The same advisory holds good for all business entities in India who deal with any company called “Modern Business Solutions”: they should issue the necessary disclaimers. Such companies who are “Lookalikes” also need to issue their own disclaimers.

For the future, every company should consider using the services of “www.lookalikes.in” so that when such reputation loss occurs on account of a shared name, their own customers feel reassured.

Naavi


Attention Mr Modi: Make this year’s “Digital Society Day” memorable

October 17 is a special day in the digital history of India, since it was on this day in the year 2000 that India first provided legal recognition for electronic documents by notifying the Information Technology Act 2000. Since then, the life of many IT professionals in India has changed forever. Along with recognition of electronic documents came Digital/Electronic signatures and a whole set of business opportunities around them. Cyber Lawyers saw a new field of activity emerging, and professionals in law enforcement had to recognize the new domain of Cyber Law enforcement. E-Commerce and E-Governance, as well as E-Banking in particular, have also contributed to millions of job opportunities that can be attributed directly to the event of October 17, 2000, notifying the ITA 2000.

Now, under the leadership of Mr Modi, India is talking of a new era of digital progress beyond e-commerce and e-Governance. We are deep into Mobile Commerce and the use of Aadhaar as a universal digital ID. Smart Cities and IoT devices are slowly becoming part of our lives. Electronic circuits are part of many of our day-to-day gadgets, including wearable watches, cars, washing machines etc.

Along with these developments in technology, Cyber Crimes are also increasing, and the Police are under constant challenge to tackle the new-age crimes.

In such an environment, it is the duty of every one of us who has directly or indirectly been affected by the advent of Cyber Laws in India, which created Netizens out of Citizens, to commemorate October 17 with the respect it deserves.

I therefore urge all Cyber Professionals to conduct their own special activities on this October 17 to just remember that this is the day when the “Digital Society of India” was born.

If you are in an educational institution, call your students and hold an awareness meeting.

If you are in a Company, have an “ITA 2008 Compliance Meeting”.

If you are a Bar Council member, call a meeting to discuss “Cyber Laws in India”.

If you are in the Police, conduct a meeting of your subordinates and increase their awareness of Cyber Crimes.

If you are in Indian Defense, develop an awareness of the world of Cyber Wars: the next war will be dominated by Cyber attacks.

And if you are Mr Narendra Damodar Das Modi, call a cabinet meeting and make your Cabinet colleagues aware of the importance of developing and managing a “Cyber Law Compliant E-Governance system”.

Just as “International Yoga Day” is, the “Digital Society Day” deserves to be commemorated.

Naavi


“Don’t BYOD” will be the new norm.

Over the last few years, tech enthusiasts have been encouraging BYOD, or Bring Your Own Device, as a concept in the corporate environment, firstly to reduce costs and then to bring more convenience to employees operating seamlessly both in the office and out of it. Over time, some have even suggested “Bring Your Own Cloud”, encouraging employees to use their own cloud storage even for storing the corporate data assets they handle.

However, security professionals have always raised a red flag against such innovative measures, since it is a security nightmare to apply the IS principles for protecting the confidentiality of information on devices the company does not own.

Companies have tried to manage the issue with a firewall control that checks the integrity of the device every time it is connected to the corporate network. But this is hardly sufficient security against the risk of deliberate or inadvertent misuse of the device when it is connected to other networks at home or in public, and against the possibility of stealth viruses sneaking in. The only control for such possibilities is up-to-date antivirus software, which may, however, be updated only when the device is connected to the corporate network, and which cannot prevent zero-day malware getting in between two working days while the device is off the corporate network.

Now the risks are expanding, with mobile phones becoming smarter than they should be. There is malware known to activate the microphone or camera, record conversations in the vicinity and send them out over the network to a command and control center for further exploitation. Companies have countered this by trying to ban the use of mobiles in some sensitive operational areas, though many ignore such precautions.

Now, in an interesting security measure, the UK Government has banned the wearing of the “Apple Watch” in cabinet meetings, since it is considered a spying threat.

Read the Article here

In the corporate world, the use of “Wearables” is the next craze, and one can see top executives looking smart with wearables that monitor their health and substitute for the mobile in some functions, such as checking messages. There is no doubt that today most of us check messages on the mobile more often than we check the time on a watch, and hence it makes sense to display messages on the wearable watch.

But it is time to recognize that companies need to start discouraging employees from bringing too much gadgetry into the sensitive corporate environment, putting security at risk. At the same time, it is time to add “Wearables” to the list of monitored BYOD devices on the corporate network.

When ITA 2008 undergoes its next revision, perhaps the Government needs to recognize the cyber crime threats arising from such gadgets as part of the cyber ecosystem it should protect through legislation.

Naavi


Consumer Protection Bill 2015 - Some Thoughts 5 - What’s in It for Business?

(This is a continuation of the series of articles on this subject)

Article1 : Article 2 : Article 3: Article 4 : Article 5

(Easy to Read copy of the Bill)


What’s in It for Business?

The first impression of the new and improved “Consumer Protection Act” set to come into force in India with the likely passage of the Consumer Protection Bill 2015 in the coming Parliament session is that it is meant for activists, lawyers and, of course, the small set of vigilant consumers.

However, it must be remembered that the same consumer who wants a strict Consumer Protection Law may also be the proprietor or business owner who is at the receiving end of strong consumer protection legislation. There is no need to presume that he is always interested in cheating the customer to make money. After all, not all businessmen are dishonest and greedy. The new Consumer Protection Bill 2015 (CPA2015) will therefore be of great interest to businessmen, and particularly to those professionals working in large business houses that conduct business offline and online. It is relevant not only for Hindustan Lever, Nestle, Colgate or Patanjali, but also for Flipkart, Snapdeal, Amazon and others.

We shall therefore look at the CPA2015 from the “Compliance” angle and try to identify some focus areas for business. (Refer to the copy of the Act here whenever needed.)

Penalty

Let us first look at the “penalty” clause in the Act.

As per Clause 79 of the CPA 2015,

(1) Where a trader or a person against whom a complaint is made or the complainant fails or omits to comply with any order made by the District Commission, the State Commission or the National Commission, as the case may be,

such trader or person or complainant shall be punishable with imprisonment for a term which shall not be less than one month but which may extend to three years,

or with fine which shall not be less than ten thousand rupees but which may extend to fifty thousand rupees, or with both.

(2) Notwithstanding anything contained in the Code of Criminal Procedure, 1973, the District Commission or the State Commission or the National Commission, as the case may be,

shall have the power of a Judicial Magistrate of the first class for the trial of offences under this Act, and on Conferment of such powers, the District Commission or the State Commission or the National Commission, as the case may be, shall be deemed to be a Judicial Magistrate of the first class for the purpose of the Code of Criminal Procedure, 1973.

(3) All offences under this Act may be tried summarily by the District Commission or the State Commission or the National Commission, as the case may be.

It is to be noted that both civil and criminal liability attach to non-compliance, and that the authorities entrusted with adjudication have magisterial powers and take decisions on a summary basis. The scope for dragging out the case and harassing the complainant is therefore limited, and businesses cannot take the consequences lightly.

Product Liability

Chapter VI of the Bill states that the “manufacturer” or “producer” of a product shall be liable in a product liability action if the claimant establishes all of the following by a preponderance of the evidence:

(a) the product contains a manufacturing defect or there is a deviation from manufacturing specifications;

(b) the product is defective in design;

(c) the product failed to contain adequate instructions of correct use to avoid danger or warnings of the improper/incorrect use;

(d) the product did not conform to an express warranty with respect to the product made by the manufacturer or product seller;

(e) the defendant was the manufacturer of the actual product that was the cause of harm for which the claimant seeks to recover compensatory damages; and

(f) the dangerous aspect of the product was the proximate cause of the harm suffered by the claimant.

The Product Seller will be liable in a product liability action in the following circumstances:

(i) the product seller exercised substantial control over the aspect of the design, testing, manufacture, packaging, or labelling of the product that caused the alleged harm for which recovery of damages is sought

(ii) the product seller altered or modified the product, and the alteration or modification was a substantial factor in causing the harm for which recovery of damages is sought

(iii) the product seller made an express warranty as to such product independent of any express warranty made by a manufacturer as to such product, such product failed to conform to the product seller’s warranty, and the failure of such product to conform to the warranty caused the harm complained of by the claimant;

(iv) the claimant is unable, despite a good faith exercise of due diligence, to identify the manufacturer of the product

(v) the manufacturer is not subject to service of process under the laws of the State; or

(vi) the court determines that the claimant would be unable to enforce a judgment against the manufacturer.

From the above, it can be deduced that sellers of products imported from abroad, such as the ubiquitous Chinese products, could be liable in a product liability action, since the manufacturer either cannot be identified or cannot be sued.

A product seller other than the manufacturer may also be liable on the basis of negligence if the seller did not exercise reasonable care in assembling, inspecting or maintaining the product, or in passing on warnings or instructions from the manufacturer about the dangers and proper use of the product (provided that the failure to exercise such reasonable care was a proximate cause of the harm).

It is to be noted that a “Complaint” under the CPA 2015 may be made for:

a) Unfair Trade Practice

b) Defects in the product or Deficiency of Service

c) Excessive charging

d) Unfair contract entered into

and for the sale of hazardous and unsafe products, as well as violation of safety standards, if any.

Any act of withholding relevant information from the consumer could be considered a “Deficiency” of service, and any statement made on the internet or a website could be considered an “advertisement”. Any warranty or promise contained in communication with the consumer which is known to be untrue would constitute an “Unfair Trade Practice”.

The possibilities of deliberate and not-so-deliberate mis-statements normally arise because many products require the additional services of “Installation” and “Demo”, which are sometimes handled by third-party contractors who have no loyalty either to the brand or to the selling outlet, and product liability could arise out of the actions of these “agents”.

Manufacturers, as well as reputed retailers who have their own brand positioning, need to ensure that the agents representing them are well trained and informed, so as to avoid any type of mis-communication, over-charging, damage or harm to the consumer at the time of installation.

Retailers conducting “Festival Sales” and online companies running special campaigns such as “Big Billion Sales” often hire temporary employees during the peak sales period who are untrained and unprofessional. The actions of such persons could create liabilities for the suppliers if properly pursued by a vigilant consumer.

It is also essential for all manufacturers and suppliers to put in place a proper “Grievance Redressal Mechanism”, which could act as a cushion to soften the adverse impact of deficient service or a defective product.

The CPA2015 provides its own mediation process, but it is possible for product manufacturers/sellers to insert a dispute resolution mechanism of their own before the mediation process or action by the dispute redressal agencies envisaged under the Bill can be invoked. This is already mandatory for online service providers under ITA 2000/8 and should be useful for others too. Such an alternate dispute resolution mechanism can be an “Ombudsman”, “Mediation” or “Arbitration”.

If a consumer gets reasonable redressal of a grievance under the service provider’s own dispute resolution mechanism, the adverse impact of the mediation envisaged under the Bill could be reduced.

Naavi


Consumer Protection Bill 2015 - Some Thoughts 4

(This is a continuation of the series of articles on this subject)

Article1 : Article 2 : Article 3: Article 4 : Article 5

(Easy to Read copy of the Bill)


Scope of CPB2015

The reasons for which a consumer can invoke the protective provisions of the Act, as indicated in the definition of “Complaint”, are:

  1. “Unfair Trade Practice”
  2. “Defect in the Product”
  3. “Deficiency in Service”
  4. “Over charging”
  5. Selling of “hazardous” goods
  6. Providing of “hazardous services”, and
  7. “Causing loss through unfair contract”

A “Consumer dispute” is recognized when the person against whom a “Complaint” has been made denies or disputes the allegations contained in the complaint.

For a valid complaint, therefore, it is necessary for the complainant to show a cause of action under any of the parameters indicated above, and also that the dispute has been raised with the seller, who has refused to redress the complaint.

The parameters indicated above have been defined in detail in the Act and can be discussed separately.

Similarly, the procedures for lodging a complaint may also be discussed later, particularly once the rules are available.

Naavi
