The Great Data Robbery… Why is it a national security issue?
This is a continuation of the previous article “The Great Data Robbery in India…64 crore data sets…weaponized for the next election...”
We have seen many data breaches from hospitals, banks, payment gateways etc. Most of these are targeted at financial crimes and result in ransomware attacks or direct phishing attacks. But what has been unearthed now in Cyberabad appears different. This data heist is not limited to financial objectives.
The classification of the data into different categories is really intriguing and raises alarm. The catch has been of a person who is said to be operating through a website “InspireWebz”.
We can stumble upon www.inspirewebz.com, a website which is marketing several “Data Extractor Softwares”. Whether the arrested person is a user of these tools or the owner of this website is not known. But the data extractor tools marketed on this website are clearly tools that can be used to commit what a data protection law would consider as “Objectionable Extraction”.
We are aware that DPDPB 2022 considers that extraction of data from publicly available data space does not require specific consent. However, systematic marketing of these tools is facilitating criminals and hence the website should be considered as part of a “Conspiracy” to commit Cyber Crimes.
From the initial indications, the person arrested by Cyberabad police could have bought all the available tools in this website and later filtered and classified the data into different categories.
The press report referred to in the earlier article lists about 109 categories besides 25 state categories.
26. Job Seekers Database | 40 lakhs |
27. Domain Whois Database | 3.47 crore |
28. Schools, Colleges, Universities & Education 50000 | 4.2 lakhs |
29. Teachers Database | 5.7 lakhs |
30. Advocates & Lawyers | 1.64 lakhs |
31. Agents | 28000 |
32. Apparel & Garments | 65200 |
33. Architect & Interior Designers | 65000 |
34. Beauty Parlors, Hair Cutting Saloons & SPA | 70000 |
35. BPO Call Center Employees | 2.6 lakhs |
36. Building Material & Requisites | 15500 |
37. Business Analyst | 25000 |
38. Business Development & Sales Professionals | 1.5 lakhs |
39. Cab Users | 1.84 lakhs |
40. CBSE School Email IDs | 18000 |
41. Cell Phones & Accessories Shops | 13600 |
42. CEO, CFO, CTO, CMO | 2 lakhs |
43. Channel Sales Persons Database | 50000 |
44. Chartered Account | 42000 |
45. Chemical Pharma Companies Database | 39000 |
46. Chemists Database | 1.23 lakhs |
47. Chief Managers | 20800 |
48. Civil Engineer | 2.53 lakhs |
49. Club Mahindra | 3.26 lakhs |
50. Commercial & Residential Properties | 29000 |
51. Company MD, Secretatiaty & Chairmen Database | 5.2 lakhs |
52. Company Proprietors Database | 3.9 lakhs |
53. Computer Laptop Dealers Database | 17000 |
54. Computer, IT & Telecom Services | 54000 |
55. Consultants & Consulting Services Database | 2.04 lakhs |
56. Contractors Database | 10900 |
57. Credit Card Holders 3000000 | 98 lakhs |
58. CRM, Call Centres BPO Executives Database | 1.2 lakhs |
59. Dealers Database | 20000 |
60. Debit Card Holders | 8.1 lakhs |
61. Defence Force Delhi NCR Database | 2.55 lakhs |
62. Designers Database | 50000 |
63. Digital Photography Studios Database | 58000 |
64. Dining Leisure Customers Database | 24000 |
65. D-Mat Account Holders | 35 lakhs |
66. DTP Operators Database | 14000 |
67. Economic Analysts Database | 13500 |
68. Educational Institutes Database | 11100 |
69. Electricals Electronics Stores Database | 1.5 lakhs |
70. Employees Delhi NCR Bank Database | 34000 |
71. Energy Power Sector Delhi NCR Database | 23600 |
72. Female Consumer Bangalore Database | 1.17 lakhs |
73. Financial Analysts Managers Industry Database | 1.04 lakhs |
74. Food Beverage Stores Database | 31000 |
75. Freelancers 76000 | 76000 |
76. Frequent Flyer 1.60 Lac | 18 lakhs |
77. Furniture Furnishing Business Database | 27000 |
78. Gas Petroleum Database | 1.03 lakhs |
79. Gems Jewellery Shops Database | 34000 |
80. General Managers Database | 14.6 lakhs |
81. Government Employees 110000 | 11 lakhs |
82. Graphic Designers Database | 48000 |
83. Gymnasiums 24000 | 24000 |
84. Health Beauty Shops Business Database (1) | 54000 |
85. HNI & High Income Employee 5 Lac | 5 lakhs |
86. Home, Garden Pets Suppliers Database | 29000 |
87. Hotels, Restaurants, Restro Bars, Outlet 2 Lac | 2 lakhs |
88. HR – Human Resources Database | 38500 |
89. Importers Database | 1.06 lakhs |
90. IT Companies Database | 39000 |
91. IT Professionals, Hardware Networking Working Employees Database | 15 lakhs |
92. Jewellers Database | 14800 |
93. Lecturer Professor Database | 25000 |
94. Legal Firms Database | 11455 |
95. LIC Agents Emails Database | 10962 |
96. Logistics Management Service Providers Database | 87653 |
97. Industrial Equipments Machinery Suppliers Database | 52000 |
98. Male Gents Database | 22 lakhs |
99. Manufacturing Companies Database | 1.6 lakhs |
100. Metals Minerals Industries Database | 15850 |
101. MLM Leader Emails Database | 1.12 lakhs |
102. Mobile Number Database | 3 crores |
103. NGO Trusts Database | 22034 |
104. NRI (non Resident Indians) 126633 | 1.26 lakhs |
105. OLX 1500000 | 15 lakhs |
106. Pancard Holder 1500000 | 15 lakhs |
107. Photographers Database | 28000 |
108. Placement Agencies Database | 48300 |
109. Policy Bazaar Database | 7.8 lakhs |
110. Principals Database | 14180 |
111. Printing Packaging Companies Database | 43408 |
112. Project Leader Managers Database | 32000 |
113. Purchase Procurement Heads Database | 47125 |
114. Purchase Managers Database | 67638 |
115. Real Estate Industry Database | 4 lakhs |
116. Recruitment Agencies Database | 49900 |
117. Religares Database | 4.13 lakhs |
118. Retail Shops 35000 | 35000 |
119. Samaj Community Wise 2 Crore | 2 crores |
120. Semi Government Industries Database | 19340 |
121. Senior Citizens 2000000 | 10.6 lakhs |
122. Services Industries Database | 1.88 lakhs |
123. Shopping Malls, Firms Shops Database | 81441 |
124. Software Engineers Database | 2.7 lakhs |
125. Steel Steel Products Industries Database | 1.17 lakhs |
126. Stock Broking Trading Companies Database | 2.06 lakhs |
127. Stock Traders 700000 | 7 lakhs |
128. CBSE Students data (10th & 12th Class) | 30 Lakh |
129. BYJUS & VEDANTU database | 18 lakhs |
130. STUDENTS Database | 2 crores |
131. NEET STUDENTS Database | 1.8 lakhs |
132. 9th & 10th STUDENTS Database | 1.5 crores |
133. NRI Database | 1.2 lakhs |
134. Facebook And Instagram Groups Database | 800 |
The state-wise classification had the following information.
State/ City Wise | Total Count |
1. WEST BENGAL | 70 Lakh |
2. UTTAR PRADESH | 21.39 Crore |
3. TAMILNADU | 1.02 Crore |
4. RAJASTHAN | 2 Crore |
5. PUNJAB | 1.5 Crore |
6. PUNE | 12 Lakh |
7. ODISSA | 30 Lakh |
8. NORTH EAST | 60 Lakh |
9. MUMBAI | 46 Lakh |
10. MAHARASHTRA | 4.50 Crore |
11. MADHYA PRADESH | 1.10 Crore |
12. KOLKATTA | 46 Lakh |
13. KERALA | 1.57 Crore |
14. KARNATAKA | 2 Crore |
15. JAMMU & KASHMIR | 25 Lakh |
16. JAIPUR | 68 Lakh |
17. HYDERABAD | 56 Lakh |
18. HARYANA | 1 Crore |
19. DELHI NCR | 20 Lakh |
20. DELHI | 2.70 Crore |
21. CHENNAI | 70 Lakh |
22. BIHAR | 1 Crore |
23. BANGLORE | 60 Lakh |
24. ASSAM | 90 Lakh |
25. ANDHRA PRADESH | 2.10 Crore |
Total | 48.4 CR |
The state-wise classification, read along with the profession-wise classification, indicates multiple misuse possibilities.
It could be used for all types of Cyber Crimes and also for structured AI-assisted communication, including sending deep fake videos to influence the free choice of the public during the next elections, on the lines of what Cambridge Analytica was accused of.
It is time for the data protection and cyber security community to debate how this threat should be viewed. Is it a simple cyber crime or Cyber Terrorism? Is it only an “Attempt” or an “Executed crime”? What are the liabilities of all those who might have purchased the different packs of software? How have they used it? By this time all buyers should have been raided by NIA and records should have been collected on their activities.
Naavi
The Great Data Robbery in India..64 crore data sets..weaponized for the next election..
The following was a press note issued by Cyberabad police on a recent data theft investigation which is considered the largest data theft in the world.
We shall discuss this in greater detail in the follow-up article.
What is important to note is that the seizure of the data indicates collection from different sources in a systematic manner and organization of the data according to location in different states, practice of different professions, holders of different credit/debit cards, Defence personnel, etc.
The systematic organization indicates that the data could be used for different purposes.
The statewide classification indicates that this was structured and could be used for election campaign purposes also.
This is a classic indication of how information can be weaponized for nefarious purposes.
Hence this is a bigger scandal than the Cambridge Analytica. It involves multiple states and perhaps an attempt to destabilize the country.
We do not know if this investigation leads to George Soros funding or PFI activities. The ramifications would be beyond Telangana and hence this needs a very serious consideration and investigation at the national level.
We congratulate the Cyberabad Police for their excellent work. However, in view of the multiple states’ involvement and the potential use of the data for Cyber Crimes and also for manipulation of public opinion for political purpose, I request NIA to consider this as “Cyber Terrorism” under Section 66F of ITA 2000 and take over the investigation.
Naavi
The New Criminal on the Internet: Tox Service
Since 1971, when the first concept of a “Malware” surfaced, we have been fighting the menace of viruses, Trojans, worms etc., which are all “Malicious” programs that automatically spread into the user’s computer. The initial purpose of the viruses was to disrupt the operations of the user for fun or revenge. Gradually it was identified as an attempt to sell an “Anti Virus Software”. But the “Virus Eco System” turned greedy in financial terms and in later years it has become a “Criminal Extortion Tool” in the form of “Ransomware”.
India introduced ITA 2000 as a legislation which identified introduction of Computer virus or any computer contaminant as an offence punishable with 3 years imprisonment. After 2008, the amendments gave CERT In the powers under the statute to regulate the cyber security measures implemented in the industry. CERT In has been issuing many guidelines as well as advisories including the advisory on how to handle ransomware attacks. (September 27, 2022 advisory)
Indian companies are however oblivious to the existence of ITA 2000 and a regulatory agency like CERT IN. They are more enamoured by the ISO 27001 type of business driven audits and remain complacent.
With the advent of Artificial Intelligence, while responsible security professionals speak of using AI for Cyber Security, the criminals have already started using AI for sending phishing mails and launching malware attacks. Hence even the ransomware attacks will increase.
We therefore urge organizations to take suitable steps to protect their organizations against AI supported cyber attacks.
Despite ChatGPT claiming that it does not support criminals, Cyber Security professionals have pointed out how ChatGPT can be misused. Just like a criminal lies when asked directly if he is a criminal, ChatGPT also denies its involvement in creating malware.
There have been earlier ransomware attacks where amateurs had used an e-mail contact for ransom discussion through “Crimeware assisting services” like Proton mail. Now professional ransomware attackers are using ToxID to discuss ransom demands. (See here for information on Tox).
Tox which began in the light of the Snowden leaks, started with the idea of creating an instant messaging application that ran without requiring the use of central servers. The system would be distributed, peer-to-peer, and end-to-end encrypted, with no way to disable any of the encryption features; at the same time, the application would be easily usable by the layperson with no practical knowledge of cryptography or distributed systems.
During the Summer of 2013 a small group of developers from all around the globe formed and began working on a library implementing the Tox protocol. The library provides all of the messaging and encryption facilities, and is completely decoupled from any user-interface; for an end-user to make use of Tox, they need a Tox client.
Tox is a FOSS (Free and Open Source) project. All Tox code is open source and all development occurs in the open. Tox is developed by volunteer developers who spend their free time on it, believing in the idea of the project. Tox is not a company or any other legal organization.
Now there exist several independent Tox client projects, and Tox has thousands of users and hundreds of contributors, most of whom are criminals engaged in cyber crime and ransomware attacks.
Tox proudly says that it does not accept any donations probably because all the ransomware attackers pay their own contribution to this “Voluntary Criminals who developed Tox”.
It is unfortunate that law enforcement and law makers do not take sufficient steps to control these malware services and allow them to continue to be in business.
I request CERT In to take steps to ensure that Tox service does not enter the Indian cyber space. I am sure that some experts say this is impossible. But I do not believe that anything is impossible if there is a will. Where there is a will there is a way.
Tox is an intermediary which assists ransomware attackers and hence is ultra-vires the Indian law. Powers are already available within ITA 2000 to take action to declare Tox service as illegal in India. Hope CERT In has the will to use the power available to them under law.
Naavi
The Game of DPDPB continues?
The saga of India passing a new data protection law to replace ITA 2000/8 has still not reached the final chapter. There are completely contradictory statements coming from the Government and the Opposition. We are aware that the opposition political parties in India are determined not to allow any significant legislation to pass through the Parliament and the Data Protection law is one such law considered politically significant.
Some time back the minister of IT Sri Ashwini Vaishnaw stated (according to press reports which many times are false and unreliable) that the Standing committee has passed the draft. Now some members of the opposition say that they have suggested 40 amendments to the Bill and they will discuss this further in the next meeting. Mr Rajeev Chandrashekar had suggested regarding the cross border transfer of data that India would opt for a “Positive list” based on mutual agreements with some countries. Of late he has changed his version (again according to press reports which many times are false and unreliable) and is now indicating that there will be a negative list of countries to which data transfer would be regulated and all other countries would be in the “Adequacy and Allowed” list.
There is a slew of articles published from Dr Amar Patnaik in some part of the media suggesting a complete revision of the approach to the law itself. (Refer here).
Mr Karti Chidambaram, as a member of the IT Standing committee, has indicated (as per the George Soros supported “Wire”) that 40 amendments have been proposed by the committee.
Some of the concerns expressed by the committee are said to be
1. Excessive Centralization of power
2. Lack of independence of Data Protection Board
3. Blanket exemptions to some data fiduciaries
4. Unchecked exemptions provided to Government
5. Lack of attention to protecting Children’s data
6. Impact on the Right to Information (RTI) Act
These are the laundry list of objections that have been raised in every draft presented earlier. He has also pointed out that since the Bill was never introduced in Parliament, it was never referred to the standing committee for discussion and whatever discussions happened were preliminary in nature and happened when the bill was put out for public consultation. He has also said that it does not address the concerns of the Supreme Court on Privacy.
In what indicates an indefinite delay, he has suggested “In a letter to Union IT minister Ashwini Vaishnaw on Monday, Mr Karti Chidambaram has sought to widen the scope of consultation for the Bill as well as the Digital India Bill, and hold stakeholder consultations across states, and ensure that the discussion is also held in regional languages.”
There was one report that the Bill will now be presented in the Monsoon session but it is yet to be confirmed.
For those who are aware of the Indian political scenario, the situation is very clear. Whatever be the proposition from the Government, it will not be accepted by the opposition. Hence there is no way the legislation can be passed by consensus. The Minister also should be aware of this.
If, despite this, Ministers are making statements that the bill will be presented, passed etc., they are to be treated as nothing more than political statements.
The current version of DPDPB 2022 is one of the most industry friendly provisions suggested by the Government and if the opposition stalls the Bill then there is no option for the Government but to continue to use the current law, namely ITA 2000 with Section 43A, Intermediary guidelines etc., as the Data Protection regulation of India. The Adjudicators and CERT need to become more active and provide the “Regulatory oversight in the absence of the Data Protection Board” for which the law as is present now can be sufficient.
The objections raised by the IT Standing committee are related to the Regulatory authority, Government powers and the Cross border transfer. Other than this the Bill should be considered as “Acceptable”. Out of these two categories of objections, Regulatory authority and Government powers are not affecting the “Compliance” in the industry. Whoever is the regulator and whatever are the exemptions granted, industry level compliance is not directly affected. The Cross border related issues and the exemptions to the industry are being covered by the ITA 2000-Section 43A rules which will continue to apply as “Due Diligence” under ITA 2000.
What is required is for some Adjudicating officer to take up a data breach issue and impose a fine of Rs 500 crores to stamp the authority of ITA 2000, and for CERT In to initiate a prosecution. Then the industry will realize that there is already a law in India and what DPDPB 2022 is likely to do is only to replace it with an improved version. Politicians will also realize that what they are stalling is not the law itself but an improvement of the existing law.
Hence irrespective of the statements of the politicians, industry needs to go ahead and continue its Privacy and Data Protection implementation from the current “Best Practices Perspective”.
But what is disappointing is that the Government has shown no commitment to pass the law and is happy to play along with the opposition to postpone the passing of the law.
Naavi
Quint bought by Adani?…
I would recall my several writings on naavi.org regarding how to handle fake news on the internet.
Today, I read an article about the Wikipedia inventor who had a noble objective in giving away knowledge free. But when I reflect back on the developments of Internet, I have realized that Wikipedia is no longer a source of information relied upon on many aspects of our society. In aspects related to information which is Political and Social, Wikipedia has been poisoned and often needs to be read with circumspection. This is a tragedy.
Similarly the P2P media like Twitter or FaceBook have become totally unreliable except as a propaganda vehicle for vested interests.
Further, I also saw a video where AI was used to create a fake video by just taking a few mobile pictures and inserting them into a video in an app. This appears to be the final straw that breaks the back of the camel. We will see rogue techies creating fake videos of all politicians to ensure that Internet as a news purveying media becomes completely worthless since it will be filled with false information all round.
We are aware that the last USA election was defrauded with manipulation of postal ballots. We can expect that the next elections both in USA and India will be full of fake videos of all political figures including Joe Biden, Donald Trump, Narendra Modi and Rahul Gandhi created by AI. Hence any video or any article that appears on the Internet needs to be fact-checked and the entity doing the fact-check itself needs to be fact-checked.
We have also discussed the solution for countering the misuse of Internet for spread of fake news. The first suggestion was way back in December 2000 when I wrote “How to Respond to Rogue web Sites” which was further referred to in the latest article in March 2023.
In terms of solutions, I had discussed the “Mandatory Counter Views link display”, “Mandatory Identification of content contributors” through verification of IDs including Aadhaar type of reliable verification methods, “Intermediary Liabilities with self regulation in the form of Uniform Intermediary Dispute Resolution” on the lines of UDRP.
Out of this, Mandatory verification of contributors to Twitter kind of platforms has been introduced in the form of “Verified” status and Indian Data Protection laws are expected to carry it through. The Intermediary guidelines are being introduced through ITA 2000/8 and the Grievance Redressal Committee set up by the Government (instead of a self regulatory set up which was suggested by the Government but not accepted by the industry).
Now we are learning that Mr Adani the person who is being used by the opposition to defame Mr Modi has been moving in to introduce the other strategy of taking over some of the rogue media houses. Accordingly after NDTV, we understand that substantial interests have been bought in “Quint”. With such moves, there is a competition being created to George Soros who was holding the control on one sided narrative through paid journalists.
With these moves, “Information Warfare” is being commercialized. This development may not be desirable but it is inevitable to at least correct the skewed behaviour of Internet and the possibility of further damage through biased AI algorithms.
When Adani was attacked for political reasons by the Hindenburg report, the loss of market capitalization was depicted by media as “Adani’s loss”. But the real loss was actually that of investors who had no stake in the political narrative. Even Mr Modi would be only marginally affected and perhaps will come out strongly after the fake narrative dies down. Adani also will come back albeit with some delays in some projects. But common investors who have lost their hard earned savings will never pardon Indian politicians who tried to use the bear operators of the stock market for their political propaganda.
The latest fake news corroborating the conspiracy of the Soros media was the article in Economic Times calling Adani Group’s statement of premature repayment of debts unsubstantiated and causing a 5% loss to investors in Stock markets yesterday. With such articles, Economic Times has once again shown its bias and why it is losing credibility.
We therefore welcome Adani’s move of taking over Quint. His control of NDTV and Quint may not fully match the combined weight of George Soros supported media but could at least create a counter weight. We hope that some “Journalists” who are caught in the Soros network by fate would consider defecting to create a better balance in the use of Internet as a news media.
If this does not happen, then the trust of Internet as an “Information Super Highway” would be further eroded.
As Data Security professionals, the preservation of “Integrity” of information does not end with the binary data but also extends to the preservation of integrity of the data as interpreted by the users of the binary data. Under the Theory of Data, I have stated Data is created by technology but interpreted by humans. Hence if the integrity of interpretation is corrupted, it is a “Data Security” issue.
Just as “Privacy Protection” has expanded the domain of Information Security into the domain of human rights, it is time to recognize that “Prevention of Information warfare” is an extension of the “Prevention of Cyber Crimes” and hence the Information and Privacy protection domain may need to extend itself into preservation of “Information Integrity”.
Naavi