The New Criminal on the Internet: Tox Service

Since 1971, when the first concept of “malware” surfaced, we have been fighting the menace of viruses, Trojans, worms, etc., which are all “malicious” programs that automatically spread into the user’s computer. The initial purpose of viruses was to disrupt the operations of the user for fun or revenge. Gradually it was identified as an attempt to sell “Anti Virus Software”. But the “Virus Eco System” turned greedy in financial terms, and in later years it has become a “Criminal Extortion Tool” in the form of “Ransomware”.

India introduced ITA 2000 as legislation that identified the introduction of a computer virus or any computer contaminant as an offence punishable with 3 years imprisonment. After 2008, the amendments gave CERT-In powers under the statute to regulate the cyber security measures implemented in the industry. CERT-In has been issuing many guidelines as well as advisories, including the advisory on how to handle ransomware attacks (September 27, 2022 advisory).

Indian companies are, however, oblivious to the existence of ITA 2000 and of a regulatory agency like CERT-In. They are more enamoured of ISO 27001 type business-driven audits and remain complacent.

With the advent of Artificial Intelligence, while responsible security professionals speak of using AI for cyber security, criminals have already started using AI for sending phishing mails and launching malware attacks. Hence even ransomware attacks will increase.

We therefore urge organizations to take suitable steps to protect their organizations against AI supported cyber attacks.

Despite ChatGPT claiming that it does not support criminals, Cyber Security professionals have pointed out how ChatGPT can be misused. Just like a criminal lies when asked directly if he is a criminal, ChatGPT also denies its involvement in creating malware.

There have been earlier ransomware attacks where amateurs used an e-mail contact for ransom discussion through “Crimeware assisting services” like Proton Mail. Now professional ransomware attackers are using ToxID to discuss ransom demands. (See here for information on Tox).

Tox, which began in the light of the Snowden leaks, started with the idea of creating an instant messaging application that ran without requiring the use of central servers. The system would be distributed, peer-to-peer, and end-to-end encrypted, with no way to disable any of the encryption features; at the same time, the application would be easily usable by the layperson with no practical knowledge of cryptography or distributed systems.

During the summer of 2013, a small group of developers from all around the globe formed and began working on a library implementing the Tox protocol. The library provides all of the messaging and encryption facilities, and is completely decoupled from any user interface; for an end-user to make use of Tox, they need a Tox client.

Tox is a FOSS (Free and Open Source) project. All Tox code is open source and all development occurs in the open. Tox is developed by volunteer developers who spend their free time on it, believing in the idea of the project. Tox is not a company or any other legal organization.

There now exist several independent Tox client projects, and Tox has thousands of users and hundreds of contributors, most of whom are criminals engaged in cyber crime and ransomware attacks.

Tox proudly says that it does not accept any donations, probably because all the ransomware attackers pay their own contribution to these “Voluntary Criminals who developed Tox”.

It is unfortunate that law enforcement and law makers do not take sufficient steps to control these malware services and allow them to continue to be in business.

I request CERT-In to take steps to ensure that Tox service does not enter the Indian cyber space. I am sure that some experts say this is impossible. But I do not believe that anything is impossible if there is a will. Where there is a will there is a way.

Tox is an intermediary which assists ransomware attackers and hence is ultra vires the Indian law. Powers are already available within ITA 2000 to take action to declare Tox service as illegal in India. Hope CERT-In has the will to use the power available to them under law.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.