<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="https://cis-india.org/search_rss">
  <title>Centre for Internet and Society</title>
  <link>https://cis-india.org</link>
  
  <description>
    
            These are the search results for the query, showing results 41 to 55.
        
  </description>
  
  
  
  
  <image rdf:resource="https://cis-india.org/logo.png"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/improving-the-processes-for-disclosing-security-vulnerabilities-to-government-entities-in-india"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/ieee-sa-indita-conference-2018"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/hakon-2016"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/guidelines-for-protection-of-national-critical-information-infrastructure"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/ground-zero-summit"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/livemint-november-16-2017-komal-gupta-govt-working-to-set-up-financial-cert-to-tackle-cyber-threats"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/global-commission-on-the-stability-of-cyberspace-gcsc"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-film-trailer"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/ciso-mag-financial-cert-to-combat-cyber-threats-says-mos-home-affairs"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/news/igf-2013-workshop-42-fair-process-frameworks-for-cross-border-online-spaces"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/extra-territorial-surveillance-and-the-incapacitation-of-human-rights"/>
        
        
            <rdf:li rdf:resource="https://cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security"/>
        
    </rdf:Seq>
  </items>

</channel>


    <item rdf:about="https://cis-india.org/internet-governance/blog/improving-the-processes-for-disclosing-security-vulnerabilities-to-government-entities-in-india">
    <title>Improving the Processes for Disclosing Security Vulnerabilities to Government Entities in India</title>
    <link>https://cis-india.org/internet-governance/blog/improving-the-processes-for-disclosing-security-vulnerabilities-to-government-entities-in-india</link>
    <description>
        &lt;b&gt;The aim of this policy brief is to recommend changes pertaining to current legislation, policy and practice to the Government of India regarding external vulnerability reporting and disclosure. The changes we recommend within this brief aim to strengthen the processes around voluntary vulnerability and bug disclosure by third parties. &lt;/b&gt;
        
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;This is an update to our previously released paper titled "Leveraging the Coordinated Vulnerability Disclosure Process to Improve the State of Information Security in India". The full document can be accessed &lt;a href="https://cis-india.org/internet-governance/resources/Improving%20the%20Processes%20for%20Disclosing%20Security%20Vulnerabilities%20to%20Government%20Entities%20in%20India.pdf"&gt;here&lt;/a&gt;.&lt;/div&gt;
&lt;hr width="50%" /&gt;
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;
&lt;p id="docs-internal-guid-5561d8e6-7fff-16c2-47f6-6fe5dc991e98" dir="ltr"&gt;The ubiquitous adoption and integration of information and communication technologies in almost all aspects of modern life raises with it the importance of being able to ensure the security and integrity of the systems and resources that we rely on. This importance is even more pressing for the Government, which is increasing its push of efforts towards digitising the operational infrastructure it relies on, both at the State as well as the Central level.&lt;/p&gt;
&lt;p dir="ltr"&gt;This policy brief draws from knowledge that has been gathered from various sources, including information sourced from newspaper and journal articles, current law and policy, as well as from interviews that we conducted with various members of the Indian security community. This policy brief touches upon the issue of vulnerability disclosures, specifically those that are made by individuals to the Government, while exploring prevalent challenges with the same and making recommendations as to how the Government’s vulnerability disclosure processes could potentially be improved.&lt;/p&gt;
&lt;br /&gt;
&lt;h3 dir="ltr"&gt;Key learnings from the research include:&lt;/h3&gt;
&lt;ul&gt;&lt;li style="list-style-type: disc;" dir="ltr"&gt;
&lt;p dir="ltr"&gt;There is a noticeable shortcoming in the availability of information with regard to current vulnerability disclosure programmes and process of Indian Government entities, which is only exacerbated further by a lack of transparency;&lt;/p&gt;
&lt;/li&gt;&lt;li style="list-style-type: disc;" dir="ltr"&gt;
&lt;p dir="ltr"&gt;There is an observable gap in the amount and quality of interaction between security researchers and the Government, which is supported by the lack of proper channels for mediating such communication and cooperation;&lt;/p&gt;
&lt;/li&gt;&lt;li style="list-style-type: disc;" dir="ltr"&gt;
&lt;p dir="ltr"&gt;There are several sections and provisions within the Information Technology Act, 2000, which have the potential to disincentivise legitimate security research, even if the same has been carried out in good faith.&lt;/p&gt;
&lt;/li&gt;&lt;/ul&gt;
&lt;/div&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/improving-the-processes-for-disclosing-security-vulnerabilities-to-government-entities-in-india'&gt;https://cis-india.org/internet-governance/blog/improving-the-processes-for-disclosing-security-vulnerabilities-to-government-entities-in-india&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Karan Saini, Pranesh Prakash and Elonnai Hickok</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Vulnerability Disclosure</dc:subject>
    

   <dc:date>2019-04-01T12:02:05Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/ieee-sa-indita-conference-2018">
    <title>IEEE-SA InDITA Conference 2018</title>
    <link>https://cis-india.org/internet-governance/news/ieee-sa-indita-conference-2018</link>
    <description>
        &lt;b&gt;Gurshabad Grover participated in the IEEE-SA InDITA Conference 2018, organized by the IEEE Standards Association and held at IIIT-Bangalore on July 10 and 11, 2018.&lt;/b&gt;
        &lt;p&gt;Gurshabad gave a brief presentation on how we could apply or reject 'Trust Through Technology' principles in the design of public biometric authentication. The agenda for the event can be &lt;a class="external-link" href="https://ieee-dita.org/indita18/agenda/"&gt;accessed here&lt;/a&gt;. More details are on the event &lt;a class="external-link" href="https://ieee-dita.org/indita18/"&gt;website here&lt;/a&gt;.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/ieee-sa-indita-conference-2018'&gt;https://cis-india.org/internet-governance/news/ieee-sa-indita-conference-2018&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2018-08-01T23:04:18Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud">
    <title>How Long Have Banks Known About The Debit Card Fraud?  </title>
    <link>https://cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud</link>
    <description>
        &lt;b&gt;The recent security breach in an Indian payment switch provider, confirmed earlier this week by the National Payments Corporation of India Ltd (NPCIL), has forced domestic banks into damage control mode over the past few days.&lt;/b&gt;
        &lt;p&gt;The article was &lt;a class="external-link" href="http://www.bloombergquint.com/opinion/2016/10/21/how-long-have-banks-known-about-the-debit-card-fraud"&gt;published by Bloomberg&lt;/a&gt; on October 22, 2016.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;The breach was detected when various customers began to lodge complaints  with their banks about unauthorised transactions on their accounts,  which upon investigation were said to originate from a foreign location  such as China. The security breach has affected actively at least 641  customers to the tune of Rs 1.8 crore, with lakhs more being affected by  the pro-active measures (including card revocation) being taken by  banks to prevent further financial losses.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Surprisingly little is known, however, about the nature of the attack responsible for the breach, the extent or scope of damage it has caused and the sufficiency of the countermeasures being initiated by the banks against the attacks. This article will talk about these aspects of the attack and also suggest normative measures that can be carried out to minimize harm and prevent such attacks in the future.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;The Modus Operandi&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;According to reports, the compromise may have happened at the level of the Hitachi Payment Services, which is a payment services provider which operates, among other financial services, ATMs for a variety of banks across the country. One or a certain number of ATMs were apparently compromised by a malware, which then infected the payment services provider network, leading to a far larger potential target area than just the physical ATMs for malware to act against. The malware could have infected the payment switch provider via physically being uploaded onto vulnerable ATM machines, which are known to run out-dated embedded operating systems with various documented loopholes that are rarely patched. The malware then could have recorded the details of the cards used on the infected ATMs (or even in the network generally) and then, via the same compromised network, transmitted confidential details, including ATM pins and CVV numbers, to the operators of the malware.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;img src="https://cis-india.org/home-images/Malware.jpg/@@images/13c6e6b2-e9be-4056-bd2d-ad540cff88dc.jpeg" alt="Malware" class="image-inline" title="Malware" /&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The attack could have also occurred from some other vulnerable part of the payment network, such as a payment switch within the bank itself, making it far more dangerous as it may still be active on parts of the network within the bank and would have access to a far wider range &amp;amp; variety of information than a mere ATM. There is no real way to know if the threat has been even contained, forget neutralised, as the audits being carried out by PCI-DSS authorised agencies have been on-going for the past month and their reports are not due for at least another 15 days, as intimated by NPCIL.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Massive Financial Implications&lt;/h3&gt;
&lt;table class="invisible"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;th&gt;
&lt;p&gt;&lt;img src="https://cis-india.org/home-images/Bank.png/@@images/5a9bda35-ccdc-4895-a841-609c4c7c0958.png" alt="Bank" class="image-inline" title="Bank" /&gt;&lt;/p&gt;
&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Policemen guard the banking hall of a State Bank of India branch in New Delhi. (Photographer: Sondeep Shankar/Bloomberg News) &lt;br /&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;The compromise of these details, regardless of the source of the compromise, has massive financial implications. This is because various international services allow debit/credit cards to be used only with the card number, expiry date, name &amp;amp; CVV number. They do not require the use of ATM Pins or an OTP (one time password) sent to a mobile phone for online transactions. In fact, unlike India where the RBI mandates OTPs for debit cards, this CVV based simplified online usage is the standard practice of using ATM Cards digitally in most of the developed world.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This would mean that merely changing ATM pins, something which SBI alleges less than 7 percent of its customers had done prior to all 6 lakh cards being blocked, would serve as almost no protection if the cards are enabled for international online transactions. The fact that most of the dubious, unauthorised financial transactions are occurring from foreign locations probably demonstrates that it is these kinds of internationally enabled cards that are being targeted for this sort of an attack.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Are Banks Concealing Information?&lt;/h3&gt;
&lt;table class="invisible"&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;th&gt;
&lt;p style="text-align: justify; "&gt;&lt;img src="https://cis-india.org/home-images/copy_of_Bank.png/@@images/0f5235cb-4909-4885-b12e-d83bb4202230.png" alt="Bank" class="image-inline" title="Bank" /&gt;&lt;/p&gt;
&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;A customer exits a Yes Bank Ltd. automated teller machine (ATM) in Ahmedabad. (Photographer: Dhiraj Singh/Bloomberg)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p style="text-align: justify; "&gt;The absence of data/security breach laws in India is being sharply felt as there has been an abject lack of clarity and information from the banking sector and the government regarding the attack. Over 47 states in the USA and most of the countries in the EU have enacted strict data security breach laws that mandate public intimation &amp;amp; disclosure of key information pertaining to the attack along with detailed containment measures. The presence of such a law in India would have gone a long way in preventing the breach from being under the wraps for so long (it occurred at the bank level in September, almost a month ago) and also ensured far more vigilant active compliance by corporations &amp;amp; banks to international security standards and best practices. For now, the only true countermeasure to prevent future harm to affected card holders is for all affected cards to be revoked by the banks and new cards being issued to affected customers.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Constant vigilance &amp;amp; comprehensive security audits by banks to detect affected cards and active protection for customers, using financial and identity insurance services such as AllClear ID Plus (used by Sony in the 2011 Playstation Hack) will go a long way in mitigating the harm of the breach. The banking industry, government &amp;amp; security agencies should all learn from this breach and a combination of new legislation, updated industry practices and consumer awareness is necessary for proactive &amp;amp; reactive actions in the future.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud'&gt;https://cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>tiwari</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2016-10-22T08:06:51Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/hakon-2016">
    <title>Hakon 2016</title>
    <link>https://cis-india.org/internet-governance/news/hakon-2016</link>
    <description>
        &lt;b&gt; Udbhav Tiwari attended Hakon 2016, a conference held between September 30 and October 2, 2016 at Indore, Madhya Pradesh, India, on behalf of CIS under the Hewlett Cyber Security Project. &lt;/b&gt;
        &lt;p dir="ltr" style="text-align: justify; "&gt;Hakon 2016 was the third edition of the conference which has been organised by Ninja Information Security Systems, an ISO 27001:2013 &amp;amp; 9001:2008 certified training organisation and the primary sponsor of the conference from Indore. The conference was efficiently organised, had about 150 to 200 people attending overall and provided a unique window into the non-tech hub/big city ethical hacker ecosystem and their place within the cyber security setup in India. The agenda of this year's conference was the Underground Digital Black Market &amp;amp; Digital Terrorism, with a fair mix of participants from the industry, academia and the government. The conference website can be looked up at &lt;a href="http://www.hakonindia.org/"&gt;http://www.hakonindia.org/&lt;/a&gt; for further details, including a look at past editions of the conference.&lt;/p&gt;
&lt;p dir="ltr" style="text-align: justify; "&gt;The technical workshops held during the first two days of the conference were well organised and networking with the teachers during and mostly at the end of the conference was very helpful in understanding a practitioner's perspective on cutting edge aspects of cyber security. This was particularly true for &lt;a class="external-link" href="http://www.chuckeasttom.com/"&gt;Chuck Easttom Williams&lt;/a&gt;, an accomplished cyber security expert from the USA who regularly trains government agencies and is a fairly reputed industry veteran who has been an invited speaker at DEFCON and even has a couple of patents to his name.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/hakon-2016'&gt;https://cis-india.org/internet-governance/news/hakon-2016&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2016-10-15T10:04:41Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web">
    <title>Hacker steals 17 million Zomato users’ data, briefly puts it on dark web</title>
    <link>https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web</link>
    <description>
        &lt;b&gt;Records of 17 million users were stolen from online restaurant search platform Zomato, the company said in a blog post on Thursday.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Kim Arora and Digbijay Mishra with inputs from Ranjani Ayyar in Chennai was &lt;a class="external-link" href="http://timesofindia.indiatimes.com/india/hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web/articleshow/58742129.cms"&gt;published in the Times of India&lt;/a&gt; on May 19, 2017. Pranesh Prakash was quoted.&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;According to information security blog and news website &lt;a class="key_underline" href="http://timesofindia.indiatimes.com/topic/HackRead"&gt;HackRead&lt;/a&gt;,  the data was being peddled online on the "dark web" for about $1,000.  The company, also a food delivery platform, advised users to change  passwords. However, late on Thursday night, &lt;a class="key_underline" href="http://timesofindia.indiatimes.com/topic/Zomato"&gt;Zomato&lt;/a&gt; claimed it had contacted the hacker and persuaded him/her to not only  destroy all copies of the data, but also to take the database off the  dark web marketplace. The company said it will post an update on how the  breach happened once they "close the loopholes".&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In an official blog updated with this information, Zomato said, "The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers." Bug bounties are a standard program among tech companies, where they reward outsiders to highlight bugs and flaws in their software systems.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The number of user accounts compromised was pegged at 17 million earlier in the day. In the late night update, Zomato said password hashes (passwords in a scrambled, encrypted form) of 6.6 million users were compromised. It wasn't immediately clear whether this 6.6 million was part of the 17 million records stolen.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Zomato tried assuring users that payment information was safe. "Please note that only 5 data points were exposed - user IDs, names, usernames, email addresses, and password hashes with salt- that is, passwords that were encrypted and would be unintelligible. No other information was exposed to anyone (we have a copy of the 'leaked' database with us). Your payment information is absolutely safe, and there's no need to panic," said the late night update.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;However, the information security community raised concerns over the technique used for "hashing" or encrypting the passwords. A screenshot of the vendor's sale page for stolen data posted on HackRead identifies the hashing algorithm as "MD5", which experts say is "outdated" and "insecure". The research team at infySEC -- a cyber security company from Chennai -- tried to access user information in Zomato's database, as part of its bug bounty program. "We were able to access user names, email IDs, addresses and history of transactions. We highlighted this to Zomato but we have not heard from them," said Karthick Vigneshwar, director, infySEC.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Zomato joins a long list of tech-enabled businesses that have recently had user data stolen. Such data can ostensibly be used by malicious actors to send phishing mails, or even by hackers to carry out cyber attacks. In February 2017, content delivery network CloudFlare's customer data was leaked. The data leaked had not just password hashes, but even customers' IP addresses and private messages. In June 2015, online password management service LastPass was hacked and had its data leaked online.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Zomato's chief technology officer Gunjan Patidar said in the blog which was updated twice through the day. Affected users have been logged out of the website and the app.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Password "hashing" is an encryption technique usually used for large online user databases. The strength of the encryption depends on the algorithm employed to do the same. "Salting" is the addition of a string of characters to the passwords when stored on such a database, which adds another layer of difficulty in cracking them.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In an email to TOI, a company spokesperson said, "Over the next couple of days, we'll be actively working to improve our security systems — we'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorisation for internal teams having access to this data to avoid any human breach."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;HackRead, a security blog and news website, found the stolen Zomato database of 17 million users for sale on what is called the "dark web". This can be described as a portion of the content available on the World Wide Web, away from the public internet. This content is not indexed on search engines like Google, and can only be accessed using software that can route around the public internet to get there.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is inappropriate for encrypting passwords. "If MD5 was used, it shows bad security practices were in place. It isn't industry standard to use this algorithm for password hashing. Algorithms like bcrypt, scrypt, are more secure," says Pranesh Prakash, policy director at Bengaluru's Centre for Internet and Society.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;What if a user does not use an exclusive Zomato account to sign into the service, but signs in through a Google or Facebook account? "In that case, just to be safe, you can delink your Zomato from the account you use to sign in, although your password will not be at risk," says Prakash. Zomato says, 60% of its users use such third party authorisation, and they are at "zero risk."&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Would Zomato be liable to compensate end users for loss of sensitive data? Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act hold sensitive data and are expected to have reasonable security protocols in place. Should an end user face any loss/damage due to a data breach, they can sue Zomato and seek compensation." While most players have end user agreements and disclaimers in place, Duggal adds that the IT Act will prevail over any other law or contract to the extent it is inconsistent.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web'&gt;https://cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Hacking</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T05:57:14Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts">
    <title>Hack exposes Zomato's weak protection of customer data, say Cyber experts </title>
    <link>https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts</link>
    <description>
        &lt;b&gt;Online restaurant aggregator says it will beef up security after 17 million user details were stolen.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by &lt;span&gt;&lt;a href="http://www.business-standard.com/author/search/keyword/alnoor-peermohamed" target="_blank"&gt;Alnoor Peermohamed&lt;/a&gt; was published in the Business Standard on May 19, 2017. Pranesh Prakash was quoted.&lt;/span&gt;&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;&lt;span&gt;&lt;span class="p-content"&gt;After details of over 17 million users were stolen and sold online, restaurant discovery and food ordering service &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Zomato" target="_blank"&gt;Zomato &lt;/a&gt;has vowed to beef up security measures, including adding a layer of authentication for its own employees to access user data. &lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;span class="p-content"&gt;
&lt;p&gt;The company in a blog post claimed that the leak appeared to be an  internal (human) security breach with an employee's development account  getting compromised.&lt;/p&gt;
&lt;p&gt;However, &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Cyber+Security" target="_blank"&gt;cyber security &lt;/a&gt;experts pointed out that &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Zomato" target="_blank"&gt;Zomato &lt;/a&gt;was clearly lacking in its technique to protect customer data from unwanted elements.&lt;/p&gt;
&lt;p&gt;Sajal Thomas, a &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Cyber+Security" target="_blank"&gt;cyber security &lt;/a&gt;consultant, claimed on Twitter that he verified the sample data being sold on the dark web and found that &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Zomato" target="_blank"&gt;Zomato &lt;/a&gt;had  used MD5 to hash passwords. MD5 is neither encryption nor encoding, and  was known to be easily cracked by attacks and suffered from major  vulnerabilities.&lt;/p&gt;
&lt;p&gt;Further, he said &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Zomato" target="_blank"&gt;Zomato &lt;/a&gt;had  not used salting, a technique where random data was used as additional  input to make cracking a hashed password much harder. Thomas said that  it took just a few seconds to crack the hashed passwords to turn them  into plain text.&lt;/p&gt;
&lt;p&gt;&lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Zomato" target="_blank"&gt;Zomato &lt;/a&gt;in  its blog post, however, claimed that it protected "passwords with a  one-way hashing algorithm, with multiple hashing iterations and  individual salt per password."&lt;/p&gt;
&lt;p&gt;It said that this was to ensure that passwords could not be easily  converted back to plain text. The firm claimed no credit or debit card  information of users was leaked.&lt;/p&gt;
&lt;p&gt;While &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Zomato" target="_blank"&gt;Zomato &lt;/a&gt;says it has reset passwords of all the affected accounts, experts say that users whose data were leaked are still under threat.&lt;/p&gt;
&lt;p&gt;"If you had a password for &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Zomato" target="_blank"&gt;Zomato &lt;/a&gt;that  you used elsewhere (on facebook or email), immediately change that  password across all those accounts," tweeted Pranesh Prakash, policy  director at the Centre for Internet and Society.&lt;/p&gt;
&lt;blockquote class="twitter-tweet"&gt;
&lt;p dir="ltr"&gt;If you had a password for &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Zomato" target="_blank"&gt;Zomato &lt;/a&gt;that you used elsewhere, then IMMEDIATELY change that password across ALL those accounts. Use a pw manager! &lt;a href="https://t.co/CbhtxCwlnD"&gt;https://t.co/CbhtxCwlnD&lt;/a&gt;&lt;/p&gt;
— Pranesh Prakash (@pranesh) &lt;a href="https://twitter.com/pranesh/status/865136966190288896"&gt;May 18, 2017&lt;/a&gt;&lt;/blockquote&gt;
According to Prakash, a statement by &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Zomato" target="_blank"&gt;Zomato &lt;/a&gt;misled people on how serious the security breach was by providing a false sense of security.&lt;br /&gt; &lt;br /&gt; Subsequently, the company reworded its blog post to prompt users to  change passwords of other services where they might have used the same  password as their &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Zomato" target="_blank"&gt;Zomato &lt;/a&gt;account.
&lt;p&gt;The leak was first detected by security blog &lt;i&gt;HackRead&lt;/i&gt; when it  came across an online handle going by the name of "nclay" claiming to  have hacked Zomato's database and selling its data on the dark web. Upon  testing some of the data made public by the hacker, &lt;i&gt;HackRead&lt;/i&gt; found that each account actually existed on &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Zomato" target="_blank"&gt;Zomato.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;"The database includes emails and password hashes of registered &lt;a class="storyTags" href="http://www.business-standard.com/search?type=news&amp;amp;q=Zomato" target="_blank"&gt;Zomato &lt;/a&gt;users  while the price set for the whole package is $1,001.43 (BTC 0.5587).  The vendor also shared a trove of sample data to prove that the data is  legit," &lt;i&gt;HackRead &lt;/i&gt;wrote in its post.&lt;/p&gt;
&lt;/span&gt;&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts'&gt;https://cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-19T09:11:40Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/guidelines-for-protection-of-national-critical-information-infrastructure">
    <title>Guidelines for the Protection of National Critical Information Infrastructure: How Much Regulation?</title>
    <link>https://cis-india.org/internet-governance/blog/guidelines-for-protection-of-national-critical-information-infrastructure</link>
    <description>
        &lt;b&gt;July has been a busy month for cyber security in India. Beginning with the release of the country’s first National Cyber Security Policy on July 2 and followed just this past week by a set of guidelines for the protection of national critical information infrastructure (CII) developed under the direction of the National Technical Research Organization (NTRO), India has made respectable progress in its thinking on national cyber security.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;Yet the National Cyber Security Policy, taken together with what little is known of the as-yet restricted guidelines for CII protection, raises troubling questions, particularly regarding the regulation of cyber security practices in the private sector. Whereas the current Policy suggests the imposition of certain preferential acquisition policies, India would be best advised to maintain technology neutrality to ensure maximum security.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;According to Section 70(1) of the Information Technology Act, Critical Information Infrastructure (CII) is defined as a “computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.” In one of the 2008 amendments to the IT Act, the Central Government granted itself the authority to “prescribe the information security practices and procedures for such protected system[s].” These two paragraphs form the legal basis for the regulation of cyber security within the private sector.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Such basis notwithstanding, private cyber security remains almost completely unregulated. According to the &lt;a href="http://deity.gov.in/sites/upload_files/dit/files/GSR314E_10511%281%29.pdf"&gt;Intermediary Guidelines&lt;/a&gt; [pdf], intermediaries are required to report cyber security incidents to India’s national-level computer emergency response team (CERT-In). Other than this relatively small stipulation, the only regulation in place for CII exists at the sector level. Last year the Reserve Bank of India &lt;a href="http://perry4law.org/blog/?p=93"&gt;mandated&lt;/a&gt; that each bank in India appoint a chief information officer (CIO) and a steering committee on information security. The finance sector is also the only sector of the four designated “critical” by the Department of Electronics and Information Technology (DEIT) &lt;a href="http://deity.gov.in/content/strategic-approach"&gt;Cyber Security Strategy&lt;/a&gt; to have established a sector-level CERT, which released a set of non-compulsory &lt;a href="http://www.idrbt.ac.in/PDFs/ISG_Booklet_Nov_2011.pdf"&gt;guidelines&lt;/a&gt; [pdf] for information security governance in late 201&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The new guidelines for CII protection seek to reorganize the government’s approach to CII. According to a &lt;a href="http://articles.timesofindia.indiatimes.com/2013-07-20/india/40694913_1_cyber-attacks-ntro-guidelines"&gt;Times of India article&lt;/a&gt; on the new guidelines, the NTRO will outline a total of &lt;i&gt;eight&lt;/i&gt; sectors (including energy, aviation, telecom and National Stock Exchange) of CII and then “monitor if they are following the guidelines.” Such language, though vague and certainly unsubstantiated, suggests the NTRO may ultimately be responsible for enforcing the “[mandated] security practices related to the design, acquisition, development, use and operation of information resources” described in the Cyber Security Policy. If so, operators of systems deemed critical by the NTRO or by other authorized government agencies may soon be subject to cyber security regulation—with teeth.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;To be sure, some degree of cyber security regulation is necessary. After all, large swaths of the country’s CII are operated by private industry, and poor security practices on the part of one operator can easily undermine the security of the rest. To quote security expert &lt;a href="http://www.schneier.com/blog/archives/2012/10/stoking_cyber_f.html"&gt;Bruce Schneier&lt;/a&gt;, “the externalities in cybersecurity are so great that even the freest free market would fail.” In less academic terms, networks are only as secure as their weakest links. While it is true that many larger enterprises take cyber security quite seriously, small and medium-sized businesses either lack immediate incentives to invest in security (e.g. no shareholders to answer to) or more often lack the basic resources to do so. Some form of government transfer for cyber security related investments could thus go a long way toward shoring up the country’s overall security.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Yet regulation may well extend beyond the simple “fiscal schemes and incentives” outlined in section IV of the Policy and “provide for procurement of indigenously manufactured ICT products that have security implications.” Such, at least, was the aim of the Preferential Market Access (PMA) Policy recently &lt;a href="http://articles.economictimes.indiatimes.com/2013-07-08/news/40443725_1_pma-policy-preferential-market-access-policy-private-sector"&gt;put on hold&lt;/a&gt; by the Prime Minister’s Office (PMO). Under pressure from international industry groups, the government has promised to review the PMA Policy, with the PMO indicating it may strike out clauses “regarding preference to domestic manufacturer[s] on security related products that are to be used by private sector.” If the government’s aim is indeed to ensure maximum security (rather than to grow an &lt;a href="http://en.wikipedia.org/wiki/Infant_industry_argument"&gt;infant industry&lt;/a&gt;), it would be well advised to extend this approach to the Cyber Security Policy and the new guidelines for CII protection.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Although there is a national security argument to be made in favor of such policies—namely that imported ICT products may contain “backdoors” or other nefarious flaws—there are equally valid arguments to be made &lt;i&gt;against&lt;/i&gt; preferential acquisition policies, at least for the private sector. First and foremost, it is unlikely that India’s nascent cyber security institutions will be able to regulate procurement in such a rapidly evolving market. Indeed, U.S. authorities have been &lt;a href="http://blog.heritage.org/2013/05/10/cybersecurity-government-regulations-cant-keep-up/"&gt;at pains&lt;/a&gt; to set cyber security standards, especially in the past several years. Secondly, by mandating the procurement of indigenously manufactured products, the government may force private industry to forgo higher quality products. Absent access to source code or the ability to effectively reverse engineer imported products, buyers should make decisions based on the products’ performance records, not geo-economic considerations like country of origin. Finally, limiting procurement to a specific subset of ICT products likewise restricts the set of security vulnerabilities available to hackers. Rather than improve security, however, a smaller, more distinct set of vulnerabilities may simply make networks &lt;a href="http://csis.org/blog/diffusion-and-discrimination-global-it-marketplace"&gt;easier targets&lt;/a&gt; for the sorts of “debilitating” attacks the Policy aims to avert.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;As India broaches the difficult task of regulating cyber security in the private sector, it must emphasize flexibility above all. On one hand, the government should avoid preferential acquisition policies which risk a) overwhelming limited regulatory resources, b) saddling CII operators with subpar products, and/or c) differentiating the country’s &lt;a href="http://www.sans.edu/research/security-laboratory/article/did-attack-surface"&gt;attack surface&lt;/a&gt;. On the other hand, the government should encourage certain performance standards through precisely the sort of “fiscal schemes and incentives” alluded to in the Cyber Security Policy. Regulation should focus on what technology does and does not do, not who made it or what rival government might have had their hands in its design. Ultimately, India should adopt a policy of technology neutrality, backed by the simple principle of &lt;i&gt;trust but verify&lt;/i&gt;. Only then can it be truly secure.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/guidelines-for-protection-of-national-critical-information-infrastructure'&gt;https://cis-india.org/internet-governance/blog/guidelines-for-protection-of-national-critical-information-infrastructure&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>jon</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2013-08-01T04:48:01Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/ground-zero-summit">
    <title>Ground Zero Summit</title>
    <link>https://cis-india.org/internet-governance/blog/ground-zero-summit</link>
    <description>
        &lt;b&gt;The Ground Zero Summit which claims to be the largest collaborative platform in Asia for cyber-security was held in New Delhi from 5th to 8th November. The conference was organised by the Indian Infosec Consortium (IIC), a not for profit organisation backed by the Government of India. Cyber security experts, hackers, senior officials from the government and defence establishments, senior professionals from the industry and policymakers attended the event. &lt;/b&gt;
        &lt;h3 style="text-align: justify; "&gt;Keynote Address&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The Union Home Minister, Mr. Rajnath Singh, inaugurated the conference. Mr Singh described cyber-barriers that impact the issues that governments face in ensuring cyber-security. Calling cyberspace the fifth dimension of security in addition to land, air, water and space, Mr Singh emphasised the need to curb cyber-crimes in India, which have grown by 70% in 2014 since 2013. He highlighted the fact that changes in location, jurisdiction and language made cybercrime particularly difficult to address. Continuing in the same vein, Mr. Rajnath Singh also mentioned cyber-terrorism as one of the big dangers in the time to come. With a number of government initiatives like Digital India, Smart Cities and Make in India leveraging technology, the Home Minister said that the success of these projects would be dependent on having robust cyber-security systems in place.&lt;br /&gt;&lt;br /&gt;The Home Minister outlined some initiatives that the Government of India is planning to take in order to address concerns around cyber security - such as plans to finalize a new national cyber policy. Significantly, he referred to a committee headed by Dr. Gulshan Rai, the National Cyber Security Coordinator mandated to suggest a roadmap for effectively tackling cybercrime in India. This committee has recommended the setting up of Indian Cyber Crime Coordination Centre (I-4C). This centre is meant to engage in capacity building with key stakeholders to enable them to address cyber crimes, and work with law enforcement agencies. Earlier reports about the recommendation suggest that the I-4C will likely be placed under the National Crime Records Bureau and align with the state police departments through the Crime and Criminal Tracking and Network Systems (CCTNS). I-4C is supposed to be comprised of high quality technical and R&amp;amp;D experts who would be engaged in developing cyber investigation tools. 
&lt;br /&gt;&lt;br /&gt;Other keynote speakers included Alok Joshi, Chairman, NTRO; Dr Gulshan Rai, National Cyber Security Coordinator; Dr. Arvind Gupta, Head of IT Cell, BJP and Air Marshal S B Dep, Chief of the Western Air Command.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Technical Speakers&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;There were a number of technical speakers who presented on an array of subjects. The first session was by Jiten Jain, a cyber security analyst who spoke on cyber espionage conducted by actors in Pakistan to target defence personnel in India. Jiten Jain talked about how the Indian Infosec Consortium had discovered these attacks in 2014. Most of these websites and mobile apps posed as defence news and carried malware and viruses. An investigation conducted by IIC revealed the domains to be registered in Pakistan. In another session Shesh Sarangdhar, the CEO of Seclabs, an application security company, spoke about the Darknet and ways to break anonymity on it. Sarangdhar mentioned that anonymity on Darknet is dependent on all determinants of the equation in the communication maintaining a specific state. He discussed techniques like using audio files, cross domain on Tor, and Sybil attacks as methods of deanonymization. Dr. Triveni Singh, Assistant Superintendent of Police, Special Task Force, UP Police made a presentation on the trends in cyber crime. Dr. Singh emphasised the amount of uncertainty with regard to the purpose of a computer intrusion. He discussed real life case studies such as data theft, credit card fraud, share trading fraud from the perspective of law enforcement agencies.&lt;br /&gt;&lt;br /&gt;Anirudh Anand, CTO of Infosec Labs discussed how web applications are heavily reliant on filters or escaping methods. His talk focused on XSS (cross site scripting) and bypassing regular expression filters. He also announced the release of XSS labs, an XSS test bed for security professionals and developers that includes filter evasion techniques like b-services, weak cryptographic design and cross site request forgery. Jan Siedl, an authority on SCADA presented on TOR tricks which may be used by bots, shells and other tools to better use the TOR network and I2P. 
His presentation dealt with using obfuscated bridges, Hidden Services based HTTP, multiple C&amp;amp;C addresses and use of OTP. Aneesha, an intern with the Kerala Police spoke about elliptic curve cryptography and its features, such as low processing overheads. As this requires elliptic curve paths, efficient encoding and decoding techniques need to be developed. Aneesha spoke about an algorithm called Generator-Inverse for encoding and decoding a message using a Single Sign-on mechanism. Other subjects presented included vulnerabilities that remained despite using TLS/SSL, deception technology and cyber kill-chain, credit card frauds, post-quantum crypto-systems and popular Android malware.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Panels&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;There were also two panels organised at the conference. Samir Saran, Vice President of Observer Research Foundation, moderated the first panel on Cyber Arms Control. The panel included participants like Lt. General A K Sahni from the South Western Air Command; Lt. General A S Lamba, Retired Vice Chief Indian Army, Alok Vijayant, Director of Cyber Security Operation of NTRO and Captain Raghuraman from Reliance Industries. The panel debated the virtues of cyber arms control treaties. It was acknowledged by the panel that there was a need to frame rules and create a governance mechanism for wars in cyberspace. However, this would be effective only if the governments are the primary actors with the capability for building cyber-warfare know-how and tools. The reality was that most kinds of cyber weapons involved non state actors from the hacker community. In light of this, the cyber control treaties would lose most of their effectiveness. &lt;br /&gt;&lt;br /&gt;The second panel was on the ‘Make for India’ initiatives. Dinesh Bareja, the CEO of Open Security Alliance and Pyramid Cyber Security was the moderator for this panel which also included Nandakumar Saravade, CEO of Data Security Council of India; Sachin Burman, Director of NCIIPC; Dr. B J Srinath, Director General of ICERT and Amit Sharma, Joint Director of DRDO. The focus of this session was on ‘Make in India’ opportunities in the domain of cyber security. The panelists discussed the role the government and industry could play in creating an ecosystem that supports entrepreneurs in skill development. Among the approaches discussed were: involving actors in knowledge sharing and mentoring chapters which could be backed by organisations like NASSCOM and bringing together industry and government experts in events like the Ground Zero Summit to provide knowledge and training on cyber-security issues.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Exhibitions&lt;/h3&gt;
&lt;p class="Normal1" style="text-align: justify; "&gt;The conference was accompanied by an exhibition showcasing indigenous cybersecurity products. The exhibitors included Smokescreen Technologies, Sempersol Consultancy, Ninja Hackon, Octogence Technologies, Secfence, Amity, Cisco Academy, Robotics Embedded Education Services Pvt. Ltd., Defence Research and Development Organisation (DRDO), Skin Angel, Aksit, Alqimi, Seclabs and Systems, Forensic Guru, Esecforte Technologies, Gade Autonomous Systems, National Critical Information Infrastructure Protection Centre (NCIIPC), Indian Infosec Consortium (IIC), INNEFU, Event Social, National Internet Exchange of India (NIXI) and Robotic Zone.&lt;/p&gt;
&lt;p class="Normal1" style="text-align: justify; "&gt;The conference also witnessed events such as Drone Wars, in which selected participants had to navigate a drone, a Hacker Fashion Show and the official launch of the Ground Zero’s Music Album.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/ground-zero-summit'&gt;https://cis-india.org/internet-governance/blog/ground-zero-summit&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Amber Sinha</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2016-01-03T06:06:56Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/livemint-november-16-2017-komal-gupta-govt-working-to-set-up-financial-cert-to-tackle-cyber-threats">
    <title>Govt working to set up financial CERT to tackle cyber threats</title>
    <link>https://cis-india.org/internet-governance/news/livemint-november-16-2017-komal-gupta-govt-working-to-set-up-financial-cert-to-tackle-cyber-threats</link>
    <description>
        &lt;b&gt;IT secretary Ajay Prakash Sawhney says the government is getting the framework in place for financial CERT, which will be followed by other sectoral CERTs later.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article by Komal Gupta was &lt;a class="external-link" href="http://www.livemint.com/Industry/KMK5eQsbcJpYvEMPfp5MHI/Govt-working-to-set-up-financial-CERT-to-tackle-cyber-threat.html"&gt;published in Livemint&lt;/a&gt; on November 16, 2017&lt;/p&gt;
&lt;hr /&gt;
&lt;p style="text-align: justify; "&gt;The government is working to set up a financial Computer Emergency  Response Team (CERT) to tackle a rise in cyber threats to India’s  financial institutions.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;This will be the first sectoral CERT to be introduced in India, said IT secretary Ajay Prakash Sawhney on Wednesday.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“Right  now, the one which is directly being worked on is the financial CERT.  We are getting the framework in place and once that is there, we will  look at other sectors,” said Sawhney, responding to a question on the  progress of setting up of sectoral CERTs in the country. “It will  oversee the entire financial sector including banks and financial  institutions,” he added.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;He was addressing the Asia Pacific Computer Emergency Response Team (APCERT) Open Conference in the capital on Wednesday.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;In  March, the power ministry had announced setting up of four sectoral  CERTs for cyber security in power systems—CERT (Transmission), CERT  (Thermal), CERT (Hydro) and CERT (Distribution).&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;According  to Sawhney, as of now, there is a national CERT and no other sectoral  CERTs. While addressing the conference, he said one of the themes to be  discussed will be “How sectoral CERTs can function in conjunction with  the national CERT.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;CERT-In is the national nodal agency under the  ministry of electronics and IT (MeitY), which deals with cyber security  threats such as hacking and phishing. The agency is tasked with the  collection, analysis and dissemination of information on cyber incidents  and even taking emergency measures for handling cyber security  incidents.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“The biggest task of sectoral CERT is to share  information with the others in the industry. For example, if a bank  undergoes an attack; normally the bank will perform all the necessary  actions to limit the attack and to prevent it from happening in the  future. But the obligation of sharing how the attack happened with all  the other banks in India to make sure that they can protect their  respective systems from such an attack, can be carried out by a  financial CERT,” said Udbhav Tiwari, programme manager at the Centre for  Internet and Society, a Bengaluru-based think tank.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“From April  to October 2017, around 50,000 cyber security incidents have been  handled by CERT-In; including phishing, malware attacks, attacks on  digital payments and targeted attacks on some of the critical  industries,” said cyber security chief Gulshan Rai, who was also present  at the event.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;A total of 50 incidents of cyber attacks affecting 19 financial organizations have been reported from 2016 till June 2017, &lt;a href="http://www.livemint.com/Industry/MBqlWLIFkpR4W34sdA6TqN/50-cyber-attack-incidents-reported-in-financial-sector-govt.html" target="_blank"&gt;PTI &lt;/a&gt;reported in August.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/livemint-november-16-2017-komal-gupta-govt-working-to-set-up-financial-cert-to-tackle-cyber-threats'&gt;https://cis-india.org/internet-governance/news/livemint-november-16-2017-komal-gupta-govt-working-to-set-up-financial-cert-to-tackle-cyber-threats&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2017-11-25T02:28:18Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/global-commission-on-the-stability-of-cyberspace-gcsc">
    <title>Global Commission on the Stability of Cyberspace (GCSC)</title>
    <link>https://cis-india.org/internet-governance/news/global-commission-on-the-stability-of-cyberspace-gcsc</link>
    <description>
        &lt;b&gt;The Global Commission on the Stability of Cyberspace organized a meeting on November 21, 2017 in New Delhi. The meeting took place at Taj Diplomatic Enclave Hotel on the sidelines of the 5th Global Conference on Cyberspace. Pranesh Prakash participated in the event.&lt;/b&gt;
        &lt;p&gt;GCSC commissioners engaged in discussions with leading experts on cyber diplomacy, cyber norms and counter-proliferation. See the Draft Agenda &lt;a class="external-link" href="http://cis-india.org/internet-governance/files/cyber-security-hearings-gsc"&gt;here&lt;/a&gt;.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/global-commission-on-the-stability-of-cyberspace-gcsc'&gt;https://cis-india.org/internet-governance/news/global-commission-on-the-stability-of-cyberspace-gcsc&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2017-11-23T14:38:12Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-film-trailer">
    <title>First Look: CIS Cybersecurity documentary film</title>
    <link>https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-film-trailer</link>
    <description>
        &lt;b&gt;CIS presents the trailer of its documentary film DesiSec: Cybersecurity &amp; Civil Society in India&lt;/b&gt;
        
&lt;p&gt;The Centre for Internet and Society is pleased to release the trailer of its first documentary film, on cybersecurity and civil society in India.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The documentary is part of the CIS Cybersecurity Series, a work in progress which may be found &lt;a class="external-link" href="http://cismetamedia.tumblr.com"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;iframe src="//www.youtube.com/embed/3134xVvMmfc" frameborder="0" height="315" width="560"&gt;&lt;/iframe&gt;
&lt;p&gt;&lt;strong&gt;DesiSec: Cybersecurity and Civil Society in India&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The trailer of&amp;nbsp;&lt;em&gt;DesiSec: Cybersecurity and Civil Society in India&lt;/em&gt;&amp;nbsp;was shown at the Internet Governance Forum in Bali on October 24. It was a featured presentation at the Citizen Lab workshop,&amp;nbsp;&lt;em&gt;Internet Governance For The Next Billion Users.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The transcript of the workshop is available here:&amp;nbsp;&lt;a href="http://www.intgovforum.org/cms/component/content/article/121-preparatory-process/1476-ws-344-internet-governance-for-the-next-billion-users"&gt;http://www.intgovforum.org/cms/component/content/article/121-preparatory-process/1476-ws-344-internet-governance-for-the-next-billion-users&lt;/a&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;This work was carried out as part of the Cyber Stewards Network with aid of a grant from the International Development Research Centre, Ottawa, Canada.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-film-trailer'&gt;https://cis-india.org/internet-governance/blog/cis-cybersecurity-series-film-trailer&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>purba</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cybersecurity</dc:subject>
    
    
        <dc:subject>Internet Governance Forum</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Cyber Security Film</dc:subject>
    
    
        <dc:subject>Cybercultures</dc:subject>
    
    
        <dc:subject>Cyber Security</dc:subject>
    

   <dc:date>2013-12-17T08:16:42Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/ciso-mag-financial-cert-to-combat-cyber-threats-says-mos-home-affairs">
    <title>Financial CERT to combat cyber threats, says MoS home affairs</title>
    <link>https://cis-india.org/internet-governance/news/ciso-mag-financial-cert-to-combat-cyber-threats-says-mos-home-affairs</link>
    <description>
        &lt;b&gt;To tackle cyber threats to India’s financial institutions, the central government is mulling the establishment of a financial Computer Emergency Response Team (CERT).&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;This was published by &lt;a class="external-link" href="https://www.cisomag.com/financial-cert-combat-cyber-threats-says-mos-home-affairs/"&gt;CISO MAG&lt;/a&gt; on November 17, 2017&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;Addressing the 15th Asia Pacific Computer Emergency Response Team (APCERT) Open Conference in New Delhi on November 15, 2017, IT Secretary Ajay Prakash Sawhney said, “right now, the one which is directly being worked on is the financial CERT. We are getting the framework in place and once that is there, we will look at other sectors. It will oversee the entire financial sector including banks and financial institutions.”&lt;br /&gt;&lt;br /&gt;In March this year, the power ministry had announced the creation of four sectoral CERTs for cybersecurity in power systems: CERT (Transmission), CERT (Thermal), CERT (Hydro), and CERT (Distribution).&lt;br /&gt;&lt;br /&gt;Udbhav Tiwari, program manager at the Centre for Internet and Society, a Bengaluru-based think tank, highlighted the responsibilities of the financial CERT in a conversation with Live Mint. “The biggest task of sectoral CERT is to share information with the others in the industry. For example, if a bank undergoes an attack, normally the bank will perform all the necessary actions to limit the attack and to prevent it from happening in the future. But the obligation of sharing how the attack happened with all the other banks in India to make sure that they can protect their respective systems from such an attack, can be carried out by a financial CERT,” he said.&lt;br /&gt;&lt;br /&gt;Cybersecurity Chief Gulshan Rai, who was also present at the event, said “from April to October 2017, around 50,000 cyber security incidents have been handled by CERT-In; including phishing, malware attacks, attacks on digital payments and targeted attacks on some of the critical industries.”&lt;br /&gt;&lt;br /&gt;On August 1, 2017, MoS home affairs Hansraj Gangaram Ahir had said “as per the information by the Indian computer emergency response team (CERT-In), 50 incidents affecting 19 financial organizations have been reported during the period of November, 2016 to June, 2017.”&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/ciso-mag-financial-cert-to-combat-cyber-threats-says-mos-home-affairs'&gt;https://cis-india.org/internet-governance/news/ciso-mag-financial-cert-to-combat-cyber-threats-says-mos-home-affairs&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Admin</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2017-11-23T16:07:21Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/news/igf-2013-workshop-42-fair-process-frameworks-for-cross-border-online-spaces">
    <title>Fair process frameworks for cross-border online spaces</title>
    <link>https://cis-india.org/news/igf-2013-workshop-42-fair-process-frameworks-for-cross-border-online-spaces</link>
    <description>
        &lt;b&gt;This workshop is being organised by the Internet &amp; Jurisdiction Project, Civil Society of France, Western Europe and Others Group and Internet &amp; Jurisdiction Project, Civil Society of Germany, Western Europe and Others Group. Sunil Abraham is one of the panelists for this workshop.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;&lt;i&gt;The Internet Governance Forum 2013 is being held at Bali from October 22 to 25. The overarching theme for the 2013 IGF meeting is: "Building Bridges - Enhancing Multistakeholder Cooperation for Growth and Sustainable Development"&lt;/i&gt;.&lt;/p&gt;
&lt;p&gt;&lt;a class="external-link" href="http://www.intgovforum.org/cms/wks2013/workshop_2013_status_list_view.php?xpsltipq_je=42"&gt;Read the original published on IGF website&lt;/a&gt;. Also &lt;a class="external-link" href="http://www.internetjurisdiction.net/igf-2013-workshop/"&gt;read it on Internet &amp;amp; Jurisdiction website&lt;/a&gt;.&lt;/p&gt;
&lt;hr /&gt;
&lt;h2&gt;Theme: Legal Frameworks and Cyber-crime (Spam, Cyber-security, etc.)&lt;/h2&gt;
&lt;p style="text-align: justify; "&gt;This workshop is organized by the Internet &amp;amp; Jurisdiction Project, a global multi-stakeholder dialogue process launched in January 2012, which engages key actors from states, international organizations, companies, civil society, academia and the technical community from all around the world to address the tension between the cross-border Internet and national jurisdictions.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Over 2.5 billion Internet users interact in shared cross-border online spaces where they can post content potentially accessible worldwide. On the one hand, platforms’ Terms of Service try to set transnational rules on acceptable postings, but on the other hand, content that is legal in one jurisdiction can be illegal or sensitive in other territories. No clear frameworks exist yet to handle the tensions between these competing normative orders or values and enable peaceful cohabitation in cross-border cyberspaces. This challenge constitutes a rare issue of common concern for all stakeholder groups.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Building upon the intersessional work conducted by the Internet &amp;amp; Jurisdiction Project since the 2012 IGF, the roundtable will address the following topics:&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;Can commonly agreed interoperability procedures ensure fair process in interactions between platforms, public authorities, technical operators and users regarding seizures, content takedowns and access to user data?&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt; How could appropriate multi-stakeholder frameworks be developed?&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="text-align: justify; "&gt;Note: This roundtable is listed above under the “legal frameworks and cybercrime” track. However it equally touches upon other thematic areas: Human Rights/ Freedom of Expression on the Internet (addressing takedown procedures); Internet Governance Principles (eg. fair process and accountability) and Principles of Multi-Stakeholder Cooperation (the development of mutual frameworks).&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Has the proponent organised a workshop with a similar subject during past IGF meetings?&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Yes&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;&lt;b&gt;Indication of how the workshop will build on but go beyond the outcomes previously reached&lt;/b&gt;&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;At the IGF 2012, after a year of interaction with different stakeholders, the Internet &amp;amp; Jurisdiction Project organized two workshops titled: “What is the Geography of Cyberspace?” and “What frameworks for cross-border online communities and services?” These sessions explored the roots of the tension between the Internet and the patchwork of national jurisdictions and examined how to address this common concern. Both of these workshops and the ongoing dialogue facilitated by the I&amp;amp;J Project in 2013 (including several preparatory meetings around the world) confirmed the need to explore how to develop appropriate frameworks to handle the tension in a multi-stakeholder setting. Therefore, the I&amp;amp;J Project will gather involved stakeholders at the 2013 workshop “Fair process frameworks for cross-border online spaces” to discuss the way forward: How could appropriate frameworks be developed and what commonly agreed interoperability procedures could ensure fair process?&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Background Paper: No background paper provided&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Session Type: Roundtable&lt;/p&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;Mr. Bertrand De La Chapelle, Internet &amp;amp; Jurisdiction Project, Civil Society, France, Western Europe and Others Group - WEOG&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
&lt;li style="text-align: justify; "&gt;Mr. Paul Fehlinger, Internet &amp;amp; Jurisdiction Project, Civil Society, Germany, Western Europe and Others Group - WEOG&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Have the Proponent or any of the co-organisers organised an IGF workshop before? &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;Yes&lt;/p&gt;
&lt;p&gt;The link(s) to the workshop report(s):&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://wsms1.intgovforum.org/content/no154-internet-jurisdiction-what-frameworks-cross-border-online-communities-and-services"&gt;http://wsms1.intgovforum.org/content/no154-internet-jurisdiction-what-frameworks-cross-border-online-communities-and-services&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://wsms1.intgovforum.org/content/no171-what-geography-cyberspace"&gt;http://wsms1.intgovforum.org/content/no171-what-geography-cyberspace&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.intgovforum.org/cms/rio_reports/WS_27_Short_Report.pdf"&gt;http://www.intgovforum.org/cms/rio_reports/WS_27_Short_Report.pdf&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.intgovforum.org/cms/2008-igf-hyderabad/event-reports/72-workshops/366-workshop-81-national-multi-stakeholder-processes-and-their-relation-to-the-igf"&gt;http://www.intgovforum.org/cms/2008-igf-hyderabad/event-reports/72-workshops/366-workshop-81-national-multi-stakeholder-processes-and-their-relation-to-the-igf&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Panelists&lt;/h3&gt;
&lt;p&gt;Please click on biography to view the biography of the panelist:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Fiona Alexander, Department of Commerce, NTIA, Female, Government, United States, Western Europe and Others Group – WEOG&lt;a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=213" target="_blank"&gt;&lt;span&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;Biography&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Anne Carblanc, OECD, Female, Intergovernmental Organizations, France, Western Europe and Others Group – WEOG&lt;a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=255" target="_blank"&gt;&lt;span&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;Biography&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Elvana Thaci, Council of Europe, Female, Intergovernmental Organizations, France, Western Europe and Others Group – WEOG&lt;a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=287" target="_blank"&gt;&lt;span&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;Biography&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Sunil Abraham, Centre for Internet &amp;amp; Society, Male, Civil Society, India, Asia-Pacific Group&lt;a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=108" target="_blank"&gt;&lt;span&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;Biography&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Anriette Esterhuysen, Association for Progressive Communications, Female, Civil Society, South Africa, African Group&lt;a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=74" target="_blank"&gt;&lt;span&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;Biography&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Carlos Affonso Pereira Da Souza, Fundacao Getulio Vargas, Male, Technical Community, Brazil, Latin American and Caribbean Group – GRULAC&lt;a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=286" target="_blank"&gt;&lt;span&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;Biography&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Ross Lajeunesse, Google, Male, Private Sector, United States, Western Europe and Others Group – WEOG &lt;a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=264" target="_blank"&gt;&lt;span&gt;Biography&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Ebele Okobi, Yahoo, Female, Private Sector, United States, Western Europe and Others Group – WEOG&lt;a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=435" target="_blank"&gt;&lt;span&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;Biography&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Linda Corugedo Steneberg, European Commission, Belgium, Western Europe and Others Group – WEOG&lt;a href="http://www.intgovforum.org/cms/wks2013/panellist_2013_list_view.php?qbofmmjtu_je=256" target="_blank"&gt;&lt;span&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;Biography&lt;/span&gt;&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;Agenda&lt;/h3&gt;
&lt;ol&gt;
&lt;li style="text-align: justify; "&gt;Can commonly agreed interoperability procedures ensure fair process in interactions between platforms, public authorities, technical operators and users regarding seizures, content takedowns and access to user data?&lt;/li&gt;
&lt;li style="text-align: justify; "&gt;How could appropriate multi-stakeholder frameworks be developed?&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;Inclusiveness of the Session&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;The format of the workshop is going to be an open roundtable discussion between a diverse group of stakeholders on the basis of a structured agenda, without formal presentations. Taking stock of the preparatory process with meetings around the world, the participants will be able to discuss the outcomes of the multi-stakeholder dialogue process, explore the components of possible frameworks and how to move forward. The objective is to produce a structured but fluid and dynamic discussion that includes the audience in the debate.&lt;/p&gt;
&lt;h3 style="text-align: justify; "&gt;Suitability for Remote Participation&lt;/h3&gt;
&lt;p style="text-align: justify; "&gt;In addition to the remote participation tools provided by the IGF, the session will be covered live on Twitter with a dedicated hashtag and questions can also be submitted through tweets to open the discussion and engage new stakeholders. Moreover, participants of the Internet &amp;amp; Jurisdiction dialogue process around the world will be encouraged to participate remotely in the discussion.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/news/igf-2013-workshop-42-fair-process-frameworks-for-cross-border-online-spaces'&gt;https://cis-india.org/news/igf-2013-workshop-42-fair-process-frameworks-for-cross-border-online-spaces&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2013-10-21T09:02:02Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/extra-territorial-surveillance-and-the-incapacitation-of-human-rights">
    <title>Extra-Territorial Surveillance and the Incapacitation of Human Rights</title>
    <link>https://cis-india.org/internet-governance/extra-territorial-surveillance-and-the-incapacitation-of-human-rights</link>
    <description>
        &lt;b&gt;This paper was published in Volume 12 (2) of the NUJS Law Review. &lt;/b&gt;
        
&lt;div&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;Our networked data trails dictate, define, and modulate societies in hitherto inconceivable ways. The ability to access and manipulate that data is a product of stark power asymmetry in geo-politics, leading to a dynamic that privileges the interests of a few over the right to privacy and dignity of the many. I argue that the persistent de facto violation of human rights norms through extraterritorial surveillance conducted by western intelligence agencies, compounded by the failure of judicial intervention in the West, has led to the incapacitation of international human rights law. Despite robust jurisprudence including case law, comments by the United Nations, and widespread state practice on the right to privacy and the application of human rights obligations to extraterritorial stakeholders, extraterritorial surveillance continues with aplomb. Procedural safeguards and proportionality tests regularly sway towards a ‘ritual incantation’ of national security even in scenarios where a less intrusive option is available. The vulnerable citizen abroad is unable to challenge these processes and becomes an unwitting victim of nefarious surveillance practices that further widen global power asymmetry and entrench geo-political fissures.&lt;/div&gt;
&lt;div&gt;&lt;br /&gt;The full article can be found &lt;a href="https://cis-india.org/internet-governance/extraterritorial-algorithmic-surveillance-and-the-incapacitation-of-international-human-rights-law" class="internal-link" title="EXTRATERRITORIAL ALGORITHMIC SURVEILLANCE AND THE INCAPACITATION OF INTERNATIONAL HUMAN RIGHTS LAW"&gt;here&lt;/a&gt;.&lt;/div&gt;

        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/extra-territorial-surveillance-and-the-incapacitation-of-human-rights'&gt;https://cis-india.org/internet-governance/extra-territorial-surveillance-and-the-incapacitation-of-human-rights&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>Arindrajit Basu</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cybersecurity</dc:subject>
    
    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    

   <dc:date>2020-01-02T11:02:26Z</dc:date>
   <dc:type>Blog Entry</dc:type>
   </item>


    <item rdf:about="https://cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security">
    <title>Experts stress on need for enhanced security</title>
    <link>https://cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security</link>
    <description>
        &lt;b&gt;With more and more people falling prey to phishing scams, experts believe that lack of adequate security features in online payment systems will only increase the number of such cases in the coming days. While admitting that the rise in such crimes would be hard to stop or control, cyber security consultants also blame the lack of preparedness before taking the digital economy route as a cause for such problems.&lt;/b&gt;
        &lt;p style="text-align: justify; "&gt;The article was &lt;a class="external-link" href="http://www.newindianexpress.com/cities/bengaluru/2017/may/06/experts-stress-on-need-for-enhanced-security-1601631.html"&gt;published in the New Indian Express&lt;/a&gt; on May 6, 2017. Pranesh Prakash was quoted.&lt;/p&gt;
&lt;hr style="text-align: justify; " /&gt;
&lt;p style="text-align: justify; "&gt;Speaking to Express, Dr A Nagarathna of  the Advanced Centre on Cyber Law and Forensics, National Law School of  India University, said that apart from the push for digital payment  solutions, the merger of various State Bank entities also provided  chances for criminals to exploit gullible people.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;“People tend to give away critical information since cyber criminals  seem so convincing. But they should remember that banks never collect  such information over phone,” she said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;The cyber security features of banks and e-wallets are also  questionable. Banks and e-wallet service providers should be held  accountable for such crimes, so that they make an effort to ensure  necessary safety measures, she said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Pranesh Prakash, Policy Director at the Centre for Internet and Society,  noted that there were security concerns with e-wallets. “Many e-wallet  apps compromise on security in favour of convenience, but, at the same  time, have terms of service that hold customers liable for financial  losses.  There have been many reports of criminals working with rogue  telecom company employees to clone SIM cards and steal money via UPI and  BHIM,” he said.&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;He also criticised the use of biometrics as the only factor for  authorising payments to merchants using Aadhaar Pay.  He noted, “Your  fingerprints cannot be changed, unlike a PIN. So, if a merchant clones  your fingerprint, you cannot revoke it or replace it the way you can  with a debit card and a PIN.”&lt;/p&gt;
&lt;p style="text-align: justify; "&gt;Another activist said the recommendations of the Watal Committee, which looked into digital payments, should be implemented. “As of now, the law does not focus on the need for consumer protection in digital payments. The Payment and Settlement Systems Act, 2007, needs to be updated,” he said.&lt;/p&gt;
        &lt;p&gt;
        For more details visit &lt;a href='https://cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security'&gt;https://cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security&lt;/a&gt;
        &lt;/p&gt;
    </description>
    <dc:publisher>No publisher</dc:publisher>
    <dc:creator>praskrishna</dc:creator>
    <dc:rights></dc:rights>

    
        <dc:subject>Cyber Security</dc:subject>
    
    
        <dc:subject>Internet Governance</dc:subject>
    
    
        <dc:subject>Privacy</dc:subject>
    

   <dc:date>2017-05-20T06:13:19Z</dc:date>
   <dc:type>News Item</dc:type>
   </item>




</rdf:RDF>
