The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 41 to 55.
CIS contributes to the Research and Advisory Group of the Global Commission on the Stability of Cyberspace (GCSC)
http://editors.cis-india.org/internet-governance/blog/cis-contributes-to-the-research-and-advisory-group-of-the-global-commission-on-the-stability-of-cyberspace-gcsc
<b>The Global Commission on the Stability of Cyberspace (GCSC) is an initiative of the Hague Centre for Strategic Studies and the East West Institute that seeks to promote mutual awareness and understanding among various cyberspace communities. It seeks to develop norms and policies that advance the stability and security of cyberspace.</b>
<p style="text-align: justify; ">Chaired by Marina Kaljurand, and Co-Chaired by Michael Chertoff and Latha Reddy, the Commission comprises 26 prominent Commissioners who are experts hailing from a wide range of geographic regions representing multiple communities including academia, industry, government, technical and civil society.</p>
<p style="text-align: justify; ">As a part of their efforts, the GCSC sent out a call for proposals for papers that sought to analyze and advance various aspects of the cyber norms debate.</p>
<p style="text-align: justify; ">Elonnai Hickok and Arindrajit Basu’s paper ‘Conceptualizing an International Security Architecture for Cyberspace’ was selected by the Commissioners and published as a part of the Briefings of the Research and Advisory Group.</p>
<p style="text-align: justify; ">Arindrajit Basu represented CIS at the Cyberstability Hearings held by the GCSC on the sidelines of the <a href="https://www.globsec.org/projects/globsec-2018/">GLOBSEC forum</a> in Bratislava, a multilateral conference seeking to advance dialogue on various issues of international peace and security.</p>
<p style="text-align: justify; ">The published paper and the Power Point may be accessed <a href="https://cyberstability.org/research/issue-brief-2-bratislava/">here.</a></p>
<p style="text-align: justify; ">The agenda for the hearings is reproduced below:</p>
<p style="text-align: justify; ">GCSC HEARINGS, 19 MAY 2018</p>
<p style="text-align: justify; ">HEARINGS: TOWARDS INTERNATIONAL CYBERSTABILITY</p>
<p style="text-align: justify; ">Venue: “Habsburg” room, Grand Hotel River Park</p>
<p style="text-align: justify; ">15:00-15:15 Welcome Remarks by Marina Kaljurand, Chair of the Global Commission on the Stability of Cyberspace (GCSC) and former Foreign Minister of Estonia</p>
<p style="text-align: justify; ">15:15-16:45 Hearing I: Expert Hearing</p>
<p style="text-align: justify; "><i>This session focuses on the topic Cyberstability and the International Peace and Security Architecture and includes scene settings, food-for-thought presentations on the new GCSC commissioned research, briefings and open statements by government and nongovernmental</i> speakers.</p>
<p style="text-align: justify; ">Scene setting: “Cyber Diplomacy in Transition” by Carl Bildt, former Prime Minister of Sweden</p>
<p style="text-align: justify; ">Commissioned Research I: “Lessons learned from three historical case studies on establishing international norms” by Arindrajit Basu, Centre for Internet and Society, India</p>
<p style="text-align: justify; ">Commissioned Research II: “The ‘pre-normative’ framework and options for cyber diplomacy” by Elana Broitman, New America Foundation</p>
<p style="text-align: justify; ">“Some Remarks on current thinking within the United Nations”, by Renata Dwan, Director United Nations Institute for Disarmament Research (UNIDIR) (Registered Statements by Government Advisors) (Statements by other experts)</p>
<p style="text-align: justify; ">(Open floor discussion)</p>
<p style="text-align: justify; ">16:45-17:15 Coffee Break</p>
No publisher | Arindrajit Basu | Cyber Security, Internet Governance, Cyberspace | 2018-07-05T16:00:02Z | Blog Entry
Cybersecurity: The Intersection of Policy and Technology
http://editors.cis-india.org/internet-governance/news/cybersecurity-the-intersection-of-policy-and-technology
<b>Sunil Abraham and Aayush Rathi attended a round-table on 'Cybersecurity: The Intersection of Policy and Technology'. The event was organised by Synergia Foundation, Bengaluru.</b>
<p style="text-align: justify; ">The speakers for the round-table were Deborah Housen-Couriel, Professor at the Kennedy School of Government, Gaurav Gupta - Principal Secretary for IT, BT, and S&T, Government of Karnataka, and Dana Kursh, Consul General of Israel to South India.</p>
<p style="text-align: justify; ">The discussion at the round-table centred on developing approaches aimed at resolving the 'grand challenge' of cyber security. The role of deeper collaborations between various stakeholders such as academia, corporate enterprises, law enforcement and the government in arriving at cogent solutions was emphasised. For more on the discussion at the round-table, a press note can be found <a class="external-link" href="https://www.synergiafoundation.in/news-analysis/cybersecurity-intersection-policy-technology">here</a>.</p>
No publisher | Admin | Cyber Security, Internet Governance | 2018-03-25T03:24:23Z | News Item
People Driven and Tech Enabled – How AI and ML are Changing the Future of Cyber Security in India
http://editors.cis-india.org/internet-governance/blog/people-driven-and-tech-enabled-2013-how-ai-and-ml-are-changing-the-future-of-cyber-security-in-india
<b>On the 27th of February, Peter Sparkes, the Senior Director, Cyber Security Services, Symantec, conducted a webinar on the ‘5 Essentials of Every Next-Gen SOC’. In this webinar, he evaluated the problems that Security Operations Centers (SOCs) are currently facing, and explored possible solutions to these problems. The webinar also put emphasis on AI and ML as tools to improve cyber security. This blog draws key insights from the webinar, and explains how AI and ML can improve the cyber security process of Indian enterprises.</b>
<p style="text-align: justify; "><strong>Introduction</strong></p>
<p style="text-align: justify; ">In a study conducted by Cisco, it was found that in the past 12-18 months, cyber attacks have caused Indian companies to incur financial damages amounting to USD 500,000. <a name="fr1"></a></p>
<p style="text-align: justify; ">There is a need to strengthen the nodal agencies in an enterprise that can deal with these threats to prevent irreparable damage to enterprises and their customers. An SOC within any organization is the team responsible for detecting, monitoring, analyzing, communicating and remedying security threats. The SOC technicians employ a combination of technologies and processes to ensure that an enterprise’s security is not compromised. As instances of cyber attacks increase both in number and sophistication, SOCs need to use state-of-the-art technologies to stay one step ahead of the attackers. Presently, SOCs face a number of infrastructural problems such as the low priority given to a cyber security budget, slower and passive response to threats, dearth of skilled technicians, and the absence of a global intelligence network for cyber-threats. This is where technologies such as Artificial Intelligence and Machine Learning are helping, by monitoring the system to identify cyber attacks, analysing the severity of the threat, and in some cases blocking such threats. <a name="fr2"></a></p>
<p style="text-align: justify; "><strong>Evolution of Security Operations Centers</strong></p>
<p style="text-align: justify; ">In the same study, Cisco looked at the evolution of cyber threats and how companies were using technologies such as AI and ML to ameliorate those threats. Another key insight the study brought out was that 53 and 51 percent of the subject companies were reliant on ML and AI respectively. One of the reasons behind AI and ML’s effectiveness in cyber security is their capacity not only to detect known threats but also to use their learnings from data to detect unknown threats. In his webinar, Peter Sparkes also stated that SOCs were evolving into a ‘people driven and tech enabled’ system.</p>
<p style="text-align: justify; "><strong>People Driven and Tech Enabled</strong></p>
<p style="text-align: justify; ">In the case of cyber security, which in itself is a relatively new field, technologies such as AI and ML are helping companies to not only overcome infrastructural barriers but also to respond proactively to threats. A study conducted by the Enterprise Strategy Group revealed that one-third of the respondents believed that ML technology could detect new and unknown malware.<a name="fr3"></a></p>
<p style="text-align: justify; ">The study also stated that the use of machine learning to detect and prevent threats from unknown malware reduced the number of cases the cyber security team had to investigate.<a name="fr4"></a></p>
<p style="text-align: justify; ">Similarly, the tasks of monitoring and blocking, which were earlier conducted by entry-level analysts, are now done by systems using machine learning. Typically, the AI acts as the first monitoring system, after which the threat is examined by the company’s technicians who possess the requisite skill set and experience. By delegating the time-consuming task of continuous monitoring to an ML system, the technicians now have time to look at serious threats. In this way AI and humans are working together to build a stronger and more responsive security protocol.</p>
<p style="text-align: justify; "><strong>Detecting the Unknown</strong></p>
<p style="text-align: justify; ">Cyber criminals are becoming increasingly sophisticated, and in order to prevent attacks the monitoring systems (both human and automated) need to be able to detect them before the security is compromised. The detection of threats through AI and ML works in much the same way as the identification of spam, where the system is trained on a large amount of data which teaches the algorithm to identify right from wrong.<a name="fr5"></a></p>
<p style="text-align: justify; ">There have been numerous cases of stealthy cyber attacks, such as WannaCry and other ransomware, that have evaded detection by conventional security firewalls and caused crippling damage. There is also the need to use deception technology, which involves automatic detection and analysis of attacks. This technology then tricks the attackers and defeats them to bring back normalcy to the system.</p>
<p style="text-align: justify; ">The systems that can handle threats by themselves do so by following a predetermined procedure, or playbook, where the AI detects activities that go against the procedure/playbook. This is more effective compared to the earlier system where the technicians would analyse the attacks on a case-by-case basis.<a name="fr6"></a></p>
<p style="text-align: justify; ">AI and ML can help in reducing the time required to detect threats enabling technicians to act proactively and prevent damage. As AI and ML systems are less prone to make mistakes compared to human beings, each threat is dealt with in a prompt and accurate manner. AI systems also help by categorising attacks based on their propensity for damage. These systems can use the large volumes of data collected about previous attacks and adapt over time to give enterprises a strong line of defence against attacks.</p>
<p style="text-align: justify; "><strong>Passive to Active Defense</strong></p>
<p style="text-align: justify; ">Threats to cyber security can emerge even in seemingly safe departments, such as Human Resources. It is therefore important to proactively hunt for threats across all departments uniformly.<a name="fr7"></a></p>
<p style="text-align: justify; ">In order to detect an anomaly, the AI and ML system will require both large volumes of data as well as a significant amount of processing power, which is difficult for smaller companies to provide. A possible solution to improve defense is to have a system of sharing SOC data between companies, and thereby creating a global database of intelligence. A system of global intelligence and threat data sharing could help smaller companies combat cyber threats without having to compromise on core business development.</p>
<p style="text-align: justify; "><strong>Use of AI in Cyber Security in India</strong></p>
<p style="text-align: justify; ">In 2017, Indian enterprises were infected by two lethal cyber attacks, Nyetya and Ccleaner, that crept in through trusted software and infected computers.<a name="fr8"></a></p>
<p style="text-align: justify; ">These attacks may just be the tip of the iceberg, since there may be many other attacks that might have gone unreported, or worse, undetected. Cisco reported that less than 55 per cent of the Indian enterprises were reliant on AI or ML for combating cyber threats. Although the current numbers seem bleak, there are a number of Indian enterprises that have recently begun using AI and ML in cyber security.<a name="fr9"></a></p>
<p style="text-align: justify; ">One such example is HDFC bank which is in the process of introducing an AI based Cyber Security Operations Centre (CSOC).<a name="fr10"></a></p>
<p style="text-align: justify; ">This CSOC is based on a four point approach to dealing with threats - prevent, detect, respond and recover. The government of India has also taken its first step towards the use of AI in cyber security through a project that aims to provide cyber forensic services to the various agencies of the government including law enforcement.<a name="fr11"></a></p>
<p style="text-align: justify; ">Indian intelligence agencies have also entered into an agreement with tech startup Innefu, which utilizes AI, to process data and decipher threats by looking at the patterns of past threats.<a name="fr12"></a></p>
<p style="text-align: justify; ">As India is increasingly becoming data dense, both private and public organizations need to consider cyber security with utmost seriousness and protect the data from crippling attacks.</p>
<p style="text-align: justify; "><strong>Conclusion</strong></p>
<p style="text-align: justify; ">Enterprises have become storehouses of user data and the SOCs have a responsibility to protect this data. The companies’ SOCs have been plagued with several problems such as lack of skilled technicians, delay in response time and the inability to proactively respond to attacks. AI and ML can help in a system of continuous monitoring as well as take over the more repetitive and time-consuming tasks, leaving the technicians with more time to work on damage control. It must be kept in mind, however, that AI is not a silver bullet, since attackers will try their best to confuse the AI systems through evasion techniques such as adversarial AI (where the attackers design machine learning models that are intended to confuse the AI model into making a mistake).<a name="fr13"></a></p>
<p style="text-align: justify; ">Hence, human intervention and monitoring of AI and ML systems in cyber security is essential to maintain the defence and protection mechanisms of enterprises.</p>
<p style="text-align: justify; ">A few topics that Indian SOCs need to consider while using AI and ML <strong>:</strong></p>
<p style="text-align: justify; ">1. The companies need to understand that AI and ML need human expertise and supervision to be effective, and hence substituting AI for people is not ideal.</p>
<p style="text-align: justify; ">2. The companies need to give equal if not more importance to data security.</p>
<p style="text-align: justify; ">3. The companies need to constantly upgrade their systems and re-skill their technicians to combat cyber security threats.</p>
<p style="text-align: justify; ">4. The AI and ML systems need to be regularly audited to ensure that they are not compromised by cyber attacks and also to ensure that they are not generating false positives.</p>
<div style="text-align: justify; ">
<hr />
<p style="text-align: justify; ">[<a name="fn1"></a>]. <span>Cisco, (2018, February). Annual Cybersecurity Report. Retrieved March 8, 2018, from https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/acr2018/acr2018final.pdf?dtid=odicdc000016&ccid=cc000160&oid=anrsc005679&ecid=8196&elqTrackId=686210143d34494fa27ff73da9690a5b&elqaid=9452&elqat=2</span></p>
</div>
<p style="text-align: justify; ">[<a name="fn2"></a>]. <span>Ibid.</span></p>
<p style="text-align: justify; ">[<a name="fn3"></a>]. <span>Enterprise Strategy Group (2017, March). Top-of-mind Threats and Their Impact on Endpoint Security Decisions. Retrieved March 8, 2018, from https://www.cylance.com/content/dam/cylance/pdfs/reports/ESG-Research-Insights-Report-Summary-Cylance-Oct-2017.pdf</span></p>
<p style="text-align: justify; ">[<a name="fn4"></a>]. <span>Ibid.</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn5" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>Vorobeychik, Y. (2016). Adversarial AI. Retrieved March 8, 2018, from https://www.ijcai.org/Proceedings/16/Papers/609.pdf</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn6" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>Quora. (2018, February 15). How Will Artificial Intelligence And Machine Learning Impact Cyber Security? Retrieved March 8, 2018, from https://www.forbes.com/sites/quora/2018/02/15/how-will-artificial-intelligence-and-machine-learning-impact-cyber-security/#569454786147</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn7" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>Sparkes, P. (2018, February 27). The 5 Essentials of Every Next-Gen SOC. Retrieved March 8, 2018, from https://www.brighttalk.com/webcast/13389/303251/the-5-essentials-of-every-next-gen-soc</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn8" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>PTI. (2018, February 21). Indian companies lost $500,000 to cyber. Retrieved March 8, 2018, from https://economictimes.indiatimes.com/tech/internet/indian-companies-lost-500000-to-cyber-attacks-in-1-5-years-cisco/articleshow/63019927.cms</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn9" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>Cisco, (2018, February). Annual Cybersecurity Report. Retrieved March 8, 2018, from https://www.cisco.com/c/dam/m/digital/elq-cmcglobal/witb/acr2018/acr2018final.pdf?dtid=odicdc000016&ccid=cc000160&oid=anrsc005679&ecid=8196&elqTrackId=686210143d34494fa27ff73da9690a5b&elqaid=9452&elqat=2</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn10" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>Raval, A. (2018, January 30). AI takes cyber security to a new level for HDFC Bank. Retrieved March 8, 2018, from http://computer.expressbpd.com/magazine/ai-takes-cyber-security-to-a-new-level-for-hdfc-bank/23580/</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn11" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>“The Centre for Development of Advanced Computing (C-DAC) under the Ministry of Electronics and Information Technology (MeitY) is working on a project to provide cyber forensic services to law-enforcing and other government and non-government agencies.” Ohri, R. (2018, February 15). Government readies AI-muscled cyber security plan. Retrieved March 8, 2018, from https://economictimes.indiatimes.com/news/politics-and-nation/government-readies-ai-muscled-cyber-security-plan/articleshow/62922403.cms utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn12" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>Chowdhury, P.A. (2017, January 30). Cyber Warfare at large in Southeast Asia, India leverages AI for the same cause Retrieved March 8, 2018, from https://analyticsindiamag.com/cyber-warfare-large-southeast-asia-india-leverages-ai-cause/</span></p>
<p style="text-align: justify; "><span style="text-align: justify; ">[</span><a name="fn13" style="text-align: justify; "></a><span style="text-align: justify; ">]. </span><span>Open AI. (2017, February 24). Attacking Machine Learning with Adversarial Examples. Retrieved March 8, 2018, from https://blog.openai.com/adversarial-example-research/</span></p>
No publisher | Shweta Mohandas | Cyber Security, Internet Governance | 2018-03-11T15:30:50Z | Blog Entry
Multinational Cyber Security Forum at University of Haifa
http://editors.cis-india.org/internet-governance/news/multinational-cyber-security-forum-at-university-of-haifa
<b>Sunil Abraham participated in a meeting in Israel on the Multinational Cyber Security Forum, hosted by the Center for Cyber, Law and Policy and the University of Haifa in collaboration with the Hewlett Foundation Cyber Initiative.</b>
<p style="text-align: justify; ">The workshop was held from November 5 to 7, 2017. The objective of the workshop was to facilitate a free and open exchange among participants under the Chatham House Rules. The workshop sought to identify areas of agreement and dissent pertaining to cyber security regulation and to explore issues that require further research, clarification and development.</p>
No publisher | Admin | Cyber Security, Internet Governance | 2017-11-27T14:34:59Z | News Item
Govt working to set up financial CERT to tackle cyber threats
http://editors.cis-india.org/internet-governance/news/livemint-november-16-2017-komal-gupta-govt-working-to-set-up-financial-cert-to-tackle-cyber-threats
<b>IT secretary Ajay Prakash Sawhney says the government is getting the framework in place for financial CERT, which will be followed by other sectoral CERTs later.</b>
<p style="text-align: justify; ">The article by Komal Gupta was <a class="external-link" href="http://www.livemint.com/Industry/KMK5eQsbcJpYvEMPfp5MHI/Govt-working-to-set-up-financial-CERT-to-tackle-cyber-threat.html">published in Livemint</a> on November 16, 2017.</p>
<hr />
<p style="text-align: justify; ">The government is working to set up a financial Computer Emergency Response Team (CERT) to tackle a rise in cyber threats to India’s financial institutions.</p>
<p style="text-align: justify; ">This will be the first sectoral CERT to be introduced in India, said IT secretary Ajay Prakash Sawhney on Wednesday.</p>
<p style="text-align: justify; ">“Right now, the one which is directly being worked on is the financial CERT. We are getting the framework in place and once that is there, we will look at other sectors,” said Sawhney, responding to a question on the progress of setting up of sectoral CERTs in the country. “It will oversee the entire financial sector including banks and financial institutions,” he added.</p>
<p style="text-align: justify; ">He was addressing the Asia Pacific Computer Emergency Response Team (APCERT) Open Conference in the capital on Wednesday.</p>
<p style="text-align: justify; ">In March, the power ministry had announced setting up of four sectoral CERTs for cyber security in power systems—CERT (Transmission), CERT (Thermal), CERT (Hydro) and CERT (Distribution).</p>
<p style="text-align: justify; ">According to Sawhney, as of now, there is a national CERT and no other sectoral CERTs. While addressing the conference, he said one of the themes to be discussed will be “How sectoral CERTs can function in conjunction with the national CERT.”</p>
<p style="text-align: justify; ">CERT-In is the national nodal agency under the ministry of electronics and IT (MeitY), which deals with cyber security threats such as hacking and phishing. The agency is tasked with the collection, analysis and dissemination of information on cyber incidents and even taking emergency measures for handling cyber security incidents.</p>
<p style="text-align: justify; ">“The biggest task of sectoral CERT is to share information with the others in the industry. For example, if a bank undergoes an attack; normally the bank will perform all the necessary actions to limit the attack and to prevent it from happening in the future. But the obligation of sharing how the attack happened with all the other banks in India to make sure that they can protect their respective systems from such an attack, can be carried out by a financial CERT,” said Udbhav Tiwari, programme manager at the Centre for Internet and Society, a Bengaluru-based think tank.</p>
<p style="text-align: justify; ">“From April to October 2017, around 50,000 cyber security incidents have been handled by CERT-In; including phishing, malware attacks, attacks on digital payments and targeted attacks on some of the critical industries,” said cyber security chief Gulshan Rai, who was also present at the event.</p>
<p style="text-align: justify; ">A total of 50 incidents of cyber attacks affecting 19 financial organizations have been reported from 2016 till June 2017, <a href="http://www.livemint.com/Industry/MBqlWLIFkpR4W34sdA6TqN/50-cyber-attack-incidents-reported-in-financial-sector-govt.html" target="_blank">PTI </a>reported in August.</p>
No publisher | Admin | Cyber Security, Internet Governance | 2017-11-25T02:28:18Z | News Item
Cyberattacks a significant threat to democracy: Modi
http://editors.cis-india.org/internet-governance/news/livemint-november-24-2017-komal-gupta-cyberattacks-a-significant-threat-to-democracy-modi
<b>We have to ensure that cyberspace does not become a playground for dark horses of radicalism, says PM Narendra Modi at the fifth Global Conference on Cyber Space in Delhi.</b>
<p style="text-align: justify; ">The article by Komal Gupta was published in <a class="external-link" href="http://www.livemint.com/Industry/S0TsLMI3yEzlc6XSxdUmtK/Cyberattacks-a-significant-threat-to-democracy-Narendra-Mod.html">Livemint</a> on November 24, 2017.</p>
<hr />
<p style="text-align: justify; ">Prime Minister Narendra Modi on Thursday said creating a safe and secure cyberspace is on the primary agenda of the government as cyberattacks were a threat to democracy.</p>
<p style="text-align: justify; ">Modi’s assurance of decisively dealing with cyberattacks comes at a time when policymakers are making an unprecedented push to popularize digital transactions and cut down use of cash in order to have a more transparent and accountable economic environment. The government is at present working on a draft policy for tackling ransomware, a malicious software.</p>
<p style="text-align: justify; ">“We have to ensure that cyberspace does not become a playground for dark horses of radicalism,” Modi said, while inaugurating the fifth Global Conference on Cyber Space (GCCS) in the national capital.</p>
<p style="text-align: justify; ">A total of 50 incidents of cyberattacks affecting 19 financial organizations were reported from 2016 until June 2017, <i>PTI </i>reported in August.</p>
<p style="text-align: justify; ">With multiple cyberattacks affecting key infrastructure assets like ports and major payment companies recently, the government has decided to come out with a draft policy for tackling ransomware, a senior government official told <i>Mint </i>during the conference. “CERT-In (The Indian Computer Emergency Response Team) is working on a draft policy for tackling ransomware which will be put up for consultation by various stakeholders, including organized enterprise users of IT (Information Technology), solution providers and internet service providers (ISPs),” Ajay Kumar, additional secretary in the ministry of electronics and information technology said.</p>
<p style="text-align: justify; ">Kumar said the draft policy will focus on the proprietary steps the country will take in case of a ransomware attack. This will include the steps for the sharing of information to try and restrict the loss as much as possible. A centre of excellence will be set up to find solutions to attacks or neutralise the malware, he added.</p>
<p style="text-align: justify; ">The need to set up a safe and secure cyberspace is one of the major concerns of the government as it is moving to create a ‘less-cash’ economy. Earlier this year, the government announced the “DigiDhan Mission” to achieve a 25 billion digital transactions target, outlined in the Union budget for this fiscal.</p>
<p style="text-align: justify; ">Modi said empowerment through digital access is the aim of the government and digital technology has saved around $10 billion so far by eliminating middlemen.</p>
<p style="text-align: justify; ">The MyGov platform is a prime example of how technology strengthens offices. PRAGATI has resulted in faster governance decisions through general consensus, he added.</p>
<p style="text-align: justify; ">PRAGATI (Pro-Active Governance And Timely Implementation) is an interactive platform aimed at addressing the common man’s grievances and monitoring and reviewing programmes and projects of the central and state governments.</p>
<p style="text-align: justify; ">Umang stands for Unified Mobile Application for New-age Governance. It provides all pan India e-Gov services ranging from central to local government bodies and other citizen-centric services like Aadhaar and Digilocker on one single platform or mobile app.</p>
<p style="text-align: justify; ">Modi said, “the app will provide over hundred citizen-centric services. It will automatically add pressure among peers and result in a better performance.”</p>
<p style="text-align: justify; ">Law and IT minister Ravi Shankar Prasad, speaking at the event, said privacy of individuals was of utmost importance but “privacy cannot withhold innovation.” He further said the citizens’ right of accessing the internet is “non-negotiable” and the government will not allow any company to restrict people’s entry to the worldwide web.</p>
<p style="text-align: justify; ">Speaking on Facebook’s Free Basics programme, Prasad said the government did not allow the social networking giant’s programme because it offered access to select internet services. Facebook had introduced its Free Basics programme in India in 2015 to offer free basic internet access to people in partnership with telecom operators. Prasad said the idea behind Free Basics was that everything will be free, namely education, health, entertainment and others, if one enters the Net through one gate (Facebook’s).</p>
<p style="text-align: justify; ">“I said India is a democracy, we don’t believe in one gate. We believe in multiple gates. Therefore, this gate locking for India will not be accepted and I did not allow it. This stems (from) our commitment that internet must be accessible to all,” he added.</p>
<p style="text-align: justify; ">Sri Lankan Prime Minister Ranil Wickremesinghe, who was present at the event, said there was no legal framework on cyberspace and he hoped the conference would lead to a consensus to finalize the terms of the framework. “Our government has a lot more to do in net neutrality but we have taken progressive and revolutionary step in this regard,” added Wickremesinghe.</p>
<p style="text-align: justify; ">Wickremesinghe is on a four-day visit to India with the aim of boosting bilateral ties.</p>
<p style="text-align: justify; ">On the first day of the conference, India agreed to establish a joint working group with Iran to work in different IT areas.</p>
<p style="text-align: justify; ">India will provide technical advice to Mauritius for setting up the digilocker infrastructure. An MoU has been signed with Denmark for future cooperation in the IT sector.</p>
<p style="text-align: justify; ">“While a policy on ransomware is welcome, there is much more to be done. Implementation of the 2014 National Cybersecurity Policy has been very slow. Even the simplest bits, such as a secure process for receiving vulnerability disclosure has been lacking,” said Pranesh Prakash, policy director at the Centre for Internet and Society, a Bengaluru-based think tank.</p>
<p style="text-align: justify; "><i>PTI contributed to this story.</i></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/livemint-november-24-2017-komal-gupta-cyberattacks-a-significant-threat-to-democracy-modi'>http://editors.cis-india.org/internet-governance/news/livemint-november-24-2017-komal-gupta-cyberattacks-a-significant-threat-to-democracy-modi</a>
</p>
No publisher | Admin | Cyber Security, Internet Governance, Privacy | 2017-11-24T13:29:17Z | News Item
Financial CERT to combat cyber threats, says MoS home affairs
http://editors.cis-india.org/internet-governance/news/ciso-mag-financial-cert-to-combat-cyber-threats-says-mos-home-affairs
<b>To tackle cyber threats to India’s financial institutions, the central government is mulling the establishment of a financial Computer Emergency Response Team (CERT).</b>
<p style="text-align: justify; ">This was published by <a class="external-link" href="https://www.cisomag.com/financial-cert-combat-cyber-threats-says-mos-home-affairs/">CISO MAG</a> on November 17, 2017</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Addressing the 15th Asia Pacific Computer Emergency Response Team (APCERT) Open Conference in New Delhi on November 15, 2017, IT Secretary Ajay Prakash Sawhney said, “right now, the one which is directly being worked on is the financial CERT. We are getting the framework in place and once that is there, we will look at other sectors. It will oversee the entire financial sector including banks and financial institutions.”<br /><br />In March this year, the power ministry had announced that it would create four sectoral CERTs for cybersecurity in power systems: CERT (Transmission), CERT (Thermal), CERT (Hydro), and CERT (Distribution).<br /><br />Udbhav Tiwari, program manager at the Centre for Internet and Society, a Bengaluru-based think tank, highlighted the responsibilities of the financial CERT in a conversation with Live Mint. “The biggest task of sectoral CERT is to share information with the others in the industry. For example, if a bank undergoes an attack, normally the bank will perform all the necessary actions to limit the attack and to prevent it from happening in the future. But the obligation of sharing how the attack happened with all the other banks in India to make sure that they can protect their respective systems from such an attack, can be carried out by a financial CERT,” he said.<br /><br />Cybersecurity Chief Gulshan Rai, who was also present at the event, said “from April to October 2017, around 50,000 cyber security incidents have been handled by CERT-In; including phishing, malware attacks, attacks on digital payments and targeted attacks on some of the critical industries.”<br /><br />On August 1, 2017, MoS home affairs Hansraj Gangaram Ahir had said “as per the information by the Indian computer emergency response team (CERT-In), 50 incidents affecting 19 financial organizations have been reported during the period of November, 2016 to June, 2017.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/ciso-mag-financial-cert-to-combat-cyber-threats-says-mos-home-affairs'>http://editors.cis-india.org/internet-governance/news/ciso-mag-financial-cert-to-combat-cyber-threats-says-mos-home-affairs</a>
</p>
No publisher | Admin | Cyber Security, Internet Governance | 2017-11-23T16:07:21Z | News Item
Global Commission on the Stability of Cyberspace (GCSC)
http://editors.cis-india.org/internet-governance/news/global-commission-on-the-stability-of-cyberspace-gcsc
<b>The Global Commission on the Stability of Cyberspace organized a meeting on November 21, 2017 in New Delhi. The meeting took place at Taj Diplomatic Enclave Hotel on the sidelines of the 5th Global Conference on Cyberspace. Pranesh Prakash participated in the event.</b>
<p>GCSC commissioners engaged in discussions with leading experts on cyber diplomacy, cyber norms and counter-proliferation. See the Draft Agenda <a class="external-link" href="http://cis-india.org/internet-governance/files/cyber-security-hearings-gsc">here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/global-commission-on-the-stability-of-cyberspace-gcsc'>http://editors.cis-india.org/internet-governance/news/global-commission-on-the-stability-of-cyberspace-gcsc</a>
</p>
No publisher | Admin | Cyber Security, Internet Governance | 2017-11-23T14:38:12Z | News Item
Roundtable on Enhancing Indian Cyber Security through Multi-Stakeholder Cooperation
http://editors.cis-india.org/internet-governance/events/roundtable-on-enhancing-indian-cyber-security-through-multi-stakeholder-cooperation
<b>A closed door round-table on enhancing Indian cyber security is being organized on 4 November 2017 at Indian Islamic Centre, Lodhi Road in New Delhi.</b>
<p style="text-align: justify; ">With the proliferation of digital technologies and the central role they play in national infrastructure and governance, security of systems and services is fundamental to the economic, political, and social development and success of a nation. Digital India, the National Payments Corporation of India, IndiaStack, and the Aadhaar ecosystem are just a few examples of such digital infrastructure. Yet the digital realm is increasingly becoming more complex and difficult to secure and monitor for vulnerabilities, threats, breaches, and attacks. The responsibility of identifying and monitoring such vulnerabilities can be spearheaded by designated governmental bodies like CERT-IN and NCIIPC, but for effective identification of threats and vulnerabilities, collaboration is needed across stakeholder groups including security researchers, industry, and government bodies. Transparency about breaches and attacks is also key in enabling consumer awareness and building trust with the public. Examples of such mechanisms include bug bounty programs and breach notification frameworks.</p>
<p style="text-align: justify; ">This closed door roundtable will seek to bring together government, industry, civil society, academia, and security researchers to identify different areas and tools of collaboration between stakeholders towards enhancing Indian cyber security. It will broadly focus on vulnerability identification and reporting and vulnerability/breach notification. This will include a reflection on:</p>
<ul>
<li>Existing frameworks, forms of collaborations, policies and practices in India.</li>
<li>Practices, standards, certifications, and programmes adopted in other jurisdictions.</li>
<li style="text-align: justify; ">The way forward for India addressing issues like establishing trust, harmonization and communication across stakeholders and sectors, and ensuring quality and response.</li>
</ul>
<p>RSVP: <a class="mail-link" href="mailto:pranav@cis-india.org">pranav@cis-india.org</a></p>
<hr />
<h3><a class="external-link" href="http://cis-india.org/internet-governance/files/invitation-for-multi-stakeholder-roundtable-on-cyber-security">Download the Invite</a></h3>
<h3><a class="external-link" href="http://cis-india.org/internet-governance/files/enhancing-indian-cyber-security-through-multi-stakeholder-cooperation"><b>See the Report</b></a></h3>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/events/roundtable-on-enhancing-indian-cyber-security-through-multi-stakeholder-cooperation'>http://editors.cis-india.org/internet-governance/events/roundtable-on-enhancing-indian-cyber-security-through-multi-stakeholder-cooperation</a>
</p>
No publisher | Admin | Cyber Security, Event, Internet Governance | 2018-02-01T14:04:36Z | Event
CyFy 2017
http://editors.cis-india.org/internet-governance/news/cy-fy-2017
<b>CyFy is a conference on internet governance and cyber security organised by the Observer Research Foundation (ORF) in New Delhi between 2 and 4 October 2017. Sunil Abraham was a speaker.</b>
<p style="text-align: justify; ">Sunil Abraham was a speaker on a panel titled "Security Through Identity?" on 4 October 2017 and chaired an invite-only session titled "Encryption: The End of Surveillance?" on 3 October 2017. Saikat Dutta and Udbhav Tiwari also participated in the encryption session. Saikat was a speaker in a session titled "Digital Vulnerabilities: Capacity Building for Tackling Cyber Crime" on 3 October 2017. Udbhav Tiwari chaired a session titled "Dangerous Disclosures: Cyber Security Incident Reporting" on 4 October 2017.</p>
<p style="text-align: justify; ">Conference agenda <a class="external-link" href="http://cis-india.org/internet-governance/files/cyfy-2017-agenda">here</a></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/cy-fy-2017'>http://editors.cis-india.org/internet-governance/news/cy-fy-2017</a>
</p>
No publisher | Admin | Cyber Security, Internet Governance | 2017-11-26T09:36:25Z | News Item
Zomato hack: You need to enhance online security with a password manager
http://editors.cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-may-23-2017-zomato-hack-you-need-to-enhance-online-security-with-a-password-manager
<b>Hacking incident at Zomato underlines need to employ different passwords for different accounts.</b>
<p style="text-align: justify; ">The article by Sanjay Kumar Singh was published in the <a class="external-link" href="http://www.business-standard.com/article/companies/zomato-hack-you-need-to-enhance-online-security-with-a-password-manager-117052201261_1.html">Business Standard</a> on May 23, 2017.</p>
<hr />
<p style="text-align: justify; ">Recently, food-tech company Zomato suffered a security breach where 17 million user records were stolen, including email addresses and passwords. Such hacking incidents can have wider consequences, including, in the gravest of scenarios, financial losses. They emphasise the need for people to adopt newer protection mechanisms, such as password managers.</p>
<p style="text-align: justify; ">In Zomato's case, the passwords are said to be hashed, which means they were converted into unintelligible characters. However, experts say that depending on the hashing protocol used, hashes can be re-engineered to generate the password.</p>
<p style="text-align: justify; ">The hacking of one account can have wider ramifications. "By hacking one account, hackers get access to your email ID and password. To save themselves the bother of remembering many passwords, users often use the same password in all their accounts. So, the hackers get access to your email and other accounts. Sometimes, they use your email account to reset the passwords in your other accounts," explains Shomiron Das Gupta of NetMonastery, a threat management provider. He adds that people often store sensitive information, including their net banking and credit card numbers and passwords within their email accounts. Also, on a website like Amazon, you can only view the last four digits of your credit card number. Other websites may not blur this information, in which case hackers would get access to this and other sensitive information.</p>
<p style="text-align: justify; ">Experts recommend you create complex passwords and use different ones for different accounts. Since generating complex passwords and remembering them all is difficult, you should use a password manager. Some of the good ones are LastPass, 1Password, Dashlane and TrueKey.</p>
<p style="text-align: justify; "><span class="p-content">Password managers can generate long and complex passwords that are difficult to replicate. They also remember on your behalf the passwords on all the sites and apps you use. Also, hackers sometimes steal passwords by inserting a malware that copies keystrokes. Since a password manager inputs the password, you don't have to type them in, thereby doing away with the risk of your keystrokes being captured and stolen.</span></p>
<div style="text-align: justify; ">
<div style="float: left; "><img align="left" alt="graph" class="imgCont" height="352" src="http://bsmedia.business-standard.com/_media/bs/img/article/2017-05/22/full/1495477165-3235.jpg" style="float: left; " title="graph" width="220" /></div>
A password manager is a secure vault that stores all your passwords. You get access to the vault with a master password. Instead of remembering many passwords, you have to remember just one.</div>
<p style="text-align: justify; ">Browsers like Google Chrome and Mozilla Firefox also offer password managers. However, if you wish to use your password manager across browsers and apps, use a third-party one like those mentioned above. And while a password manager that is stored locally is safer, one that is cloud-based is more convenient, since you can use it across devices having internet connection. Password managers also offer two-factor authentication. They either send a password to your phone or generate it on your device. Unless your device also gets stolen, the password manager is difficult to break into.</p>
<p style="text-align: justify; ">As for whether password managers are themselves safe, experts concede they are a prime target for hackers who know that the information stored within will be valuable. "The password manager is safe provided you set a strong master password. Your password should have at least 13 characters of which two should be small, two should be in capital, two should be random numbers, and two should be special characters. Using a word that is not there in the dictionary will enhance its strength. Keep changing your master password every three-six months," says Udbhav Tiwari, policy officer at the Centre for Internet and Society, Bengaluru. Since their primary job is to provide security, most password managers do have strong security practices, he adds.</p>
<p><span class="p-content">Most password managers offer a free account but you have to pay to use their advanced security features.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-may-23-2017-zomato-hack-you-need-to-enhance-online-security-with-a-password-manager'>http://editors.cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-may-23-2017-zomato-hack-you-need-to-enhance-online-security-with-a-password-manager</a>
</p>
No publisher | praskrishna | Cyber Security, Internet Governance, Privacy | 2017-05-23T15:54:50Z | News Item
Hacker steals 17 million Zomato users’ data, briefly puts it on dark web
http://editors.cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web
<b>Records of 17 million users were stolen from online restaurant search platform Zomato, the company said in a blog post on Thursday.</b>
<p style="text-align: justify; ">The article by Kim Arora and Digbijay Mishra with inputs from Ranjani Ayyar in Chennai was <a class="external-link" href="http://timesofindia.indiatimes.com/india/hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web/articleshow/58742129.cms">published in the Times of India</a> on May 19, 2017. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: justify; ">According to information security blog and news website <a class="key_underline" href="http://timesofindia.indiatimes.com/topic/HackRead">HackRead</a>, the data was being peddled online on the "dark web" for about $1,000. The company, also a food delivery platform, advised users to change passwords. However, late on Thursday night, <a class="key_underline" href="http://timesofindia.indiatimes.com/topic/Zomato">Zomato</a> claimed it had contacted the hacker and persuaded him/her to not only destroy all copies of the data, but also to take the database off the dark web marketplace. The company said it will post an update on how the breach happened once they "close the loopholes".</p>
<p style="text-align: justify; ">In an official blog updated with this information, Zomato said, "The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers." Bug bounties are a standard program among tech companies, where they reward outsiders to highlight bugs and flaws in their software systems.</p>
<p style="text-align: justify; ">The number of user accounts compromised was pegged at 17 million earlier in the day. In the late night update, Zomato said password hashes (passwords in a scrambled, encrypted form) of 6.6 million users were compromised. It wasn't immediately clear whether this 6.6 million was part of the 17 million records stolen.</p>
<p style="text-align: justify; ">Zomato tried assuring users that payment information was safe. "Please note that only 5 data points were exposed - user IDs, names, usernames, email addresses, and password hashes with salt- that is, passwords that were encrypted and would be unintelligible. No other information was exposed to anyone (we have a copy of the 'leaked' database with us). Your payment information is absolutely safe, and there's no need to panic," said the late night update.</p>
<p style="text-align: justify; ">However, the information security community raised concerns over the technique used for "hashing" or encrypting the passwords. A screenshot of the vendor's sale page for stolen data posted on HackRead identifies the hashing algorithm as "MD5", which experts say is "outdated" and "insecure". The research team at infySEC -- a cyber security company from Chennai -- tried to access user information in Zomato's database, as part of its bug bounty program. "We were able to access user names, email IDs, addresses and history of transactions. We highlighted this to Zomato but we have not heard from them," said Karthick Vigneshwar, director, infySEC.</p>
<p style="text-align: justify; ">Zomato joins a long list of tech-enabled businesses that have recently had user data stolen. Such data can ostensibly be used by malicious actors to send phishing mails, or even by hackers to carry out cyber attacks. In February 2017, content delivery network CloudFlare's customer data was leaked. The data leaked had not just password hashes, but even customers' IP addresses and private messages. In June 2015, online password management service LastPass was hacked and had its data leaked online.</p>
<p style="text-align: justify; ">"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Zomato's chief technology officer Gunjan Patidar said in the blog which was updated twice through the day. Affected users have been logged out of the website and the app.</p>
<p style="text-align: justify; ">Password "hashing" is an encryption technique usually used for large online user databases. The strength of the encryption depends on the algorithm employed to do the same. "Salting" is the addition of a string of characters to the passwords when stored on such a database, which adds another layer of difficulty in cracking them.</p>
<p style="text-align: justify; ">In an email to TOI, a company spokesperson said, "Over the next couple of days, we'll be actively working to improve our security systems — we'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorisation for internal teams having access to this data to avoid any human breach."</p>
<p style="text-align: justify; ">HackRead, a security blog and news website, found the stolen Zomato database of 17 million users for sale on what is called the "dark web". This can be described as a portion of the content available on the World Wide Web, away from the public internet. This content is not indexed on search engines like Google, and can only be accessed using software that can route around the public internet to get there.</p>
<p style="text-align: justify; ">According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is inappropriate for encrypting passwords. "If MD5 was used, it shows bad security practices were in place. It isn't industry standard to use this algorithm for password hashing. Algorithms like bcrypt, scrypt, are more secure," says Pranesh Prakash, policy director at Bengaluru's Centre for Internet and Society.</p>
<p style="text-align: justify; ">What if a user does not use an exclusive Zomato account to sign into the service, but signs in through a Google or Facebook account? "In that case, just to be safe, you can delink your Zomato from the account you use to sign in, although your password will not be at risk," says Prakash. Zomato says, 60% of its users use such third party authorisation, and they are at "zero risk."</p>
<p style="text-align: justify; ">Would Zomato be liable to compensate end users for loss of sensitive data? Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act hold sensitive data and are expected to have reasonable security protocols in place. Should an end user face any loss/damage due to a data breach, they can sue Zomato and seek compensation." While most players have end user agreements and disclaimers in place, Duggal adds that the IT Act will prevail over any other law or contract to the extent it is inconsistent.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web'>http://editors.cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web</a>
</p>
No publisher | praskrishna | Cyber Security, Hacking, Internet Governance, Privacy | 2017-05-20T05:57:14Z | News Item
Experts stress on need for enhanced security
http://editors.cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security
<b>With more and more people falling prey to phishing scams, experts believe that lack of adequate security features in online payment systems will only increase the number of such cases in the coming days. While admitting that the rise in such crimes would be hard to stop or control, cyber security consultants also blame the lack of preparedness before taking the digital economy route as a cause for such problems.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://www.newindianexpress.com/cities/bengaluru/2017/may/06/experts-stress-on-need-for-enhanced-security-1601631.html">published in the New Indian Express</a> on May 6, 2017. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Speaking to Express, Dr A Nagarathna of the Advanced Centre on Cyber Law and Forensics, National Law School of India University, said that apart from the push for digital payment solutions, the merger of various State Bank entities also provided chances for criminals to exploit gullible people.</p>
<p style="text-align: justify; ">“People tend to give away critical information since cyber criminals seem so convincing. But they should remember that banks never collect such information over phone,” she said.</p>
<p style="text-align: justify; ">The cyber security features of banks and e-wallets are also questionable. Banks and e-wallet service providers should be held accountable for such crimes, so that they make an effort to ensure necessary safety measures, she said.</p>
<p style="text-align: justify; ">Pranesh Prakash, Policy Director at the Centre for Internet and Society, noted that there were security concerns with e-wallets. “Many e-wallet apps compromise on security in favour of convenience, but, at the same time, have terms of service that hold customers liable for financial losses. There have been many reports of criminals working with rogue telecom company employees to clone SIM cards and steal money via UPI and BHIM,” he said.</p>
<p style="text-align: justify; ">He also criticised the use of biometrics as the only factor for authorising payments to merchants using Aadhaar Pay. He noted, “Your fingerprints cannot be changed, unlike a PIN. So, if a merchant clones your fingerprint, you cannot revoke it or replace it the way you can with a debit card and a PIN.”</p>
<p style="text-align: justify; ">Another activist said the recommendations of Watal Committee, which looked into digital payments, should be implemented. “As of now, the law does not focus on the need for consumer protection in digital payments. The Payment and Settlement Systems Act, 2007, needs to be updated,” he said.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security'>http://editors.cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security</a>
</p>
No publisher | praskrishna | Cyber Security, Internet Governance, Privacy | 2017-05-20T06:13:19Z | News Item
What’s Hard To Digest About The Zomato Hacking
http://editors.cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking
<b>Yet another day, yet another major security breach. But, this time it’s not a presidential candidate in the U.S. or the U.K.’s National Health Service. Instead, it’s Zomato, the popular Indian online food delivery and restaurant search service.</b>
<div class="story__element__wrapper" style="text-align: justify; ">
<div class="story__element__text story__element">
<div class="story-element-">
<p>The blog post by Aayush Ailawadi was published by <a class="external-link" href="https://www.bloombergquint.com/technology/2017/05/18/whats-hard-to-digest-about-the-zomato-hacking">Bloomberg Quint</a> on May 19, 2017. Pranesh Prakash was quoted.</p>
<hr />
<p>The company disclosed that data from 17 million user accounts was stolen in a security breach. It said in <a href="http://blog.zomato.com/post/160791675411/security-notice" target="_blank">its blog</a> that no financial details were at risk and only user IDs, usernames, names, email addresses and password hashes had been compromised.</p>
</div>
</div>
</div>
<div class="story__element__wrapper" style="text-align: justify; ">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Throughout the course of the day, the company kept updating its blog post and offered different sets of advice to its users. In an earlier post, it only recommended changing one’s password on other sites if you are “paranoid about security like us”. Later, that post mentioned that the passwords were “salted” and hence had an extra layer of security but it still “strongly advises” customers to change passwords.</p>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>In an emailed response, the company explained to BloombergQuint, “We made our disclosure very early, soon after we discovered that it happened. We wanted to be proactive in communicating to our users. As we found more details about the leak, we updated the information.”</p>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>But, that wasn’t the only problem. The data was put up on the dark web for sale by the hacker, and the seller was apparently charging 0.5521 bitcoins, or $1001.45, for the data. According to the post, the passwords were stored by Zomato using MD5 encryption, which according to security experts is antiquated and unsuitable for password encryption.</p>
<div class="__container">
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Late on Thursday night, the story took an interesting turn when the company updated <a href="http://blog.zomato.com/post/160807042556/security-notice-update" target="_blank">its blog post yet again</a>. It said that it had gotten in touch with the hacker who was selling the data on the dark web and that apparently the hacker had been very cooperative and helpful. “He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” the company said.</p>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Usually, when hackers around the world attack with ransomware, they demand a massive amount of bitcoins as ransom. But, in this case the company claims that all the hacker wants is the assurance that the company will introduce a bug bounty program on Hackerone soon. In return, the hacker has agreed to destroy all copies of the stolen data and take the data off the dark web marketplace.</p>
</div>
</div>
</div>
</div>
<div class="card-block-qsection-technology card">
<div class="__container">
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>But, while it may seem like the storm has passed for Zomato, cybersecurity experts like Pranesh Prakash at the Centre for Internet & Society believe that a lot more could have been done by the company in such a case.</p>
</div>
</div>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<h3><b>Disclose To Confuse?</b></h3>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Concern #1: Prakash feels that Zomato got it all wrong by issuing multiple disclosures and not addressing the problem at hand, which was to clearly explain what happened and immediately request customers to change similar passwords on other websites.</p>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<h3><b>What’s So Scary About The Zomato Hacking?</b></h3>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Concern #2: BloombergQuint reached out to Zomato to confirm whether the passwords were encrypted with “MD5”, a hashing algorithm that Prakash and other Twitter users who accessed the seller’s page on the dark web believe was used by the company. But, the tech company didn’t respond to that specific question.</p>
<p>What’s worse is that Prakash adds that not only is this algorithm antiquated but it is also highly unsuitable for password encryption, as it can be cracked quickly.</p>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<h3><b>Genuine Disclosures Vs False Promises</b></h3>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Concern #3: Prakash suspects that the company wasn’t honest and forthright with its users during this episode. According to him, the company could learn a thing or two about honest disclosures from companies like CloudFlare and LastPass, which fell victim to similar attacks in the past year.</p>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<h3><b>Where’s My Privacy And Security?</b></h3>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Concern #4: According to Prakash, it’s not just about privacy, but also one’s security that has been compromised in this instance. He says that the Zomato hack is like a reminder that an odd section in the Information Technology Act is not sufficient when it comes to data protection. Instead, India needs a robust data protection law where bad security practices can actually be prosecuted and companies can be penalised if they don’t follow standard and reasonable security practices.</p>
<p>Zomato also told BloombergQuint that it has understood how the breach happened but couldn’t share exact details at the moment. The company said, “Our team is working to make sure we have the vulnerability patched. All we can say right now is that it started with a password leak on some other site. We will share more details on our blog over the next few days.”</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking'>http://editors.cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking</a>
</p>
No publisher | praskrishna | Cyber Security, Internet Governance, Privacy | 2017-05-19T09:22:37Z | News Item
Hack exposes Zomato's weak protection of customer data, say Cyber experts
http://editors.cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts
<b>Online restaurant aggregator says it will beef up security after 17 million user details were stolen.</b>
<p style="text-align: justify; ">The article by <span><a href="http://www.business-standard.com/author/search/keyword/alnoor-peermohamed" target="_blank">Alnoor Peermohamed</a> was published in the Business Standard on May 19, 2017. Pranesh Prakash was quoted.</span></p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><span><span class="p-content">After details of over 17 million users were stolen and sold online, restaurant discovery and food ordering service <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>has vowed to beef up security measures, including adding a layer of authentication for its own employees to access user data. </span></span></p>
<p style="text-align: justify; "><span class="p-content">
<p>The company in a blog post claimed that the leak appeared to be an internal (human) security breach with an employee's development account getting compromised.</p>
<p>However, <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Cyber+Security" target="_blank">cyber security </a>experts pointed out that <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>was clearly lacking in its technique to protect customer data from unwanted elements.</p>
<p>Sajal Thomas, a <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Cyber+Security" target="_blank">cyber security </a>consultant, claimed on Twitter that he verified the sample data being sold on the dark web and found that <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>had used MD5 to hash passwords. MD5 is neither encryption nor encoding; it is known to be easily cracked and suffers from major vulnerabilities.</p>
<p>Further, he said <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>had not used salting, a technique where random data is used as additional input to make cracking a hashed password much harder. Thomas said that it took just a few seconds to crack the hashed passwords to turn them into plain text.</p>
<p><a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>in its blog post, however, claimed that it protected "passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password."</p>
<p>It said that this was to ensure that passwords could not be easily converted back to plain text. The firm claimed no credit or debit card information of users was leaked.</p>
<p>While <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>says it has reset passwords of all the affected accounts, experts say that users whose data were leaked are still under threat.</p>
<p>"If you had a password for <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>that you used elsewhere (on facebook or email), immediately change that password across all those accounts," tweeted Pranesh Prakash, policy director at the Centre for Internet and Society.</p>
<blockquote class="twitter-tweet">
<p dir="ltr">If you had a password for <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>that you used elsewhere, then IMMEDIATELY change that password across ALL those accounts. Use a pw manager! <a href="https://t.co/CbhtxCwlnD">https://t.co/CbhtxCwlnD</a></p>
— Pranesh Prakash (@pranesh) <a href="https://twitter.com/pranesh/status/865136966190288896">May 18, 2017</a></blockquote>
According to Prakash, a statement by <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>misled people on how serious the security breach was by providing a false sense of security.<br /> <br /> Subsequently, the company reworded its blog post to prompt users to change passwords of other services where they might have used the same password as their <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>account.
<p>The leak was first detected by security blog <i>HackRead</i> when it came across an online handle going by the name of "nclay" claiming to have hacked Zomato's database and selling its data on the dark web. Upon testing some of the data made public by the hacker, <i>HackRead</i> found that each account actually existed on <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato.</a></p>
<p>"The database includes emails and password hashes of registered <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>users while the price set for the whole package is $1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit," <i>HackRead </i>wrote in its post.</p>
</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts'>http://editors.cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts</a>
</p>
No publisher | praskrishna | Cyber Security, Internet Governance, Privacy | 2017-05-19T09:11:40Z | News Item