The Centre for Internet and Society
http://editors.cis-india.org
Zomato hack: You need to enhance online security with a password manager
http://editors.cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-may-23-2017-zomato-hack-you-need-to-enhance-online-security-with-a-password-manager
<b>Hacking incident at Zomato underlines need to employ different passwords for different accounts.</b>
<p style="text-align: justify; ">The article by Sanjay Kumar Singh was published in the <a class="external-link" href="http://www.business-standard.com/article/companies/zomato-hack-you-need-to-enhance-online-security-with-a-password-manager-117052201261_1.html">Business Standard</a> on May 23, 2017.</p>
<hr />
<p style="text-align: justify; ">Recently, food-tech company <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>suffered a security breach where 17 million user records were stolen, including email addresses and passwords. Such hacking incidents can have wider consequences, including, in the gravest of scenarios, financial losses. They emphasise the need for people to adopt newer protection mechanisms, such as <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password </a>managers.</p>
<p style="text-align: justify; ">In Zomato's case, the passwords are said to be hashed, which means they were converted into unintelligible characters. However, experts say that depending on the hashing algorithm used, the original <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password</a> can be recovered from its hash.</p>
<p style="text-align: justify; ">The hacking of one account can have wider ramifications. "By hacking one account, hackers get access to your email ID and <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password.</a> To save themselves the bother of remembering many passwords, users often use the same <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password </a>in all their accounts. So, the hackers get access to your email and other accounts. Sometimes, they use your email account to reset the passwords in your other accounts," explains Shomiron Das Gupta of NetMonastery, a threat management provider. He adds that people often store sensitive information, including their net banking and credit card numbers and passwords within their email accounts. Also, on a website like Amazon, you can only view the last four digits of your credit card number. Other websites may not blur this information, in which case hackers would get access to this and other sensitive information.</p>
<p style="text-align: justify; ">Experts recommend you create complex passwords and use different ones for different accounts. Since generating complex passwords and remembering them all is difficult, you should use a <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password </a>manager. Some of the good ones are LastPass, 1Password, Dashlane and TrueKey.</p>
<p style="text-align: justify; "><span class="p-content"><a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">Password </a>managers can generate long and complex passwords that are difficult to replicate. They also remember on your behalf the passwords for all the sites and apps you use. Also, hackers sometimes steal passwords by installing malware that copies keystrokes. Since a <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password </a>manager fills in the password for you, you don't have to type it, thereby doing away with the risk of your keystrokes being captured and stolen.</span></p>
<div style="text-align: justify; ">
<div style="float: left; "><img align="left" alt="graph" class="imgCont" height="352" src="http://bsmedia.business-standard.com/_media/bs/img/article/2017-05/22/full/1495477165-3235.jpg" style="float: left; " title="graph" width="220" /></div>
A <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password </a>manager is a secure vault that stores all your passwords. You get access to the vault with a master <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password.</a> Instead of remembering many passwords, you have to remember just one.</div>
<p style="text-align: justify; ">Browsers like <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Google+Chrome" target="_blank">Google Chrome </a>and <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Mozilla+Firefox" target="_blank">Mozilla Firefox </a>also offer <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password </a>managers. However, if you wish to use your <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password </a>manager across browsers and apps, use a third-party one like those mentioned above. And while a <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password </a>manager whose vault is stored locally is safer, a cloud-based one is more convenient, since you can use it across any device with an internet connection. <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">Password </a>managers also offer two-factor authentication: they either send a <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password </a>to your phone or generate it on your device. Unless your device is also stolen, the <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password </a>manager is difficult to break into.</p>
<p style="text-align: justify; ">As for whether <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password </a>managers are themselves safe, experts concede they are a prime target for hackers who know that the information stored within will be valuable. "The <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password </a>manager is safe provided you set a strong master <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password.</a> Your <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password </a>should have at least 13 characters of which two should be small, two should be in capital, two should be random numbers, and two should be special characters. Using a word that is not there in the dictionary will enhance its strength. Keep changing your master <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password </a>every three-six months," says Udbhav Tiwari, policy officer at the Centre for Internet and Society, Bengaluru. Since their primary job is to provide security, most <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password </a>managers do have strong security practices, he adds.</p>
<p><span class="p-content">Most <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Password" target="_blank">password </a>managers offer a free account but you have to pay to use their advanced security features.</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-may-23-2017-zomato-hack-you-need-to-enhance-online-security-with-a-password-manager'>http://editors.cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-may-23-2017-zomato-hack-you-need-to-enhance-online-security-with-a-password-manager</a>
</p>
No publisher | praskrishna | Cyber Security, Internet Governance, Privacy | 2017-05-23T15:54:50Z | News Item
Hacker steals 17 million Zomato users’ data, briefly puts it on dark web
http://editors.cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web
<b>Records of 17 million users were stolen from online restaurant search platform Zomato, the company said in a blog post on Thursday.</b>
<p style="text-align: justify; ">The article by Kim Arora and Digbijay Mishra, with inputs from Ranjani Ayyar in Chennai, was <a class="external-link" href="http://timesofindia.indiatimes.com/india/hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web/articleshow/58742129.cms">published in the Times of India</a> on May 19, 2017. Pranesh Prakash was quoted.</p>
<hr />
<p style="text-align: justify; ">According to information security blog and news website <a class="key_underline" href="http://timesofindia.indiatimes.com/topic/HackRead">HackRead</a>, the data was being peddled online on the "dark web" for about $1,000. The company, also a food delivery platform, advised users to change passwords. However, late on Thursday night, <a class="key_underline" href="http://timesofindia.indiatimes.com/topic/Zomato">Zomato</a> claimed it had contacted the hacker and persuaded him/her to not only destroy all copies of the data, but also to take the database off the dark web marketplace. The company said it will post an update on how the breach happened once they "close the loopholes".</p>
<p style="text-align: justify; ">In an official blog updated with this information, Zomato said, "The hacker has been very cooperative with us. He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers." Bug bounties are a standard programme among tech companies, in which outsiders are rewarded for finding and reporting bugs and flaws in the company's software systems.</p>
<p style="text-align: justify; ">The number of user accounts compromised was pegged at 17 million earlier in the day. In the late night update, Zomato said password hashes (passwords in a scrambled form) of 6.6 million users were compromised. It wasn't immediately clear whether these 6.6 million were part of the 17 million records stolen.</p>
<p style="text-align: justify; ">Zomato tried assuring users that payment information was safe. "Please note that only 5 data points were exposed - user IDs, names, usernames, email addresses, and password hashes with salt- that is, passwords that were encrypted and would be unintelligible. No other information was exposed to anyone (we have a copy of the 'leaked' database with us). Your payment information is absolutely safe, and there's no need to panic," said the late night update.</p>
<p style="text-align: justify; ">However, the information security community raised concerns over the technique used for "hashing" or encrypting the passwords. A screenshot of the vendor's sale page for stolen data posted on HackRead identifies the hashing algorithm as "MD5", which experts say is "outdated" and "insecure". The research team at infySEC -- a cyber security company from Chennai -- tried to access user information in Zomato's database, as part of its bug bounty program. "We were able to access user names, email IDs, addresses and history of transactions. We highlighted this to Zomato but we have not heard from them," said Karthick Vigneshwar, director, infySEC.</p>
<p style="text-align: justify; ">Zomato joins a long list of tech-enabled businesses that have recently had user data stolen. Such data can ostensibly be used by malicious actors to send phishing mails, or even by hackers to carry out cyber attacks. In February 2017, content delivery network CloudFlare's customer data was leaked. The data leaked had not just password hashes, but even customers' IP addresses and private messages. In June 2015, online password management service LastPass was hacked and had its data leaked online.</p>
<p style="text-align: justify; ">"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We, however, strongly advise you to change your password for any other services where you are using the same password," Zomato's chief technology officer Gunjan Patidar said in the blog which was updated twice through the day. Affected users have been logged out of the website and the app.</p>
<p style="text-align: justify; ">Password "hashing" is an encryption technique usually used for large online user databases. The strength of the protection depends on the algorithm employed. "Salting" is the addition of a string of characters to each password before it is stored in such a database, which adds another layer of difficulty to cracking them.</p>
<p style="text-align: justify; ">In an email to TOI, a company spokesperson said, "Over the next couple of days, we'll be actively working to improve our security systems — we'll be further enhancing security measures for all user information stored within our database, and will also add a layer of authorisation for internal teams having access to this data to avoid any human breach."</p>
<p style="text-align: justify; ">HackRead, a security blog and news website, found the stolen Zomato database of 17 million users for sale on what is called the "dark web". This can be described as a portion of the content available on the World Wide Web, away from the public internet. This content is not indexed on search engines like Google, and can only be accessed using software that can route around the public internet to get there.</p>
<p style="text-align: justify; ">According to the screenshots of the sale posted on HackRead, the Zomato database used a hashing technique called "MD5", which security experts say is inappropriate for encrypting passwords. "If MD5 was used, it shows bad security practices were in place. It isn't industry standard to use this algorithm for password hashing. Algorithms like bcrypt, scrypt, are more secure," says Pranesh Prakash, policy director at Bengaluru's Centre for Internet and Society.</p>
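<p style="text-align: justify; ">The explanation of hashing and salting above, and Prakash's point that a fast, unsalted algorithm like MD5 is unsuitable for passwords (a point the Business Standard piece further down makes again, noting that Zomato appears not to have salted), can be shown concretely. The following is an added Python example, not code from any of the articles or from Zomato: it stores a constructed three-user table first with bare MD5 and then with a per-user random salt and an iterated key derivation, and shows why only the second form hides which users share a password and prevents a single precomputed table from covering every account. It uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for the bcrypt/scrypt the experts recommend, since it needs no third-party package; the iteration count and the storage format are this example's own choices.</p>

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Iteration count is an assumption for this example; a production deployment
# tunes it to the hardware so that one verification takes a noticeable fraction
# of a second, which is what makes guessing expensive.
ITERATIONS = 600_000

# Constructed sample data: three users, two of whom picked the same password.
SAMPLE_USERS = {
    "alice": "Summer2017!",
    "bob": "Summer2017!",
    "carol": "correct horse battery staple",
}


def md5_unsalted(password: str) -> str:
    """The weak form: a single fast MD5 over the password, no salt.

    Identical passwords give identical digests, so a leaked table reveals
    password reuse across users and one precomputed lookup table serves for
    every account."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """The recommended form: a random per-password salt plus many hashing
    iterations, stored as 'pbkdf2_sha256$<iterations>$<salt>$<derived key>'.

    The salt is not secret; it only has to be unique per password so that the
    same password stored twice produces two unrelated records."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key from the stored salt and iteration count and compare
    in constant time. Hashing is one-way: the server never recovers the
    password, it only re-runs the derivation and compares."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record; never accept it
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def store_unsalted_md5(users: Dict[str, str]) -> Dict[str, str]:
    """Build a user -> hash table the way the articles say Zomato's was built."""
    return {user: md5_unsalted(pw) for user, pw in users.items()}


def store_salted(users: Dict[str, str], iterations: int = ITERATIONS) -> Dict[str, str]:
    """Build the same table with per-user salt and iterated hashing."""
    return {user: hash_password(pw, iterations=iterations) for user, pw in users.items()}


def shared_hash_groups(table: Dict[str, str]) -> Dict[str, List[str]]:
    """Defender's audit of a stored table: which users share a stored value?
    Any non-empty result means the storage leaks password reuse."""
    groups: Dict[str, List[str]] = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {digest: sorted(users) for digest, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    md5_table = store_unsalted_md5(SAMPLE_USERS)
    print("unsalted MD5, users sharing a digest:", shared_hash_groups(md5_table))
    salted_table = store_salted(SAMPLE_USERS)
    print("salted PBKDF2, users sharing a digest:", shared_hash_groups(salted_table))
    print("login alice / correct password:", verify_password("Summer2017!", salted_table["alice"]))
    print("login alice / wrong case:", verify_password("summer2017!", salted_table["alice"]))
```

<p style="text-align: justify; ">Running it shows alice and bob grouped together under MD5 and no grouping at all under the salted scheme, even though they chose the same password. The audit function is the check worth running on any existing credential store: a table with repeated values is one that was hashed without a salt.</p>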
<p style="text-align: justify; ">What if a user does not use an exclusive Zomato account to sign into the service, but signs in through a Google or Facebook account? "In that case, just to be safe, you can delink your Zomato from the account you use to sign in, although your password will not be at risk," says Prakash. Zomato says 60% of its users use such third-party authorisation, and they are at "zero risk."</p>
<p style="text-align: justify; ">Would Zomato be liable to compensate end users for loss of sensitive data? Supreme Court advocate Pavan Duggal says, "Such players, referred to as intermediaries under the IT Act hold sensitive data and are expected to have reasonable security protocols in place. Should an end user face any loss/damage due to a data breach, they can sue Zomato and seek compensation." While most players have end user agreements and disclaimers in place, Duggal adds that the IT Act will prevail over any other law or contract to the extent it is inconsistent.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web'>http://editors.cis-india.org/internet-governance/news/the-times-of-india-may-19-2017-kim-arora-and-digbijay-mishra-hacker-steals-17-million-zomato-users-data-briefly-puts-it-on-dark-web</a>
</p>
No publisher | praskrishna | Cyber Security, Hacking, Internet Governance, Privacy | 2017-05-20T05:57:14Z | News Item
Experts stress on need for enhanced security
http://editors.cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security
<b>With more and more people falling prey to phishing scams, experts believe that lack of adequate security features in online payment systems will only increase the number of such cases in the coming days. While admitting that the rise in such crimes would be hard to stop or control, cyber security consultants also blame the lack of preparedness before taking the digital economy route as a cause for such problems.</b>
<p style="text-align: justify; ">The article was <a class="external-link" href="http://www.newindianexpress.com/cities/bengaluru/2017/may/06/experts-stress-on-need-for-enhanced-security-1601631.html">published in the New Indian Express</a> on May 6, 2017. Pranesh Prakash was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Speaking to Express, Dr A Nagarathna of the Advanced Centre on Cyber Law and Forensics, National Law School of India University, said that apart from the push for digital payment solutions, the merger of various State Bank entities also provided chances for criminals to exploit gullible people.</p>
<p style="text-align: justify; ">“People tend to give away critical information since cyber criminals seem so convincing. But they should remember that banks never collect such information over phone,” she said.</p>
<p style="text-align: justify; ">The cyber security features of banks and e-wallets are also questionable. Banks and e-wallet service providers should be held accountable for such crimes, so that they make an effort to ensure necessary safety measures, she said.</p>
<p style="text-align: justify; ">Pranesh Prakash, Policy Director at the Centre for Internet and Society, noted that there were security concerns with e-wallets. “Many e-wallet apps compromise on security in favour of convenience, but, at the same time, have terms of service that hold customers liable for financial losses. There have been many reports of criminals working with rogue telecom company employees to clone SIM cards and steal money via UPI and BHIM,” he said.</p>
<p style="text-align: justify; ">He also criticised the use of biometrics as the only factor for authorising payments to merchants using Aadhaar Pay. He noted, “Your fingerprints cannot be changed, unlike a PIN. So, if a merchant clones your fingerprint, you cannot revoke it or replace it the way you can with a debit card and a PIN.”</p>
<p style="text-align: justify; ">Another activist said the recommendations of Watal Committee, which looked into digital payments, should be implemented. “As of now, the law does not focus on the need for consumer protection in digital payments. The Payment and Settlement Systems Act, 2007, needs to be updated,” he said.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security'>http://editors.cis-india.org/internet-governance/news/new-indian-express-may-6-2017-experts-stress-on-need-for-enhanced-security</a>
</p>
No publisher | praskrishna | Cyber Security, Internet Governance, Privacy | 2017-05-20T06:13:19Z | News Item
What’s Hard To Digest About The Zomato Hacking
http://editors.cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking
<b>Yet another day, yet another major security breach. But, this time it’s not a presidential candidate in the U.S. or the U.K.’s National Health Service. Instead, it’s Zomato, the popular Indian online food delivery and restaurant search service.</b>
<div class="story__element__wrapper" style="text-align: justify; ">
<div class="story__element__text story__element">
<div class="story-element-">
<p>The blog post by Aayush Ailawadi was published by <a class="external-link" href="https://www.bloombergquint.com/technology/2017/05/18/whats-hard-to-digest-about-the-zomato-hacking">Bloomberg Quint</a> on May 19, 2017. Pranesh Prakash was quoted.</p>
<hr />
<p>The company disclosed that data from 17 million user accounts was stolen in a security breach. It said in <a href="http://blog.zomato.com/post/160791675411/security-notice" target="_blank">its blog</a> that no financial details were at risk and only user IDs, usernames, names, email addresses and password hashes had been compromised.</p>
</div>
</div>
</div>
<div class="story__element__wrapper" style="text-align: justify; ">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Throughout the course of the day, the company kept updating its blog post and offered different sets of advice to its users. In an earlier post, it only recommended changing one’s password on other sites if you are “paranoid about security like us”. Later, that post mentioned that the passwords were “salted” and hence had an extra layer of security but it still “strongly advises” customers to change passwords.</p>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>In an emailed response, the company explained to BloombergQuint, “We made our disclosure very early, soon after we discovered that it happened. We wanted to be proactive in communicating to our users. As we found more details about the leak, we updated the information.”</p>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>But, that wasn’t the only problem. The data was put up on the dark web for sale by the hacker, and the seller was apparently charging 0.5521 bitcoins, or $1001.45, for the data. According to the post, the passwords were stored by Zomato using MD5 encryption, which according to security experts is antiquated and unsuitable for password encryption.</p>
<div class="__container">
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Late on Thursday night, the story took an interesting turn when the company updated <a href="http://blog.zomato.com/post/160807042556/security-notice-update" target="_blank">its blog post yet again</a>. It said that it had gotten in touch with the hacker who was selling the data on the dark web and that apparently the hacker had been very cooperative and helpful. “He/she wanted us to acknowledge security vulnerabilities in our system and work with the ethical hacker community to plug the gaps. His/her key request was that we run a healthy bug bounty program for security researchers,” the company said.</p>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Usually, when hackers around the world attack with ransomware, they demand a massive amount of bitcoins as ransom. But in this case the company claims that all the hacker wants is the assurance that the company will introduce a bug bounty program on HackerOne soon. In return, the hacker has agreed to destroy all copies of the stolen data and take the data off the dark web marketplace.</p>
</div>
</div>
</div>
</div>
<div class="card-block-qsection-technology card">
<div class="__container">
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>But, while it may seem like the storm has passed for Zomato, cybersecurity experts like Pranesh Prakash at the Centre for Internet & Society believe that a lot more could have been done by the company in such a case.</p>
</div>
</div>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<h3><b>Disclose To Confuse?</b></h3>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Concern #1: Prakash feels that Zomato got it all wrong by issuing multiple disclosures and not addressing the problem at hand, which was to clearly explain what happened and immediately request customers to change similar passwords on other websites.</p>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<h3><b>What’s So Scary About The Zomato Hacking?</b></h3>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Concern #2: BloombergQuint reached out to Zomato to confirm whether the passwords were encrypted with “MD5”, a hashing algorithm that Prakash and other Twitter users who accessed the seller’s page on the dark web believe was used by the company. But, the tech company didn’t respond to that specific question.</p>
<p>What’s worse is that Prakash adds that not only is this algorithm antiquated but it is also highly unsuitable for password encryption, as it can be cracked quickly.</p>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<h3><b>Genuine Disclosures Vs False Promises</b></h3>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Concern #3: Prakash suspects that the company wasn’t honest and forthright with its users during this episode. According to him, the company could learn a thing or two about honest disclosures from companies like CloudFlare and LastPass, which fell victim to similar attacks in the past year.</p>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<h3><b>Where’s My Privacy And Security?</b></h3>
</div>
</div>
</div>
<div class="story__element__wrapper">
<div class="story__element__text story__element">
<div class="story-element-">
<p>Concern #4: According to Prakash, it’s not just about privacy, but also one’s security that has been compromised in this instance. He says that the Zomato hack is like a reminder that an odd section in the Information Technology Act is not sufficient when it comes to data protection. Instead, India needs a robust data protection law where bad security practices can actually be prosecuted and companies can be penalised if they don’t follow standard and reasonable security practices.</p>
<p>Zomato also told BloombergQuint that it has understood how the breach happened but couldn’t share exact details at the moment. The company said, “Our team is working to make sure we have the vulnerability patched. All we can say right now is that it started with a password leak on some other site. We will share more details on our blog over the next few days.”</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking'>http://editors.cis-india.org/internet-governance/news/bloomber-quint-may-19-2017-aayush-ailawadi-whats-hard-to-digest-about-the-zomato-hacking</a>
</p>
No publisher | praskrishna | Cyber Security, Internet Governance, Privacy | 2017-05-19T09:22:37Z | News Item
Hack exposes Zomato's weak protection of customer data, say Cyber experts
http://editors.cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts
<b>Online restaurant aggregator says it will beef up security after 17 million user details were stolen.</b>
<p style="text-align: justify; ">The article by <span><a href="http://www.business-standard.com/author/search/keyword/alnoor-peermohamed" target="_blank">Alnoor Peermohamed</a> was published in the Business Standard on May 19, 2017. Pranesh Prakash was quoted.</span></p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><span><span class="p-content">After details of over 17 million users were stolen and sold online, restaurant discovery and food ordering service <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>has vowed to beef up security measures, including adding a layer of authentication for its own employees to access user data. </span></span></p>
<p style="text-align: justify; "><span class="p-content">
<p>The company in a blog post claimed that the leak appeared to be an internal (human) security breach with an employee's development account getting compromised.</p>
<p>However, <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Cyber+Security" target="_blank">cyber security </a>experts pointed out that <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>was clearly lacking in its technique to protect customer data from unwanted elements.</p>
<p>Sajal Thomas, a <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Cyber+Security" target="_blank">cyber security </a>consultant, claimed on Twitter that he verified the sample data being sold on the dark web and found that <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>had used MD5 to hash passwords. MD5 is neither encryption nor encoding; it is a hashing algorithm long known to be easily cracked and to suffer from major vulnerabilities.</p>
<p>Further, he said <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>had not used salting, a technique in which random data is used as additional input to make cracking a hashed password much harder. Thomas said that it took just a few seconds to crack the hashed passwords and turn them back into plain text.</p>
<p><a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>in its blog post, however, claimed that it protected "passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password."</p>
<p>It said that this was to ensure that passwords could not be easily converted back to plain text. The firm claimed no credit or debit card information of users were leaked.</p>
<p>While <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>says it has reset passwords of all the affected accounts, experts say that users whose data were leaked are still under threat.</p>
<p>"If you had a password for <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>that you used elsewhere (on Facebook or email), immediately change that password across all those accounts," tweeted Pranesh Prakash, policy director at the Centre for Internet and Society.</p>
<blockquote class="twitter-tweet">
<p dir="ltr">If you had a password for <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>that you used elsewhere, then IMMEDIATELY change that password across ALL those accounts. Use a pw manager! <a href="https://t.co/CbhtxCwlnD">https://t.co/CbhtxCwlnD</a></p>
— Pranesh Prakash (@pranesh) <a href="https://twitter.com/pranesh/status/865136966190288896">May 18, 2017</a></blockquote>
<p>According to Prakash, a statement by <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>misled people on how serious the security breach was by providing a false sense of security.</p>
<p>Subsequently, the company reworded its blog post to prompt users to change passwords of other services where they might have used the same password as their <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>account.</p>
<p>The leak was first detected by security blog <i>HackRead</i> when it came across an online handle going by the name of "nclay" claiming to have hacked Zomato's database and selling its data on the dark web. Upon testing some of the data made public by the hacker, <i>HackRead</i> found that each account actually existed on <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato.</a></p>
<p>"The database includes emails and password hashes of registered <a class="storyTags" href="http://www.business-standard.com/search?type=news&q=Zomato" target="_blank">Zomato </a>users while the price set for the whole package is $1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit," <i>HackRead </i>wrote in its post.</p>
</span></p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts'>http://editors.cis-india.org/internet-governance/news/business-standard-alnoor-peermohamed-may-19-2017-hack-exposes-zomatos-weak-protection-of-customer-data-say-cyber-experts</a>
</p>
No publisher | praskrishna | Cyber Security, Internet Governance, Privacy | 2017-05-19T09:11:40Z | News Item
IT companies in Bengaluru on high alert over WannaCry ransomware
http://editors.cis-india.org/internet-governance/news/new-indian-express-kiran-parashar-km-and-shruthi-hm-it-companies-in-bengaluru-on-high-alert-over-wannacry-ransomware
<b>In the wake of the ransomware attack triggered by the WannaCry virus, IT firms in Bengaluru are racing against time to update their security systems. At some firms, employees have been asked to stay away from work for a few hours, while many other companies have declared a holiday for a day or two for their employees.</b>
<p style="text-align: justify; ">The article by <span><a href="http://www.newindianexpress.com/author/Kiran-Parashar-K-M-&-Shruthi-H-M" target="_blank">Kiran Parashar K M & Shruthi H M</a> was published in the <a class="external-link" href="http://www.newindianexpress.com/cities/bengaluru/2017/may/17/it-companies-in-bengaluru-on-high-alert-over-wannacry-ransomware-1605705--1.html">New Indian Express</a> on May 17, 2017. Pranesh Prakash was quoted.<br /></span></p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">Sources said IT teams in many firms are working overtime to ensure such attacks do not harm their systems. Employees have been told to be wary of unsolicited emails, and at a few places where the security systems update was in progress they were asked to stay away from work.</p>
<p style="text-align: justify; ">A network engineer at a software firm that provides security solutions said, “We were asked to work on weekend and monitor the servers. The monitoring process is likely to continue. Some of the outsourcing companies have declared holiday as network engineers are flooded with work.”<br /> “Recent developments have affected work at IT firms but there is no report of any company getting affected,” a techie said.</p>
<p style="text-align: justify; ">Wipro Ltd officials told Express: “Wipro has not seen any impact. However, we remain vigilant and have strengthened security controls at all layers to detect and mitigate any such threat.”</p>
<p style="text-align: justify; ">Companies providing financial technology are struggling to ensure that all ATMs are running on updated software. “We are in touch with the original equipment manufacturers for the patches that may be required to be rolled out on the ATMs running on Windows XP and Windows 7, to make them additionally secure,” said Radha Rama Dorai (Country Head - ATM & Allied Services), FIS, a financial technology provider.<br /> “Fortunately ATMs in India have not been affected by WannaCry ransomware,” said Dorai.</p>
<p style="text-align: justify; ">Sudesh Shetty, Partner, Forensics, KPMG in India, said: “Banks need to apply the patch which Windows has released for outdated operating systems. Organisations need to make use of it.”</p>
<p style="text-align: justify; "><b>WannaCry under-reported</b></p>
<p style="text-align: justify; ">Indian Cyber Army sources said that such incidents have been under-reported because many individuals use pirated versions of Windows. Also, people have no idea whom to report to if they fall prey to WannaCry.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/new-indian-express-kiran-parashar-km-and-shruthi-hm-it-companies-in-bengaluru-on-high-alert-over-wannacry-ransomware'>http://editors.cis-india.org/internet-governance/news/new-indian-express-kiran-parashar-km-and-shruthi-hm-it-companies-in-bengaluru-on-high-alert-over-wannacry-ransomware</a>
</p>
No publisher | praskrishna | Cyber Security, Internet Governance, Digital Media | 2017-05-19T09:05:46Z | News Item
Dr. Madan M. Oberoi - Digital Forensics and Cyber Investigations (Delhi, April 07)
http://editors.cis-india.org/internet-governance/events/firstfridayatcisindia-dr-madan-oberoi-digital-forensics-april-07
<b>We are proud to announce that Dr. Madan M. Oberoi will be the speaker at the inaugural #FirstFriday@cis_india event at the Delhi office. These events, held on the first Friday of each month, will facilitate open and in-depth discussion and learning on topics crucial to our understanding of internet and society. The event will comprise the speaker's presentation followed by an open discussion. If you are joining us, please RSVP as soon as possible, as we have only limited space in our office.</b>
<h3><strong>Dr. Madan M. Oberoi</strong></h3>
<p><img src="http://editors.cis-india.org/internet-governance/files/madanoberoi.jpg/image_preview" alt="Dr. Madan M. Oberoi" class="image-inline" title="Madan Oberoi" /></p>
<p>Dr. Madan M. Oberoi is an Indian Police Service (IPS) officer of the 1992 batch. He is a Fulbright Scholar in the area of "Cyber Security" from the University of Washington. He also holds a PhD in the area of cybercrime from the Indian Institute of Technology (IIT), Delhi, a Master’s Degree in ‘Management and Systems’ from IIT Delhi and another Master’s Degree in Police Management.</p>
<p>Till January 2017, he was deployed as Director Cybercrime in INTERPOL in Singapore with global jurisdiction. As part of this, he supervised the ‘Cyber Fusion Centre’, ‘Cyber Investigation Support’, ‘Cyber Strategy’, ‘Cyber Training’, ‘Cyber Research Lab’, ‘Digital Forensics Lab’ and ‘Innovation Centre’ units of INTERPOL.</p>
<p>Dr. Oberoi has worked as Inspector General of Police, Deputy Inspector General of Police and as Superintendent of Police with the Central Bureau of Investigation (CBI), where he headed the Cyber-Crime Cell. He has also worked in Delhi Police, and in his last posting he was heading Delhi Police’s Special Cell, which is responsible for anti-terror operations.</p>
<p>Dr. Oberoi has served in two UN Peace Keeping Missions. He was head of the Management Information Unit of UN Mission in Bosnia and Herzegovina at Mission HQ in Sarajevo. He has also served as Head of Data Centre in Mission HQ of UN Mission in Kosovo at Pristina.</p>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/events/firstfridayatcisindia-dr-madan-oberoi-digital-forensics-april-07'>http://editors.cis-india.org/internet-governance/events/firstfridayatcisindia-dr-madan-oberoi-digital-forensics-april-07</a>
</p>
No publisher | saikat | Cyber Security, Digital Forensics, #FirstFriday@cis_india, Internet Governance | 2017-04-04T12:06:26Z | Event
50p and Digital Payments Masterclass Learning - CIS
http://editors.cis-india.org/internet-governance/50p-and-digital-payments-masterclass-learning-cis
<b>Sunil Abraham, Saikat Dutta and Udbhav Tiwari from the CIS team attended 50p on the 24 and 25 of January 2017 in Bangalore, India. We had the following learnings from the event, which will shape our work in the digital finance and payments space in the future. </b>
<ol>
<li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Historical Developments of Digital Payments Regulation in India - The digital payments ecosystem in India developed starting with mobile/SMS banking around 2004, focusing mostly on high-end consumers. The widely varying implementations across banks led the RBI to take an active regulatory approach, beginning with the introduction of compulsory two-factor authentication in the form of mandatory PIN usage for credit and debit cards. This move helped secure “card not present” (CNP) transactions, which in turn allowed e-commerce, online streaming services and other digital services to rapidly gain customers. This serves as an example of how simple, targeted and uniformly imposed regulations can help secure widely used digital payment modes, securing customers while expanding opportunities for businesses. The Watal Committee report has also stressed how the industry and consumers alike will, in the medium term, benefit from focused sectoral regulation for the FinTech industry.</p>
</li>
<li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Expansion in the Modern Digital Payments Industry - The digital payments industry has expanded from having three main stakeholders (banks, card issuing agencies and customers) in the mid 2000s to over eight distinct entities who take part in the same payments chain. These include Digital Wallet Providers, Payment Gateways, Payment Processors, Ticketing or Payment Service Providers and Billers, all of which operate with millions of transactions per day. This not only increases the potential attack surface for attempts at compromising them but also makes governance under traditional banking regulations difficult for the regulatory authority. The introduction of BBPS (Bharat Bill Pay System) to integrate the thousands of local utility bill payment systems in India into one centrally administered programme is just one example of the vast amounts of data being generated (and integrated) by the digital payments industry. Therefore, the need for unique FinTech regulations and standards (maybe even a regulator) to handle this rapidly expanding and critical industry is quite strong in the booming space in India.</p>
</li>
<li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">UPI - The Unified Payments Interface (UPI) is a set of standards that allow a single application to connect to and control multiple bank accounts (of participating banks), allowing users to use several banking services such as funds transfer (P2P), merchant payments, etc. It was initially launched in August 2016 with support from 16 banks and is gaining rapid acceptance among users, businesses and payment providers alike. While built on the same technological underpinnings as the IMPS system, the UPI standard allows a wide variety of data, including credit scores, Aadhaar numbers and geographical location, to be transmitted. While the standard itself seems reasonably secure, its diverse and closed source implementations allow for the usual closed source development risks of security flaws and unresolved bugs. It is expected to become the most widely used digital transaction protocol in India and the backbone of the FinTech industry due to its interoperability and regulatory acceptance. A set of security guidelines and practices that allow for a uniform, secure and auditable implementation of the UPI standard, as well as its operational usage, will aid in faster and more secure development of the standard while simultaneously protecting consumer interest.</p>
</li>
<li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">Need for Consumer Advocacy - The need for educating consumers about the technical operations of the digital payments industry, best practices to maximise user facing security and strategies for effective dispute redressal were tagged as key focus areas by various groups. The inadequacy of the Consumer Protection Act to deal with the labyrinth of digital payments and the relative lack of liability and breach notification laws (especially in the non-banking finance companies sector) have led bargaining power in consumer contracts to fall in favour of the digital payments industry. While initiatives such as Cashless Consumer are attempting to rectify this, sustained and well planned initiatives implemented in a diverse and multi-lingual manner will be needed to keep up with the rapid pace of expansion in the industry and its burgeoning user base. Incidental benefits of such programmes (an increase in the demand for data protection and privacy aware practices) will also serve to further consumer interest in a manner that will have a positive impact outside the FinTech industry.</p>
</li>
<li style="list-style-type: decimal;" dir="ltr">
<p style="text-align: justify;" dir="ltr">USSD - The recent push towards USSD based banking, which allows banking transactions to be carried out using feature phones, has led to various concerns regarding its security, reliability and implementation. The varying levels of GSM encryption among providers in India, the lack of open standards (such as HTTPS for Internet Banking) that allow consumers to verify security, and the rapid but untested implementation by most banks have led some players to raise doubts about the possibility of exploitation of the particularly vulnerable section of users that will use USSD banking. The need for a detailed investigation into current practices, open and auditable standards unique to USSD banking in India, and regulations that mandate a minimum level of compliance was expressed by multiple stakeholders.</p>
</li>
</ol>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/50p-and-digital-payments-masterclass-learning-cis'>http://editors.cis-india.org/internet-governance/50p-and-digital-payments-masterclass-learning-cis</a>
</p>
No publisher | Udbhav Tiwari | Financial Technology, Digital Payment, Banking, Bitcoin, Digital Money, Cyber Security | 2017-06-15T12:29:52Z | Blog Entry
Don't dive headlong into money-making schemes on the internet
http://editors.cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-february-7-2017-dont-dive-headlong-into-money-making-schemes-on-the-internet
<b>If you do fall victim to fraud, file your complaint at RBI's Sachet web site.</b>
<p>The article by Sanjay Kumar Singh was <a class="external-link" href="http://www.business-standard.com/article/current-affairs/don-t-dive-headlong-into-money-making-schemes-on-the-internet-117020600689_1.html">published in the Business Standard</a> on February 7, 2017. Udbhav Tiwari was quoted.</p>
<hr />
<p style="text-align: justify; ">By now you have surely read the news about a Noida-based company called Ablaze Info Solutions, which is said to have defrauded about 700,000 people of Rs 3,700 crore. In this scheme, participants first had to pay a substantial subscription fee to join it, after which they were compensated for clicking on links. There were also incentives for bringing in other members, which made it akin to a multi-level marketing (MLM) scheme. Experts advise that investors should do the due diligence before putting their money in such schemes. According to cyber experts, this scheme took off because the activity it was pursuing was a legitimate one per se. There is an entire industry on the Internet, wherein you can earn money by clicking on links: This improves the traffic on websites and allows them to demand higher advertising rates. Many websites outsource the task of improving traffic to third parties, which in turn recruit people in countries like India for the task. You can also earn money through activities like filling up forms, answering surveys, etc.</p>
<p style="text-align: justify; ">The mistake participants made in this case was to join the scheme without exploring other options. "Many players would have offered a similar level of compensation without demanding a subscription fee. Moreover, the very fact that the company was demanding a substantial subscription fee should have made people suspicious," says Udbhav Tiwari, policy officer, Centre for Internet and Society, Bengaluru. Before participating in such money-making schemes, spend time doing a detailed background check of the company's credentials, especially if the promised returns are realistic or not. "If the return offered by the company is high compared to the market rates of return, or the company is new, you should be extra cautious. Check various blogs and forums on the internet for possible complaints against the company and its key stakeholders," says Mukul Shrivastava, partner, fraud investigation and dispute services, EY India.</p>
<p style="text-align: justify; ">If you join such a programme, be warned the moment the company defaults on payments, delays them, or avoids your queries. Stop all interactions with it and lodge a complaint with the police. If the company has used forged documents, especially ones claiming that the scheme had the approval of a regulator like Sebi, submit them.</p>
<p style="text-align: justify; ">You can also file a complaint at Sachet, a website set up by the Reserve Bank of India (see box). Another option is to contact the Serious Fraud Investigation Office (SFIO) under the Ministry of Corporate Affairs. As the police take up a case usually when many complaints pour in against an entity, motivate other victims to complain, too. The state fights the case on your behalf. Your task after complaining is to cooperate with the investigation and depose in court. Nowadays victims can be compensated under the Criminal Procedure Code as well. They also have the option to file a civil suit for recovering their money.</p>
<p style="text-align: justify; ">Finally, there is a need for new laws to tackle online frauds. "There is a gap both in terms of legislation and effective enforcement. We only have a central 1978 Act for Prize Chits and allied rules in states, which need to be updated," says Nishant Joshi, partner, Shardul Amarchand Mangaldas.</p>
<p style="text-align: justify; "><b>Turn to Sachet</b></p>
<ul>
<li style="text-align: justify; ">RBI has launched a website, sachet.rbi.org.in, where you can complain if you have been cheated by an entity that has illegally collected money from you</li>
<li>The website also provides information on legitimate entities that are authorised to collect money</li>
<li>Many regulators and enforcement agencies take up the complaints filed on this site</li>
<li>Investors don’t have to know the regulator under whose jurisdiction the company they want to complain against falls</li>
<li>You will get an email informing you about the regulator/entity that will take up your case</li>
</ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-february-7-2017-dont-dive-headlong-into-money-making-schemes-on-the-internet'>http://editors.cis-india.org/internet-governance/news/business-standard-sanjay-kumar-singh-february-7-2017-dont-dive-headlong-into-money-making-schemes-on-the-internet</a>
</p>
No publisher | praskrishna | Cyber Security, Internet Governance | 2017-02-07T15:02:24Z | News Item
Mapping of Sections in India’s MLAT Agreements
http://editors.cis-india.org/internet-governance/blog/india-mlat-agreements-sections-map-dec-2016
<b>This set of infographics by Leilah Elmokadem and Saumyaa Naidu maps out and compares the various sections that exist in the 39 MLATs (mutual legal assistance treaties) between India and other countries. An MLAT is an agreement between two or more countries, drafted for the purpose of gathering and exchanging information in an effort to enforce public or criminal laws.</b>
<p> </p>
<h4>Download: <a href="https://github.com/cis-india/website/raw/master/docs/CIS_IndiaMLATAgreementsSectionsMap_Dec2016.pdf">Infographic</a> (PDF) and <a href="https://github.com/cis-india/website/raw/master/docs/CIS_IndiaMLATAgreementsSectionsMap_Dec2016.xlsx">data</a> (XLSX)</h4>
<hr />
<p>We have found that India’s 39 MLAT documents are worded, formatted and sectioned differently. At the same time, many of the same sections exist across several MLATs. This diagram lists the sections found in the MLAT documents and indicates the treaties in which they were included or not included. To keep the list of sections concise and to more easily pinpoint the key differences between the agreements, we have merged sections that are synonymous in meaning but were worded slightly differently. For example: we would combine “Entry into force and termination” with “Ratification and termination” or “Expenses” with “Costs”.</p>
<p>At the same time, some sections that seemed quite similar and possible to merge were kept separate due to potential key differences that could be overlooked as a result. For example: “Limitation on use” vs. “Limitation on compliance” or “Serving of documents” vs. “Provision of (publicly available) documents/records/objects” remained separate for further analysis and comparison.</p>
<p>These differences in sectioning can be analysed to facilitate a thorough comparison between the effectiveness, efficiency, applicability and enforceability of the various provisions across the MLATs. The purpose of this initial mapping is to provide an overall picture of which sections exist in which MLAT documents. There will be further analysis of these sections to produce a more holistic content-based comparison of the MLATs.</p>
<p> </p>
<h2>Aggregated Analysis of Sections of MLAT Agreements</h2>
<img src="https://github.com/cis-india/website/raw/master/img/CIS_IndiaMLATAgreementsSectionsMap_Dec2016_Aggregate_01.png" alt="Aggregated analysis of sections of MLAT agreements by India" />
<img src="https://github.com/cis-india/website/raw/master/img/CIS_IndiaMLATAgreementsSectionsMap_Dec2016_Aggregate_02.png" alt="Aggregated analysis of sections of MLAT agreements by India" />
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/india-mlat-agreements-sections-map-dec-2016'>http://editors.cis-india.org/internet-governance/blog/india-mlat-agreements-sections-map-dec-2016</a>
</p>
No publisher | Leilah Elmokadem and Saumyaa Naidu | International Relations, Cybersecurity, Bilateral Agreement, Internet Governance, MLAT, Cyber Security | 2016-12-31T06:52:46Z | Blog Entry
Incident Response Requirements in Indian Law
http://editors.cis-india.org/internet-governance/blog/incident-response-requirements-in-indian-law
<b>Cyber incidents have serious consequences for societies, nations, and those who are victimised by them. The theft, exploitation, exposure or otherwise damage of private, financial, or other sensitive personal or commercial data and cyber attacks that damage computer systems are capable of causing lasting harm. </b>
<p style="text-align: justify; ">A recent example of such an attack from India is the data breach involving an alleged 3.2 million debit cards.<a href="#_ftn1" name="_ftnref1"><sup>[1]</sup></a> In the case of this hack the payment processing networks, such as the National Payments Corporation of India, Visa and Mastercard, informed the banks regarding the leaks, based on which the banks started the process of blocking and then reissuing the compromised cards. It has also been reported that the banks failed to report this incident to the Computer Emergency Response Team of India (CERT-In) even though they are required by law to do so.<a href="#_ftn2" name="_ftnref2"><sup>[2]</sup></a> Such risks are increasingly faced by consumers, businesses, and governments. A person who is a victim of a cyber incident usually looks to receive assistance from the service provider and government agencies, which are prepared to investigate the incident, mitigate its consequences, and help prevent future incidents. It is essential for an effective response to cyber incidents that authorities have as much knowledge regarding the incident as possible, and have that knowledge as soon as possible. It is also critical that this information is communicated to the public. This underlines the importance of reporting cyber incidents as a tool in making the internet and digital infrastructure secure. Like any other crime, an Internet-based crime should be reported to those law enforcement authorities assigned to tackle it at a local, state, national, or international level, depending on the nature and scope of the criminal act. This is the first in a series of blog posts highlighting the importance of incident reporting in the Indian regulatory context, with a view to highlighting the Indian regulations dealing with incident reporting and the ultimate objective of having a more robust incident reporting environment in India.</p>
<p style="text-align: justify; "><b>Incident Reporting under CERT Rules</b></p>
<p style="text-align: justify; ">In India, section 70-B of the Information Technology Act, 2000 (the “<b>IT Act</b>”) gives the Central Government the power to appoint an agency of the government to be called the Indian Computer Emergency Response Team. In pursuance of the said provision the Central Government issued the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (the “<b>CERT Rules</b>”) which provide the location and manner of functioning of the Indian Computer Emergency Response Team (CERT-In). Rule 12 of the CERT Rules gives every person, company or organisation the option to report cyber security incidents to the CERT-In. It also places an obligation on them to mandatorily report the following kinds of incidents as early as possible:</p>
<ul style="text-align: justify; ">
<li>Targeted scanning/probing of critical networks/systems;</li>
<li>Compromise of critical systems/information;</li>
<li>Unauthorized access of IT systems/data;</li>
<li>Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites, etc.;</li>
<li>Malicious code attacks such as spreading of virus/worm/Trojan/botnets/spyware;</li>
<li>Attacks on servers such as database, mail, and DNS and network devices such as routers;</li>
<li>Identity theft, spoofing and phishing attacks;</li>
<li>Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks;</li>
<li>Attacks on critical infrastructure, SCADA systems and wireless networks;</li>
<li>Attacks on applications such as e-governance, e-commerce, etc.</li>
</ul>
<p style="text-align: justify; ">The CERT Rules also impose an obligation on service providers, intermediaries, data centres and body corporates to report cyber incidents within a reasonable time so that CERT-In may have scope for timely action. This mandatory obligation to report incidents casts a fairly wide net in terms of private sector entities; however, it is notable that prima facie the provision does not impose any obligation on government entities to report cyber incidents unless they come under any of the expressions “service providers”, “data centres”, “intermediaries” or “body corporate”. This would mean that if the data kept with the Registrar General &amp; Census Commissioner of India is hacked in a cyber incident, then there is no statutory obligation under the CERT Rules on it to report the incident. It is pertinent to mention here that although there is no obligation on a government department under law to report such an incident, such an obligation may be contained in its internal rules and guidelines, etc., which are not readily available.</p>
<p style="text-align: justify; ">It is pertinent to note that although the CERT Rules provide for a mandatory obligation to report the cyber incidents listed therein, the Rules themselves do not provide for any penalty for non-compliance. However, this does not mean that there are no consequences for non-compliance; it just means that we have to look to the parent legislation, i.e. the IT Act, for the appropriate penalties. Section 70B(6) gives CERT-In the power to call for information and give directions for the purpose of carrying out its functions. Section 70B(7) provides that any service provider, intermediary, data centre, body corporate or person who fails to provide the information called for or to comply with a direction under sub-section (6) shall be liable to imprisonment for a period of up to 1 (one) year or a fine of up to 1 (one) lakh, or both.</p>
<p style="text-align: justify; ">It is possible to argue here that sub-section (6) only talks about calls for information by CERT-In, and that the obligation under Rule 12 of the CERT Rules is an obligation placed by the central government and not by CERT-In. It can also be argued that sub-section (6) is only meant for specific requests made by CERT-In for information and that sub-section (7) only penalises those who do not respond to these specific requests. However, even if these arguments were to be accepted and we were to conclude that a violation of the obligation imposed under Rule 12 would not attract the penalty stipulated under sub-section (7) of section 70B, that does not mean that Rule 12 would be left toothless. Section 44(b) of the IT Act provides that where any person is required under any of the Rules or Regulations under the IT Act to furnish any information within a particular time and such person fails to do so, s/he may be liable to pay a penalty of up to Rs. 5,000/- for every day such failure continues. Further, section 45 provides for a penalty of Rs. 25,000/- for any contravention of any of the rules or regulations under the Act for which no other penalty has been provided.</p>
<p style="text-align: justify; "><b>Incident Reporting under Intermediary Guidelines</b></p>
<p style="text-align: justify; ">Section 2(1)(w) of the IT Act defines the term “intermediary” in the following manner:</p>
<p style="text-align: justify; ">“intermediary” with respect to any particular electronic record, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes.</p>
<p style="text-align: justify; ">Rule 3(9) of the Information Technology (Intermediaries Guidelines) Rules, 2011 (the “<b>Intermediary Guidelines</b>”) also imposes an obligation on any intermediary to report any cyber incident and to share information related to cyber security incidents with CERT-In. Since neither the Intermediary Guidelines nor the IT Act specifically provide for any penalty for non-conformity with Rule 3(9), any enforcement action against an intermediary failing to report a cyber security incident would have to be taken under section 45 of the IT Act, which carries a penalty of Rs. 25,000/-.</p>
<p style="text-align: justify; "><b>Incident Reporting under the Unified License</b></p>
<p style="text-align: justify; ">Clause 39.10(i) of the Unified License Agreement obliges the telecom company to create facilities for the monitoring of all intrusions, attacks and frauds on its technical facilities and provide reports on the same to the Department of Telecom (DoT). Further clause 39.11(ii) provides that for any breach or inadequate compliance with the terms of the license, the telecom company shall be liable to pay a penalty amount of Rs. 50 crores (Rs. 50,00,00,000) per breach.</p>
<p style="text-align: justify; "><b>Conclusion</b></p>
<p style="text-align: justify; ">It is clear from the above discussion that there is a legal obligation on service providers to report cyber incidents to CERT-In. Presently, however, the penalty prescribed under Indian law may not be enough to incentivise companies to adopt comprehensive and consistent incident response programmes, except in the case of telecom companies under the Unified License Agreement. A fine of Rs. 25,000/- appears inconsequential when compared to the possible dangers and damages that may be caused by a security breach of data containing, for example, credit card details. Further, it is imperative that, apart from the obligation to report a cyber incident to the appropriate authority (CERT-In), there should also be a legal obligation to report it to the data subjects whose data is stolen or put at risk by the breach. A provision requiring notice to data subjects could go a long way in ensuring that service providers, intermediaries, data centres and body corporates implement the best data security practices, since a breach would then be known to consumers at large, leading to bad publicity that could negatively impact the business of the data controller; for a business entity, such an economic stimulus may be an effective way to ensure compliance.</p>
<p style="text-align: justify; ">As we continue to research incident response, the questions and areas we are exploring include: the ecosystem of incident response, including what is reported, how, and when; appropriate incentives for companies and governments to report incidents; various forms of penalties; the role of cross-border sharing of information and jurisdiction; and best practices for incident reporting and citizen awareness.</p>
<p style="text-align: justify; "><i>Published under Creative Commons License CC BY-SA. Anyone can distribute, remix, tweak, and build upon this document, even for commercial purposes, as long as they credit the creator of this document and license their new creations under the terms identical to the license governing this document</i></p>
<hr />
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/incident-response-requirements-in-indian-law'>http://editors.cis-india.org/internet-governance/blog/incident-response-requirements-in-indian-law</a>
</p>
Blog Entry by vipul, 2016-12-28T01:19:28Z. No publisher. Tags: Cyber Security, Internet Governance, Privacy.
Developer team fixed vulnerabilities in Honorable PM's app and API
http://editors.cis-india.org/internet-governance/blog/major-security-flaw-namo-app
<b>The official app of Narendra Modi, the Indian Prime Minister, was found to contain a security flaw in 2015 that exposed millions of people's personal data. A few days ago a very similar flaw was reported again. This post by Bhavyanshu Parasher, who found the flaw and sought to get it fixed last year, explains the technical details behind the security vulnerability.</b>
<p><strong>This blog post has been authored by Bhavyanshu Parasher</strong>. The original post can be <a class="external-link" href="https://bhavyanshu.me/major-security-flaw-pm-app/09/29/2015">read here</a>.</p>
<hr />
<h2 style="text-align: justify; ">What were the issues?</h2>
<p style="text-align: justify; "><span>The main issue was how the app was communicating with the API served by narendramodi.in.</span></p>
<ol style="text-align: justify; ">
<li>I was able to extract private data, like email addresses, of each registered user just by iterating over user IDs.</li>
<li>There was no authentication check for API endpoints. For example, I was able to comment as any xyz user just by hand-crafting the requests.</li>
<li>The API was still being served over HTTP instead of HTTPS.</li>
</ol>
<h3 style="text-align: justify; ">Fixed</h3>
<ol style="text-align: justify; ">
<li>The most important issue of all. Unauthorized access to personal info, like email addresses, is fixed. I have tested it and can confirm it.</li>
<li>A check to verify that a valid user is making the request to the API endpoint is in place. I have tested it and can confirm it.</li>
<li>Blocked HTTP. Every response is served over HTTPS. People on older versions (which were served over HTTP) will get a message regarding this. I have tested it. It says something like “Please update to the latest version of the Narendra Modi App to use this feature and access the latest news and exciting new features”. It’s good that they have figured out a way to deal with people running older versions of the app. At least now they will update the app.</li>
</ol>
<h2 style="text-align: justify; ">Detailed Vulnerability Disclosure</h2>
<p style="text-align: justify; ">I found a major security loophole in how the app accesses the “api.narendramodi.in/api/” API. At the time of disclosure, the API was being served over “HTTP” as well as “HTTPS”. People who were still using the older version of the app were accessing endpoints over HTTP. This was an issue because data (passwords, email addresses) was being transmitted as plain text. In simple terms, your login credentials could easily be intercepted. A MITM attack could easily fetch passwords and email addresses. Also, if your ISP keeps logs of data, which it probably does, then they might already have your email address, passwords etc. in plain text. So if you were using this app, <strong>I would suggest you change your password immediately</strong>. Can’t leave out the possibility of it being compromised.</p>
<p style="text-align: justify; ">Another major problem was that the token needed to access the API was giving a false sense of security to the developers. The access token could easily be fetched &amp; anyone could send hand-crafted HTTP requests to the server. It would result in a valid JSON response without authenticating the user making the request. This included accessing user data (primarily email address, and FB profile pictures of those registered via FB) for any user and posting comments as any registered user of the app. There was no authentication check on the API endpoint. Let me explain with a demo.</p>
<p style="text-align: justify; ">The API endpoint to fetch user profile information (email address) was getprofile. Before the vulnerability was fixed, the endpoint was accessible via “http://www.narendramodi.in/api/getprofile?userid=useridvalue&amp;token=sometokenvalue”. As you can see, it only required two parameters: userid, which we could easily iterate on starting from 1, &amp; token, which was a fixed value. There was no authentication check in the API access layer. Hand-crafting such requests resulted in a valid JSON response which exposed critical data like the email addresses of each and every user. I quickly wrote a very simple script to fetch some data to demonstrate. Here is the sample output for xrange(1,10).</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/App.png/@@images/7bec3ca6-0808-4d19-9711-bc084b507f61.png" alt="App" class="image-inline" title="App" /></p>
<p style="text-align: justify; ">Not just email addresses, using this method you could spam on any article pretending to be any user of the app. There was no authentication check as to who was making what requests to the API. See,</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/copy_of_App.png/@@images/2e499adb-b621-4bc4-a490-f8957c9ac1d7.png" alt="App" class="image-inline" title="App" /></p>
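<p style="text-align: justify; ">The two design problems described above (one fixed app-wide token standing in for authentication, and a userid taken straight from the request) in a small runnable model, added here as an illustration; it is not code from the app or its developers, and the user records, passwords, the token value, the SessionStore class and all handler names are constructed assumptions.</p>

```python
"""Model of the API flaw described above: a single app-wide token and a
caller-supplied userid, with no check of who is actually asking.
Added illustration, not the narendramodi.in code; every user, password
and token below is a constructed sample value."""
from dataclasses import dataclass
from typing import Optional
import hmac
import secrets

# Constructed sample data (hypothetical users, not real records).
USERS = {
    1: {"name": "user-one", "email": "one@example.invalid"},
    2: {"name": "user-two", "email": "two@example.invalid"},
}
PASSWORDS = {1: "pw-one", 2: "pw-two"}  # stand-in for real credential storage
FIXED_APP_TOKEN = "sometokenvalue"     # one value baked into every app install


@dataclass
class Response:
    status: int
    body: dict


# --- Before: the design the post describes -------------------------------
def vulnerable_getprofile(scheme: str, query: dict) -> Response:
    """Checks only the shared token; any userid is honoured, even over HTTP."""
    if query.get("token") != FIXED_APP_TOKEN:
        return Response(401, {"error": "bad token"})
    user = USERS.get(int(query.get("userid", 0)))
    if user is None:
        return Response(404, {"error": "no such user"})
    return Response(200, dict(user))  # full record, e-mail included, for anyone


def vulnerable_post_comment(query: dict, text: str) -> Response:
    """The author is whatever userid the request claims, so impersonation is trivial."""
    if query.get("token") != FIXED_APP_TOKEN:
        return Response(401, {"error": "bad token"})
    return Response(200, {"author": int(query["userid"]), "text": text})


# --- After: identity comes from a per-user session, never from the query --
class SessionStore:
    """Issues an unguessable bearer token at login and maps it back to a user."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def login(self, userid: int, password: str) -> Optional[str]:
        expected = PASSWORDS.get(userid)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not enumerable
        self._sessions[token] = userid
        return token

    def caller(self, headers: dict) -> Optional[int]:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        return self._sessions.get(auth[len("Bearer "):])


def hardened_getprofile(store: SessionStore, scheme: str,
                        headers: dict, query: dict) -> Response:
    """Requires HTTPS and a valid session; the e-mail is returned only to its owner."""
    if scheme != "https":
        return Response(426, {"error": "HTTPS required"})
    caller = store.caller(headers)
    if caller is None:
        return Response(401, {"error": "login required"})
    target = int(query.get("userid", caller))
    user = USERS.get(target)
    if user is None:
        return Response(404, {"error": "no such user"})
    if target != caller:
        return Response(200, {"name": user["name"]})  # public fields only
    return Response(200, dict(user))


def hardened_post_comment(store: SessionStore, scheme: str,
                          headers: dict, text: str) -> Response:
    """The author is the session owner; any userid in the request is ignored."""
    if scheme != "https":
        return Response(426, {"error": "HTTPS required"})
    caller = store.caller(headers)
    if caller is None:
        return Response(401, {"error": "login required"})
    return Response(200, {"author": caller, "text": text})


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login(1, "pw-one")
    hdr = {"Authorization": "Bearer " + tok}
    print(vulnerable_getprofile("http", {"userid": "2", "token": FIXED_APP_TOKEN}))
    print(hardened_getprofile(store, "https", hdr, {"userid": "2"}))
```

<p style="text-align: justify; ">The hardened handlers are what "standard auth methods" amount to here: identity is derived from a session token issued at login, so neither the profile owner nor the comment author can be chosen by the request itself.</p>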
<p style="text-align: justify; ">They have fixed all these vulnerabilities. I still believe it wouldn’t have taken so long if I had been able to get in touch with the team of engineers directly right from the beginning. In future, I hope they figure out an easier way to communicate. Such issues must be addressed as soon as they are found, but the communication gap cost us a lot of time. The team did a great job by fixing the issues and that’s what matters.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Disclosure to officials</h2>
<p style="text-align: justify; ">The email address provided on the Google Play store returned a response stating “The email account that you tried to reach is over quota”. I had to get in touch with the authorities via Twitter.</p>
<p style="text-align: justify; ">Vulnerability disclosed to authorities on 30th sep, 2015 around 5:30 AM</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet1.png" alt="Tweet 1" class="image-inline" title="Tweet 1" /></p>
<p style="text-align: justify; ">After about 30 hours of reporting the vulnerability</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet2.png" alt="Tweet 2" class="image-inline" title="Tweet 2" /></p>
<h2 style="text-align: justify; ">Proposed Solution</h2>
<p style="text-align: justify; "><span>Consulted </span><a href="https://twitter.com/pranesh_prakash">@pranesh_prakash</a><span> as well regarding the issue.</span></p>
<p style="text-align: justify; "><span><img src="http://editors.cis-india.org/home-images/Tweet3.png" alt="Tweet 3" class="image-inline" title="Tweet 3" /></span></p>
<p style="text-align: justify; ">After this, I mailed them a solution regarding the issues.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Discussion with developer</h2>
<p style="text-align: justify; ">Received <strong>phone call</strong> from a developer. Discussed possible solutions to fix it.</p>
<p style="text-align: justify; "><strong>The solution that I proposed could not be implemented</strong> since the vulnerability is caused by a design flaw that should have been thought about right from the beginning when they started developing the app. It just proved how difficult it is to fix such issues for mobile apps. For web apps, it’s a lot easier. Why? Because for mobile apps, you need to consider backward compatibility. If they applied my proposed solution, it would crash the app for people running the older versions. The main problem is that <strong>people don’t upgrade to the latest versions, leaving themselves vulnerable to security flaws</strong>. The one I proposed is a better way of doing it, I think, but it will break for people using older versions, as stated by the developer. Though, they (the developers) have come up with solutions that I think would fix most of the issues and can be considered an alternative.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Tweet4.png" alt="Tweet 4" class="image-inline" title="Tweet 4" /></p>
<p style="text-align: justify; ">On Oct 3rd, I received mail from one of the developers who informed me they have fixed it. I could not check it out at that time as I was busy but I checked it around 5 PM. <strong>I can now confirm they have fixed all three issues</strong>.</p>
<hr style="text-align: justify; " />
<h2 style="text-align: justify; ">Update 12/02/2016</h2>
<p style="text-align: justify; "><a class="external-link" href="http://www.dailyo.in/variety/narendra-modi-namo-app-hacker-security-concerns-javed-khatri-demonetisation-survey-bjp-voter-data/story/1/14347.html">This vulnerability</a> in the NM app is similar to the one I got fixed last year. As I said before, the vulnerability is because of how the API has been designed. They released the same patch which they did back then. Removing email addresses from the JSON output is not really a patch. I wonder why they would introduce personal information in the JSON output again if they knew that’s a privacy problem and it had been reported by me a year back. He showed how he was able to follow any user as any user. Similarly, I was able to comment on any post using the account of any user of the app. When I talked to the developer back then, he mentioned it would be difficult to migrate users to a newer/secure version of the app, so they were releasing this patch for the meantime. It was more of a backward compatibility issue because of how the API was designed. The only solution to this problem is to rewrite the API from scratch and add standard auth methods for the API. That should take care of most of the vulnerabilities.</p>
<p style="text-align: justify; ">Also read:</p>
<ul>
<li><a class="external-link" href="http://www.newindianexpress.com/nation/2016/dec/02/narendra-modi-app-hacked-by-youngster-points-out-risk-to-7-million-users-data-1544933--1.html">Narendra Modi app hacked by youngster, points out risk to 7 million users’ data</a> (New Indian Express; December 2, 2016)</li>
<li><a class="external-link" href="http://indiatoday.intoday.in/story/security-22-year-old-hacks-modi-app-private-data-7-million/1/825661.html">Security flaw: 22-year-old hacks Modi app and accesses private data of 7 million people</a> (India Today; December 2, 2016)</li>
<li><a class="external-link" href="http://thewire.in/84148/tech-security-namo-api/">The NaMo App Non-Hack is Small Fry – the Tech Security on Government Apps Is Worse</a> (The Wire; December 3, 2016)</li>
</ul>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/major-security-flaw-namo-app'>http://editors.cis-india.org/internet-governance/blog/major-security-flaw-namo-app</a>
</p>
Blog Entry by pranesh, 2016-12-04T19:08:56Z. No publisher. Tags: Privacy, Security, Internet Governance, Data Protection, Cyber Security, Hacking, Mobile Apps, Data Management.
The thrill of saving India from cybercrime
http://editors.cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-november-20-2016-the-thrill-of-saving-india-from-cybercrime
<b>Geeks seize the chance to help the government, defence forces and banks draw up fences against tech crimes.</b>
<p class="body" style="text-align: justify; ">The <a class="external-link" href="http://www.thehindu.com/business/Industry/the-thrill-of-saving-india-from-cybercrime/article9367640.ece">article by Peerzada Abrar was published in the Hindu </a>on November 20, 2016.</p>
<hr />
<p class="body" style="text-align: justify; ">Saket Modi loves long flights. The 26-year-old hacker likes to do most of his reasoning while criss-crossing the world. It was on one such flight from the United States to India that the co-founder of cybersecurity start-up Lucideus Tech read about India's largest data security breaches. While surfing the in-flight Internet he came to know that the security of about 3.2 million debit cards had been compromised.</p>
<p class="body" style="text-align: justify; ">“I was not surprised but I started thinking about how it would have happened. What was the ‘exploit’ used, how long was it there,” said Mr. Modi. Soon after reaching New Delhi, he received multiple requests from several banks and organisations to protect them from the hacking incident, which is just one of the thousands of cybercrimes that the country is facing.</p>
<p class="body" style="text-align: justify; ">In India, there was a surge of approximately 350 per cent in cybercrime cases registered under the Information Technology (IT) Act, 2000 from 2011 to 2014, according to a joint study by The Associated Chambers of Commerce and Industry of India and consulting firm PricewaterhouseCoopers. The Indian Computer Emergency Response Team (CERT-In) has also reported a surge in the number of incidents handled by it, with close to 50,000 security incidents in 2015, noted the Assocham-PwC joint study.</p>
<p style="text-align: justify; "><b>Ethical hackers</b></p>
<p class="body" style="text-align: justify; ">Mr. Modi is among a new breed of ethical hackers-turned-entrepreneurs who are betting big on this opportunity. An ethical hacker is a computer expert who hacks into a computer network on the behalf of its owner in order to test or evaluate its security, rather than with malicious or criminal intent.</p>
<p class="body" style="text-align: justify; ">“You cannot live in a world where you think that you can't be hacked. It doesn’t matter who you are,” said Mr. Modi who cofounded Lucideus four years ago. The company clocked revenues of Rs.4 crore in the last fiscal. This compares with the Rs.2.5 lakh revenues in the first year. The New Delhi-based firm now counts Reserve Bank of India, Ministry of Defence and Standard Chartered among its top clients.</p>
<p class="body" style="text-align: justify; ">Mr. Modi, who is also a pianist, discovered his skill for hacking into secure computer systems while preparing for his board exams. He hacked into his school computer and stole the chemistry question paper, after realising that he would not be able to clear the test conducted by his school. However, a guilty conscience compelled him to confess to his teacher, who still permitted him to take the test. The incident led him to use his skills to protect, not to misuse them. This year, Lucideus was hired by the National Payments Corporation of India (NPCI), along with other information security specialists, to protect its most ambitious project, the Unified Payment Interface (UPI) platform, from cyber attacks. UPI aims to bring digital banking to 1.2 billion people in the country. Lucideus has a team of 70 people, mostly fresh college graduates, who do hacking with authorisation.</p>
<p class="body" style="text-align: justify; ">“The reason behind choosing Lucideus was their young, energetic and knowledgeable team," said Bhavesh Lakhani, chief technology officer of DSP BlackRock, one of the premier asset management companies. Mr. Lakhani said that India is currently the epicentre of financial and technological advancements which make it a probable target of cyber-attacks.</p>
<p style="text-align: justify; "><b>Hacking lifeline</b></p>
<p class="body" style="text-align: justify; ">Indeed, a new breed of cyber criminals has emerged, whose main aim is not just financial gain but also to cause disruption and chaos to businesses in particular and the nation at large, according to the Assocham-PwC study. Attackers can gain control of vital systems such as nuclear plants, railways, transportation and hospitals. This can subsequently lead to dire consequences such as power failures, water pollution or floods, disruption of transportation systems and loss of life, noted the study.</p>
<p class="body" style="text-align: justify; ">“The hacker doesn’t care whether he is attacking an Indian or a U.S. company. It is bread and butter for him and he wants to eat it wherever he gets it from,” said Trishneet Arora, a 22-year-old ethical hacker. In an office tucked away in Mohali, a commercial hub lying adjacent to the city of Chandigarh in Punjab, Mr. Arora fights these cyberattacks on a daily basis to protect his clients. His start-up TAC Security provides an emergency service to customers who have been hacked or are anticipating a cyberattack. It alerted a hospital in the U.S. after detecting vulnerabilities in its computer network.</p>
<p class="body" style="text-align: justify; ">Mr. Arora said that the hackers could easily have shut down the intensive care unit which was connected to it and remotely killed the patients. TAC said the data server of a bank in the UAE containing critical information got hacked recently. The bank also lost access to the server. TAC said that it not only helped the organisation get back access to the server but also traced the hacker’s identity.</p>
<p class="body" style="text-align: justify; ">A school dropout, Mr. Arora founded TAC three years ago. But he initially found it tough to convince enterprises of his special skills. “I was a backbencher in the classroom and not good in studies, but I loved playing video games and hacking,” he said. He conducted workshops on hacking and provided his expertise to law enforcement agencies such as the Central Bureau of Investigation and various State police departments. His firm now provides its services to customers such as Reliance Industries, dairy brand Amul and tractor manufacturer Sonalika.</p>
<p class="body" style="text-align: justify; ">“We were surprised by their expertise,” said R.S. Sodhi, managing director of Amul. “We wanted to be sure that the company’s vital IT infrastructure is in the right hands – the big question was, ‘Who can that be?’ In TAC, we found that team.”</p>
<p class="body" style="text-align: justify; ">TAC expects to cross revenues of $5 million (Rs.33 crore) and employ about 100 ethical hackers by next year.</p>
<p style="text-align: justify; "><b>Budget woes</b></p>
<p class="body" style="text-align: justify; ">Security watchers such as Sunil Abraham, executive director of Bengaluru-based think tank Centre for Internet and Society said that India’s cybersecurity budget is woefully inadequate when compared to the spending by other countries. In 2014-15, the government doubled its cybersecurity budget by earmarking Rs.116 crore. “We require a budget of $1 billion per annum or every two years to build the cybersecurity infrastructure. The current cyber security policy has no such budget,” said Mr. Abraham.</p>
<p class="body" style="text-align: justify; ">According to Data Security Council of India (DSCI), India's cybersecurity market is expected to grow nine-fold to $35 billion by 2025, from about $4 billion. This would mainly be driven by an ecosystem to promote the growth of indigenous security product and services start-up companies.</p>
<p class="body" style="text-align: justify; ">The Cyber Security Task Force (CSTF) set up by DSCI and industry body Nasscom expects to create a trained base of one million certified and skilled cybersecurity professionals. It also aims to build more than 100 successful security product companies from India. Investors who normally focus on e-commerce ventures or public markets are now taking note of this opportunity and are betting on such ventures. Amit Choudhary, director, Motilal Oswal Private Equity and an investor in Lucideus, said he saw tremendous opportunity in the cybersecurity market as hackers are shifting their focus from developed countries to emerging countries like India.</p>
<p class="body" style="text-align: justify; ">“There is a huge opportunity. The recent security breaches of a few Indian banks are an example,” said Vijay Kedia an ace stock picker and an investor in TAC Security. He said that organisations are still unaware of the widespread damage that can be caused by hackers. “The next war will be a ‘cyberwar’,” he said.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-november-20-2016-the-thrill-of-saving-india-from-cybercrime'>http://editors.cis-india.org/internet-governance/news/the-hindu-peerzada-abrar-november-20-2016-the-thrill-of-saving-india-from-cybercrime</a>
</p>
News Item by praskrishna, 2016-11-21T02:42:48Z. No publisher. Tags: Cyber Security, Internet Governance, IT Act.
CERT-In's Proactive Mandate - A Report on the Indian Computer Emergency Response Team’s Proactive Mandate in the Indian Cyber Security Ecosystem
http://editors.cis-india.org/internet-governance/blog/cert-ins-proactive-mandate-a-report-on-indian-computer-emergency-response-teams-proactive-mandate-in-indian-cyber-security-ecosystem
<b>CERT-In’s proactive mandate is defined in the IT Act, 2000 as well as in the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Function and Duties) Rules, 2013 (CERT-In Rules, 2013), both of which postdate the existence of the organisation itself, which has been operational since 2004.</b>
<p style="text-align: justify; ">Regarding the proactive mandate, the IT Act and CERT-In Rules include the following areas where CERT-In is required to carry out proactive measures in the interests of cyber security:</p>
<ol>
<li>Forecast and alert cyber security incidents (IT Act, 2000) & Predict and prevent cyber security incidents (CERT-In Rules, 2013)</li>
<li>Issue guidelines, advisories and vulnerability notes etc. relating to information security practices, procedures, prevention, response and reporting (IT Act, 2000)</li>
<li>Information Security Assurance (CERT-In Rules, 2013)</li>
</ol>
<p style="text-align: justify; ">This article will track and analyse the CERT-In’s operations in each of these areas over the past twelve years, by analysing the information available on CERT-In’s website as well as other media in the public domain.</p>
<p style="text-align: justify; ">The analysis will be carried out using a mixed methodology. The basic quantitative analysis of the information available on CERT-In’s website will take the form of simple comparisons of updates, bulletins and other forms of publicly available interaction and critical information dispersal on CERT-In’s website. The qualitative sections, on the other hand, will contain a comparative analysis of the content of CERT-In’s technical documents against the equivalent documentation (where present) of similar bodies in the USA and EU. Each section will then set out normative suggestions as to how CERT-In’s performance of that respective obligation can be improved to better serve its cyber security mandate.</p>
<hr />
<p style="text-align: justify; "><b><a class="external-link" href="http://cis-india.org/internet-governance/files/cert-ins-proactive-mandate.pdf">Read the full article</a></b></p>
<p style="text-align: justify; "><i>The image is published under Creative Commons License CC BY-SA. Anyone can distribute, remix, tweak, and build upon this document, even for commercial purposes, as long as they credit the creator of this document and license their new creations under the terms identical to the license governing this document</i>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/cert-ins-proactive-mandate-a-report-on-indian-computer-emergency-response-teams-proactive-mandate-in-indian-cyber-security-ecosystem'>http://editors.cis-india.org/internet-governance/blog/cert-ins-proactive-mandate-a-report-on-indian-computer-emergency-response-teams-proactive-mandate-in-indian-cyber-security-ecosystem</a>
</p>
Blog Entry by tiwari, 2016-11-19T04:14:51Z. No publisher. Tags: Cyber Security, Internet Governance.
How Long Have Banks Known About The Debit Card Fraud?
http://editors.cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud
<b>The recent security breach in an Indian payment switch provider, confirmed earlier this week by the National Payments Corporation of India Ltd (NPCIL), has forced domestic banks into damage control mode over the past few days.</b>
<p>The article was <a class="external-link" href="http://www.bloombergquint.com/opinion/2016/10/21/how-long-have-banks-known-about-the-debit-card-fraud">published by Bloomberg</a> on October 22, 2016.</p>
<hr />
<p style="text-align: justify; ">The breach was detected when various customers began to lodge complaints with their banks about unauthorised transactions on their accounts, which upon investigation were said to originate from a foreign location such as China. The security breach has actively affected at least 641 customers to the tune of Rs 1.8 crore, with lakhs more being affected by the proactive measures (including card revocation) being taken by banks to prevent further financial losses.</p>
<p style="text-align: justify; ">Surprisingly little is known, however, about the nature of the attack responsible for the breach, the extent or scope of damage it has caused and the sufficiency of the countermeasures being initiated by the banks against the attacks. This article will talk about these aspects of the attack and also suggest normative measures that can be carried out to minimize harm and prevent such attacks in the future.</p>
<h3 style="text-align: justify; ">The Modus Operandi</h3>
<p style="text-align: justify; ">According to reports, the compromise may have happened at the level of Hitachi Payment Services, a payment services provider which operates, among other financial services, ATMs for a variety of banks across the country. One or a certain number of ATMs were apparently compromised by malware, which then infected the payment services provider's network, giving the malware a far larger potential target area than just the physical ATMs. The malware could have reached the payment switch provider by being physically uploaded onto vulnerable ATM machines, which are known to run outdated embedded operating systems with various documented loopholes that are rarely patched. The malware then could have recorded the details of the cards used on the infected ATMs (or even on the network generally) and, via the same compromised network, transmitted confidential details, including ATM PINs and CVV numbers, to the operators of the malware.</p>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/Malware.jpg/@@images/13c6e6b2-e9be-4056-bd2d-ad540cff88dc.jpeg" alt="Malware" class="image-inline" title="Malware" /></p>
<p style="text-align: justify; ">The attack could also have originated from some other vulnerable part of the payment network, such as a payment switch within the bank itself, which would make it far more dangerous, as it may still be active on parts of the network within the bank and would have access to a far wider range &amp; variety of information than a mere ATM. There is no real way to know whether the threat has even been contained, let alone neutralised, as the audits being carried out by PCI-DSS authorised agencies have been ongoing for the past month and their reports are not due for at least another 15 days, as intimated by NPCIL.</p>
<h3 style="text-align: justify; ">Massive Financial Implications</h3>
<table class="invisible">
<tbody>
<tr>
<th>
<p><img src="http://editors.cis-india.org/home-images/Bank.png/@@images/5a9bda35-ccdc-4895-a841-609c4c7c0958.png" alt="Bank" class="image-inline" title="Bank" /></p>
</th>
</tr>
<tr>
<td>Policemen guard the banking hall of a State Bank of India branch in New Delhi. (Photographer: Sondeep Shankar/Bloomberg News) <br /></td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The compromise of these details, regardless of its source, has massive financial implications, because various international services allow debit/credit cards to be used with only the card number, expiry date, name and CVV number. They do not require an ATM PIN or an OTP (one-time password) sent to a mobile phone for online transactions. In fact, unlike India, where the RBI mandates OTPs for debit cards, this CVV-based simplified online usage is the standard practice for using ATM cards digitally in most of the developed world.</p>
<p style="text-align: justify; ">This means that merely changing ATM PINs, something which SBI alleges fewer than 7 percent of its customers had done before all 6 lakh cards were blocked, would offer almost no protection if the cards are enabled for international online transactions. The fact that most of the dubious, unauthorised financial transactions are occurring from foreign locations probably demonstrates that it is these internationally enabled cards that are being targeted in this sort of attack.</p>
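<p style="text-align: justify; ">As an added illustration of the defensive logic the two paragraphs above imply (not code from the article or from any bank), the following sketch works backwards from a list of ATMs believed compromised: it finds the cards used on those ATMs inside the suspected window and then flags their later card-not-present transactions acquired abroad without an OTP, the exact case where a PIN change gives the holder no protection. The ATM ids, compromise window, card tokens and transaction log are all constructed for the example.</p>

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Txn:
    ts: datetime
    card: str           # tokenised card reference (constructed, not a real PAN)
    channel: str        # "atm" (PIN-verified at a terminal) or "cnp" (card-not-present, online)
    terminal: str       # ATM id for "atm", merchant id for "cnp"
    country: str        # country code where the transaction was acquired
    otp_verified: bool  # whether an OTP step protected this transaction

# Hypothetical compromise window per ATM id; the id and dates are constructed.
COMPROMISED_ATMS = {"ATM-0042": (datetime(2016, 6, 1), datetime(2016, 7, 31))}

def exposed_cards(txns, compromised=COMPROMISED_ATMS):
    """Map each card to the first time it was used on a compromised ATM inside that ATM's window."""
    first_seen = {}
    for t in txns:
        window = compromised.get(t.terminal) if t.channel == "atm" else None
        if window and window[0] <= t.ts <= window[1]:
            if t.card not in first_seen or t.ts < first_seen[t.card]:
                first_seen[t.card] = t.ts
    return first_seen

def flag_suspicious(txns, compromised=COMPROMISED_ATMS, home_country="IN"):
    """Return later card-not-present transactions by exposed cards that were acquired
    outside the home country without an OTP; these are candidates for review and reissue."""
    exposed = exposed_cards(txns, compromised)
    return [t for t in txns
            if t.card in exposed and t.ts > exposed[t.card]
            and t.channel == "cnp" and t.country != home_country and not t.otp_verified]

# Constructed sample transaction log.
SAMPLE = [
    Txn(datetime(2016, 6, 15), "card-A", "atm", "ATM-0042", "IN", True),   # exposure event
    Txn(datetime(2016, 5, 2),  "card-A", "cnp", "shop-us-1", "US", False), # before exposure: not flagged
    Txn(datetime(2016, 9, 3),  "card-A", "cnp", "shop-in-1", "IN", True),  # domestic with OTP: not flagged
    Txn(datetime(2016, 10, 9), "card-A", "cnp", "shop-us-2", "US", False), # foreign, no OTP: flagged
    Txn(datetime(2016, 8, 20), "card-B", "atm", "ATM-0042", "IN", True),   # outside window: not exposed
    Txn(datetime(2016, 10, 1), "card-B", "cnp", "shop-us-2", "US", False), # never exposed: not flagged
    Txn(datetime(2016, 10, 2), "card-C", "cnp", "shop-cn-1", "CN", False), # never on an ATM: not flagged
]

if __name__ == "__main__":
    for t in flag_suspicious(SAMPLE):
        print(f"{t.ts.date()} {t.card} {t.terminal} {t.country} -> review / reissue")
```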
<h3 style="text-align: justify; ">Are Banks Concealing Information?</h3>
<table class="invisible">
<tbody>
<tr>
<th>
<p style="text-align: justify; "><img src="http://editors.cis-india.org/home-images/copy_of_Bank.png/@@images/0f5235cb-4909-4885-b12e-d83bb4202230.png" alt="Bank" class="image-inline" title="Bank" /></p>
</th>
</tr>
<tr>
<td>A customer exits a Yes Bank Ltd. automated teller machine (ATM) in Ahmedabad. (Photographer: Dhiraj Singh/Bloomberg)</td>
</tr>
</tbody>
</table>
<p style="text-align: justify; ">The absence of data/security breach laws in India is being sharply felt, as there has been an abject lack of clarity and information from the banking sector and the government regarding the attack. Over 47 states in the USA and most of the countries in the EU have enacted strict data security breach laws that mandate public intimation and disclosure of key information pertaining to the attack, along with detailed containment measures. The presence of such a law in India would have gone a long way in preventing the breach from being kept under wraps for so long (it occurred at the bank level in September, almost a month ago) and would also have ensured far more vigilant, active compliance by corporations and banks with international security standards and best practices. For now, the only true countermeasure to prevent future harm to affected card holders is for all affected cards to be revoked by the banks and new cards to be issued to affected customers.</p>
<p style="text-align: justify; ">Constant vigilance and comprehensive security audits by banks to detect affected cards, together with active protection for customers using financial and identity insurance services such as AllClear ID Plus (used by Sony after the 2011 PlayStation hack), will go a long way in mitigating the harm of the breach. The banking industry, government and security agencies should all learn from this breach; a combination of new legislation, updated industry practices and consumer awareness is necessary for both proactive and reactive action in the future.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud'>http://editors.cis-india.org/internet-governance/blog/bloomberg-udbhav-tiwari-october-22-2016-how-long-have-banks-known-about-debit-card-fraud</a>
</p>
No publisher. Author: tiwari. Categories: Cyber Security, Internet Governance, Privacy. Published: 2016-10-22T08:06:51Z. Blog Entry.