Editorial Board
Publishers: Cyber Society of India (Regd No: 245/04; http://www.cysi.in)
Editor-In-Chief: Rajendran V (Ex-officio – President of CySI)
Editor: Kapaleeswaran V
Editorial Committee: Dr. Ramamurthy N, Murugan R, Panchi S
Advisors: Srinivasan K, Na Vijayashankar
This Issue
1. Editorial 1
2. From the Presidential Desk 2
3. Cyber Security, forecast for 2015 3
4. Dummy’s Corner 5
5. CySI related events 6
6. eGovernance through Board room best practice 7
7. Near Miss 8
8. Cyber news across the world 9
9. CySI is proud 10
*****
Editorial

The hue and cry over cyber risks is on the rise, and the resulting crescendo is slowly making netizens realize that they no longer enjoy wandering around cyberspace as they once did. Despite the feeling of stifled cyber breath, with every step taken with utmost caution, one still hears news of security fortresses considered safe crumbling gradually. With analysts predicting worsening cyber attacks in the days to come, are we closer to defining a third type of emergency, viz. 'Cyber Emergency', after the well known External and Internal emergencies? From kids to senior citizens, the constant drumming on the ear is 'caution over the net', which makes one weary of browsing, as none will enjoy a stroll with someone always breathing down their neck. But then, do we have a choice any more? Can we afford to live without this dreaded but loved companion?

- Slowly the backpacks of the school-going are being replaced by sleek tablets, and some schools already expect the kids to email their homework and demand attractive presentations for celebrations, kissing goodbye to the traditional festoons and ribbons!
- The common man's daily needs are increasingly dependent on the internet, be it payment of utility bills or gifts for ageing parents living far away.
- Fearing robberies, one is forced to use plastic cards, whose vulnerability is on the rise.
- For want of time, and for the speed of accomplishing a task, busy executives are forced to seek refuge in internet banking.
- The college student's only source of dole for his monthly maintenance from the parents is the ATM, and the World Wide Web for references.
- Senior citizens are forced to interact with children across the geography through various chat channels, blissfully unaware of the malware and cookies gnawing at their credentials.
- Businessmen conduct business and share business-critical documents and B2B artifacts over networks that prove more porous with every passing day.

With so much dependency on the cyber world, it is only awareness, constant updating of knowledge and deployment of preventive mechanisms that will help us stay in the race, avoiding loss of business, personal identity and property. It is time to pull up our socks and meet the challenge head on, as we wait to greet the New Year!

Kapaleeswaran, V [email protected]
eSecure - Secure and be Aware! An e-zine from CySI (Volume 2, Number 2), December 2014
http://cysi.in Cyber Society of India [email protected] Page | 2
Cyber Crimes in eBanking - Complaints & Compliance

Any youngster of today identifies his bank only with his ATM card or with the keyboard, mouse and computer monitor. Days are gone when people identified their banks with a brick and mortar structure with human interfaces. Such is the penetration of technology in banking. With the advent of the Core Banking Solution, even the concept of branch banking is slowly waning and personal banking is fading.

Where is the personal touch? With RBI speaking about 'disincentivizing' the usage of cheques and driving people towards ATMs and Internet Banking, away from physical presence in the branches, service gets computerized, feedback is mechanized, complaints are automated and redress, or at least acknowledgement, is systemic, i.e. system-driven and not personal. Even for making complaints we approach computers, an Interactive Voice Response System, and there is no person on the other side to listen to you if you want to shout and vent your anger!
Response is automated, but is the happiness automatic? Some banks even take up to 120 days for final redress and closure of the complaint, intimating the same as part of the acknowledgement itself.

There are many complaint redress mechanisms for a cyber crime victim in banking. The step by step approach would be to:

1. Prefer a complaint to the branch manager and, if redress is not received, then
2. Escalate it to the next higher official like the regional manager etc., and
3. Escalate it to the top management at the HO on the 15th, i.e. customer service day
4. File a complaint with the Banking Ombudsman
5. Approach the IT Adjudicator if there is financial loss in an e-transaction
6. File a civil complaint in an appropriate legal forum, i.e. court
7. File a criminal complaint if the offence involves criminality

The above is a step by step redress mechanism, though in some cases taking recourse concurrently to more than one of these steps may be advisable.
Banks as intermediaries have to ensure "due diligence" and put in place all reasonable security practices, as per Section 43-A read with Section 79 of the I.T. Act 2000 (as amended by the IT Amendment Act 2008). What constitutes 'reasonable security practices and procedures' has also been elaborated in the Rules issued subsequently. In the days to come, with more cases being fought in courts, perhaps the courts may provide a larger interpretation of the concepts of 'due diligence' and 'reasonable security practices'.
Speed is the essence: complaints on Internet banking crimes and fraudulent withdrawals from ATMs should be acted upon instantly, and even inaction of a few seconds may result in huge financial loss to the customer. In all such cases, the customer will strive to prove that he actually did lodge the complaint and that the bank's delay of a few minutes cost him the loss (since it is during those seconds that the amounts were fraudulently withdrawn). The bank, then, is in a legally unenviable position and will certainly be accused of not putting in place "reasonable security practices" and of contravening the due diligence concept of a banker (read with the age-old 'Payment in Due Course' and the principle of 'good faith and without negligence' of the Negotiable Instruments Act of 1881).
Rajendran, V - [email protected]
(President, Cyber Society of India)
Cyber Security - Forecast for 2015

Cyber-security created headlines and headaches in 2014, with large-scale data breaches at retail chains, attacks on data stored in the Cloud and massive vulnerabilities revealed in decades-old code. Cyber-security researchers have outlined their top security predictions for 2015 to help global businesses interpret and anticipate threat trends and defend against innovative and sophisticated attacks. Highlights of research recently conducted on this include:
1. The healthcare sector will see an increase in data stealing attack campaigns. Healthcare records hold a treasure trove of personally identifiable information that can be used in a multitude of attacks and frauds. In an environment still transitioning millions of patient records from paper to digital form, many organizations are playing catch-up when it comes to the security challenge of protecting personal data. As a result, cyber-attacks against this industry will increase.
2. Attacks on the Internet of Things (IoT) will focus on businesses, not consumer products. As the Internet of Things accelerates the connectivity of everyday items, proof-of-concept hacks against refrigerators, home thermostats and cars have been widely reported. However, the real threat from IoT will likely occur in a business environment rather than a consumer one. Every new internet-connected device in a business environment further increases the business's attack surface. These connected devices use new protocols, present new ways to hide malicious activity and generate more noise that must be accurately filtered to identify true threats. Attacks are likely to attempt to use control of a simple connected device to move laterally within an organization to steal valuable data. In the coming year, manufacturing and industrial environments, in particular, are likely to see an increase in attack volume.
3. Credit card thieves will morph into information dealers. As the retail sector escalates its defenses and security measures, such as mandating Chip and PIN technology, look for cybercriminals to accelerate the pace of their credit card data theft. In addition, these criminals will begin to seek a broader range of data about victims. These fuller, richer personal identity dossiers of individual users, consisting of multiple credit cards, regional and geographic data, personal information and behavior, will be increasingly traded in the same manner that stolen credit cards are today.
4. Mobile threats will target credential information more than the data on the device. With the auto-login capability of mobile apps, mobile devices will increasingly be targeted for broader credential-stealing or authentication attacks whose proceeds are used later. These attacks will use the phone as an access point to the growing set of Cloud-based enterprise applications and data resources that the devices can freely access.
5. New vulnerabilities will emerge from decades-old source code. OpenSSL, Heartbleed and Shellshock all made headlines this year, but the flaws have existed within open source code for years, waiting to be exploited. The pace of software development demands that new applications are built on open source or legacy proprietary source code. As new features and integrations build on top of that base code, vulnerabilities continue to be overlooked. Next year, attackers will successfully exploit seemingly divergent application software through vulnerabilities in the old source code that these applications share.
6. Email threats will take on a new level of sophistication and evasiveness. Though the Web remains the largest channel for attacks against businesses, new highly-sophisticated email evasion techniques will be introduced and designed to circumvent the latest enterprise-grade defenses. Traditionally used as a lure in past attack scenarios, email will become a more pervasive element of other stages of an attack, including the reconnaissance stage.
7. As companies increase access to Cloud and social media tools, command and control instructions will increasingly be hosted on legitimate sites. Criminals will increasingly use social and collaborative tools to host their command and control infrastructure. Those charged with protecting business from attack will have a difficult time discerning malicious traffic from legitimate traffic when communications to Twitter and Google Docs are not only allowed, but also encouraged.
8. There will be new (or newly revealed) players on the global cyber espionage/cyber war battlefield. The techniques and tactics of nation-state cyber espionage and cyber warfare activities have primarily been successful. As a result, additional countries will look to develop their own cyber-espionage programs, particularly countries with a high rate of forecasted economic growth. In addition, because the barrier to entry for cyber activities is minimal compared to traditional espionage and war costs, the researchers believe that the world will see an increase in loosely affiliated ‘cells’ that conduct cyber-terrorist or cyber warfare initiatives independent from, but in support of, nation-state causes.
Courtesy and more details: http://www.dynamicciso.com/blog-details/01386bd6d8e091c2ab4c7c7de644d37b.html
The author, Dr. Ramamurthy, is a versatile personality with a unique blend of experience in various walks of banking and related IT solutions. His speciality is continuous learning, and his qualifications include M.Sc., B.G.L., CISA, PMP, CGBL, Black Belt in Six Sigma and so on. He spreads his knowledge through consulting and teaching and is also on the editorial board of this e-zine.
Dr. Ramamurthy, N - [email protected]
Smile Corner

It was just after Thanksgiving, and the judge was in a happy mood. He asked the prisoner who was in the dock, 'What are you charged with?' The prisoner replied, 'Doing my Christmas shopping too early'. 'That's no crime', said the judge. 'Just how early were you doing this shopping?'
'Before the shop opened', answered the prisoner.
Dummies Corner

The questions below may seem silly, but they carry a lot of messages. They are meant for laymen and not experts.

Question: One day I suddenly receive a text message and observe that my debit card has been used to withdraw a certain amount from an ATM. What are the immediate steps I should take to recover my money and prevent further misuse of my card?
Answer: Instances of misuse of an ATM card (i.e. fraudulent cash withdrawals) are extremely rare, the rarest of rare cases, considering the volume of ATM withdrawal transactions happening in the country. However, if one still becomes a victim of such a case, the immediate and instant step should be to contact the bank's 24 x 7 helpline to block the card, and one should also report to the nearest police station. Immediate action and reporting are of the essence, because any delay in reporting will result in loss of evidence from the CCTV in the ATM room, non-retrieval of the logs and data from the computer systems and non-availability of other circumstantial evidence. Such a complaint should also be followed up continually. There are cases where police have busted gangs engaged in ATM card cloning and fraudulent withdrawals, all involving ATMs in a particular location, and, based upon the evidence gathered, police have advised the banks of the victim customers to refund the money too.

On the safety and preventive side, it is always better to keep the ATM daily withdrawal limit to the minimum that we feel is necessary for us, say Rs.10,000 or Rs.20,000, by giving suitable instructions to the bank. Otherwise, some banks routinely fix the minimum daily withdrawal limit as Rs.40,000/- for all customers, in which case the risk too is that high. In fact, even while taking a credit card, it is always better to keep the credit eligibility to the minimum that we need and to keep the cash limit to a very low amount or even nil, since it is very rare that we withdraw cash from a credit card, exposing ourselves to the exorbitant rate of interest.
Answers by Mr. Rajendran V ([email protected])

Tips to keep your identity safe!
- Password protect your device
- Turn on two factor authentication for your email
- Put a Google alert on your name
- Sign out of online applications when not in use
- Avoid using cards at suspicious outlets
- Change your Facebook settings to safety
- Clear browser history and cookies regularly
Courtesy: www.forbes.com
CySI at CII Summit

Cyber Society of India was invited by the CII to the CIO Summit 2014, titled 'Keeping pace with IT Security and Compliance', at Chennai on Dec 5th, 2014.
Participating in the panel discussion on "Managing threats in a connected world", CySI President Mr. V. Rajendran delivered a brief but forceful account of the need for better awareness, which was well received by the august audience.
The daylong event was also attended by the Vice President Mr. V. Kapaleeswaran and Joint Secretary Mr. P.N.A. Shanker Kumar, from CySI.
National Seminar on Cyber Security

A two day National seminar on "Cyber Security with special focus to Cyber Crimes and Cyber Laws" was organized by the Department of Computer Science of P.B. Siddhartha College of Arts & Science, at Vijayawada on the 15th and 16th of November, 2014. On an invitation, the President, Secretary and Vice President of Cyber Society of India participated in the event, inaugurated by the Commissioner of Police, Vijayawada, with a very informative lecture in the inaugural session.
The speech of Mr. Rajendran, President, CySI, though curtailed due to time, was well received, with active interaction from the participants consisting of students and faculty of many colleges in the place.
Mr. Kapaleeswaran, Vice President, CySI, underlined the need for caution and awareness while browsing the internet, during his presentation on 'Social Networking Sites and Cyber Crimes'.
Mr. Ramesh Bhashyam, Secretary, CySI, spoke on "Future of Technology: Cyber Crimes Scenario".
Through all sessions, there were interesting interactions with queries from the faculty, students and other invitees.
E-Governance through Board Room Best Practices

We have now consciously transformed our lives from physical presence, physical attendance and physical meetings to virtual meetings, video conferences and webinars. Perhaps in the years to come, the best practices in the Board Room will simply mean ensuring the presence of, believe me, some electronic gadgets, some network equipment and no directors physically! Directors will log on and discuss, deliberate, debate and demystify all major corporate affairs virtually, with digital records.
Carrying a laptop to the Board Room and the conduct of such meetings electronically has already
been discussed in the paper submitted by Shri Prem Anand from IOD, Chennai. Hence we will
now discuss briefly the e-Records component of such meetings, techno-legal issues in e-records and
the evidentiary value of such records in cyberspace.
Records stored or maintained in any computer system have been recognized as legally valid, thanks
to the passing of the Information Technology Act 2000. Procedures for authentication of electronic
records and digital signatures to ensure the concepts of ‘confidentiality, integrity, availability and
non-repudiation’ of e-records were laid down in the Act of 2000. Digital Signatures which are
based on the specific technology of public key infrastructure and digital signature certificates were
later replaced by ‘electronic signatures’ by the IT Amendment Act 2008, to make it technology-neutral.
As stated in the paper submitted by Shri Prem Anand referred above, board members can express
their views or give approval or otherwise, even when on the move, say from airport or any other
place, so long as they are connected to the Board Room and accessible to the other board members.
In all such cases, the broader question would be on the retrievability of such records, admissibility
of such evidences and acceptability for other members, in the event of any dispute.
There should be a clear, well-drafted e-Records Maintenance Policy in organisations and a cyber
law compliance mechanism with well-defined roles and responsibilities for the various levels of
executives like the Chief Information Security Officer, Information Security Administrator or
Officer. The Information Systems Security Policy should clearly spell out the guidelines for broadly
all e-records and specifically the issues connected with e-attendance in such meetings, e-circulation
and of course e-approval of important decisions too.
It is not just the issues connected with records maintenance that need attention, but also the network through which the significant data and minutes pass, and the criticality of those information assets, some of which carry time-bound confidentiality, some person-based confidentiality and some geographic-location-based confidentiality. These security issues have much wider ramifications and have to be viewed in the larger perspective of not just protecting the organization's data but also protecting the board member's right to keep his records confidential and his duty to express what he should.
But these days, more and more corporates are moving towards the concept of 'Work from Home', encouraging or at least permitting their staff members to log in to the organization's information resources and access them, with due process of Access Privileges. Hence the day is not far off that
the Board Room too becomes virtual, permitting the board members to login to the company’s
resources (ensuring that the board notes with annexure are electronically circulated well in
advance) and permitted to discuss and express their approval or otherwise.
After all, was it not Kautilya who in his administrative treatise "Arthashastra", around 300 BCE, emphasized the importance of record-keeping and the duty of the King to protect them? In today's digital world, with so much of e-governance being spoken about, it is the duty of the king, read the Board Room, to protect not just the company, but the directors and all other stakeholders as well.
The above article was written by Shri V Rajendran, President, CySI, especially for the corporate
executives and published in the Souvenir released by the Institute of Directors in their recently
concluded Conference held in Chennai.
Near Miss

This column is being introduced from the Dec '2014 issue to enable netizens to share the experiences they have encountered that compromised their personal security in the cyber world. Readers are requested to send their similar experiences to [email protected]
"I received a phone call on my registered mobile with that popular bank, which started with greeting me for the festival around and said that they wanted to verify my card details. As I was on a train, I requested them to call later. Promptly came the call the next day, when the same voice asked me whether I possess a credit card from that bank and recited my card number.

On my confirmation, the caller went on to ask about the card validity period. When I protested that he could get all these from the bank database since he already had the card details, he said he wanted the customer to confirm it and proceeded to other questions like address. After a few questions, he came back and asked for the date of birth, when I really grew suspicious and hung up.

The call from the same number came repeatedly for the next few days, and when I threatened that I was planning to report this incident to the bank as well as to the cyber crime police, as I was not convinced he was from the bank and also the bank keeps assuring the customers that they will never ask for such details over phone or email, the caller hung up. That was the last I heard from that caller.

Some observations are that the caller was very polite with very good language pronunciation, plants the vital questions such as date of birth and expiry period carefully among other trivial questions, and comes back again and again to impress you about the genuineness of the call. The caller also says that failing to have the personal details confirmed will deprive the card holder of some of the new facilities being offered by the Bank.

Please be aware and stay enlightened about such bogus callers."
Experiences shared by Kapaleeswaran, V ([email protected])
Cyber News across the world

Sony Is Not The Only Company With Subpar Data Security, New Survey Finds
Employees with excessive data access privileges represent a growing risk for organizations due to both accidental and malicious exposure of sensitive data. This is the conclusion of a new survey . . . 71 percent of employees report that they have access to data they should not see, and 54 percent say that this access is frequent or very frequent. . . . there have been 708 data breaches in the U.S. so far this year, with more than 81 million records compromised. Are hackers becoming more numerous and sophisticated, or are companies letting down their guard for the sake of increasing employee productivity and reducing what they spend on data protection? For more details read at: http://news360.com/digestarticle/4kFZq9-2zE-FT0u7kmzKFg
Spammers use timely, but malicious, emails to trick holiday shoppers
Scammers taking advantage of the holiday shopping frenzy are leveraging the Asprox botnet, notorious for furthering spam campaigns, to deliver malware to unsuspecting users. Emails made to look like order confirmations from major retailers, like Best Buy, Target and Walmart, were used as bait, Malcovery Security revealed Wednesday. The campaign, observed spreading spam, delivered two versions of malware to victims: one sent via malicious email attachments, and another spread through links to malicious websites. Refer: http://news360.com/digestarticle/TgnZO2tS8kmz6ZRGVOjUPQ
Stuxnet worm infected high-profile targets before hitting Iran nukes
The Stuxnet computer worm that attacked Iran's nuclear development program was first seeded to a handful of carefully selected targets before finally taking hold in uranium enrichment facilities, according to a published book. More details at: http://news360.com/digestarticle/yepe59_56k-4rSvt-vi4Fw
Did Russian Cyber attackers Raid Big US Banks?
The big banks are staying tight-lipped about it, but multiple sources say several major US financial firms were hit by hackers who made off with gigabytes of data earlier this month. The banks included JPMorgan Chase and at least four others, according to New York Times sources, who say the stolen data included checking and savings account information and the motivation of the attackers is still unclear. An FBI spokesman says the agency is working with the Secret Service to investigate the reported attacks, Reuters reports. A JPMorgan spokeswoman says "companies of our size unfortunately experience cyber attacks nearly every day" and the bank has "multiple layers of defense." Read more at: http://www.newser.com/story/193114/did-russian-cyberattackers-raid-big-us-banks.html
CySI is proud!

CySI Secretary Mr. Ramesh Bhashyam is in the news again!
The 'IT NEXT 100 Team' organized the Next 100 winners for the 2014 batch and identified a few members from the previous award winners to make a presentation.
Mr. Ramesh Bhashyam, being one amongst the chosen few, delivered a presentation on the "Latest trends and technology".
The presentation was well received, and Mr. Ramesh was also awarded a Silver Coin by the Next 100 Team.
CySI is proud of his constant recognition by the august body and also appreciates his persistent efforts to keep himself abreast of current trends on the chosen topics.
Here is wishing him the Very Best!
Pictures are added to the articles of this e-zine for effective reading and understanding. Most of the pictures are taken from the Internet. Our editorial board wishes to convey its thanks for the courtesy of whoever has taken the pains to draw and upload the pictures.

This e-zine and all the previous issues can be read from our website http://cysi.in/. The contents in this e-zine are meant for sharing of knowledge, and hence readers are requested to circulate this e-zine in full or in part to anyone they like. Readers may acknowledge CySI while reproducing the articles or any part thereof. Readers are requested to send their feedback, articles, jokes, etc., to [email protected]. Neither CySI nor the members of the Editorial Committee/Board owns any responsibility for the views expressed by the authors in the articles. The views expressed are the concerned author's individual views only. For any further clarification on any of the articles or stories in this e-zine, kindly contact the author directly or email [email protected]

Editorial Board
CySI wishes everyone a Very Happy New Year!