Publishers: Cyber Society of

India

(Regd No: 245/04;

http://www.cysi.in)

Editor-In-Chief: Rajendran V

(Ex-officio – President of CySI)

Editor:

Kapaleeswaran V

Editorial Committee:

Dr. Ramamurthy N

Murugan R

Panchi S

Advisors:

Srinivasan K

Na Vijayashankar

This Issue

1. Editorial 1

2. From the Presidential Desk 2

3. Cyber Security, forecast for 2015 3

4. Dummy’s Corner 5

5. CySI related events 6

6. eGovernance through Board

room best practice 7

7. Near Miss 8

8. Cyber news across the world 9

9. CySI is proud 10

*****

The hue and cry over cyber risks is on the rise with the resulting crescendo slowly making the netizens realize that they no more enjoy wandering around the cyber space, as hitherto. Despite a feeling of stifling of cyber breath, with every step taken with utmost caution and in spite of it, still one hears news of the security fortress considered safe, crumbling gradually. With the analysts predicting worsening of cyber attacks in the days to come, are we closer to defining the third type of emergency viz., 'Cyber Emergency' after the well known External and Internal emergencies? From kids to senior citizens, the constant drumming on the ear is 'with caution over the net', which makes one weary of browsing as none will enjoy a stroll with someone always breathing down the neck. But then, do we have a choice, anymore? Can we afford to live without this dreaded but loved companion? - Slowly the backpack of the school-going are being replaced by sleek tablets and some schools are already expecting the kids to email their homework and demand attractive presentations for celebrations kissing good bye to the traditional festoons and ribbons! - Common man's daily needs are increasingly becoming dependent on internet, be it payment of utility bills or gifts for the ageing parents living far away. - Fearing robberies, one is forced to use the plastic cards, whose vulnerability is on the rise. - For want of time and speed of accomplishing a task, busy executives are forced to seek refuge under internet banking. - The college students' only source of dole for his monthly maintenance from the parents is ATMs and the World Wide Web for references. - Senior citizens are forced to interact with children across the geography through various chat channels, blissfully unaware of the malwares and cookies that are gnawing at their credentials. - Businessmen conduct business and share business critical documents and b2b artifacts over the networks, proving to be porous with every passing day. With so much of dependency on the cyber world , it is only the awareness, constant updates of knowledge levels and deployment of preventive mechanisms that will help to stay in the race avoiding loss of business, personal identity and property. It is time to pull up the socks and meet the challenge head on, as we wait to greet the New year! Kapaleeswaran, V -mail2kapali@gmail.com

eSecure

Secure and be Aware!

An e-zine from CySI [[Volume 2, Number 2]

December 2014

Editorial

Editorial Board

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 2

Any youngster of today identifies his bank only with either his ATM card or through the key-board, mouse and computer monitor. Days are gone when people identified their banks with a brick and mortar structure with human interfaces. Such is the penetration of technology in banking. With the advent of Core Banking Solution, even the concept of branch banking is slowly waning and personal banking is fading.

Where is the personal touch? With RBI speaking about ‘disincentivizing’ the usage of cheque and driving people towards ATMs , Internet Banking and away from physical presence in the branches, service gets computerized, feedback is mechanized, complaints are automated and redress, at least acknowledgement is systemic i.e., system-driven and not personal. Even for making complaints we approach computers, an Interactive Voice Response System and there is no person on the other side to listen to you if you want to shout and vent your anger!

Response automated, but, is the happiness automatic? Some banks even take upto 120 days

intimating the same as part of the acknowledgement itself for final redress and closure of the complaint.

And there are many complaint redress mechanism for a cyber crime victim in banking. The step by step

approach would be to

Prefer a complaint to the branch manager and if redress not received, then

Escalate it to the next higher official like regional manager etc and

Escalate it to the top management at the HO on the 15th i.e. customer service day

File a complaint with the Banking Ombudsman

Approach the IT Adjudicator if there is financial loss in an e-transaction

File a civil complaint in an appropriate legal forum i.e. court

File a criminal complaint if the offence involves criminality

The above is a step by step redress mechanism, though in some cases, simultaneously taking recourse

concurrently to more than one of these steps, may be advisable.

Banks as intermediaries have to ensure “due diligence” and put in place all reasonable security places, as

per Section 43-A read with Sec 79 of the I.T. Act 2000 IT Amendment Act 2008. . What is 'reasonable

security practices and procedures' has also been elaborated in the Rules issued subsequently. In the days to

come, with more cases being fought in courts, perhaps the courts may provide a larger interpretation of the

concept of ‘due diligence’ and ‘reasonable security practices'.

Speed is the essence: Complaint on Internet banking crimes, fraudulent withdrawals from ATMs should be

acted upon instantly and even inaction of a few seconds may result in huge financial loss to the customer. In

all such cases, the customer will strive to prove that he actually did lodge the complaint and the bank’s delay

of a few minutes cost him the loss (since it is during those seconds that the amounts were fraudulently

withdrawn). The bank then, is in a legally unenviable position and will certainly be accused of not putting in

place “reasonable security practices” and contravening the due diligence concept of a banker (read with the

age old ‘Payment in Due Course’ and the principle of ‘good faith and without negligence’ of Negotiable

Instruments Act of 1881).

Rajendran, V - venkrajen@yahoo.com

(President, Cyber Society of India)

Cyber Crimes in eBanking - Complaints & Compliance

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 3

Cyber-security created headlines and headaches in 2014, with large-scale data breaches at retail chains,

attacks on data stored in the Cloud and massive vulnerabilities revealed in decades-old codes. The Cyber-

security researchers have outlined their 2015 top security predictions to help global businesses interpret

and anticipate threat trends to defend against innovative and sophisticated attacks. Highlights of a research

recently conducted on this include:

1. The healthcare sector will see an increase in data stealing attack campaigns. Healthcare records hold a treasure trove of personally identifiable information that can be used in a multitude of attacks and frauds. In an environment still transitioning millions of patient records from paper to digital form, many organizations are playing catch-up when it comes to the security challenge of protecting personal data. As a result, cyber-attacks against this industry will increase.

2. Attacks on the Internet of Things (IoT) will focus on businesses, not consumer products. As the Internet of Things accelerates the connectivity of everyday items, proof-of-concept hacks against refrigerators, home thermostats and cars have been widely reported. However, the real threat from IoT will likely occur in a business environment over consumer. Every new internet-connected device in a business environment further increases a business attack surface. These connected devices use new protocols, present new ways to hide malicious activity and generate more noise that must be accurately filtered to identify true threats. Attacks are likely to attempt to use control of a simple connected device to move laterally within an organization to steal valuable data. In the coming year, manufacturing and industrial environments, in particular, are likely to see an increase in attack volume.

3. Credit card thieves will morph into information dealers. As the retail sector escalates their defenses and security measures such as mandating Chip and PIN technology, look for cybercriminals to accelerate the pace of their credit card data theft. In addition, these criminals will begin to seek a broader range of data about victims. These fuller, richer, personal identity dossiers of individual users, consisting of multiple credit cards, regional and geographic data, personal information and behavior, will be increasingly traded in the same manner that stolen credit cards are today.

4. Mobile threats will target credential information more than the data on the device. With the auto-login capability of mobile apps, mobile devices will increasingly be targeted for broader credential-stealing or authentication attacks to be used at later. These attacks will use the phone as an access point to the increasing Cloud-based enterprise applications and data resources that the devices can freely access.

5. New vulnerabilities will emerge from decades-old source code. OpenSSL, Heartbleed and Shellshock all made headlines this year, but have existed within open source code for years, waiting to be exploited. The pace of software development demands that new applications are built on open source, or legacy proprietary source code. As new features and integrations build on top of that base code, vulnerabilities continue to be overlooked. Next year, attackers will successfully exploit seemingly divergent application software through vulnerabilities in the old source code that these applications share.

6. Email threats will take on a new level of sophistication and evasiveness. Though the Web remains the largest channel for attacks against businesses, new highly-sophisticated email evasion techniques will be introduced and designed to circumvent the latest enterprise-grade defenses. Traditionally used as a lure in past attack scenarios, email will become a more pervasive element of other stages of an attack, including the reconnaissance stage.

Cyber Security - Forecast for 2015

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 4

7. As companies increase access to Cloud and social media tools, command and control

instructions will increasingly be hosted on legitimate sites. Criminals will increasingly use social and collaborative tools to host their command and control infrastructure. Those charged with protecting business from attack will have a difficult time discerning malicious traffic from legitimate traffic when communications to Twitter and Google Docs are not only allowed, but also encouraged.

8. There will be new (or newly revealed) players on the global cyber espionage/cyber war

battlefield. The techniques and tactics of nation-state cyber espionage and cyber warfare activities have primarily been successful. As a result, additional countries will look to develop their own cyber-espionage programs, particularly in countries with a high rate of forecasted economic growth. In addition, because the barrier of entry for cyber activities is minimal compared to traditional espionage and war costs, the researchers believe that the world will see an increase in loosely affiliated ‘cells’ that conduct cyber-terrorist or cyber warfare initiatives independent from, but in support of, nation-state causes.

Courtesy and more details: http://www.dynamicciso.com/blog-

details/01386bd6d8e091c2ab4c7c7de644d37b.html#sthash.L8qzUTmJ.dpuf

Author, Dr. Ramamurthy is a versatile personality with unique blend of experience in various walks of Banking and related IT solutions. His specialty is continuous learning and his qualifications include – M.Sc., B.G.L., CISA, PMP, CGBL, Black Belt in Six-sigma and so on. He spread his knowledge through consulting and teaching and is also on the editorial board of the ezine.

Dr. Ramamurthy, N - ramamurthy.n@gmail.com

It was just after Thanksgiving, and the judge was in a happy mood. He asked the prisoner who was in the dock, 'What are you charged with?' The prisoner replied, 'Doing my Christmas shopping too early'. 'That's no crime', said the judge. 'Just how early were you doing this shopping?'

'Before the shop opened', answered the prisoner.

Smile Corner

Cyber Security - Forecast for 2015 (contd.,)

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 5

The questions below may seem silly, but they carry lot of messages. These are meant for laymen and not experts.

Question: One day suddenly I receive a text message and I observe that my debit card has been used for withdrawing a certain amount from an ATM. What are the immediate steps to be taken by me for recovering my money and prevent further misuse of my card?

Answer: Instances of misuse of ATM card (i.e. fraudulent cash

withdrawals) are extremely rare and the rarest of rare cases,

considering the volume of ATM withdrawal transactions happening

in the country. However, if one still becomes a victim of one such

case, the immediate and instant step should be to contact the

bank's 24 x 7 helpline to block the card and should also report to the

nearest police station. Immediate action and reporting is the

essence because any delay in reporting will result in loss of evidence

from the CCTV in the ATM room, non-retrieval of the logs and data from the computer systems and non-

availability of other circumstantial evidences. Such complaint should also be followed up continually. There

are cases when police have busted gangs of ATM card cloning and fraudulent withdrawals, all involving

ATMs in a particular location, and based upon the evidence gathered, police have advised the banks of the

victim customers to refund the money too. On the safety and preventive side, it is always better to keep the

ATM withdrawal daily limit to the minimum that we feel is necessary for us, say Rs.10,000 or Rs.20,000, by

giving suitable instructions to the bank. Otherwise, some banks routinely fix the minimum daily withdrawal

limit as Rs.40,000/- for all customers, in which case the risk too is so high. In fact, even while taking a credit

card, it is always better to keep the credit eligibility to the minimum that we need and to keep the cash limit

to a very low amount or even nil, since it is very rare that we withdraw cash from credit card, exposing

ourselves to the exorbitant rate of interest.

Picture courtesy: www.Google.com Answers by Mr. Rajendran V venkrajen@yahoo.com Password protect your device

Turn on two factor authentication of your email.

Put a Google alert on your name

Sign out of online applications, when not in use

Avoid using of cards at suspicious outlets

Change your Facebook settings to safety

Clear browser history and cookies regularly

Courtesy: www.forbes.com

Dummies Corner

Tips to keep your identity safe!

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 6

Cyber Society of India was invited by the CII to the CIO Summit 2014, titled 'Keeping pace with IT Security and Compliance' at Chennai, on Dec 5th, 2014.

Participating in the Panel discussion on "Managing threats in a connected world", CySI President Mr. V. Rajendran delivered a brief but forceful account on the need for better awareness, which was well received by the august audience.

The daylong event was also attended by the Vice President Mr. V.Kapaleeswaran and Joint Secretary Mr. P.N.A.Shanker Kumar, from CySI.

A two day National

seminar on "Cyber Security

with special focus to Cyber

Crimes and Cyber Laws"

was organized by the

Department of Computer

Science of P.B.Siddhartha

College of Arts & Science,

at Vijayawada on the 15th

and 16th of November,

2014. On an invitation, the

President, Secretary and

Vice President of Cyber

Society of India,

participated in the event,

inaugurated by the Commissioner of Police, Vijayawada, delivering a very informative lecture in

the inaugural session.

The speech of Mr. Rajendran, President, CySI though curtailed due to time was well received with

active interaction from the participants consisting of students and faculty of many colleges in the

place.

Mr. Kapaleeswaran, Vice President CySI underlined the need for caution and awareness while

browsing the internet, during his presentation on 'Social Networking Sites and Cyber Crimes'.

Mr. Ramesh Bhashyam, Secretary, CySI spoke on " Future of Technology: Cyber Crimes Scenario".

Through all sessions, there were interesting interactions with queries from the faculty, students and

other invitees.

CySI at CII Summit

National Seminar on Cyber Security

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 7

We have now consciously transformed our lives from physical presence, physical attendance,

physical meetings to virtual meetings, video conferences and webinars. Perhaps in the years to

come, the best practices in Board Room will simply mean ensuring the presence of – believe me --

some electronic gadgets, some network equipment and no directors physically! Directors will log

on and discuss, deliberate, debate and demystify all major corporate affairs virtually with digital

records.

Carrying a laptop to the Board Room and the conduct of such meetings electronically has already

been discussed in the paper submitted by Shri Prem Anand from IOD, Chennai. Hence we will

now discuss briefly the e-Records component of such meetings, techno-legal issues in e-records and

the evidentiary value of such records in cyberspace.

Records stored or maintained in any computer system have been recognized as legally valid, thanks

to the passing of the Information Technology Act 2000. Procedures for authentication of electronic

records and digital signatures to ensure the concepts of ‘confidentiality, integrity, availability and

non-repudiation’ of e-records were laid down in the Act of 2000. Digital Signatures which are

based on the specific technology of public key infrastructure and digital signature certificates were

later replaced by ‘electronic signatures’ by the IT Amendment Act 21008, to make it technology-

neutral.

As stated in the paper submitted by Shri Prem Anand referred above, board members can express

their views or give approval or otherwise, even when on the move, say from airport or any other

place, so long as they are connected to the Board Room and accessible to the other board members.

In all such cases, the broader question would be on the retrievability of such records, admissibility

of such evidences and acceptability for other members, in the event of any dispute.

There should be a clear, well-drafted e-Records Maintenance Policy in organisations and a cyber

law compliance mechanism with well-defined roles and responsibilities for the various levels of

executives like the Chief Information Security Officer, Information Security Administrator or

Officer. The Information Systems Security Policy should clearly spell out the guidelines for broadly

all e-records and specifically the issues connected with e-attendance in such meetings, e-circulation

and of course e-approval of important decisions too.

Not just the issues connected with records maintenance, but also the network through which the

significant data and minutes pass, the criticality of those information assets, some of which would

be time-bound confidentiality, some person-based confidentiality and some geographic location

based. These security issues have much wider ramifications and have to be viewed in the larger

perspective of not just protecting the organization data but also protecting the board member’s

rights to keep his records confidential and duty to express what he should.

But these days, more and more corporate are going towards the concept of ‚Work from Home‛

encouraging or at least permitting their staff members to login to the organization's information

resources and access them, with due process of Access Privileges. Hence the day is not far off that

E-Governance through Board Room Best Practices

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 8

the Board Room too becomes virtual, permitting the board members to login to the company’s

resources (ensuring that the board notes with annexure are electronically circulated well in

advance) and permitted to discuss and express their approval or otherwise.

After all, was it not Kautilya who in his administrative treatise ‚Arthashastra‛ around 300 BCE,

emphasized the importance of record-keeping and the duty of King to protect them? In today’s

digital world with so much of e-governance being spoken about, it is the duty of king, read the

Board Room, to protect not just the company, but the directors and all other stake holders as well.

The above article was written by Shri V Rajendran, President, CySI, especially for the corporate

executives and published in the Souvenir released by the Institute of Directors in their recently

concluded Conference held in Chennai.

This column is being introduced from the Dec'2014 issue, to enable the netizens to share their experiences encountered compromising their personal security in the cyber world. Readers are requested to send their similar experiences to editor@cysi.in

"I received a phone call on my registered mobile with that popular bank, which started with

greeting me for the festival around and said that they wanted to verify my card details. As I was on

a train, I requested them to call later. Promptly came the call the next day, when the same voice

asked me whether I possess a credit card from that bank and recited my card number.

On my confirmation, the caller went on to ask about the card validity period. When I protested that

he can get all these from the bank database since he already have the card details, he said he

wanted the customer to confirm it and proceeded to other questions like address. After few

questions, he came back and asked for the date of birth, when I really grew suspicious and hung up.

The call from the same number came repeatedly for the next few days and when threatened that I

am planning to report this incident to the bank as well as to the cyber crime police as I was not

convinced he is from the bank and also the bank keeps assuring the customers that they will never

ask for such details over phone or email, the caller hung up. That was the last I heard from that

caller.

Some observations are that the caller was very polite with a very good language pronunciation and

plants the vital questions such as Date of birth and expiry period carefully among other trivial

questions and comes back again and again to impress you about the genuineness of the call. The

caller also says that failing to have the personal details confirmed will deprive the card holder of

some of the new facilities being offered by the Bank.

Please be aware and stay enlightened of such bogus callers

Experiences shared by Kapaleeswaran, V (mail2kapali@gmail.com)

NEAR MISS

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 9

Sony is not the only company…."

Sony Is Not The Only Company With Subpar Data Security, New Survey Finds

Employees with excessive data access privileges represent a growing risk for organizations due to both accidental and malicious exposure of sensitive data. This is the conclusion of a new survey . . . 71 percent of employees report that they have access to data they should not see, and 54 percent say that this access is

frequent or very frequent. . . . there have been 708 data breaches in the U.S. so far this year, with more than 81 million records compromised. Are hackers becoming more numerous and sophisticated or are companies letting down their guard for the sake of increasing employee productivity and reducing what they spend on data protection? For more details read at: http://news360.com/digestarticle/4kFZq9-2zE-FT0u7kmzKFg

Spammers use timely, but malicious, emails to trick holiday shoppers

Scammers taking advantage of the holiday shopping frenzy are leveraging the Asprox botnet, notorious for furthering spam campaigns, to deliver malware to unsuspecting users. Emails made to look like order confirmations from major retailers, like Best Buy, Target, and Walmart, were used as bait, Malcovery Security revealed Wednesday. The campaign, observed spreading spam, delivered two versions of malware to victims: one sent via malicious email attachments, and another version spread through links to malicious websites, Refer: http://news360.com/digestarticle/TgnZO2tS8kmz6ZRGVOjUPQ

Stuxnet worm infected high-profile targets before hitting Iran nukes

The Stuxnet computer worm that attacked Iran's nuclear development program was first seeded to a handful of carefully selected targets before finally taking hold in uranium enrichment facilities, according to a book published . More details at: http://news360.com/digestarticle/yepe59_56k-4rSvt-vi4Fw

Did Russian Cyber attackers Raid Big US Banks?

The big banks are staying tight-lipped about it, but multiple sources say several major US financial firms were hit by hackers who made off with gigabytes of data earlier this month. The banks included JPMorgan Chase and at least four others, according to New York Times sources, who say the stolen data included checking and savings account information and the motivation of the attackers is still unclear. An FBI spokesman says the agency is working with the Secret Service to investigate the reported attacks, Reuters reports. A JPMorgan spokeswoman says "companies of our size unfortunately experience cyber attacks nearly every day" and the bank has "multiple layers of defense." Read more at: http://www.newser.com/story/193114/did-russian-cyberattackers-raid-big-us-banks.html

Cyber News across the world

eSecure

http://cysi.in Cyber Society of India ezine@cysi.in P a g e | 10

CySI Secretary Mr. Ramesh Bhashyam is in the news again!

'IT NEXT 100 Team' organized Next 100 winners for 2014 batch and identified few members from the previous award winners to do a presentation.

Mr. Ramesh Bhashyam, being one amongst the chosen few, delivered a presentation on the "Latest trends and technology".

While the presentation was well received, Mr. Ramesh was also awarded a Silver Coin, from Next 100 Team.

CySI is proud of his constant recognitions by the august body and also appreciates his persistent efforts of endearing himself with the current trends on the chosen topics.

Here is wishing him the Very Best!

Pictures are added to the articles of this ezine for effective reading/ understanding. Most of the pictures are taken from Internet. Our editorial board wishes to convey its thanks for the courtesy of whoever has taken strains to draw and uploaded the pictures.

This ezine and all the previous issues, as well, can be read from our web-site http://cysi.in/. The contents in this ezine are meant for sharing of knowledge and hence readers are requested to circulate this ezine in full or in part to anyone they like. Readers may acknowledge CySI while reproducing the articles or any part thereof. Readers are requested to send their feedback, articles, jokes, etc., to editor@cysi.in. Neither CySI nor the members of the Editorial Committee/ Board owns any responsibility for the views expressed by the authors in the articles. The views expressed are the concerned author’s individual views only. For any further clarification on any of the articles or stories in this eZine, kindly contact the author directly or email editor@cysi.in Editorial Board

CySI is proud!

CySI wishes everyone a Very Happy New Year!