Newsletter
IT and Cyber Security News Update from Centre for Research and Prevention of Computer Crimes,
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005
January 14, 2015, Issue no 1530
Tenth year of uninterrupted publication
Today's edition
PUNISHED : 6 banks, telecom firm to pay for credit card frauds
NET NEUTRALITY : Internet an instrument for masses, so net neutrality is key: Ravi Shankar Prasad
LAW : Obama pushes cybercrime law
HACKED : US Centcom Twitter account hacked by pro-IS group
PUNISHED : 6 banks, telecom firm to pay for credit card frauds
TNN, Mayur Shetty, Jan 14, 2015
MUMBAI:
In a landmark judgment on online banking frauds, six banks, a telecom giant and
a card company have been asked to pay out Rs 1.06 crore compensation to customers who have been victims of
various online frauds in the past two years. In most of the cases, customers
had lost money to fraudsters but banks had held customers responsible for their
accounts being compromised.
The order for compensation was issued by the state government's equivalent of a cyber crime court, which is presided over by the principal secretary in charge of information technology. The principal secretary, Rakesh Aggarwal, functions as adjudicating officer under Section 46 of the IT Act 2000. The banks that have been ordered to pay compensation include Central Bank of India, Royal Bank of Scotland, Punjab National Bank, IndusInd Bank, Yes Bank and State Bank of India. The other institutions directed to pay are Vodafone and SBI Cards.
The order is significant as this is the first time that any authority has said that an individual's liability in respect of online frauds should be capped. The Banking Codes and Standards Board of India (BCSBI) had suggested early last year that the onus of establishing liability in the event of online fraud should rest with the banks. Until now, banks have disclaimed responsibility whenever a customer's credentials were compromised, holding the customer fully liable even when the fraud began with a takeover of his email account or mobile number.
Advocate Prashant Mali, who specializes in IT cases and has
appeared for the complainant, said "Banks should ideally pay off the
aggrieved consumer instead of making him run pillar to post and then spend
money in courts and costly appeals. This way less harassment would be caused to
consumers and confident online banking customers will evolve."
The largest order has been against SBI, which has been directed to pay Rs 40 lakh to Chander Kalani, whose funds were transferred to an account in London on the basis of an email. The fraudster had hacked into Kalani's email and instructed the bank to transfer funds.
In his order directing SBI to pay a compensation of Rs 40 lakh, Aggarwal observed
that "the Banking Codes and Standard Board of India (BCSBI)
unit has issued a Code of Bank's Commitment wherein customers of such fraud
will be liable to the extent of Rs 10,000 only and
the bank has to make good the rest of the amount. But acceptance of this code
by banks is not visible."
In another case, the account of Prabhakar Sadekar, a businessman, with Punjab National Bank was hacked and funds transferred to accounts in IndusInd Bank and Yes Bank. Sadekar did not receive the SMS alerts for these transfers because a duplicate SIM had been issued against his mobile number, so the alerts went to the duplicate SIM rather than to him. In this case Aggarwal held that the banks had not followed RBI guidelines on money mule accounts and on information technology. Vodafone was asked to pay compensation of Rs 20 lakh for not following reasonable security practices and procedures and the established guidelines before issuing the duplicate SIM card. PNB, IndusInd and Yes Bank have been asked to pay Rs 20 lakh, Rs 5 lakh and Rs 3 lakh respectively.
In another case, a company, Raatronics, was defrauded of funds in its account at Central Bank after the mobile number registered against the account was changed in the bank's online database; Central Bank and Royal Bank of Scotland were asked to pay Rs 8 lakh each for lack of due diligence. The adjudicating officer also ordered compensation of Rs 1.3 lakh and Rs 1.4 lakh for frauds committed upon users of SBI Credit Card and SBI's International Debit Card.
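The cases above share a pattern: the control the bank relied on (an SMS alert or a customer instruction) was itself under the fraudster's control, because a duplicate SIM had been issued, the registered mobile number had been changed, or the instruction came from a compromised mailbox. The Python below is an added example for this newsletter, not code from any of the banks, from the regulator or from the adjudication order. It generalises the three cases into one bank-side risk rule that holds a transfer for out-of-band confirmation when a mobile-channel change precedes it, when the instruction arrived by e-mail, or when a high-value payment goes to a payee never paid before. The 72-hour lookback, the Rs 1 lakh threshold and every event record are constructed assumptions.

```python
"""Bank-side risk rule for transfers that SMS alerts alone would not catch.

Added example for the newsletter; not code from any bank, regulator or the
adjudication order. Three indicators are modelled from the reported cases:
  1. a SIM re-issue or registered-mobile change shortly before a transfer
     (SMS alerts and OTPs now reach the fraudster's handset, not the customer);
  2. a transfer instruction that arrived by e-mail rather than through an
     authenticated channel (the compromised-mailbox case);
  3. a high-value payment to a payee the customer has never paid before
     (a freshly opened mule account).
Thresholds, the 72-hour lookback and every event below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    customer: str
    kind: str                    # "sim_change", "mobile_update" or "transfer"
    amount: int = 0              # INR, transfers only
    payee: str = ""              # transfers only
    channel: str = "netbanking"  # how the instruction arrived: "netbanking" or "email"


@dataclass
class CustomerState:
    last_channel_change: Optional[datetime] = None
    known_payees: Set[str] = field(default_factory=set)


CHANNEL_CHANGE_KINDS = {"sim_change", "mobile_update"}
LOOKBACK = timedelta(hours=72)   # assumed: how long a mobile change taints SMS alerts
HIGH_VALUE = 1_00_000            # assumed: INR 1 lakh


def assess(events: Iterable[Event]) -> List[Tuple[Event, List[str]]]:
    """Return each transfer that should be held for out-of-band confirmation,
    with the reasons, in time order. Events are processed chronologically, so a
    payee only counts as 'known' once an earlier, unflagged payment went to it."""
    state: Dict[str, CustomerState] = {}
    held: List[Tuple[Event, List[str]]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        st = state.setdefault(ev.customer, CustomerState())
        if ev.kind in CHANNEL_CHANGE_KINDS:
            st.last_channel_change = ev.ts
            continue
        if ev.kind != "transfer":
            continue
        reasons: List[str] = []
        if st.last_channel_change is not None and ev.ts - st.last_channel_change <= LOOKBACK:
            age = ev.ts - st.last_channel_change
            reasons.append(f"registered mobile/SIM changed {age} before transfer; SMS alerts not trustworthy")
        if ev.channel == "email":
            reasons.append("instruction received by e-mail; needs call-back on a previously registered contact")
        if ev.payee not in st.known_payees and ev.amount >= HIGH_VALUE:
            reasons.append("high-value payment to a never-before-paid payee")
        if reasons:
            held.append((ev, reasons))
        else:
            st.known_payees.add(ev.payee)  # only unflagged payments establish a payee
    return held


# Constructed sample events (not real account data).
T0 = datetime(2015, 1, 10, 9, 0)
SAMPLE_EVENTS = [
    # Customer A: duplicate SIM issued, then two transfers to new payees (pattern of the PNB case)
    Event(T0, "A", "sim_change"),
    Event(T0 + timedelta(hours=5), "A", "transfer", amount=20_00_000, payee="INDUSIND-4471"),
    Event(T0 + timedelta(hours=6), "A", "transfer", amount=3_00_000, payee="YES-0928"),
    # Customer B: high-value transfer abroad instructed from the customer's mailbox (pattern of the SBI case)
    Event(T0 + timedelta(days=1), "B", "transfer", amount=40_00_000, payee="GB-LON-7712", channel="email"),
    # Customer C: a recurring payment to a payee paid a month earlier; must not be held
    Event(T0 - timedelta(days=30), "C", "transfer", amount=50_000, payee="LANDLORD"),
    Event(T0, "C", "transfer", amount=50_000, payee="LANDLORD"),
    # Customer D: small first payment, no mobile change; below threshold, must not be held
    Event(T0, "D", "transfer", amount=2_000, payee="GROCER"),
    # Customer E: mobile number updated, but the transfer comes 4 days later, outside the lookback
    Event(T0, "E", "mobile_update"),
    Event(T0 + timedelta(days=4), "E", "transfer", amount=50_000, payee="SUPPLIER"),
]

if __name__ == "__main__":
    for ev, reasons in assess(SAMPLE_EVENTS):
        print(f"HOLD {ev.customer} Rs {ev.amount:,} -> {ev.payee}")
        for r in reasons:
            print("   ", r)
```

The point of holding rather than merely alerting is that an SMS alert to a number the fraudster now controls is not a control at all; confirmation has to go over a channel established before the change, such as a call-back to a landline on file or a branch visit.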
NET NEUTRALITY : Internet an instrument for masses, so net neutrality is key: Ravi Shankar Prasad
The principle of net neutrality implies that service providers will treat all data on the Internet equally and not impose differential pricing.
ET Bureau, 14 Jan, 2015
NEW DELHI: The government is in favour
of maintaining net neutrality as the Internet is an instrument for the masses
and must remain so, Telecom Minister Ravi Shankar Prasad has said, marking the
first time the Centre has adopted a public stand on the subject.
"The Internet must promote local
along with the global. For India, net neutrality is very important,"
Prasad, also the IT minister, said at a meeting with US Under-Secretary of
State Catherine Novelli.
The principle of net neutrality
implies that service providers will treat all data on the Internet equally and
not impose differential pricing or discriminate among users, content sites,
apps and platforms.
"As far as government
architecture to deal with this issue is concerned, India is studying this and
discussing it with stakeholders," Prasad added. The minister's comments
came as the Telecom Regulatory Authority of India (Trai)
is set to begin working on the issue. Trai Chairman Rahul Khullar had told ET that
the sectoral watchdog would issue a consultation
paper on the subject by the third week of January.
US Official Reaffirms Firm Stand
Late December, Bharti
Airtel, India's largest telecom operator, faced a
backlash on social media after it became the first telecom operator globally to
introduce higher charges for making voice calls over the Internet, thus
breaching net neutrality.
The firm withdrew the plan in less
than a week, saying it would wait for Trai's
consultation process. "Net neutrality is an area on which the US federal
government has taken a firm stand that we do not want any compromises," Novelli told Prasad. The US communications regulator
postponed its decision on the matter with President Barack Obama openly backing
net neutrality and suggesting that the Internet be treated like a utility.
The Federal Communications Commission (FCC) is expected to come up with its recommendations on the matter this year. The two also called for more cooperation between the countries on cyber security.
Prasad also discussed the government's
Digital India vision and its Make in India push with
the US leader. "Electronic manufacturing is an area that this government
is promoting in a big way," Prasad said, assuring Novelli
of equal and fair treatment to all US companies investing in India.
Novelli, on her part,
said that while companies from the US are excited to promote manufacturing in
India, "the constraints of global supply chain must also be understood
while promoting Make in India". "If they manufacture in India, they
not only sell their products in India but also export it to the rest of the
world and avail incentives," Novelli said.
LAW : Obama pushes cybercrime law
By David Perera
January 13, 2015
http://www.politico.com/story/2015/01/obama-cybersecurity-crime-proposal-114211.html
President Barack Obama will
unveil another cybersecurity legislative package
Tuesday, proposing limited liability protection for companies that share cyberthreat information and new powers to tackle
cybercrime, according to the White House.
The law enforcement proposal will contain provisions broadening prosecutors' powers against cybercrime, for example by criminalizing the overseas sale of stolen U.S. financial information. It would also allow for the prosecution of the sale or rental of botnets, and would allow courts to shut down botnets engaged in criminal activity such as distributed denial of service attacks.
It would also expand federal
law enforcement authority to deter the sale of spyware, according to a White
House fact sheet.
The proposal would update the Racketeer Influenced and Corrupt Organizations (RICO) Act to apply to cybercrime, while also reforming the Computer Fraud and Abuse Act to ensure that insignificant conduct does not fall within the scope of the statute.
The CFAA's broad language has been the subject of heavy criticism by observers, who cite a litany of prosecutions underpinned by the statute's prohibition of vaguely defined actions such as "exceeding authorized access".
The information sharing
proposal is meant to encourage private sector entities to share cyber threat
data with the NCCIC, the cybersecurity
operations center Obama will tour on Tuesday afternoon.
It also is designed to allay
privacy concerns that stalled similar legislation last Congress.
Under the proposal, DHS and
the Attorney General would develop guidelines for the receipt, retention, use
and disclosure of cyber threat data within the federal government. Those
guidelines would be developed in consultation with the Privacy and Civil
Liberties Oversight Board.
When sharing cybersecurity threat data, companies would gain "targeted liability protection", a phrase White House officials used during an industry association briefing on Friday about the administration's plans, recounted an individual who attended the meeting. What exactly that means is uncertain, however. "I would like to know that, too," he said.
The package, adding to yesterday's call for a national data breach notification law, will be rolled out just after 3 p.m., when the president visits the DHS 24-hour cyber watch center, known as the National Cybersecurity and Communications Integration Center, according to the fact sheet.
The administration believes
that public fears about hackers and cybercrime, in the wake of the devastating cyberattack on Sony, can build momentum for reforms stalled
out in Congress over fears about privacy implications and through partisan
deadlock.
"Talk about striking while the iron is hot," said a former White House official, who noted that the White House likes to use the run-up to the State of the Union address to unveil policy initiatives for the coming year.
A financial services cybersecurity advocate said liability protection is a
necessary element of any information sharing legislation, since fear of exposure
to lawsuits stemming from frank disclosure of cyber threats is a main stumbling
block to information sharing, one that can only be solved through legislation.
Under the administration proposal, NCCIC would share data it receives in close to real time with other federal agencies, and with new private-sector information sharing organizations. Those organizations would comply with privacy safeguards, the administration says.
The administration uses the term "information sharing and analysis organization", rather than "information sharing and analysis center", to describe information sharing entities. The difference, though small, is significant.
ISACs are federally recognized organizations for cyber-threat information sharing, typically organized around industrial verticals. They've been in existence since the late 1990s, but they've come in for criticism from some who see them as too oriented around officialdom in Washington, D.C.
"ISACs often are more about what the federal government wants, rather than what industry needs," said Chris Blask, head of the Industrial Control System ISAC.
Another criticism is that the organizing principle of ISACs, specific industrial sectors, is outliving its usefulness. "Large banks and large manufacturers have probably more in common with each other than they do with small companies in the same field," said Larry Clinton, president of the Internet Security Alliance, a trade group. "It's a really good idea to re-examine the architecture of how these organizations are run," he added.
One possible reorganization or rethink of U.S. information security architecture that's under discussion in cybersecurity policy circles might address both criticisms: the development of regionally based information sharing organizations. Proponents say a regional approach would also provide more opportunities for small and medium businesses to participate in information sharing.
Obama signed into law on Dec. 18 a bill (S. 2519) that formally authorizes the DHS 24 hour/7 day a week cybersecurity operations center he will tour, and designates it as the federal civilian interface for sharing cybersecurity data with entities, both federal and non-federal.
The NCCIC,
pronounced en-kick, is located in the Ballston neighborhood of suburban
Arlington. Staff there monitor the status of federal networks and analyze
threats. In a high-end setting of multi-screen computers, dimmed lighting and
sit-stand desks, staff can communicate with outside partners, including in the
private sector.
Also see -
http://www.hollywoodreporter.com/news/white-house-unveils-proposal-cybersecurity-763269
http://thehill.com/homenews/administration/229299-obama-to-business-share-data-for-cyber-protection
HACKED : US Centcom Twitter account hacked by pro-IS group
BBC, 12 January 2015
The Twitter and YouTube accounts of the US military command were suspended for a few hours after being hacked by a group claiming to back Islamic State.
One message on Centcom's Twitter feed said: "American soldiers, we are coming, watch your back."
It was signed by Isis, another name for the Islamic State. Some internal military documents also appeared on the Centcom Twitter feed.
Centcom said it was "cyber-vandalism" and not a serious data breach.
In a statement, it said there was no operational impact and no classified information was posted.
"We are viewing this purely as a case of cyber-vandalism," it said. Later on Monday, its Twitter feed became visible again, although not active.
Embarrassingly, the hack happened as President Barack Obama was giving a speech on cyber-security.
Reflecting on major breaches like a recent hack of Sony Pictures, Mr Obama said in his speech the US had been reminded of "enormous vulnerabilities for us as a nation and for our economy".
His spokesman Josh Earnest said the US is looking into the Centcom hacking.
He said they were investigating the extent of the incident, and that there was a significant difference between a large data breach and the hacking of a Twitter account.
Analysis
- Jonathan Marcus, BBC defence correspondent
This is an irritating hack rather than a matter of major security concern, but it will inevitably lead to a review to see if there are any more fundamental vulnerabilities in the US military's public-facing web and Twitter accounts.
The material posted on the site represents an amateurish and unconvincing attempt to publicise "secrets". Most of the information is hardly secret at all - the postal address at the Pentagon of the Chairman of the US Joint Chiefs of Staff, General Martin Dempsey.
A variety of maps and diagrams were also posted by the hackers. Two appeared to be slides from a presentation at the Lincoln Laboratory - a government-funded think-tank at the Massachusetts Institute of Technology.
They showed maritime defences on the Chinese coast, but not in any great detail. There were also simple maps of North Korea showing population centres, nuclear installations and missile sites.
You can find maps showing the same things on the websites of many US think-tanks.
An unnamed Pentagon official told Reuters the hacking was an embarrassment but did not appear to be a security threat.
And Professor Alan Woodward, from the University of Surrey, said he did not consider the attack to be a major breach of security.
"I wouldn't say it's trivial, but it's just a slip," he told the BBC.
"Twitter accounts are usually looked after by an individual in an organisation - it's very easy to give away that password.
"In terms of if this is a hack into something secret, or sensitive - no, it's not. An individual has made a slight mistake."
Domain
While the term "domain" is often used synonymously with "domain name", it also has a definition specific to local networks.
A domain is a group of computers that are administered under a common set of rules and that authenticate users against a central server, the domain controller. For example, a company may require all its computers to be joined to the same domain so that each user logs on with one account, each computer can be located from the central server, and policy (password rules, which shared folders a given account may reach) is applied from one place rather than machine by machine. A domain is an authentication and administration boundary, not a network perimeter: joining computers to a domain does not by itself stop outside traffic from reaching them. That protection comes from firewalls and network segmentation, which are deployed alongside the domain.
While domains can be set up using a variety of networking software, including products from Novell and Oracle, Windows users are most likely familiar with Windows domains (NT domains and, since Windows 2000, Active Directory). Joining a domain is built into the business editions of Windows; creating one requires a Windows Server configured as a domain controller. Unlike a workgroup, a domain always requires the user to authenticate with domain credentials. Once logged on, a user may view other computers within the domain and browse the shared files and folders on those systems that his account has been permitted to read.
Windows XP users can browse the network by selecting the "My Network Places" option on the left side of an open window. The Network Setup Wizard in XP creates or joins a workgroup, not a domain; joining a domain is done from System Properties > Computer Name and is not available in XP Home Edition. Mac users using Mac OS X 10.2 or later can also connect to a Windows network by clicking the "Network" icon on the left side of an open window. This will allow you to browse local Macintosh and Windows networks using the SMB protocol.
Justice and power must be
brought together, so that whatever is just may be powerful, and whatever is
powerful may be just.
Blaise Pascal