Sunday, March 6, 2011

E-Discovery In India And Its Uses

By
Baljeet Singh

Electronic discovery serves many purposes. It can be used as an effective measure to prevent frauds by detecting suspicious activities in time. It can also be used to detect these frauds and crimes after their commission. Thus, e-discovery is both preventive and curative in nature.

E-discovery must be regulated by a legal framework to give it legitimacy. E-discovery law in India has still to be enacted. Although India has a cyber law in the form of the Information Technology Act 2000 (IT Act 2000), it is far from sufficient for cyber forensics and e-discovery purposes. Suitable legislation in this regard is urgently needed in India.

E-discovery is also relevant for law enforcement, lawyers and judiciary. Legal and judicial fraternity of India needs a temperament for scientific knowledge. This includes knowledge about cyber law, cyber forensics, digital evidencing and e-discovery.

E-discovery requirements for banks in India have also significantly increased due to the recent guidelines by the Reserve Bank of India that require banks in India to exercise cyber due diligence and adopt sound cyber security practices.

E-discovery can also supplement due diligence, incident response and periodic inspection of computers and other technology related systems. This helps in timely detection of frauds and other crimes.

We have a single techno legal e-courts training and consultancy centre of India. It is managed by Perry4Law Techno Legal Base (PTLB). It provides techno legal research, training and education in the fields like digital evidencing in India, e-discovery in India, e-courts training in India, judges training, etc.

Friday, March 4, 2011

Cyber Due Diligence Could Have Prevented Citibank Fraud

By
Praveen Dalal

The Gurgaon based Branch of Citibank was recently in controversy due to the fraud committed by one of its employees. Many depositors and high net worth individuals (HNIs) of Citibank were defrauded to the tune of Rs 460.91 crore in that fraud.

The modus operandi of the crime was very simple. The accused committed the fraud by mobilising funds to the tune of Rs 460.91 crore without authorisation from HNI customers and certain corporates for the purpose of investing in the stock market, assuring them high returns. The accused fabricated a circular of the Securities and Exchange Board of India (SEBI) to lure people into investing into accounts held by his accomplices.

However, Banks and Financial Institutions must also be conscious of these fraudulent possibilities and they must be well prepared to prevent and tackle the same. For instance, Banks and Financial Institutions must regularly engage in “Forensics Audit” and “Incident Response”. Presently, Banks and Financial Institutions engage in these “Essential Exercises” only when something fraudulent or wrong has already taken place.

Incident Response and Forensics Audits are an essential part of the overall “Due Diligence Strategy” of a Bank or Financial Institution. Recently, the Reserve Bank of India (RBI) executive director G Gopalakrishna said that all banks would have to create a position of Chief Information Officers (CIOs) as well as Steering Committees on Information Security at the Board Level at the earliest. This also means that Banks and Financial Institutions now have to engage in “Cyber Due Diligence” on a “Mandatory Basis”.

Similarly, Amendments have been proposed in the Banking Regulation Act 1949 (BRA 1949) by the Finance Ministry of India. Under the proposed Amendments, RBI would get more “Regulatory Powers” to regulate the affairs of Banks. RBI has also made it clear that it would consider issuing fresh licences for private banks only after getting more regulatory powers, including “Supersession” of bank Boards.

RBI must also constitute a “Core Working Group” consisting of Techno Legal Experts from all fields. This Group can analyse Frauds and Regulatory Aberrations committed by Banks and Financial Institutions or their employees.

The Banking Reforms in India are already in progress and these suggestions can also be a part of the same so that confidence and trust of Bank Customers and Investors is retained.

Banking Regulation Act Amendments Approved By Cabinet

By
Praveen Dalal

Finance Ministry of India and Reserve Bank of India (RBI) have been working in the direction of bringing many good Financial and Banking Sector Reforms in India. In this direction, RBI has already issued two good policy documents that would streamline use of Information Technology to enhance core banking practices in India.

The first document is a report of its Working Group on information security, electronic banking, technology risk management, and cyber frauds. In this report, the RBI mandated cyber due diligence for banks in India.

The second document is known as Information Technology Vision Document for 2011-17 (IT Vision 2011-17). The vision document makes many good recommendations, including that all banks in India would now have to create a position of CIOs as well as steering committees on information security. These requirements must be fulfilled at the highest level of Board of Directors.

Further, RBI has shown its willingness to allow big industrial houses to set up banks in India. However, it would not allow them to open the banks unless RBI gets the “Power to Supersede” Boards of banks that are not being run properly. RBI also wants the right to oversee the operations of the promoting company and any affiliates that will have business relationships with the bank. RBI has been suggesting bringing suitable Amendments in the Banking Regulation Act, 1949 (BRA 1949) in this regard.

Reacting immediately, the Cabinet approved the long-pending amendment to the BRA 1949. The proposed amendments align voting rights of shareholders in proportion to the equity held and provide more regulatory teeth to the RBI. These powers now include the power to supersede bank boards.

Finance Minister Pranab Mukherjee would bring the proposed amendments in the BRA 1949 in current session of Parliament (March 2011) to carry forward the proposals made by RBI in this regard. Mukherjee said RBI proposes to issue guidelines for new private bank licences by the end of March. RBI has also made it clear that it would consider issuing fresh licences for private banks only after getting more regulatory powers, including supersession of bank Boards.

These are the much needed Banking and Financial Sector Reforms that were long pending. By including the contemporary issues of Information and Communication Technology, RBI has also covered a wide area. Hopefully Parliament of India would approve the amendments as soon as possible.

Chief Information Officers (CIOs) Made Mandatory For All Banks In India

Reserve Bank of India (RBI) executive director G Gopalakrishna recently said that all banks would have to create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest. G Gopalakrishna further said the banks will have to implement the facility of "second factor verification" at merchant establishments and ATMs shortly.

The requirements are arising out of the two recently released documents by RBI. The first document is a report of its working group on information security, electronic banking, technology risk management, and cyber frauds. In this report, the RBI mandated cyber due diligence for banks in India.

The second document is known as information technology vision document for 2011-17 (IT Vision 2011-17). The vision document envisages that all banks in India now would have to create a position of CIOs as well as steering committees on information security. These requirements must be fulfilled at the highest level of board of directors. The vision document also requires that while following the above, legal aspects relating to the provisions of the Acts such as Payments and Settlement Act, 2007 and IT Act, 2000 may be strictly adhered to.

This requirement of a CIO/CTO arises because many small banks do not have a designated CTO and also do not have a clear framework on information sharing. RBI is interested in a gradual shift to an online system where it can access all the information from the main server of the bank once the RBI's IT Vision is implemented. Those banks having no CIO/CTOs and a steering committee are now required to have these requirements fulfilled as soon as possible.

The objectives of vision document are to ensure the use of information technology beyond core banking and into newer areas like management of information systems (MIS) and better regulatory reporting.

The vision document has been prepared by a high-level committee chaired by deputy governor K.C. Chakrabarty. The vision document also recognises the growing operational risks arising out of adopting technology in the banking sector like use of Internet banking, which could affect financial stability.

If the vision document is fully implemented, it will ensure that the RBI gets access to the servers of all banks, including foreign banks, so that it has access to all the banking transactions. Further, the vision document also emphasises the need for internal controls, risk mitigation systems, fraud detection/prevention and business continuity plans. These are good banking reforms and they must be implemented by banks in India as soon as possible.

Tuesday, March 1, 2011

Intelligence Infrastructure Of India Is in Big Mess

By
Praveen Dalal

Intelligence Gathering and its timely Analysis and Utilisation are the benchmark of any good and effective Intelligence Infrastructure. When the terrorists attacked Mumbai recently, lack of Intelligence Sharing proved fatal.

Although Intelligence Inputs were available, they were not shared and made available in a timely manner. In other words, although Intelligence Agencies did not fail, the Intelligence Infrastructure failed to act in a timely manner. This happened for the simple reason that we have good Intelligence Agencies but a very bad Intelligence Infrastructure.

Intelligence Infrastructure of India needs streamlining. There are numerous Intelligence Agencies operating in India. However, there is no “Centralised Command” for the same. This results in an anomaly as there is no single authority to whom all of them can report and share their intelligence and other inputs.

The worst part is that the acts and omissions of these Intelligence Agencies are not governed by any Legal Framework. Parliamentary Scrutiny of Intelligence Agencies in general and Intelligence Infrastructure in particular is absolutely missing.

The example of the former is lack of Legal Framework for Intelligence Agencies and Law Enforcement Agencies of India. The example of the latter is absence of Legal Framework for Projects like Crime and Criminal Tracking Network System (CCTNS), National Intelligence Grid (NATGRID), Central Monitoring System (CMS), Aadhar/UID Project, etc.

CCTNS links up all of India's Police Stations and NATGRID would connect 21 sets of available databases for instant analysis and results. The “Biometric Details” obtained by Aadhar Project would be added to this list.

In short, the Intelligence Agencies and Intelligence Infrastructure of India have no clear-cut direction, guidance and control. Time has come to create a good and effective “Intelligence Infrastructure” in India. We have already recommended that a “Centralised ICT Control System” (CICS) must be established by the Home Ministry of India under the guidance of Mr. P. Chidambaram.

If there are numerous Intelligence Agencies working for different Government Ministries/Departments, there is a possibility of “Lack of Coordination” and “Inadequate and Inappropriate Information Sharing”. Nothing can be more beneficial than a “Centralised ICT Control Centre” for the Indian National and Internal Security.

In fact, Mr. P. Chidambaram has already expressed his desire to establish a National Counter Terrorism Centre (NCTC) that would act as an “Umbrella Organisation” for all Intelligence Agencies. It may also be considered as a “Centralised ICT Control System” and the Home Minister must work really hard to establish NCTC as soon as possible.

Monday, February 21, 2011

India’s Premier Book On Cyber Forensics In India

Cyber Forensics is an important field that is gaining importance in India. However, Research Material on Cyber Forensics in India is very scarce. Further, Techno Legal Research Material on Cyber Forensics is even scarcer.

Keeping this in mind, the First Edition (September 2010) of Exclusive Techno Legal Book on Cyber Forensics in India has been published by Perry4Law/Perry4Law Techno Legal Base (PTLB) Publications. It is written by Praveen Dalal, the Leading Techno Legal Expert of India and Cyber Forensics Specialist of India.

Presently, the Book is available under “Limited Circulation Only” and that also after receiving a “Written Request” in this regard from the Head of the Department (HOD) of the “Selective” Governmental Department alone.

Central Ministers/HOD/Chief/Chairman of the following Governmental Institutions/Offices can request a “Copy” of the same on the “Official Letterhead” of their respective Institutions/Organisations/Offices:

(1) The Prime Minister’s Office (PMO),

(2) Parliament of India,

(3) Supreme Court of India,

(4) President of India,

(5) Home Ministry of India,

(6) Ministry of Law and Justice,

(7) Ministry of Science and Technology,

(8) Ministry of Communication and Information Technology,

(9) Ministry of Finance,

(10) Ministry of Personnel, Public Grievances and Pensions,

(11) Ministry of Parliamentary Affairs, and

(12) Delhi High Court, etc.

The “Availability” of the Book is on “First Come First Basis”. Further, there are “Limited Copies Only” and these would be provided at the “Absolute Discretion” of Author/Perry4Law/PTLB.

We reserve the right to provide or refuse to provide the Copy to any Person/Institution/Organisation/Governmental Department/International Organisation or Institution, etc.

The Cost of the Book would be Rs. 800, which may be waived if Author/Perry4Law/PTLB decide to do so.

Postal Charges would be charged extra.

Requests for the Copies of First Edition (September 2010) can be placed immediately as the Book is already written but we would start dispatching the same only after 31st April, 2011. Address for sending the “Requests” can be obtained by sending an e-mail to both pd37 at rediffmail dot com and perry4law at yahoo dot com.

Further, if we find that there is a “Scope for Improvements” in the same, we would intimate the Requester accordingly and provide the “Improved and Updated Copy” alone.

Public Version or Copies of the Book would be available after June 2011. All those interested in Public Version may “Contact Us” and send their requests in this regard through e-mail. Kindly do not remit any Cash, Cheque, DD, etc till we expressly ask you to do so.

Details Of The Book

The Book covers Nine Chapters in all. It includes the following Chapters:

(1) Introduction,

(2) Traditional Forensics Science v. Cyber Forensics,

(3) The Emerging Trends of Crimes and Criminals,

(4) Legal Framework for Cyber Forensics in India,

(5) Need of Cyber Forensics in India,

(6) Methods of Cyber Forensics,

(7) Jurisdictional Issues of Cyber Law and Cyber Forensics,

(8) Information Technology and Judicial Attitude, and

(9) Conclusions and Suggestions.

Publishers and Distributors, both National and International, may also contact us with their “Proposals”.

Any other comments, suggestions and views are most welcome.

Tuesday, February 8, 2011

Draft Electronic Delivery Of Services Bill 2011

By
Praveen Dalal

The Draft Electronic Delivery of Services Bill 2011 (EDS Bill 2011) is a recent legislative exercise by the Central Government of India. The EDS Bill 2011 intends to provide delivery of Government services to all citizens by electronic means by phasing out manual delivery of services delivered by the Government, including matters connected therewith or incidental thereto.

It applies to the whole of India and, save as provided in this Bill, it applies to any contravention or offence thereunder committed outside India by any person. The Bill, if passed, would become an applicable law in India the moment the Central Government notifies it in the Official Gazette.

The EDS Bill 2011 defines “Electronic Delivery of Services” as the delivery of public services in the form of receipt of forms and applications, issue or grant of any license, permit, certificate, sanction or approval and the receipt or payment of money by electronic means by following the procedure specified hereunder.

The EDS Bill 2011 provides that where any law provides for –

(a) the delivery of services in the form of receipt of forms, application or any other document by any office, authority, body or agency owned or controlled by the appropriate Government in a particular manner;

(b) the delivery of any licence, permit, sanction or approval by whatever name called in a particular manner;

(c) the receipt or payment of money in a particular manner,

then, notwithstanding anything contained in any other law for the time being in force, such requirement shall be deemed to have been satisfied if such delivery of services, receipt or payment, as the case may be, is effected by means of such electronic mode as may be prescribed by the appropriate Government.

Every office, authority, body or agency owned or controlled by the appropriate Government for electronic delivery of service shall within one hundred and eighty days from the enactment of this EDS Bill 2011 –

(a) identify the service or type of service;

(b) plan the manner and format of such service or type of service;

(c) provide a cut-off date, wherever possible, for rendering any such service or type of service;

(d) prescribe the manner or procedure which facilitates such service or type of service;

(e) devise processes and procedures to ensure adequate integrity, security and confidentiality of information or data thus collected, preserved and retained; and

(f) create appropriate framework which is necessary to give legal effect to such service or type of service.

The appropriate Government may, for above mentioned purposes, shall prescribe for all its agencies etc a framework for –

(a) computerisation of records,

(b) web presence or enablement;

(c) use of shared technology infrastructure; and

(d) electronic authentication.

Notwithstanding anything contained in any other law for the time being in force, subject to provisions of this Bill, all citizens shall have the right to electronic delivery of services. The appropriate Government for this purpose has to provide electronic delivery of services as per prescribed manner and format.

Central Commissioner and State Commissioners would be appointed to manage electronic delivery of services. The obligation and accountability to implement the provisions of this Bill rests with the appropriate Government. EDS Bill 2011 also provides punishment for various offences and contraventions.

This includes punishment for impersonation, unauthorised access, cyber contraventions, cyber crimes, etc. with imprisonment for a term which may extend to three years and with fine. The residuary penalty takes care of other contraventions and offences, which are punishable with imprisonment for a term which may extend to three years or with a fine which may extend to twenty-five thousand rupees or both. Offences by companies are also covered by the EDS Bill 2011.

The EDS Bill 2011 also applies to offences or contraventions committed outside India. Further, no officer below the rank of Inspector can investigate any contravention or offence under the EDS Bill 2011. The penalty imposed under the EDS Bill 2011 would be additional to any penalty imposable under any other law for the time being in force.

No court shall take cognisance of any offence punishable under the EDS Bill 2011, except upon a complaint made by the Central Commissioner or State Commissioner or any officer or person authorised by it. Further, no court inferior to that of a Chief Metropolitan Magistrate or a Chief Judicial Magistrate shall try any offence punishable under the EDS Bill 2011. The provisions of this Act shall have effect notwithstanding anything inconsistent therewith contained in any other law for the time being in force.

Every notification or rule made by the Central Government shall be laid, as soon as may be after it is made, before each House of Parliament, while it is in session, for a total period of thirty days which may be comprised in one session or in two or more successive sessions, and if, before the expiry of the session immediately following the session or the successive sessions aforesaid, both Houses agree in making any modification in the rule or both Houses agree that the rule should not be made, the rule shall thereafter have effect only in such modified form or be of no effect, as the case may be; so, however, that any such modification or annulment shall be without prejudice to the validity of anything previously done under that notification or rule.

The Central Commissioner also has power to make regulations under the EDS Bill 2011 subject to certain conditions. Even State governments are entitled to make rules under the EDS Bill 2011 subject to certain conditions.

Sunday, January 30, 2011

Internet Kill Switch Is A Misnomer

Of late lots of people are using the term “Internet Kill Switch”. But is it possible to kill Internet altogether or is it possible to completely turn off Internet in a big country that is highly dependent upon computers and Internet?

While Egypt has proved that a complete shut off of a national portion of Internet is possible, this does not mean that a single country, even United States of America, can shut off the entire Internet. So Internet kill switch seems to be a “Misnomer” to me. Nobody has a complete and centralised control over Internet at the International level.

If it is a simple case of restriction of access to certain sites, use of proxy server can circumvent the same. But when there is no Internet at all, proxies cannot work and online communication comes to a halt.

So how is a regional or national Internet segment shut off? The technical requirements to shut off a portion of Internet are not complicated at all. All the authority in control needs to do is to make a simple change to the instructions for the companies' networking equipment. The router configuration file is changed by this command and upon executing the command, the relevant portion of Internet is shut down.

But is it possible to shut down Internet absolutely even within a small area or country? I do not think so. We can cut off almost all International connectivity, but there are lots of ways to get out onto the Internet: satellite phones, obscure ISPs in Canada and Mexico, long-distance phone calls to Asia, says Bruce Schneier.

Even in Egypt people have turned to landline phones, fax machines and ham radio in order to communicate messages out of the country. Similarly, people can call a number to reach a modem available in another country which directs them with access to the outside world. In fact, satellite modems and phones are entering Egypt in order to bypass Government controlled telecommunication companies to connect with the United States or Europe.

Meanwhile, USA has decided to enact a law that empowers the President of America to use Internet kill switch. However, the bigger question remains whether USA can actually use this kill switch with thousands of internet service providers (ISPs). Egypt was able to shut down the internet because there were very few ISPs and they are closely regulated by the Government. The same is not possible for USA for commercial, technical, Constitutional and other reasons.

As a matter of fact, even if all the countries of the World decide to shut off the Internet, people would form their own Internet and communicate through the same. Instead of wasting resources upon initiatives like kill switch, countries must concentrate more upon securing critical infrastructure and sound cyber security and this applies to India as well.

Wednesday, November 24, 2010

India Is Blind Towards Cyber Law, Cyber Security And Cyber Forensics

Information Technology Act 2000 (IT Act 2000) of India deals with E-governance, E-commerce, Cyber Contraventions and Cyber Crimes. However, it is a poorly drafted law and badly implemented legislation. It is weak and ineffective in dealing with growing Cyber Crimes in India as it is the most “Soft and Cyber Criminal Friendly Legislation” of the World.

Indian Cyber Law is the exclusive cyber law that has made cyber crimes “Bailable”. This means that if a person commits the offence of Cracking, he must be released on bail as a “Matter of Right”.

Department of Information Technology (DIT) India is the main department that was responsible for the enactment of IT Act 2000. However, its upgradation and amendment is the responsibility of Ministry of Law. Law Minister Veerappa Moily has not played a proactive role in the use of Information Technology for Legal and Judicial purposes.

Whether it is E-courts, Online Dispute Resolution (ODR), Cyber Law or Cyber Forensics, Law Minister has not paid enough attention to incorporate the same in Legal and Judicial System of India.

Similarly, the Home Ministry of India is also responsible for some of the aspects of Legal System of India. For instance, Home Minister P. Chidambaram has not paid any attention towards Cyber Security and Cyber Forensics. The same is not only relevant for the Legal System of India but also for the National Security of India. Issues like Cyber War and Cyber Terrorism have also escaped the attention of the Home Minister.

Instead of improving the situation, DIT India, Law Ministry and Home Ministry are stressing too much upon E-surveillance and illegal snooping powers that have no “Procedural Safeguards and Guidelines” under the IT Act 2000.

With so many Government Departments responsible for various aspects of Cyber Law, Cyber Security and Cyber Forensics, India is heading nowhere. It would be better if a “Single Department” is entrusted with the responsibilities of Cyber Law, Cyber Security and Cyber Forensics so that India can have “Guided and Committed” actions in these crucial directions.

Sunday, July 11, 2010

Reverse Engineer Malware Through REMnux

Dennis Fisher has written a story on a tool known as REMnux. According to the story, malware reverse engineering expert Lenny Zeltser has released a stripped-down Ubuntu distribution in the form of REMnux so that malware can be analysed through reverse engineering. The tool carries many popular malware-analysis, network monitoring and memory forensics tools for analysing the malware and reaching the malicious code.

The traditional approach of malware analysis is limited in nature and unless we engage in memory analysis many crucial details would go unreported. It is claimed that REMnux is designed to remove this limitation. It can be booted via several VMware products, or through X-Windows.

REMnux has three separate tools for analysing Flash-specific malware, including SWFtools, Flasm and Flare, as well as several applications for analysing malicious PDFs, including Didier Stevens' analysis tools.

REMnux also has a number of tools for de-obfuscating JavaScript, including Rhino debugger, a version of Firefox with NoScript, JavaScript Deobfuscator and Firebug installed, and Windows Script Decoder.

In addition to the JavaScript and Adobe analysis tools, Zeltser also included a small Web server, an IRC server and a pseudo-DNS server. He also included Honeyd, the virtual honeypot server. There is also a customised shellcode analyser that will take malicious shellcode, create a Windows executable from it and then run it so you can observe its behavior.

In short, REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. It is also useful for analysing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analysing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics.

At the moment, REMnux is only available as a virtual machine. Nothing is better than converting it into an ISO image of a Live CD/DVD. We will wait for its ISO version.