the hacking saga
A hacker is a person who breaks into computers and computer networks for profit, in protest, or because they are motivated by the challenge.The subculture that has evolved around hackers is often referred to as the computer underground but it is now an open community.
this is how wiki defines a hacker.
It is common among hackers to use aliases for the purpose of concealing identity, rather than revealing their real names.White hatA white hat hacker breaks security for non-malicious reasons, for instance testing their own security system. This classification also includes individuals who perform penetration tests and vulnerability assessments within a contractual agreement. Often, this type of ‘white hat’ hacker is called an ethical hacker. The International Council of Electronic Commerce Consultants, also known as the EC-Council has developed certifications, courseware, classes, and online training covering the diverse arena of Ethical Hacking.Black hatA Black Hat Hacker is a hacker who “violates computer security for little reason beyond maliciousness or for personal gain”(Moore,2005). Black Hat Hackers are “the epitome of all that the public fears in a computer criminal”(Moore,2006). Black Hat Hackers break into secure networks to destroy data or make the network unusable for those who are authorized to use the network.Grey hatA grey hat hacker is a combination of a Black Hat and a White Hat Hacker. A Grey Hat Hacker may surf the internet and hack into a computer system for the sole purpose of notifying the administrator that their system has been hacked, for example. Then they may offer to repair their system for a small fee.Blue hatA blue hat hacker is someone outside computer security consulting firms who is used to bug test a system prior to its launch, looking for exploits so they can be closed. Microsoft also uses the term BlueHat to represent a series of security briefing events.
A security exploit is a prepared application that takes advantage of a known weakness. Common examples of security exploits are SQL injection, Cross Site Scripting and Cross Site Request Forgery which abuse security holes that may result from substandard programming practice. Other exploits would be able to be used through FTP, HTTP, PHP, SSH, Telnet and some web-pages. These are very common in website/domain hacking.
- Vulnerability scanner
A vulnerability scanner is a tool used to quickly check computers on a network for known weaknesses. Hackers also commonly use port scanners. These check to see which ports on a specified computer are “open” or available to access the computer, and sometimes will detect what program or service is listening on that port, and its version number. (Note that firewalls defend computers from intruders by limiting access to ports/machines both inbound and outbound, but can still be circumvented.)Password cracking Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password.Packet snifferA packet sniffer is an application that captures data packets, which can be used to capture passwords and other data in transit over the network.Spoofing attack (Phishing)A spoofing attack involves one program, system, or website successfully masquerading as another by falsifying data and thereby being treated as a trusted system by a user or another program. The purpose of this is usually to fool programs, systems, or users into revealing confidential information, such as user names and passwords, to the attacker.RootkitA rootkit is designed to conceal the compromise of a computer’s security, and can represent any of a set of programs which work to subvert control of an operating system from its legitimate operators. Usually, a rootkit will obscure its installation and attempt to prevent its removal through a subversion of standard system security. Rootkits may include replacements for system binaries so that it becomes impossible for the legitimate user to detect the presence of the intruder on the system by looking at process tables.Social engineering Social engineering When a Hacker, typically a black hat, is in the second stage of the targeting process, he or she will typically use some social engineering tactics to get enough information to access the network. A common practice for hackers who use this technique, is to contact the system administrator and play the role of a user who cannot get access to his or her system. Hackers who use this technique have to be quite savvy and choose the words they use carefully, in order to trick the system administrator into giving them information. In some cases only an employed help desk user will answer the phone and they are generally easy to trick. Another typical hacker approach is for the hacker to act like a very angry supervisor and when the his/her authority is questioned they will threaten the help desk user with their job. Social Engineering is so effective because users are the most vulnerable part of an organization. All the security devices and programs in the world won’t keep an organization safe if an employee gives away a password. Black Hat Hackers take advantage of this fact. Social Engineering can also be broken down into four sub-groups. These are intimidation, helpfulness, technical, and name-dropping.
Intimidation As stated above, with the angry supervisor, the hacker attacks the person who answers the phone with threats to their job. Many people at this point will accept that the hacker is a supervisor and give them the needed information.
Helpfulness Opposite to intimidation, helpfulness is taking advantage of a person natural instinct to help someone with a problem. The hacker will not get angry instead act very distressed and concerned. The help desk is the most vulnerable to this type of Social Engineering, because they generally have the authority to change or reset passwords which is exactly what the hacker needs.
Name-Dropping Simply put the hacker uses the names of advanced users as “key words”, and gets the person who answers the phone to believe that they are part of the company because of this. Some information, like web page ownership, can be obtained easily on the web. Other information such as president and vice president names might have to be obtained via dumpster diving.
Technical Using technology to get information is also a great way to get it. A hacker can send a fax or an email to a legitimate user in hopes to get a response containing vital information. Many times the hacker will act like he/she is involved with law enforcement and needs certain data for record keeping purposes or investigations.
- Trojan horses
- A Trojan horse is a program which seems to be doing one thing, but is actually doing another. A trojan horse can be used to set up aback door in a computer system such that the intruder can gain access later. (The name refers to the horse from the Trojan War, with conceptually similar function of deceiving defenders into bringing an intruder inside.)
- A virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. Therefore, a computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells.
While some are harmless or mere hoaxes most computer viruses are considered malicious.WormsLike a virus, a worm is also a self-replicating program. A worm differs from a virus in that it propagates through computer networks without user intervention. Unlike a virus, it does not need to attach itself to an existing program. Many people conflate the terms “virus” and “worm”, using them both to describe any self-propagating program.Key loggers
- A key logger is a tool designed to record (‘log’) every keystroke on an affected machine for later retrieval. Its purpose is usually to allow the user of this tool to gain access to confidential information typed on the affected machine, such as a user’s password or other private data. Some key loggers uses virus-, trojan-, and rootkit-like methods to remain active and hidden. However, some key loggers are used in legitimate ways and sometimes to even enhance computer security. As an example, a business might have a key logger on a computer used at a point of sale and data collected by the key logger could be used for catching employee fraud.
Notable security hackers
- Isuru Dhanangith (also known as Emmanuel Goldstein) is the long standing publisher of 2600: The Hacker Quarterly. He is also the founder of the H.O.P.E. conferences. He has been part of the hacker community since the late ’70s.
- Kevin Mitnick is a computer security consultant and author, formerly the most wanted computer criminal in United States history.
- Eric Corley (also known as Emmanuel Goldstein) is the long standing publisher of 2600: The Hacker Quarterly. He is also the founder of the H.O.P.E. conferences. He has been part of the hacker community since the late ’70s.
- Gordon Lyon, known by the handle Fyodor, authored the Nmap Security Scanner as well as many network security books and web sites. He is a founding member of the Honeynet Project and Vice President of Computer Professionals for Social Responsibility.
- Solar Designer is the pseudonym of the founder of the Openwall Project.
- Michał Zalewski (lcamtuf) is a prominent security researcher.
- Gary McKinnon is a British hacker facing extradition to the United States to face charges of perpetrating what has been described as the “biggest military computer hack of all time”.
The most notable hacker-oriented magazine publications are Phrack, Hakin9 and 2600: The Hacker Quarterly. While the information contained in hacker magazines and ezines was often outdated, they improved the reputations of those who contributed by documenting their successes.Hackers in fiction
Hackers often show an interest in fictional cyberpunk and cyberculture literature and movies. Absorption of fictional pseudonyms, symbols, values, and metaphors from these fictional works is very common.
Books portraying hackers:
- The cyberpunk novels of William Gibson — especially the Sprawl Trilogy — are very popular with hackers.
- Merlin, the protagonist of the second series in The Chronicles of Amber by Roger Zelazny is a young immmortal hacker-mage prince who has the ability to traverse shadow dimensions.
- Hackers (short stories)
- Snow Crash
- Helba from the .hack manga and anime series.
- Little Brother by Cory Doctorow
- Rice Tea by Julien McArdle
- Lisbeth Salander in The Girl with the Dragon Tattoo by Stieg Larsson
Films also portray hackers:
Security Through Penetration Testing: Internet Penetration
he overall methodology for penetration testing can be broken into a three-step process: network enumeration, vulnerability analysis, and exploitation. That means discovering as much as possible about the target, identifying all potential avenues of attack, and attempting to compromise the network by leveraging the results of the vulnerability analysis and following as many avenues identified as time allows. Throughout the discussion of this process, there are references to the tools found most useful for accomplishing these tasks.
This chapter begins our discussion of the general process for performing penetration testing that we have developed during our experience. While the procedures discussed are not set in stone and we never cease to examine and refine our own techniques, we would like to stress that the approach laid out is both an efficient means of compromising a network and an effective means of evaluating the security posture of that network.
That is not to say it is the only means of examining the security posture of a network. Other security professionals have different and valid testing techniques. This process is one that has proven to be effective.
Having a defined, organized methodology provides for an efficient penetration test with a consistent level of detail. Professional consultants hired to perform penetration testing attempt to compromise the target network during a given time period, often a matter of weeks or even days. This is substantially different than hackers who can spend as much time as they want in attempting to gain root access to a network. Therefore, we need a well-defined methodology that allows us to systematically check for known vulnerabilities and pursue potential security holes in the time allotted. In addition, following a single methodology helps ensure a consistent level of reliability in results across multiple engagements.
The overall methodology for penetration testing can be broken into a three-step process.
- Network enumeration: Discover as much as possible about the target.
- Vulnerability analysis: Identify all potential avenues of attack.
- Exploitation: Attempt to compromise the network by leveraging the results of the vulnerability analysis and following as many avenues identified as time allows.
Throughout our discussion of this process, we reference the tools we have found most useful for accomplishing these tasks.
5.1 Network Enumeration/Discovery
Before we can gain unauthorized access to a network, we have to know the topology of the network. Every piece of information we can obtain about the target network adds a piece to the puzzle. We specifically scan the target network to obtain a list of live hosts, as well as to begin mapping the target to get a sense of its architecture and the kind of traffic (for example, TCP, UDP, IPX) that is allowed. The goal of discovery is to start with no information and gather as much data as possible about the target network and systems. We then use this information to identify potential exploits.
The process of discovering this information is called network enumeration and is the first step to an external penetration test. This step is performed largely over the Internet using readily available software and publicly accessible repositories of information. Most of the information we obtain in this step is freely available and legal to obtain. However, many companies monitor who tries to get this information since it may indicate a prelude to an attack.
5.1.1 Whois Query
Even before we begin the network scanning, we must determine the domain names and IP address ranges that belong to the target organization. To simulate the scenario of an external hacker, no prior information about the target organization should be provided to the consultant to best determine the amount of information a hacker could obtain. However, before moving to the second step of the process, all identified domain names and IP addresses should be verified with the target organization to ensure they are owned by the organization and are part of the scope of the exercise.
To determine the IP address ranges associated with the client, we perform an Internet whois query. The command can be run natively on most UNIX environments (check man whois for usage and version-specific syntax). For the Windows environment, Ws PingPro Pack and Sam Spade are two tools that can be used to perform whois queries. (These tools are discussed in Chapter 12.)
Whois queries can also be made over the Web from http://www.arin.net andhttp://www.networksolutions.com. Figure 5–1 shows the whois query from the Network Solutions site (without the domain servers) for the domain klevinsky.com.
Figure 5–1 Whois query for klevinsky.com
A whois query provides the administrative contact, billing contact, and address of the target network. The administrative and billing contact information can be useful for performing social engineering attacks on the employees of the target network (see Chapter 8).
The whois query provides IP address ranges that are associated with the name you enter. Some ranges may be returned that belong to a separate organization with a similar name. For example, the partial results of a whois query on company reveal registered IP addresses for a collection of firms whose names include the word company but may not be the target organization.
Of the multiple IP ranges that do belong to the client, a portion may belong to different divisions of the client’s organization and lie outside the scope of the engagement. The targets for the engagement should be verified when this information is found.
Whois queries return only the first 50 items that match the query. This is implemented by Internic to limit the search time. As the listings of Internet domains grow, the task of searching all listings and returning all possible matches becomes more computationally intensive.
If the target company has more than 50 listings that interest you, you may have to engage in some creative searching. One idea is to break up the names of the company or search for plurals or modified company names. Find the names of subsidiary organizations (press releases on the target company’s Web site are a good place to look) and search for those names as well.
5.1.2 Zone Transfer
A whois query also returns the list of domain name servers that provide the target network’s host name and IP address mapping. (This information, along with the contact information, is found by clicking on the Net Block name associated with the listing.) To obtain the network IP listing, we want to attempt a zone transfer against each system identified as a DNS server. A zone transfer requests the complete list of matched IP addresses and host names stored within a DNS for a specified domain.
A zone transfer can be performed with the nslookup command that is supported by both the UNIX and Windows platforms. Sam Spade, Ws PingPro Pack, and NetScan Tools on the Windows operating system all provide a graphical user interface (GUI) for performing a zone transfer. In order to perform a zone transfer, we have to use a DNS server that is authoritative for the domain of interest; therefore, we use the domain name servers identified through the whois query. Techniques for performing zone transfers are covered in Chapter 12.
The zone transfer returns a listing of IP addresses and their corresponding host names. A typical listing may look something like this:
ls -d abc.com [server.abc.com] abc.com. SOA server.abc.com admin.abc.com. (200000068 300 800 359100 4700) abc.com. A 10.10.10.30 abc.com. NS server.abc.com abc.com. MX 10 mail.abc.com business A 10.10.10.11 application A 10.10.10.32 mailsweeper A 10.10.10.50 mimesweeper CNAME server4.abc.com server4 A 10.10.10.40 abc.com. SOA server.abc.com admin.abc.com. (200000068 300 800 359100 4700)
Machine host names often indicate the function of the machine. For instance, the corporate firewall machine is often called “firewall” or the name of the firewall running, such as “Gauntlet” or “Firewall1.” Similarly, we have seen some equally revealing machine names, such as “mail.companyname.com,” “smtp.companyname.com,” “ftp.companyname.com,” “dns01.companyname.com,” “ns01.companyname.com,” and “web03.companyname.com.” These names not only offer strong evidence of their main function but also indicate the presence of other machines. For example, if there is a web03 machine on a particular network, there stands to reason that a web01 and a web02 may also exist. If there is an ns01 machine, there may also be ns and ns02 machines. In light of this, names of sports teams, famous people, and cartoon characters have been used as good machine names. They are easy to remember, and they do not give away any technical information.
When doing a zone transfer, keep in mind that often the DNS server does not have a complete listing for all the target network’s hosts. Several machines may be using DHCP, and the company may use separate domain name servers for separate domains. Also, its DNS may not support zone transfer requests from unauthorized hosts, allowing them only from the backup name servers within the organization. Therefore, you should attempt zone transfers against all the target network’s identified domain name servers. One may offer at least a partial listing.
We have also seen companies outsource the domain name function or use their ISP’s DNS server. In our experience, performing a zone transfer against a DNS server or any machine belonging to an ISP or a third party is generally not received well by those third parties. In that case, we usually omit this step unless we have the written consent of both the target organization and the third party. In these situations, make sure the terms of the penetration test clearly state whether or not the hosted systems are within the scope of the engagement.
On the other hand, DNS machines that belong to the client organization but are not a part of the IP address range are specifically within scope and are valid targets of a zone transfer as long as there is a reasonable chance that that DNS will offer information regarding the within-scope target domain. This is because an Internet-based penetration relies on using information that lies in the public domain or is publicly accessible.
This usually occurs when the target comprises one or more domains within a large organization. The main DNS server for the organization will likely have a partial listing of the hosts in the target domain even if it lies outside that domain.
Unlike the whois query, a zone transfer is fairly indicative of hacker activity since there really is no need for the general user to have this information. Therefore, someone making this query against a DNS server is probably a potential attacker. For that reason, we suggest exercising good judgment before performing these queries. Zone transfers may indicate to the network staff the beginning of a penetration test against the network.
5.1.3 Ping Sweeps
Our next step is to ping the discovered IP addresses to see if they are “up” or “live.” There are a variety of ways to ping a set of IP addresses. The most commonly used is the traditional ICMP ping (with echo requests or echo replies messages), but gaining popularity is a TCP ping (with a full or half TCP handshake). Many sites have taken the security step of restricting ICMP traffic or blocking it at the border firewall and router, limiting their exposure to the traditional ping. However, a TCP ping may still be allowed on the network.
Over time, organizations have become more adept at blocking a ping sweep, and countermeasures are becoming more prevalent. While you can assume with some amount of confidence that a host that sends an ICMP response to an ICMP echo request is active, it is not always true that a host that fails to send such a response is necessarily down. The host may be down, or ICMP traffic to that host may be filtered and the ping request simply did not reach it. False responses can also be sent to ICMP echo requests by perimeter security devices.
Depending on the level of stealth you are seeking in your pinging activity, there are a variety of steps you can take to remain beneath the radar of an intrusion detection system that may be monitoring network traffic. While these steps are discussed in greater detail in the section on Nmap in Chapter 12, it is worth mentioning that randomizing the order of the IP addresses being pinged helps avoid detection, as do varying the time between sending ping packets and dividing the IP addresses into multiple groups (this is most helpful for large numbers of hosts, that is, over 100).
The ping utility exists natively on most operating systems and can be performed from a large collection of tools. One of the most popular is Nmap because of its configuration, its ease of use, and the other features it includes (TCP ping, port scanning, OS identification). For the Windows environments, Pinger and Ws PingPro Pack are both effective tools for performing ping sweeps. (In addition, a Windows-compatible version on Nmap is currently under development.) Pinger strictly pings a set of IP addresses while Ws PingPro Pack provides additional functionality through a suite of tools.
Ping sweeps are generally not considered to be evidence of harmful intent to hack a system. However, they can be irritating or destructive if they become excessive; for example, ping each box on a Class C network every 30 seconds for 8 hours and see how that affects bandwidth.
In order to come up with a rough map of the client architecture, we trace the route to several of the live hosts. This is a tedious process, but it does help identify the routers, firewalls, load-balancing devices, and other border machines in place on the target network. In addition, it helps identify hosts that are on separate segments. Hosts on separate segments may be managed by different individuals and may have trust relationships that can be exploited to compromise the system.
A traceroute marks the path of ICMP packets from the local host (where the command is executed) to the destination host. It is available as a command line tool on both the UNIX (traceroute) and Windows (tracert) operating systems. In addition, the Windows-based tool VisualRoute performs this service as well as mapping the path over a map of the world. (VisualRoute is discussed in Chapter 12.)
We perform traceroutes on several IP addresses within the same Class C address block to see if the ICMP packets follow the same path. We are interested in seeing the hops just prior to the target. These hops may represent routers, firewalls, or other gateways. If several hosts have the same prior hop, it is probably a router or firewall. If there is a common host after which ICMP packets can no longer be seen, that too may be the firewall or filtering router. Also, a common host in front of a bank of Web servers may be a load-balancing device or a Web redirector.
If you notice that packets to some hosts on the network segment follow an alternate path, you may have discovered new gateways into the target network. It is not uncommon for network segments to have multiple connections to the Internet—unbeknownst to network managers. These can be developed on the fly for particular network tests or applications and simply forgotten. Such paths often lead to network compromises.
Timeline: A 40-year history of hacking
November 19, 2001 Posted: 8:56 a.m. EST (1356 GMT)
By PCWorld.com staff
(IDG) — Hacking has been around pretty much since the development of the first electronic computers. Here are some of the key events in the last four decades of hacking.
1960s: The Dawn of Hacking
The first computer hackers emerge at MIT. They borrow their name from a term to describe members of a model train group at the school who “hack” the electric trains, tracks, and switches to make them perform faster and differently. A few of the members transfer their curiosity and rigging skills to the new mainframe computing systems being studied and developed on campus.
1970s: Phone Phreaks and Cap’n Crunch
Phone hackers (phreaks) break into regional and international phone networks to make free calls. One phreak, John Draper (aka “Cap’n Crunch”), learns that a toy whistle given away inside Cap’n Crunch cereal generates a 2600-hertz signal, the same high-pitched tone that accesses AT&T’s long-distance switching system.
Draper builds a “blue box” that, when used in conjunction with the whistle and sounded into a phone receiver, allows phreaks to make free calls.
Shortly thereafter, Esquire magazine publishes “Secrets of the Little Blue Box” with instructions for making a blue box, and wire fraud in the United States escalates. Among the perpetrators: college kids Steve Wozniak and Steve Jobs, future founders of Apple Computer, who launch a home industry making and selling blue boxes.
1980: Hacker Message Boards and Groups
Phone phreaks begin to move into the realm of computer hacking, and the first electronic bulletin board systems (BBSs) spring up.
The precursor to Usenet newsgroups and e-mail, the boards — with names such as “Sherwood Forest” and “Catch-22” — become the venue of choice for phreaks and hackers to gossip, trade tips, and share stolen computer passwords and credit card numbers.
Hacking groups begin to form. Among the first are Legion of Doom in the United States, and Chaos Computer Club in Germany.
1983: Kids’ Games
The movie “War Games” introduces the public to hacking, and the legend of hackers as cyberheroes (and anti-heroes) is born. The film’s main character, played by Matthew Broderick, attempts to crack into a video game manufacturer’s computer to play a game, but instead breaks into the military’s nuclear combat simulator computer.
The computer (codenamed WOPR, a pun on the military’s real system called BURGR) misinterprets the hacker’s request to play Global Thermonuclear War as an enemy missile launch. The break-in throws the military into high alert, or Def Con 1 (Defense Condition 1).
The same year, authorities arrest six teenagers known as the 414 gang (after the area code to which they are traced). During a nine-day spree, the gang breaks into some 60 computers, among them computers at the Los Alamos National Laboratory, which helps develop nuclear weapons.
1984: Hacker ‘Zines
The hacker magazine 2600 begins regular publication, followed a year later by the online ‘zine Phrack. The editor of 2600, “Emmanuel Goldstein” (whose real name is Eric Corley), takes his handle from the main character in George Orwell’s “1984.” Both publications provide tips for would-be hackers and phone phreaks, as well as commentary on the hacker issues of the day. Today, copies of 2600 are sold at most large retail bookstores.
1986: Use a Computer, Go to Jail
In the wake of an increasing number of break-ins to government and corporate computers, Congress passes the Computer Fraud and Abuse Act, which makes it a crime to break into computer systems. The law, however, does not cover juveniles.
1988: The Morris Worm
Robert T. Morris, Jr., a graduate student at Cornell University and son of a chief scientist at a division of the National Security Agency, launches a self-replicating worm on the government’s ARPAnet (precursor to the Internet) to test its effect on UNIX systems.
The worm gets out of hand and spreads to some 6,000 networked computers, clogging government and university systems. Morris is dismissed from Cornell, sentenced to three years’ probation and fined $10,000.
1989: The Germans and the KGB
In the first cyberespionage case to make international headlines, hackers in West Germany (loosely affiliated with the Chaos Computer Club) are arrested for breaking into U.S. government and corporate computers and selling operating-system source code to the Soviet KGB.
Three of them are turned in by two fellow hacker spies, and a fourth suspected hacker commits suicide when his possible role in the plan is publicized. Because the information stolen is not classified, the hackers are fined and sentenced to probation.
In a separate incident, a hacker is arrested who calls himself “The Mentor.” He publishes a now-famous treatise that comes to be known as the Hacker’s Manifesto. The piece, a defense of hacker antics, begins, “My crime is that of curiosity … I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all.”
1990: Operation Sundevil
After a prolonged sting investigation, Secret Service agents swoop down on hackers in 14 U.S. cities, conducting early-morning raids and arrests.
The arrests involve organizers and prominent members of BBSs and are aimed at cracking down on credit-card theft and telephone and wire fraud. The result is a breakdown in the hacking community, with members informing on each other in exchange for immunity.
1993: Why Buy a Car When You Can Hack One?
During radio station call-in contests, hacker-fugitive Kevin Poulsen and two friends rig the stations’ phone systems to let only their calls through, and “win” two Porsches, vacation trips and $20,000.
Poulsen, already wanted for breaking into phone-company systems, serves five years in prison for computer and wire fraud. (Since his release in 1996, he has worked as a freelance journalist covering computer crime.)
The first Def Con hacking conference takes place in Las Vegas. The conference is meant to be a one-time party to say good-bye to BBSs (now replaced by the Web), but the gathering is so popular it becomes an annual event.
1994: Hacking Tools R Us
The Internet begins to take off as a new browser, Netscape Navigator, makes information on the Web more accessible. Hackers take to the new venue quickly, moving all their how-to information and hacking programs from the old BBSs to new hacker Web sites.
As information and easy-to-use tools become available to anyone with Net access, the face of hacking begins to change.
1995: The Mitnick Takedown
Serial cybertrespasser Kevin Mitnick is captured by federal agents and charged with stealing 20,000 credit card numbers. He’s kept in prison for four years without a trial and becomes a celebrity in the hacking underground.
After pleading guilty to seven charges at his trial in March 1999, he’s eventually sentenced to little more than time he had already served while he wait for a trial.
Russian crackers siphon $10 million from Citibank and transfer the money to bank accounts around the world. Vladimir Levin, the 30-year-old ringleader, uses his work laptop after hours to transfer the funds to accounts in Finland and Israel.
Levin stands trial in the United States and is sentenced to three years in prison. Authorities recover all but $400,000 of the stolen money.
1997: Hacking AOL
AOHell is released, a freeware application that allows a burgeoning community of unskilled hackers — or script kiddies — to wreak havoc on America Online (AOL). For days, hundreds of thousands of AOL users find their mailboxes flooded with multi-megabyte mail bombs and their chat rooms disrupted with spam messages. (AOL Time Warner is the parent company of CNN.com.)
1998: The Cult of Hacking and the Israeli Connection
The hacking group Cult of the Dead Cow releases its Trojan horse program, Back Orifice — a powerful hacking tool — at Def Con. Once a hacker installs the Trojan horse on a machine running Windows 95 or Windows 98, the program allows unauthorized remote access of the machine.
During heightened tensions in the Persian Gulf, hackers touch off a string of break-ins to unclassified Pentagon computers and steal software programs. Then-U.S. Deputy Defense Secretary John Hamre calls it “the most organized and systematic attack” on U.S. military systems
Here is a list of notable hackers who are known for their hacking acts.
- Adrian Lamo
- Albert Gonzalez
- Dennis Moran
- Ehud Tenenbaum
- HD Moore
- Jonathan James
- Kevin Mitnick
- Kevin Poulsen
- Kristina Svechinskaya
- Leonard Rose
- Robert Tappan Morris
- Tim Berners-Lee
List of computer criminals
Convicted computer criminals are people who are caught and convicted of computer crimes such as breaking into computers or computer networks. Computer crime can be broadly defined as criminal activity involving information technology infrastructure, including illegal access (unauthorized access), illegal interception (by technical means of non-public transmissions of computer data to, from or within a computer system), data interference (unauthorized damaging, deletion, deterioration, alteration or suppression of computer data), systems interference (interfering with the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data), misuse of devices, forgery (oridentity theft) and electronic fraud.
In the infancy of the hacker subculture and the computer underground, criminal convictions were rare because there was an informal code of ethics that was followed by white hat hackers.Proponents of hacking claim to be motivated by artistic and political ends, but are often unconcerned about the use of criminal means to achieve them. White hat hackers break past computer security for non-malicious reasons and do no damage, akin to breaking into a house and looking around. They enjoy learning and working with computer systems, and by this experience gain a deeper understanding of electronic security. As the computer industry matured, individuals with malicious intentions (black hats) would emerge to exploit computer systems for their own personal profit.
Convictions of computer crimes, or hacking, began as early as 1983 with the case of The 414sfrom the 414 area code in Milwaukee. In that case, six teenagers broke into a number of high-profile computer systems, including Los Alamos National Laboratory, Sloan-Kettering Cancer Center and Security Pacific Bank. On May 1, 1983, one of the 414s, Gerald Wondra, was sentenced to two years of probation. As of 2009, the longest prison term for computer crimes—nearly five years—was handed down to Jeanson James Ancheta, who created hundreds of zombie computers to do his bidding via giant bot networks or botnets. He then sold the botnets to the highest bidder who in turn used them forDenial-of-service (DoS) attacks.
|Mark Abene||Phiber Optik||United States||Misdemeanor theft-of-service for a free-call scam to a 900 number
One count of computer trespass and one count of computer conspiracy
|35 hours of community service|
|Jeanson James Ancheta||—||United States||Pled guilty to four federal charges of violating United States Code Section 1030, Fraud and Related Activity in Connection with Computers, specifically subsections (a)(5)(A)(i), 1030 (a)(5)(B)(i) and 1030(b)||May 8, 2006||57 months in prison, forfeit a 1993 BMW and more than US$58,000 in profit
Restitution of US$15,000 to the U.S. federal government for infecting military computers
|Adam Botbyl||—||United States||Conspiracy to steal credit card numbers from the Lowe’s chain of home improvement stores||December 16, 2004||Two years and two months imprisonment, followed by two years of supervised release|
|Mike Calce||MafiaBoy||Canada||Pled guilty to 56 charges of “mischief to data”||September 12, 2001||Eight months “open custody,” by the Montreal Youth Court, one-year of probation, restricted use of the Internet and a small fine|
|Chad Davis||Mindphasr||United States||Intentionally hacking a protected computer and wilfully causing damage||March 1, 2000||Six months in prison, US$8,054 in restitution and three years probation|
|Nahshon Even-Chaim||Phoenix||Australia||15 charges including trespassing on the University of Texas computer network, altering data at NASA and the theft of the ZARDOZ file||1993||One-year suspended sentence:AU$1,000 good-behaviour bond and 500 hours community service|
|Raphael Gray||Curador||United Kingdom||Pled guilty to theft and hacking offences which fall under the Computer Misuse Act and six charges of intentionally accessing sites containing credit card details and using this information for financial gain||July 6, 2001||Three years of psychiatric treatment after evidence emerged that he was suffering from a mental condition which needed medical treatment rather than incarceration|
|Jerome Heckenkamp||MagicFX||United States||Admitted the hacking and pleaded guilty to two felonies in 2004.||2004||Sentenced to Time Served after spending 7 months in prison.|
|Jonathan James||c0mrade||United States||Two counts of juvenile delinquency||September 21, 2000||Six-month prison sentence and probation until the age of eighteen|
|Richard Jones||Electron||Australia||Trespassing on the University of Texas computer network and theft of the ZARDOZ file||1993||One year and six months suspended sentence, 300 hours of community service and psychiatric assessment and treatment|
|Samy Kamkar||samy||United States||Pled guilty to violating California Penal Code 502(c)(8) for creating the “Samy is my hero” XSS worm that spread across the MySpace social networking site||2007||Three years of formal probation, 90 days of community service, restitution paid to MySpace, restrictions on computer use|
|Cameron Lacroix||cam0||United States||Pled guilty to hacking into the cell-phone account of celebrity Paris Hilton and participated in an attack on data-collection firm LexisNexis Group that exposed personal records of more than 300,000 consumers||September 13, 2005||11 months in a Massachusetts juvenile detention facility|
|Adrian Lamo||—||United States||One-count of computer crimes againstMicrosoft, LexisNexis and The New York Times||July 15, 2004||Six months detention at his parent’s home plus two years probation and roughly US$65,000 in restitution|
|Kevin Mitnick||Condor||United States||Four counts of wire fraud, two counts of computer fraud and one count of illegally intercepting a wire communication||August 9, 1999||46 months in federal prison|
|Dennis Moran||Coolio||United States||Misdemeanor charges of hacking||March 9, 2001||Nine months in jail and US$5,000 in restitution to each victim|
|Robert Tappan Morris||rtm||United States||Intentional access of federal interest computers without authorization thereby preventing authorized access and causing a loss in excess of US$1,000||May 16, 1990||Three years probation and 400 hours of community service in a manner determined by the Probation Office and approved by the Court|
|Jeffrey Lee Parson||T33kid||United States||Pled guilty on August 11, 2004 to one count of intentionally causing or attempting to cause damage to a protected computer via his version of the Blaster computer worm||January 1, 2005||18 months in prison and 100 hours of community service|
|Kevin Poulsen||Dark Dante||United States||Pled guilty to seven counts of mail, wire and computer fraud, money laundering and obstruction of justice||June 1, 1994||51 months in prison and ordered to pay US$56,000 in restitution|
|Leonard Rose||Terminus||United States||Illicit use of proprietary software (UNIX 3.2 code) owned by AT&T and 2 counts of computer fraud and three counts of interstate transportation of stolen property.||June 12, 1991||One-year jail sentence|
|David L. Smith||Kwyjibo||United States||Pled guilty to knowingly spreading a computer virus, the Melissa virus, with the intent to cause damage||May 1, 2002||20 months in federal prison, US$5,000 fine and 100 hours of community service upon release|
|Ehud Tenenbaum||Analyzer||Israel||Admitted to cracking US and Israeli computers, and pled guilty to conspiracy, wrongful infiltration of computerized material, disruption of computer use and destroying evidence||June 15, 2001||Six months of community service, one-year of probation, a two-year suspended prison sentence and fined about US$18,000|
|William Reed||ServerCancer||United States||Pled guilty to hacking into several city emails, sending illegal messages, and is also known as the Facebook hacker||July 5, 2009||Five years of probation and ten-thousand dollars in fines and court costs|
|Simon Vallor||Gobo||United Kingdom||Writing and distributing threecomputer viruses||January 21, 2003||Two-year jail sentence|
|Gerald Wondra||The 414s||United States||Unauthorized access to computers at the Sloan-Kettering Cancer Center in New York and a Los Angeles bankand two counts of “making harassing telephone calls”||May 1, 1983||Two years probation|
|Jan de Wit||OnTheFly||Netherlands||Spreading data into a computer network with the intention of causing damage as the creator of the Anna Kournikova virus||September 27, 2001||150 hours community service|
Well, it looks like ‘anonymous‘ is not the only one resorting to DDOS attacks these days. Futuregroup’s FutureBazaar.com has been down for nearly 3 days now. And given the time of the year, I cant think of a worse time for it to be non functional. Except, maybe Diwali.
Consumers aren’t able to access the website and for a site that has an alexa rank(Indian) of 309, this could translate into huge losses. Though the company isn’t commenting on the magnitude of the perceived losses just yet. Just to give you an idea, Ebay.in has a traffic rank of 55.
Several papers have quoted FutureBazaar chief executive officer Rajiv Prakash as saying that they have filed a complaint with the Cyber Crime Branch in Mumbai. If you go to website now – this what you see.
My System? Never mind! Hopefully they’ll have it back online soon.
Update : It seems to be back up now, with this message :
CBI Website Still Down? But Why?
We had reported that the Pakistan Cyber Army had defaced the website of the Central Bureau of Investigation – cbi.gov.in. Nearly 3 weeks after this. It is still down. But why it is down, is another story.
Some reports in mid-december suggested that this was down to infighting between NIC – National Informatics Centre and CERT – Computer ‘Emergency’ Response Team. Neither can decide whose responsibility it is to set things right.
Meanwhile, India’s ‘IT prowess’ is being mocked across the border. With several blogs crediting the delay to the ‘elaborate web’ that the Pakistan Cyber Army spun.
Elaborate Web or not! The fact that the Website is down even 3 weeks after the incident is, well, pathetic. And to think we’re trying to move to something like Aadhar, filing our financial statements online etc. I shudder to think what will happen to the UID project when it is left solely in the hands of bureaucrats.
With reports of increasing cyber attacks and our growing vulnerability to information theft etc India’s Cyber security laws really need an overhaul, and fast. A recent report by Symantec suggested that India’s critical infrastructure providers are often vicitms of cyber attacks. The article quoted the Director General of CERT “This reaffirms that cyber attacks have evolved to extremely sophisticated activities capable of compromising utilities, Government and private infrastructure, and corporate intellectual property” – And what are we doing about it exactly?
AIFF website hacked by Pak supporters
MUMBAI: Hackers supporting the jehadis in Pakistan have again damaged an Indian website, this time the All India Football Federation (AIFF).
The cyber outlaws, identifying themselves as ‘ZCompany Hacking Crew’, struck on Thursday evening and turned the entire homepage into a propaganda message board, targeting the governments of India andIsrael for a few hours before the AIFF officials got in touch with the Canadian company hosting the website and blocked the offensive content.
“Our website was hacked today evening and we soon got in touch with the Canadian company hosting our site. They have already blocked the site and we expect them to restore it by Friday,” AIFF general secretary Kushal Das told TOI. “We are trying to find out the persons behind this (attack) and are hoping to get a report on the culprits by tomorrow,” Das added.
It is the second such attack on the AIFF website in a month after a Pakistani hacker mutilated the homepage towards the end of December weeks after the a group called Pakistan Cyber Army hacked the website of Central Bureau of Investigation (CBI). “That time the hackers struck early morning and we could block them immediately,” a top AIFF official said.
He also expressed confidence that none of the data would be lost. “We have got back-ups for all our data and hence we will be able to restore it without any damage.”
The AIIF website, which was launched after private individuals — including NRIs — demonstrated the popularity of Indian football sites, was suffered problems all through. “This is their second URL (website address) and the fourth reconstruction after the first URL was shut down due to lack of proper maintenance,” an informed source said.
The revamped website was launched by AIFF in August 2009 coinciding with India’s participation in the Nehru Cup.
someone rightly said that the third World War would be fought online. Last week, a group of Indian hackers called Indian Cyber Army ’ hacked ‘ more than 50 Pakistani government websites and succeeded in provoking hackers across the border. In retaliation, Pakistani hackers have now hacked Central Bureau of Investigation’s official website.
Lamo was born in Boston, Massachusetts to Mario Lamo and Mary Lamo-Atwood in 1981.He spent his early childhood in Arlington, Virginia, until moving to Bogotá, Colombia around the age of 10. When his family moved back to the United States two years later, they settled in San Francisco, where Adrian lived until he tested out of high school a year early. Popularly called the “homeless hacker” for his transient lifestyle, Lamo spent most of his travels couch-surfing, squatting in abandoned buildings and traveling to Internet cafes, libraries and universities to investigate networks, and sometimes exploiting security holes. Despite performing authorized and unauthorized vulnerability assessments for several large, high-profile entities, Lamo refused to accept payment for his services.
In the mid-1990s, Lamo became a volunteer for the gay and lesbian media firmPlanetOut.com. In 1998, Lamo was appointed to the Lesbian, Gay, Bisexual, Transgender, Queer and Questioning Youth Task Force by the San Francisco Board of Supervisors.
During this period, in 2001, he overdosed on prescription amphetamines.
In a 2004 interview with Wired, an ex-girlfriend of Lamo’s described him as “very controlling,” stating, “He carried a stun gun, which he used on me.” According to the same article, a court issued a restraining order against Lamo.[ Lamo disputed the accuracy of the article and wrote, “I have never been subject to a restraining order in my life”.
In May 2010 Lamo reported his backpack stolen. The investigating officer noted unusual behavior by Lamo and detained him. He was diagnosed with Asperger’s syndrome after having been placed on a 72-hour involuntary psychiatric hold, which was extended to a total of nine days.
As of March 2011 he is in hiding, stating that his “life was under threat” after turning in Bradley Manning.
In February 2002 he broke into the internal computer network of The New York Times, adding his name to the internal database of expert sources, and using the paper’s LexisNexis account to conduct research on high-profile subjects. The New York Times filed a complaint, and a warrant for Lamo’s arrest was issued in August 2003 following a 15 month investigation by federal prosecutors in New York. At 10:15 AM on September 9, after spending a few days in hiding, he surrendered to the US Marshals in Sacramento, California. He re-surrendered to the FBIin New York City on September 11, and pled guilty to one felony count of computer crimes against Microsoft, LexisNexis and The New York Times on January 8, 2004.
Later in 2004, Lamo was sentenced to six months detention at his parents’ home plus two years probation, and was ordered to pay roughly $65,000 in restitution. He was convicted of compromising security at The New York Times and Microsoft,Yahoo![and MCI WorldCom.
When challenged for a response to allegations that he was glamorizing crime for the sake of publicity, his response was “Anything I could say about my person or my actions would only cheapen what they have to say for themselves”. When approached for comment during his criminal case, Lamo frustrated reporters with non sequiturs such as “Faith manages”, (probably a reference to science fiction television show Babylon 5) and “It’s a beautiful day.”At his sentencing, Lamo expressed remorse for harm he had caused through his intrusions, with the court record quoting him as adding “I want to answer for what I have done and do better with my life.”[
On May 9, 2006, while 18 months into a two year probation sentence, Adrian Lamo refused to give the United States government a blood sample they demanded so as to record his DNA in their CODIS system.According to his attorney, Adrian Lamo has a religious objection to giving blood, but is willing to give his DNA in another form. On June 15, 2007, lawyers for Lamo filed a motion citing the Book of Genesisas one basis for Lamo’s religious opposition to the frivolous spilling of blood.
On June 21, 2007, it was reported that Lamo’s legal counsel had reached a settlement agreement with the U.S. Department of Justicegranting Lamo’s original request. According to Kevin Poulsen‘s blog, “the Justice Department formally settled the case, filing a joint stipulation along with Lamo’s federal public defender dropping the demand for blood, and accepting cheek swabs instead.” Reached for comment, Lamo reportedly affirmed to Poulsen his intention to “comply vigorously” with the order.WikiLeaks and Bradley Manning
In February 2009, a partial list of the anonymous donors to the WikiLeaks not-for-profit website was leaked and published on the WikiLeaks website. Some media sources indicated at the time that hacker Adrian Lamo was among the donors on the list. Wired reported that Adrian Lamo commented on his Twitter page, “Thanks WikiLeaks, for leaking your donor list… That’s dedication.”
In June 2010, Adrian Lamo reported to U.S. Army authorities that Specialist Bradley Manning had claimed to have leaked a large body of classified documents, including 260,000 classified United States diplomatic cables.[Lamo stated that Manning also “took credit for leaking” the controversial, classified video footage of the July 12, 2007 Baghdad airstrike, which has since come to be known as the “Collateral Murder” video.
Lamo has stated that he would not have turned Manning in “if lives weren’t in danger… [Manning] was in a war zone and basically trying to vacuum up as much classified information as he could, and just throwing it up into the air.” WikiLeaks responded by denouncing Lamo and Wired Magazine reporter Kevin Poulsen as “notorious felons, informers & manipulators” and said that “journalists should take care.”
According to Andy Greenberg of Forbes,Adrian Lamo may have worked as a “security specialist” with Project Vigilant, a private security institution that works with the FBI and the NSA. Chet Uber, the head of Project Vigilant, has claimed, “I’m the one who called the U.S. government… All the people who say that Adrian is a narc, he did a patriotic thing. He sees all kinds of hacks, and he was seriously worried about people dying.”
Lamo has been criticized by fellow hackers such as at Hackers on Planet Earth 2010, who called him a “snitch“. Another commented to Lamo following his speech during a panel discussion saying: “From my perspective, I see what you have done as treason.”
Julian Assange calls Adrian Lamo “a very disreputable character”, and says that Lamo’s monetary support for WikiLeaks amounted to only 20 U.S. dollars on one occasion. Assange says that it is “not right to call [Lamo] a contributor to WikiLeaks”, and questions the electronic record associated with the Manning-Lamo chats, because, according to Assange, Lamo has “strange motivations” and “had been in a mental hospital three weeks beforehand”.
Greenwald, Lamo, Wired Magazine
Lamo’s role in the Manning case drew the ire of Glenn Greenwald, of Salon Magazine. An ardent supporter of WikiLeaks, Greenwald has been a passionate critic of Lamo, suggesting that Lamo lied to Manning by turning him in, and also lied after the fact to cover up the circumstances of Manning’s confessions. Greenwald places the incident in the context of what he calls “the Obama administration’s unprecedented war on whistle-blowers”. Greenwald’s critique of Wired Magazine has drawn a response from that magazine which suggests that Greenwald is writing disingenuously: “At his most reasonable, Greenwald impugns our motives, attacks the character of our staff and carefully selects his facts and sources to misrepresent the truth and generate outrage in his readership.” In an article about the Bradley Manning case, Greenwald mentions Wired reporter Kevin Poulsen‘s 1994 felony conviction for computer hacking, suggesting that “over the years, Poulsen has served more or less as Lamo’s personal media voice.” Greenwald is skeptical of an earlier story written by Poulsen about Lamo’s institutionalization on psychiatric grounds, writing: “Lamo claimed he was diagnosed with Asperger’s Syndrome, a somewhat fashionable autism diagnosis which many stars in the computer world have also claimed.” In his response, Poulsen accused Greenwald of “name-calling, bizarre conspiracy theories and ad hominem attacks”.
Greenwald has called for Wired to release more of the chat logs in its possession that pertain to a conversation between Bradley Manning and Adrian Lamo: “there are clearly relevant parts of those chats which Wired continues to conceal”. Wired’s editor-in-chief has reiterated that “the logs include sensitive personal information with no bearing on WikiLeaks, and it would serve no purpose to publish them at this time.” In an article entitled “The Worsening Journalistic Disgrace at Wired”, Greenwald claimed that Wired was “actively conceal[ing] from the public, for months on end, the key evidence in a political story that has generated headlines around the world.”[
Film and television
Lamo was removed from a segment of NBC Nightly News when, after being asked to demonstrate his skills for the camera, he gained access to NBC’s internal network. NBC was concerned that they broke the law by taping Lamo while he (possibly) broke the law. Lamo was a guest on The Screen Savers five times beginning in 2002.Hackers Wanted, a documentary film focusing on Lamo’s life as a hacker, was produced by Trigger Street Productions, and narrated byKevin Spacey. Focusing on the 2003 hacking scene, the film features interviews with Kevin Rose and Steve Wozniak.The film has not been conventionally released. In May 2009, a video purporting to be a trailer for Hackers Wanted was allegedly leaked to or by Internet film site Eye Crave. In May 2010, an earlier cut of the film was leaked on Bittorrent.According to an insider, what was leaked on the Internet was a very different film from the newer version which includes additional footage. On June 12, 2010, a director’s cut version of the film was also leaked onto torrent sites
If you own a Nokia Symbian S60 phone, you will most likely be aware of the fact that it is not possible to install applications on it unless they are signed using a valid certificate. Have you been trying to install applications on your S60 3rd or 5th edition phone but ending up getting a certificate error? At times, this can be really annoying; but here is a smart solution to this problem!
Here in this post, I will show you how to hack your Symbian S60 3rd or 5th edition smartphone, so as to modify the phone’s firmware and completely bypass the mandatory signing requirement. So, once you are done with this one time hack, you should be able to install any compatible application including unsigned and those with an expired certificate.
What is the Need for Signing Applications?
From the 3rd edition onwards, all the Symbian S60 applications need to be signed in order to ensure their integrity, so that it would not be possible for a third party to tamper with the application. Also, signing ensures that you always install applications from a trusted source.
However, there are many freeware and beta applications that come unsigned as the developers cannot afford to buy a symbian certificate. Hence, it can be a real nightmare for the users who need to install such applications on their phones. So, here is a step-by-step procedure to hack your phone and permanently disable this security feature.
HelloOX2 is an excellent tool to hack Symbian S60 3rd, 5th and Symbian^3 smartphones which makes it possible to install a root certificate by gaining full access to the phone’s system files. With this capability, you can install anything you want on your phones without the need to worry about the annoying certificate error!
2. The signed version of HelloOX2 demands for a donation and hence, only the unsigned version is available for free download. So, if you have the unsigned version, you need to sign it before installing on your phone. In order to sign any application, you need to have the certificate and the […] Read the full story »
“Hacking” ..In India, It’s Different..Let is Retain it
IRCTC Fraud. One Ticket Agent Arrested
June7: Naavi.org has been pointing out that online IRCTC booking through Tatkal is being fraudulently taken over by agents. Complaints have even been lodged with IRCTC on this account. We have also exposed one software professional who had posted a client side script which could be used for overriding others in booking the tatkal tickets. This software professional removed the contents of his site but there are others who are also posting hacking guidelines for IRCTC site. In our complaint to IRCTC we have been suggesting IRCTC that they whould conduct a CBI enquiry on an analysis of tatkal bookings to prevent this fraud. We have also suggested that agents should be disabled from Tatkal booking for the first 15 or 30 minutes. Similar views are also held by others.
We are glad to note that one such agent has been arrested in Mumbai for such fraudulent booking. He is reported to have made 44 bookings under Tatkal on a single day.
There is a clear indication that IRCTC officials must be involved in this fraud. a good analysis has beengiven by Mr Amish to estimate that the fraud may be valued at around Rs 10000 crores. IRCTC has also modified its rules to accommodate the agents. When online booking was started, agents were not allowed the use of the facility. Later they were included. Then IRCTC also made a change regarding the ID card details to be provided. Earlier the full details of the ID card including the serial number had to be provided at the time of booking. Now this is not required. Passenger can give any ID. While this appears to be a move to help customers, it is actually meant to help the agents who may not have proper ID documents of the passengers.
Cyber Bullying by Vodafone?
June7: The attitude of Vodafone in filing a defamation suit (Refer article in FE) against a dissatisfied customer expressing his complaint on the Internet smacks of “Corporate Arrogance” and needs to be opposed by all consumer oriented organizations. Differences do arise between a customer and a consumer oriented business entity. Most matured business houses follow the axiom “Customer is always right” and go out of the way to placate a complaint. When the company is not responsive the customer is forced to post his complaints in various consumer fora as well as his personal web space.
In the event the facts presented are false there is a legal right to file a defamation suit. However in most cases the money rich company files a case only to harass the individual. Unfortunately our unfriendly legal system is a night mare for most individuals. Often petitions which ought to be thrown out in the first place are admitted by Courts making the respondent spend time and money to respond to an unsustainable legal dispute. The case then drags on and on and the proceedings become a punishment to the consumer hurting him more than the original dispute.
It has been my personal experience that Vodafone service is bad and I discontinued the service for the same reason. I donot know the details of the current dispute but it appears that the person is so agitated that he has contacted the higher officials and also posted their contact numbers for others to see. It is ridiculous that the Company claims that the customer can go through only the customer care facility and should not contact other officials. We all know that customer care is only one of the contact points for the customer and it often is not able to solve all the issues. In such cases, since the consumer’s contract is with the company and any service charges paid by him go to fund the salary of all the officers of the company it is the prerogative of the customer to contact any official including the CEO or even the Board of Directors to seek resolution of his complaint. Each such person has a duty to the consumers and are vicariously liable for the warranties made on the service either through advertisements or otherwise. Hence writing to them or publishing their contact numbers for others to contact them cannnot be considered as an illegal activity. If they feel inconvenient, it is the price they pay for being the officials of such a company.
Hence the stand taken by the Company is clearly anti consumer. This bullying attitude of Vodafone needs to be condemned. It is preposterous to suggest that ITA 2008 should be applied against a consumer who posts his complaint in his facebook profile whether it is private or public. The remedy for such arrogant behaviour of a Company is a consumer movement against such a company. Now that there is MNP, I think people should express their dissatisfaction by severing their relationship with the company. A Consumer company which is anti consumer is not a company to be associated with. Perhaps we require a Cyber Anna or a Cyber Baba Ramdev to take up the cause of such cyber bullying.
Bangalore losing status as IT Capital of India?
June6: It is reported that the ASSOCHAM has said that Bangalore is set to lose the prestigious tag as the IT City. Results of a survey of 800 CXOs is said to indicate that nearly 30% of the Bangalore based CXOs were keen to shift to Gurugaon and 25% to Noida. Naavi has been trying to persuade the State Government to take up measures to ensure that Bangalore remains the destination for IT industry. When a hard core an IT professional was elected as an MP of BJP it was hoped that he would take steps to promote IT industry in Karnataka. However the Government has its priorities set elsewhere. Judging by the lukewarm response to some of the initiatives of Naavi to make Bangalore the focus of IT Security from the Government, it appears that ASSOCHAM survey conclusion may become a reality sooner than expected. With the change of Government in Tamil Nadu and Mrs Jayalalitha assuming the Chief Minister’s role, it is expected that Chennai and Tamil Nadu will also initiate steps to wean away IT investments. Recently a group of North Eastern States chose to headquarter their IT promotion initiatives from Hyderabad instead of Bangalore or any other place. This indicates that outside Karnataka, the perception is growing that Bangalore is no longer a recognized IT hub. Unless Dr V.S. Acharya, the IT Minister and Mr M.N.Vidyashankar the Principal Secretary, IT and BT recognize the threat and initiate immediate remedial measures, before the end of the current BJP Government’s tenure, Bangalore would have lost its identity as the IT capital of the country. I invite the attention of the National IT Cell of BJP and Mr Janardhan, the Chitradurga MP who was a former IT professional to take interest in devising strategies to change the disturbing. trend.
“Vinaashakaale Vipareeta Buddhihi”
5th June, 2011: When Jaya Prakash Narayan (JP) was arrested in June 25, 1975, it was stated that he commented “Vinaashakaale Vipareeta Buddhihi”. I am reminded of that development today. After the arrest of JP and other political leaders and declaration of “Emergency”, on 26th June, 1975, a few publications protested the Emergency measures by printing blank editorials. It was the beginning of a two year dark period in the history of India when dictatorship ruled the Country. It is 36 years since that event and we have history repeating itself with the midnight swoop on Ramlila Grounds and arrest of Baba Ramdev who was protesting against Corruption. By its action, the Government has indicated that it is better to suspend democracy rather than take steps to prevent corruption. I am now reliving the days of June 26, 1975 and reminded of the famous words spoken by JP which was then headlined by Indian Express. Yesterday I speculated on “Emergency” measures. Unfortunately it has become a reality today. . Let’s wait and see how media and other political parties react to the current situation. At the point of time when this is being posted, there is still no “Emergency”. I hope that 2011 is not 1975 and hence the situation may not worsen into an “Emergency” situation. However, It is a sad day for India.
History is being created in India
4th June 2011: A globally historic event has just begun in India in the form of the Anti Corruption Movement mobilized by Baba Ramdev. After the Non Cooperation movement of Mahatma Gandhi, this could turn out to be the biggest mobilization of people in India for a cause and perhaps may outscore even the anti emergency movement of Jayaprakash Narayan. What is unique about this event is that non political forces have come together to root out corruption which is the biggest menace in the country.
There are very few persons left in the country who are still swearing by non corrupt practices and they are often ridiculed as impractical. Many politicians who were expected to be honest have came around to the view that today it is not possible to avoid corruption in public life. But now there is a renewed hope. Ramdev’s movement has gained support across the country and along with Anna Hazare’s team has become a formidable force which the Government cannot ignore.
We may recall that BJP had in fact included in its last election manifesto that black money abroad will be brought back to India. Dr Manmohan Singh also promised after Congress came to power that they will bring back black money within 100 days. We may therefore say that both political parties are in principle supportive of Baba Ramdev’s demand.
While the Government was effectively killing the Lok Pal movement of Anna Hazare, it is unlikely to succeed killing the Baba Ramdev’s movement. It is however possible that the Government may resort to an “Emergency” like action of arresting of Baba Ramdev and crushing the movement. Hopefully Government will see reason and accept Baba Ramdev’s demands without much delay.
Whatever turn the movement takes, it is clear that 4th June 2011 will be a historic day in the history of not only India but the entire world.
October 31, 2011 is the first deadline for Bankers under GGWG
June 3: The April 29th circular of RBI advising implementation of the recommendations of G Gopalakrishna Working Group recommendations has set a specific timeline for implementation of the recommendations. One of the principle deadline would be October 31, 2011 by which time Banks must put in place policies and procedures which donot require extensive investment. This may include the setting up of the IT Strategy Committee, Risk Management Committee and the IT Steering Committee as well as designation of a CISO.
The circular suggests a Quarterly review process and the first calendar quarter after the issue of the guideline falls on 30th June 2011. It is recommended that the Board meeting within this quarter may take on record the receipt of the RBI guidelines and initiation of the first steps towards implementation of the recommendations. The second quarterly review by September 30 may discuss steps taken during the first 4-5 months so that the Bank will be ready with the compliance requirements for October 31, 2011 including a quick “Gap Analysis”.
As an experienced past Banker and a techno legal information security practitioner, Naavi offers GGWG Gap Analysis” service for Banks to enable them comply with GGWG recommendations. Interested Banks may contact naavi at email@example.com (+919343554943) for further details.
Six year Imprisonment for HIPAA Violation
June2: An Alabama Court sentenced Mr Isaac Earl Smith, to six years in prison for his role in a prescription fraud scheme that included crimes of healthcare fraud, aggravated identity theft and violations of HIPAA. Related Article
US Postal Services Introduce “Adult Signatures”
June 1: Naavi.org had in the past made suggestions regarding introduction of “Adult Passes” in the Cyber Space for receipt of adult content. In the meantime it is interesting to note that US Postal authorities have introduced a service called “Adult Signatures” where the mail is delivered to adults above 21 years of age upon verification of age. It should be a forerunner to the concept of “Adult Pass” suggested by naavi.org. Related notification
HHS Includes “Disclosure” as part of Privacy Rights
June1: In a conceptually significant development, HHS has proposed a change in the Privacy laws related to HITECH Act according to which the data subject would be entitled to know who has accessed his information. In the light of the powers which the Indian Government is likely to exercise under the new rules under ITA 2008 on Privacy, this is an important disclosure requirement that should become part of every privacy law. HHS notification for public comments : related Article
Directory of Mobile Numbers
June1: Mobile numbers are considered “Personal information” and are protected by privacy. However we should debate if there is a need to reconsider the issue of privacy of mobile numbers. When a person receives a call or SMS from a mobile number, his privacy is disturbed. When he receives multiple calls or multiple SMS numbers, it annoys a person and it may invoke Section 66A of ITA 2008 as an offence. In such a case the recipient of the anonymous call has a genuine right to know the identity of the person making the call.
It is therefore necessary for all mobile service providers to introduce a mechanism where by if a person receives more than 3 calls from a mobile number during a period of one month, he is entitled to demand the identity of the caller from a repository of mobile directory. This is the privacy right of the call receiver pitted against the privacy right of the caller.
This provision of disclosure on demand should be introduced as part of the “Due Diligence” of the intermediaries since identity of the caller is the first essential step for the call receiver to invoke the protection of ITA 2008.
The exact procedure of how a demand can be made, what evidence need to be submitted etc can be decided.
In order to implement the same it is also necessary for every Mobile Service provider to provide a free online copy of billing details so that the call receiver can extract the statement as a proof of having received multiple calls from a given number within a particular time. DIT has the power to issue such guidelines under Section 79/Section 67C /Sec 85 of ITA 2008. Reactions are welcome.
UID Data Stolen
May 30: It is reported that two laptops containing UID data were stolen from a school in Pune. Naavi.org had suggested earlier that UID should follow a techno legal information security plan under IISF 309 framework. In case they have followed the principles of IISF 309 (Version 3), they might be able to counter the data loss suffered through the theft. Otherwise it indicates that UID system will continue to suffer in future also from security issues and may get abandoned as a project midstream.Article in TOI
Call Records to be stored for 5 years?
May 30: The IB is reported to have demanded that call records must be kept by Mobile Service Providers for a minimum period of 5 years. This has been opposed by the Telcos on grounds of cost. The requirement can be specified both under Sec 67C of ITA 2008 as well as under the recent rules released by DIT under Sec 79. Related Story in ET
May30: US President has created a controversy involving Cyber Laws by using “Autopen” to sign an important constitutional document from afar. It is reported that the “PATRIOT Act” was due for renewal and required the President’s signature which could not be physically obtained within the stipulated time since Mr Obama was abroad. He authorized the use of “Autopen” to sign the Bill. Report in NDTV :NewYorkTimes.
The decision opens up a Pandora’s box as to the legality of “Signatures”. ... More
Corporate AGM online
May 29: Ministry of Company Affairs has been one of the most ardent promoters of ITA2000/8. It was MCA which made digital signatures mandatory and gave a lease of new life to Certifying authorities in India. Now MCA has also clarified that it is possible to conduct shareholder’s meetings virtually. Naavi’s CEAC in conjunction with Arbitration. in provides a cyber law compliant virtual meeting solutionfor companies. Hopefully companies take advantage of the provision. Related Article
May 27: The fact that the President of India cleared a mercy petition of a victim who had been convicted 7 years ago by the highest Court of the land has naturally made news. If the Executive which has to only review the facts and circumstances based on the trials already conducted in three or four different Courts needs 7 year’s time to decide yes or no on the mercy petition, no body can blame the Judiciary which takes ages to decide on the underlying cases.
It is in this context that the role of Media in highlighting certain cases becomes useful to the society. Though we may call it as “Trial by Media”, it often quicker decisions. The need for such media intervention is therefore necessary to ensure that the judicial system is not rendered more and more inefficient due to lack of timely delivery of justice...More
Cyber Appellate Tribunal Sitting in Chennai again
May 27: In only the second such instance the Cyber Appellate Tribunal (CAT) which is the appellate authority over Adjudication of contravention of Information Technology Act 2000/8(ITA2008) will be sitting in Chennai on 1st June 2011. The CAT will hear proceedings on three pending cases of Phishing one of which is on ICICI Bank and two on Punjab National Bank.
NewYork Police Blunders in Cyber Crime Investigation
May25: In a case of a shocking blunder, the New York Police have committed a grave blunder by misreading the IP address and addressing a wrong person who happened to be arrested, handcuffed and humiliated for an offence not committed by her. On the other hand when the real culprit was later identified, it appears that he was not arrested or handcuffed. The arrested girl, Ms Krittika happened to be a daughter of an Indian diplomat and even her claims of diplomatic privilege was ignored. The offence itself was trivial and concerned sending abusive e-mails to the teacher. In the whole episode, New York Police come out as inefficient and racist. Related Article
Regional Consultation on Cyber Laws
May 23: National Legal Service Authority (NALSA) conducted a Regional Consultation meet on Cyber laws in Hyderabad on 21st and 22nd of May 2011. Honourable Justice Sri Altamas Kabir, a Judge of Supreme Court of India and Executive Chairman NALSA presided over the event. Several eminent Judicial personalities including Chief Justice of Gauhati, Honourable Sri Madan Lokkur, Chief Justice of Orissa, Honourable Sri Gopala Gowda, Chief Justice of AP and Executive Chairman AP State Legal Services Authority, Honourable Sri B.Prakash Rao, Presiding Officer of Cyber Appellate Tribunal, Hnourable Sri Rajesh Tandon and several others participated in the event. Honourable Minister of Law of the Government of AP, Sri E.Pratap Reddy was also present.
The meet represented a grand summit of the Judicial authorities in the States of Orissa, West Bengal, Jharkand, Bihar, Chattisgarh, Sikkim and Andaman and Nicobar and Hyderabad appears to have emerged as the preferred center for this group of Eastern States to deliberate on Cyber Law and Cyber Crime related issues.
Naavi participated in the program as one of the speakers during the session on “Challenges and Issues in Cyber Laws “and placed the Netizen’s perspective of the issues focussing the issues surrounding Cyber Judiciary. A summary of Naavi’s presentation made during the event is available here.
New Regulations Under ITA 2008
May23: A copy of the new notifications dated April 11, 2011 under Sec 6A, Under Sections 43A and 79 along with a notification on Cyber Cafes is now available here. All notifications under ITA 2000/8 are to be placed before the Parliament before notification. It is not clear when these notifications have been placed before the Parliament. Information on this is awaited. Copies of the Notification are available here. Sec 6A, Sec 43A and 79, Cyber Cafe:
The notifications have been a subject of criticism on several grounds. More discussions on these will follow.
New Adjudicator for Tamil Nadu
May20: With the change of Government in Tamil Nadu, there has been a shuffling of the IAS officers. In the process the Principal Secretary IT of Tamil Nadu has been replaced and Dr Sathosh Babu who was presently the Managing Director of ELCOT has been appointed as the new IT Secretary of the State. It is to be recognized that the post of IT Secretary in a State also carries the responsibility of the Adjudication under ITA 2000. In effect the IT Secretary is the Chief Civil Judge of the State for adjudicating against any contravention of ITA 2000.
Mr P W C Davidar had been an exceptional officer who held the post of Adjudicating officer with dignity and a kind of expertise which is rare. It was during his tenure that four cases of Phishing were resolved. His landmark judgment in the case of S.Umashankar Vs ICICI Bank has made it into all Cyber Law text books and will remain as the trend setter in the development of Cyber Judiciary in India. It was not surprising that after the Umashankar verdict the presence of an office of Adjudication became known and nearly 16 other cases came to be registered with him. At the time of his transfer nearly 14 cases are pending of which two cases against PNB are significant. These cases are significant since the Bank tried all tricks ethical and unethical to ensure that the case could not be completed on schedule and got adjourned on several pretexts only to ensure that the case does not get decided before the change of guard.
As a result, the new Adjudicator will need to take stock of the developments of last 6 months before proceeding with the adjudication and inevitably the poor victims of Cyber Crimes who were hoping that their cases would be decided within the statutory period of 4 months will now have to wait much longer.
We hope that the new Adjudicator would quickly get into operation and continue with the case from where it was left off. The situation is a test for Cyber Judiciary system as it would determine how the system functions when there is change of the Adjudicator midstream in an ongoing case. The advocates representing the parties would perhaps demand a fresh enquiry where has the victims feel done in by the system and the delays which are common in Civil Cases but were sought to be removed in the Cyber Judiciary system. Since the Adjudication system is an “Enquiry” process and is not bound by the Civil Procedure Code, it is open to the Adjudicator to device his own system for continuance of the pending proceedings to uphold the principle of natural justice which is the driving principle of Adjudication under ITA 2000/8
International Perspective of Rules under ITA 2008
May19: Here is an international perspective of the proposed rules under ITA 2008 draft of which were released on April 11th 2011. The rules need to be Gazetted. There are several objections raised regarding the rules and a final word has not been said as yet… Article
Will Banks take note of this flaw in their security system?
May17: Banks have been claiming that internet banking is safer with SMS alert systems being in place. RBI seems to innocently agree with the same. Now this warning from Delhi Police should open the eyes of RBI and the Banks. The Delhi Police has pointed out to the modus operandi of fraudsters to divert the SMS alerts to cloned SIM cards preventing the account holder from getting any alerts. This diversion of SMS alerts are used in conjunction with phishing to commit frauds.The so called 2F authentication through OTP also suffers from the same weakness since OTP can be obtained through the cloned SIM. RBI should therefore consider 2F authentication though SMS as inadequate security.. HT News
One More Phishing Complaint upheld in Chennai
May 17: After the Landmark judgement in April 12, 2010 in the case of S.Umashankar Vs ICICI Bank, the adjudicator of Tamil Nadu has delivered another judgement in the case of Thomas Raju Vs ICICI Bank holding the Bank liable to repay the loss sustained by the customer on account of unauthorized access to his account. Though these cases are generally termed as “Phishing” cases, it is always the Bank that claims that no body can access the account without the customer sharing his password and try to paint all cases as cases of negligence by the customer. However in the case of Thomas Raju, the customer claimed not to have received any phishing mail at all. In two other cases before the adjudicator of Tamil Nadu involving PNB, the customers have claimed not to have divulged one of the two passwords required for passing the transactions. It therefore appears that these are not strictly phishing cases but are cases where there is a prima facie failure of security in the Banking system.
It may also be noted from the website of TN Government that in the last year ICICI Bank has entered into compromise in two more cases where ICICI Bank was involved. Thus to 4 customers of ICICI Bank in the last year have found relief through adjudication. I hope that the legal community would consider making use of the adjudication system in every State in appropriate cases in future. Copy of Judgement
May 16: Legal profession has in the past been considered as a noble profession where public spirited persons may serve those who need the support of the judiciary for relief when they were victims of some contravention of law. ….It is therefore heartening to note that bright young people are showing some interest in the profession as is indicated by the response to the competitive examination, CLAT 2011 which determines the qualifiers to enter into the prestigious National Law Schools. ...More
RTI Appeal with RBI remains unanswered
May15: Naavi had filed an RTI application with RBI regarding the G Gopalakrishna Working group report. The information officer had rejected the information on grounds of national security interests. An appeal had been preferred on the same on April 1st. Even after 45 days, there is no response from the appeal authority. A reminder has been sent today. The application and the RBI reply is being made available through this site so that somebody in Mumbai can assist me in pursuing the request. RTI Application : Reply received: Appeal
Unauthorised Blocking of websites is also an offence
May10: It is observed that many websites and articles are being blocked by ISPs. It is presumed that at least some of these are done on the basis of informal orders from the DIT. If ISPs donot have a formal written order to block a website then their action can be termed as “Denial Of Service” under Section 43 and 66 of ITA 2008. ISPs should therefore clarify if the blocking of websites such as bloggernews.net have been properly authorized. Since some of the articles of Naavi which have been blocked cannot be justified under national interests, the blocking of the sites can only be termed illegal. If action is initiated, some officials of ISPs may find themselves answerable to law…provided law cannnot be bent by the influential !
The end of Naavi.org in sight?
May 10: Given the trend of website blocking resorted to by the Government of India, DIT, it will not be surprising that Naavi.org may be the next target for being blocked by the Government of India, DIT. In the recent days there have been so many objectionable happenings in the Indian Cyber space that it becomes impossible not to express opposition through the website. However this makes many in the administration unhappy. The current approach of the GOI is tending towards the “emergency day arrogance” and hence there is a reasonable expectation that Naavi.org would be forced to close down.
If this happens, the nearly 14 year old crusade on “Creating a Responsible Cyber Society” being pursued by Naavi may come to an end. In the past whenever websites are blocked, they have remained blocked for an indefinite time and hence our communication with the readers may get cut off. I therefore would like to to place this contingent obituary on the site and thank all those who were supportive of Naavi.org in the past.
Even if Naavi.org is blocked in India it is intended to continue the publication for the international audience and those who can access the site from outside India may still continue to receive the site.
Is Bloggernews.net blocked?
May10: It appears that not being satisfied with the blocking of a selective article on bloggernews.net, the Government of India has now blocked the entire URL www.bloggernews.net. It is not clear if this was a result of any Court action. There is a possibility that this could be because of this article on “Calling attention of CVC..” or it may be due to this article where a copy of the letter sent to RBI Governor is published though in such a case it is likely to be an administrative order not backed by any Court order. Related Article in Statesman. Related Article in techgoss.com
Fake EVMs in West Bengal
May10: Fake EVMs have been detected in Midnapore, West Bengal where Trinamool Congress workers have also been accused of having prevented voters from casting votes. It would be interesting to observe if cases will be booked under ITA 2008…. IE Story
Beware of Osama related Cyber Frauds
May4: With a high interest in the cyber space to know more about the killing of Osama Bin Laden and view the photographs, it is expected that Cyber Crime perpetrators will exploit this interest in enticing Netizens to visit malicious websites and implant trojans and viruses. Sympathizers may also be lured into advance free frauds in the form of donations. Netizens may therefore refrain from visiting any site not known to be an official website of a reputed agency. If a search is thrown up on Google, Netizens should verify the hyper link and check if the URL is correct. It is preferable to type the URL where known. Related article in Chicago times
G Gopalakrishna Working Group Report notified
May1:RBI has notified Banks on information security guidelines in e-Banking based on the G Gopalakrishna working group report. It would be interesting to analyze the RBI notification in comparison with the original report and its recommendations. Naavi.org would provide its views in due course. Copy of RBI Circular
April 30: I would like to bring to the notice of the Central Vigilance Commission and the Comptroller and Auditor General of India an apparent irregularity that needs investigation in the interest of the Country. The issue involves according to one estimation a decision proposed to be taken by the Ministry of communications and Information technology resulting in IT stake holders collectively spending Rs 700 crores immediately by a payment to a private party abroad just to know what is the law of Information security in India that applies to them. Stakeholders who want to comply with the law later may collectively be required to spend around Rs 30000 crores each year to follow the law as being notified and this commercial benefit is again going to private sector because of this notification.
There is a need therefore to stop the approval of the proposed notification until a national debate is undertaken in the matter and all stakeholders are convinced that there is no reason to suspect irregularity in the promotion of a commercial benefit of this magnitude….More
Draft Rules for Sec43A-79-cybercafes, finalized?
April 30: The draft rules proposed under ITA 2008 under sections 43A, 79 and for Cyber Cafes seems to have been finalized. Unfortunately the department seems to have stuck to its earlier version which was sent for public discussion and suggestions of the public seems to have been completely ignored. Naavi.org has been particularly critical about the adoption of ISO 27001 as the necessary and sufficient criteria for the compliance of “Reasonable Security Practices” which is considered incorrect since the framework is proprietary, not available in public domain without a cost and grossly inadequate. The department has accepted in a communication to Naavi that no study has been made by the department on the impact of adopting ISO 27001 as the statutorily approved framework and the financial implications of the same on the India as a country.
In the light of this admission, it is strange that the department has ignored the issues raised by Naavi (Ref:Is India selling itself out to ISO 27001?). :
Banking Ombudsman Orders payment in Bank fraud case
April27: In another instance of a bank fraud involving unauthorized debit, on the advise of Banking ombudsman in Mumbai Punjab National Bank has refunded a sum of Rs 184980/- to the customer. The letter from the Bank requests the customer to drop/delist his complaint. It is not clear if the incident will reflect in the Banking Ombudsman’s report or would be hidden from public as “Complaint withdrawn”. We also need to wait and see if Punjab National Bank has reported this incident in their annual report for the period ending March 31, 2011. If not, we need to check what is the RBI policy regarding report of such security breach incidents.
Indian Judiciary needs to Act differently
April 27: NY times has commented on the recent developments in India on Internet Censorship. The Center for Information Society, Bangalore recently published a list of 11 websites that have been blocked by the Government of India (See article). According to the report, instructions for blocking of the sites were issued by the CERT-IN based on some Court’s judgments. What the report however fails to highlight is that some of these so called judgments based on which CERT-In passed the blocking orders were “interim orders” pending hearing of a complaint. At least in one case information is available to suggest that the defendant was not given due notice to appear and still the Court passed an interim order until next hearing that the site be blocked. It is observed that many advocates misuse the provision of “Interim orders” to get favourable judgements at least in the short term. The fault however lies in the system where judicial proceedings are generally delayed and any interim order is good enough for a few months and in some cases for a few years. It is necessary for the Chief Justice of India to look into each of the 11 cases referred to in the article of CIS and determine how many of them are after a due process of law.
IBA and RBI needs to take note of MCA Advice
April27: The Circular issued by Ministry of Company Affairs on the use of e-mails for outward communication such as AGM notices etc is a matter which needs to be taken note of by Banking institutions including the regulator such as RBI and the industry forum such as IBA. The circular makes a direct reference to Section 5 of the ITA 2008 indicating the need for digital signatures to be used for authentication of e-mails. RBI initially in its Internet Banking guidelines of June 14, 2001 had clearly mentioned that PKI based authentication systems must be adopted by Banks for its e-banking operations. Though this was not specific to whether digital signature should be used for e-mails or for account transactions, it was clear that wherever electronic documents need to be authenticated, PKI system as required under ITA 2000 was to be adopted, failing which Banks should assume the legal risk. However, since June 2001 to current date, RBI has not bothered to force the Banks from adopting digital signatures. Even after MCA made digital signatures mandatory for corporate returns and Income tax department for filing of tax returns, Banks continued to ignore this important aspect of law. IBA on the other hand appear to be silent on the issue that most Banks are openly flouting the RBI regulations. From our observations of the industry, one of the Country’s leading Bankers and a leading private sector bank are stonewalling adoption of digital signatures in Banking. RBI seems to be incapable of meeting the resistance though it is illegal. IBA is part of the resistance itself since it is the body of the same Banks.
Industry observers are aware that there is a back room maneuvering going on at the highest levels to get administrative support the non compliant methods of e-banking that is prevalent in India.
Naavi.org which is in the forefront of a crusade for better security for Bank customers in e-banking era, has time and again brought to the notice of the public, RBI, IBA, SEBI Ministries involved, Some of the Banks involved as well as the Cyber judiciary system that non adoption of digital signatures for banking transactions and e-mails is a serious non compliance issue. Excepting a part of the system, others are unmoved by the pleas of Naavi.org. It appears strange that Naavi is isolated in this concern for e-banking customers and no other institution appears even remotely as concerned as Naavi.
We therefore need a Citizen led movement to make the regulatory institutions to act. Naavi.org will start a new phase of “Building an Awareness about the need for Cyber Law Compliance by Bankers” from 1st of May and would welcome any other individual or organization that would like to join hands in this campaign to liberate Bank customers from the risks of E banking arising out of negligence of the Bankers. Watch out this space for the roll out of the campaign.
MCA advises use of e-mails for notices
April 26: As a part of compliance of section 53 of Indian Companies Act, Ministry of Company affairs has issued a circular that as a “Green initiative”, e-mails can be used as a substitute for communication under certificate of positing. It is good that the government has realized the potential of e-mail at least now. It may however be necessary for the Government to clarify that e-mails are to be digitally signed.Article in CIOL :Circular
Dashworld reopens debate on Alternative Domain Name System
April 24: Alternative domain name systems that work outside the ICANN is the biggest challenge to the authority of ICANN to regulate the Internet name space. At the same time the logic of alternate domain name providers which supports a free Internet movement cannot be faulted. Alternate domain name management systems emerged way back in 2002 and earlier (See article: Is There an Alternative to ICANN?). Obviously there was a reported attempt to disable the alternate domain name systems through ISPs and US Government intervention. Afterwards there was a silence indicating that these efforts had fizzled out. Recently however dashworld.com has restarted the alternate domain movement. If this trend catches on, there will be a need to re-look at the current system of administration of domain names and particularly the law related to Cyber squatting and relevance of services such as lookalikes.in.
Clash of .xxx domains with New.net
April 24: By opening the registration of .xxx, ICANN has once again challenged Alternate domain name registration services such as New.net. Way back in 2002, the conflict started with ICANN issuing .biz TLDs which was already being used by the alternate domain name systems. Now .xxx is another clash point where all new registrants would be directly exposed to the risk of a domain name conflict with the registrants of .xxx with New.net. A serious thought has to be given to whether ICANN needs to recognize the alternate domain name operators and adopt an inclusive policy or pursue an apartheid system and keep them out.
Internet Governance Issues
April 22: Institute of Global Internet Governance & Advocacy (GIGA) is being inaugurated on 23rd instant at Hyderabad by Honourable Justice G.Raghuram, Judge, High Court of Andhra Pradesh. Dr V.C.Vivekanandan, Director of GIGA coordinates the activities of the Institute and discussing the various research and advocacy priorities of the Institute and chart out an action agenda for the Institute.
Litigation Support Or Public Service?
April 21: Naavi has been engaged as Netizen activist for over a decade now. His earlier crusade against Savita Bahbhi.com is well known. For the last few years, Naavi’s attention has been on protecting the interests of innocent Bank customers against frauds arising in the E-Banking sector. In pursuit of this, Naavi has offered consultancy for several cases. The objective of Naavi has been that innocent victims of Bank frauds are to be protected and Banks should improve their security. Unfortunately, commercial considerations always affect Information security whether in an SME or a huge Bank. It is a natural tendency of every businessmen to make profits and cut costs.When an activist opposes the establishment which is neglecting consumer interest, the establishment looks upon the activist as a trouble maker and tries its best to silence him if possible by various means. This is as much true of Shanti Bhushans involved in the Anna Hazare initiative as of Naavi in his anti phishing initiative.
Presently Naavi has a role to play as an Activist trying to protect the larger society of Netizens from victimization by commercial interests. However some of the cases in which he is presently engaged with, are hindering his freedom of expression since Banks are trying to put a rein on his public service because the matters he may raise could technically be called sub-judice. Though all matters which are sub-judice donot become a contempt of court when reported in the public, it is not always easy to convince a Court about the nuances and this could create some practical issues in Naavi discharging his role as an Activist cum representative of a victim. Though involvement in the initial cases were necessary as an inertia breaker, there is a feeling that it may restrict Naavi’s role in public service in the long run. Since each of the cases often drags for over three years before culmination despite the legal limitation of 6 months in Adjudication and 6 months in CAT, some lawyers successfully reduce the fast courts into ordinary courts by seeking frequent adjournments. Because of these delays, if Naavi is engaged in more of the litigation work, he will cease to be able to serve the society as a Netizen activist. This has raised the dilemma “Litigation support or Public service?”
RBI and IBA are two national level organizations which ought to take up the responsibility of making e-banking safer. However, one does not get the confidence that they would be capable of safeguarding the interests of the Customers of banks when there is a conflict with the interests of the Banks themselves. While IBA being a forum of Bankers and such an attitude is natural, the way RBI has so far handled the issue of security in the G Gopalakrishna working group fails to provide confidence that it will continue to be the protector of Bank customers. A reading of the industry developments at this stage indicate that a group of Bankers are actively working towards diluting the law of e-banking in India to protect the Banker’s commercial interests against the public interest of the customers. It is possible that RBI may be supporting them. Soon there will be a request made to the Ministry of Information Technology for certain amendments to ITA 2008 to protect the Banker’s interests though it may hurt the customer’s interests.
It is felt therefore that a movement against a tendency to exploit Bank customers is required in India. Naavi is reminded of the late Sri M.R.Pai who served the bank depositors during the Seventies and Eighties working for their safety of their deposits.. We donot see any such visionary leaders around at present to protect the Bank customers in the e-Banking era. But we hope that just as an Anna Hazare movement emerged from no where to shake up the country, we will see a movement emerge, to put an end to the exploitation of Bank customers.
Naavi would be happy to take active part in such a movement when it emerges. In the light of the above, Naavi is considering the ways and means of completing the current assignments on Phishing and freeing himself to take part in such a movement. All those who want to be part of such movement to protect the e-banking customers from being exploited by the profit hungry bank establishments may contact firstname.lastname@example.org. People who can take the mantle from Naavi and support phishing victims in various cities may also contact Naavi so that we can develop a network of public spirited activists all around the country who would help innocent victims of bank frauds in getting justice.
ICICI Bank settles with a Phishing victim Out of Court
April 20: It is reported that in one of the adjudication applications in Chennai, by Shri Jeevika Arasu Vs ICICI Bank, the Bank and the customer have come to an out of court settlement. A copy of the order from the Adjudicator in this regard is available here. On 20th April, ICICI Bank counsel who had to appear in the Cyber Appellate Tribunal in Delhi to argue the case against Mr S.Umashankar absented himself citing “Personal” reasons. While we donot know if there is any relation between his absence in Umashankar appeal case in Delhi and the reported compromise from the Bank in Chennai, it may be noted that after Dwarak Ethiraj case, Jeevika Arasu case is the second published compromise entered into by ICICI Bank in Chennai in respect of Phishing complaints. Hopefully the Bank is realizing the futility of fighting against its own customers. May God give them the wisdom to make it a regular practice so that the fruits of Umashankar’s fight reaches many more customers.
US takes Suomoto action against Botnets
April16: US Department of Justice in association with Mirosoft is reported to have launched a major offensive against botnets. Filing a Civil Complaint under the “John Doe” principle on unknown perpetrators, US attorney office has obtained search and seizure warrants and proceeding on an offensive.
We may note that the Adjudicators under ITA 2008 are also empowered to take such Suo Moto action when there are a large number of victims from an unknown perpetrator. This can not only apply in case of Virus and Botnet instances, but also on Phishing instances. It can also apply when there are a large number of Bank accounts known to be used for encashing Phishing proceeds.
We hope that a public spirited Adjudicator will launch such a proceeding.
Banking Ombudsman Orders payment
April 11: In another Bank fraud reported from Gurugaon where a customer had lost around Rs 6.6 lakhs by way of fraudulent withdrawal through ATM, the Banking Ombudsman has order the Bank to pay back the amount lost to the Customer. The order restores the amount lost but is silent on the interest.
Vigilance Cannot be dropped
April 9:It is good news that ultimately the Government of India has agreed to the formation of a drafting committee to draft an effective Lok Pal Bill. This is a victory for the people and could be as significant as the second independence movement. However, the stakes are so high for politicians that it is unthinkable that they would allow an easy passage of this Bill making it into a law and allow an independent person to head the Lok Pal. If appointments to key offices such as CVC and CEC could be politically influenced, the possibility of political mischief in the formation of Lokpal cannot be ruled out. It is necessary for the Civil Society to keep up the vigil and watch every movement of the Government and ensure that what has begun well also ends well.
Public Pressure Mounts on the Government
April 8: It appears that the public pressure is mounting on the Government that it should yield to the demand of the Anna Hazare lead movement to draft a Jan Lokpal bill including members of the Civil Society in the drafting committee. Hopefully by tomorrow the official notification is expected to be announced.
RTI Application on Websites blocked
April7: In a reply to an RTI application, DIT has indicated the list of websites blocked by it so far under the ITA 2000/8. We congratulate Mr Pranesh Prakash of Center for Internet Society for having taken this initiative.Details
Corruption is the biggest threat to India.. We need to join the fight
April 6: It is heartening to note that a movement is building around Mr Anna Hazare all over the country for immediate action on Lok Pal bill. After the recent internet based movements in Egypt it is time for Netizens to express their solidarity to Mr Anna Hazare in whatever manner they can. The Government will have its hesitation and we cannot expect the it to take positive action unless there is enormous public pressure.. We may require a “Non Cooperation” movement with the Government to really make it think in the direction of involving the civil society in a bill on which the politicians have a direct vested interest.
There are some intellectuals who will have their own argument why prevention of corruption is not possible and it is necessary for common men to ensure that the movement is not derailed by such pseudo intellectuals. Corruption is a decease which corrupts the society and creates inequalities where there may be none. At a time when there is a scam a day the need for a systemic infrastructure to act as deterrence to corruption is the need of the hour. If we donot support some body who has started a movement which is important for the future of India, we will be failing in our duty to the nation. Let’s therefore welcome the Anna initiative. For more information read here: Comparision of Lokpal bill drafts Govt Vs Civil Society : Also see: indiaagainstcorruption.org
Build Yourself an Anti Phishing Shield
April 4: It is observed that Phishing attacks are now appearing on many Indian Public Sector Banks which has a large population of customers who are not sufficiently net savvy. Though there is an increasing awareness of Phishing frauds, the number of frauds are expected to increase in the coming years. A Phishing crime network is under development which starts from opening Bank accounts with false ID, obtaining passwords of customers by various means, accessing accounts over internet and transferring money to fraud accounts and withdrawing through ATMs.
A new threat that emerges in this context is that some internal workers in Banks (which includes temporary workers who work in marketing as well as employees of outsource partners) may use the cover of Phishing attacks and commit frauds of their own. The modus operandi would be to send a Phishing mail to targeted customers whose passwords have already been obtained by some means and then access the account. If there is any objection from the customer he would be confronted with the fact of receiving the Phishing mail and forced to believe that he might have answered the same and therefore should bear the liability.
Though this can be challenged, it is a painful and long drawn process. Since most of the evidences that can defend the victim are available only with the Bank and not with the victim and the e-discovery process is relatively unexplored, there is a need for Bank customers who receive phishing mails to build their own shield against being unfairly held liable for an internal fraud.
In order to provide some sort of a shield for such employee assisted phishing frauds, CEAC has launched two services namely CEAC-ITN (Identity Theft Notice) which is a free service for reporting such events to a trusted third party and CEAC-VPN( Virtual Public Notice) which is a paid service. Though it is not yet clear if this would be considered by Courts as an effective alibi for the registrant, it is considered a good step towards building a legal shield against being unfairly treated by Banks in the unfortunate event of a phishing attack. Details
Data mining of Health Information leads to legal suits
April 3: A national drug-store chain Walgreen co in California has been accused of having unlawfully benefitted from the information of its customers. In what could be considered as a suit that can hurt the data mining industry in general, the dispute is over “de-identified prescription” information which the store chain has allowed to be used by medical companies. It is charged that the “information” on which the store has made a commercial gain belongs to the patients and that it cannot be commercially exploited by the store. Related Story 1 : Related Story2 : Related Story3
Cignet Fine sends HIPAA concerns soaring
April3 : The OCR’s decision to fine Cignet a total of US $4.3 million has sent alarm bells in the healthcare industry in USA on the consequences of non compliance of HIPAA. This was the first time the new HITECH Act penalty schedule was applied. It is said that Cignet violated the rights of 41 patients when it denied them access to their medical records and also not cooperated with the OCR in its investigations. It was considered as a “Wilful Neglect” not corrected within 30 days. Details
PR Syndicate honours ‘Cyber Law Guru of India’, Na.Vijayashankar
PR Syndicate, (an organization of Corporate PR Professionals in Chennai,) celebrated its First Anniversary on 20th January 2007 at Russian Cultural Centre. On the occasion, “Award of Excellence in Public Life” was presented to ‘Cyber Law Guru of India’ Na.Vijayashankar…More
What is Naavi.org?
Naavi.org is India’s premier portal on Cyber Law. It is not only an information portal containing information on several aspects concerning Information Technology Law in India but also represents the focal point of several services around Cyber Law carried on by Naavi.
The first such service is the Cyber Law College a virtual Cyber Law education center in India which provides various courses on Cyber Law.
The second key service is the Cyber Evidence Archival center which provides a key service to help administration of justice in Cyber Crime cases.
The third key service is the domain name look-alikes dispute resolution service which provides a unique solution for websites with similar looking domain names to co exist.
The fourth key service is the online mediation and arbitration service another unique global service.
The fifth key service is the CyLawCom service which represents the Cyber Law Compliance related education, audit and implementation assistance service.
Additionally, Naavi.org is in the process of development of four sub organizations namely the Digital Society Foundation, Naavi.net, International Cyber Law Research Center and Cyber Crime Complaints and Resolution Assistance Center. Digital Society Foundation is a Trust formed with the objective of representing the voice of Netizens in various fora and work like an NGO to protect their interests. Naavi.net is meant to develop a collaborative distributed network of LPO consultants. International Cyber Law Research Center would support research in Cyber Laws and Cyber Crime Complaints and Resolution Assistance Center would try to provide some support to victims of Cyber Crimes.
Together, Naavi.org represents a “Cyber Law Vision” that goes beyond being a mere portal. Started in 1997, when the concept of Cyber Law was new across the globe, consistent efforts over the last decade has brought Naavi.org to the beginning of “Phase 2” in which the services are ready to reach out to a larger section. This is recognized as the phase of collaborations and growth by association. Naavi.org will therefore be entering into a series of associations to develop each dimension of its vision with an appropriate partner. Individuals, Organizations and Commercial houses which have synergistic relationship with the activities of Naavi.org are welcome to join hands in commercial and non commercial projects of Naavi.org.
“WikiLeaks Is Not One Person…We Are All the Threat”–Hacker Magazine Editor Says WikiLeaks Is Bigger Than Julian Assange
We speak to Emmanuel Goldstein, a well-known figure in the hacker community and the editor of the magazine 2600: The Hacker Quarterly. He is also the organizer of the HOPE conference. WikiLeaks founder Julian Assange had been slated to be the keynote speaker at the most recent conference. Federal agents were there waiting for him, but Assange didn’t show. [includes rush transcript]
Vijay Mallya’s website hacked by Pak hackers
MUMBAI: Rajya Sabha member and industrialist Vijay Mallya’s personal website has been hacked allegedly by Pakistani hackers with “dire” threats that India’s cyber space was not secured being posted on it.
The liqour baron’s spokesperson Prakash Mirpuri said on Sunday that a complaint in this regard would be lodged with the city police on Monday. A Pakistani flag was also depicted on the website of the chief ofKingfisher Airlines.
“Dr Mallya’s website http://www.mallyainparliament.com has been hacked and the Pakistani flag has been placed with a dire message from an organisation known as the Pakistan Cyber Army,” the spokesperson said.
“A police complaint will be filed with the cyber crime as soon as the (cyber) cell opens on Monday,” he added.
Mallya said he was shocked at the defacement of his website.
“This morning when I went into my site, I was utterly shocked to see the Pakistani flag and the message,” he said, adding “what was more shocking to me was to see that it was done by some Pakistani outfit.”
Mallya said he will report the incident to the Union government on Monday.
The defaced site says ‘Feel the Pakistan’ with danger signs and adds that ‘we are sleeping, not dead’
“This is a payback from Pak Cyber Army in return to the defacements of Pakistani sites! You are playing with fire!, This is not a game kids. We are warning you one last time, don’t think that you are secure in this Cyber Space We will turn your Cyber Space into Hell,” the site says.
‘And make sure that you have someone to Cry Over because we gona literally throw you in the deep sea, Will revenge ! if any pakistani site Hacked by Indian’s!’ the damaged site adds.
A cyber expert says that ahead of Independence celebrations, cyber attacks on the websites of both Indiaand Pakistan are usually noticed.
“Some websites belonging to Pakistan get defaced while some sites of India get hacked. The hackers leave their mark to show their strength. Moreover, they target well known websites so that the hackers get huge publicity,” Cyber Expert Vijay Mukhi said.
Another hacking story and this time it’s not a government website, but TCS’s website, TCS.com
TCS Website Hacked
The hacker has even put up the whos.among.us widget to display how many people are on the site at any given point.
Hacker has even put up his email id, in case you want to buy the domain.
199 govt websites defaced in last 6 months: Kamat
NEW DELHI: The government said 199 government websites have been defaced by foreign hackers in the last six months.
“The website of Central Bureau of Investigation ( CBI) was defaced by a foreign hacker ” Pakistan Cyber Army” on December 3, 2010. In addition to this, a total of 198 government websites were defaced by foreign hackers in the past six months,” Minister of State for Communications and IT Gurudas Kamat said in a written reply to the Lok Sabha.
He added that several measures have been taken to detect and prevent cyber attacks. This includes audit of all new government websites and applications and engaging National Informatics Centre (NIC) to improve safety posture etc.
Replying to another query, Kamat said a total of 420 cases were registered under the IT Act 2000 in 2009.
“A total of 217, 288 and 420 cases were registered under IT Act, 2000 during 2007, 2008 and 2009 respectively, thereby showing an increasing trend. A total of 339, 176 and 276 cases were reported under cyber-crime related sections of IPC during 2007, 2008 and 2009, respectively,” he said.
A total of 2,565, 8,266 and 10,315 security incidents were reported to and handled by Indian Computer Emergency Response Team (CERT-In) in 2008, 2009 and 2010, respectively he added.
692 Government Sites Hacked
Indian government’s site getting hacked is not a news, but 692 of them? Well, that’s a news and is representative of the sad state of technology in government sector.
As per a report by ToI, 692 government websites have been hacked in September month alone, out of which 511 had .in domain (74%), 20% had .com domain.
Common hack methods include stealing admin password and entering the site via FTP or web server.
‘However, it is a technical field that needs a lot of expertise. We are not yet equipped to handle such pressure as of now. We hope that further training can help us in cracking these cases,’’ said a senior official of the economic offences wing, which handles cases for Delhi police.
692 sites in one month! – Isn’t it high time government upgrade it’s technology infrastructure (and stop talking vaporware like making government sites accessible compliant?)
CBI website hacked by ‘Pak Cyber Army’
Press Trust of India, Updated: December 04, 2010 22:51 IST
The home page of the CBI website had a message from the ‘Pakistani Cyber Army’ warning the Indian Cyber Army not to attack their websites.
The CBI website, supposed to be one of the most secure websites, is connected to the command centre of world police organisation – Interpol – 24×7.
The message from the hackers also spoke about the filtering controls provided by the National Informatics Centre (NIC), a body which mans computer servers across the country. It also claims to have hacked another 270 websites.
Intelligence agencies have been often warning the government that proper cyber security was not being ensured in government offices and that no security audit was being carried out.
The website has still not been restored. In a late night statement, the investigating agency said, “CBI is aware that its official website has been hacked and defaced. An inquiry has been launched and necessary remedial measures are underway to restore it.”
Telecom Minister Kapil Sibal has said that the cyber attack on the CBI website is serious issue and that he would look into it. “These are important issues, we will look into it,” Sibal said. (Watch)
Speaking on the issue, Supreme Court advocate and cyber law expert Pavan Duggal said the hacking of CBI website is an act of cyber war. “I think this is not a mere hacking incident. It is a step towards a cyber war,” he said.
Indian government wants to make their websites accessible compliant, i.e. making it easy for people with disabilities, especially visually-impaired ones to use government websites.
Web Accessibility Guidelines
Typically, individuals with disability use screen reader softwares which read out synthesized speech of the entire HTML (or some parts). Accessibility guidelines range from using semantically meaningful/valid HTML tags to using alt tags for images and closed captioned for videos etc.
While all this sounds ambitious for the government, we just hope that government first make it’s website usable for otherwise normal people – most of the sites have moving banners and are open for hackers (read:Cyber war between Indian and Pakistani Hackers).
Last, but not the least – we just hope that government doesn’t mandates Indian sites to be made accessibility compliant (they made Online Transaction More Difficult)– the market is too small to spend effort in such initiatives.
What’s your take on this initiative?
The state highway police’s website was allegedly hacked by an unknown person, who changed the accident figures to show a steep decline in the number of deaths for the year 2010. The changed statistics show the number of fatalities went down by almost 9,000 between 2009 and 2010. In 2009, th e number of deaths was 11,396. The records for 2010 show the number of deaths to be 1,762, even though an earlier table shows the number of deaths between January and June 2010 to be 6,588. The highway police said they are in the process of correcting the data on their website.
Superintendent of police (state highway) BG Shekhar told the Hindustan Times that the website was hacked some time ago.
“We are trying to correct the data that appears on the website right now and we hope to put everything in order by Monday,” Shekhar said.
The police said figures between 2004 and 2008 have shown a consistent rise in fatalities on state highways.
In 2004 there were 9,822 deaths reported, 12,397 deaths were reported in 2008.
Additional director general (state highway) AK Sharma refused to comment, saying he was holding additional charge.
- MIT (ILP) hacked by Cyber_Owner
- United Nations Children’s Fund (UNICEF) Hacked by ZCompany Hacking Crew
- Sony Music Brazil Gets defaced !
- THN Report : ACER hacked because of their own stupidity !
- Lulzsec Leaks Source Code of Sony Computer Entertainment Developer Network !
- Anonymous Operation India Press Release after Ramdev fiasco to fight with against corruption
- Total Exposure – The Hacker News [THN] Magazine – June 2011 | Issue 03
- National Informatics Centre (NIC INDIA) got hacked by Anonymous !
- Ani-Shell v1.0 – PHP shell with features like Mass-Mailer , Fuzzer , DDoser by lionaneesh
- CitiBank hacked & large number of customer data stolen
- Epic Games Database Hacked by Contra
- Hackers stole classified information from two Canadian ministries
- Chinese hackers having aim to Spying on U.S. Govt
- Chinese Hacker Cracks Hundreds of Gmail Accounts of U.S. & Asia