Tuesday, November 6, 2012

Should India Use Cloud Computing?

Cloud computing is a profitable business model, especially in India. That is why it has been effectively imposed upon Indian netizens without telling them of its dangers.

India has weak cyber law, ineffective cyber security, and no privacy, data protection or data security laws. In other words, cloud computing is a perfect breeding ground for cyber criminals in India and the world over.

Lack of regulatory and security support has discouraged a dominant majority of CEOs in India from using cloud computing for their businesses. Add to these woes the frequent leakage of sensitive information in India and growing, unaccountable e-surveillance.

Imagine a situation where cloud computing service providers have nothing to lose from the intentional or unintentional leakage of sensitive information. They cannot be challenged in a court of law, because they would not be violating any law.

Further, if security agencies access that information, even without a court warrant, these cloud computing service providers would be more than happy to oblige them.

India must first establish proper legal frameworks for privacy, data security, data protection, lawful interception and effective cyber law. Equally important is a law on information security, which India still lacks.

Until these laws are in place, cloud computing is a risky and undesirable model in India.

Cloud Computing Due Diligence In India By Perry4Law

Cloud computing around the world is growing in popularity, but the legal control of this technology is still catching up with its requirements. Nowhere is that more true than in India, where a legal framework for regulating the cloud computing business urgently needs to be formulated.

Any business that wants to explore cloud computing must know exactly what is legal and what is not. That is where we play the decisive role. At Perry4Law, we manage cloud computing due diligence and make sure that you are in full compliance with the law before you offer cloud computing to your clients.

The Information Technology Act, 2000 laid the groundwork for due diligence requirements for businesses and stakeholders in the IT industry. Many of the act's provisions are relatively stringent, and companies that jump too quickly into cloud computing can find themselves in a jungle of legal issues if they do not perform careful due diligence.

Thus, cyber law due diligence in India cannot be ignored by cloud computing service providers. At Perry4Law we have been managing cyber due diligence for Indian companies on multiple fronts.

One area in particular that has caused headaches for IT companies is privacy. Civil proceedings are being initiated more and more frequently by individuals and businesses who believe their privacy rights have been violated, and as cloud computing grows, the potential for even more lawsuits increases.

We can help your enterprise navigate the legal framework that currently regulates cloud computing, and also assist you in establishing a best practices model that ensures a rock-solid cloud computing policy for all of your stakeholders.

At Perry4Law, we have our feet on the ground and our head in the clouds (the new practice of cloud computing, that is). On request, we can help you enter this rapidly growing area of technology successfully and profitably while staying on the right side of the law.

We have also been helping corporations, governments and private clients with dispute resolution, competitive intelligence and recovery of assets, due diligence for Indian companies, India market entry, corporate legal services, intellectual property protection, mergers, acquisitions and recovery actions, cyber forensics, cyber security, e-discovery services, etc.

Source: ICTPS Blog

Regulatory Framework For Cloud Computing In India

The proposal to use cloud computing in India has raised many regulatory and security concerns. Until these concerns are met, software as a service (SaaS) and cloud computing should not be used in India. In fact, cloud computing in India must be techno legal in nature, and until it meets those techno legal requirements it should not be used.

Before using cloud computing in India we must ask ourselves a few questions: what regulatory frameworks are required for successful cloud computing, how the security concerns are to be addressed, what legal frameworks exist for multi-jurisdictional cooperation, and what the quality of service (QoS) parameters for an effective cloud service are.

Besides a regulatory framework for cloud computing in India, we must also ensure high availability levels, appropriate data erasure mechanisms, data privacy at the service provider's level, export restrictions on data and mechanisms for monitoring data handling, and address jurisdictional issues, cloud computing security issues, licensing issues for cloud computing, etc.

India still has no cloud computing policy. Cyber security in India is weak, and even a national cyber security policy is missing. There is no privacy law, no data protection law, and no data security or cyber security law in India. In short, there is no legal framework for cloud computing in India at all.

Fortunately, stakeholders have openly supported the need for a regulatory framework for cloud computing in India. Under increasing pressure, the Indian government may consider formulating one. The sooner it is done, the better it will be for all the stakeholders concerned.

Source: ICTPS Blog

Cloud Computing Due Diligence In India

Cloud computing in India is still in its infancy. The primary reasons are the absence of a legal framework for cloud computing in India, missing privacy laws, the absence of data protection laws, inadequate data security, etc. Even basic cloud computing regulations are missing in India.

Many legal experts in India have opined that India must not use software as a service (SaaS), cloud computing, m-governance, etc. until proper legal frameworks and procedural safeguards are in place. Even the CEOs of many companies are apprehensive about using cloud computing for their businesses.

Anyone who offers cloud computing services in India, whether a company or an individual, has to comply with many legal provisions and cyber due diligence requirements. The Information Technology Act, 2000 (IT Act 2000) prescribes due diligence requirements for various business organisations and stakeholders, and these apply equally to cloud computing service providers in India.

These due diligence requirements are stringent, and cloud computing providers can find themselves in legal trouble if they ignore them. Managing sensitive personal data and information in India is no longer a casual affair; the requirements have become very stringent.

With the proposal to codify the law of torts in India, more and more civil proceedings for violation of privacy rights may be initiated against cloud computing service providers. It would be wise for all stakeholders to establish best practices and a cloud computing policy in their own larger interest.

Source: ICTPS Blog

Cloud Computing Laws In India

The use of cloud computing in India is still not very widespread. Many policy and law related issues are responsible for its slow growth and adoption. The absence of an effective cloud computing policy for India is responsible for its limited utilisation; however, the legal issues of cloud computing in India are the main reason for its cautious adoption.

India has no dedicated regulatory framework for cloud computing; in fact, it has no legal framework for cloud computing at all. According to the research and studies of Perry4Law and Perry4Law Techno Legal Base (PTLB), cloud computing in India is risky and India is not ready for it. This conclusion has been endorsed by other companies, and it has been reported that chief information officers (CIOs) in India are not comfortable using cloud computing.

In short, cloud computing in India is still not trusted. The primary reasons are the absence of a legal framework for cloud computing, missing privacy laws, the absence of data protection laws, inadequate data security, etc.

Even cloud computing due diligence in India is missing, and companies and individuals are using the cloud in great disregard of the various laws of India. Cloud computing service providers in India are required to follow cyber law due diligence. Cyber law due diligence for Indian companies is now well established, but cloud computing and e-commerce service providers are not taking it seriously.

We believe that India must not use software as a service (SaaS), cloud computing, m-governance, etc. until proper legal frameworks and procedural safeguards are in place. This has also been accepted by the CIO community, and it is now for the Indian government to do the needful. Similarly, cloud computing security in India also needs to be strengthened. As of today, the use of cloud computing in India is not a viable solution, because legal and security concerns are being ignored. Cloud computing in India must be techno legal in nature, and until it meets those techno legal requirements it should not be used.

Besides a regulatory framework for cloud computing in India, we must also ensure high availability levels, appropriate data erasure mechanisms, data privacy at the service provider's level, export restrictions on data and mechanisms for monitoring data handling, and address jurisdictional issues, cloud computing security issues, licensing issues for cloud computing, etc.

Privacy violations, data breaches, data thefts, cyber crimes, etc. will certainly arise when cloud computing is used in India. Anyone who offers cloud computing services in India, whether a company or an individual, has to comply with many legal provisions and cyber due diligence requirements. The Information Technology Act, 2000 (IT Act 2000) prescribes due diligence requirements for various business organisations and stakeholders, and these apply equally to cloud computing service providers in India.

These due diligence requirements are stringent, and cloud computing providers can find themselves in legal trouble if they ignore them. Managing sensitive personal data and information in India is no longer a casual affair; the requirements have become very stringent.

With the proposal to codify the law of torts in India, more and more civil proceedings for violation of privacy rights may be initiated against cloud computing service providers. It would be wise for all stakeholders to establish best practices and a cloud computing policy in their own larger interest.

Source: Corporate Laws In India

Computer Forensics Courses In India

The importance of research, education and training related to information and communication technology (ICT) is self-evident. This is even more so when the work is techno legal in nature, where both technical and legal issues are involved.

This is the reason the Lok Sabha passed a bill to grant IIT status to eight new institutes and to upgrade BHU's Institute of Technology into an IIT. The government has also asserted that steps are being taken to address the shortage of faculty and the quality of higher education.

The government has also endorsed the importance of public private partnership (PPP) in imparting quality research, education and training in India. One area that can greatly benefit from the PPP model is computer forensics research, education and training.

The phrase "computer forensics" conjures up a picture from a science fiction movie in which cops or professionals do the job with great ease and style. In real life, however, things are not as easy or glamorous as they are shown in movies.

Computer forensics is not an easy task. It is a complicated procedure that requires considerable cyber skills development and practical scientific knowledge of computers and their associated accessories. The evidence acquired through computer forensics must be legally admissible, so every precaution must be taken to acquire it in a legally acceptable manner (for instance, imaging the original media through a write blocker and recording a cryptographic hash of the image so that its integrity can later be proved).

Computer forensics in India is still in its youth. This is because there is a general lack of legal enablement of ICT systems in India that could strengthen computer forensics research, education and training. In the absence of adequate legal enablement of ICT systems, computer forensics has also not developed much.

Another reason for the lack of computer forensics in India is the absence of adequate, quality techno legal computer forensics institutions. Very few institutions provide computer forensics education and training in India, yet computer forensics is techno legal in nature and must cater to both the technical and the legal requirements of learners.

India has a single techno legal cyber forensics research, training and educational institution. It is managed by Perry4Law Techno Legal Base (PTLB). The centre provides techno legal computer forensics education, training and courses in India.

PTLB provides its computer forensics courses and other techno legal courses and training through e-learning and online education models. Registration for online education and training in cyber forensics and the other techno legal courses of PTLB can be done through its online platform.

The present course is a basic level course; highly specialised courses will also be provided in future, managed by Perry4Law Techno Legal ICT Training Centre (PTLITC).

Topics covered by the basic level computer forensics course include an introduction to the applicable law, the cyber law of India, digital evidencing in India, e-mail tracing, data recovery, etc. Students or professionals who complete the basic level training and education from PTLB will be given preference for courses and training undertaken by PTLITC.

Application form for the enrollment to various courses, internships and trainings can be downloaded from here and more details about the courses of PTLB can be found here.

PTLITC is also in the process of providing highly specialised, domain specific techno legal training, courses and education in fields such as cyber law, cyber security, cyber forensics, anti cyber terrorism, anti cyber warfare, human rights protection in cyberspace, lawful interception and self defence against unlawful interception, etc. If you have a temperament for techno legal courses, get yourself a seat, as the techno legal profession is going to be one of the most remunerative and in demand professions in future.

Source: Cjnews India

The Future Of Indian Cyber Law And Cyber Forensics

The cyber law of India is an essential part of the legal enablement of ICT systems in India, and it must be strengthened by good cyber forensics capabilities. The present cyber law of India is not only a weak piece of legislation but also ineffective against contemporary cyber crimes. It also violates the human rights of Indians in cyberspace. The bottom line is that India needs good techno-legal expertise to tackle the growing menace of cyber crime.

Information technology is a double edged sword that can be used for destructive as well as constructive work. Thus, the fate of many ventures depends upon the benign or malicious intentions of the person using the technology. Malicious intent expressed in the form of hacking, data theft, virus attacks, etc. brings only destructive results, unless these same methods are used to check the authenticity, safety and security of the technological devices an organisation relies upon for its security. The creator of the "Sasser worm", for instance, was hired as a security software programmer by a German firm so that he could build firewalls that stop suspected files from entering computer systems.

These methods may also be used to check the authenticity, safety and security of one's own technological devices, which the organisation relies upon and trusts for its security. In fact, a society without protection in the form of "self help" cannot be imagined in the present electronic era.

Thus, we must concentrate on securing our ICT and e-governance bases before we start encashing their benefits. This can be achieved if we give due importance to this fact while discussing, drafting and adopting policy decisions pertaining to ICT in general and e-governance in particular. The same holds for an effective e-commerce base: an insecure and unsafe ICT base can be the biggest discouraging factor for a flourishing e-commerce business. The relevant factors are too numerous to be discussed in a single work, so it is better to concentrate on each factor separately but in a coherent and holistic manner. The need of the hour is to give priority to a secure and safe electronic environment so that its benefits can be reaped to the maximum possible extent.

Prevalence of Cyber Crime

The prevalence of cyber crime throughout the world has frustrated law enforcement agents and legislators alike. According to an article published in the American Criminal Law Review, at least half of all businesses in the United States alone have been victims of cyber crime or some other sort of security breach. Cyber crime is such a detrimental type of offence not only because of the damage it can do to individuals and businesses but also because of the costs involved. These costs are most often associated with the repair of a computer system or network. There are also costs associated with the compromise of data that often accompanies a breach; this is particularly costly because of the damage it can do to the reputation of a business or organisation. Customers can become more apprehensive about shopping at a franchise that has experienced computer security problems, or about banking with a bank that has been the victim of cyber crime. For this very reason, the article points out, some businesses and organisations affected by cyber crime do not report breaches of security at all.

Cyber Crimes in India

India is on the verge of a technology revolution, and the driving force behind it is the acceptance and adoption of Information and Communication Technology (ICT) and its benefits. This revolution may, however, fail to bring the desired and much needed results if we do not adopt a sound, country oriented e-governance policy. A sound e-governance policy presupposes a sound and secure e-governance base. The security and safety of the various ICT platforms and projects in India must be considered on a priority basis before any e-governance base is made fully functional. This presupposes the adoption and use of security measures, and more particularly empowering the judiciary and law enforcement with the knowledge and use of cyber forensics and digital evidencing.

Cyber Forensics and Its Need

The concepts of cyber security and cyber forensics are not only interrelated but also indispensable to each other's success. The former secures the ICT and e-governance base, whereas the latter reveals the loopholes and limitations of the measures adopted to secure it. The latter is also essential to punish deviants so that a deterrent example can be set. There is, however, a problem in acquiring expertise in the latter. A computer can be secured even by a person with simple technical knowledge, but ascertaining and preserving evidence is a tough task. For instance, anyone can install anti-virus software and a firewall or adjust the security settings of a browser, but the same cannot be said of making a mirror copy of a hard disk, extracting deleted files and documents, preserving logs of activity over the Internet, etc. One can further appreciate the difficulty involved in prosecuting and presenting a case before a court of law, because it is very difficult to explain the evidence acquired to a judge who is not techno savvy. The problem becomes more complicated in the absence of sufficient numbers of trained lawyers in this crucial field.
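
The "mirror copy of a hard disk" mentioned above is the point at which admissibility is usually won or lost, so here is an added example (written for this page, not code from the original post or from PTLB) of the minimum an examiner does when imaging media: copy the source bit for bit, hash the source while reading it, re-hash the stored image, refuse the acquisition if the two differ, and write a custody record that lets anyone re-verify the image later. The sample "drive" is a constructed file in a temporary directory; the case number and examiner name are placeholders. On real media the source would be the block device, opened read-only behind a hardware write blocker.

```python
"""Forensic imaging with hash verification and a chain-of-custody record.

Added example for this page; it is not the original author's code. Paths,
case identifiers and the sample data below are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # read 1 MiB at a time so imaging a large drive needs little memory


def _hash_file(path, algo):
    """Return the hex digest of the whole file at path."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_source(src_path, img_path, algo="sha256"):
    """Copy src_path byte-for-byte to img_path, hashing the source as it is read.

    Returns (source_hash, image_hash, byte_count). The source is opened
    read-only and never written to; the image is re-read from disk after the
    copy, so the second hash reflects what was actually stored on the
    destination rather than what sat in a write buffer.
    """
    src_h = hashlib.new(algo)
    total = 0
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_h.update(block)
            img.write(block)
            total += len(block)
        img.flush()
        os.fsync(img.fileno())  # make sure the image is on disk before hashing it
    return src_h.hexdigest(), _hash_file(img_path, algo), total


def acquire(src_path, img_path, examiner, case_id, algo="sha256"):
    """Image src_path and write a custody record next to the image.

    Raises RuntimeError if the stored image does not hash to the same value
    as the source, so a bad copy is never silently accepted as evidence.
    """
    acquired_at = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    src_hash, img_hash, size = image_source(src_path, img_path, algo)
    if src_hash != img_hash:
        raise RuntimeError("image hash does not match source; acquisition not verified")
    record = {
        "case_id": case_id,            # placeholder identifier
        "examiner": examiner,          # placeholder name
        "source": os.path.abspath(src_path),
        "image": os.path.abspath(img_path),
        "bytes": size,
        "hash_algorithm": algo,
        "hash": src_hash,
        "acquired_utc": acquired_at,
    }
    with open(img_path + ".custody.json", "w") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify(img_path):
    """Re-hash an image and compare it with the hash in its custody record.

    Returns True only if the image is still bit-for-bit what was acquired;
    any later modification, even of a single byte, makes this return False.
    """
    with open(img_path + ".custody.json") as fh:
        record = json.load(fh)
    return _hash_file(img_path, record["hash_algorithm"]) == record["hash"]


def demo():
    """Run the workflow on a constructed stand-in for a seized drive.

    Returns (record, verified_before_tamper, verified_after_tamper).
    """
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "seized.bin")
    img = os.path.join(workdir, "seized.dd")
    with open(src, "wb") as fh:  # constructed sample data, not a real device
        fh.write(bytes(range(256)) * 5000)
    record = acquire(src, img, examiner="A. Examiner", case_id="CASE-0001")
    before = verify(img)
    with open(img, "r+b") as fh:  # simulate a later one-byte alteration of the image
        fh.seek(10)
        fh.write(b"\x00")
    after = verify(img)
    return record, before, after


if __name__ == "__main__":
    rec, ok, tampered_ok = demo()
    print(json.dumps(rec, indent=2))
    print("verified after acquisition:", ok)
    print("verified after tampering:", tampered_ok)
```

Two details carry the legal weight: the image is hashed from what was written to disk (after `fsync`), not from the bytes in memory, and the acquisition fails closed when the hashes differ. The custody record is what a lawyer hands to the court alongside the image; anyone can recompute the hash and confirm that the exhibit is unchanged since the time recorded in it.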

Cyber forensics has given new dimensions to criminal law, especially the law of evidence. Electronic evidence and its collection and presentation have posed a challenge to investigation agencies, prosecution agencies and the judiciary. The scope of cyber forensics is no longer confined to the investigation regime only but is expanding to other segments of the justice administration system as well. The justice delivery system cannot afford to take the IT revolution lightly. The significance of cyber forensics emanates from this interface between the justice delivery system and information technology.

The growing use of IT has posed certain challenges to the justice delivery system that have to be met keeping in mind the contemporary IT revolution. Cyber forensics is essential today for the following reasons:

(a) The traditional methods are inadequate: Law may be categorised as substantive and procedural. Substantive law fixes liability, whereas procedural law provides the means and methods by which substantive liability is contended, analysed and proved. Procedural provisions for establishing guilt were always there, but their interface with IT has almost created a deadlock in investigative and adjudicative mechanisms. The challenges posed by IT are peculiar to contemporary society, and so must be their solutions. The traditional procedural mechanisms, including forensic science methods, are neither applicable nor appropriate to this situation. Thus "cyber forensics" is the need of the hour. India is the 12th country in the world to have its own "cyber law" (IT Act, 2000). However, most people in India, including lawyers, judges, professors, etc., are not aware of its existence and use. Traditional forensic methods like fingerprints, DNA testing, blood and other tests, etc. play only a limited role in this arena.

(b) The changing face of crimes and criminals: The use of the Internet has changed the entire landscape of crime, criminals and their prosecution. It involves crimes like hacking, pornography, privacy violations, spamming, phishing, pharming, identity theft, cyber terrorism, etc. The modus operandi is different, and the anonymous nature of the Internet makes it very difficult to trace the culprits. Besides, certain sites provide sufficient technological measures to maintain secrecy, and various sites openly provide hacking and other tools to assist in the commission of cyber crimes. The Internet is boundary less, and that makes investigation and punishment very difficult. These objects of criminal law will remain a distant reality until we have cyber forensics to tackle them.

(c) The need for comparison: There is a dire need to compare traditional crimes and criminals with crimes and criminals in the IT environment. More specifically, the parameters of this comparison must be:

a. Nature of the crime,
b. Manner/methods of commission of the crime,
c. Purpose of the crime,
d. Players involved in these crimes, etc.

Thus, cyber forensics is required to be used by the following players of the criminal justice system:

a. Investigation machinery, statutory as well as non-statutory,
b. Prosecution machinery, and
c. Adjudication machinery, judicial, quasi-judicial or administrative.

(d) Jurisdictional dilemma: The Internet is not subject to any territorial limits, and no one can claim exclusive jurisdiction over a particular incident. Thus, at times there is a conflict of laws. The best way forward is to use the tool of cyber forensics as a "preventive measure" rather than only for "curative purposes".

The growing use of ICT for the administration of all spheres of our daily lives cannot be ignored, nor can the need to secure the ICT infrastructure used for these social functions. The threat from "malware" is not only apparent but also very worrisome. There cannot be a single solution to such threats. We need a techno-legal "harmonised law"; neither pure law nor pure technology will be of any use. First, a good combination of law and technology must be established, and then an effort must be made to harmonise the laws of various countries keeping in mind common security standards. In the era of e-governance and e-commerce, a lack of common security standards can create havoc for global trade in goods and services. The tool of cyber forensics, which is not only preventive but also curative, can help a lot in establishing the much needed judicial administration system and security base.

Cost of Computer Security Breach

Many CEOs and CIOs are slow to invest in computer security because they do not know how to measure their return on investment (ROI). No one has shown them the actual costs of not investing in computer security. The objective of this paper is to provide the information security officer with objective data about the actual cost of computer security breaches to commercial companies. The information presented here can be used as input into ROI analyses to support security procurements.

How Cost Is Measured

In the commercial world, the cost of a cyber security breach is measured in both "tangibles" and "intangibles." The tangibles can be calculated from estimates of:

(a) Lost business, due to unavailability of the breached information resources
(b) Lost business, that can be traced directly to accounts fleeing to a “safer” environment
(c) Lost productivity of the non-IT staff, who have to work in a degraded mode, or not work at all, while the IT staff tries to contain and repair the breach
(d) Labor and material costs associated with the IT staff’s detection, containment, repair and reconstitution of the breached resources
(e) Labor costs of the IT staff and legal costs associated with the collection of forensic evidence and the prosecution of an attacker
(f) Public relations consulting costs, to prepare statements for the press, and answer customer questions
(g) Increases in insurance premiums
(h) Costs of defending the company in any liability suits resulting from the breached company’s failure to deliver assured information and services.

Not all of these tangible costs will occur with each breach; some will only occur with major, well-publicized breaches. The intangibles are costs that are difficult to calculate because they are not directly measurable, but they are nevertheless very important to the business. Many of them are related to a "loss of competitive advantage" that results from the breach. For example, a breach can affect an organization's competitive edge through:

(a) Customers' loss of trust in the organization
(b) Failure to win new accounts due to bad press associated with the breach
(c) Competitors' access to confidential or proprietary information.

Even the military has similar cost issues. In the military, the tangible costs are measured in human lives, replacement costs of equipment, and prolonged military operations. The intangibles include loss of tactical advantage, loss of international prestige, and impaired negotiating positions.

Hypothetical Examples of the Cost Impact of Security Breaches

Forrester Research estimated the tangible and intangible costs of computer security breaches in three hypothetical situations. Their analysis indicated that, if thieves were to illegally wire $1 million from an on-line bank, the cost impact to the bank would be $106 million. They also estimated that, if cyber techniques were used to divert a week's worth of tires from an auto manufacturer, the manufacturer would sustain losses of $21 million. Finally, they estimated that if a law firm were to lose significant confidential information, the impact would be almost $35 million. Does this sound unrealistic? Remember that Forrester used both tangibles and intangibles in their estimates, including the loss of confidential information and reputation. The sections below present the results of analyses of real world cost impacts of cyber events, using largely tangible costs as the means of estimating impact.

Real World Examples of Cost Impacts
Cost Impacts on Individual Companies

In December 1998, Ingram Micro, a PC wholesaler, had to shut down its main data center in Tucson, Arizona due to an electrical short. While the reason for the shutdown was not a security breach, the loss of Ingram's Internet business and electronic transactions from 8:00 AM to 4:00 PM mimicked what could happen with a Distributed Denial of Service (DDoS) attack or a major intrusion. As a result of its one day of lost sales and system repairs, Ingram estimates that it lost a staggering $3.2 million. This figure is comparable to Forrester's projection of a $21 million loss for an auto manufacturer that is unable to get tires for a week.

To estimate the cost impact of the types of breaches that happen daily to companies, one can turn to the annual surveys of the Computer Security Institute (CSI) and the FBI. For the past five years, the CSI-FBI "Computer Crime and Security Survey" has been a major source of information on the frequency and impact of computer security breaches, through its polling of commercial, non-profit, and government organizations. The year 2000 report was based on a survey of 643 information security professionals from organizations throughout the United States. Typically, the respondents represent organizations that have already made some commitment to computer security: in the 1999 survey, 91% of the respondents had firewalls, 42% had intrusion detection systems, and 34% were using digital certificates in their companies. Of the 643 respondents in the year 2000, 90% had detected cyber attacks on their organizations, and 74% reported financial losses associated with those attacks. Of the total sample of respondents, 42% (273 people) were able to quantify their exact losses, which totaled $265,589,940, or a $972,857 cost impact per organization across all types of breaches.

The highest impact came from theft of proprietary information, reported by 66 people. Their total losses came to $66,708,000, or a $1,010,727 cost impact per organization for theft of proprietary information. While this may seem like a lot, the average cost impact of theft of proprietary information in the 1999 survey was even greater: $1,847,652. Sabotage of data or networks was reported by 61 respondents, for a total loss of $27,148,000, or an average loss of $445,049 per organization. This was significantly higher than the 1999 average loss of $163,740 associated with sabotage. While these estimates are presumably based on tangible costs to the company, one can infer that the respondents are very aware of and sensitive to the intangible cost of a tarnished reputation that could result from media treatment of security breaches. I base this conclusion on some interesting data in the 1999 survey. In 1999, 48% of those respondents who had been subjected to an intrusion did not report it. Among the most important reasons cited for the decision not to report those breaches were the fear of negative publicity and the use of the information by competitors.

Cost Impacts across Industries

Some research and consulting firms such as Computer Economics (www.computereconomics.com) measure the impact of computer breaches across several companies or industries. Computer Economics has estimated that in 1999 businesses around the globe spent $12.1 billion to combat the effect of computer viruses. Their estimate was based on tangibles such as lost productivity, network down time, and expenses incurred to get rid of the virus infections. The ILOVEYOU virus and its copycats have also been studied for their financial impacts across industries. According to Computer Economics, the ILOVEYOU virus and its variants caused $6.7 billion in damage in the first five days.

The FBI, in their testimony before the Senate Subcommittee on Technology, Terrorism and Government Information, cites the Yankee Group’s estimate that industries around the world lost $1.2 billion to the DDOS attacks on e-commerce in February 2000. Their estimate was based on lost capitalization, lost revenues and the costs of security upgrades.

The Cost of Piracy

A different form of security breach – software piracy – also has a cost impact across the software industry. International Planning and Research, an independent research firm, estimated that software vendors lost $12.2 billion in 1999 due to software piracy. They estimate that one out of three pieces of software used by businesses around the world is a pirated copy.

The financial impact of computer security breaches has been quantified by several sources. The best estimate of the impact of security breaches on a single organization can be found in the CSI-FBI survey of over 600 organizations. They concluded that the average cost impact of security breaches on each organization is over $972,000 per year.

Hacking Technique, How Hackers Do It

Every day, hackers compromise systems using these attacks. Being aware of how these attacks are performed, you can raise awareness within your organization for the importance of building and maintaining secure systems.

Many organizations make the mistake of addressing security only during installation, and then never revisit it. Maintaining security is an ongoing process, and it is something that must be reviewed and revisited periodically. Using the information in this article, you can try hacking into your organization’s datacenter, high-end server, or other system to determine where basic attacks would succeed. Then, you can address security weaknesses to prevent unauthorized users from attacking the system.

Tricks

A trick is a “mean crafty procedure or practice...designed to deceive, delude, or defraud.” Hackers use tricks to find short cuts for gaining unauthorized access to systems. They may use their access for illegal or destructive purposes, or they may simply be testing their own skills to see if they can perform a task. Given that most hackers are motivated by curiosity and have time to try endless attacks, the probability is high that eventually they do find a sophisticated method to gain access to just about any environment. However, these aren’t the types of attacks we address in this article, because most successful intrusions are accomplished through well-known and well-documented security vulnerabilities that either haven’t been patched, disabled, or otherwise dealt with. These vulnerabilities are exploited every day and shouldn’t be.

Finding Access Vulnerabilities

What generally happens is that an advanced or elite hacker writes a scanning tool that looks for well-known vulnerabilities, and the elite hacker makes it available over the Internet. Less experienced hackers, commonly called “script kiddies,” then run the scanning tool 24 x 7, scanning large numbers of systems and finding many systems that are vulnerable. They typically run the tool against the name-spaces associated with companies they would like to get into.

The script kiddies use a list of vulnerable IP addresses to launch attacks, based on the vulnerabilities advertised by a machine, to gain access to systems. Depending on the vulnerability, an attacker may be able to create either a privileged or non-privileged account. Regardless, the attacker uses this initial entry (also referred to as a “toe-hold”) in the system to gain additional privileges and exploit the systems that the penetrated system has trust relationships with, shares information with, is on the same network with, and so on.

Once a toe-hold is established on a system, the attacker can run scanning tools against all the systems connected to the penetrated system. Depending on the system compromised, these scans can run inside an organization’s network.

Finding Operating System Vulnerabilities

As mentioned previously, hackers first look for vulnerabilities to gain access. Then they look for operating system (OS) vulnerabilities and for scanning tools that report on those vulnerabilities.

Finding vulnerabilities specific to an OS is as easy as typing in a URL and clicking on the appropriate link. There are many organizations that provide “full disclosure” information. Full disclosure is the practice of releasing all information about a vulnerability to the public domain so that it isn’t known only to the hacker community.

Attacking Solaris OE Vulnerabilities

Let’s use Solaris 2.6 OE as an example. A well-known vulnerability, for which patches are available, is the sadmind exploit. Hackers frequently use this vulnerability to gain root access on Solaris 2.6 OE systems. Using only a search engine and the CVE number, found by searching through the Mitre site listed previously, it is possible to find the source code and detailed instructions on how to use it. The entire process takes only a few minutes. The hacker finds the source code on the Security Focus web site and finds detailed instructions on the SANS site.

Tools

Hackers use a variety of tools to attack a system. Each of the tools we cover in this article has distinct capabilities. We describe the most popular tools from each of the following categories:
(a) Port scanners
(b) Vulnerability scanners
(c) Rootkits
(d) Sniffers

Port scanners are probably the most commonly used scanning tools on the Internet. These tools scan large IP spaces and report on the systems they encounter, the ports available and other information, such as OS types. The most popular port scanner is Network Mapper (Nmap). The Nmap port scanner is described as follows on the Nmap web site:


Nmap (“Network Mapper”) is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL.


Nmap is an excellent security tool because it allows you to determine which services are being offered by a system. Because Nmap is optimized to scan large IP ranges, it can be run against all IP addresses used by an organization, or all cable modem IP addresses provided by an organization. After using Nmap to find machines and identify their services, you can run the Nessus vulnerability scanner against the vulnerable machines.


Nmap supports an impressive array of scan types that permit everything from TCP SYN (half open) to Null scan sweeps. Additional options include OS fingerprinting, parallel scan, and decoy scanning, to name a few. Nmap supports a graphical version through xnmap. For more information about Nmap,

Vulnerability Scanners

This section describes tools available for scanning vulnerable systems. Vulnerability scanners look for a specific vulnerability or scan a system for all potential vulnerabilities. Vulnerability tools are freely available. We focus on the most popular and best-maintained vulnerability scanner available, Nessus. The Nessus vulnerability tool is described on the Nessus web site:

The “Nessus” Project aims to provide to the Internet community a free, powerful, up-to-date and easy to use remote security scanner. A security scanner is a software which will remotely audit a given network and determine whether bad guys (aka ‘crackers’) may break into it, or misuse it in some way. Unlike many other security scanners, Nessus does not take anything for granted. That is, it will not consider that a given service is running on a fixed port—that is, if you run your web server on port 1234, Nessus will detect it and test its security. It will not make its security tests regarding the version number of the remote services, but will really attempt to exploit the vulnerability. Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs.

Nessus provides administrators and hackers alike with a tool to scan systems and evaluate vulnerabilities present in services offered by that system. Through both its command line and GUI-based client, Nessus provides capabilities that are invaluable. Running Nessus is much more convenient in its GUI mode. For more information about Nessus, refer to their web site.

Rootkits

The term rootkit describes a set of scripts and executables packaged together that allow intruders to hide any evidence that they gained root access to a system. Some of the tasks performed by a rootkit are as follows:


(a) Modify system log files to remove evidence of an intruder’s activities.
(b) Modify system tools to make detection of an intruder’s modifications more difficult.
(c) Create hidden back-door access points in the system.
(d) Use the system as a launch point for attacks against other networked systems.

Sniffers

Network sniffing, or just “sniffing,” is using a computer to read all network traffic, of which some may not be destined for that system. To perform sniffing, a network interface must be put into promiscuous mode so that it forwards, to the application layer, all network traffic, not just network traffic destined for it.

The Solaris OE includes a tool called snoop that can capture and display all network traffic seen by a network interface on the system. While being relatively primitive, this tool can quite effectively gather clear-text user IDs and passwords passing over a network. Many popular protocols in use today such as Telnet, FTP, IMAP, and POP-3 do not encrypt their user authentication and identification information. Once a system is accessed, an intruder typically installs a network sniffer on the system to gain additional user ID and password information, to gather information about how the network is constructed, and to learn.
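The protocols named above expose credentials to anyone running a sniffer, so a defender's first step is to find out which of them are still used on the network. The following added example (not part of the original article) flags clear-text authentication in captured traffic; the packet records, hosts and account names are constructed inline, and a real deployment would feed them from a capture tool such as snoop or tcpdump.

```python
# Added example (not from the original article): flag clear-text authentication
# in captured traffic for the protocols named above (Telnet, FTP, POP3, IMAP).
# Packet records are constructed inline; nothing here touches a live network.
import re
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport payload")

# Ports whose standard protocols send credentials unencrypted.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 110: "POP3", 143: "IMAP"}

# Credential-bearing commands per protocol. Passwords are never recorded.
CRED_PATTERNS = {
    "FTP": re.compile(rb"^(USER|PASS) (\S+)", re.I),
    "POP3": re.compile(rb"^(USER|PASS) (\S+)", re.I),
    "IMAP": re.compile(rb"^\S+ LOGIN (\S+) \S+", re.I),  # tag LOGIN user pass
}


def inspect(packet):
    """Return a finding for a packet that exposes clear-text credentials, else None."""
    proto = CLEARTEXT_PORTS.get(packet.dport)
    if proto is None:
        return None
    if proto == "Telnet":
        # Telnet has no command structure; any session carries a visible login dialogue.
        return {"proto": proto, "src": packet.src, "dst": packet.dst, "user": None}
    m = CRED_PATTERNS[proto].match(packet.payload.strip())
    if m is None:
        return None
    if proto == "IMAP":
        user = m.group(1).decode(errors="replace")
    elif m.group(1).upper() == b"USER":
        user = m.group(2).decode(errors="replace")
    else:
        user = None  # a PASS line: report the exposure but do not store the secret
    return {"proto": proto, "src": packet.src, "dst": packet.dst, "user": user}


def audit(packets):
    """Collapse per-packet findings into one entry per (proto, src, dst) flow."""
    flows = {}
    for p in packets:
        f = inspect(p)
        if f is None:
            continue
        entry = flows.setdefault((f["proto"], f["src"], f["dst"]), {"user": None, "hits": 0})
        entry["hits"] += 1
        if f["user"]:
            entry["user"] = f["user"]
    return flows


# Constructed sample traffic (no real hosts or accounts).
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.20", 21, b"USER alice\r\n"),
    Packet("10.0.0.5", "10.0.0.20", 21, b"PASS hunter2\r\n"),
    Packet("10.0.0.7", "10.0.0.21", 143, b"a001 LOGIN bob s3cret\r\n"),
    Packet("10.0.0.8", "10.0.0.22", 443, b"\x16\x03\x01"),  # TLS: not inspected
    Packet("10.0.0.9", "10.0.0.23", 23, b"alice\r\n"),
]

if __name__ == "__main__":
    for (proto, src, dst), info in audit(SAMPLE).items():
        print(f"{proto}: {src} -> {dst} user={info['user']} packets={info['hits']}")
```

Each flagged flow is a service to migrate to its encrypted replacement (SSH, FTPS/SFTP, POP3S, IMAPS) or to wrap in TLS, which removes what the sniffer was collecting.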

Techniques

In this section, we describe two different attack scenarios to demonstrate how easily a hacker can gain access to an unsecured system. These successful attacks simulate the following scenarios:
(a) Attacks from the Internet
(b) Attacks from employees

In both attack scenarios, after the hacker establishes a root account, the hacker wants to maintain access to the system and establish additional privileges to access the rest of the environment. We correlate the tools that the hacker uses to find vulnerabilities, gain access, and establish additional privileges.

Attacks From the Internet

In this scenario, a hacker uses the Nessus vulnerability scanner to locate a system running Solaris 2.6 OE that has not been protected from the sadmind remote procedure call (RPC) service vulnerability. Let’s see how the sadmind exploit works against the victim system. After the hacker gains access, the hacker uses a rootkit to gain and maintain root access. The header of the sadmindex.c program provides the following information on its usage: The author of the sadmindex program made things even easier by providing example stack pointer values. Some tinkering with the sp value was necessary in this example to get the exploit to work; however, it didn’t take much trial and error because the next offset tried was 0xefff9588.

Attacks From Employees

In this scenario, an employee has user access privileges to the system; however, the employee is not authorized to have root access privileges. This scenario is very common. It usually occurs when accounts are left logged on and systems are insecure, thus providing an intruding employee the opportunity to perform unauthorized actions. The ability of malicious internal users to gain additional privileges on Solaris OE systems is a very real security issue. Unfortunately, it is frequently overlooked or ignored by administrators and managers who say, “That could never happen here” or “We have to trust all of our employees.” Serious security incidents occur in situations like these.

Most systems have different types of users. Authorized individuals are systems administrators, operators, database administrators, hardware technicians, and so forth. Each class of user has permissions and privileges defined by user ID and group IDs on the system. Most of these users do not have a root password or permission to use it.

Once on a system, malicious users and intruders can use buffer overflow attacks to gain root privileges. For example, on August 10th, 2001, a buffer overflow against xlock was released. (The xlock executable is a utility for locking X-windows displays.) This utility is useful to attack because it is installed setuid root, due to its need to authorize access to the display when it is locked. A quick search through a few web sites provides the sample source code, which only has 131 lines of code.

Now that the attacker has root privileges on the system, it is easy to use a sniffer, install back doors, maintain and gain additional access privileges using rootkits, and perform tricks and subsequent attacks.

Future of Cyber Crime and Conclusion

What's in the future for Internet Crime and Punishment? With every new avenue opening up on the Internet come more possibilities for criminal intent. The difference now, and in the future, is that the technology and human services needed to make these individuals or organizations accountable for their actions are in place or coming into place. Laws and punishments for even the smallest Internet crimes are now on the books, or in the process of being created. Make no mistake; once something is on the Internet, it is fact. It is traceable and punishable. No matter how hard someone tries to cover it up, erase it or disassociate from their actions, once the footprint is made, it can't be unmade. Somewhere there is a way to track that footprint. Law enforcement across the globe will enforce it.

The Internet has not only drawn people together, it has drawn international crime fighting agencies together in a common purpose. The Internet is not a free playground anymore. It is a global arena. Internet crime will take the punch.

Source: Cyber Laws In India

International Commercial Arbitration And Dispute Resolution In India

The scope of International Commercial Dispute Resolution (ICDR) Services in India is increasing day by day. ICDR can be availed of for disputes arising out of contracts on sales of goods, distributorship, agency and intermediary contracts, construction, engineering and infrastructure contracts, intellectual property contracts, domain name dispute resolutions, joint venture agreements, maritime contracts, employment contracts, etc. The list is just illustrative, as the business transactions are too many to categorise here.

The traditional litigation methods of dispute resolution are not very helpful for such high-stakes commercial disputes. This has necessitated the requirement for Alternative Dispute Resolution (ADR) mechanisms like Arbitration, Mediation, Conciliation, etc. India provides world class “ADR Services” for various fields including those for ICDR.

ICDR in India can be conducted either as “Ad hoc arbitration” or as “Institutional Arbitration”. India has tremendous capabilities for both these forms of dispute resolution. However, India is lacking on the front of use of information and communication technology (ICT) for dispute resolution. This has resulted in a limited growth of Online Dispute Resolution (ODR) in India.

ICDR can benefit greatly from the use of ODR in India. All we need to do is to strengthen Techno-Legal Services in India.

Source: Cyber Laws In India

International Commercial Arbitration In India And Commercial Transactions

Information and communication technology (ICT) has given a new meaning to international commercial transactions and business. E-commerce has now become an indispensable part of our day to day commercial activities. This has also given rise to both traditional as well as contemporary international commercial disputes all over the world. E-commerce dispute resolution in India is also the need of the hour.

So much so that the previous Law Minister, Veerappa Moily, said that a commercial court would be set up in each high court and that all cases with an investment exceeding a certain sum would be tried in the commercial court.

At the same time, the alternative dispute resolution (ADR) mechanism in India is also in the process of rejuvenation. Although online dispute resolution (ODR) and e-courts in India are still a distant dream, the procedure for bringing suitable amendments to the existing arbitration law of India is in the pipeline. There are many reasons for the failure of e-courts in India.

Thus the scope of International Commercial Dispute Resolution (ICDR) Services in India is increasing day by day. ICDR can be availed of for disputes arising out of contracts on sales of goods, distributorship, agency and intermediary contracts, construction, engineering and infrastructure contracts, intellectual property contracts, domain name dispute resolutions, joint venture agreements, maritime contracts, employment contracts, etc. The list is just illustrative, as the business transactions are too many to categorise here.

The traditional litigation methods of dispute resolution are not very helpful for such high-stakes commercial disputes. This has necessitated the requirement for ADR mechanisms like Arbitration, Mediation, Conciliation, etc.

India has tremendous capabilities for both ADR and ODR. However, India is lacking on the front of a good law in this regard. The Arbitration and Conciliation Act, 1996 has proved to be more of a burden than a relief. There is an urgent need to reformulate Indian laws in this regard.

Source: Cyber Laws In India

Technical Skills Development In India

India is facing a mammoth task of imparting skills to its young generation so that unemployed youths can be accommodated in various segments of the employment system of India. With the educational system of India on the verge of collapse, skills development in India is needed as soon as possible.

Skills development in India and the vocational education and training system of India must be strengthened. Wherever the Indian government lacks the necessary expertise, the help of the private sector must be sought. Further, online skills development in India must be encouraged to impart skills and training to the maximum number of candidates.

Perry4Law and Perry4Law Techno Legal Base (PTLB) are the leading techno legal skills and training providers of India. Perry4Law and PTLB are providing exclusive techno legal skills development in India and worldwide. The techno legal trainings of Perry4Law and PTLB are provided in an online environment and through distance learning mode so that both national and international students can be accommodated.

Perry4Law and PTLB are world renowned for ensuring skill development in India for technical education. They provide the most extensive technical and technological skills development in India.

If you are interested in technical education and skill development in India in general and any techno legal courses of PTLB in particular, you can fill the application form that can be downloaded from here. Additional information in this regard can be found here.

Source: Cyber Laws In India