Trans Border Hacking And Search Activities Of FBI Would Violate Civil Liberties And Cyber Laws Of Different Nations

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBInternet is full of news and discussions about the recent expansion of the Rule 41 of the Federal Rules of Criminal Procedure by US Supreme Court. While the Department of Justice of US is trying to pass the amendment as a simple modification yet its ramifications are global in nature. To put it straight, the proposed Rule would allow the FBI to access, search and hack any computer, device or equipment remotely while sitting at the home.

Even worst, FBI can hire the services of hackers who can get the job done on behalf of FBI or any other law enforcement agency. State sponsored hacking is not a new concept and almost all the countries are engaging in such activities. Not only this the hackers who work on behalf of a country are also granted legal immunity against cyber deterrent acts by these countries. Even the intelligence agencies of India have demanded such legal immunity in the past and the result of such demand is still not clear.

In these circumstances, it would be naive to suggest that the proposed amended Rule would not violate privacy and cyber laws of different jurisdictions where FBI would use its newly acquired hacking power under the proposed Rule.

All individuals have a right to privacy and this right includes their digital properties, computers and information stored in these computers. Just like you cannot enter into my home without a justified reason and court warrant similarly there is no reason why FBI should intrude into my privacy by some self assumed powers under a US Rule. Further, it is very difficult to understand how can a search warrant issued by a US court empowers the FBI or US law enforcement agencies to access my computer in an unauthorised, illegal and unconstitutional manner? When even Indian government cannot do so how can a foreign government commit such an act?

Clearly, privacy is at grave danger with such attitude and Rules and this would also affect the cloud computing industry as well. Who would like to store their sensitive documents on clouds managed by US companies in such disturbing circumstances? Similarly, the proposed Rule would also flare up the cyber espionage and cyber warfare race among the nations. All this because a vague and unconstitutional US rule empowers FBI and other law enforcement agencies of US to violate civil liberties and digital rights of netizens around the world.

This is a situation where even the self defence would not sufficient and nations and individuals would try their hands upon aggressive defence. There would be a sudden change from the defensive cyber security strategy to an offensive cyber security strategy around the world. The limits to legitimate exercise of self defence would ceases to exist. In the absence of international cyber law treaty and international cyber security treaty (PDF), this limit has to be judged and guided by the principle of private international law.

The proposed Rule would further increase the conflict of laws in cyberspace and negate civil liberties protection in cyberspace. Use of malware would further increase that would make the Internet and cyberspace a more insecure place. Malware are already defeating the cyber security safeguards and this global cyber espionage, cyber warfare and hacking power of FBI is only going to make the scenario more complicated.

Civil liberty activists need to come up with innovative ideas and products to safeguard privacy of netizens. When the Tor system is already been compromised, even the Tor community need to have a relook at their product. Similarly, smart phones encryption is widely targeted these days and the same can be cracked by the law enforcement agencies. Smart phone companies are also required to make their encryption protection stronger otherwise consumer would loose faith in their products and services. Telecom companies are also required to fight against illegal e-surveillance activities of governments around the world.

It is imperative on the part of Indian government to clarify its stand on the proposed Rule and ask its US counterpart for an explanation in this regard. Similarly, other countries should also ask US by what authority they can access the computers and devices located in foreign jurisdictions? As on date, the trans border hacking and search activities of FBI would violate civil liberties and cyber laws of different nations.

Contemporary Malware Are Defeating Cyber Security Products And Services

Perry4Law-Organisation-P4LOInfection and compromise of systems and devices is not a recent phenomenon. However, malware in the contemporary times are highly sophisticated in nature. In fact, as per a report, malware nuisance would significantly increase in the year 2016.

Malware writers are no more script kiddies who hack for the sake of fun. Now the motive of these hackers ranges from cyber espionage, financial gains to cyber warfare. Naturally, malware play a key role in achieving these objectives.

Malware are a big cyber security nuisance for long. Cyber security vendors have been trying to contain various sophisticated malware that come up from time to time. As the nations and state actors have become interested in these malware and some of them are even funding their development and exploitation, cyber security products and services are finding it difficult to match their capabilities.

Till the time a cyber security product or service is launched to contain a sophisticated malware, the havoc and damage is already done. In this article titled “Malware Are Defeating Cyber Security Safeguards With Ease“, this fight between malware and cyber security products has been aptly described.

Presently malware are clearly winning the fight between security and system infections as security products are inherently incapable of tackling zero day vulnerabilities and state sponsored cyber attacks.

In the research article titled “Prospective Cyber Security Trends In India 2015“, Perry4Law Organisation (P4LO) predicted that state sponsored cyber attacks would increase. This actually happened and even Twitter and Google issued warnings that state sponsored cyber attacks may be there for their products and services. The “Cyber Security Trends In India 2016” have also predicted the rise of botnet, malware and cyber attacks against critical infrastructures around the world.

It is a wake up call for the cyber security vendors to either improve their security products and services or become redundant and ready to be exiled. What is the purpose of an anti virus that cannot detect and remove a malware?

At the same time there is a need to change the attitude towards cyber security by individuals, companies and governments. At the organisation level, there must be a techno legal policy for cyber security that should be religiously followed. Any lapse in the policy may be lethal for the financial and brand value of the organisation.

As far as India is concerned, India is still struggling to establish the Chief Information Security Officer (CISO) culture. Even at the government level, CISO culture is still missing. For instance, recently the Prime Minister Office (PMO) of India appointed Dr. Gulshan Rai as the first CISO of India. Although this is a very good and pro active move yet we have seen little development in this regard so far. Similarly, appointing the Chief Information Officers (CIOs) was made mandatory for all banks in India in 2012 yet till 2016 banks have not done so. In fact, cyber security of banks in India is in a very poor condition.

Even the government projects like National Critical Information Infrastructure Protection Centre (NCIIPC), National Cyber Coordination Centre (NCCC), etc have failed to achieve for what they were contemplated. There are no cyber breach disclosure norms in India as well. As a result we have almost missing cyber security infrastructure in India that needs to be revamped and strengthened immediately. This is more so when India has introduced the “Digital India” project that would make Indian infrastructure vulnerable to sophisticated cyber attacks from around the world. When everybody is passing the buck who is going to bell the cat named malware.

Smart Cities Cyber Security In India: The Problems And Solutions

Smart cities are the future of urbanisation and population sustainability. The aim of smart cities is to provide a conductive environment for living, commercial activities, healthcare and overall development. Smart cities also predominantly rely upon use of information and communication technologies (ICT) to render public services. Wherever applicable, Internet of Things (IoT) (PDF), cloud computing and virtualisation and machine to machine (M2M) system usage is also there. However, this omnipresent usage of ICT, IoT, M2M, cloud computing, etc has a potential drawback as well in the form of indifference towards smart cities cyber security.

It is not difficult to visualise a scenario of cyber attacks against the critical infrastructures of the smart cities that are run by ICT and technology. Such a cyber attack can cripple the entire smart city if properly executed. Critical infrastructure protection in India (PDF) is still at nascent stage. The national cyber security policy of India 2013 is also very weak and even that has not been implemented by Indian government so far. The much awaited cyber security policy of India 2015 is also missing so far.

A strong cyber security infrastructure of India is need of the hour especially when there is no well settled international legal issues of cyber attacks that can be invoked in the case of a cyber incidence. It is very important that international legal issues of cyber attacks must be resolved by various government and non government stakeholders. There is no globally acceptable cyber law treaty and cyber security treaty (PDF) that can govern the relationships between various countries.  Even the Tallinn Manual on the International Law Applicable to Cyber Warfare  (PDF) is just an academic document with no legal binding obligations. The truth is that Tallinn Manual is not applicable to international cyber warfare attacks and defence and countries are free to take measures as per their own choices.

This has necessitated that cyber security related projects in India must be not only expedited but they must also be successfully implemented as soon as possible. Unfortunately, cyber projects like National Cyber Coordination Centre (NCCC) of India, National Critical Information Infrastructure Protection Centre (NCIPC) of India, Grid Security Expert System (GSES) of India, National Counter Terrorism Centre (NCTC) of India, Cyber Attacks Crisis Management Plan of India, Crisis Management Plan Of India For Cyber Attacks And Cyber Terrorism, Cyber Command For Armed Forces Of India, Tri Service Cyber Command for Armed Forces of India, Central Monitoring System (CMS) Project of India, National Intelligence Grid (Natgrid) Project of India, Internet Spy System Network And Traffic Analysis System (NETRA) of India, Crime and Criminal Tracking Network and Systems (CCTNS) Project of India, etc have still not been implemented successfully by Indian government.

This raises the pertinent question as to how Indian government would ensure cyber security of smart cities in India. We at Centre of Excellence for Cyber Security Research and Development in India (CECSRDI) believe that Modi government must take cyber security seriously. The cyber security challenges in India would increase further and India must be cyber prepared to protect its cyberspace. CECSRDI believes that the starting point is to draft the cyber security policy of India 2015 as the 2013 policy is highly defective and of little significance. We also believe that a dedicated cyber security law of India is need of the hour. The same must be a techno legal framework keeping in mind contemporary cyber security threats. Further cyber security disclosure norms in India must be formulated by Modi government. The cyber security awareness in India must be further improved so that various stakeholders can contribute significantly to the growth and implementation of cyber security initiatives of Indian government.

International Legal Issues Of Cyber Attacks Must Be Resolved

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBInternet has become a necessity for all Countries of the World. Internet has also connected the virtual territories of different Countries to a collective area known as Cyberspace. This connectivity element has provided many opportunities and benefits to Cyberspace Netizens and stakeholders at large. However, this connectivity has also given rise to the possibilities and opportunities for committing wrongs and crimes by various criminal elements.

Newer concepts like Cyber Terrorism, Cyber Warfare, Cyber Espionage, etc have also emerged that have disastrous effects if not properly safeguarded and tackled. As on date there is no globally acceptable Cyber Law or Cyber Security Treaty.  Similarly, there is also no full proof and absolutely certain way to ascertain Authorship Attribution for Cyber Crimes and Cyber Attacks. Presence of Conflict of Laws in Cyberspace and absence of Civil Liberties Protection in Cyberspace has further complicated the international Cyber Law and Cyber Security related issues. Privacy Protection in the Information Era has also become an invincible task for Governments around the world.

In these circumstances, International Legal Issues of Cyber Attacks are not easy to manage. This is more so for India that is still not Cyber Prepared for International Cyber Attacks. Take the example of recent episode of hacking of Sony’s systems. Despite the strong statements of United States and its Agencies, it is very difficult to accept that North Korea was behind the hack. This is because United States has failed to prove authorship Attribution in a “Convincing and Proper Manner”. Thus, despite all allegations, counter allegations and other materials, it may not be possible to trace back the true attacker.

There is no “Neutral Authority” that can analyse the claims of both United States and North Korea in this regard. Both Countries may stick to their respective stands but in the end not much could be achieved through the same. Of course, this episode may give impetus to revive the lapsed or suspended Laws in United States that would have serious Civil Liberties Issues.

At a time when “Net Neutrality” is in grave danger, imposing own Standards and Measures against Potential, Actual and Invented Cyber Attacks by any Country should be sternly discouraged. It is also high time to resolve International Legal Issues of Cyber Attacks at a global scale

Cyber Crimes And Cyber Attacks Insurance In India: A Techno Legal Perspective

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBInsurance business is well structured and well established in India. Even the regulatory framework in the traditional insurance sector is well managed by Indian government. With the passage of time, new avenues are now available for the insurance business. One such avenue comes from the adoption of information and communication technology (ICT) in our daily lives and the misuse of the same by criminal elements.

Perry4Law has been advocating use of cyber insurance since 2004 and from that year onwards we have been keeping a close watch upon the developments in this field at both national and international levels. Cyber insurance was adopted by developed nations earlier than India as it is only now that Indian insurance companies and Indian companies and other individuals have realised the importance of cyber insurance.

Information Technology Act, 2000 (IT Act 2000) prescribes adoption of adequate cyber security practices and cyber law due diligence (PDF) by Indian companies and individuals. Even technology companies, financial institutions and e-commerce websites are required to observe cyber due diligence in India and this requirement cannot be ignored anymore. A special attention must be given to the Information Technology (Intermediaries Guidelines) Rules 2011 (PDF) and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (PDF) by those engaged in technology related business in India.

Regulatory compliance requirements under the Indian Companies Act 2013 (PDF) have added many legal obligations on the part of Indian companies and their directors. These include the liability of directors for cyber law and cyber security breaches and a liability for not following cyber law and cyber security legal obligations while conducting the functions of their respective companies.

Foreign companies and e-commerce websites having a business presence in India would now be required to register in India. This would also make them amendable to Indian laws and to face legal obligations for their non compliances. For instance, the recent cyber breach at Target Corporation has exposed it to litigation in multiple jurisdictions around the world.

Cyber breaches in India would raise complicated cyber law issues in the near future. For instance, cyber security issues of e-commerce business in India need to be discussed and implemented by Indian government and insurance companies. Similarly, cyber due diligence must also be outlined and implemented for online payment makers. Maintenance and inspection of document in digital form under corporate laws of India would also raise privacy, data protection (PDF) and cyber security issues.

All these aspects need a dedicated techno legal framework that is presently missing in India. Similarly, corporate frauds investigations in India would need scientific technologies and methods like e-discovery, cyber forensics, etc. If cyber security (PDF) and cyber forensics (PDF) trends in India are considered, this is a big challenge for Indian government, insurance companies and other corporate stakeholders. If cyber insurance has to be considered to be a potential source of revenue by insurance companies and adequate protection by Indian company ies, they have to work hard in their respective fields.

Merely entering into an insurance agreement for cyber insurance purposes would create more trouble than solutions as complicated techno legal issues are involved in international cyber crime and cyber attack cases. For instance, insurance companies and affected companies may also face and have to tackle conflict of laws in cyberspace, authorship attribution for cyber crime and cyber attacks, refusal and non cooperation by foreign governments and companies in cyber crimes investigations, etc.

In these circumstances, not only the cyber insurance agreements must be properly drafted by insurance companies but techno legal investigation skills must also be used for investigating cyber crimes and cyber attacks cases by both the affected companies and insurance companies.

India Opposes Proposal To Include Cyber Security Technologies Under The Wassenaar Arrangement

India Opposes Proposal To Include Cyber Security Technologies Under The Wassenaar ArrangementOne of the ways to prevent technologies and weapons from falling into wrong hands is to restrict and regulate their export out of the jurisdictions possessing the same. By putting export restrictions, weapons and technologies can be exported according to set norms and under scrutiny.  The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement) is one such arrangement between many western countries.

The Wassenaar Arrangement has been established in order to contribute to regional and international security and stability. Participating States seek, through their national policies, to ensure that transfers of restricted items do not contribute to the development or enhancement of military capabilities. The decision to transfer or deny transfer of any item is the sole responsibility of each Participating State. All measures with respect to the Arrangement are taken in accordance with national legislation and policies and are implemented on the basis of national discretion.

The Wassenaar Arrangement is focusing primarily on the transparency of national export control regimes and not granting veto power to individual members over organisational decisions. It is not a treaty, and therefore is not legally binding. However, through its collective decision making process, it can prohibit the transfer of a particular technology to non member nation(s). India is one such non member Nation and she has keen interests in import of technologies like cyber security software and hardware.

UK, France have now proposed amendments to Wassenaar Arrangement to include cyber security technologies. Naturally, India has expressed her concerns regarding this attempt as India is primarily dependent upon foreign nations for her cyber security related requirements. Changes were made to the Wassenaar Arrangement in December 2013 at a plenary meeting held at Vienna following the Snowden revelations.

”These changes could have severe impact on India’s cyber security programme — both software and hardware — as these would come under export control regime, the entire inventory of high-end cyber technology is with the Western countries like the US and they may deny products to Indian organisation,” said a senior Government official.

A high level meeting of the National Security Council was recently held to discuss the next course of action. The problem is that the products included in the control list have not yet been made public and the next round of plenary meeting to be held at the end of this month is expected to see the formal adoption of this agreement.  Since India is not part of the agreement, it does not have access to the decisions or means to influence the proceedings. Therefore, Indian may seek membership to the exclusive club.

“The best way to deal with this would be to have our own technologies and invest in R&D but that would take time. We would like to engage with countries like US and UK to take our view on board before listing out products under export control,” said a Government official directly dealing with the issue.

The official also said that as a pre-emptive move India was looking to purchase critical technology before the new arrangement is finalised. An expert committee has been set up to figure out the future course of action, including negotiating with six countries — the US, the UK, Israel, Germany, France and Canada.

CERT-In has claimed that some softwares supplied to India are tweaked which become prone to hacking. India was given a solution of the “Heart Bleed” malware, which impacted security of softwares, by vendors after a year of its discovery. Software companies under the product sale agreement are bound to provide solution of any vulnerability found in their product(s) immediately after detection.

Sources said Ministry of External Affairs was of the view that high technology items are always an issue for the US but India could influence the decision by seeking membership of the Wassenaar Arrangement.

Intelligence Agencies Reforms In India Are Urgently Needed

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBIntelligence Agencies play an important role in protecting National Security of a country. They help in maintaining Internal and External Security of a Nation. The very nature of their functioning and work requires some degree of Anonymity, Secrecy and Confidentiality. However, this must not be confused with “Non Accountability” and “Lack of Transparency”. Unfortunately, Indian Intelligence Agencies have become synonymous to Non Accountability and Lack of Transparency.

World over it has been accepted that there must be a balance between National Security and Civil Liberties Protection. The United Nations (UN) Third Committee has also approved a text titled Right to Privacy in the Digital Age. This is in recognition of the Privacy Right in the Information Era that has gained prominence off late. It also means that the Big Brother must not “Exceed its Limits” as prescribed by the Human Rights and Civil Liberties Protection in Cyberspace.

India is clearly inclined to become an “Endemic E-Surveillance State” with no respect for Constitutional Rights and Civil Liberties. The journey of India “From Welfare State to E-Police State” began in 2009 with the notification of Information Technology Amendment Act, 2008 and it became complete in the year 2014 with the introduction of E-Surveillance Projects like Central Monitoring System (CMS) and Internet Spy System Network And Traffic Analysis System (NETRA) of India. I even suggested in May 2013 that Indian CMS must be subject to Prime Minister Office (PMO) “Scrutiny and Intervention”.

Nevertheless, the Big Brother Initiatives in India remained unaffected. In fact, the Congress Government made it “Absolutely Sure” that various E-Surveillance Projects are not only “Kept Alive” but they should also be “Made Immune from Judicial Scrutiny”. Our Constitutional Courts also did not consider it necessary to interfere and take appropriate actions.

To make the matter worst, we have no E-Surveillance Policy of India. It is now well known that Indian Government forced Telecom Companies like Vodafone to install “Secret Wires” to indulge in Unconstitutional E-Surveillance and Phone Tapping. Similarly, Indian Telecom Infrastructures have been constantly used for indulging in Unconstitutional E-Surveillance Practices as we have no implementable Telecom Security Policy in India.

In other jurisdictions, new methods of E-Surveillance are devised on regular basis. For instance, use of Radio Waves and Malware United State’s NSA for World Wide E-Surveillance is well known. The Department of Justice (DOJ) has recently announced a New Reporting Methods for National Security Orders. India on the other hand, is not at all interested in making its Intelligence Agencies and E-Surveillance Projects “Accountable to the Parliament”. This is a situation that needs to be urgently changed as it “Undermining the Constitution” and “Rule of Law” has no meaning and significance in these circumstances.

Indian Government does not understand and accept that Law Enforcement and Intelligence Work is “Not an Excuse for Non Accountability”. For some strange reasons Intelligence Infrastructure of India has become synonymous to Unaccountability and Mess. There is neither any Parliamentary Oversight nor and Transparency and Accountability of the working of Intelligence Agencies of India.

Perry4Law has already provided a “10 Point Legal Framework for Law Enforcement and Intelligence Agencies in India” (PDF) to the Government of India in September 2009. However, the Indian Government failed to act upon the same and to formulate a Techno Legal Framework accordingly.

In a Recent Landmark Judgment (PDF), the constitution of CBI was held Unconstitutional by Gauhati High Court. In my personal opinion, the decision of Gauhati High Court declaring CBI unconstitutional is “Legally Sustainable”. Although almost all have criticised this decision of Gauhati High Court yet it is “Neither Absurd nor an Uncalled One”. Parliamentary Oversight of any Law Enforcement Agency is the “Core Requirement” under Indian Constitution. However, our Intelligence Agencies and many Law Enforcement Agencies, including CBI, are not governed by any sort of Parliamentary Oversight.

Unfortunately, the Supreme Court of India stayed this decision. This may be for a good cause if the Modi Government utilises this opportunity to formulate suitable Law for CBI and other Intelligence Agencies of India. However, this exercise of Supreme Court would be the “Most Unfortunate One” if there is no action in this regard by the Modi Government. So what should be the Modi Government’s next step?

Firstly, there is an urgent need to repeal draconian laws like Telegraph Law and Indian Cyber Law. Secondly, there is a dire need to formulate dedicated Telephone Tapping Law of India as soon as possible. Thirdly, India “Must Reconcile” the Civil Liberties and National Security Requirements but the same is presently missing. Indian Government is also “Not Serious” about formulating a dedicated Privacy Law for India. Data Protection and Privacy Rights in India are in real bad shape.

Fourthly, India’s own Projects like Aadhar, National Intelligence Grid (NATGRID), Crime and Criminal Tracking Network and Systems (CCTNS), National Counter Terrorism Centre (NCTC), Central Monitoring System (CMS), Centre for Communication Security Research and Monitoring (CCSRM), NETRA, etc are violative of Civil Liberties Protection in Cyberspace. None of them are governed by any Legal Framework and none of them are under Parliamentary Scrutiny. In short, Intelligence Infrastructure of India needs Transparency and Strengthening to make it “Effective and Accountable”.

With the new Government some action in this regard is expected but only time would tell whether Modi Government would “simply step into the shoes of Congress” or actually protect the Constitutional Rights of Indian Citizens.

Cyber Security Of Banks In India Needs Strengthening

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBIndian Cyber Security has been ignored for many years by the previous Governments making Indian computer systems and critical infrastructures vulnerable to sophisticated cyber attacks. One of the critical infrastructures is banking sector of India that has miserable cyber security infrastructure. The Cyber Security Trends and Developments in India (PDF) have proved this point very well.

We have no dedicated cyber security laws in India and this is creating numerous troubles for various stakeholders. The banking sector of India is also neglecting cyber security in the absence of stern and effective cyber security regulatory norms in India. Some basic level guidelines and recommendations have been issued by Reserve Bank of India (RBI) but they are far from satisfactory and being effective. These include Internet banking guidelines, formation of a RBI Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, RBI Recommendation on Information Security and its implementation in India, etc.

RBI has also mandated establishment of Steering Committees on Information Security by Banks in India and appointment of Chief Information Officers (CIOs) for all banks in India.  However, banks in India have failed to comply with the directions of RBI so far and even RBI has allowed them to take this liberty. In effect, this means that there is neither a legal framework nor any compulsion to ensure cyber security of banks in India. Naturally, the online banking system of India is not at all cyber secure and banks in India are not following cyber security due diligence and cyber law due diligence (PDF) at all.

Sophisticated malware are targeting banking industry around the world. For instance, Malware Dump Memory Grabber has been targeting Indian banks and POS Terminals. Similarly, the Gameover Zeus or GOZ botnet is also capable of stealing sensitive banking and financial information and details. Recently, the US Justice Department even charged a Russian national for creation of Gameover Zeus (GOZ) Botnet.

India is considering wide scale adoption of mobile banking, Internet banking and other online banking and financial transactions methods. However, India has not considered the issues of mobile banking cyber security, internet banking cyber security, legal aspects of Internet banking, cyber security of e-governance services, etc.

There is no doubt that Indian online banking transactions are vulnerable to cyber attacks. The cyber security for banking and financial sectors of India must be ensured as soon as possible. Online payment market of India and e-commerce and online business legal compliances have further increased the requirements of banking cyber security in India. Similarly, cyber due diligence for Paypal and online payment transferors of India must also be ensured by these stakeholders. The sooner this is done the better it would be for the larger interest of banking sector of India.

Techno Legal Analysis Of Gameover Zeus Or GOZ Botnet And P2P Malware

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBThe present era belongs to highly sophisticated and accurately targeting malware that are compromising computer systems at will. Not only they have the capabilities to infect even the most secured and sophisticated systems, they are also designed to remain under the radar and work in a stealth mode. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc just few examples that we are aware of and there are many more still operating that we are not aware of at all. Some of them are operating in the hidden Internet or deep web using encryption and anonymous systems.

Financial institutions and financial credentials are widely targeted by Malware for obvious reasons. Besides targeting financial organisation, botnet are used for all sorts of illegal activities over the Internet. For instance, for online advertisement industry alone, botnet are causing losses upto the extent of $6 million a month.

One such Malware is known as Zeus that is well known for stealing banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads, spam and phishing techniques. Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. The latest variant of Zeus is known as Gameover Zeus, or GOZ botnet.

According to a good research analysis (PDF) of GOZ botnet, Zeus is a family of credential-stealing trojans which originally appeared in 2007. The first two variants of Zeus are based on centralized command servers. These command servers are now routinely tracked and blocked by the security community. In an apparent effort to withstand these routine countermeasures, the second version of Zeus was forked into a peer-to-peer variant in September 2011. Compared to earlier versions of Zeus, this peer-to-peer variant is fundamentally more difficult to disable.

Due to its lack of centralized C2 servers, P2P Zeus is not susceptible to traditional anti-Zeus countermeasures, and is much more resilient against takedown efforts than centralized Zeus variants. The main P2P network is divided into several virtual sub-botnets by a hardcoded sub-botnet identifier in each bot binary. While the Zeus P2P network is maintained and periodically updated as a whole, the sub-botnets are independently controlled by several botmasters.

The Zeus P2P network serves two main purposes. These are: (1) Bots exchange binary and configuration updates with each other and (2) Bots exchange lists of proxy bots, which are designated bots where stolen data can be dropped and commands can be retrieved. Additionally, bots exchange neighbor lists (peer lists) with each other to maintain a coherent network. As a backup channel, P2P Zeus also uses a Domain Name Generation Algorithm (DGA), in case contact with the regular P2P network is lost.

According to researchers, P2P Zeus has evolved into a complex bot with attack capabilities that go beyond typical banking trojans. They believe that P2P Zeus is used for activities as diverse as DDoS attacks, malware dropping, Bitcoin theft, and theft of Skype and banking credentials. Researchers have also found that till recently bot traffic was encrypted using a rolling XOR algorithm, known as “visual encryption” from centralized Zeus, which encrypts each byte by XORing it with the preceding byte. Since June 2013, Zeus uses RC4 instead of the XOR algorithm, using the recipient’s bot identifier as the key. Rogue bots used by analysts to infiltrate the network typically use continuously changing bot identifiers to avoid detection. The new RC4 encryption is a problem, because a rogue bot may not always know under which identifier it is known to other bots, thus preventing it from decrypting messages it receives. In addition, RC4 increases the load on botnet detection systems which rely on decrypting C2 traffic.

Zeus uses RSA-2048 to sign sensitive messages originating from the botmasters, such as updates and proxy announcements. In all P2P Zeus variants researchers studied, update exchanges and C2 messages feature RC4 encryption over an XOR encryption layer. For these messages, either the identifier of the receiving bot or a hardcoded value is used as the RC4 key, depending on the message type. Each Zeus bot runs a passive thread, which listens for incoming requests, as well as an active thread, which periodically generates requests to keep the bot up-to-date and well-connected.

The researchers have concluded (PDF) that P2P Zeus is a significant evolution of earlier Zeus variants. Compared to traditional centralized versions of Zeus, P2P Zeus is much more resilient against takedown attempts. Potential countermeasures against P2P Zeus are complicated by its application of RSA-2048 signatures to mission critical messages, and rogue bot insertion is complicated by the Zeus message encryption mechanism which makes the use of random bot identifiers impossible. Poisoning attempts are forced to use widely distributed IPs due to a per-bot IP filter which only allows a single IP per /20 subnet. The network’s resilience against takedown efforts is further increased by its use of a Domain Generation Algorithm backup channel, and by an automatic blacklisting mechanism. P2P Zeus demonstrates that modern P2P botnets represent a new level of botnet resilience, previously unseen in centralized botnets.

On the legal side, the creator and users of Gameover Zeus are difficult to prosecute. This is because the cyber attack scenario has shifted its nature and territorial scope from being fun and regional to become a potential tool of cyber warfare and cyber espionage. We have no globally acceptable international legal regimes for cyber attacks as on date. Thus, international legal issues of cyber attacks are yet to be resolved.

Cyberspace also put forward complex problems of authorship attribution for cyber attacks and anonymity. Cyberspace also gives rise to conflict of laws in cyberspace where multiple laws of different jurisdictions may be applicable at the same time. Thus, cyber security and international cooperation cannot be separated in these circumstances. Nevertheless international cooperation among law enforcement agencies of different Nations and entering of extradition treaty among themselves can be a good beginning. Some success has already been achieved in this regard and more international cooperation is expected very soon in the cyber law and cyber security fields.

Intelligence Community, Social Media And Open Source Intelligence

PRAVEEN DALAL MANAGING PARTNER OF PERRY4LAW AND CEO OF PTLBIntelligence Community has been engaged in “Intelligence Gathering Activities” for long. This may be covert or overt, technological or non technological, legal or illegal and so on. But this gathering exercise was there and it is going to be there in future as well.

However, modern practice of Intelligence Gathering is crucially different from traditional practices. Traditional Intelligence Gathering was more on the side of Human Intelligence (HUMINT) whereas the contemporary one is based more upon Information and Communication Technology (ICT).

As far as Technological Intelligence Gathering is concerned, Social Media is a “Favourite Destination” for Intelligence and Security Agencies. Social Media is a favourite destination because it is a “Gold Mine” of valuable and voluntary information available for ready reference. Social Media also provides the best platform for Open Source Intelligence (OSINT).

Social Media also, in majority of cases, provides a “Legally Obtainable” and “Legally Relevant” Evidence. Since the “Information” or “Evidence” is available “Openly” and to “Public at Large” and in a “Non Confidential” manner, generally any such acquired Information or Evidence can be “Relied Upon” in a Court of Law. However, “Admissibility” of such Evidence is subject to the “Discretion” of the Court and well established “Legal Principles”.

Besides Intelligence Agencies, Military Forces are also using Social Media to gain Information relevant to their uses. Military and Intelligence Agencies have been using “Fake Profiles” to get such Information. The aim may be to get a “Predictive Behaviour or Trend” or to obtain any other Information that is of “Strategic Importance”.

Getting Information from Social Media requires good Communication and Data Mining Skills. However, while doing so, one must not violate any Civil Liberties or Laws Protecting such Information. Although many countries have Social Media Laws, we have no dedicated Social Media Laws in India. Even we do not have any Social Media Policy of India.

Social Networking Laws in India are urgently required. To start with, we must have a Social Networking Policy of India. Open Source Intelligence through Social Media Platforms would raise a number of Techno Legal Issues, especially Civil Liberty Issues. For instance, questions like what constitutes “Public Data”, how can a Person Legally obtains Data, what is the “Relevancy” of such Information/Data, how the “Admissibility” of such Information/Data would be decided, etc would be asked.

Similarly, Privacy Issues, Speech and Expression Issues, scope and nature of E-Surveillance, etc would also be required to be resolved in future. This is a new field for both Law makers and Law Enforcers and needs an “Urgent Attention” of Parliament of India.