India InfoSec Gallery..

India in the news for cyber espionage

2012-01-16T08:54:00.000-08:00

Update Jan 18, 2012
Symantec has announced that they were hacked and the source code has been stolen. This brings a new story within the story.

http://www.reuters.com/article/2012/01/17/us-symantec-hackers-idUSTRE80G1DX20120117

Is this for real ? Is there much more to this story ?? First Yama made huge noises about the hack and all the other stuff at which point Symantec was quiet and all of a sudden Yama is quiet. What happened to the Norton source code which was to be revealed and all the documents which were to compromise India.

What I find intriguing is the rant against Sunil Mittal, the Chairman of Bharti Airtel - I mean why him ! Of all the people in the world. And the fact that Symantec may have been hacked way back in 2006 and the disclosure is happening now.

Is this Yama some one who has a problem with Bharti ? Is this a social engineering charade ? Whatever be the case someone somewhere must be laughing, someone somewhere must have been booted out of a job and a lot of people somewhere are working hard trying to unravel this mystery .. identify Yama and Co, talk to the US folks, re-establish the identity of a non-aligned nation :) and more...

The last two weeks have seen a lot of media coverage in India and overseas about the disclosure that Indian intelligence agencies had hacked a US-Chinese business association and that major phone manufacturers had been arm twisted to create backdoors in their devices that allowed the hack-espionage activities to take place.

We read this and similar articles
China Not The U.S.'s Only Cyber-Adversary
Reports of cyberespionage out of India are a wake-up call for U.S. businesses, government agencies

Then this ...

Fake memo but real code? India-U.S. hacking mystery deepens
(Reuters) - A memo that triggered a U.S. investigation into a possible cyber-attack by Indian military intelligence is probably a fake, but it is clear from leaked documents that serious security breaches did take place.

followed up by
An interview with Yama Tough a member of the Lords of Dharmaraja on Infosec Island.

All I can say is that the information / misinformation brought about a lot of confusion (who is this LofD and so many people saying so much and nothing), disbelief (India !) and surprise (don't tell me some Indian did this !)

To add to all the information, misinformation, confusion, disbelief and surprise were my own thoughts about this report which I want to articulate here - first there was a categorical denial by one of the topmost Government officials on one of the groups I am subscribed to. This set my mind to rest until the reports got blown up and there was much more on the internet.

Symantec acknowledged that their source code was compromised but then I have a question - how many places do you hand over source code ? a handful, right ...and then if you are handing over source code to anyone you will have some agreements in place and you will always know where it is and how safe it is. It seems Sym is clueless - yes code is compromised; but where did these guys get their hands on it ? They do not know!

Now we read that NAV is also being released - the source code I mean. We will need more space to hide embarrassed CxO's.

About India unleashing a major cyber espionage initiative, I seriously have my doubts. Ethical hackers, malware specialists, technology gurus are in real short supply for the Govt of India (GoI). The major issue is that government salaries suck and these guys can make more in a day than in a month. Of course there is a small number of geeks and geniuses but they have their hands full trying to keep the enemies out so where will they find time to launch an attack ! Wishful thinking and we are still far far away.

From the interview with YamaTough it is obvious he does not have a very high opinion about security in the GoI environment. Some stuff he says about the Government setup is true so how does one believe that these cloak and dagger organizations have the skills to carry out such an attack.

In any case, lets wait to see the next tranche of documents that are due for release...

Changing Gears

2012-01-14T06:07:00.000-08:00

A new year and a change in my approach to blogging.

I have been commenting on incidents and events reported in the media and I believe it is time to move on to sharing my thoughts, my experiences and observations in the InfoSec domain.

I call it a change of gears and hope that this will give rise to opportunities for interaction with visitors.

Launching the Tihar Jail Club

2011-07-01T23:10:00.000-07:00

Shockingly ministers, murderers and convicts roam around freely in the Tihar jail. Mr Kalmadi who is in jail for the CWG scam is having tea with the Jail Superintendent ! How good is life inside a jail and is this punishment ? Well foggetaboutit ! This is an exclusive club and you have to be a big time scamster to be able to get in. If you are sure you are going to be in trouble, apply soon....

===================== TIHAR JAIL CLUB ======================
hum (ne) mara India (we screwed India)
============================================================
high tea, hospitals, toilet training for the superscamsters
============================================================

Members have the privilege to meet and hobnob with the high and mighty, participate in big money scam methodology workshops. Opportunities of high tea with jail superintendent and other officials. Develop friendships with people from different professions like murder, rape, cheating etc. You will have a lot of free time in hand to develop these skills too and contribute more crap to society. Non negotiable participation in daily squat yoga sessions where you learn new toilet skills. High profile TV and media coverage assured (even when visitors come).

Pre-qualification requirement: You must have cheated your country in the interest of national security or development. The more the better and the higher you were in society the higher you are placed in the Club totem pole.
NOTE: Please do not apply if your scam is less than 10,000 cr

Membership fees: none - just meet the pre-qualification requirement.

Associate Members: These are members who will be inducted by 'association' - murderers, rapists, charlatans, gun runners, mafia types and such who will teach this elite new skills and provide insights.

BREAKING NEWS: A preview of the Club was launched and you can see the power - 24 hours live coverage and dismissal of Jail Supdt.

-------- EARLY JAIL_BIRD OFFER NOW OPEN -------

--- PRE-LAUNCH MEMBERSHIP OFFER ---

--- APPLY BEFORE YOU ARE CAUGHT !! ----

===================== TIHAR JAIL CLUB ======================
hum (ne) mara India (we screwed India)
============================================================
high tea, hospitals, toilet training for the superscamsters
============================================================

A CEO's bad dream coming true.. haped

2011-05-06T19:47:00.000-07:00

You are a business leader and a tech savvy company so whats your worst nightmare ? Is it webserver or email outage or software glitches, data theft, mass attrition, virus attack, connectivity breakdown, laptop crash etc or a security incident like a defacement or iframe attack ?

Whatever may have been the answer I believe that being hacked will be the one nightmare you did not have because it is the mother-of-all-nightmares. The reason is simple - someone you do not know, comes out of nowhere, screws you by copying all the data that you have (including your personal collection of dirty pics) , and this guy does not even have a proper name !

d3hydr8 is not even a proper nickname - if your parents had named you d3hydr8 you can imagine the horrible time you would have had when growing up

OK so just when you were cruising along the business superhighway, having a good time, this cracker, this nameless guy, this low member of the human species messes your chaste self and goes and tells the world.

Imagine the gall of this guy who has committed a crime by haping you and then going and telling the world how much fun he/she had making it through the holes in your environment. And just when you were going to keep quiet about it because who (in his / her right mind) will go about telling people "I got 'r...d' or 'ha...d' "

Now that you have lost your jewels and are no longer chaste you have to face the humiliation of being branded promiscuous. What !!! Oh yea, my dear Mr CEO welcome to the real world. You remember all those nice moral policemen who say that if you wear tight clothes (or revealing ones) you are inviting assault. So now that you are a "hapee", you have to prove to the world that you had proper stuff in place to defend yourself and you may have to pay the people who had entrusted their data with you.

Your reputation mirror now is cracked and blackened as you are no longer chaste, the word is out on the internet and it is impossible to erase anything, you will have a nice amount of legal expenses coming up, you have to find scapegoats (your mistress, gf, enemy, Pakistan, LeT... someone, anyone who talks or writes about your hape).

While you should be happy you have made it to the history books, this is one book you did not want to be mentioned in !

Yes this is the worst nightmare you were scared to dream and kept living in a fools paradise telling yourself "it can't happen to me", "we are too small to be attractive", "what will the haper find to be of value". Beauty lies in the eyes of the beholder and maybe it is the guy next door seeing you everyday who finds you attractive enough to hape .

So your worst dream (the nightmare you were too scared to have) comes true and you must first go to the only private place in the world (a.k.a. loo) and cry. Yes shed as many tears as you can because in the next few days and weeks your life will not belong to you and you will be so lonely you may go nuts.

Many discoveries will be made - the world is against you; every bit of news on the net is about you; people do not have any work to do and are just spending their time gossiping about your hape (it hurts bad, and the hurt will stay forever); for every site you curse, there are 100 tweets and new sites that come up ! Oh God, if only I could just blast everyone. Life was so cool I had everything under control (PCI, IT, ST, CC, ISMS whatever alphabet) and now life has, all of a sudden, become a bitch.

All I can say - take it easy. Don't start raving and ranting at everyone who talks about you. It is not possible to stop websites quoting other websites and you cannot send emails to every registrar in the world complaining like "Uncle, uncle - he is repeating what that world is saying about me. Please take him down because he is not repeating my words, only theirs ! "

The internet is the big humbler in today's age. Hundreds and thousand unknowns will join up in a just cause so if you are haped don't show your muscle online, try truth and humility and you will win friends and helpers by the thousands

Then All the kings friends will help put Humpty Dumpty together again.

Unfortunately I have just seen evidence of some post-haping vindictive action and am shocked at their lack of knowledge (and acceptance) of the online world (inspite of being a 'leader' in this domain). The 'complaint' is funny and shows a badly hurt ego looking for a scapegoat. A dignified response may have earned them many supporters and sympathizers but that is least expected when you consider that the corporate statement about the hape was totally in denial.

So now, as I write this there are 1000's of tweets and sites that are carrying this information so are they going to take down each and every one of them ! Fundamental Incident Management is missing too.

The Theory of Hape

2011-05-06T12:57:00.000-07:00

Earlier today, in conversation with a friend we jokingly talked about the situation arising out of the hacking news and the gobbledy gook dished out as an explanation by the hackee CEO.

Having a drink later, I had an Eureka moment and conceived the theory of Haped.

Haped, my friends, is a new cyber term for being hacked - the reason why it is "haped" is because the site (or organization) has been raped.

Once haped, life is never the same. Your hidden fruit has been tasted and a million explanations will not bring back your innocence, your original configuration, your OEM feel, or your default settings... that virgin state. It's like the crack in a mirror which is always there when you are looking at yourself and you will keep telling the world how the hape did not disclose the holes .

The Theory of Hape (abridged):

   Every system or technology environment is built with known or unknown holes all over waiting to be penetrated an exploited.
   After a hape, weak controls and dirty data is exposed to the world and management has to run around trying to save their reputation, jobs and more.
   Hape is inevitable if one thinks that having devices, AV and certifications means total security ! Anyone living in such a fool's paradise must be prepared with red faced excuses followed by ulcers, resignations and silly accusations aimed at all and sundry.

Corollary 1:
When buying security services with an L-1 mentality you are bound to get the feeling of The Emperor's New Clothes (http://en.wikipedia.org/wiki/The_Emperor's_New_Clothes) - sooner or later you will be hapee (no pun intended).

Corollary 2:
If haped, talk and walk straight. Jalebi (Gobbledy gook) stories drive away sympathy or help and bring ridicule.

Explanations:
HAPE: a cyberworld term coined to mean a site or system that has been hacked. It is a combination of the words hacked and raped which (sort of) mean the same thing in their respective worlds.

THE EMPEROR'S NEW CLOTHES: A story about an egoistic king believes he was wearing a robe that was invisible to the lower class whereas he wasn't wearing anything.

MAJOR OR MINOR HAPE: Small incidents like a Website defacement, iframe attack, or a large scale incident like a DOS attack, data theft etc.

'Cyber Cowboys' ! 'If you are a pirate I shall DoS you' and such silly acts...

2010-10-25T02:01:00.000-07:00

By Suseela N and Dinesh Bareja

The game has just begun. Hollywood and Bollywood production houses have tied up with anti piracy outfits to try to secure their movies and profit from the naughty junta.

But the question is – is the modus operandi justified? This is how these anti-piracy work . they send a copyright infringement notice to the IP address owner who hosts pirated movies. If the owner does not take down the movies, another notice is sent. If the owner still shows no response, they launch a cyber attack! These sites face denial of service (DoS) attacks. In simple words, the site is flooded with millions of automated requests to download the files. With the site (usually) being unable to handle such huge load of requests, it crashes.

Read this: Cyber attacks are illegal in most countries including India. International law prohibits cyber attacks.

So what does one make of Girish Kumar, the managing director of Aiplex Software? He is not a law maker, he is hacking someone’s private domain. in the real world one sees criminals using muscle power and in the cyber world, Mr Kumar is trying to use cyber power. Unfortunately, he does not seem to have a clue about the business and comes across as a sabre rattling script kiddie. His business is SEO and maybe he should stay in that domain.

What this company has done or proposes is illegal and I am surprised he has not yet been paid a visit by someone from the law enforcement team. In the meanwhile he has been hit by the pirates after which he stopped making silly claims about ridding the world of piracy !

Going deeper into the issue.

Will DoSing resolve anti-piracy?
Has the pirated Microsoft software affected the status of Microsoft giant?
What causes piracy?

Attacking with denial of service will hardly affect cyber piracy because there are many torrents that cannot be detected. Also, note that pre DVD copies are made using the downloads and sold in the market. SO HOW IS THE DATA SECURE? Interestingly, anti pirate outfits like Aiplex are paid good money per movie by naïve movie producers who should understand this as an unnecessary overhead cost, a scam and an illegal act. Probably, something they can save for their next movie!

What the producers should also realize is that they can also be held under the IT Act for abetting illegal online activities!

Lets talk about Microsoft and let us be honest about the software. While a small portion of the population in the world uses genuine version, the rest uses pirated copies. Inspite of the widespread piracy Microsoft is still a giant in the software industry. They did pull up their sleeves on cyber pirates like launching an anti-piracy campaign in China (Oct 21, 2008) but today they too have accepted the existence of pirates. This is what Microsoft’s Paul Cooke says in his blog – Pirated Windows 7 will get updates.

Microsoft is not supporting piracy but they are dealing with the situation logically. For example, pirated software will not be able to access necessary updates from the website.

A better way to handle cyber piracy is to put the vulnerable data under strict security, right from the origin.

The greater the number of hands exchange this data, the greater the chances of leaks. Keep the data to a closed trusted group.
Use encryption technology. Use it such that the encrypted form is unable to run on unwanted machines.
On a lighter note, theatres can show movies that can only be viewed using special glasses. This can make the con man’s recording device useless.

Anti-piracy outfits like Aiplex should stop pulling such scams and stay away from mafia style acts of DoSing. First, this is an illegal activity so they are illegally trying to wipe out another illegal activity. Its like you do not go killing criminals just because they are criminals. Second, don’t enter a personal domain without RIGHTS! Cyber Police exists to take the necessary action. Stop treating yourself a messiah, God, or fake Tom Cruise of Mission Impossible. YOU CANNOT WIPE OUT CYBER PIRACY! Not by DoSing a handful of sites because there is no way you can reach every site on the net.

Finally, this guy seems to have started trouble for other outfits like the RIAA, Australian Motion Picture Association etc since they all came under attack by this hacker outfit ‘n4chan’. Another self styled cyber vigilante is this law firm in USA that was also under attack.

Interestingly, Mr Kumar, at one time was offering his services and awesome knowledge to the Australians on telephonic interviews and after being attacked he has been saying that he never did any of these things and has been misquoted by the media.

Well sir, you got your X minutes of fame and now you have also got yourself a place in the hall of whatever where your ‘naïve claims and exploits’ will be preserved for eternity !

Wipro among top 10 Security firms - Forrester Wave report

2010-10-19T07:04:00.000-07:00

This is great ... we do have world class services in Information Security !

The Forrester Wave™: Information Security And Risk Consulting Services, Q3 2010

EXECUTIVE SUMMARY

In Forrester's 75-criteria evaluation of information security and risk consulting service providers, we found that Deloitte led the pack because of its maniacal customer focus and deep technical expertise. PricewaterhouseCoopers (PwC), Ernst & Young, and Accenture are market leaders due to their security expertise, breadth of services, and global reach. KPMG provides excellent strategic work and boasts great client feedback. Verizon Business has been quickly catching up to the Leaders due to its focused strategy around security services and flawless execution. Wipro now offers a viable offshore alternative, while HP and IBM have renewed their focus on security consulting services by integrating security competencies from different parts of their business into a coherent unit. BT Global Services continues to provide pragmatic risk-focused consulting services across the globe, and AT&T's recent acquisition of VeriSign's security consulting practice will make it a formidable competitor in this space. Protiviti may not have the same breadth of services, but it delivers excellent customer-focused risk- and compliance-driven services.

The above is an excerpt quoted from the Forrester website.

Pre-purchase Security Testing for Telecom industry - DoT_MHA_PMO playing tag

2010-08-14T09:55:00.000-07:00

Another day another fiasco and we are witness to some governmental “jaana tha Rangoon pahunch gaye cheen...“ (a ditty from an old Bollywood movie meaning I wanted to go to Rangoon but reached China) sort of action.

Am quoting three articles that are referred and show the uni-directional forces that are acting in this multi zillion rupee valued domain.

Aug 10, 2010 (DNA, Mumbai)

Tele-equipment imports delayed on security reasons

Aug 11, 2010 (Times of India, Mumbai)

Home ministry tells DoT to put 3G on hold

Aug 13, 2010 (Times of India, Mumbai)

PMO reverses DoT steps on equipment

For sometime there has been a lot of ‘noise’ about hardware and software used in the telecom sector and the risk this poses to national security. Reports have surfaced about Trojans, spyware and cyber espionage and a lot of sabre rattling ensued.

Then as per the news report of Aug 10, 2010 the Department of Telecommunications (DoT) asked the suppliers to be ISO 27001 compliant and then goes on to state obvious ISMS goals. Hello Mr TRAI – how does this resolve the national security issue? I mean you are asking the company to be ISO compliant and that will just make their internal processes secure and efficient etc but it does not provide the remediation to your risk.

Reminder... your risk is national security and not the lack of security in the supplier’s organization. You seem to have lost focus.

The good thing is that they have also said quote "...submission of test reports, equipment configuration requirements, report on susceptibility to the attacks on GSM and CDMA networks, security from malware, cryptography related security issues." Unquote.

Well the Home Ministry then said that 3G cannot happen if the telecom vendors do not meet the security requirements expected by government. Why didn’t government think about this pre-condition earlier but more about this later....

Today (Aug 14, 2010) it is reported that the PMO (Prime Minister’s Office) has, for all practical purposes, reversed the DOT’s stand by saying that operators are free to either go with the “earlier security vetting regime” or with the “new agreement base regime”. Good for the operators and their vendors and for the PMO.

I am not against security - but reactive and flip-flop positions by a responsible government body is not good for business or for the country. The same media report quotes 'babus' going on record saying that they are “mere postmen”. The government and concerned departments do deserve a wake-up call with respect to arbitrariness.

National security is not something to be trifled with – whether in the conventional sense or in respect of technology. Telecom companies have security knowledge and expertise and their internal controls are pretty good. They could have easily provided inputs to government to build strong requirements in the first instance - when they were conceptualizing the policies for telecom rollout, bidding etc.

On investigating DoT directives I find that they have been thinking about this since 2005 when they proposed to set up a Telecom Testing and Security Certification Centre (TETC) (Outcome Budget 2006-2007).

Then why have they started making these demands since Feb 2010 - demands for pre-approval of companies and products that want to supply to Indian telcos. Sorry! They did not even think about it (the need for national infrastructure security) until we read a media report about the malicious activities of hackers uncovered by foreign universities.

Since 2005, the TETC has been handed over by DoT to C-DoT and the 2010 - 2011 report says that they have developed testing guidelines. Unfortunately the C-DoT site does not mention TETC so there is nothing about the testing business.

For the security clearance, DoT has a simple form where the vendor has only got to give some information about the product and company and they will give a clearance in 30 days, else it can be assumed certified. On what grounds will DoT provide assurance to the public that this is secure ... this is a mystery.

India is considered to be a super power in the realm of Information Technology and we continuously fail to demonstrate our leadership. So may reasons and incidents but I do not want to digress. In any case, it seems that we, as a country, are unable to define essential security baselines for capital assets meant to run our critical infrastructure.

What is needed is a firm set of security guidelines and standards that define the expectations of the government in respect of hardware and software. The government cannot expect EVERY company to provide it with their source code and this is a ridiculous demand. If the company does provide them with source code, does the government have the guts to provide adequate assurance and insurance against loss or leakage? It dare not!

What is needed is to develop adequate capability for hardware and software testing at various government labs at NIC, STQC, NTH etc., or, to recognize / authorize private institutions. These labs would undertake the testing of hardware and software, in accordance with the requirements defined in the security guidelines. The TETC lab that is proposed is a great thing, but it does not seem to be happening... and how long will be the wait.. and can we expect an incident in this interim?

Companies wanting to supply hardware / software to telcos, defence establishments and other areas can put their products through the testing procedure at approved labs and obtain version level certification from a designated authority (CERT can easily take care of this and it is well within their mandate).

The methodology is easy to set up and can be made applicable to installed and proposed infrastructure - whether Indian or foreign. The government can allow the companies to register the list of assets and provide them with a time frame to comply. Change is not easy and the government did not take the opportunity to build security in - now it is bound to be a difficult task and all along the way there will be many more instances of different orders from different ministers !

High time, a proper security framework was developed and DSCI can help since they have done a pretty big and good job in developing the Data and Privacy frameworks. Whatever is done and who ever does it - DoT, TRAI, C-DOT, MHA, PMO... please do this quick before some new reports crop up about malicious attacks and espionage.

Dangerous corporate relationships - what an idea sirji

2010-08-12T06:20:00.000-07:00

Update: Aug 14, 2010
People just don't have the patience to read and are getting personal. So I have removed names involved... infer what you may!

I woke today to see headlines about the newest victim of sexual harassment in the workplace...

Aug 12 - Resignation of Idea Cellular's Chief Marketing Officer
http://www.mumbaimirror.com/article/15/2010081220100812025557903a5a89ba8/Top-idea-executive-charged-with-sex-harassment-quits.html

Reading through the article I could not help but feel sorry for [a] CMO and his family; [b] Chairman and the Company; [c] the telecom industry and [c] the lady who has charged misconduct and her family.

My opinion - Shooting straight from the hip (as usual) is based on this one article in the Mumbai Mirror, and I will refer to it extensively because I am going to read between the lines and you may find my digressions interspersed in italics -

[a] The accused - he is called one of the 'brightest sparks' and has been with the group for over 8 years. Inspite of the 'brightness' with reputed institutions behind him, he chose quit and not make a statement before the committee that was investigating the charges. And that too when he could have easily shot down the charges.

Why quit for something that is not proven and not fight back for your honor - get them to fire you ! Then he could have claimed wrongful dismissal !!

That he lived with the charges for two years is another black spot - why did he not actively pursue for closure when the first charges were leveled two years earlier. Obviously a lot of legal advice has been provided and this formed the basis of action (or lack of it) - so now he will be pronounced anecdotally guilty !

Read the report of the investigating committee and you find that it has gone to great lengths to state he is not guilty so why quit so why did he not lodge a complaint and allow the cops to take this incident to a logical conclusion.

It is always tough on the family and this one will be no different, and neither will life be different for him.

[My opinion] The newspaper report does not mention any closure. No complaint has been filed; no settlement is made. Nothing at all to suggest that animosities have been locked up and the keys are at the bottom of the sea. Of course both parties must have had to sign a hundred pages of legal documents and I am doubly sure they may not have read it.

[b] The firer - the investigation committee seems to have been constituted to fulfill a policy requirement but the decision seems to have been based on PR considerations. "Out dammed spot !" - is the only dialog I remember from Lady Macbeth but I also remember that dammed spots do not go away easily.

The committee accepted printouts of the SMS messages but did they get cellphone records too. Since they are a telecom provider themselves it is easy to access the records of their own people. Their findings are :

- the harassment charge and non-promotion are not linked so they do not accept her argument here!
- they cannot establish if the evidence (SMS messages) was genuine since she has submitted printouts.
- late night messages between someone your junior is inappropriate ! (hello ! So do u have a policy which says that you should be attracted only to people who are three rungs your senior or three places removed. A new fatwa on appropriate corporate behavior)

The harassment charge was leveled first two years earlier and that was not closed, and now again last year - so why did the company sleep on a potential workplace conflict situation ? If only a shareholder can file an RTI request there will be a lot of interesting papers to read. One more question that comes to my mind is that if there was this two year old charge why was the accused on the team that carried out her appraisal... how come she continued on his team and HR did not do anything to change her reporting authority.

Whoops .. sorry Idea ... ek aur question - are the SMSes one year old or two years old or fresh ? Obviously if the SMS is like two years old, we have a different motive to look at now. If they are new then I am sorry to say that he did not learn his lesson when trouble brushed past him during the first instance. I shall never know but may be some newshound will sniff out more information and share.

My curiosity is only to add to my learning and this is not a gossip or I-wat-to-gloat-on-your-misfortune request.

Finally there is an "overwhelming feeling in the company" that his "conduct did not amount to sexual harassment" - time for another hello ! are you being contrite just to assuage your guilt ! If this was NOT sexual harassment then why is the newspaper screaming SH ?? who is responsible for this ??

[My opinion] The company seem to have a weak incident response, incident management and remediation process. They have not resolved potential conflicts leading to the loss of a high performer. If there is truth in the charges and this had been closed two years earlier there may have been more "bright" ideas sirji in time to come! Now they have to search for a successor and this has to be done pronto since the CMO seat is now vacant.

Eight years is a long time and I am sure many other seniors/peers in the organization felt very bad about letting him go but that does not absolve them of the error of inaction or early action.

Surprisingly, when the investigation committee has given a clean chit the press is talking about sexual harassment - so who has created this PR bungle ?

On July 22, MediaNama reported that he is leaving the company to pursue personal interests and on Aug 12 Mumbai Mirror is screaming sexual harassment ! There is an obvious leak somewhere or is there more here than can be seen... rivalry, revenge etc

I don't think this is going to go easy - I am sure a non-poaching clause was inserted it the F & F with him but is there an I-will-not-leave clause with the people whom he mentored or worked with ? And there will be a date when the non-poaching clause will die - besides, how does one prove that some who joined him was poached and in any case there are a zillion ways to get around this.

"Employee Churn", "Attrition", "Head Hunting", "Poachers"... combine these words with morale et al and a picture emerges which may not be very pleasant.

In any case,sir this is your baby and my purpose is to comment on incidents and I am going to also write about sexual harassment so you may want to keep a watch on my blog.

[c] The accuser - about two years earlier she wrote to HR accusing him of sexual harassment but did not provide any evidence to substantiate her charges. HR withheld his increment based on the accusation.

Last year she accused him again and wrote to the chairman asking him to intervene and a committee was set up which I have written about. Now she has provided evidence in the form of printouts of SMS messages. The committee says that they cannot infer whether these are genuine and that there is no case for harassment and the company says that this was not a case of SH ... whatever .... he resigns and she has conveyed her "delight" to the senior management at Idea.

End of story.

However, my point of view must be made since this is my blog and I want to have the last word -

[My opinion] It is not easy to live in a man's world and to carry on a fight for sexual harassment for a woman. And when the woman is in sales it will be a bigger challenge because you are constantly engaged in inter-personal professional relationships.

You have to admire her confidence in her case because she withheld her mobile (prime evidence) and presented hard copies of the SMS messages and got the committee to accept this - now that is good legal advice and negotiating skills which seem to be missing elsewhere.

And I am curious to know why did she not present any evidence when she first reported the harassment by registered mail maybe someone will enlighten me someday ! If she continued in the company for a year after the first compliant she must be interacting with him all along so how come no one knows about the relationship ... good, close, only friends, enemies, hate etc. Certainly HR needs to come up with some sort of explanation.

And if this did not affect the work it is awesome ! Then what will ?

Finally a tongue in the cheek comment - is this the reason why we see Abhishek Bachhan morphed into a tree with wiry branches in the later day ads after the hugely successful Sirji campaign. The one where he whacks someone for cracking a sick one... post pedh or pre .. whats up sirji. (for the non-Hindi speakers - this is a take on the words post-paid and pre-paid as used in cellular phone schemes ask me to explain a sick joke and i wont like it)

Mark Hurd from HP, David Davidar from Penguin, Phaneesh Murthy from Infosys were achievers and lost a lot when they were ousted on charges of sexual harassment. A lot of money and more - so stay clued in for my next blog on women :) I surely have developed a new point of view.

This link will take you to my blog about women in the workplace....

Part 2 - Indian Embassy ... old domain is a porn site !

2010-07-09T03:08:00.000-07:00

Recap : Indian Embassy in Bahrain had a domain name indianembassy-bah.com and they seem to have had a fallout with the website development company so they moved to a new one and took up a new domain name indianembassybahrain.com

You must note that they did not take their domain name - maybe they thought that it is provided by the "admin" of the site !

My earlier blog post is here...

Now they are proud of their new website - indianembassybahrain.com and they still do not know that their domain name does not belong to them.

A whois query shows neither the Embassy nor the Ambassador or any officer of the Government of India named as Registrant, Administrative Contact or Technical Contact. The domain is owned and controlled by the same company that has developed the website for the Embassy, albeit in a different name !

The Website is developed by a company named Elite International and the Domain Registrant is a person using his yahoo email address.

So where does this leave the Indian Embassy in Bahrain with respect to their so called 'gateway' ? Simply put - it does not belong to them and another domain is waiting to host XXX sites the day they fall out with their service provider.

My observations are based on the statements usually carried in the news article that I quote and when I read the original media report I am sadly shocked to see the Embassy officials saying that they are trying to contact their website admin to get the old domain name back.

These guys have (obviously) not learnt their lesson and continue to play with the reputation of the country. A domain name for the Embassy is as sacrosanct as the embassy premises and this internet address is MORE permanent than the physical location. A physical location will be visited only when the person is in the country but the internet location can be visited from anywhere in the world and there is no "chaprasi" at the gate to ask silly security questions or to make sillier frisking gestures.

Then the embassy officials have email addresses which are on batelco.com.bh. They might as well have gmail or yahoo or hotmail addresses. Sensitive positions in the mission (for example the consular officer can get emails relating to visa applications) must have email addresses which are allocated on Government of India servers. In simple words the email address must be @mea.gov.in or @nic.in

As I make this statement against the use of non-official domain based email addresses, I do so without the knowledge of the security on these servers. However, basing my assumption on the savvy shown in their interactions in the domain name issue, I expect the passwords to be simple to crack or they may be shared too.

The Whois result for the domain name indianembassybahrain.com is here.

It is time for the MEA to really set some policies. Over the years one has seen a number of security breaches happening and these minor issues add to the recipe for disaster. Lax policies in respect of communication channels are bad. One does not expect the staff members at the Embassy to be tech savvy but the IT administrator or the security guys must know the risks.

Sometime back the Government had issued a directive to all departments to stop using public email addresses for official work and public email addresses musty include emails provided by ISPs.

It is common knowledge that ISPs have to monitor traffic and most governments mandate this. Here we have a diplomatic mission in a foreign country using local ISP provided email addresses for communication sensitive or not, damn the thought.

Before I close, I must share another thought - why should anyone be excused for not being tech savvy ? In this day and age every one is using or has to use computers and other devices. So he / she must know about technology risks and security. In the same vein one cannot excuse someone for walking in the middle of the road just because that person does not know what traffic looks like and that a vehicle can knock him/her down.

Domain names and the Government

2010-06-26T07:41:00.000-07:00

Update July 09, 2010
The Indian Embassy, Israel has acted swiftly to close this issue and the email addresses for the admin and registrant are changed to an mea.gov.in email address.
Great work and one hopes that there will be a standard policy soon !

Just discovered that the Indian Embassy, Bahrain does not have any rights over their domain name. I shall be writing in more detail about this and hope some people in power read it and take some action. An earlier blog post about the Indian Embassy, Bahrain fiasco is to be read in this context.

Why cant there be a standard policy for Embassy domain names ! Yesterday I wrote about the fiasco with the Indian Embassy domain name in Bahrain and today I checked the domain names for various Indian Embassies across the world.

I checked on 10 missions and got the information for six. The results are as follows

ISRAEL

Domain Name: indembassy.co.il

Registrant Email: hoc@indembassy.co.il

Admin Email:indembtel2@indembassy.co.il

Technical Contact: hostmaster@bezeqint.net

- their admin rights point to an email set up on the same domain so there is no way they can get their rights back without providing a lot of proof ! Same as New Zealand below.

AFGHANISTAN

Domain Name: meakabul.nic.in

- I wonder how come this is NIC dot IN and then there are GOV dot IN.

UAE

Domain Name: indembassyuae.org

Registrant Email:domains@cyber-gear.com

Admin Email:domains@cyber-gear.com

- another Middle East mess waiting to happen. I am sure the Embassy does not realize they do not have any control on their domain (as on date)

MOROCCO

Domain Name: indianembassyrabat.com

amb.rabat@mea.gov.in

- thank God this is a good one ! the address is gov.in

MEXICO

Domain Name: indembassy.org

Registrant Email:ekotulsi@hotmail.com

Admin Email: - none-

Technical Contact: - none-

- this is a great one - no admin or tech contact and only one email address which belongs to someone with a hotmail account.

NEW ZEALAND

Domain Name: hicomind.org.nz

Registrant Email:hicomind@hicomind.org.nz

Admin Email: hicomind@hicomind.org.nz

Technical Contact:support@telecombusinesshub.co.nz

- their admin rights point to an email set up on the same domain so there is no way they can get their rights back without providing a lot of proof ! Same as Israel above.

To ensure domain name protection the MEA can issue standard guidelines for the Embassies and I am taking the liberty of listing a few action items

1. The role of sysadmin / IT head at the embassy should have an email address on GOV.IN or NIC.IN - any one should be standardized. This address can be "admin_indemb@xxx dot INI"

2. Every mission must have a GOV dot IN domain name and the name can show the location country name.

3. The embassy must make the web hosting / developer to sign a contract in which they recognize that they are not the owners of the domain.

4. All domain name to be standardized - for example we can use indianembassy,com

5. Embassy must take back all creative materials like logos, content etc from the web development company.

6. If there is a need to change the web dev company or the hosting provided we have to be able to use our own ID to do the same and must always retain control.

Losing a domain name to unscrupulous elements results in a loss of reputation for the country and this is shameful. If the ministry has standardized policies relating to website content and presentation and there are guidelines for all other issues then why not ownership of small property items.

Indian Embassy ... old domain is a porn site !

2010-06-25T11:18:00.000-07:00

I keep telling myself that I shall stop writing about the bad things but then something like this comes along and I just get hassled.

Indian Embassy site becomes porn site

PTI, Jun 25, 2010, 05.05pm IST

DUBAI: A web portal which once belonged to the Indian Embassy in Bahrain has now turned into a porn site with a local telecom services provider blaming the mission for the lapse.

The Teen Porn website, located at www.indianembassy-bah.com, was used by the Indian Embassy before they moved to www.indianembassybahrain.com last year.

read the article online at the TOI site ..

It is obvious that the Embassy did not have the admin rights for the domain because they say that they dropped the domain because they changed administrators. I mean don't they have a clue about how domain names are purchased and how their ownership is managed.

The Embassy does not hold ownership to their own address and theey don't have a clue about this. The new domain name was taken in Feb 2010 and the old domain moved to the new owners (in Cyprus) in March 2010.

Now they have gone back to the company who did their website earlier and (obviously) they are told that the person who was looking after their site has moved to India. Well I do know about some people in that company and I don't think anyone moved back.

The first mistake is that of the web developer whom these Embassy walas are calling administrators. The development company must make sure that domain admin rights are with the owner and must educate that person about the value of the name.

The second mistake is of the Embassy folks who let go of a name they have been using for so many years just because they changed addresses. Did they not think for once that they have been using the domain name since 2002 and the web address is so old that it will still show up everywhere and can be misused.

Now a porn site is using the domain and it serves them right to be in this mess - both - the service provider and the Embassy officials.

Data theft from job sites in Pune -will it be only the thieves who will pay !

2010-05-11T02:08:00.000-07:00

Another case of data theft and we move on. In this case these guys have stolen the data base of job seekers on timesjobs.com and naukri.com and were happily selling and must have been making good money.

I have learned that they charged Rs. 10000 (about $250) for the Mumbai database from naukri.com

Pune seems to be the capital for such data theft cases and in any case it is a hyperactive techie city with a great community of startups. Cases like this don't help the reputation that the city is building up and citizens must come forward to report anyone they find engaged in digital / cyber crime.

There is a learning for the affected site owners too - it is obvious there is a gap in the security infrastructure. If someone has been able to get their user database then there is a lot of work that seems to remain to be done. Thank God there are no privacy and data disclosure laws. Thank God once again that the Indian public is not so hyper about their personal information.

Else, there is a clear case for anyone to launch a case against these portals and they would have to pay up a tidy sum to settle some sort of a class action lawsuit. Both companies have privacy policies and terms of use on their websites so I went to take a look at them, and this is what I found:

naukri.com - Privacy Policy
Quote
Information security
We take appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of data.
We restrict access to your personally identifying information to employees who need to know that information in order to operate, develop or improve our services.
Unquote

Timesjobs.com - Privacy Policy
Quote
TimesJobs.com respects the privacy of its users and is committed to its protection
Unquote
It does provide information about use of the data. A Security Advice page tells users to be careful about protecting their passwords.

This is the story published on Times Of India ....

2 Pune youths held for cyber data piracy
Pune May 07, 2010: Two youths, who allegedly ran a syndicate which stole data from major job websites and other IT companies and sold them to clients, have been arrested by the city’s cyber crime cell.

Child Porn - Armyman caught redhanded - shameful !

2010-05-09T02:00:00.000-07:00

The armed forces are in the news for the wrong reasons over the past few days. First it was a Major who carried classified documents home and his computer was hacked.

Now a Lt.Colonel, based in Mumbai, has been arrested for child porn. He is 42, and has been at it for a long time so he obviously sick and needs mental treatment. His family has distanced themselves from him - obviously who would like to be associated with someone engaged in such sick activities. Shameful to the extreme !

He is going to be cooling his heels once convicted under the IT Act and if the Germans succeed in getting him then he can be sure of more punishment.

Child porn is sicker than the sickest and there can be no mercy for anyone who peddles, accesses or creates this form of material. One also sees media reports from time to time about rapists and molesters who have been caught with minors and then there are other reports of sexual abuse of minors. Sad, to day the least that there are such sickos who indulge in such activities.

This guy was caught when the Mumbai police received a report from the German authorities via Interpol, and he was caught red-handed while engaged in uploading files.

Good to know that one sick human has been removed from our midst.

Media coverage...

Army officer held for child pornography
Press Trust Of India
Posted on May 07, 2010 at 16:14
Mumbai: An Army officer has been arrested for child pornography after he allegedly uploaded objectionable pictures on the Internet, police said on Friday.....

Army officer held in city for child porn
Mateen Hafeez & S Ahmed Ali, TNN, May 8, 2010, 01.59am IST
MUMBAI: A 42-year-old lieutenant colonel of the Indian Army was arrested by the cyber crime investigation cell (CCIC) of the Mumbai police on Thursday for allegedly posting obscene pictures of children on an international web site. ....

Timeline of Slippages in National Cyber Security

2010-05-07T02:00:00.000-07:00

There was this article about the computer of an armyman being hacked - on reading it I said to myself - this is old hat ! We do not seem to learn and continue to keep ourselves vulnerable.

Major’s comp hacked, info leak feared
TNN, May 07, 2010
Flouting Norms, He Kept Secrets In PC; Army Denies Spying

As we look at what has been happening in the past few years one cannot but ask - is this not enough to wake us up ? If not then are we waiting for the sky to fall.

I have put together a chronological list of hacking incidents over the past few years and (thankfully) there aren't many of them. However this does not mean that we do not put safeguards in place and this has obviously not happened because the same targets have been attacked time and again.

2010	May 07	Major’s comp hacked, info leak feared	Flouting Norms, he was carrying secret documents in his PC; Army Denies Spying.
2010	May 07	Chinese ‘son of ghost net’ grabs Indian secrets Rajeev Deshpande \| TNN	The list is big ! Indian Missions at Kabul, Moscow,Dubai, UK etc; a machine in the National Security Council Secretariat; Military Engg Services ... so much more!
2010	April 27	Woman diplomat accused of passing secrets to Pakistan, arrestedTimes Now	She was sending information to her handlers by email ! Her laptop is seized and being examined.
2010	April 28	India arrests diplomat for spying for Pakistan AP, Washington Post	same as above...She was sending information using email ! Her laptop is seized and being examined.
2010	April 06	China's cyber espionage - tip of a very large iceberg: InvestigatorSandeep Unnithan, India Today	This is about the Shadownet exposure. I am just linking to one media article, there is a lot of more about the research published on Shadownet and Ghostnet.
2009	Dec 00	Attack on PMO and other high ranking minister offices	The attack included other targets like the National Security Agency etc.
2009	March	Ghostnet disclosure	Researchers at Munk Univ, Canada announced their finding about Ghostnet and comprmised Indian assets.
2009	Jan 27	Embassy of India in Spain Serving Malware	iframe injection and the Embassy website starts serving malware.
2008	Dec24	Eastern Railways Web portal is hacked	Whackerz-Pakistan hacked the website and put up a message saying that cyberwar had been declared.
2008	after 26/11	Various portals attacked by a group named Pakistan Cyber Army	Indian Institute of Remote Sensing, ONGC, Kendriya Vidyalaya (Ratlam) among others that were attacked.
1999	x x	www.armyinkashmir.com hacked	The site was hacked and misleading photographs were posted.
1998	Oct	Zee News, India Today hacked by Pakistani groups	GForce Pakistan and Pakistani Hackerz Club make their claim to fame and call for a stop to nuclear tests

Another avoidable breach :(

2010-05-07T00:26:00.000-07:00

I read this report today and was feeling sad. Sad not about compromised national secrets but about the seeming lack of training provided in the basics of safeguarding data. Doubly sad that this should happen in a defense establishment and that too at the hands of someone who is a high ranking officer. An officer who has to set and lead by example but has failed in his duty.

Major’s comp hacked, info leak feared
TNN, May 07, 2010
Flouting Norms, He Kept Secrets In PC; Army Denies Spying

Another disconcerting observation is the seemingly casual attitude of the establishment towards this officer. They are going to take action "after" completion of their investigation to establish if there was any sensitive data on his machine and that he is back on duty ! This is a just great incident response.

Adult estore breach can bring about a larger risk...

2010-03-29T02:48:00.000-07:00

Sometime back it was reported that the estore selling condoms online could be compromised. The incident seems to have resolved itself since there were no further reports in the news about the same. Of course, the company has not issued any statement providing assurance that there was no other compromise / breach.

A malicious cracker will use such information to extract ransom from the site's users using the threat of public disclosure. Recently this happened in Japan where user information of an adult website was compromised. The criminals then contacted the users asking them to pay a "ransom" so as to protect their identities from being released online.

People pay up ! Yes they do... and pronto when faced with this situation. The problem is that you can very well use a assumed identity when registering with the adult website but you cannot use an assumed name on your credit card and the card billing address. This means that when the thief steals information he/she got all your data unless the site owner has put in some safeguards.

The only piece of advise here is - practice safe ... :) proceed with caution and make sure you are protected. All this sounds good but then there is nothing like 100% risk free and everything that tastes good is usually not good for the health. Besides, sometimes condoms are said to have holes too .. now that's what I call more dangerous than the holes in the network.

For your reading....

Durex India eStore spills customers' personal details • The Register
By John Leyden
Posted in ID, 26th March 2010 13:04 GMT
A site that sold Durex condoms in India has threatened a whistleblower with a legal nastygram in the wake of an admitted security breach involving leaked client details.

And about the ransom con..

New 'name to shame' extortion scam targets porn users
By Gregg Keizer
April 16, 2010 12:36 PM ET

Hentai anime fans' IE bookmarks posted online -- unless they pay $16 to remove proof of porn use

Critical Infrastructure Protection.. does anyone care

2010-03-11T22:53:00.000-08:00

And then there were floods - and they went to clean the Mithi River.

And then there was a terror attack - and they went to purchase bullet proof jackets and more.

Well we are waiting for an accident to happen at Mumbai airport to put in a back up test plan. Based on the news item in the Times of India today it is shocking to see that there are no tests of back up lighting systems !

The question that arises is - if this is the state of affairs in terms of critical infrastructure protection, then one shudders to think about how bad (good ! no way !!) it is at the airports in other cities.

Sadly the trend is clear - build stuff that shows how cool / developed you are. Build atop all the filth and grime and just cover up.

Crying foul after being caught !

2010-03-10T23:26:00.000-08:00

We did it when we were kids, and now, our kids do it - making excuses when caught with the hand i the cookie jar, or with the pants down .... !

And a lot of grown ups do it too. First they just overlook all norms of ethics and governance and then when they are caught in their web of lies and deceit they cry foul, blaming the establishment, politics, police, tax-man, competition, media and their executives (scapegoats)... whatever, but they never own up to their faults or say 'sorry'.

India now has it's fair track record - good enough to make it to the Hall of Shame / Fame with Satyam (the mother of all frauds - I mean if your parent screws you where do u complain), PwC (their complicity in the Satyam episode) and then PwC again (lying about their status about CMM certification to obtain a contract), then there was Wipro ($ 4 m embezzled due to lack of what? systems / governance etc) and now Bank of Rajasthan (Tayal family milking the bank).

I mention these incidents since they are top of my mind and may be missing some others for sure .. will appreciate any memory jogs.

A while earlier we had the classic example of PwC crying foul because they got caught telling lies - they did not have valid CMMi Level 5 certification which they did not disclose this or for that matter. Rather than apologize they went about trying to justify the non-disclosure of by them find fault in the clients process and saying that they had used this status to get other orders. Can't they learn ? When the Satyam scam broke they went about town saying their guys were clean, and now they say what they say.

Cry baby !

Well Bank of Rajasthan has the Tayal family who promoted it and the Reserve Bank of India has asked Deloitte to audit the lending policy and also the information security systems. Why should RBI direct this if something is not "very" wrong. And Mr Tayal seems to hold the MD (Mr Padmanabhan) responsible for all thats wrong with the bank just because he was appointed by RBI. Wrongdoings or losses do not happen overnight - to make a loss of Rs 44 cr there is a lot of effort needed, and it is as tough as making a rs. 44 cr profit. So now the Tayal family and friends hurt because the bank is no longer responding to their directions. Governance is nowhere in sight and another case of crying out foul... and when !! Read more about this here.

Wipro has got a good amount of flak from analyst firms who also mention about India being perceived as a fraud haven. Now that's not a reputation I would like to live up to ! Wipro's episode with the World Bank is yet to be wiped from analyst memory. And I shall reiterate my respect for Wipro having met good people who work there and knowing the have good systems in place. Apparently someone is goofing up and even small incidents can be blown out of proportion making damage control an expensive chore. Embarrassing too !

PwC .. more lies and misrepresentation - they need an lesson in ethics !

2010-02-22T01:32:00.000-08:00

I am amazed at the way people think they can get away with murder, again and again. Okay, admittedly we have some systemic weaknesses it the country but does it mean that I should just go on and on in abusing the system. Can't I learn and make amends.

Here I am talking about Pricewaterhouse Coopers (PwC) - Big 4, decorated Audit firm in 2009 (clearly this is a joke) and what not. These people are supposed to be providing advisory services in audit, ethics, governance etc and seems they need a big lesson in this themselves.

That was the tom-tom part. Now comes the stink - infamous Satyam audit firm. Yes the same firm that could not find any errors in Satyam's accounts for so many years.

Now they play games like - if-I-did-not-say-it-I-did-not-lie :).

PwC has been disqualified by CPWD (Central Public Works Department) for misrepresentation of facts relating to their qualifications. In simple words, CPWD called for bids for their eGovernance project... the terms mandate that the bidders to be CMMi Level5 certified... PwC says they hold the certification... but it seems their certificate expired in 2005 !

To cover up they respond saying that the CMMi appraisal is going on, and in any case, since the contract is for "software consulting" and not for "software development" so CMMi is not needed !!

Well if PwC can tell lies about their qualifications then I can imagine the standard of ethics that the can currently offer. If they had gracefully withdrawn calling it an oversight I could have lived with the statement but when they are out to justify the lies in true traditional form then all I would like to do is say a lot of uncomplimentary stuff.

Like I said at the beginning of this piece, yes we have systemic problems we live and struggle with (in India) but then do you think you are a BIG name you can get away with such criminal acts. There is something called ethics, morals, good business practices etc - will be good if PwC cleans their house before offering governance and risk services to clients.

http://epaper.mailtoday.in/epaperhome.aspx?issue=2222010
(Page 30)

PwC caught on wrong foot
again and denied deal
By S. P. S. Pannu in New Delhi
CPWD bars firm from getting e- governance job
IN YET another major embarrassment for leading consultants PricewaterhouseCoopers ( PwC), the Central Public Works Department ( CPWD) has disqualified the company from an egovernance consultancy contract for “ misrepresentation” of facts while bidding for the tender.
The controversy comes at a time when PwC is striving to revive its image after the battering it received in the Rs 7,800- crore Satyam scandal.
PwC had emerged as the frontrunner for the CPWD contract but has now been disqualified as it has been found that the document which it had furnished to meet the CMMi level- 5 appraisal requirement for qualification had expired a year earlier and was not valid any more.
The CMMi level- 5 appraisal represents proof that a company has the highest level of maturity in software development.
Possession of this appraisal certificate was a mandatory requirement for the CPWD contract.
According to sources, the PwC document did not mention the date of expiry of its CMMi level- 5 appraisal certificate and hence misled the CPWD authorities into believing that the company was eligible for the bidding process. The other companies in the race had mentioned the date till which their CMMi appraisal certificate was valid.
CPWD had shortlisted three companies in the pre- qualification round, which included Wipro and VAM Systems, apart from PwC. When the financial bids of the three companies were opened, it was found that PwC had offered the lowest bid.
CPWD was on the verge of issuing the formal approval for the contract when it received a complaint from a rival company that PwC had been disqualified earlier from a contract in Maharashtra as it did not possess a valid CMMi appraisal certificate.
CPWD investigated the matter and on cross- checking with Software Engineering Institute ( SEI) in the US found to their horror that CMMi appraisal to PwC had been issued in 2005. It was valid only for three years and thus, had expired in 2008.
CPWD then sent a show- cause notice to PwC. The company could not come up with a satisfactory answer and hence, was informed in January, 2009 that it had been disqualified.
PWC evaded replying to specific queries raised by CPWD and maintained that the CMMi appraisal was currently on.
However, PWC did not take this lying down and shot back a missive to the CPWD saying the organisation had acted after the tender had been opened.
PWC asserted that the CMMi appraisal was currently on. The company also claimed that since the contract was for “ software consultancy” and not “ software development” the CMMi appraisal was not required.
However, this argument did not cut any ice with CPWD officials, who have curtly informed PwC that the decision to disqualify the company holds good.
Rival firms allege that the renewal of PwC’s CMMi appraisal certificate may have been held up due to the Satyam scandal, which had fallout in the US stock market as well.
However, PwC has denied this.
“ We would like to state on record that the Satyam case has nothing to do with certification. Our application for the CMMi level- 5 certificate renewal is currently under process. Moreover, we would like to emphasise that in the recent past, the company has bagged several contracts of a similar nature,” the company told MAIL TODAY . The controversy has led to a good three to four months delay in launching the CPWD e- governance exercise, which was initially scheduled for November but will now have to wait until February to get under way.
The contract involved the drawing up of a roadmap for egovernance in CPWD. The exercise is aimed at bringing in more efficiency in the organisation.

Embezzlement at Wipro

2010-02-17T01:28:00.000-08:00

Wipro is a company I strongly admire and (unfortunately) has been hit by an insider. This is the second most admired company of mine I have to write about. Had written about TCS's web defacement earlier and now Wipro's loss. Both companies with strong Security and Risk practices, hit by that known unknown - a insider and a hacker!

Just read about a $ 4 m embezzlement carried out by a Wipro employee working in their finance department Apparently this person was a three year old employee and was in the 'controllership' division of the finance department which is a pretty powerful cell. They hold books of accounts and have the powers to authorize payments.

According to the report the fraud was perpetrated using a stolen password and using it to transfer funds to his account which he then splurged. Apparently the amount siphoned out ranged from Rs. 100,000 (~$ 2100) to Rs. 12,000,000 (~$ 250,000)

And I must make my observations here ! So here goes....

- Kudos to Wipro to make a disclosure ! We do not see this happening and this is a break. Of course there are regulatory requirements which they have to adhere to. However, whatever may be the driver, I am glad they made the disclosure.

(I do feel sorry for their InfoSec team)

- What I do not understand is how can one person use a stolen password to siphon out money from the company account. Does this mean that only one password was sufficient to authorize transfers ? Or maybe it was this guy's password plus the stolen one that did the trick ? Still, is there no balancing done at the end of a week or by the persons who are authorizing transactions.

- There must be a limit set for each person who is authorized to transfer money - did it range from $ 2K to $ 200 K !

- Apparently this gent did not do the transfers in one day and has been at it for quite some time since he has invested in property too which is not something you buy off-the-shelf. So all this time while he has been dipping into the pot, no one sees good things happening to him and there is no change in his lifestyle to raise any alarm bells in the department ?

- The article quoted below does ask about security policies and has no answers to provide.

- They have been able to recover half the money and the statement tries to make it look like a small amount. Folks a million is not small change :)

...... wish the folks in their InfoSec team the very best and hope they get on top of the few controls that are missed out.

I plan to write about old world and new world habits and how things are different and how we can make systems more robust by just leaning on our heritage. Keep a look out for this !

ET covered this incident....

http://economictimes.indiatimes.com/infotech/software/Wipro-rushes-to-plug-gap-after-4-m-fraud/articleshow/5582173.cms

Update 2/19/2010

PC World
http://www.pcworld.com/article/189545/wipro_investigates_alleged_us4_million_fraud_by_employee.html

The PC World article says the fraud had been going on for a year, Excuse me ! So this guy had a stolen password and was using it for a year and the password owner did not know and the password did not change in this year and no one did any reconciliation or account balancing.... hello .... is there something more than meets the eye here ?

A small oversight at TCS ... a big reputation loss !

2010-02-09T11:13:00.000-08:00

TCS is one company I admire among the other 'bellweathers' in the IT industry. And then when a small incident takes down it's website it is a matter of concern.

Yesterday, (Feb 08, 2010) their DNS was compromised and visitors to tcs.com were greeted by a message that said the domain was for sale.

It seems that this was rectified by the TCS team but the attack happened a second time (however this statement is based on the flurry of mails that hit the groups and no way for me to authenticate).

The media has picked up the story (of course) and I am sure TCS team has a lot of explaining to do to their internal and external customers. Unfortunately it is these small things that can cause damage to a spotless reputation and I am sure the business managers will have a lot of work on hand as they go about assuring their customers that the fault was not on their network !

Yes the breach (or compromise) was on the DNS server, but then there are questions which will need to be answered, as the Incident response teams do their analysis of the event. Questions like ...

1. How come a Tata company is using external DNS hosting and not working with their own VSNL or Tata Comm !

2. tcs.com has 5 name servers, of which 2 are from the external agency (tracom) and the other three are on TCS.COM ! Whoops.... so if tracom goes down then tcs.com goes down which means that you take down NS1 and NS2 and then 3, 4, 5 are automatically gone. Now what does this mean ?

Well. alls well that ends well and TCS is up and running again. I am happy about this ! And wish the company, the managers and the IT/IS teams all the best.

One thing saddens me is that tcs.co.in and tcs.in are unresponsive domains. The name servers are unresponsive too. This leads me to my friend's comment that companies do not give much importance to their websites. The general thought is that it is up and there are no transactions so why spend money; it is not a critical resource !

When some idiot goes and messes up your service provider (for kicks) and it leads to compromised website which is noticed by the world at large, a big reputation takes a hit. In case there is no hit, then there is a lot of egg on the face to wipe off !!

Media References....

http://searchsecurity.techtarget.in/news/article/0,289142,sid204_gci1381061,00.html
http://www.business-standard.com/india/news/tcs-website-hacked/385099/

When you shy away from doing a good security implementation

2010-01-30T08:24:00.000-08:00

Companies losing data when executives move or when insiders facilitate copying (or transfer) is a common occurrence. Corporate espionage is old school and new school practices include social engineering, hacking, trojans, key loggers etc etc. Unfortunately, it is due to lax security practices that data leaks occur.

Now we are seeing data leaks which show the lack of a Data Leak Prevention (DLP) or an Information Rights Management (IRM) security solution. Any company that has invested in building up intellectual property must use such solutions to effectively manage the risk of data leaks or breaches.

Just Dial, a company engaged in providing local information on phone across the country, has sued their competitor, AskMe.

http://news.oneindia.in/2010/01/30/data-theft-hc-asks-askme-in-to-shut-down.html

Then there is the Travelocity - Cleartrip where TC has filed a compliant against CT for data theft etc. Seems a particular Excel file was sent to CT by the ex-Managing Director of Desiya which was acquired by TC.

An IRM solution can easily make such sensitive documents unavailable to the person(s) once he/she leaves the organization and is not part of the user group.

http://www.medianama.com/2010/01/223-travelocity-accuses-cleartrip-ceo-former-desiya-md-of-data-theft/

Effective security must address people, process and technology and every security implementation does this. However, industry experience and studies show that security standards are implemented "in the letter and not in the spirit" - and sometime back this was a concern expressed by the President Obama's CIO too.

Another problem is the lack of acceptance of the risks that any organization faces due to weak implementation or waning support for continued security expenditure. For example, the budget covered the ISMS but did not provide for automation, or a solution, for security necessities like Access Management, Asset Management, Data Leak Management, Information Rights Management etc .

Decision makers and stakeholders must ensure that security is embedded into the organization DNA and that industry tools and solutions are adopted that will address risks and vulnerabilities at the fundamental or design level.

Mumbai - Nigerian held in 419 scam

2009-01-30T21:02:00.000-08:00

Location : Mumbai .. Jan 29, 2009

Caught: Mmereole a Nigerian resident using the alias of Dr Wada Nass

Incident:
Nigerian email Scam a.k.a. 419 Scam

Kudos to Mumbai Police Cyber Crime cell for their success in arresting a Nigerian national on charges of fraud.

A Mumbai resident reported the scam offer to the cops and they trapped Mmereole accepting an advance against the "shipping and processing fees" that were to be paid.

As we all know the Nigerian or the 419 Scam is the oldest one running on the Net and this has been followed by many more sophisticated scamming schemes. However, this one does not seem to die or go away. According to the report India is a favorite hunting ground for the scamsters which is not surprising considering our strong belief in destiny / fate / God's will :)

Lucky Mr Arvind who smelt something fishy and went to the cops.

Comment:
On a lighter note the name used by this Nigerian was Dr Wada Nass and in Punjabi this can read "बड़ा नास " which means 'big loss" .......... I wonder if the Nigerian knew this and was having an additional secret laugh while running he scam :)

Media reports:
DNA, Mumbai : Nigerian held for lottery fraud

Indian IT professional at Fannie Mae - planting malicious software

2009-01-29T23:07:00.001-08:00

PS: This has not happened in India but a person and company of Indian Origin is involved.

Location: USA
Jan 29, 2009

Perpetrator: Rajendrasinh Babubhai Makwana

Amount : x

Incident:
Planting malicious software, unauthorized access, delayed termination of user account

Mr Makwana was on contract at Fannie Mae and his employers are / were Omnitech. He was terminated on Jan 24, 2009 and after he left his ID was not disabled until late in the evening.

Update October 10, 2010

Makwana was convicted of "computer intrusion arising from the transmission of malicious script to Fannie Mae's computer servers" and now faces sentencing on December 08, 2010 which can be upto to 10 years.

related news...

Computerworld

Information Week

Update Feb 04, 2009....... As per statements from FBI there is a goof up in naming Makwana's employer - it is not OmniTech but another company Ionlabs. And Ionlabs have said that he is not their employee but belongs to Marlabs, NJ.

Now this is what I term surprising ! I mean it is so simple - FBI checks this guy's passport and the H-1 papers and it has to have his sponsoring employer's name ?? Duh !! Why are we having this runaround with different companies being named.

Or, for God's sake - ask Makwana ! One guy says I placed him, the other says I paid him the the guy who brought him in is not traceable. Bet there is another black hole here.

And yes......... Makwana has pleaded 'not guilty' ! Hello am I hearing this right ? I mean you have the deck stacked against you with incriminating evidence and you are not guilty. Cool.

Well Makwana accessed the system when he was not supposed to be doing this, created a directory, wrote and parked a few scripts which would wake up at 9 am to check the date. And if the date was Jan 31, 2009 - all hell was to break loose.

Unfortunately for Makwana, and fortunately for Fannie Mae, another engineer 'accidentally' discovered the logic bomb and reported this and they brought the systems down and avoided a disaster waiting to happen.

So here we have another Indian IT professional in the news for the wrong reasons :( and thank God again that he is not from Satyam else one can imagine the additional big stink.

Fannie Mae erred in not revoking his access immediately since he seems to have indulged in all the malicious activity after he was terminated. He should not have logged in to the systems after being terminated, and I must say that most people try to use the official credentials after leaving the organization. And many a time, it works !

On a lighter note.... a number of responses to the articles mentioned below felt bad that the records / systems were not decimated by Makwana's bomb as it would have wiped out the records of a lot of defaulters ! .... maybe this would have cleared the backup too !!

Media Coverage:

DC Examiner: Ex-Fannie Mae worker charged with planting computer virus

eWeek: Fired Engineer at Fannie Mae Accused of Planting Malware Time Bomb

WIRED: Fannie Mae Logic Bomb Would Have Caused Weeklong Shutdown

ZD Net : Fannie Mae IT contractor indicted for planting malware; Mortgage giant didn’t revoke server privileges

Himachal Pradesh (HP) - Email fraud

2009-01-29T22:55:00.000-08:00

Location: Hamirpur (HP)
Jan 2009
Perpetrator: Unknown

Amount: Rs. 200,000 (US 40K)

Incident:
Email Fraud / Lottery / Nigerian Scam

I came to know that a case of email fraud has been registered with the Police in HP. From the details I got, it seems this is a Lottery / Nigerian 419 scam and someone fell for it and has lost money.

The cops have been able to identify the bank accounts and cellphones. The criminals used fake information for all accounts and are yet to be identified or arrested. The victim deposited money into multiple accounts and this leads me to believe that this was a Lottery or a 419 scam.

BTW I am a member of Open Security Alliance and we plan to have a repository of scam emails and guidance on how to spot / avoid / report this.

Comment:
It is true .. a sucker is born every minute ! and the world of the internet gets more than one newbie user every second.

Media: ! ? !

Mumbai - Fraudulent email using Nasscom name

2009-01-29T22:18:00.000-08:00

Update : July 29, 2010
The gentleman in question has advised that this case is closed as it is baseless and I have no reason to disbelieve him. He has advised that he is no longer with his previous employer and that he has a graceful termination of employment which (naturally) means there is no basis for the case. However, he has to send me an update showing the withdrawal or dropping of the case from the complainant point of view and I hope he gets this asap so that this 'blot' is removed from his name.

My professional opinion to him is to obtain a formal closure from NASSCOM (complainant) as the case may still be on the record, even if NASSCOM is not interested to follow up and has realized that what happened was an error. The reason is that unless the case is closed at the police station it will remain live and can rear it's ugly head at any time in the future.

I am told that my blog is an impediment to his job search and am distressed that anyone who is doing a background check is not following up with a double check.

I have also removed his name from the blog to reduce the distress to the max extent possible, however, I shall make my own verification with NASSCOM to establish the current status.

----dinesh-------

Location: Mumbai (Thane) Jan 24, 2009
Perpetrator : An employee of Ma Foi Consultants

Incident:
Fraudulently using the Nasscom name in an email.

He set up an email account on Yahoo! India (rohit.nasscom@yahoo.co.in) and used this address to send mails to IT companies asking them to share company information to include in a Manager's directory being prepared by Nasscom. In the emails he used the name Rohit Chopra introducing himself as an event director at Nasscom.

One of the companies he approached was Kale Consultants. They suspected the email to be a fraud and contacted Nasscom. A quick investigation identified the IP address and traced the email to Singh who was arrested by the Thane Police Cyber Cell.

Comment:
Singh and so many such users are not aware of the fact that the internet 'tags' you and what you do. People think that because they are in the comfort / privacy of their home or in a dark corner in a cybercafe no one can see them while they indulge in such criminal activities.

Unfortunately they forget the 'footprints' any communication picks up along the way from their keyboard(s) to the destination. And then there are so many telltale signs that evolve from any such act.

People like Singh are like petty thieves - first timers who indulge in shoplifting just for a lark. And then they cry "sorry" when caught. Unfortunately, a crime is a crime - small or big and the law then takes it's own course.

Cybercrimes are new additions to the world of crime and criminology so the treatment is different since the law enforcement establishment is also learning the ropes. Unfortunately petty cyber criminals will face stricter reactions than regular petty thieves so it is better to desist !

Better go shoplifting or pick a pocket :)

Media Coverage:
Hindustan Times Jan 25, 2009

Satyam Computers... tracking the muck.......

2009-01-23T02:20:00.001-08:00

Yes, I have decided to start tracking the lies and deceit. There is a lot happening here...

Update Jan 31, 2009
- The Enforcement Directorate is going to look at Satyam / Raju and they seem to have swung into action based on the media reports. They are to investigate money laundering and foreign exchange regulation violations. Surely

- SEBI and SFIO are yet to get to speak to Raju ! Is this surprising ? I mean like why does any company have to listen to SEBI etc if they don't even have the power to question a self confessed CEO of a listed company. And the Government does not show any will to face up to the state government either. I shall write about this in a separate blog sometime and am waiting for my blood to boil some more.

- The CID is questioning Raju and his gang. At the same time they say that the CID is not equipped (or does not have the expertise) for investigating financial frauds. Of course ! They are not financial guys so how do we expect them to get a proper act in place or how can we expect them to keep evidence that will stand up in court.

- Satyam employees are grappling with the fear of losing the money they have put up as employment bonds with the company.

- The board has yet to announce their selection of a CEO and CFO. The Board meets and the Chairman's position is rotated amongst all present.

- Maytas, run by Raju's sons is also in trouble so let's keep watching.

Jan 24, 2009
- PwC Auditors are arrested. ... Gopalakrishnan and Talluri were taken into custody. About time PwC came clean on the dubious role in the Satyam affair. I am at a loss to understand how (or why) PwC continued with Gopalakrishnan - I read about his role in Global Trust Bank and DSQ which were two big accounts that messed with public trust and money. In both cases he was censured and he is in the eye of the storm here too.

Does not look good at all for decision makers at PwC. In fact things really do not look good for PwC (?) and if it turns out well for them, we shall be looking at a system which has "well meaning" window dressing. Don't we all know it and live with it !!

- Raju continues to languish in jail and his intentions are dissected by all. All his family are being investigated and they must all be hopping mad.
Like I said earlier, it remains to be seen how far this goes and how strong is the political will to carry out the will of the law.

The score remains at 7000 odd crores and the share meltdown contributed to a loss in market cap of about 23,000 crores. Figure that out for yourself in dollars.

- L & T is running hard to get it's hands on Satyam. I don't like it because I am a marginal investor and have always liked this company. Now, as a result of their race to take over Satyam their current market price is around 690 which is bad :(

Guys you want to buy it, then identify the chunk you want. Stay away from it as a whole please.

Yes, there is iGate too and they have identified their interest in the BPO operations. That's wise and good. It's their core business and makes sense.

Jan 23, 2009
- The prosecution presented their case in court opposing Raju's bail - one of the startling disclosures they made is that the Satyam head count is not 53,000 and is overstated by about 13,000 as per the confessions they have from Raju and his ex_CFO.

Of course Raju's attorney went to town saying this is untrue and that his client has not made any confession wich is also correct since this was something disclosed by the ex-CFO Srinivas.

That gets Raju a cool Rs. 20 cr ($ 4 m) every month.

And it remains to be seen how much more is disclosed.

The fact is that Raju siphoned tons of money to buy land across the state and country. Lots of it is "benami" which means that the transaction is done by someone who is a front for the actual owner.

- I saw a some stuff where people are coming out in the media with their support for Raju saying that they owed their life to him. Well you are right in acknowledging your debt to someone, and it is your bad luck that this person is a criminal.

And please do not say that he did not kill anyone and a murderer is worse than a petty thief but remember both are criminals. And Mr R is not a petty thief, he has gypped 1.2 billion dollars (7000 crore rupees) and that is not a small number.

People in this country make 7000 rupees a month !!! and they ge by with that type of wage !

If Satyamites or Rajuites or his villagers are so highly indebted to Mr R I would not trust them in any company and they will be well placed to continue to work in the sinking / floating Satyam. And they can wait for the rising of R.

Well there are people who worship Jack the Ripper too, so this is a small deal ! What ?

- Raju's confession was a fishy one - read it closely and he is just telling you how helpless he was in the face of the tiger he spawned. When I read it I remember I had a big laugh. He glibly mentions how nice he was not to take any money and now we know he did not need to take it legitimately since he was anyway raping and milking the company at the same time.

He sounds oh so noble when he talks about not profiting but what about the land he bought and the money he gave his sons and villagers and his political / business benefactors.

Well he was a very strong force in the state and even got a Golden Peacock to prove it so does the world really believe him.

- Jail in India is a cakewalk for him and his connections seem to be helping keep him away from the Serious Fraud office. If only he can be sent to the US - "maloom padhega aatey daal ka bhav" which means he will realize the cost of cheating.

Email Threats .... various incidents

2009-01-19T00:43:00.000-08:00

Jan 12, 2009
Mumbai

Hotel Leela Kempinski received two emails threatening to blow it up. The sender made a ransom demand of $ 130,000.

The email gave no details of the sender or the drop place for the amount and is believed to be a hoax !

Media Report:

Press Trust of India: Five star hotel gets threatening emails; security increased

Spear Fishing.... from Ghana to Kochi with Love but unsuccessful !

2009-01-19T00:26:00.000-08:00

Location: Kochi, Kerala
Victim: The Metro Film Society (M Gopinathan)
Perpetrators: Unknown from Ghana

Amount: $ 1600 - was demanded but not paid

Incident:
The email account and blog of the Metro Film Society was hacked. A mail sent out purportedly by M Gopinathan saying that he was stuck in Ghana and appealing for $ 1600 to meet immediate expenses with the request that this be sent through MoneyGram / Western Union.

Of course, this was a hoax and (thankfully) no one sent any money.

The Film Society is recreating their blog and setting up a new email address.

Comments:
Organizations tend to use free public email services like gmail / hotmail without any thought about the security of their (official) communication and the security of the same. In addition to the safety / security of the data and the account they have no traceability of the mails sent through the accounts.

Either they must operate mails through their own server (best practice) where they have control or they must go in for paid accounts on the free mail services.

The primary objective is to have control on your data and to ensure the sanctity and security of the same.

Media Reports:

Ghana Business News : Indian Film Society's e-mail hacked in Ghana

Hoax bomb threat at tech company in Powai, Mumbai

2009-01-19T00:16:00.000-08:00

Location: Powai, Mumbai
Victim: Accenture
Perpetrator: Ravindra Patil, a Security Guard

Amount: ....

Incident:
Patil made a phone call to the security office saying that a bomb had been planted on the premises. The police was called in and during investigation they checked incoming call records and found there were no inbound calls in the 1030 - 1100 hrs period. The investigation was narrowed to search internal calls.

Eventually, Patil confessed saying that he made the call to check if the security team was alert to respond to such events.

Comment:
He should know better than play such pranks. Now he has been arrested and will pay a big price for the fun he was seeking.

Citizens should realize that any such hoax call brings a lot of pressure on the system and causes unnecessary losses.

Media:
Planet Powai : Call Centre Security Guard Raises Bomb Hoax Call, Arrested

Hubli (Karnataka) : Credit Cards misued online by ex call center employee

2009-01-18T09:21:00.001-08:00

Location: Hubli (Karnataka)
Victim: Credit card owners in USA etc
Perpetrator: Sahil Sharma (son of a senior Haryana Govt official)

Amount involved: Rs. 3 lacs ( US $ 6000)

Incident : Sharma worked at a call center sometime in 2006 and was selling mobile phones to international customers. He would note the credit card numbers and used one of the cards to purchase cellphones for about Rs.1.5 lacs from a Hubli based e-commerce site.
The phones were shipped to the Gurgaon (Haryana) address but credit card charge was disputed and the site owner suffered a loss.

Simple - this guy used a card belonging to someone in USA and this person disputed the charge on the card.

However, Mr Sahil Sharma thought he had a good thing going and ordered more phones using two other cards of UK and US origin. The order was placed at the same portal and the site owners identified this as another fraud coming their way by identifying the IP address for the transaction.

A complaint was made to the police and the Dharwad department worked with Chandigarh police to trap Sharma receiving the shipment from a decoy courier.

Police are investigating if this guy has any more crimes to his credit !

My Comments:
Police is sure to find more fraudulent transactions done by him in the past. He has this 'unlimited bank account' which he has been milking since the past two years and small successes would have made him bold enough to make larger transactions.

However, he is obviously a foolish novice because he did not know that his IP address is traceable and that he was engaging in a crime and providing his real address to drop ship the goods. And then he was there in Chandigarh to receive goods purchased with stolen cards !

It was good on the part of the e-commerce site to identify the IP and realize that this was another fraudulent transaction. I do not know the average size of each transaction on the e-commerce website and I am assuming that it is not in the range of 1 - 2 lacs. So I would say that when the first order came in it should have raised a flag - and they should have investigated with a phone call / IP check to confirm this was a genuine high value order.

Or they could have pinched themselves to know it was real :)

I do hope they got back all the phones from the first shipment and Sharma's career is on skid row. His criminal career has ended before it started and he has joined others in the history books of cyber crime in India.

Media / News Coverage:

Deccan Herald (Jan 18, 2009) : Cyber criminal trapped in Hubli

NOIDA - Call center fraud .. BPO employee manipulates data

2009-01-18T08:47:00.000-08:00

Location: NOIDA (New Delhi)
Victim: EXL Services a BPO / Aviva as client of EXL
Perpetrator: Edward Burns, Team Lead at EXL Services

Amount Swindled : GBP 50.5K (Rs. 41.5 lacs) but he got only Rs. 3 L (that's about GBP 5000) since 2007 which is no big deal in terms of income. I wonder why he has wasted his life for small change !

Incident:
Burns was Team Lead at EXL handling Insurance claims. Along with associates based in UK he started the scam sometime in 2007 and seems to have done about 12 such transactions.

As Team Lead he had access to all insurance related data and using this knowledge he started to manipulate insurance claims. He identified 'dead' Insurance accounts and would process / file claims using these accounts but would change the bank information for payout and these bank coordinates would belong to his associates.

Three associates have been identified in the UK and their bank accounts were used as the drop accounts. These associates would travel to India and Mr Burns got his share.

Well Mr. Burns can forget his share of the booty, and will have to start working on manipulating his own figure to fit in whichever jail he is lodged.

My Comments / Observations :

While it is necessary for leads / managers etc to have access to information, it is also necessary to have checks on transactions carried out. This is the fundamental requirement in any transaction based process and that is why we have the concept of SOD. In this case it seems that Burns did not have any supervisor checking the transactions / claims filed by him, and if there was a check on this, there is a system error in allowing client data to be changed at this level.

The client data would have been provided by Aviva, as is submitted by their client. How can the BPO employee get to change this (bank account information) without authorization and that too when a monetary claim is being processed.

If the change was made only on the payment form then the person who does the final process of printing the check should be doing a cross check on the payee name and bank info.

The problem is that my reliability is only on the print and online media or TV to report these incidents. With time I shall try to connect with people in these organizations to get more first-hand information.

News Media Online:

Times of India :
BPO executive held for fraud

Hindusta Times, Delhi : One more fraud @ the call centre

Pune - credit card fraud ring broken

2009-01-17T20:18:00.000-08:00

Location: Pune
Victim: Multiple high network individual
Perpetrator: Many people ...

My source: Case study presented at CyberSafe Pune by the Cyber Crime cell.

Incident:
One of more employees at Marriott Pune would swipe credit cards on a mag reader and then clone the cards. A carrier was involved who would carry the input to Bombay and a techie who was part of the ring would clone the cards.
These cloned cards wold be used at certain stores where these guys had arrangements and they would either pick up the merchandise and resell it or they would take cash against the card swipe transactions.

The police cracked the case arresting the people involved, identifying about 100 card holders who had been defrauded with high value transactions. They got their hands on the mag stripe reader which is now crucial evidence.

Observation:
One must keep a check on the transactions billed in the card account even if the person is a high networth individual. Admitted that this person has oodles of money to spend but it is good to recheck what the bank has charged. Besides, if using a company credit card it is good governance to make sure that you are charging the correct amount to your company.

It will also be a good practice to mask the CVV number at the back of the card since this is one critical element in the card fraud game. Besides one must be vigilant when the card is being swiped and where it is being swiped. Try not to let the card out of sight.

Note: I shall put up more information about this following up on getting names and details about the incident in terms of total amount defrauded and other numbers.

Technology News... fandling and funching

2009-01-17T20:05:00.000-08:00

Location: NOIDA / New Delhi
Victim: Mayank Bhatnagar at Tech Mahindra
Perpetretor: his wife Neha

Incident: She punched him and broke his nose ! He was fandled (womanhandled / femalehandled as in manhandled) or funched (female punch) :) and had to call the cops. Well they are husband and wife and things seem to have gone too far in the fighting department.

My observation:
First you may want to know how this is a security incident - well clearly TM has to take care of the security of their personnel. HR policies, all over the world, say that employee security and safety will be taken care of.
In this case, if the cover did not protect Manyank outside his office then TM has a learning here - they should include domestic violence and protect the employee. What if the employee is on a critical project and now he / she cannot attend to work which will suffer and cause grave harm to the company :)

And even the Police say that it is a "sensitive matter" yes it is sensitive for sure - his nose is going to hurt for a few weeks. And she will have a sore fist.

Who says that the security or the tech world is bland and geeky. These instances serve to break the myth. Here Mayank has clearly been "nehaed" and he should thank his stars that bobitization has not yet arrived in the tech world.

Media:
I had read this in Indian Express, Pune sometime in the second week of Jan.

ATM Card ... Con swipes card in Pune

2009-01-17T19:49:00.000-08:00

Place : Pune
Victim: J G Kantikar of Connection Systems
Perpetrator: Unknown

Amount of Loss: Rs. 7.18 lac (US $ 15,000)

Incident: Kantikar's has an account with ICICI Bank and last used his ATM card for a 5K withdrawal at the bank machine. A week later when he tried to use the card it did not work and he followed up with the bank's call center. Another couple of interactions followed with the bank and he finally got a new ATM card etc.... but in the interim he was informed that his account had been cleaned with a 7.18 lac broom !

The police is investigating and assume that the card was cloned and is used.

My observation: If we assume that the card was cloned what how did the criminal get his ATM PIN. Obviously the bank machine location was compromised if this was the last place where he used his card. Else, the sequence of events reported may be incorrect. This post is based on newspaper / media reports.

Media reports:
Indian Express

Pune Mirror - Jan 16, 2009

Pune Incident : Insider Threat - loss of IP and revenue

2009-01-15T03:42:00.000-08:00

Place : Pune
Victim: Senate Technologies
Perpetrator: Dinesh Dattatray Kedare

Amount of Loss: Rs. 29 cr (US $ 5.8 m)

Incident: The company posted their employee in UK and he opens his own company and starts his own business. He sells software belonging to the company and pockets the money !

This guy Dinesh Dattatray Kedar was quite ingenious ... he tells his company that he has a deal with a buyer for software developed by Senate Technologies and that they have to part with the source code. Senate does this and this guy delivers the source code and takes the payment into his own company - a cool $ 5.8 m

My observation: A system of check and balances seems to be missing. With time our trust level in any employee will go up (as it should) but this becomes a problem when the trust is blind. Every deal (large or small) must be reported and followed through to closure and every lost deal must be analyzed for failure.

This may not be sufficient to stop the type of fraud perpetrated here (one may say) but then I am basing my opinion on the newspaper reports quoted below. And if you note both reports carry a different version. I shall call the company and if I can get more info I shall post this tomm..... they are in the next building on my street.

This is not a crime in the sense of cybercrime and is more a case of cheating. He worked for a few months and became a trusted employee and then cleared out with the company asset.

A few questions - did this guy have a bad history; any information about his background which is questionable. And what has Senate done after this incident, as a reactive measure to avoid future incidents ? (Maybe they will allow a case study)

Media Report:
Times of India

Indian Express
(It was in the print edition today 1/15 but I cannot find the article online)

-db

Pune - e-elearning IP Theft Incident ... another insider doing.

2009-01-15T03:27:00.000-08:00

Location: Pune
Victim: Brainvisa Technologies
Accused: Sameer Inamdar, Enthhuse Technologies, Pune

Loss estimated / claimed: Rs. 47 cr (US $ 9.5 m) as per reports in case study presentation and newspapers whereas The Learning Man site reports this at Rs 200 cr. The management did say that they still have to calculate the total tangible and opportunity loss.

Incident:
Pune based elearning company Brainvisa lost a big chunk of business to a competitor. Unknown to them, they had been losing money for over 2 years which they realized recently sometime in late 2008 so the loss may be higher.

The weakest link is the insider and this was proven in this case too - one of their VPs left the company to start his own venture in the same e-learning space.

This person left Brainvisa to start Enthuse technologies and the company grew fast and quick. They used a lot of materials (designs, code, technology) which the founder (ex-employee of Brainvisa) carried with him. Of course, this person was a senior at Brainvisa and was privy to a lot of IPR in the form of concepts, source code, designs, learning programs etc. besides customer, sales and vendor information.

In addition to the theft of IPR, Brainvisa suffered due to the collusion of their employee with this company while in active employment. Their Marketing / Customer Accounts Manager, a lady who was based in USA would pass on leads and information to Enthuse while she was employed with Brainvisa !

The undoing of Enthuse came about when they started posting materials which were blatantly plagiarized versions of Brainvisa IP. That's when Brainvisa management realized that these guys had their assets and closer investigations led them to discover the nexus with the internal staff.

Finally, when they discovered the fraud, they reported the matter to the cops in Pune and a raid was carried out and the owner of Enthuse was arrested. A lot has happened and there have been a lot of changes at Brainvisa, since.

I was at an event in Pune where the Cyber Crime team and the Brainvisa management presented the facts of the case. They have brought in a lot of changes in their organization in terms of processes and procedures and I am sure these efforts will be good for the organization. The heartbreaking fact is that the incident has happened and caused loss and one can blame lax controls.

Takeaway: It is not just large corporations which are expected to implement Quality and Security standards like 6-Sigma, ISO 9001, 27001 etc. Mid sized and small companies must also look at implementing best practices - after all they are also in the business to make profits and they too have regulatory obligations. However such companies must ask hard questions about the value benefits they will derive from any implementation and must ask the implementing agency for assurance / guarantees for the same.

The reason is simple - every best practice brings ROI and if this it not visible in terms of increased efficiency and productivity then something is wrong. Simple - make sure your investment does not bring you a piece of paper to frame and hang on your wall because even if you do not take the certification you can still benefit from the implemntation.

I shall update this post if I get to know more about the progress in the case.

Media reports:
The Learned man!

Indian Express

Sakaal Times

Pune Mirror

Mother of all Incidents... SATYAM COMPUTERS

2009-01-15T02:04:00.000-08:00

Satyam Computers happened to India and this is the mother of all technology industry scams in the history of the country.

A lot has already been exposed and I may be late on the reporting scene but nevertheless, I shall have my say ! The CEO of the company B R Raju confessed to swindling the company and that he has been doing this for many years now. Some observations and opinions.....
- Raju gypped the company of about Rs.7000 crores (about $ 1.2 b) not bad in a company which has processes certified to CMM-5, ISO 27K1 etc and was awarded an award named "Golden Peacock" for best Corporate Governance

so the joke is on whom ? is it only the company that has been swindled ?
- Raju has been mis-reporting accounts for he past 7 years.
And he says that no one knows and that he is the only person responsible ! I mean are we wet-behind-the-ears kids ? What about the auditors, the CFO, the directors the accounts people, the senior managers !!!
- He was riding Tiger and could not get off !
Oh my dear shareholders please forgive my trespasses. I was trying to retain control of the company and to keep the corrupt people around me happy. I fudged accounts so I could keep corporate raiders away from hostile takeover. I created a tiger and rode it to scare everyone and fed him "fudged figures" and he wanted more and more and I had to keep buying land to keep this on.

But I did not do any wrong. I only fudged some figures to make my balance sheet look good.

- Raju's auditors cannot speak due to client confidentiality and they did their job according to international auditing standards.
Big 4 company digs deep hole for itself and then says that client gave them statements. Hah - so what does the word "auditor" mean ? What does an auditor do ? Seems that they are so big they have forgotten the basics of the profession.

Just because you are Big-4 does not mean you are God's gift to auditkind. We know what happened to A_Andersen.

What a gigantic fraud carried out by an insider and the insider is the big boss himself. Governance and ethics begin at the top and this is a case where the top boss (management) is just giving lip service to these principles while engaged in fraud.

While this incident is bringing up calls for more stringent laws / regulations for governance and oversight, the age of ethical business is still far off in our dear land. Family owned and promoted entities hold their employees to ransom in collusion with political leaders and government officials. Unions are usually promoted by political parties and seem to operate for power and money without a thought for the worker.

If we factor 7000 cr for the past 7 years it may mean that 1000cr was siphoned off every year. That means higher reporting for each geography. It means higher (fudged) figures for bank deposits, employees et al. No one caught on to the scam ... not a single analyst, investor, banker, auditor, regulator, shareholder, C-level executive, employee, accountant, VP (Marketing, HR, Admin)

The investigations are bound to prove the complicity of many others in the top hierarchy and Directors and Auditors cannot claim immunity under the guise of statements like "I signed what was given to me and did not check the documents" or "I believed what was given to me in good faith".

The world is witness to the "good faith" displayed when Raju walked out of the board-room to leave the directors to discuss and approve the Maytas acquisition. He did it in the interest of good governance as required in view of his 'conflict of interest' .... now we know that Raju went to the washroom and was ROTFL> And his band of directors blindly said a "Yay" without any thought about doing any due diligence .... did they discuss their paycheck or next vacation too < ? >

Lets hope the world is a cleaner place once the dust settles. As of now, corporate India and the auditors are all walking on hot coals. The Big audit firms are already taking a second look at their work .

Oh so much is happening in my world ... ever since I returned to my dear motherland.

India centric information security incidents to be tracked

2009-01-15T01:59:00.000-08:00

I changed the name of the blog from InfoSec Incidents Gallery to India InfoSec Incidents Hall of Shame / Fame Gallery just to make this section more India centric.

Fact is that I have been back home in India for a few months and there is a lot happening (all of a sudden) and there is a need to capture history (!! evil!!) in the making. And also the good stuff.

Besides, I guess the world is too big a crucible for me to look at from my ground level so I shall find happiness in covering the India scene.

Drop me a comment if you come across any incident - big or small. in the past or in the present. hidden or public..... where ever.

Societe Generale....

2008-01-30T19:45:00.000-08:00

When I got new of this incident I thought I had had enough... a BIG one a day is just too much. And I felt too lazy to get to post this in the gallery immediately. This laziness continued and today the adrenalin started flowing when I read more about what is being said and claimed by the bank and the accused.

My other post is about my thoughts on the Societe Generale fiasco
Check securambling,blogspot.com - Societe Generale ... lies, lies and more lies and the second article about the security controls they seem to be missing among others.

The incident was reported on Jan 24, 2008 early in the morning and Reuters gives the timeline to the events leading to it............ (note that as on the day of publishing this article the amount 'defrauded' is 7 bn)

Timeline of events in SocGen fraud case
Mon Jan 28, 2008 2:15pm EST
PARIS (Reuters) - The following is a timeline of events concerning the alleged fraud at Societe Generale (SocGen) that caused $7 billion of losses at the French bank.

........... read the article...

Did he "defraud" the bank ?

Defraud (verb) : Deprive of by deceit; "He swindled me out of my inheritance"; "She defrauded the customers who trusted her"; "the cashier gypped me when he gave me too little change".
(Webster's Online Dictionary)

He was doing his job, but the control systems were not doing theirs. There is a gross failure of the controls they seem to have in place. I have a few observations in my security blog. And according to the statements they have

SocGen style fraud could strike again, but bigger
Thu Jan 24, 2008 11:13am EST
By Andrew Hurst, European Banking Correspondent

ZURICH (Reuters) - French bank Societe Generale's 4.9 billion euro ($7.1 billion) loss, blamed on a single employee, is a stark reminder that rogue traders can elude the most sophisticated security systems until it is too late

"We have a hyper-sophisticated system of checks and controls. It's very hard to understand," said a senior employee at the bank who asked not to be identified. "But there are always holes in any system."

The statements from the bank are changing and will be worth following. As of today 1/30 the amount has been changed from 7.1bn to 5.1 bn. The trader is no longer a 'rouge' because he has been at this job for too long to be in the rogue category. More needs to come out in the open because it is impossible to believe that this one guy could do so much without ANYONE in the bank having a clue about what he did and how he did what he did.

He (the trader Kerviel) is in custody and is charged with breach of confidence etc. and could face imprisonment of upto 3 years. (Reuters - BoF's Noyer says told SocGen to improve controls
Wed Jan 30, 2008 1:28pm EST) The charge of fraud has been thrown out ! I believe there will be some stuff about misuse of bank computing systems, trust, falsification of records.

Check out Reuters for all the latest !
Search Societe Generale on Reuters for the latest.

Well thats another incident for the history books and we can look forward to M Kerveil making money with a cool consulting business and an autobiography once he is out of prison.

GE Money loses Credit Card data !

2008-01-21T14:09:00.000-08:00

Another case of media being lost. This time it is GE Money and they seem to have lost the backup tape which was 'supposed' to be at the backup storage facility. So much for record keeping in the age of PCI compliance. The tape is encrypted (Thank God !) and has the Social Security Numbers of 150,000 people (My God !)

Read the full story at IDG.....

230 retailers affected by data breach after tape lost
The tape contained Social Security numbers of 150,000 customers
Robert McMillan

January 20, 2008 (IDG News Service) -- A backup tape containing credit card information from hundreds of U.S. retailers is missing, forcing the company responsible for the data to warn customers that they may become the targets of data fraud.

The question is whether this is the norm ? Should the consumer expect this to happen and live with the fear of identity theft or unauthorized access to his/her bank accounts. With this sort of stuff being reported in the media every so often, is it too small an expectation that an organization handling large amounts of sensitive data will do a self assessment / self-check.

Just to make sure that things are okay at home !

Or do the security officers believe that their systems are the best and safest and that the crap is in the other guys house. Where fools tread we find foolhardiness.

The Lists of 2007

2008-01-16T10:34:00.001-08:00

At the start of the year everyone has one (or many) resolutions and at the end of the year thought leaders in the InfoSec space provide their List .... ! So we have announcements of the best and worst of the past year and whats going to be hot and whats not-not-going-to-be-hot.

I do not profess to have more than a few items on my list so I shall refrain from publishing a "Rambler's List" but yes I am going to try to get all the lists here together into a mother lode of all Lists. Maybe at the end of the exercise, I shall publish my own list and it will become the most awaited event in the industry :)

Before I move ahead, I cannot help but say that Wireless will pervade our lives, (the iPod has to go (nay, will go) wireless too) so it is the threat bed of criminal thought. Oh I thought I shall refrain from pushing my opinion, and this will be a neutral presentation of Lists. If I miss any list, it will not be intentional but can be due to oversight, and the reader is encouraged to send me the link and I shall gladly update this post. The Listing is no particular order !

SANS Top-20 2007 Security Risks (2007 Annual Update)
Seven years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations relied on that list, and on the expanded Top-20 lists that followed in succeeding years, to prioritize their efforts so they could close the most dangerous holes first.

The Executive Summary can be read here
SANS Top 20 Internet Security Risks of 2007 Point to Two Major Transformations in Attacker Targets

[dinesh] The 2007 list mentions Client-side Vulnerabilities, Server-side Vulnerabilities, Security Policy and Personnel, Application Abuse, Network Devices, Zero Day Attacks with a listing in each area along with best practices for prevention.

---------------------------------------------

The worst IT security incidents of 2007
Tom Espiner ZDNet.co.uk
Published: 14 Nov 2007 17:19 GMT
Despite the message being driven home by governments, consumer groups and industry bodies that IT security is paramount, this year has thrown up a worrying number of serious breaches.

[My two cents ] I like the fact that HMG just made it to the list ! And they got top billing for putting millions of children and their families at risk for identity theft. The one about the DHS mail snafu is hilarious because the least one can expect is that people employed in such a Security organization will know about secure email exchanges and how NOT to send email address lists in the open world. Of course they would not make it to the list if they did have some training :)

------------------

Ten threat predictions for 2008
ZD Net : December 4th, 2007
Posted by Richard Stiennon @ 3:29 pm

[dinesh] this lists threats in the social networking area, DDOs, crime, gaming ... and as I write this one of the predictions has come true. Richard is watching and I am sure he hopes he is proven wrong because no one wants bad stuff to happen. However ...... que sera sera !

----------------------

Check back frequently and I shall keep updating. If this mother of lists grows too big I shall split into a new list !!

Dinesh O Bareja

The cyber criminal is getting younger....

2008-01-15T12:27:00.000-08:00

I am amazed at the audacity of intelligent persons when they indulge in crime. These guys are the super duper intelligent people who can make computers talk their walk (or walk their talk)

And they are the same people who indulge in criminal activities, they bring grief to people and then land up in a prison cell. Just because they were too drunk with the thought they were too damn smart? Or they were downright foolish. I would say that they are foolish idiots.

So another incident which ranks somewhat high on the totem pole of incident infamy ........

Polish teen derails tram after hacking train network
By John Leyden
Published Friday 11th January 2008 11:56 GMT

A Polish teenager allegedly turned the tram system in the city of Lodz into his own personal train set, triggering chaos and derailing four vehicles in the process. Twelve people were injured in one of the incidents.

What was the kid thinking when he was playing with his new toy ! And now he has obviously messed up his future.

It is difficult to raise a child who is below average in grades and it seems that it is a bigger challenge when the child is a genius. Like all strengths genius has to be identified and channeled and the best persons to do this are the parents and school teachers. High time this was recognized (yes there is surely an awakening...... check out the statement by the MP in UK)

Just as the children are growing up with computers and gizmos in their hands we can get them to understand how it works to be the 'good guy' and that this can turn out to be as bad as anything else.

Dinesh O Bareja

Data loss episodes....

2008-01-09T09:12:00.001-08:00

'No cover-up' on lost driver data
http://news.bbc.co.uk/2/hi/uk_news/politics/7149271.stm
The minister who knew that millions of drivers' records had gone missing in the US said he assumed his successor would hear about a probe into the loss.
Stephen Ladyman was transport minister in May when the details, including names, addresses and phone numbers on a computer hard drive disappeared.

Sadly this minister "assumed" that his successor knew about the discs lost by their contractor - this is an indication of his understanding of the criticality of the incident. Then the department contractor lost the discs in their "secure facility" Then the loss was reported to the police seven months after the loss was discovered (was this a PR afterthought)

Note: It is apparent they do not have a communication plan in event of an incident of this magnitude, so am I convinced that they have a "secure" facility ! Apparently the facility is so secure that anything secured within it is so strongly secured that even the keepers cannot find it.

Check the related stories to this incident....

Millions of L-driver details lost
http://news.bbc.co.uk/2/hi/uk_news/politics/7147715.stm

Thousands of driver details lost
http://news.bbc.co.uk/2/hi/uk_news/northern_ireland/7138408.stm

We will not know what has happened with these companies or departments as part of post-incident analysis (excluding the damage control efforts by the PR people) it will be interesting to know about the learning from these incidents and the measures they have put in place (measures for training users, controls to prevent incidents, encryption and daa classification)

And have they communicated this leak to the affected people !

Confessions of the "I-also-lost-data" kind

2008-01-09T08:51:00.000-08:00

I had to put this in a separate post since this is so typical of business / government.

Quoting BBC

More firms "admit disc failings"
Several firms have admitted security failings in the wake of the loss of two discs containing 25 million people's details, MPs have been told.

Information Commissioner Richard Thomas told the Commons justice committee that public and private sector bodies had come forward "on a confessional basis".

He said they were not on the scale of the HM Revenue and Customs mistake, but more would "come out in the wash".

Wash ! What is this ? Some laundromat type "samudra manthan" which will churn out the evil. And then there are private and public companies and government departments talking here and there is no indication where these leaks are. So all you have to do is keep a watch on your account.

Talking about leaks and washing and all the evil creeping out of the woodwork - Check out my next post about the Drivers License information leak.

Finally - the question is - do these people care ? I mean the guys who are the 'leaders' in these companies or departments and are responsible for the budgets etc. Every IS engagement is strapped down for money and dollars just trickle down.

More later.... after we check out the next "leak" and confession.

LOST .... data ! A naive UK Rev & Customs Dept.

2008-01-09T08:25:00.000-08:00

This is coming quite late on the blog but I find that there are follow up incidents. Is anyone surprised with other Governments trying to out-do the UK HM Revenue and Custom Department's loss of 25 m personal records ?

Well among the top 10 screw-ups in 2007 was the loss of CD's by this hallowed department responsible for handling the child welfare payments. The naive department folks are not aware of encryption or secure handling systems.

Prime Minster Gordon Brown had apologized for the lapse. And so has the Chancellor after underplaying the loss. It seems that this booty is worth more than a BILLION Pounds in the wrong hands.

One Billion !!

"Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy." - Jeremy Clarkson (TV Host)

He (Jeremy Clarkson) tried to show that it was no big deal and got burnt. Read what happened to him when he published his bank information....

Well as in any storm - there is a lot of flotsam which gets carried in it's wake and this is no different. Many "confessions" of data losses have come up and these confessors are in the line up to the office of the UK Information Commissioner Richard Thomas. So are there any names ? Is anyone talking and doing something about safeguarding the identity (or information) about the people who are at risk.