Showing posts with label Cybersecurity.

Wednesday, March 23, 2022

How A Student Hacked Teachers WhatsApp


A teacher from Kerala noticed that her WhatsApp account was logged out soon after an online class. She lodged a complaint with the cyber police. The police cracked the case and found that the culprit was her own student, a high-school pupil, who had logged into the teacher's account.

The technique used by the student was simple. The teacher was using a screen-share app on her phone during the class, so the students could see her screen, including the pop-up notification alerts arriving on the phone. The "culprit" student then tried to log in to WhatsApp with the teacher's number on his own phone. The verification OTP arrived as a pop-up alert on the teacher's phone, visible to all the students, and the student simply typed it in. The teacher had not enabled two-step verification and had no password set on the account.

The account on the teacher's phone was logged out because WhatsApp did not allow simultaneous use on two different devices. After the police identified the student as the culprit, the teacher withdrew the complaint.

PRECAUTIONS to avoid hacking
With some simple steps, one can avoid getting hacked during screen-sharing. Disable the notification alerts when sharing the screen with others.

Also enable two-step verification for WhatsApp login, so that an additional password is required to login to WhatsApp through other devices.

After every screen-sharing session, check whether any OTPs or verification messages were received while the screen was visible to others.

Adv (Dr.) Prashant Mali
Cyber & Privacy Lawyer & Author

Wednesday, August 12, 2020

Strategic Cybersecurity Thinking

Strategic cybersecurity thinking is the ability to come up with effective plans, in line with an organization's objectives, for a particular cybersecurity situation. It helps cybersecurity managers review policy issues, perform long-term planning, set goals and priorities, and identify potential risks and opportunities.

Clearly, there needs to be a clear strategy for what must be done about security, and that strategy should drive the policies and procedures. In practice, however, a security strategy is rarely created. Most emphasis is placed on policies, whose implementation is generally relegated to the lowest levels, and it is simply assumed that most people will follow the policy that has been written.

A strategic cybersecurity programme does not begin with tools and tactics, but with an articulation of one or more programme goals. Sun Tzu once said in The Art of War: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Essentially this means that before you start with strategic planning you have to know what you are and what you are not because the way you operate can either make or break a successful execution. First, the strategy-minded CISO gets executive buy-in to those goals. To that end, the CISO must incorporate all levels of strategic thought, starting with the board and CEO – everyone must feel ownership and participation. 

The smart CISO recognises that security is a journey, not a destination, and that relationship building requires an ability to translate between technical and non-technical vocabularies. The CISO ensures that the programme goals accurately govern the objectives of the enterprise’s digital security programme. In our scenario, the CISO, board, and CEO all agree that, with respect to intellectual property, trade secrets, and sensitive data, the new policy goal is to minimise loss due to intrusion. 

This statement implies that everyone understands that stopping all adversaries and all attacks is simply not possible, especially when dealing with nation-state actors and some advanced criminal groups. The primary objective of this exercise is to achieve consensus on a simply stated, non-technical programme goal. No in-depth technical discussion is needed to achieve consensus, although the CISO must ensure that all goals, policies, and strategies are technically feasible. With a mandate in hand, the CISO can confidently work with his or her security team to plan the necessary operations and campaigns and, if necessary, acquire new tools and tactics to facilitate them. Together, they decide to implement a network security monitoring (NSM) operation, defined as the collection and escalation of indications and warnings to detect and respond to intruders. 

The security team begins the long-term, strategic process of hunting for hostile cyberattack campaigns, encompassing both known and unknown intrusion patterns. The CISO, board, and CEO all agree that a second programme goal is a rapid detection, response, and containment of cyber threats. This goal helps to ensure that when intruders breach the perimeter defences, the game is far from over. 

Defenders can still win, so long as they contain the threat before the attacker can accomplish his or her ultimate mission. Therefore, the security team will develop strategies to identify compromises quickly, determine their nature, give them some level of attribution, and above all develop a plan to stop the attacker from accomplishing his or her mission. At the tactical level of individual engagements with the adversary – the equivalent of battles in war – the security team will have myriad decisions to make, including whether to dislodge the intruder immediately or whether to watch the intruder for a time in order to collect valuable intelligence.

Some tactics govern how specific tools or techniques can be used, such as when Star Trek personnel switch their hand phasers between ‘stun’ and ‘kill’. As always, the adversary gets a say in what happens, but from the enterprise’s point of view, programme goals, policies, and guidelines should be written to govern this entire process.

Monday, February 3, 2020

Cyber Insurance paid to pay Ransomware: Case Study & Case Law

A Canadian insurance company infected by a ransomware virus paid off the cybercriminals using its cyber insurance policy. Its British reinsurers, having had to disburse 109.25 Bitcoins, wanted the money back from the blackmailing cybercriminals.

After infection, the unnamed Canadian company suffered a total lockdown of all of its systems and asked its reinsurance firm to pay the ransom so it could get back on its feet.

Paying off blackmailers holding a company to ransom is never advisable, and in many cases it is against local law. Despite a negotiation that brought the criminals' initial demand down from $1.2m to $950k, the decryption tool they provided had to be run on each and every affected device on the company's network.

It took five days to decrypt 20 servers and "10 business days" to unlock 1,000 desktop computers.

Neither company was going to pay out and forget the incident. The English reinsurer hired Chainalysis Inc, a "blockchain investigations firm", which eventually pinpointed the people responsible.

In AA v Persons Unknown and Ors. [2019] EWHC 3556 (Comm), Case No: CL-2019-000746, the unknown defendants were named as below:
(1) PERSONS UNKNOWN WHO DEMANDED BITCOIN ON 10TH AND 11TH OCTOBER 2019
(2) PERSONS UNKNOWN WHO OWN/CONTROL SPECIFIED BITCOIN
(3) iFINEX trading as BITFINEX
(4) BFXWW INC trading as BITFINEX

IN THE HIGH COURT OF JUSTICE BUSINESS & PROPERTY COURTS OF ENGLAND AND WALES COMMERCIAL COURT (QBD)
Hon. Justice Bryan said: "Whilst some of the Bitcoin was transferred into 'fiat currency' as it is known, a substantial proportion of the Bitcoin, namely, 96 Bitcoins, were transferred to a specified address. In the present instance, the address where the 96 Bitcoins were sent is linked to the exchange known as Bitfinex operated by the third and fourth defendants."

Bitfinex is a cryptocurrency exchange headquartered in the British Virgin Islands, though the court noted that one email address associated with the exchange was seemingly traced to China.

Justice Bryan said: "At the present time there is no evidence that [Bitfinex] are themselves, perpetrators of the wrongdoing, rather, it is said, they have found themselves the holder of someone else's property."

Hon. Justice ruled that Bitfinex probably knew who the two alleged ransom receivers were, saying: "I have no doubt that Bitfinex has the ability to access its records and its KYC [know your customer, finance sector ID rules] material to identify the information that is sought" about the two alleged blackmailers.

A Scottish MSP was caught red-handed advertising ransomware decryption services when in reality all it was doing was paying off the cybercriminals and adding a hefty margin for itself. At least one study has found that fewer than half of the companies that pay a ransom actually get their files back.

Meanwhile, A US federal judge has ruled that an insurer providing a "business owner's insurance policy" to National Ink & Stitch, which sustained a ransomware attack in 2016 and was forced to replace most of its IT infrastructure, must pay for the damages the security incident caused.

In her recent ruling, Judge Stephanie Gallagher of the U.S. District Court of Maryland wrote that the damage to National Ink & Stitch's computer infrastructure from a ransomware attack constituted "physical loss or damage" covered by the insurance policy, and that the insurer must pay the costs to recover and rebuild the network. National Ink & Stitch is an Owings, Maryland-based embroidery and screen printing firm.

The insurer, Columbus, Ohio-based State Auto Property and Casualty Insurance Co., had denied coverage for the cost of replacing National Ink & Stitch's computer system, arguing that the company had not experienced "direct physical loss of or damage to" its computer system, the judge noted in the ruling.

The ruling did not set a specific dollar figure, although National Ink & Stitch previously argued for a settlement of $310,000 in recovery costs, according to court documents. National Ink & Stitch and State Auto could be reached for comment.

Advocate (Dr.) Prashant Mali
Cyber & Privacy Expert

Tuesday, May 2, 2017

Cyber Security Questions for Board of Directors

Although boards of directors have added cybersecurity risk to their agendas, there is no standard way for boards to think about cybersecurity, much less any time-tested guidelines to help them navigate the issue.
For boards, cybersecurity is an issue of enterprise risk. As with all enterprise risks, the key focus is mitigation, not prevention. This universally understood enterprise risk guideline is especially helpful in the context of cybersecurity because no one can prevent all cyber breaches. Every company is a target, and a sufficiently motivated and well-resourced adversary can and will get into a company’s network.
Consequently, terms like “cyber defense” are insufficient descriptors of an effective posture because they evoke the image that corporations can establish an invincible perimeter around their networks to prevent access by bad actors. Today, it’s more accurate to think of the board-level cybersecurity review goal as “cyber resilience.” The idea behind the cyber resilience mindset is that, because you know network breaches will happen, it is more important to focus on preparing to meet cyberthreats as rapidly as possible and on mitigating the associated risks.

1. How do we integrate Cybersecurity with the current business direction and planning? 
2. What are our main Cybersecurity risks? 
3. Is the right amount of Cybersecurity risk accepted? 
4. Is our process for identifying, assessing and managing Cybersecurity risks effective? 
5. Do we have a cybersecurity culture in our organisation? Do people in this organisation have a common understanding of the term "Cybersecurity"? 
6. How do we ensure that Cybersecurity risk management is an integral part of the planning and day-to-day operations of individual business units? 
7. How do we ensure that the Board’s expectations for Cybersecurity risk management are communicated to and followed by the employees in the company? 
8. Do we have a process to manage electronic evidence? How do we ensure that our executives and employees act in the best interests of this organisation's cybersecurity posture? 
9. How is Cybersecurity risk management coordinated across the organisation and vendors?
10. How do we ensure that the organisation is performing according to the business plan and within appropriate Cybersecurity risk tolerance limits? 
11. How do we monitor and evaluate changes in the external environment and their impact on the organisation's strategy and Cybersecurity risk management practices? 
12. What information about the Cybersecurity risks targeting the organisation does the Board get to help it fulfil its stewardship and governance responsibilities? 
13. How do we know that the information the Board gets on Cybersecurity risks or threats and vulnerabilities is timely, accurate and reliable? 
14. How do we decide what information on Cybersecurity risks we should publish? 
15. How do we take advantage of the organisational learning that results from the Cybersecurity risk management corrective actions and/or preventive action plans? 
16. What are our priorities as a Board in the oversight of Cybersecurity risks? 
17. How does the Board handle its responsibility for the oversight of opportunities that introduce Cybersecurity risks to the organisation? 
18. How does the Board ensure that at least some of its members have the requisite knowledge and experience to address Cybersecurity risks, and that one member serves as an expert?
19. How do we, as a Board, help establish the "tone at the top" that reinforces the organisation's values and promotes a "Cybersecurity culture"? 
20. What grade would the Board give itself for overseeing Cybersecurity risk? 
The board is accountable for the organisation’s investment strategy. In years past, information security spending was part of a larger IT-related budget. Not anymore. Gartner estimates that by 2020, IT security spending will grow from $75 billion to $170 billion. With such levels of spending, boards will be more apt to scrutinize investments and actively manage budgets. 
To manage the risk associated with a cyber attack, leadership must bring together key components of an organisation to develop joint ownership of risks and a comprehensive approach to cybersecurity. Having a policy isn’t enough. Companies also need tools, processes, and up-to-date information on the ever changing threats to their enterprises. 

The author is a Chevening Cyber Security Fellow (UK) and a participant of IVLP (USA) on the Linking Digital Policy Cyber Crime Law Enforcement Program. He is a practising lawyer of the Bombay High Court. 
He regularly advises top corporate companies and government agencies on cybersecurity technical and legal issues.

Wednesday, November 2, 2016

IoT Malware and its Types 2017

IoT Malware Types Revealed 

The Internet of Things (IoT) is creating a new environment where malware can be used to create powerful botnets. Recently, IoT devices have been used to create large-scale botnets—networks of devices infected with self-propagating malware—that can execute crippling distributed denial-of-service (DDoS) attacks. IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.

Linux.Darlloz
Linux.Darlloz was discovered in late 2013. The worm exploited an old PHP vulnerability (CVE-2012-1823) to access a system, escalated privileges using lists of default and common credentials, propagated through the network, and established a backdoor on the system. While the original malware only infected computers running Intel x86 chip architectures, other versions were designed to target the ARM, PPC, MIPS and MIPSEL architectures commonly used in IoT devices. The worm also scanned systems for Linux.Aidra, attempted to remove any files related to that threat, and blocked any ports used by Aidra for communication [1].

Aidra
Aidra was discovered after the publication of the 2013 research paper that described the results of the 2012 Internet Census. The malware was designed to search for open telnet ports that could be accessed using known default credentials [2]. According to its author, Federico Fazzi, the malware was introduced in early 2012 as an IRC-based mass scanning and exploitation tool. The code can be compiled for MIPS, MIPSEL, ARM, PPC, x86/x86-64 and SuperH. Aidra is designed to target IoT devices that run embedded forms of Linux with active Telnet connectivity and default or no password. Some variants of Aidra can retrieve router passwords through the /cgi-bin/firmwarecfg bug found on some outdated D-Link and Netgear devices.
The malware attempts to connect to a telnet port using default credentials and if it succeeds, it downloads and executes a script called getbinaries.sh, which removes other malware binaries and prevents the device from being compromised by other competing malware. Some variants attempt to change the device credentials. Malware binaries are downloaded to /var/run, /var/tmp, /var/etc. Consequently, the malware can be removed by rebooting the device because the directories are stored in RAM. Then the infected device connects to an IRC server, joins a channel, reads a topic, and follows the instructions. Aidra is capable of scanning, flooding, and spoofing targets randomly or recursively. Further, its code can be easily tailored to a threat actor’s needs [3].
Qbot/ Qakbot
Qbot is a network-aware worm capable of harvesting credentials and creating backdoors [4]. The Qbot malware, first discovered around 2009, continues to be adapted and employed by script kiddies and cybercriminals [5]. Qbot leverages the Rig exploit kit against vulnerable websites to gain write access on the backend and to inject malicious JavaScript into the site. To avoid suspicion, the malicious JavaScript may be appended to the beginning or end of a legitimate JavaScript file. The Rig exploit kit is a two-tier model consisting of a gate and a landing page. While a new set of domains is used for each IP address, the dense population of each IP address with many subdomains gives researchers a degree of unintended visibility into the botnet structure. The majority of the gate and landing page domains are registered through GoDaddy accounts, many of which are believed to be compromised accounts. The Rig gate URL returns the main_color_handle variable, which contains a large string of characters used to determine the Rig exploit kit landing page. The string is passed through a function that strips every character that is not a hexadecimal digit (0-9 and a-f), translates the result to ASCII, and embeds an iframe in the current page that loads the landing page carrying the exploit. Random variable names, dynamically generated from the Rig gate URL contained in the kit, are used in the malicious script to obfuscate its functionality.
Users' Windows sessions are injected with the malware via a watering-hole attack or a drive-by download; alternatively, modified Qbot derivatives deliver the malware through malicious emails. Once installed on the system, the malware runs a network speed test and sends an initial beacon to the FTP server containing a list of installed software, the user's privileges, and the infected network's external IP address. The malware injects itself into a running explorer.exe process and infects further processes as they start up. The bot injects a DLL into processes that, when run, extracts its strings, configuration, APIs, and critical strings block into heap-allocated buffers. Qbot keeps its configuration parameters, such as FTP credentials, C2 settings, and timestamps, in an internal table. The malware places system-wide inline hooks to intercept or modify network traffic, to modify or redirect browser queries, to infect new processes, and to hide its presence. Qbot uses a domain generation algorithm for all C2 communications [31].
Upon installation, modern variants contact the C2 infrastructure to receive instructions, to update, and to mutate the appearance of the malware by self-recompiling or self-re-encrypting the malware as a server-based polymorphism, an obfuscation mechanism meant to confound anti-malware application and research efforts. The server-based polymorphism enables Qbot to avoid most anti-virus products because the malware updates itself to a new version every few days, and re-encrypts itself to remain undetectable for long periods of time. The malware can detect whether it is running in a Virtual Machine sandbox and it can alter its behavior to avoid detection [32].
Once Qbot has infected a system, it begins harvesting credentials contained in Windows Credential Store (Outlook, Windows Live Messenger, Remote Desktop, Gmail Messenger) and password stored by the Internet Explorer credential manager. Further credentials are sniffed from network traffic. The attackers can use the stolen credentials and system information to access FTP servers or to infect vulnerable websites to further spread the malware [32]. Qbot attempts to spread to open shares across the network through brute force password attempts or through attempts to access the Windows Credential Store. Qbot is also capable of intercepting browser information, such as banking information, and writing the data into named pipes and then sending it to a remote server [31].
Over a two-week investigation, BAE Systems discovered over 54,517 machines infected in a Qbot botnet. Most of these systems (85%) were located in the United States. The explosive popularity of Mirai and the resulting oversaturation of the IoT threat landscape have led to a decline in Qbot botnets. 

BASHLITE/ Lizkebab/ Torlus/ gafgyt
BASHLITE botnets are responsible for enslaving over 1 million devices. One security firm estimates that of the compromised devices, 95 percent were IP cameras or DVR units, 4 percent were home routers, and less than 1 percent were Linux servers. DVRs are high-value bots because the devices are configured with open telnet and other web interfaces, often rely on default credentials, and can handle the high bandwidth required to stream video. The majority of the infected devices were located in Taiwan, Brazil, and Colombia. Due to compartmentalization, the size of a monitored botnet is often difficult for security researchers to estimate. Conversely, the C2 IPs associated with campaigns are often hardcoded into the malware and are easier to monitor [33].
The BASHLITE source code was leaked in early 2015 and has since been adapted into over a dozen variants. The malware conducts two kinds of scans to discover vulnerable devices to infect. The first attack vector uses the bots themselves to port-scan IP ranges for telnet servers and then instructs them to brute-force credentials in order to access and infect the device. The second attack vector employs external scanners to detect vulnerable devices and then infects them by brute-forcing credentials, by exploiting known security vulnerabilities, or by leveraging another attack vector [8]. Once the attacker has compromised a device, the malware tools execute the "busybox wget" and "wget" commands to retrieve the DDoS payloads. The malware does not identify the architecture of the compromised device; instead, it attempts to run versions compiled for different architectures until one executes. Most BASHLITE attacks are simple UDP and TCP floods, though the malware supports a rarely used feature to spoof source addresses, and some variants support HTTP attacks [6]. BASHLITE is a predecessor of Mirai, and the two botnets are now in direct competition for a diminishing pool of vulnerable IoT devices [7].

Mirai
Mirai (Japanese for "the future") takes its name from the discovered binaries, which were named "mirai.()"; it was initially discovered in August. It arrives as an ELF Linux executable and focuses mainly on DVRs, routers, web IP cameras, Linux servers, and other devices running BusyBox, a common toolkit for embedded IoT devices.
Mirai uses the default password for the telnet or SSH accounts to gain shell access. Once it’s able to get access to this account, it installs malware on the system. This malware creates delayed processes and then deletes files that might alert antivirus software to its presence. Because of this, it’s difficult to identify an infected system without doing a memory analysis.
Mirai opens ports and creates a connection with bot masters and then starts looking for other devices it can infect. After that, it waits for more instructions. Since it has no activity while it waits and no files left on the system, it is difficult to detect.
The low detection ratio can also be explained by the Mirai feature to delete all malware files once it successfully sets the backdoor port into the system. It leaves only the delayed process where the malware is running after being executed.
Mirai is a piece of malware that infects IoT devices and is used as a launch platform for DDoS attacks. Mirai’s C&C (command and control) code is coded in Go, while its bots are coded in C.
Like most malware in this category, Mirai is built for two core purposes:
  • Locate and compromise IoT devices to further grow the botnet.
  • Launch DDoS attacks based on instructions received from a remote C&C.
To fulfill its recruitment function, Mirai performs wide-ranging scans of IP addresses. The purpose of these scans is to locate under-secured IoT devices that could be remotely accessed via easily guessable login credentials—usually factory default usernames and passwords (e.g., admin/admin).
Mirai uses a brute force technique for guessing passwords a.k.a. dictionary attacks.
On September 30, 2016, a script kiddie using the moniker “Anna-senpai” posted the Mirai source code on Hack Forums, in a claimed attempt to “retire” due to acquired wealth and due to a dissolving botnet base resulting from ISP intervention. 

Investigation of the attack uncovered 49,657 unique IPs hosting Mirai-infected devices. These were mostly CCTV cameras, a common target of DDoS botnet herders. Other victimized devices included DVRs and routers.
Overall, IP addresses of Mirai-infected devices were spotted in 164 countries, appearing even in such remote locations as Montenegro, Tajikistan and Somalia.

How to Prevent Infection

To prevent infection:
  • Stop the telnet service and block TCP port 48101 if you’re not currently using it
  • Set Busybox execution to be run only for a specific user
  • Scan for open telnet connections on your network
Mitigation
In order to remove the Mirai malware from an infected IoT device, users and administrators should take the following actions:
  • Disconnect device from the network.
  • While disconnected from the network and Internet, perform a reboot. Because Mirai malware exists in dynamic memory, rebooting the device clears the malware.
  • Ensure that the password for accessing the device has been changed from the default password to a strong password. 
  • You should reconnect to the network only after rebooting and changing the password. If you reconnect before changing the password, the device could be quickly reinfected with the Mirai malware.
Preventive Steps
In order to prevent a malware infection on an IoT device, users and administrators should take following precautions:
  • Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
  • Update IoT devices with security patches as soon as patches become available.
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
  • Purchase IoT devices from companies with a reputation for providing secure devices.
  • Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
  • Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
  • Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.
  • Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.
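To make the last two monitoring items concrete, here is an added example (not code from the original post or from any vendor) that runs detection logic over a small constructed connection log: it flags a source that sweeps many internal hosts on 23/TCP or 2323/TCP, any flow touching 48101/TCP, and internal hosts seen in both, which is the pattern of a device being probed, infected, and then reporting out. The key=value log format, the addresses and the three-target threshold are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample connection log (not real traffic). Each line is one TCP
# flow record in an assumed key=value firewall format. 203.0.113.7 sweeps the
# LAN for Telnet (23/TCP and 2323/TCP); 192.168.1.12 then opens a connection to
# 48101/TCP, the report port named above; 192.168.1.51 makes a single Telnet
# connection and should not be flagged; the last line is deliberately malformed.
SAMPLE_LOG = """\
2016-10-21T10:00:01Z proto=tcp src=203.0.113.7 spt=41000 dst=192.168.1.10 dpt=23 action=allow
2016-10-21T10:00:02Z proto=tcp src=203.0.113.7 spt=41001 dst=192.168.1.11 dpt=23 action=allow
2016-10-21T10:00:02Z proto=tcp src=203.0.113.7 spt=41002 dst=192.168.1.12 dpt=2323 action=allow
2016-10-21T10:00:03Z proto=tcp src=203.0.113.7 spt=41003 dst=192.168.1.13 dpt=23 action=drop
2016-10-21T10:00:04Z proto=tcp src=203.0.113.7 spt=41004 dst=192.168.1.14 dpt=23 action=drop
2016-10-21T10:00:05Z proto=tcp src=192.168.1.12 spt=51000 dst=198.51.100.9 dpt=48101 action=allow
2016-10-21T10:00:06Z proto=tcp src=192.168.1.50 spt=52000 dst=192.168.1.10 dpt=22 action=allow
2016-10-21T10:00:07Z proto=tcp src=192.168.1.51 spt=52001 dst=192.168.1.10 dpt=23 action=allow
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)\s+spt=(?P<spt>\d+)"
    r"\s+dst=(?P<dst>[\d.]+)\s+dpt=(?P<dpt>\d+)\s+action=(?P<action>\w+)\s*$"
)

TELNET_PORTS = {23, 2323}   # ports the text says to watch for Telnet attempts
REPORT_PORT = 48101         # port the text associates with infected devices
SCAN_THRESHOLD = 3          # assumed: distinct Telnet targets before calling it a sweep


def parse_line(line):
    """Parse one log line into a dict with integer ports, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def analyse(log_text, scan_threshold=SCAN_THRESHOLD):
    """Return three indicators: Telnet sweeps per source, flows touching 48101/TCP,
    and internal hosts that were probed over Telnet and later talked to 48101."""
    telnet_targets = defaultdict(set)   # src -> hosts it tried on 23/2323
    report_flows = []                   # (src, dst) pairs touching 48101
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        # Dropped attempts count too: a sweep that is mostly blocked is still a sweep.
        if rec["dpt"] in TELNET_PORTS:
            telnet_targets[rec["src"]].add(rec["dst"])
        if REPORT_PORT in (rec["spt"], rec["dpt"]):
            report_flows.append((rec["src"], rec["dst"]))
    sweeps = {src: sorted(dsts) for src, dsts in telnet_targets.items()
              if len(dsts) >= scan_threshold}
    probed = set().union(*telnet_targets.values())
    likely_compromised = sorted({src for src, _ in report_flows if src in probed})
    return {
        "telnet_sweeps": sweeps,
        "report_port_flows": report_flows,
        "likely_compromised": likely_compromised,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for src, targets in result["telnet_sweeps"].items():
        print(f"Telnet sweep from {src}: {len(targets)} hosts probed")
    for src, dst in result["report_port_flows"]:
        print(f"Traffic on {REPORT_PORT}/TCP: {src} -> {dst}")
    for host in result["likely_compromised"]:
        print(f"Likely infected (probed, then reported out): {host}")
```

On the sample log this reports one sweep (203.0.113.7 against five hosts), one flow on 48101/TCP, and 192.168.1.12 as the host worth pulling off the network and rebooting per the mitigation steps above. The single Telnet connection from 192.168.1.51 stays below the threshold, which is the kind of tuning that separates an administrator's login from a scanner.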
References:
[1] "The Internet of Things: New Threats Emerge in a Connected World," Symantec, 2014. [Online]. Available: https://www.symantec.com/connect/blogs/internet-things-new-threats-emerge-connected-world-0. Accessed: Oct. 25, 2016.
[2] M. Mimoso, C. Brook, and T. Spring, "New IoT Botnet Malware Borrows from Mirai," Threatpost, 2016. [Online]. Available: https://threatpost.com/new-iot-botnet-malware-borrows-from-mirai/121705/. Accessed: Nov. 1, 2016.
[3] "Lightaidra 0x2012," House of Vierko, 2012. [Online]. Available: http://vierko.org/tech/lightaidra-0x2012/. Accessed: Nov. 10, 2016.
[4] "The Return of Qbot," BAE Systems, 2016. [Online]. Available: https://resources.baesystems.com/pages/view.php?ref=39115&k=46713a20f9. Accessed: Oct. 26, 2016.
[5] G. Cluley, "Mutating Qbot Worm Infects over 54,000 PCs at Organizations Worldwide," Tripwire, 2016. [Online]. Available: https://www.tripwire.com/state-of-security/featured/qbot-malware/. Accessed: Oct. 26, 2016.
[6] T. Spring, K. Carpenter, and M. Mimoso, "BASHLITE Family of Malware Infects 1 Million IoT Devices," Threatpost, 2016. [Online]. Available: https://threatpost.com/bashlite-family-of-malware-infects-1-million-iot-devices/120230/. Accessed: Oct. 25, 2016.
[7] B. Krebs, "Source Code for IoT Botnet 'Mirai' Released," KrebsOnSecurity, 2016. [Online]. Available: https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/. Accessed: Oct. 23, 2016.
[8] B. Krebs, "KrebsOnSecurity Hit with Record DDoS," KrebsOnSecurity, 2016. [Online]. Available: https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/. Accessed: Oct. 23, 2016.
Compiled Version by Author

Thursday, October 13, 2016

What is SIPRnet?

SIPRNet, or Secret Internet Protocol Router Network, is a global United States military network system used for transmitting classified information, intelligence, targets, and messages at the secret level.

SIPRnet supports various systems, such as the Global Command systems and the Defense Messaging System, and also carries other important planning documents over a secure path. It is based on the same methods used for ordinary Internet access, but the main difference is that it runs over dedicated lines that are not found in other communication systems. These lines are responsible for managing secure communication with strongly authenticated user access. 
In other words, SIPRNet is a completely parallel Internet: it uses the same communications procedures but has been kept separate from the ordinary civilian Internet.

Approximately 3 Million people with secret clearances have access to SIPRNet, which includes Pentagon and military officials, Intelligence agencies, FBI, as well as diplomats in US embassies all around the World.



The registration procedure is quite lengthy. All linked users must be properly registered, with complete records in internal data sheets, and all passwords must be changed and updated every 150 days, otherwise the user's access is not granted. Passwords of fewer than 10 characters are not acceptable, and they must be a combination of alphanumeric characters and capital letters; stricter rules now apply, requiring passwords of 10 characters with at least two numbers, two lower-case letters, two upper-case letters and two special characters, although special characters are not allowed in passwords on systems other than SIPRnet. While logged in, users are not allowed to leave the system unattended, even briefly.

Other strict practices involve the use of fixed secondary storage media, in which hard drives cannot be removed, so that the secrecy level of the data is preserved by ensuring single-location storage; this requires proper marking of the storage hardware during the registration procedure. Use of improper storage media such as floppy disks, compact discs and memory sticks violates these strict rules and may result in 5 months in prison. Improved technologies have made it easier for SIPRnet to identify the safest form of data storage devices; devices such as PDAs (personal digital assistants), memory watches and key-chain drives cannot be of the classified type under SIPRnet. This is the main reason these devices are not allowed in sections with infrared detection of classified items. For computer systems installed to process classified information, it is recommended that they not use port beaming capability.

Wednesday, January 21, 2015

Electronic Evidence / Digital Evidence Case Laws and Cyber Law in India

Electronic Evidence/Digital Evidence & Cyber Law with case laws in India
By Adv. Prashant Mali [MSc. (Computer Science), LLB, LLM], Cyber Law & Cyber Security Expert. Email: prashant.mali@cyberlawconsulting.com
The proliferation of computers and the influence of information technology on society as a whole, coupled with the ability to store and amass information in digital form, have necessitated amendments in Indian law to incorporate provisions on the appreciation of digital evidence. The Information Technology Act, 2000 and its amendment are based on the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce. The Information Technology (IT) Act, 2000 was amended to allow for the admissibility of digital evidence, and amendments to the Indian Evidence Act, 1872, the Indian Penal Code, 1860 and the Bankers' Books Evidence Act, 1891 provide the legislative framework for transactions in the electronic world.

Digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Before accepting digital evidence, the court must determine its relevance, veracity and authenticity, and establish whether the fact is hearsay and whether a copy is being offered in place of the original. Digital evidence is "information of probative value that is stored or transmitted in binary form". It is not limited to what is found on computers but extends to digital devices such as telecommunication or electronic multimedia devices. Electronic evidence can be found in e-mails, digital photographs, ATM transaction logs, word-processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel's electronic door locks, and digital video or audio files. Compared with paper records, digital evidence tends to be more voluminous, more difficult to destroy, more easily modified, more easily duplicated, potentially more expressive and more readily available.
Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage media; it is also known as digital forensics. The goal of computer forensics is to explain the current state of a digital artifact, which may be a computer system or storage medium (a hard disk or CD-ROM), an electronic document (e.g. an e-mail message or JPEG image) or even a sequence of packets moving over a computer network.
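Because digital evidence is easily modified and easily duplicated, the practical question a court (and the investigator preparing the record) keeps coming back to is whether the copy produced is byte-for-byte the same as the original, and who produced it, when, and on which device. The script below is an added example written for this page, not the author's code and not a legal form: it hashes an original file, records the particulars that the text says a certificate must describe (device, operator, time of production), and then verifies copies against that record. The file contents, device name and operator are constructed, hypothetical sample data; a hash manifest of this kind supports the authenticity determination but does not by itself satisfy any statutory certificate requirement.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(original: Path, device: str, produced_by: str) -> dict:
    """Record the particulars of how the record was produced, plus size and hash of the original.

    'device' and 'produced_by' are free text supplied by the operator (hypothetical here).
    """
    return {
        "file": original.name,
        "size": original.stat().st_size,
        "sha256": sha256_file(original),
        "device": device,
        "produced_by": produced_by,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify_copy(copy: Path, manifest: dict) -> tuple[bool, str]:
    """Return (ok, reason). A copy is accepted only if size and SHA-256 both match the manifest."""
    if copy.stat().st_size != manifest["size"]:
        return False, "size differs from original"
    digest = sha256_file(copy)
    if digest != manifest["sha256"]:
        return False, f"hash mismatch: {digest}"
    return True, "copy is byte-identical to the original"


def demo() -> tuple[bool, bool]:
    """Constructed sample: an 'original' call-record export, a faithful copy, and a copy altered by one byte.

    Returns (faithful_copy_ok, altered_copy_ok); the altered copy keeps the same size so only the hash catches it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        original = d / "call_records.csv"  # constructed sample data, not a real record
        original.write_bytes(b"number,start,duration\n9876543210,2014-09-18T10:00:00,120\n")
        manifest = make_manifest(original, "Workstation WS-01 (hypothetical)", "Records officer (hypothetical)")

        faithful = d / "copy_good.csv"
        faithful.write_bytes(original.read_bytes())
        altered = d / "copy_bad.csv"
        altered.write_bytes(original.read_bytes().replace(b"120", b"121"))

        return verify_copy(faithful, manifest)[0], verify_copy(altered, manifest)[0]


if __name__ == "__main__":
    print("faithful copy ok, altered copy ok:", demo())
```

The size check is deliberately kept alongside the hash: it is cheap, it catches truncated media before the full hash is computed, and a copy that matches on size but not on hash is exactly the "altered in place" case the text warns about. The manifest should be produced at the time the copy is made and kept with the original media, since a hash taken later from a copy proves nothing about the original.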
The definition of 'evidence' has been amended to include electronic records. The definition of 'documentary evidence' has been amended to include all documents, including electronic records produced for inspection by the court. Section 3 of the Evidence Act, 1872 defines evidence as under: "Evidence" - Evidence means and includes:- 1) all statements which the court permits or requires to be made before it by witnesses, in relation to matters of fact under inquiry; such statements are called oral evidence; 2) all documents including electronic records produced for the inspection of the court. Such documents are called documentary evidence.
The term 'electronic records' has been given the same meaning as that assigned to it under the IT Act, which provides for "data, record or data generated, image or sound stored, received or sent in an electronic form or microfilm or computer-generated microfiche". The definition of 'admission' (Section 17 of the Evidence Act) has been changed to include a statement in oral, documentary or electronic form which suggests an inference to any fact at issue or of relevance. New Section 22-A has been inserted into the Evidence Act to provide for the relevancy of oral evidence regarding the contents of electronic records: oral admissions regarding the contents of electronic records are not relevant unless the genuineness of the electronic records produced is in question. New Sections 65-A and 65-B are introduced to the Evidence Act under the Second Schedule to the IT Act. Section 65-A provides that the contents of electronic records may be proved in accordance with the provisions of Section 65-B. Section 65-B provides that, notwithstanding anything contained in the Evidence Act, any information contained in an electronic record is deemed to be a document and is admissible in evidence without further proof or production of the original, provided that the conditions set out in Section 65-B are satisfied. The conditions specified in Section 65-B(2) are:
  1. Firstly, the computer output containing the information should have been produced by the computer during the period over which the computer was used regularly to store or process information for the purpose of any activities regularly carried on over that period by the person having lawful control over the use of the computer.
  2. The second requirement is that it must be shown that during the said period the information of the kind contained in electronic record or of the kind from which the information contained is derived was 'regularly fed into the computer in the ordinary course of the said activity'.
  3. A third requirement is that during the material part of the said period, the computer was operating properly and that even if it was not operating properly for some time that break did not affect either the record or the accuracy of its contents.
  4. The fourth requirement is that the information contained in the record should be a reproduction or derived from the information fed into the computer in the ordinary course of the said activity.
Under Section 65-B(4) the certificate which identifies the electronic record containing the statement and describes the manner in which it was produced giving the particulars of the device involved in the production of that record and deals with the conditions mentioned in Section 65-B(2) and is signed by a person occupying a responsible official position in relation to the operation of the relevant device 'shall be evidence of any matter stated in the certificate’.
Section 65-B(1) states that if any information contained in an electronic record produced by a computer (known as computer output) has been copied on to optical or magnetic media, then the electronic record so copied 'shall be deemed to be also a document', subject to the conditions set out in Section 65-B(2) being satisfied in relation to both the information and the computer in question, and such document 'shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible'.
ELECTRONIC EVIDENCE - CASE LAW
  1. Ignatius Topy Pereira Vs. Travel Corporation (India) Pvt. Ltd and another, 2016 SCC Online Bom 97 (Hon. Shri Justice S.B. Shukre). Fresh certificate under S. 65B, Evidence Act: if the certificate under S. 65B which was produced was rejected as not in compliance with the Section, a fresh certificate may be produced.

  2. Rajesh Dhannalal Daware Vs. State of Maharashtra {Bombay High Court, 5 May 2016}Evidence Act, 1872 - Section 65-B - Footage of CCTV Camera - Under S. 65B(4) if it is desired to give a statement in any proceedings pertaining to an electronic record, it is permissible provided the following conditions are satisfied: (a) There must be a certificate which identifies the electronic record containing the statement; (b) The certificate must describe the manner in which the electronic record was produced; (c) The certificate must furnish the particulars of the device involved in the production of that record; (d) The certificate must deal with the applicable conditions mentioned under Section 65B(2) of the Evidence Act; and (e) The certificate must be signed by a person occupying a responsible official position in relation to the operation of the relevant device.
  3. Raj Kumar v. State, CRL.A. 232/16, decided 19.4.16 (Delhi High Court). S. 65-B of the Evidence Act, 1872, mobile phone: since the mobile phone of the witness (containing the photograph) was itself produced in court and exhibited, there was no need for a certificate under Section 65-B of the Indian Evidence Act; the evidence is admissible.
  4. Amitabh Bagchi Vs. Ena Bagchi (AIR 2005 Cal 11) [Sections 65-A and 65-B of the Evidence Act, 1872 were analysed.] The court held that the physical presence of a person in court may not be required for the purpose of adducing evidence and that the same can be done through a medium like video conferencing. Sections 65-A and 65-B provide for evidence relating to electronic records and the admissibility of electronic records, and the definition of electronic records includes video conferencing.
  5. State of Maharashtra vs. Dr Praful B Desai (AIR 2003 SC 2053) [The question involved whether a witness can be examined by means of a video conference.] The Supreme Court observed that video conferencing is an advancement of science and technology which permits seeing, hearing and talking with someone who is not physically present with the same facility and ease as if they were physically present. The legal requirement for the presence of the witness does not mean actual physical presence. The court allowed the examination of a witness through video conferencing and concluded that there is no reason why the examination of a witness by video conferencing should not be an essential part of electronic evidence.
  6. BODALA MURALI KRISHNA VS. SMT. BODALA PRATHIMA (2007 (2) ALD 72) The court held that, “…the amendments carried to the Evidence Act by introduction of Sections 65-A and 65-B are in relation to the electronic record. Sections 67-A and 73-A were introduced as regards proof and verification of digital signatures. As regards presumption to be drawn about such records, Sections 85-A, 85-B, 85-C, 88-A and 90-A were added. These provisions are referred only to demonstrate that the emphasis, at present, is to recognize the electronic records and digital signatures, as admissible pieces of evidence.”
  7. DHARAMBIR Vs. CENTRAL BUREAU OF INVESTIGATION (148 (2008) DLT 289). The court arrived at the conclusion that when Section 65-B talks of an electronic record produced by a computer (referred to as the computer output), it would also include a hard disc in which information was stored, or was earlier stored, or continues to be stored. It distinguished two levels of an electronic record. One is the hard disc itself, which once used becomes an electronic record in relation to the information regarding the changes the hard disc has been subject to, information that is retrievable from the hard disc by using a software program. The other level is the active, accessible information recorded on the hard disc in the form of a text file, sound file, video file, etc. Such accessible information can be converted or copied as such to another magnetic or electronic device like a CD, pen drive, etc. Even a blank hard disc which contains no information but was once used for recording information can be copied by producing a cloned hard disc or a mirror image.
  8. STATE (NCT OF DELHI) Vs. NAVJOT SANDHU (AIR 2005 SC 3820) There was an appeal against conviction following the attack on Parliament on December 13 2001. This case dealt with the proof and admissibility of mobile telephone call records. While considering the appeal against the accused for attacking Parliament, a submission was made on behalf of the accused that no reliance could be placed on the mobile telephone call records, because the prosecution had failed to produce the relevant certificate under Section 65-B(4) of the Evidence Act. The Supreme Court concluded that a cross-examination of the competent witness acquainted with the functioning of the computer during the relevant time and the manner in which the printouts of the call records were taken was sufficient to prove the call records.
  9. JAGJIT SINGH Vs. STATE OF HARYANA ((2006) 11 SCC 1) The speaker of the Legislative Assembly of the State of Haryana disqualified a member for defection. When hearing the matter, the Supreme Court considered the digital evidence in the form of interview transcripts from the Zee News television channel, the Aaj Tak television channel and the Haryana News of Punjab Today television channel. The court determined that the electronic evidence placed on record was admissible and upheld the reliance placed by the speaker on the recorded interview when reaching the conclusion that the voices recorded on the CD were those of the persons taking action. The Supreme Court found no infirmity in the speaker's reliance on the digital evidence and the conclusions reached by him. The comments in this case indicate a trend emerging in Indian courts: judges are beginning to recognize and appreciate the importance of digital evidence in legal proceedings.
  10. TWENTIETH CENTURY FOX FILM CORPORATION Vs. NRI FILM PRODUCTION ASSOCIATES (P) LTD. (AIR 2003 KANT 148) In this case certain conditions have been laid down for video-recording of evidence:
  • Before a witness is examined in terms of the Audio-Video Link, witness is to file an affidavit or an undertaking duly verified before a notary or a Judge that the person who is shown as the witness is the same person as who is going to depose on the screen. A copy is to be made available to the other side. (Identification Affidavit).
  • The person who examines the witness on the screen is also to file an affidavit/undertaking before examining the witness with a copy to the other side with regard to identification.
  • The witness has to be examined during working hours of Indian Courts. Oath is to be administered through the media.
  • The witness should not plead any inconvenience on account of the time difference between India and the USA.
  • Before examination of the witness, a set of plaint, written statement and other documents must be sent to the witness so that the witness has acquaintance with the documents and an acknowledgement is to be filed before the Court in this regard.
  • The learned Judge is to record such remarks as are material regarding the demeanour of the witness while on the screen.
  • Learned Judge must note the objections raised during recording of witness and to decide the same at the time of arguments.
  • After recording the evidence, the same is to be sent to the witness and his signature is to be obtained in the presence of a Notary Public and thereafter it forms part of the record of the suit proceedings.
  • The visual is to be recorded, and the record would be kept at both ends. The witness is also to be alone at the time of the visual conference, and the notary is to certify to this effect.
  • The learned Judge may also impose such other conditions as are necessary in a given set of facts.
  • The expenses and the arrangements are to be borne by the applicant who wants this facility. 


  11. ANVAR P.V. Vs. P.K. BASHEER AND OTHERS, Civil Appeal No. 4226 of 2012, decided on September 18, 2014. Held that computer output is not admissible without compliance with Section 65B of the Evidence Act, overruling the judgment of the two-judge Bench of the Supreme Court in State (NCT of Delhi) v. Navjot Sandhu alias Afzal Guru [(2005) 11 SCC 600]. The court specifically observed that the judgment in Navjot Sandhu, to the extent it states the law on the admissibility of electronic evidence pertaining to electronic records, does not lay down the correct position and is required to be overruled. This judgment has put to rest the controversies arising from various conflicting judgments and thereby provided a guideline regarding the practices followed in the various High Courts and trial courts as to the admissibility of electronic evidence. The court's interpretation of Sections 22A, 45A, 59, 65A and 65B of the Evidence Act has confirmed that data stored on a CD/DVD/pen drive is not admissible without a certificate under Section 65B(4) of the Evidence Act, and further clarified that in the absence of such a certificate, oral evidence to prove the existence of such electronic evidence, and the expert view under Section 45A, cannot be availed of to prove its authenticity.

In the judgment, the Hon'ble Supreme Court has held that Section 65B of the Evidence Act, being a 'non obstante clause', overrides the general law on secondary evidence under Sections 63 and 65 of the Evidence Act. Sections 63 and 65 have no application to secondary evidence of electronic records, which is wholly governed by Sections 65A and 65B of the Evidence Act.
The only way to prove an electronic record is by producing the original electronic media as primary evidence before the court, or its copy by way of secondary evidence under Sections 65A/65B of the Evidence Act. Thus, in the case of a CD, VCD, chip, etc., the same shall be accompanied by a certificate in terms of Section 65B obtained at the time of taking the document, without which the secondary evidence pertaining to that electronic record is inadmissible. In the present case, the court observed that:
“The appellant admittedly has not produced any certificate in terms of Section 65B in respect of the CDs, Exhibits-P4, P8, P9, P10, P12, P13, P15, P20 and P22. Therefore, the same cannot be admitted in evidence. Thus, the whole case set up regarding the corrupt practice using songs, announcements and speeches fall to the ground.”
This judgment has severe implications in all cases where the prosecution relies heavily on electronic data, especially those in which audio-video recordings are produced before the court in the form of a CD/DVD. Anti-corruption cases are generally based on a great deal of electronic/digital evidence, and a CD/DVD forwarded to the court without a certificate is not admissible as evidence under Section 65B, which makes it mandatory to produce a certificate under Section 65B(4). The failure to provide the certificate further obstructs the judicial process, because the expert view in the matter cannot be availed of until that preceding condition is fulfilled. The judgment specifies that the genuineness, veracity or reliability of the evidence is looked into by the court only after relevance and admissibility are established. The requirement to ensure the source and authenticity of electronic records exists because they are more vulnerable to tampering, alteration, transposition, excision, etc.; without such safeguards, a whole trial based on proof of electronic records can become a mockery of justice.
The original recordings in digital voice recorders or mobile phones need to be preserved: if they are destroyed, the certificate under Section 65B(4) of the Evidence Act cannot be issued, the CD/DVD copy becomes inadmissible and cannot be exhibited as evidence, oral testimony or expert opinion about it is also barred, and the recording on the CD/DVD then serves no purpose for the conviction.
CONCLUSION: The progression of Indian evidence law is apparent, as it has withstood the pressures and challenges of technology and the cyber world, and the amendments to the Evidence Act and their interpretation by the judiciary show pro-activism. In my opinion, law enforcement agencies and investigating officers have to update themselves on the authentication process prescribed by the court for the admissibility of electronic/digital evidence, so that impediments in trial procedure can be successfully overcome. Proper training of law enforcement agencies in handling cyber-related evidence, and the correct application of procedure and of the sections of the Evidence Act while presenting such evidence in court, is the primary need of recent times. A complainant should now be aware that, while submitting electronic evidence to the police or the courts, he should submit it with a certificate under Section 65B(4) of the Indian Evidence Act so that the court can take cognizance of it and admit it in evidence.

FIR : All you want to know about in a criminal case

FIR - What is?  The first information report is a report giving information of the commission of a cognizable crime,  which may be made by t...