Consumer Dispute resolution under the Telecom Act 2023

The Telecommunications Act of 2023 has strengthened the dispute resolution framework by introducing an online grievance redressal system. The aim is to expedite the resolution of conflicts between telecommunications companies and consumers while ensuring transparency in the redressal process. Following an inquiry, a telecom company found violating license or service terms may incur severe penalties, spectrum holdings cancellation, service restrictions, or even be prohibited from providing telecom services, depending on the seriousness of the breach. 

How does the online grievance redressal system operate, and who plays key roles? 

An Adjudicating Officer (AO), appointed by the Centre and not below the rank of joint secretary, will conduct inquiries to resolve disputes between telecom service providers and consumers. Additionally, a separate Designated Appeals Committee (DAC) will be formed, consisting of officers at the rank of additional secretaries. Individuals dissatisfied with an AO’s decision can appeal to the DAC, and those unhappy with the DAC's ruling can escalate the matter to the telecom tribunal, TDSAT. Both the AO and DAC will function digitally, conducting their operations entirely online, and any telecom company involved in a dispute must actively engage in the grievance redressal process.

What is the role of an Adjudicating Officer (AO)?

If a telecom company is found to violate the licence or service terms as per the Telecommunications Act, the AO initiates an inquiry by issuing a notice. Following the inquiry, the AO has the authority to issue a written order, requiring corrective actions. Additionally, the AO can impose specific civil penalties based on the severity of the breach. Moreover, the AO has the power to request the Centre to impose restrictions, halt services, or even cancel spectrum allotment for the concerned telecom company.

What types of penalties might telecom companies potentially encounter? 

For violations of conditions outlined in Sections 32 and 34 of the Telecom Act, penalties can vary, ranging from Rs 1 lakh for minor offenses to Rs 1-5 crore for more significant and severe breaches. The Adjudicating Officer (AO) determines the penalty amount by considering factors such as the gravity of the contravention, the number of affected individuals, whether it led to disproportionate gains, and if it was repetitive, negligent, intentional, or caused government revenue losses. Additionally, the AO examines whether the errant telecom company took any measures to mitigate the violation before determining the penalty.

What authority do the AO and DAC hold in the new grievance redressal system?

Both the Adjudicating Officer (AO) and the Designated Appeals Committee (DAC) possess the powers of a civil court, and the adjudication processes conducted by them will be considered judicial proceedings.

Are there mechanisms for voluntary disclosure, and how do they operate?

Telecom companies have the option to proactively disclose a contravention of licence or service terms to the AO before an inquiry begins. They can also provide a voluntary undertaking, detailing the steps already taken or proposed measures to address the contravention within a specified timeframe. If the AO accepts this voluntary undertaking, it will be considered a mitigation measure, and the AO must take it into account when determining the penalty.

https://tccms.trai.gov.in/

https://trai.gov.in/

बॅंकेतून ऑनलाइन पैसे गेलयास १५५२६० हा हेल्पलाइन क्रमांक करा डायल

बॅंकेतून ऑनलाइन पैसे गेलयास १५५२६० हा हेल्पलाइन क्रमांक करा डायल

तंत्रज्ञान जेवढे प्रगत होत जाते तेवढेच त्याच्यामागे धोकेही चालत येतात. ऑनलाइन चोरी हा त्यातलाच एक प्रकार! विशेष म्हणजे शिक्षित, अनुभवी असलेले व्यक्ती याला बळी (Online fraud) पडतात. तुमचे क्रेडिट कार्ड अपडेट करायचे आहे, तुमच्या पिन नंबरची मुदत संपली, तुमच्या खात्यात अमुक रक्कम जमा करायची आहे, अशा एक ना अनेक क्लूप्त्या वापरत सायबर गुन्हेगार नागरिकांना फसवत असतात.

अशा सायबर गुन्हेगारांवर आळा घालण्यासाठी केंद्र सरकारने आता पाऊल उचलले आहे. केंद्रीय गृहमंत्रालय आणि दिल्ली पोलिसांच्या सायबर सेलने अशी यंत्रणा विकसित केली की ज्या माध्यमातून लोकांना दिलासा मिळणार आहे. केंद्रीय गृहमंत्रालयाने १५५२६० हा क्रमांक हेल्पलाइन म्हणून जारी केला आहे. ज्यांचे पैसे खात्यातून उडाले असतील त्यांनी त्वरित या क्रमांकावर कॉल करावा. कारण, सायबर गुन्ह्यांमध्ये वेळेला फार महत्त्व असते. जेवढ्या लवकर हेल्पलाइनवर कॉल कराल तेवढे गुन्हेगार शोधून काढण्यास आणि रक्कम परत मिळण्यास मदत होते.

इंटरनेटला कुठलीही भौगोलिक मर्यादा नसल्याने अगदी विदेशात बसलेला हॅकरही तुमच्या खात्यातील पैसे लंपास करू शकतो. अर्थात त्याला तुम्हीही मदत करीत असता ते ओटीपी सांगून अथवा एखादे ॲप डाउनलोड करून! कारण, हॅकर कितीही तरबेज असला तरी त्याला एकतर्फी हात साफ करताच येत नाही. आतापर्यंत देशात लाखो लोकांना याचा फटका बसला.

सात ते आठ मिनिटांत रक्कम होल्ड

सायबर गुन्हेगाराने चुना लावल्याचे कळताच त्वरित १५५२६० या क्रमांकावर कॉल केल्यास सायबर यंत्रणा कामाला लागते आणि अवघ्या सात ते आठ मिनिटांत ट्रान्सफर झालेली रक्कम होल्ड केली जाते. कारण, गुन्हेगार पैसे चोरी करण्यासाठी अनेक खात्यांचा वापर करीत असतात. कॉल येताच संबंधित बॅंक अथवा ई-साइटला अलर्ट केले जाते. त्यामुळे ट्रान्सफर सुरू असतानाच पैसे होल्ड केले जातात.

यंत्रणा काम कशी करते?

हेल्पलाइन क्रमांकावर कॉल येताच नाव, मोबाईल, खाते क्रमांक, पैसे वजा झाल्याची वेळ ही महत्त्वाची माहिती विचारली जाते. त्यानंतर सर्व माहिती http://cybercrime.gov.in/ या गृहमंत्रालयाच्या संकेतस्थळावरील डॅशबोर्डवर शेअर केली जाते. याकामी आरबीआयचेही सहकार्य मिळत आहे. क्राईम झाल्यानंतर पहिले दोन ते तीन तास अत्यंत महत्त्वपूर्ण असतात. आतापर्यंत अनेक नागरिकांना त्यांचे पैसे परत मिळाले आहेत.

एकप्रकारचे सुरक्षा कवच

http://cybercrime.gov.in/ हे संकेतस्थळ आणि १५५२६० हा हेल्पलाइन क्रमांक म्हणजे एकप्रकारे सुरक्षा कवच आहे. याला ‘इंडियन सायबर क्राईम कोऑर्डिनेशन प्लॅटफार्म’ असेही म्हणतात. याच्याशी जवळपास ५५ बॅंका, ई-वॉलेटस् ,पेमेंट गेटवेज, ई-कॉमर्स संकेतस्थळ आणि अन्य वित्तीय सेवा देणाऱ्या संस्था जुळलेल्या आहेत.

Cyber Insurance paid to pay Ransomeware: Case Study & Case Law

A Canadian insurance company infected by ransomware virus paid off the cybercriminals using its cyber insurance policy. Their British reinsurers, having to disburse 109.25 Bitcoins, wanted it back from the blackmailing cybercriminals.

After infection, the unnamed Canadian company suffered a total lockdown of all of its systems and asked its reinsurance firm to pay the ransom so it could get back on its feet.

Paying off blackmailers holding a company to ransom is never advisable, many a time it is against the local law. Despite a negotiation that made criminals bring down their initial demand of $1.2m to $950k, the decryption tool provided had to be run on each and every affected device on the company's network.

It took five days to decrypt 20 servers and "10 business days" to unlock 1,000 desktop computers.

Neither company was going to pay out and forget the incident. The English reinsurer hired Chainalysis Inc, a "blockchain investigations firm", which eventually pinpointed the people responsible.

In the AA Versus Unknown Persons and Ors. [2019] EWHC 3556 (Comm) Case No: CL-2019-000746

The Unknowns were arraigned as below:

(1) PERSONS UNKNOWN WHO DEMANDED BITCOIN ON 10TH AND 11TH OCTOBER 2019

(2) PERSONS UNKNOWN WHO OWN/CONTROL SPECIFIED BITCOIN

(3) iFINEX trading as BITFINEX

(4) BFXWW INC trading as BITFINEX

IN THE HIGH COURT OF JUSTICE BUSINESS & PROPERTY COURTS OF ENGLAND AND WALES COMMERCIAL COURT (QBD)

Hon. Justice Bryan said: "Whilst some of the Bitcoin was transferred into 'fiat currency' as it is known, a substantial proportion of the Bitcoin, namely, 96 Bitcoins, were transferred to a specified address. In the present instance, the address where the 96 Bitcoins were sent is linked to the exchange known as Bitfinex operated by the third and fourth defendants."

Bitfinex is a cryptocurrency exchange headquartered in the British Virgin Islands, though the court noted that one email address associated with the exchange was seemingly traced to China.

Justice Bryan said: "At the present time there is no evidence that [Bitfinex] are themselves, perpetrators of the wrongdoing, rather, it is said, they have found themselves the holder of someone else's property."

Hon. Justice ruled that Bitfinex probably knew who the two alleged ransom receivers were, saying: "I have no doubt that Bitfinex has the ability to access its records and its KYC [know your customer, finance sector ID rules] material to identify the information that is sought" about the two alleged blackmailers.

A Scottish MSP was caught red-handed promising ransomware decryption services when in reality all they were doing was paying off the cybercriminals and adding a windfall high margin. At least one study has found that less than half of companies paying off ransomware actually get their files back.

Meanwhile, A US federal judge has ruled that an insurer providing a "business owner's insurance policy" to National Ink & Stitch, which sustained a ransomware attack in 2016 and was forced to replace most of its IT infrastructure, must pay for the damages the security incident caused.

In her recent ruling, Judge Stephanie Gallagher of the U.S. District Court of Maryland wrote that the damage to Nation Ink & Stitch's computer infrastructure from a ransomware attack constituted "physical loss or damage" covered by the insurance policy and that the insurer must pay the costs to recover and rebuild the network. National Ink & Stitch is an Owings, Maryland-based embroidery and screen printing firm.

The insurer, Columbus, Ohio-based State Auto Property and Casualty Insurance Co., had denied coverage for the cost of replacing National Ink & Stitch's computer system, arguing that that the company had not experienced "direct physical loss of or damage to" its computer system, the judge noted in the ruling.

The ruling did not set a specific dollar figure, although National Ink & Stitch previously argued for a settlement of $310,000 in recovery costs, according to court documents. National Ink & Stitch and State Auto could be reached for comment.

Advocate (Dr.) Prashant Mali
Cyber & Privacy Expert

Prashant Mali Interview in Business Standard Newpaper

Ransom-payers are also the cause of ransomware proliferation: Prashant Mali

The ransom to retrieve files was reportedly $300, to be paid in virtual currency bitcoins

Nikita Puri July 1, 2017 Last Updated at 21:20 IST

Operations at a terminal of the country’s largest container port, Jawaharlal Nehru Port Trust in Mumbai, came to a standstill earlier this week. The process of loading and unloading containers was halted as the port’s computers shut down after a major cyber attack that swept across the globe. The aggressiveness of the malware showed that such attacks were capable of bringing both corporate and government networks to a sudden halt. The ransom to retrieve files was reportedly $300, to be paid in virtual currency bitcoins. Cyber law expert Prashant Mali, also an advocate at the Bombay High Court, tells Nikita Puri how to prevent mass-scale civil disruptions that future cyber attacks can result in. Edited excerpts:
 
First we had individual companies and high-networth individuals who were targets of ransomware, then WannaCry hit servers across the globe. Now another malware, which some are identifying as Petya, has sent corporations into a tizzy. Do you foresee more such threats?

 
To date, financial cyber crime has only grown and it is yet to peak, so I would say it’s written on the wall that many more such attacks are expected in the near future. Such threats loom large as the ransom is paid in bitcoins, so the criminals aren’t caught. One thing the police and the government can do is to ensure that citizens make compulsory declarations of purchase of bitcoins and other cryptocurrencies (like ethereum) when they file their income tax returns. This can help the government see who pays and how much because, I feel, ransom-payers are also the cause of ransomware proliferation.
 
Security experts confirm that the malware isn't really a ransomware, but a wiper designed to destroy data. Reportedly, because of “ its aggressive features,” the malware makes it impossible to retrieve certain files leading many to believe that this attack may not have been for money. Can this be seen as an attempt to test how far companies will go to protect data?
 
Even if cyber attacks don’t cause financial damage, they definitely throw open defences. Identifying fortresses that have holes in their system can be of interest to the state and non-state actors. This data of the number of loopholes is in demand and is sold at a premium price. There are different types of people involved in the dark world: many a time those who look for such holes, those who attack, and those who intend to get ransoms are all different.
 
Companies are often wary of making such attacks public. Security firm Symantec has said that India is the worst hit in Asia, but we have confirmation only from Mumbai’sJawaharlal Nehru Port Trust. Do you think information sharing could actually help build a better defence against such attacks?
 
By not reporting such attacks, companies are depriving the nation of a knowledge database that can help other companies develop better defences. Symantec and other (security) vendors also cannot be fully relied upon because fear is what they harp on. The more fear they put in Indians, the more they sell security products. The Insurance Regulatory and Development Authority of India and insurance companies should make it compulsory for clients to file a First Information Report (FIR) before claiming cyber insurance. Once reporting to some government agency becomes mandatory to claim insurance, companies would be motivated.
 
What are the security measures that one must take to avoid such attacks? 
 
No one can be immune in cyber space and that's the reality. Only cyber awareness in organisations can bring in cyber resilience. I would advise organisations to have multi-prong policies to establish a cyber security culture. I feel the highest level of cyber safety can be achieved by establishing a cyber security culture in the company, and a country can be cyber resilient by cultivating a culture of cyber security in society. Government should quadruple its budget for digital literacy programmes. For the government to be ahead of hackers, we need cyber spies: our law and enforcement agencies should implant cyber spies among cyber criminals. The chatter within their group helps the state to be ready for what is coming: we need cyber intelligence. 
 
Do you think companies should have ethical hackers on their pay rolls? 
 
I have an issue with the term “ethical hackers” because legally this isn’t right: those are two contradictory terms put together. People who use these terms are either doing it for branding purpose or are students. Companies should opt for services by cyber security researchers. 
 
Are India’s cyber laws equipped to handle such large-scale attacks?
 
No. Laws can be invoked when prima facie evidence is found against criminals and investigation can be completed if attribution to a criminal is possible. The legal framework to help enforcement agencies in India has serious flaws. Large-scale cyber attacks need multiple law and enforcement agencies to work together along with CERT-In (Indian Computer Emergency Response Team), but the protocol for this is yet to be developed. 
 
In the future, cyber attacks are going to affect government facilities meant for citizens: like centres for health, water etcetera. Even municipalities should coordinate with the aforementioned agencies to avoid mass scale civil disruption from cyber attacks.

Petya Ransomeware Attack : What to Do immediately

Petya/Petwrap ransomware

What is Petya Ransomeware do?

Ans: 

Ransomware, Petya does not encrypt files on a targeted system one by one.

Instead, Petya reboots victims computers and encrypts the hard drive's master file table (MFT) and rendering the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.

Petya replaces the computer's MBR with its own malicious code that displays the ransom note and leaves computers unable to boot.

Why it spreads fast?

Ans : Petya ransomware successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network based threat (MS17-010)

So patch both first!

Affected countries: UK, Ukraine, India, the Netherlands, Spain, Denmark, and others

Behavior:

Encrypts MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.

Actions to be taken:

1. Block source E-mail address

wowsmith123456@posteo.net

2. Block domains:

http://mischapuk6hyrn72.onion/

http://petya3jxfp2f7g3i.onion/

http://petya3sen7dyko2n.onion/

http://mischa5xyix2mrhd.onion/MZ2MMJ

http://mischapuk6hyrn72.onion/MZ2MMJ

http://petya3jxfp2f7g3i.onion/MZ2MMJ

http://petya3sen7dyko2n.onion/MZ2MMJ

3. Block IPs:

95.141.115.108

185.165.29.78

84.200.16.242

111.90.139.247

4. Apply patches:

Refer(in Russian): https://habrahabr.ru/post/331762/

5. Disable SMBv1

6. Update Anti-Virus hashes

a809a63bc5e31670ff117d838522dec433f74bee

bec678164cedea578a7aff4589018fa41551c27f

d5bf3f100e7dbcc434d7c58ebf64052329a60fc2

aba7aa41057c8a6b184ba5776c20f7e8fc97c657

0ff07caedad54c9b65e5873ac2d81b3126754aac

51eafbb626103765d3aedfd098b94d0e77de1196

078de2dc59ce59f503c63bd61f1ef8353dc7cf5f

7ca37b86f4acc702f108449c391dd2485b5ca18c

2bc182f04b935c7e358ed9c9e6df09ae6af47168

1b83c00143a1bb2bf16b46c01f36d53fb66f82b5

82920a2ad0138a2a8efc744ae5849c6dde6b435d

myguy.xls EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6

BCA9D6.exe 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD

As of a Kill-switch can be used for #Petya Ransomware. 

i.e. Just create a file "C:\Windows\perfc"

Does this affect you?* 

Though this attack is largely targeting companies, it's important you stay vigilant and take following precautionary measures.

- Always make sure your anti-virus is up-to-date to maximize the protection available to you.

- Don't click too quickly. This attack may be spreading through phishing or spam emails, so make sure you check an email's content for legitimacy. Hover over a link and see if it's going to a reliable URL. Or, if you're unsure about an email's content or the source it came from, do a quick search and look for other instances of this campaign, and what those instances could tell you about the email's legitimacy.

- Do a complete back up. Back up all your PCs immediately. If your machine becomes infected with Petya ransomware, your data could become completely inaccessible. Make sure you cover all your bases and have your data stored on an external hard drive or elsewhere.

- Apply system and application updates.Making sure your operating system is up to date will help contain the spread of this malware.

In Cyber Crime Matters How to SERVE SUMMONS TO PARTY RESIDING ABROAD

Cybercrime :
HOW TO SERVE SUMMONS, PROCESS, WARRANT TO PARTY RESIDING ABROAD-

Comprehensive guidelines referred to in Letter No. 55019/17/2017-Legal Cell, dated ______ of Internal security Division, Ministry of Home Affairs regarding service of summons/notices/judicial process on persons residing abroad. --

1. Section 105 of Criminal Procedure Code (CrPC) speaks of reciprocal arrangements to be made by Central Government with the Foreign Governments with regard to the service of summons / warrants / judicial processes. The Ministry of Home Affairs has entered into Mutual Legal Assistance treaty/Agreements with 22 countries which provide for serving of documents. These countries are Switzerland, Turkey, United Kingdom, Canada, Kazakhastan, United Arab Emirates, Russia, Uzbekistan, Tajikistan, Ukraine, Mongolia, Thailand, France, Bahrain, South Korea, United States of America, Singapore, South Africa, Mauritius, Belarus, Spain and Kuwait. In other cases the ministry makes a request on the basis of assurance of reciprocity to the concerned foreign government through the mission / Embassy. The difference between the two categories of the countries is that the country having MLAT has obligation to consider serving the documents whereas the non-MLAT countries does not have any obligation to consider such a request.Summons/notices/judicial processes issued by the Indian Courts.

2. The summons/warrants/judicial processes received by MHA are forwarded to the concerned Indian Missions/Embassies which in turn, takes up the matter with the designated authority in that country. In case of MLAT countries, the manner of communication is as laid down in MLAT and can be either directly between MHA and the Central Authority or can be through the diplomatic channel. The designated authority after considering the request directs its agency to serve the document on the concerned person and the report of the service, if any is also received through the same chain. This is broadly the system in majority of the countries. However, in some countries private companies/NGOs have also been entrusted with the service of judicial papers.

3. Based on the experience gained, some guidelines are given below which may be followed while making a request to MHA for service of judicial processes. It may, however, be noted that it is the discretion of the requested country to serve the documents and any time frame for a positive response cannot be predicted.

a) All requests for service of summons / notices / judicial processes on persons residing abroad shall be addressed to the Under Secretary(Legal), IS-II Division, Ministry of Home Affairs, 9th Floor, Lok Nayak Bhawan, New Delhi- 110003. 
All requests shall be forwarded through post only with a covering letter from the  Court official giving the following information: 
a) Material facts of the criminal matter including purpose of the request and the nature of the assistance sought. 
b) The offences alleged to have been committed, a copy of the applicable laws and maximum penalties for these offence. 
c) Name, designation, telephone and fax number of the person/officer who will be able to give any clarification, if required. 
d) The complete address of the issuing authority to which the judicial papers/service reports may be returned. 
e) Approval of the competent authority to bear any expenditure, which they be charged by the foreign government/agency for the service of the documents. 
f) Degree of confidentiality required and the reasons therefore(in case of confidentiality requirement). g) Any time limit within which the request should be executed. 
This will be subject to allowance of sufficient margin of time by the requesting agency, as indicated in para 3(iv) of the guidelines b) MHA, on receipt of request, will examine it in view of the provisions of treaty, if exists, with the requested country and as per the provision of CrPC in case of non-treaty country. 
c) MHA requires at least a period of 12 weeks times for service of such notices in the concerned countries. It is, therefore imperative that a date of hearing/appearance may be decided accordingly. 
d) In the case of non English speaking countries, the notices should be accompanied with the certified/authenticated translation(in duplicate) in the official language of the country where the notice is proposed to be served. 
e) Name and address of the individual/organization should be complete in all respect and PO BOX no. and Passport no. will not suffice as address of the individual. 
f) Ministry of Home Affairs responsibility to service the summons is only in Criminal Matters. Hence, summons in Criminal matters only may be sent to the Ministry for service abroad. 
g) MHA does not undertake service of the non-bailable warrants of arrest. The service of non-bailable arrest warrents amounts to the extradition of the individual. 
The request for extradition are based on certain legal procedures contained in applicable treaties negotiated on the basis of the International Principle of Extradition. 
Such requests are to be forwarded to the Ministry of External Affairs, CPV Division, Patiala House Annexe, Tilak Marg, New Delhi – 110001."

Cyber Security Questions for Board of Directors

Cyber Security Questions for Board of Directors.

Although Board of directors have added cybersecurity risk to their agendas, there is no standard way for boards to think about cybersecurity, much less time-tested guidelines to help them navigate the issue.

For boards, cybersecurity is an issue of enterprise risk. As with all enterprise risks, the key focus is mitigation, not prevention. This universally understood enterprise risk guideline is especially helpful in the context of cybersecurity because no one can prevent all cyber breaches. Every company is a target, and a sufficiently motivated and well-resourced adversary can and will get into a company’s network.
Consequently, terms like “cyber defense” are insufficient descriptors of an effective posture because they evoke the image that corporations can establish an invincible perimeter around their networks to prevent access by bad actors. Today, it’s more accurate to think of the board-level cybersecurity review goal as “cyber resilience.” The idea behind the cyber resilience mindset is that, because you know network breaches will happen, it is more important to focus on preparing to meet cyberthreats as rapidly as possible and on mitigating the associated risks.

1. How do we integrate Cybersecurity with the current business direction and planning? 

2. What are our main Cybersecurity risks? 

3. Is the right amount of Cybersecurity risk accepted? 

4. Is our process for identifying, assessing and managing Cybersecurity risks effective? 

5. Do we have Cybersecurity culture in our organisation ? Do people in this organisation have a common understanding of the term "Cybersecurity"? 

6. How do we ensure that Cybersecurity risk management is an integral part of the planning and day-to-day operations of individual business units? 

7. How do we ensure that the Board’s expectations for Cybersecurity risk management are communicated to and followed by the employees in the company? 

8. Do we have process to manage Electronic evidence? How do we ensure that our executives and employees act in the best interests of this organisation's Cybersecurity posture? 

9. How is Cybersecurity risk management coordinated across the organisation and vendors?

10. How do we ensure that the organisation is performing according to the business plan and within appropriate Cybersecurity risk tolerance limits? 

11. How do we monitor and evaluate changes in the external environment and their impact on the organisation's strategy and Cybersecurity risk management practices? 

12. What information about the Cybersecurity risks targeting the organisation does the Board get to help it fulfil its stewardship and governance responsibilities? 

13. How do we know that the information the Board gets on Cybersecurity risks or threats and vulnerabilities is timely, accurate and reliable? 

14. How do we decide what information on Cybersecurity risks we should publish? 

15. How do we take advantage of the organisational learning that results from the Cybersecurity risk management corrective actions and/or preventive action plans? 

16. What are our priorities as a Board in the oversight of Cybersecurity risks? 

17. How does the Board handle its responsibility for the oversight of opportunities that introduce Cybersecurity risks to the organisation? 

18. How does the Board ensure that at least some of its members have the requisite knowledge and experience to address Cybersecurity risks and one of the member serves as an expert ?

19. How do we, as a Board, help establish the "tone at the top" that reinforces the organisation's values and promotes a "Cybersecurity culture"? 

20. How many grades the Board wish to give itself for overseeing Cybersecurity risk? 
The board is accountable for the organisation’s investment strategy. In years past, information security spending was part of a larger IT-related budget. Not anymore. Gartner estimates that by 2020, IT security spending will grow from $75 billion to $170 billion. With such levels of spending, boards will be more apt to scrutinize investments and actively manage budgets. 
To manage the risk associated with a cyber attack, leadership must bring together key components of an organisation to develop joint ownership of risks and a comprehensive approach to cybersecurity. Having a policy isn’t enough. Companies also need tools, processes, and up-to-date information on the ever changing threats to their enterprises. 

The Author is Chevening Cyber Security Fellow (UK) and participant of IVLP (USA) on Linking Digital Policy Cyber Crime Law Enforcement Program. He is a Practising Lawyer of Bombay High court. 

He regularly Advices Top Corporate Companies and Government Agencies on Cybersecurity Technical and Legal Issues.

Online impersonation and Sending bomb hoax email - Section 66D Cybercrime

Section 66(D) Cyber Crime - THE MYSTERY BEHIND HOAX MAIL SOLVED –ONE HELD

                         On 20-04-2017, the sleuths of Commissioner’s Task Force, West Zone team with the assistance of S.R Nagar police, on credible information made sustained efforts and solved the mystery behind hoax mail which was generated from Hyderabad.

  Details of apprehended Accused :-

Motaparthi Vamshi Krishna @ vamshi chowdary S/o. M.A.sV. Prasad, age. 32 yrs, Occ. Transport agent  R/o. Flat no.G-1, TP Sanjana  Amrutha Residency, Miyapur, R.R.Dist, N/o.  Dendullur (village & Mandal), West Godavari Dist, A.P.

 Brief facts

On 15-04-2017 at 1647 hours commissioner of police,Mumbai received a mail from a mail ID ununn0801@gmail.com  claimed to be woman in the email and stated that she overheard six men chating in a hotel and stating that all 23 people have to split from here and board flights in three cities i.e Hyderabad, Chennai and Mumbai to hijack planes at a time tomorrow. 

On the tip of Mumbai Police alerted and sent the information to the concerned Airport Security agencies about a gang planning to hijack flights from three Airports.

  Basing on the information CISF pressed into service and quick reaction commando teams under taken sanitisation drill at Airport and Airlines have been asked to remain extra vigilant. Extra care has been given to passenger checks, baggage scanning, pre embarkation checks and started special patrols to thwart any bid to storm the Airport.    

As a mail generated from Hyderabad, considering the seriousness and sensitivity of the issue, the Commissioner of Police, Hyderabad instructed the Task Force team to   check the veracity of the mail. 

During the enquiry traced the IP address and found it is a net cafe at Madhura Nagar, S.R.Nagar styled as “E netzone” and enquired with the owner of net cafe and found the register of the visitors and filtered eight persons at the time of generating mail. Since the net cafe did not have CCTV footages and there were no proper records maintained at net cafe centre, The Task Force Police made sustained efforts based on the available of CC footage nearby net cafe and lead to the identification of   accused by name Vamsi Krishna.

During the interrogation the accused revealed that he used to chat with his girlfriend who stays at Chennai. Few days back she proposed a trip to Mumbai & Goa. As he is facing financial problems, he unable to bare expanses for their tour,  he requested her to withdraw the trip proposal, but she denied his request, forced him to go to trip to Mumbai & Goa.   In this process to cancel the trip, he hatched a plan to make her believe that flights have been cancelled because of High Alert at airports.

                            In this connection he created a fake flight booking Ticket on her name dt. 16-04-2017 from Chennai to Mumbai, sent the fake ticket to his girl friend through his mail Id my3softcreations@gmail.com to her mail id on 15-04-2017 to believe her.  If she knows about the fake ticket, she will avoid him.  On that he went to one internet centre styled as “E Net zone” at Madhura Nagar, SR.Nagar on 15-04-2017 at about 1600 hrs. In this net zone he created a fake mail id “ununn0801@gamil.com”  and secured the Mail Ids of Mumbai police commissioner and others and prepared fake message as ‘’hi sir am female here am doing this mail frim Hyderabad as i don’t want to revel my details couse am a female and scared of issues, and mailing u this couse in the after noon around 2pm while having lunch there were 6 guys talking those guys are musclims, they were talking abt plane hijack tommarrow in Hyderabad chennai and Mumbai airport they were talking very slowly but unfortunately i heard few conversations abt this, they were saying all us 23 people have to split from here and have to board flights in 3 cities and hijack them at a time. They spoke some other things also but i couls not hear them as i heard only these few sentences from them, i dont know do am i doing correct or not and they are true or not but heard this so kindly go through this and as i informed this as a duty and a citizen of india and pls dont make me to get into issues’’

On further questioning he revealed that   previously he  was involved in two cases Cr.No. 411/2010, U/s. 420, 458,506 R/w. 34 IPC of S.R.Nagar PS & Cr.No. 32/2013, U/s. 66(D) of ITA Act-2008 & 420 IPC of CCS, Cyber crimes.

The apprehended accused along with seized material being handover to SHO, S.R.Nagar PS for taking further action under 66D of IT act and sec 419, 182 IPC.

Prashant Mali Authored Book Released by Hon. Chief Justice Dr. Manjula Chellur, Bombay High Court

PRASHANT MALI BOOK RELEASED BY HON CHIEF JUSTICE DR MANJULA CHELLUR

Prashant Mali Authored Third Edition of Book "Cyber Law & Cyber Crimes Simplified " Released by Hon'ble Chief Justice, Dr. (Mrs.) Manjula Chellur, Bombay High Court . this book is Fore worded by Hon. Justice Madan Lokur, Supreme Court of India. Book is now available in High Court and with Aarti Publications, Fort

Prashant mali addressing judges in cyber crime investigation training

Prashant Mali Then addressed around 400 judges and public prosecutors ahead in the training program held at Maharashtra Judicial Academy

Sextortion and Laws in India

What is SEXTORTION?

A form of sexual exploitation that employs non-physical forms of coercion by threatening to release sexual images or information to extort monetary or sexual favors from the victim.
Modus Operandi
1) The scammers persuade the dater to send sexually explicit photos. Once they get the photos, the scammers identify themselves as law enforcement, telling the dater they sent the pictures to a minor.
They then tell the person to pay up in order to avoid arrest.
The scammers are not only identifying themselves as law enforcement, they are also using actual names of officers.
“These people are being contacted by Detective Don Peterson and it isn’t me,” Peterson told the paper.
More than 100 people have paid between $500 to $1,500 to try to avoid arrest.
2) The groups is to create online accounts of females and post pictures of attractive ladies to draw clients. They would then post pornographic images and entice their victims to have video chats with them, usually with lewd content and conversation.
Once they obtain the incriminating videos, the groups would threaten to send the video chats to the victim's friends or relatives unless they send money.
The victims are allegedly forced to send $500 to $2,000 – or P20,000 to P90,000 – through Western Union in exchange for the removal of the online video chat.

How to prevent sextortion?
Talk about sextortion
Sextortion thrives on silence; spread knowledge. Talk to two people and ask them to spread the word to two more. Keep the chain going.
Spread the word
Without a name – SEXTORTION – it is difficult to lift an abuse out of the realm of bad things we know happen and passively accept as the way of the world, and into the realm of things we will no longer tolerate and actively seek to change.
Learn more about sextortion
Once you become aware of sextortion, you see how pervasive it is. Gather and share information about sextortion.

Laws in INDIA:
1) Section 66E of Information Technology Act,2000
Violation of Privacy - Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person
2) Section 67 of Information Technology Act
Punishment for publishing or transmitting obscene material in electronic form
3) Section 67A of Information Technology Act
Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form
4) Section 67B of Information Technology Act
Punishment for Child Pornography in electronic form
Interpol investigation
5) Section 387 of Indian Penal Code,1860  for Extortion is also applicable

6) Section 506 of The IPC,1860 2nd Para is applicable if the extortionist is imputing the chastity of the girl. 

India case law for sextortion [ Bail Stayed]

The Supreme Court on 01/02/2016 stayed the anticipatory bail given to sextortion case accused M. Satyanandam, suspended APSPDCL, Divisional Engineer. Satyanandam, who was working as DE in electricity department was booked for active involvement in the gang that sexually exploited women and resorted to extortion. 

He was fourth accused in the case registered at Machavaram on December 11, 2015 following a complaint given by a woman to the commissioner of police.  

An INTERPOL-coordinated operation targeting organized crime networks behind ‘sextortion’ cases around the world has resulted in the arrest of 58 individuals, including three men linked to the group which harassed Scottish teenager Daniel Perry.
Perry, a 17-year-old victim of an online blackmail attempt, died after jumping off the Forth Road Bridge near Edinburgh in July last year.

In the first operation of its kind, information shared between the INTERPOL Digital Crime Centre (IDCC), Hong Kong Police Force, Singapore Police Force and the Philippines National Police (PNP) Anti-Cybercrime Group led to the identification of between 190 and 195 individuals working for organized crime groups operating out of the Philippines.

New age Cyber Crimes : 2016

New Age Cyber Crimes : 2016

New trends in cybercrime are emerging all the time, with estimated costs to the global economy running to billions of dollars.

In the past, cybercrime was committed mainly by individuals or small groups. Today, we are seeing highly complex cybercriminal networks bring together individuals from across the globe in real time to commit crimes on an unprecedented scale.

Criminal organizations turning increasingly to the Internet to facilitate their activities and maximize their profit in the shortest time. The crimes themselves are not necessarily new – such as theft, fraud, illegal gambling, sale of fake medicines – but they are evolving in line with the opportunities presented online and therefore becoming more widespread and damaging.

Identity theft

Identity theft and fraud is one of the most common types of cybercrime. The term Identity Theft is used, when a person purports to be some other person, with a view to creating a fraud for financial gains. When this is done online on the Internet, its is called Online Identity Theft. The most common source to steal identity information of others, are data breaches affecting government or federal websites. It can be data breaches of private websites too, that contain important information such as – credit card information, address, email ID’s, etc.

Ransomware

Ransomware enters your computer network and encrypts your files using public-key encryption, and unlike other malware this encryption key remains on the cyber criminals server. Attacked users are then asked to pay huge ransoms to receive this private key via Bit Coins.

DDoS attacks

DDoS attacks are used to make an online service unavailable and bring it down, by bombarding or overwhelming it with traffic from multiple locations and sources. Large networks of infected computers, called Botnets are developed by planting malware on the victim computers. The idea is normally to draw attention to the DDOS attack, and allow the hacker to hack into a system. Extortion and blackmail could be the other motivations.

Botnets

Botnets are networks of compromised computers, controlled by remote attackers in order to perform such illicit tasks as sending spam or attacking other computers.  Computer Bots can also be used act like malware and carry out malicious tasks. Then can be used to assemble a network of computers and then compromise them.

Up to now, most botnets have been assembled by constantly roaming the internet probing for PCs that are unprotected. When a vulnerable machine is discovered, it is infected with malware that lies there undetected, awaiting the command to start pinging the site that has been chosen for an attack. For the more sophisticated cybercriminal, though, this way of doing things is beginning to look obsolete. The PC market has peaked, so zombie machines will become rarer and existing PCs tend to be better managed and protected from intrusion than they used to be. We are getting to the point, in other words, where PC-based botnets are soyesterday.

So where is the smart online criminal going to go next? Obligingly, the tech industry has provided him with the capability to assemble even bigger botnets with much less effort. The new magic ingredient is the IOT internet of things – small, networked devices that are wide open to penetration. The attacks will come from large numbers of enslaved devices – routers, cameras, networked TVs and the like. 

Spam and Phishing

Spamming and phishing are two very common forms of cybercrimes. There is not much you can do to control them. Spam is basically unwanted emails and messages. They use Spambots.  Phishing is a method where cyber criminals offer a bait so that you take it and give out the information they want. The bait can be in form of a business proposal, announcement of a lottery to which you never subscribed, and anything that promises you money for nothing or a small favor. There are online loans companies too, making claims that you can get insecure loans irrespective of your location. Doing business with such claims, you are sure to suffer both financially and mentally. 

Phishing has its variants too – notably among them are Tabnapping, Tabjacking, Vishing & Smishing.   Such spamming and phishing attempts are mostly emails sent by random people whom you did not ever hear of. You should stay away from any such offers especially when you feel that the offer is too good. Do not get into any kind of agreements that promise something too good to be true. In most cases, they are fake offers aiming to get your information and to get your money directly or indirectly.

Social Engineering

Social engineering is a method where the cyber criminals make a direct contact with you using emails or phones – mostly the latter. They try to gain your confidence and once they succeed at it, they get the information they need. This information can be about you, your money, your company where you work or anything that can be of interest to the cyber criminals.

It is easy to find out basic information about people from the Internet. Using this information as the base, the cyber criminals try to befriend you and once they succeed, they will disappear, leaving you prone to different financial injuries directly and indirectly. They can sell the information obtained by you or use it to secure things like loans in your name. The latter case is of Identity theft. You should be very careful when dealing with strangers – both on phone and on the Internet.

Malvertising

Malvertising is a method whereby users download malicious code by simply clicking at some advertisement on any website that is infected. In most cases, the websites are innocent. It is the cyber criminals who insert malicious advertisements on the websites without the knowledge of the latter. It is the work of advert companies to check out if an advertisement is malicious but given the number of advertisements they have to deal with, the malverts easily pass off as genuine ads.

In other cases, the cyber criminals show clean ads for a period of time and then replace it with malverts so that the websites and advertisements do not suspect. They display the malverts for a while and remove it from the site after meeting their targets. All this is so fast that the website does not even know they were used as a tool for cybercrime. Malvertising is one of the fastest, increasing types of cybercrime.

PUPs

PUPs, commonly known as  Potentially Unwanted Programs are less harmful but more annoying malware. It installs unwanted software in your system including search agents and toolbars. They include spyware, adware, as well as dialers. Bitcoin miner was one of the most commonly noticed PUPs in 2013.

Drive-By-Downloads

Drive By Downloads too, come close to malvertising. You visit a website and it triggers a download of malicious code to your computer. These computers are then used to aggregate data and to manipulate other computers as well.

The websites may or may not know that they have been compromised. Mostly, the cyber criminals use vulnerable software such as Java and Adobe Flash and Microsoft Silverlight to inject malicious codes as soon as a browser visits the infected website. The user does not even know that there is a download in progress.

Remote Administration Tools

Remote Administration Tools are used to carry out illegal activities. It can be used to control the computer using shell commands, steal files/data, send location of the computer to a remote controlling device and more.

Exploit Kits

A vulnerability means some problem in the coding of a software that enables cyber criminals to gain control of your computer. There are ready to use tools (exploit kits) in the Internet market which people can buy and use it against you. These exploit kits are upgraded just like normal software. Only difference is these are illegal. They are available mostly in hacking forums as well as on the Darknet.

Scams

Notable among Internet scams are (IRS Scams, Insurance Scams, Matrimonial website scams, Techsupport Scams), scams which misuse the Microsoft name and other general tech support scams. Scamsters phone computer users randomly and offer to fix their computer for a fee. Every single day, scores of innocent people are trapped by scam artists into Online Tech Support Scams and forced to shell out hundreds of dollars for non-existent computer problems. 

People should note that employees involved in call centre scams are prosecutable under Section 66(C) & (D) of The IT Act,2000 as well sections of IPC involving Extortion and Cheating are also applied which are non-bailable offences, currently employees working in Mira Road IRS call centre Scam fraud are in jail without bail from last 15 days.