Cyber Law

India gets affected by Bomb blasts almost every month. Hundreds of Innocent people die for no reason. While it is difficult to stop all such attacks, it is fairly possible to prevent such attacks by improvising and using the existing resources effectively.

Let's look at some of the problems we face:

1. ATS: Wrong focus?

While it's a common knowledge that terrorists use the Internet for communication, and target Indian websites to highlight their cause, The Anti-terrorist Squd seems to focus more on tapping mobiles, Intercepting GSM networks and voice-privacy solutions. The reality is, even though these do help, they are ineffective means of tracking terrorists. Talk about Internet / Web security or Digital Forensics, they give you an odd look. Techies are still insignificant people in front of their "real" world of guns and bullets. Besides we always have the Cyber Crime Cell in Mumbai to put the blame on.

2- Cyber Crime Cell, Mumbai: Cyber What?

I don't mean to be rude, but it's practically a glorified department. Even tracing an email is a challenge. But more than the technical incompetency, the larger issue is attitude. A few intelligent people who know a few technical things prefer to keep mum. Their reason - Why open your mouth and invite more work? The complex unsaid ego and divide between "senior" and "junior" officers ensure that sensible work or process never get's implemented.

3 - NTRO: Making the right moves

NTRO is one organization i personally respect a lot. They have made decent efforts to bridge the gap between various agencies over time. With a strong technical team, i feel they are quite equipped to handle Cyber Crime related issues. But again, they are not directly involved or are responsible to tackle it.

4 - CERT India: A big joke

I don't know why we have CERT India. What is it's role? let's see what they say about it:

http://www.cert.org.in/incidentreporting.htm

"CERT-In will then analyse the information provided by the reporting authority and identify the existence of an incident. In case it is found that an incident has occurred, a tracking number will be assigned to the incident. Accordingly, the report will be acknowledged and the reporting authority will be informed of the assigned tracking number. CERT-In will designate a team as needed." ... and Blah Blah Blah.

Here's the truth. CERT does not have any system for Incident Reporting. Even if you report an Incident, they won't respond back to you. In August 2006, we reported close to 40+ Government related websites (Including the president's) that were vulnerable to hacking. We gave exact links, documented proof, video's (yes, even recorded videos!) and screenshots. This report was also sent to major news channels. What happened? Nothing! With anguish, we could only watch our Indian websites being hacked over time.

NIC : Helping Hackers?

Almost all government related websites are developed and maintained by NIC. And almost every website has a host of vulnerabilities that a defacer can take advantage of. I wonder why NIC does not have a decent security training with all that money from the Government? With e-governance on the rise, it will be dangerous if Indian Government does not take a serious look at lack of Information Security awareness.

So what can be done?

I think the Government must move fast towards gearing for Cyber warfare. This is where the real battle lies. With the vast confusing mesh of departments, it's best for the Government to seek some professional advice. Here are some suggestions:

1. Acknowledge Hackers and work WITH them. Encourage Open Disclosure.

2. Support Indian Hacker groups and community.

3. Facilitate Cyber Crime awareness in Academics. Utilize local youths as volunteers for solving cyber crime cases.

4. Make it mandatory for all lawyers to upgrade their technical skills and awareness of Cyber Crime.

5. Consult the corporate before drafting or making further amendments in the IT Act Law

6. Understand the importance of Training and impart the same to the right people. And not expect it to be delivered free by some company.

7. Establish cooperation between different agencies for faster resolution of problems.

Open Disclosure - Hacked Websites (Not in NEWS yet)

Here is a small list of websites.. that were hacked / compromized by the team and notified to the Cyber Crime Cell / Government but nothing has been done to rectify it:

Working example of a Vulnerable website: Maharashtra State Police Website

Others:

Passport Office Chandigarh

Tata Memorial Hospital

Ministry of Information and Broadcasting

Dept. Of Education - Govt. of Rajasthan

official website for Eastern Railway

BSNL - Dotsoft Development Center

Ministry of Defence

Prime Minister of India - PMOs Office

Directorate of Public Grievances

Central Information Commission - CIC

Central Vigilance Commission - CVC

Election Commission of India

Directorate of Technical Education Maharashtra

Mumbai Police

The Singareni Collieries Company Ltd

State Information Commission - Himachal Pradesh

NIC - Project Progress Monitoring System

Public Health Engineering Department

Tea Board of India

This is only a partial list of vulnerable sites. Feel free to reach us for further information (concerned webmasters can contact for free resolution / technical support of the issues).