
Thursday, May 26, 2005

SEBI slaps Birla wrist

Only in India can you do massive IT fraud in millions of dollars and be fined a piddling fine of US$ 1,200. It's sick, man.

SEBI fines Birla MF for non compliance
Sebi has slapped a Rs 75,000 penalty on Birla Mutual Fund, MF, for non-compliance with the take-over code regulations, reports The Economic Times.

The action has been taken for non-disclosure by the AMC when the holding of its various schemes in Bangalore-based IT company Subex System crossed the 5% limit in 1999.

The fund house was required to disclose, under Regulation 7(1) and (2) of the Sebi take-over code, its aggregate shareholding in the company within 4 working days of October 18, 1999, i.e. the date on which it crossed the threshold limit of 5% of the voting rights, the Sebi order said.

Sebi had issued a show-cause notice on March 7, 2005 to the fund house. The Sebi order also said that it has conducted an investigation into the phenomenal rise in the share price of Subex since its listing in September 1999 at Rs 80, which rose to Rs 1,908 in December 1999.

The board’s order said that in an analysis of the trading patterns of the various entities including the brokers/clients who had traded in the said scrip, it was found that Birla MF was the single-largest buyer of the shares of Subex System at Bangalore and Hyderabad stock exchanges.

The fund house was also found to have made the maximum purchase in the said scrip (around 78%) in September 1999, the first month of its IPO listing, when the price was between Rs 80-300. Apart from the market purchases, the MF also got shares through preferential allotment.

CERT-IN proposes mandatory IT security audit

In February 2005, noted Cyber Law expert Sarbajit Roy, whose Hacking Complaint under section 66 of the Information Technology Act 2000 is ongoing, charged during hearings that CIBIL (Credit Information Bureau India Limited) and several Foreign Banks like Standard Chartered Bank had not bothered to get their secure Financial Computer networks audited by approved auditors and that CERT-IN and the Controller's Office were fully aware of the numerous hacking incidents in India's Banking and Financial BPO sector. The swift response of CERT-IN to Roy's allegations is reproduced below:

India raises the security bar to rein in e-crime


by SUDHA NAGARAJ (of the Economic Times New Delhi)

NEW DELHI: Are you the head of a government-run entity or the chief information officer at a public or private sector organisation in the “critical infrastructure” (power and telecom) arena?

If so, you had better secure your information technology systems and network. Not only would they be audited, but annual reports on compliance with security norms would have to be filed with the National Information Bureau under the National Security Adviser through the Computer Emergency Response Team-India (CERT-In).

In the face of increasing cyber crimes, the government plans to announce a National Security Compliance Assurance Framework that would require implementation of security controls and reporting of incidents that breach IT security. This was revealed by BJ Srinath, scientist, CERT-In, at a cyber security seminar organised by the department of information technology (DIT) under the auspices of the Indo-US Security Forum.

The development assumes greater significance in the light of the cyber drug racket that has just been unearthed and was traced back to Agra. All countries are forming their own CERTs to tackle cyber crimes which know no borders. And unless these CERTs provide norms for security compliance and ensure implementation, there would be “weak links” in the global effort, says Mr Srinath.

According to the security compliance guidelines that have been drafted by CERT-In under the DIT, all government and critical infrastructure organisations — both public and private — must have a security policy, implement it and be subject to annual security audits.

To conduct the audits, a team of 18 auditors has been finalised by the government, including Tata Consultancy Services, Sify, PricewaterhouseCoopers, Mahindra-British Telecom, Satyam Computer Services, Secure Synergy, Network Security Solutions, STQC Directorate, Ramco Systems, CyberQ Consulting, Haribhakti & Co, Paladion Networks, Information Systems Auditors & Consultants, Indusface Consulting, AUDITime Information Systems, Network Solutions, AAA Technologies and Sysman Computers.

KK Bajaj, director, CERT-In told ET, “the list of to-be-empanelled auditors will be announced shortly for third-party audits.” Draft guidelines are ready and IT self-assessment tools, security products and parameters would be in consonance with ISMS standards like ISO 15408, IS 15150 and BS 1799.

The security assurance initiative is very much on the lines of the Federal Information Security Management Act ‘02 of the US. While this is a law and fixes ultimate responsibility for information security on the CIO or the agency head, India has opted to stipulate guidelines and may ask organisations to identify one person responsible for IT security.

As a source in the DIT put it, “The US has increased its cyber space so much that it has to take extreme security measures. In India, within organisations, some systems are identified for internet connectivity while some are protected from cyber space. So the risks are not as great and there is no need to raise the bar on security features.”

Accordingly, organisations would be categorised as low-risk (where awareness of security norms would suffice), medium risk (where awareness and action is required) and high-risk (where awareness, action and assurance is mandated).

Hyderabad hotbed of Credit Card fraud

Is Hyderabad, India the new hotbed for Credit Card fraud? As cyber law expert Sarbajit Roy's Hacking complaint reveals, this city in Southern India was placed on the international cyber crime map when VISA revealed the innermost security features of their credit cards to a local manufacturer of Public Call Office (PCO) booths.

HYDERABAD: The Internet-based railway reservation racket that was busted on Monday may be just the tip of the iceberg. With websites lacking foolproof security features, cases relating to credit card frauds are on the rise. One can e-shop by just entering the credit card details as most sites do not ask any more questions to verify the genuineness of the person punching in the details.

As many as 60 cases of credit card fraud have come to the notice of the city police in the past few years. In one case, an IRS officer working with the customs and central excise department in the city received a bill from SBI Cards for Rs 13,493 in May 2004 for purchasing books online from WP-Service Wrap, Ampthill, Great Britain. She complained to the police that she had never placed an order for the books and that someone could have used her credit card details and bought the books online.

Similarly, an unknown person purchased e-Dating software by logging onto www.leopay.com in the name of A R Kulkarni, a resident of Dilsukhnagar. Kulkarni was shocked to get a bill for $199 for "purchasing the software." He lodged a complaint with the police in June 2004 that someone had stolen his credit card details and made the purchase.

Though some websites ask for a few other details such as the validity period of the card, these are available on the credit card itself.

"To purchase even air tickets online, only credit card details have to be fed into the website," Cyber Crime Wing SP M Sivananda Reddy said. Only on a few e-shopping websites is additional information like one’s date of birth and address sought.

Weak cyber laws in India BS7799

"The Indian IT Industry lobbies hard for unfair amendments to the Information Technology Act 2000 to allow Indian IT firms to prosecute PC users whilst simultaneously protecting themselves from prosecution. Meanwhile India's weak cyber laws and poor police enforcement coupled with long delays in the judicial system allow cyber criminals to go scot-free," says cyber law expert Sarbajit Roy.

As the concern for information security rises so does the need to pin ownership for electronic actions. In view of the weak cyber laws in India, the Indian Merchants' Chamber held a session to discuss the 'Controversies in Cyber Law', on March 2, 2005.

Nanik Rupani, President IMC, opened the discussion with the remark that India is now accepted as the knowledge centre of the world. With large amounts of data in the country, it is important to have a sound law to protect it, he said.

Ownership issues

The issue of ownership began with the Julian Greene case, in which the pornographic visuals stored on Greene's PC were excused because they were attributed to a Trojan. Courts have also heard cases where the Trojan self destructs once it finishes its task.

P K Jain, Joint Commissioner of Police, Mumbai, said, "It will take time for the law to evolve, even though the police cyber cell, with the help of specialists from the IT industry, is working towards solving such crime."

To that Vijay Mukhi, Chairman IT, IMC, added, "This gathering to identify the loopholes in cyber law ought to be conducted every month so that the Indian law can benefit from it and evolve into foolproof regulations."

E-transactions

A significant point brought up in the discussion was that the IT Act 2000 was a means to bring e-transactions on the records and not to regulate electronic actions.

Both N S Nappinai, Advocate, and Tushar Ajinkya, Manager, DSK Legal, pointed out that the definitions in the IT Act were too convoluted and ambiguous. "A person who physically dismantles a floppy drive can be termed a hacker according to the current definitions," explained Nappinai.

The slow judicial process, too, was deemed a cause for concern in the forum. To solve it, Satish Maneshinde, Advocate, suggested that there should be a separate court to settle cyber crime cases.

Compliance

Enforcement agencies and the Indian industry are now aligning their processes in accordance with international standards. The Mumbai Police has a BS7799 certified call centre that gives security-related information.

When questioned about the need for security laws, Mukhi said, "The lack of a law puts an aggrieved company without a recourse to a remedy. Complying with regulations is a preventive step, but the industry needs a law that it can lean on in case there is a problem."