Friday, November 6, 2009

Univ of Brighton research paper - bunch of lies!

I had forgotten this so-called research paper, but an article in the Economic Times prompted me to seek answers from the "researchers" at the Univ of Brighton.
These guys have a shallow paper based on hearsay and misplaced / racist perceptions of the developing world, and they pass judgement.

Then they do not have the decency to respond to any objection to their "paper"... is it a problem to face up to your mistakes?

Phishing study: Bunch of lies
Kamlesh Bajaj / November 05, 2009, 0:46 IST

A team of researchers including professors of University of Brighton published a report in July 2009 titled “Crime online — Cybercrime and illegal innovation”. It was picked up by online news channels and quoted in news items to propagate lies about so-called cybercrimes in the business process outsourcing (BPO) industry of India. The report tries to present data from the annual reports of the Indian Computer Emergency Team, and Symantec in a way that suits its story, of India being a centre of cybercrimes and in general being a weak state. We want to set the record straight...


That is Dr Bajaj blasting them above, and they deserve it.
I had written to them in August, but they did not bother to reply, so now I am forced to put my email in the public domain:


Dear Messrs Howard Rush, Chris Smith, Erika Kraemer-Mbula and Puay Tang

I am writing to you with reference to your research report "Crime Online - Cybercrime and Illegal Innovation".

This report has been quoted as the source that states "India emerging as major cybercrime centre" and has obviously raised many doubts about the veracity of your study. A very alarming statement in your report says that cyber crime increased 50-fold in India during the three-year period from 2004-07, and this is pure conjecture, since you are referring to statistics for security incidents and not cyber crime, and there is a BIG difference between these two.

A small search would have brought you to the National Crime Records Bureau of the Government of India, where you can easily get the cyber crime statistics.

While you are publishing your report in 2009, you are relying on news articles that date back to 2005, and your report uses these isolated incidents to irresponsibly pronounce judgement! Sad, to say the least. Especially when you folks are living in the UK, which is a "cybercrime-incident-a-day" country.

As I write to you I have this window open, http://www.out-law.com/page-10309, which is not something to be proud of.

I am also taking the liberty of forwarding a digest of discussions (# 1171 of Aug 21) between people on the India Infosec mailing list relating to this report. Brickbats all around for you, sadly, for trashing the BRIC countries. Do join this list to know more about the opinions of the security community.


Your paper has been quoted here:

My final word here is that there are so many "experts" sitting in their lofty citadels who are driven by the need to generate copy. Information security trends, issues, etc. cannot be judged on the basis of old articles, and researchers must first understand the subtle differences in the jargon used in the business. For example, as every IS professional knows, there is a big difference between problem management and incident management!

In any case, with the large number of white papers, content and research on the net, it is important to be cautious about what to accept as true :)



Friday, January 30, 2009

Monster follows Heartland...

A monstrous data leak at Monster.com has been announced.

Its customer database has been hacked for the second time in six months. They have lost user information, which includes IDs, passwords, e-mail addresses, names, phone numbers, birth dates, etc. How many records were compromised is not known, except that this affects monster.com users in America and Europe.

So just take it easy if your name and personal information are used by someone you do not know.

The reason is simple: Heartland happened, and now Monster, and both maintain that personal information is compromised but that they are unable to come up with any definite numbers. So you may or may not be in the hole.

Wednesday, January 21, 2009

The New Year begins with a bang! Break My Heart...

What a start to the New Year! And they told me 2008 was a bad one.

January '09, and we brought in memories of the tragic 26/11 here in Mumbai. We did not celebrate the passing of the old year, so was this due to the baggage we carried from last year or a foreboding of the times to come?

Seems to be the latter, when we take stock on this 21st day of the year 2009 AD. (And when I think about the 344-odd days ahead, a shiver runs through me.)

First, Satyam lives down its name. Raju confessed that he had been lying for the past 7 years and more. So a billion-dollar behemoth shows it had no pants (maybe no underwear too), and all the good men running along with it may also be in the buff. That was a $1.2 b shocker, and for those of you who do not know, the word Satyam means "truth" in Hindi / Sanskrit.

Now Heartland breaks my heart by announcing the mother of all breaches. They say they have been compromised. Heartland processes about 100 million transactions every month, and we can well imagine how bad this is going to be. TJX may now seem like small change, because Heartland has beaten them to the tape.
It seems that they had a backdoor running on their systems for quite some time and that they have found 'multiple' instances of malicious software on the network. Now they will work to make things better by bringing in "a next-generation program designed to flag network anomalies in real time".
Cute.

Conficker, a.k.a. Downadup, is a big bad worm that has spread to over 3.5 million PCs worldwide and has the potential to create "one badass botnet", according to F-Secure. So, users, be warned about using your convenient USB sticks. Read more about this online before using your USB drives, or any autorun device, any more.

So this is it: in three weeks we have had three major events, one in the east, one in the west and one worldwide. That's a nice number, one a week.

And I am not yet talking about the seesawing markets or the billions that are still being handed out to the big banks and corporations to help them stay alive or afloat.

There it goes... the mantra for success: incorporate and employ thousands; since the numbers are so big, some fools will pay you for nothing (the numbers will impress, and so will window dressing like sub-prime). In a few years, go tell the Government (whisper to them) that you are going under and they will give you a billion or a trillion; then they will lower interest rates and generously fill your begging bowl.

We shall soon see a new elective - the art of becoming a C-level beggar.

Thursday, January 15, 2009

Governance... what's that! Happy New Year!!

The New Year has got off to a bang. One of India's Big-4 IT companies has shown that it does not have underwear - the king without clothes - and all along we believed that they were the best. Satyam Computers is a billion-dollar-plus company doing great business, employing 50,000 people across the globe... and living a fraud.

The boss man at Satyam confessed that he had been cooking the books of accounts for the past 7 years or more. This fudging has snowballed into a huge $1.2 billion hole in the company's statement of cash in hand and bank deposits. If this was not enough, Raju also said that revenue figures and margin statements for the quarter were inflated!

The Satyam board had approved the purchase of companies owned by Raju's sons; the shareholders smelt a rat and Satyam's stock tumbled 55% on the NYSE. The decision was withdrawn in an hour, but this action brought greater scrutiny and the house of cards collapsed within a few days.

Governance norms were thrown to the wind by this company, which was recently recognized with an award for good governance (the Golden Peacock).

What is surprising is that the directors, auditors, accountants and managers all say that they did not know about this, even though the fraud has been going on for so many years. So we must assume that Raju is superhuman and a super-genius, able to pull a mask over so many players at the same time and to successfully cloak the numbers in the account statements, repeatedly.

According to Raju, he could not get off the tiger he was riding. It is common knowledge that if you sleep with the devil, you get burned. He started a con job, the con grew bigger and bigger, and there was no way he (or his cronies) could handle it.

And all these cronies are crying out loud, claiming innocence. The auditors say that they relied on documents provided by the management! The CFO says he did not check the balance sheet and that it was prepared by his VP!! The directors say they accepted what was presented to them - at face value!!! It is highly irresponsible to sign public documents asserting they are correct and then not be able to stand by those same documents. All these people were busy being wined, dined and rewarded with cash and gifts, and never gave a thought to their responsibility towards the shareholders.

Hope they are brought to book too, and get to see a jail from the inside. The typical line of thought here is: nothing will happen, it is India. Our investors' association hardly has any teeth to fight for rights and bring these large corporations to account. Well, for once they were wrong, because they did not factor in shareholder anger in the US.

And thank God for this wake-up call. Companies must embrace the practices of good governance, not merely to comply with public sentiment and regulatory requirements. Any corporate leader with a decent amount of common sense can reap the benefits of good governance by way of efficient processes and increased brand value, which will provide ROI in the form of savings and stakeholder / customer confidence. The trick is in implementing governance initiatives in spirit; do not worry, you are not exposing yourself, you are cleaning up your act.

Squatting does not pay

Cyber squatting followed by a ransom demand in full public view does not pay. International laws have converged on the norms set by ICANN and WIPO, and these do not support any form of cyber squatting. Add a ransom and you are in trouble while you squat.

Way back in 1995/96, in the early days of the Internet in India, I remember being asked by a client to book domain names of various established firms in India. I spent a few hours explaining to him how it did not make sense and the problems he could face ahead for playing around with an established trade-mark. Cyber squatting was very much on the minds of such people, and some must have made a killing, but I would like to believe that the majority have been evicted without any gains.

This recent case should serve as a deterrent to wannabe squatters, and in-the-act squatters should vacate the domain names and garner some goodwill from their victims. The goodwill may generate rewards too, as any good deed brings some good of its own.

-------
World's second richest man gets Web name back for free
Wed Jan 14, 2009 12:21pm EST
GENEVA (Reuters) - The world's second richest man, Mexican telecommunications tycoon Carlos Slim Helu, won control for free on Wednesday of a Web address in his name that an Indonesian had tried to sell him for $55 million.


----------

Friday, November 28, 2008

Aligarh police crack cyber crime

This is good news and shows the increasing awareness among the law enforcement fraternity in the country. Mind you, Aligarh is not a Bombay or Delhi. It is pretty far away from the hustle and bustle of a big town, and is a growing city.



http://in.news.yahoo.com/32/20081126/1053/tnl-aligarh-police-crack-cyber-crime.html?printer=1

HT
Wed, Nov 26 02:05 AM

THE ALIGARH police have cracked the case of cyber crime clipping on the google and youtube websites under the title 'Save Aligarh Save Aligarh', propagating employment of child labourers for manufacturing of hardware and locks in five biggest export players homes, including prominent exporter Prashant Enterprises, in Aligarh. On the basis of an FIR lodged by Managing Director of Prashant Enterprises, Aligarh, Ramesh Chand Singhal charging the google clip - which propagated the name of his export home - with mischief by showing Prashant Enterprises using child labourers in its video clip, the Aligarh police raided the office of one news channel based in Sector 6, Noida and arrested Ram Nagina Yadav, an Information technical head of the news channel and detained its other two employees Rudra Pratap and Gaurav Garg for interrogation in the matter. Superintendent of Police (City) Man Singh Chauhan told HT that Singhal had lodged the FIR on October 20 under IT Act that some unidentified person had uploaded a video clipping showing child labourers were working in his unit and that the video clip was being posted on google.com and brought to the notice of major importers of the Western countries with whom Prashant Enterprises has export ties. Singhal stated in his FIR that the said clip was fabricated to defame his concern at the national and international levels due to which Prashant Enterprise had not only suffered a substantial loss in its export business but it also received threats, Chauhan added. He further said during the investigation, the police also cracked the e-mail identity which had uploaded the said video clip on Google website. This exposed that the clip was uploaded by the office of a news channel situated in Sector 6 in Noida, he said. Thereafter, the Aligarh police raided the office of the news channel on Sunday, he said.
Chauhan further added during the interrogation the three employees of the channel disclosed that their employer Surendra Gupta and his sons Abhishek and Sunil Gupta had directed them to upload the clip on the google website through Rudra Pratap's e-mail address. Efforts are on to nab Surendra Gupta and his sons, who also run an export business, he added. Meanwhile, the news channel's owner Surendra Gupta told journalists here over phone that he had received this video clip from one television reporter of Aligarh but he refused to telecast the video clip, as his channel was not functioning in Aligarh. "I have no knowledge as to who had uploaded this video clip on the internet," he said.

Tuesday, November 11, 2008

Compliance is the fuel for InfoSec initiatives?

The law is a strong whip to crack when you need to get people in line, and the need to comply with both the law of the land where you are from and the law of the land where you work increases the stress levels of individuals and organizations.

It is a known fact that IT, IS, governance and IT risk management are always short-changed in terms of funding. However, it is also known that compliance requirements are disposed of with no thought of expense. Consider the billions spent on SOX compliance, a substantial part of which could have been saved if these very corporations had had a semblance of security / governance / risk management best practices in place!!

But no! They all had to build it from scratch, and in doing so they spent millions, nay, billions.

Having spent this money, they sat back and waited for the next compliance need, since the 'SOX project' was over. Well, we now see that they did not learn anything from SOXing their corporations, since everything was done just for the sake of doing it and not in the spirit. Otherwise they would have discovered that the banking system was rotten within and would not survive another few years.

Dear reader, you know all about Enron and WorldCom. Well, they just screwed a few pension funds and a few thousand employees. They did not bring the financial system to collapse point. They did not bring G-8 and G-x government heads together to pump billions into the system. Their collapse did not bring about a global meltdown. Their collapse did not screw investors worldwide; it did not butcher governments, trade, manufacturing, support, etc., etc.

I think a few thousand billions have already been poured into this black hole and they are still crying for more.

Well, coming back to compliance: it is time to take advantage of this whip and turn the whiplash into a pat on the back. Time to move ahead of the pack, turn this "requirement" into a strength and extract a pound for every penny spent.

Welcome to the thought of Unified Compliance or Integrated Compliance or whatever you may call it.

I made a presentation at ICAI in India, and at iSAFE in Dubai last month, in October. Follow the link to download these, if you are interested.