
IT Management and Cyber Security

Rajnish Kumar
Professor Information Technology
National Academy of Indian Railways

Structure of Lecture
- Overview of major IT projects in IR
- Introduction to IT Act 2000
- Being secure in cyber space

CRIS
Centre for Railway Information System, New Delhi. http://cris.org.in/CRIS/Home/Home

It is an Autonomous Organization under the Ministry of Railways. It develops and manages the Information Technology applications of the Indian Railways. CRIS also provides IT applications for non-Railway Government and Public Sector organizations.

Main Projects with CRIS


- Unreserved Ticketing System
- Control Office Application
- Freight Operations Information System
- Integrated Coach Management System
- National Train Enquiry System
- Passenger Reservation System
- Software Aided Train Scheduling
http://cris.org.in/CRIS/Projects/UTS

Other Projects with CRIS


- Passenger Reservation System
- Unreserved Ticketing System
- PRS Data Warehouse
- Hand Held Terminal Project for TTEs
- Indian Railway Web Portal
- Freight Operations Information System
- Control Office Application
- Crew Management System
- Integrated Coaching Management System
- E-Procurement System
- Freight Maintenance Management
- Locoshed Management System
- Workshop Information System
- ICF ERP Project
- Track Management System
- SATSaNG
- Rates Branch System
- Web Enabled Claims and Refunds
- Enhanced Coaching Refund System
- SMS Gateway for Indian Railway
- Parcel Management System
- Real Time Train Information System
- RPF Security Management System

Other Projects with CRIS


- Indian Railways Projects Sanctions & Management
- Accounting Information Management System
- Geographical Information System
- Automatic Wagon Identification using RFID
- Railway Officers Information System
- Electrical Energy Management System
- Reference And File Management System
- CMS for OSD/PRI
- Integrated ICT System at RWP/BELA
- Implementation of Network Security Infrastructure at PRS/UTS Data Centers, RIDC at CRIS, Chanakyapuri
- IPSEC over UTN
- Information Security
- CRIS Financial Accounting System
- Computerised Resource Management System
- Comprehensive Payroll Processing System
- Employee Self Service

AFRES & PRIME


AFRES: Advance Finance Railway Earning & Expenditure System
PRIME: Pay Roll and Independent Modules

All the modules of PRIME and AFRES, such as Pay Roll, leave account, internal check, PF, Pension, Cheque generation, Cash Book, RAR & Account Current, have been implemented in HQs. Other modules, such as Seniority, Bio data, Loans and advances, are being implemented.
Cash and Pay module

UTS - UNRESERVED TICKETING SYSTEM


Twenty million passengers travel daily on Indian Railways using the unreserved journey facility. Today more than ninety percent of the unreserved tickets are sold through this system.

The ability of the system to deliver ticketing at remote corners of the country and provide uninterrupted services everywhere has been lauded by the Government of India, and the project, along with the CRIS team responsible for its initial design and implementation, won the Prime Minister's Award for Excellence in Public Administration.

SATSaNG: Software Aided Train Scheduling


Creating a time table for trains on a busy network like the Indian Railways is an extremely challenging task. Planners on the Zonal Railways work independently and then collaboratively with other Zonal level planners to design the All India time table. The two main objectives are that it should be convenient to the passenger and feasible to run on the system. Introducing new train services and augmenting older ones is an art and a select group of planners are highly skilled in this task.
- Fixed Infrastructure Resources Module (FIRM)
- Rolling Assets Module (RoAM)
- Scheduling Module for Allocation of Resources to Trains (SMART)
- Capacity Module

Application deployed on all Zonal Railways for Data Entry of Infrastructure Data (Phase-I). Development of forms for Phase-II is in progress.

IREPS: IR Electronic Procurement System


http://www.ireps.gov.in/cgi-bin/ireps/ireps/home.do
Implementation of the E-Procurement System on all 16 Zonal Railways, 7 Production Units (viz. RCF, ICF, DLW, CLW, DMW, RWF and RCF/RBL) and RDSO, RAILTEL, CORE/ALD and Metro Railway, Kolkata has been completed. So far 4.07 lakh tenders have been uploaded by different Railways. More than 17,142 vendors have been registered on the system. The E-Auction module software has been implemented in CR, ER, ECR, ECoR, NR, NCR, NER, NFR, NWR, SR, SCR, SER, SECR, SWR, WR and WCR, including 4 PUs: RCF, ICF, DLW and RWF.

Some good applications

RAIL RADAR
http://railradar.trainenquiry.com/
All trains on a Google map; works on Android smart phones.

Train enquiry
http://www.trainenquiry.com/searchtrain.aspx
Mobile apps
Erail.in: PNR status with maps, by Vedanth Lath

Next session: IT Act

Information Technology Act 2000: An overview

Do you recognise this photo?

Shaheen Dhadha and her friend Renu Srinivas were detained over a Facebook comment on a leader's funeral.

Cyberspace: Issues at the forefront


With the advent of the internet, and the transmission of information and transacting of business across borders, various issues related to cyberspace have cropped up on the legal front. Following are some major issues:
i. Jurisdiction
ii. Cyber Crime
iii. Intellectual Property
iv. Cyber Forensic
v. E-commerce
vi. Electronic Evidence
vii. Privacy
viii. Contract

IT Act, 2000
Enacted on 17th May 2000; India is the 12th nation in the world to adopt cyber laws. The IT Act is based on the Model Law on E-commerce adopted by UNCITRAL (United Nations Commission on International Trade Law).

IT Act, 2000 - MOTTO

Creating Trust in Electronic Environment

Objectives of the IT Act


To provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce"

To facilitate electronic filing of documents with Government agencies and E-Payments


To amend the Indian Penal Code, the Indian Evidence Act, 1872, the Bankers' Books Evidence Act, 1891, and the Reserve Bank of India Act, 1934

Extent of application
Extends to the whole of India and also applies to any offence or contravention thereunder committed outside India by any person {Section 1(2)}, read with Section 75: the Act applies to an offence or contravention committed outside India by any person irrespective of his nationality, if such act involves a computer, computer system or network located in India.

Electronic World
An electronic document is produced by a computer, stored in digital form, and cannot be perceived without using a computer.

- It can be deleted, modified and rewritten without leaving a mark
- The integrity of an electronic document is inherently impossible to verify
- A copy is indistinguishable from the original
- It can't be sealed in the traditional way, where the author affixes his signature

The functions of identification, declaration and proof of electronic documents are carried out using a digital signature based on cryptography.

Electronic World
Digital signatures are created and verified using cryptography: a public key system based on asymmetric keys. An algorithm generates two different and related keys:
- Public key
- Private key

The private key is used to digitally sign; the public key is used to verify. (This is a complex subject; we will not focus on it in this lecture.)

Electronic World: Role of the Government


The Government has to define the structure of the Public Key Infrastructure: the number of levels of authority and their juridical form (public or private certification), and which authorities are allowed to issue key pairs.

Section 3: Defines Digital Signatures


- The authentication is to be effected by use of an asymmetric crypto system and hash function
- The private key and the public key are unique to the subscriber and constitute a functioning key pair
- Verification of the electronic record is possible
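The sign-then-verify flow described on the Electronic World slides and defined in Section 3, as an added example that is not part of the original lecture: the record is reduced to a SHA-256 digest, the digest is signed with an RSA private key, and verification with the public key succeeds for the record and for any exact copy of it, but fails after a single-bit change or with a signature from a different key pair. The tender text is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// SignRecord follows the Section 3 pattern "asymmetric crypto system and
// hash function": the electronic record is hashed with SHA-256 and the
// digest is signed with the subscriber's private key (RSA PKCS#1 v1.5).
func SignRecord(priv *rsa.PrivateKey, record []byte) ([]byte, error) {
	digest := sha256.Sum256(record)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyRecord is what a relying party runs with only the public key: it
// recomputes the digest of the record it actually received and checks that
// the signature was made over that digest by the matching private key.
func VerifyRecord(pub *rsa.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Tamper returns a copy of record with one bit flipped in its first byte,
// standing in for the "modified without leaving a mark" case on the slide.
func Tamper(record []byte) []byte {
	t := append([]byte(nil), record...)
	t[0] ^= 0x01
	return t
}

func main() {
	// Key pair of the signing subscriber (2048-bit RSA for the demo).
	subscriber, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample record; any electronic record works the same way.
	record := []byte("Tender ABC-0001 (sample): quoted rate Rs. 1,00,000; valid till 31-12-2013")

	sig, err := SignRecord(subscriber, record)
	if err != nil {
		log.Fatal(err)
	}
	pub := &subscriber.PublicKey

	// 1. The signed record verifies.
	fmt.Println("original verifies:  ", VerifyRecord(pub, record, sig))
	// 2. A byte-for-byte copy is indistinguishable from the original, so it verifies too.
	copyOfRecord := append([]byte(nil), record...)
	fmt.Println("exact copy verifies:", VerifyRecord(pub, copyOfRecord, sig))
	// 3. One flipped bit changes the digest, so the old signature no longer matches.
	fmt.Println("tampered verifies:  ", VerifyRecord(pub, Tamper(record), sig))
	// 4. A signature made with some other key pair is rejected by the subscriber's public key.
	impostor, _ := rsa.GenerateKey(rand.Reader, 2048)
	forged, _ := SignRecord(impostor, record)
	fmt.Println("forged verifies:    ", VerifyRecord(pub, record, forged))
}
```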

Section 4: Legal recognition of Electronic Records


If any information is required in printed or written form under any law, the information provided in electronic form, which is accessible so as to be usable for subsequent reference, shall be deemed to satisfy the requirement of presenting the document in written or printed form.

Sections 5, 6 & 7
- Legal recognition of Digital Signatures
- Use of Electronic Records in Government and its Agencies
- Publication of rules and regulations in the Electronic Gazette
- Retention of Electronic Records: accessibility of information, same format, particulars of dispatch, origin, destination, time stamp, etc.

Regulation of Certifying Authorities [Chapter IV]


The Central Government may appoint a Controller of Certifying Authority who shall exercise supervision over the activities of Certifying Authorities. Certifying Authority means a person who has been granted a licence to issue a Digital Signature Certificate. The Controller of Certifying Authority shall have powers to lay down rules, regulations, duties, responsibilities and functions of the Certifying Authority issuing Digital Signature Certificates.

Certifying Authorities in India


The Office of the Controller of Certifying Authorities (CCA) issues Certificates only to Certifying Authorities. CAs issue Digital Signature Certificates to end-users. Any one of the seven CAs can be approached for getting a Digital Signature Certificate. The website addresses are given below.
www.safescrypt.com
www.nic.in
www.idrbtca.org.in
www.tcs-ca.tcs.co.in
www.mtnltrustline.com
www.ncodesolutions.com
www.e-Mudhra.com

Civil Wrongs under IT Act


Chapter IX of IT Act, Section 43: Whoever, without permission of the owner of the computer,
- Secures access (mere unauthorised access; not necessarily through a network)
- Downloads, copies, extracts any data
- Introduces or causes to be introduced any viruses or contaminant
- Damages or causes to be damaged any computer resource (destroys, alters, deletes, adds, modifies or rearranges; changes the format of a file)
- Disrupts or causes disruption of any computer resource (preventing normal continuance of the computer)

Civil Wrongs under IT Act (Contd.)


- Denies or causes denial of access by any means (denial of service attacks)
- Assists any person to do any thing above (rogue websites, search engines, insiders providing vulnerabilities)
- Charges the services availed by a person to the account of another person by tampering with or manipulating any computer resource (credit card frauds, Internet time thefts)
Liable to pay damages not exceeding Rs. one crore to the affected party.
Investigation by the Adjudicating Officer, who has the powers of a civil court.

Data diddling: changing data prior to or during input into a computer

Section 66 and 43(d) of the I.T. Act cover the offence of data diddling. Penalty: not exceeding Rs. 1 crore.

Case in point: NDMC Electricity Billing Fraud Case. A private contractor who was to deal with receipt and accounting of electricity bills for the NDMC, Delhi (collection of money, computerized accounting, record maintenance and remittance to its bank) misappropriated a huge amount of funds by manipulating data files to show lower receipts and bank remittances.

Adjudication and Cyber Appellate Tribunal - Sections 46 and thereafter


http://catindia.gov.in/
The Central Government may appoint any officer not below the rank of a Director to the Government of India or a State Government as the adjudicator. The I.T. Secretary in any state is normally the nominated Adjudicator for all civil offences arising out of data thefts and resultant losses in that state.

Needs to be popularized

Section 46 IT Act
Section 46 of the IT Act states that an adjudicating officer shall adjudge whether a person has committed a contravention of any of the provisions of the said Act, by holding an inquiry. All proceedings before him are deemed to be judicial proceedings, and every Adjudicating Officer has all the powers conferred on civil courts. Appeal lies to the Cyber Appellate Tribunal from a decision of the Controller or the Adjudicating Officer {Section 57, IT Act}.

Section 47, IT Act


Section 47 of the Act lays down that while adjudging the quantum of compensation under this Act, the adjudicating officer shall have due regard to the following factors, namely-

(a) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
(b) the amount of loss caused to any person as a result of the default;
(c) the repetitive nature of the default.

Cybercrime provisions under IT Act, 2000


Offences & Relevant Sections under IT Act

- Tampering with computer source documents: Sec. 65
- Hacking with computer systems, data alteration: Sec. 66 (modified by amendment in 2008, discussed at length later)
- Publishing obscene information: Sec. 67
- Unauthorized access to protected system: Sec. 70
- Breach of confidentiality and privacy: Sec. 72
- Publishing false digital signature certificates: Sec. 73

Contd..
Types of Cyber Crime

| Cyber Crime | Brief Description | Relevant Section in IT Act | Punishment |
|---|---|---|---|
| Cyber Stalking | Stealthily following a person, tracking his internet chats | 43, 65, 66 | 3 years, or with fine up to 2 lakh |
| Cyber Pornography including child pornography | Publishing obscene material in electronic form involving children | 67, 67(2) | 10 years and with fine which may extend to 10 lakh |
| Intellectual Property Crimes | Source code tampering, piracy, copyright infringement etc. | 65 | 3 years, or with fine up to 2 lakh |
| Cyber Terrorism | Protection against cyber terrorism | 69 | Imprisonment for a term which may extend to 7 years |
| Cyber Hacking | Destruction, deletion, alteration, etc. in a computer resource | 66 | 3 years, or with fine up to 2 lakh |
| Phishing | Bank financial frauds in electronic banking | 43, 65, 66 | 3 years, or with fine up to 2 lakh |
| Privacy | Unauthorised access to computer | 43, 66, 67, 69, 72 | |

Cognizability and Bailability


Not mentioned in the Act
- Rely on Part II of Schedule I of CrPC

- If punishable with death, imprisonment for life or imprisonment for more than 7 years: Cognizable, Non-Bailable, Court of Session
- If punishable with imprisonment for 3 years and upwards but not more than 7 years: Cognizable, Non-Bailable, Magistrate of First Class
- If punishable with imprisonment of less than 3 years: Non-Cognizable, Bailable, Any Magistrate (or Controller of CAs)

Amendments: Indian Evidence Act 1872


Section 3 of the Evidence Act was amended to take care of the admissibility of Electronic Records (ER) as evidence, along with paper-based records, as part of the documents which can be produced before the court for inspection.

- Extends to the whole of India (Section 1)
- Authentication of electronic records (Section 3)
- Legal framework for affixing a digital signature by use of an asymmetric crypto system and hash function (Section 3)
- Legal recognition of electronic records (Section 4)
- Legal recognition of digital signatures (Section 5)

Data Protection (Sections 43 & 66).

- Various types of computer crimes defined and stringent penalties provided under the Act (Section 43 and Sections 66, 67, 72)
- Establishment of the Cyber Appellate Tribunal under the Act (Sections 48-56)
- Appeal from an order of the Adjudicating Officer lies to the Cyber Appellate Tribunal and not to any Civil Court (Section 57)
- Appeal from an order of the Cyber Appellate Tribunal lies to the High Court (Section 62)
- New Section to address technology neutrality, moving from the present technology-specific form (Digital Signature) to Electronic Signature: Section 3A
- New Section to address promotion of e-Governance and other IT applications: (a) delivery of service, (b) outsourcing, public-private partnership: Section 6A
- New Section to address electronic contracts: Section 10A
- New Section to address data protection and privacy: Section 43

- Body corporate to implement best security practices: Sections 43A & 72A

- New Section giving power to the Indian Computer Emergency Response Team (CERT-In) to call for and analyse information relating to breaches in cyber space and cyber security: Section 70B
- Revision of existing Section 79 to prescribe the liabilities of service providers in certain cases and to empower the Central Government to prescribe guidelines to be observed by service providers when providing services; it also regulates cyber cafes: Section 79
- New Section for Examiner of Digital Evidence: Section 79A
- New Section giving power to prescribe modes of encryption: Section 84A
- Punishment for most offences was reduced from three years to two years

66A. Punishment for sending offensive messages through communication service, etc.
Any person who sends, by means of a computer resource or a communication device,
(a) any information that is grossly offensive or has menacing character; or
(b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device,
(c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages,
shall be punishable with imprisonment for a term which may extend to three years and with fine.

Read Pavan Duggal's (an advocate at the Supreme Court of India) article in Business Standard: http://www.business-standard.com/article/economy-policy/-b-pavan-duggal-bsection-66a-of-it-act-your-friend-or-foe-112112800134_1.html

When you send an offensive message, or otherwise, either by means of a Computer, Computer System or Computer Network, or using a Mobile Phone, Smart Phone, iPhone, iPad, Tablet, Smart Device, Personal Digital Assistant, BlackBerry or any other communication device, you could be covered under Section 66A of the amended Indian Information Technology Act, 2000.

PIL in Supreme Court


"the phraseology of Section 66A of the IT Act, 2000 is so wide and vague and incapable of being judged on objective standards, that it is susceptible to wanton abuse and hence falls foul of Article 14, 19(1)(a) and Article 21 of the Constitution." The PIL has sought the issue of guidelines, by the apex court, to "reconcile Sections 41 and 156(1) of the Criminal Procedure Code with Article 19(1)(a) of the Constitution", and that offences under the Indian Penal Code and any other legislation, if they involve the freedom of speech and expression, be treated as non-cognizable offences for the purposes of Section 41 and Section 156(1).

Section 41 of the CrPC empowers the police to arrest any person without an order from the magistrate and without a warrant in the event that the offence involved is a cognizable offence. Section 156 (1) empowers the investigation by the police into a cognizable offence without an order of a magistrate.

Guidelines

Text of guidelines, Nov 29, 2012


"... the concerned police officer or police station may not register any complaints (under Section 66(A)) unless he has obtained prior approval at the level of an officer not below the DCP rank in urban and rural areas and IG level in metros."

Care.
Till such time Section 66A is either changed, modified, varied or amended, it will be imperative that you exercise due diligence when you send information on the Internet, social media and mobile networks.

The focus of the law is not on publishing information, it is on the offence of sending information.

Is a blog "sending" or "publishing"? An open legal point.

Safe Practices for Internet Usage (Internet Safety)

What is Internet Safety?


Internet safety, or online safety, is the security of people and their information when using the Internet. Internet safety means protecting your personal information while online. Details such as your address, full name, telephone number, birth date and/or social security number can potentially be used by online criminals.
Adapted from:
- Wikipedia: http://en.wikipedia.org/wiki/Internet_safety
- eHow: http://www.ehow.com/about_6577504_definition-internet-safety.html

Personal Protection From


- Internet Predators
- Coffee-Shop Data Collectors
- Script Kiddies (what you might think of as hackers): unskilled individuals who use scripts or programs developed by others to attack computer systems and networks and deface websites
- Viruses / Trojans / Ad-Ware
- Phishing Attempts (masquerading as a trustworthy entity while attempting to acquire sensitive information)
- Scam Artists: email scams are meant to take your money; scams on Craigslist use you to commit fraudulent activities

Coffee-Shop-Data-Collectors
- Most public wireless connections are NOT secure
- It's easy to capture your data
- Don't log into websites that reveal your sensitive credentials (email, bank account, etc.)
- Use onboard firewall software
- Lock your screen before leaving your seat
- Don't store sensitive information on your computer
- Use an encrypted VPN (Virtual Private Network)

Coffee Shop Scenario

Typical unsecured wireless connection. This is what you think you are logging into.

Man In The Middle Attack

The Man-In-The-Middle grabs and/or modifies data that is sent/received.
http://www.interlinknetworks.com/whitepapers/Link_Layer_Security.htm

VPN: Virtual Private Network

Passwords
Strong passwords: phrases, mixed case, special characters, and long:
- 5db10mw! (Slow Down Buddy I'm On My Way!)
- w@yD0wny0nd3r#% (Way Down Yonder #%)

PHISHING: Most dangerous


What does phishing mean? Phishing means sending an e-mail that falsely claims to be from a particular enterprise and asks for sensitive financial information. Phishing, thus, is an attempt to scam the user into surrendering private information that will then be used by the scammer for his own benefit. Phishing uses 'spoofed' e-mails and fraudulent Web sites that look very similar to the real ones, thus fooling the recipients into giving out their personal data. Most phishing attacks ask for credit card numbers, account usernames and passwords. According to statistics, phishers are able to convince up to five per cent of the recipients who respond to them.

A sample of a fraudulent email that can be sent to ICICIBank.com customers. It purports to be from ICICIBank.com but it is not. Its intent is to get you to enter sensitive information about your account and to then use this information to commit fraud.

To ensure a legitimate and safe sign-on, always enter www.icicibank.com in your browser.

How to avoid Phishing?


1. Do not disclose details like passwords, debit card grid values, etc. to anyone, even if they claim to be bank employees or on emails / links from government bodies like RBI, I.T. Dept., etc.
2. Type the web address in the browser. Do not use links received in emails.
3. Change your passwords from your own computer, in case you have used a cyber cafe / shared computer.
4. Register for email and mobile alerts to check your account regularly.
5. Install effective anti-virus / anti-spyware / personal firewall on your computer / mobile phone and update it regularly.
6. Do not open email attachments from strangers, as they may contain a virus / trojan which transmits keyed-in details to phishers.
7. A click on the padlock icon appearing on the web page will display the digital certificate for genuineness of the website.
8. Report the incident to the Bank / institution on the number mentioned on the Debit / Credit card, bank / credit card statement or official website.
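Points 2 and 7 above come down to one question: does the link in the mail really lead to the site whose address you would type yourself? The following is an added example, not part of the original lecture or of any bank's software: it parses an e-mail link and compares its registrable domain with the genuine address the slide tells you to type (www.icicibank.com), rejecting look-alike hosts, user-info tricks, raw IP addresses and plain-http links. The public-suffix rule is a deliberate simplification and the sample links are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// registrableDomain approximates the part of a host name its owner
// registered: the last two labels (icicibank.com), or the last three under
// two-level suffixes such as co.in / gov.in. A simplified rule for this
// demo, not the full public-suffix list.
func registrableDomain(host string) string {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	labels := strings.Split(host, ".")
	n := 2
	if len(labels) >= 3 {
		tld, sld := labels[len(labels)-1], labels[len(labels)-2]
		switch sld {
		case "co", "com", "net", "org", "gov", "ac":
			if len(tld) == 2 {
				n = 3
			}
		}
	}
	if len(labels) < n {
		return host
	}
	return strings.Join(labels[len(labels)-n:], ".")
}

// CheckLink reports whether href really leads to genuineHost (the address
// the reader would type) and, if not, why. It rejects the usual disguises:
// a look-alike prefix (www.icicibank.com.verify-login.example), user-info
// before an @ (www.icicibank.com@203.0.113.5), a raw IP address, and plain
// http, where the padlock / site certificate cannot be checked at all.
func CheckLink(href, genuineHost string) (ok bool, reason string) {
	u, err := url.Parse(strings.TrimSpace(href))
	if err != nil || u.Hostname() == "" {
		return false, "not an absolute URL"
	}
	host := u.Hostname()
	if u.User != nil {
		return false, "text before @ is user-info; real host is " + host
	}
	if net.ParseIP(host) != nil {
		return false, "link points at a raw IP address " + host
	}
	if registrableDomain(host) != registrableDomain(genuineHost) {
		return false, "real host is " + host
	}
	if u.Scheme != "https" {
		return false, "not https, so the site certificate cannot be checked"
	}
	return true, ""
}

func main() {
	// Constructed sample links of the kind seen in phishing mails.
	links := []string{
		"https://www.icicibank.com/online-safe-banking/phishing.html",
		"https://www.icicibank.com.verify-login.example/secure",
		"https://www.icicibank.com@203.0.113.5/secure",
		"http://203.0.113.5/icici/login",
		"http://www.icicibank.com/login",
	}
	for _, l := range links {
		ok, why := CheckLink(l, "www.icicibank.com")
		fmt.Printf("%-60s ok=%-5v %s\n", l, ok, why)
	}
}
```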

Identify a Phishing email

More Information About Internet Safety and Phishing


http://www.visa.ca/en/personal/securewithvisa/phishing_lg.html
http://support.apple.com/kb/HT4933
http://office.microsoft.com/en-in/outlook-help/identify-fraudulent-e-mail-and-phishing-schemes-HA001140002.aspx
http://www.icicibank.com/online-safe-banking/phishing.html
http://incometaxindia.gov.in/Phishing.asp
http://www.rbi.org.in/scripts/BS_PressReleaseDisplay.aspx?prid=26506

Remain Safe in cyberspace!!!!
