Developing national cybersecurity architecture

India developing national cybersecurity architecture

India is in the midst of developing and implementing a national cybersecurity architecture that is aimed at preventing sabotage and espionage of its core IT systems and networks.
In a report Monday, the Economic Times said that the system will protect critical information infrastructure and networks by monitoring activities, while designated government agencies will offer certification to vendors and service providers to provide additional safety measures.
"It will also involve capacity and authority for operations in cyberspace," said Shivshankar Menon, national security advisor for India, in the report.
"The goal is to prevent sabotage, espionage, and other forms of cyber attacks that could hurt us," he added.
Menon said that the National Security Council has approved the architecture in principle, and implementation details are being worked out with the ministries and agencies. Following this, it will take its proposal to the Cabinet for approval.
The creation of such a cybersecurity system follows the announcement of a five-year roadmap by the Indian government to revamp its online security apparatus for critical sectors in the country and meet the growing challenges of Web-based attacks.

Summary: The nationwide system will be designed to protect core IT installations and networks from sabotage and espionage.



Student expelled for helping find security flaws at university


Ahmed Al-Khabaz, who was studying computer science at Dawson College, discovered that the student software managing their college accounts had a significant flaw that could allow any user to retrieve students' personal information, according to the National Post.
Al-Khabaz brought the issue up with the college, which thanked him and the fellow student who discovered the flaw with him, and was told that the college would work with the creator of the software, Skytech, to ensure it was fixed. The software in question — Omnivox — is also in use at a number of other universities.
When Al-Khabaz tested the system two days later, he received a phone call from Skytech President Edouard Taza, who, according to Al-Khabaz's account of the incident, threatened to have him arrested unless he signed a non-disclosure agreement, which, in addition to preventing him from discussing the issue, also prevented him from disclosing that such an agreement even existed.
Al-Khabaz had used a toolkit called Acunetix to test whether the flaw still existed. It typically tests for common vulnerabilities, such as cross-site scripting flaws or cases where a developer has failed to protect against SQL injection attacks. Many of the tests can simply be attempted manually, but probing web applications falls into a relatively grey area, legally and ethically.
Despite Al-Khabaz signing the non-disclosure agreement, the university moved to expel him and zeroed his grades, ruining his chances of applying at another university.
Al-Khabaz's appeals to the university have been denied.
Dawson Student Union has now set up a site petitioning the university to recognise that Al-Khabaz's intents were not malicious and to have his expulsion overturned. It has already received about 5,000 signatures, while Al-Khabaz has received seven job offers.
According to CBC News and the student union's petition website, Al-Khabaz has also received a scholarship and part-time job offer from Skytech itself.
At the time of writing, Skytech's website was unavailable.
The incident echoes that of Australian security researcher Patrick Webster, who, similar to Al-Khabaz, discovered a flaw in First State Super's site, informed them, but was later questioned by local police. The investigation was later dropped once the story hit the media, and the Privacy Commissioner's investigation, which found First State Super to be in breach of the Privacy Act, later noted that the NSW Police and First State Super had stopped pursuing Webster.
Such incidents have led well-intentioned researchers to either not report vulnerabilities as they find them, or take pre-emptive action to obtain a lawyer before informing the vulnerable organisation.

Summary: A student at a Montreal university has been expelled and had his grades zeroed after he discovered and reported a flaw in the software that is responsible for holding students' personal information.
