Monday, September 1, 2008

Cyber Crime Updates

REVISIT : Unsecured wi-fi used again to send terror e-mail

Ankur Goyal and CRPCC Team

25 August 2008

Terrorists sent another terror e-mail to a media house in Mumbai on Saturday 23 August 2008 at 7:05 pm. The Anti-Terror Squad (ATS) of Mumbai Police has traced the e-mail to Matunga's Khalsa College. Further investigation revealed that it was sent through the college's unsecured wi-fi router. The router is installed in the college computer center, and its signal reaches across the busy junction of four educational institutes: Don Bosco, IICT (UDCT), VJTI and Khalsa College.

Preliminary investigations suggest that the terrorists went wardriving to find an open wi-fi connection and either discovered or already knew that the router was still on its default settings, meaning that the default administrative log-in and password had not been changed. These default settings are easily available to technologists.

The terrorists created the e-mail ID just 6 minutes before the e-mail, which carried an attachment, was sent.

Further, the terrorists also deleted the log entries of the wi-fi connection.

“The logs have been remotely accessed. Once they finished making the email ID and sending it, they deleted their entries. So in this case, though the logs were not disabled, things look difficult as everything is deleted,” said an ATS official. The router and some computers were seized by the ATS for forensic probes.

The terror e-mail was sent from alarbi.alhindi@gmail.com by senders claiming to be members of the Indian Mujahideen.

The mail shows the photos of cars stolen from Navi Mumbai for terror activities.

The mail is full of sarcastic remarks about the investigations into earlier e-mails, nicknaming the Intelligence Bureau the “Ignorance Bureau” and forensic experts “foren-sick”. The seven-page mail, with the attachment ‘haha.pdf’, is titled ‘Mood for Destruction’. It says those named as masterminds of the Ahmedabad blasts are “innocent brothers”.

The e-mail states that their ideology is supported by people who are technologically far superior.

The seven-page mail concludes, without explanation, with gratitude to “Ken Haywood and associates”.


CHALLENGE : Robust Russian GOST Crypto Standard attacked

European cryptologists attack hash functions

Christian Rechberger

21 August 2008


Progress in attacking hash functions was presented by cryptologists at Crypto 2008. They explained their attack on the Russian GOST hash standard – usage of GOST is mandatory in Russian government offices. They also demonstrated the first practical inversion attack against reduced variants of SHA-1, which could be used to back-calculate a password from its hash.

The GOST hash function was established as part of the GOST standard at around the same time SHA-1 was established in 1995 and until now has been considered very secure. Russian information security standards, like their aerospace standards, are very conservatively designed.

But now an Austrian/Polish team of cryptologists at the Graz University of Technology and the Military University of Technology in Warsaw have found an unexpected technical vulnerability and exploited it for an attack. The result is a collision attack that is 2^23 times faster than expected. A collision attack is one where the attacker finds two arbitrary messages that generate the same hash.

By comparison, the first successful collision attack against SHA-1, in 2005, was faster than expected by a factor of 2^11: 2^69 operations instead of 2^80. No meaningful attacks on the GOST hash function can be expected yet, though. The 256-bit output value means that 2^105 operations are still necessary – considerably more than can currently be realistically performed.

All of the known attacks in recent years against hash functions, such as SHA-1 and now the GOST hash function, have been collision attacks. But these attacks are mainly relevant to signature applications where the attacker has access to the document before the signature is calculated. In that scenario, it is not possible to change the document after signature calculation and preserve the validity of the signature. Many other applications of hash functions, like secure password storage, are not affected, which is why the US standards organisation NIST, for instance, continues to recommend the SHA-1 hash function for those applications.

At Crypto, researchers from the Graz University of Technology and the ENS Paris presented, for the first time, approaches to attacking SHA-1, which do affect the wider set of hash function applications. These are attacks that allow a password to be determined when only its SHA-1 hash value is known, or that permit signed documents to be changed after the signature has already been generated. The attacks work for reduced round versions of SHA-1 up to a maximum of 45 of the 80 rounds, which is comparable to collision attacks on SHA-1 four years ago, when theoretical attacks of up to 53 rounds were possible. It does not appear, at this time, that these attacks can be extended to the full 80 rounds. There is another parallel to the earlier attacks though; these new inversion attacks, as was the case with the early collision attacks before 2004, have many unused degrees of freedom. The latest collision attacks – after 2007 – now exploit all of the available degrees of freedom.
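The difference between the collision attacks and the inversion (preimage) attacks described above, shown as an added example that is not part of the original article. SHA-1 is truncated to 16 bits so that both generic searches finish quickly; the function names, the truncation and the sample inputs are assumptions made for illustration, and the last function reproduces the article's 2^69 and 2^105 figures from the birthday bound.

```python
import hashlib
from itertools import count

def toy_hash(msg: bytes, bits: int) -> int:
    """SHA-1 truncated to its top `bits` bits (toy stand-in for an n-bit hash)."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") >> (160 - bits)

def find_collision(bits: int):
    """Collision attack: any two distinct messages with the same hash.
    Generic cost is about 2^(bits/2) hash calls (birthday bound)."""
    seen = {}
    for calls in count(1):
        msg = b"doc-%d" % calls
        value = toy_hash(msg, bits)
        if value in seen:
            return seen[value], msg, calls
        seen[value] = msg

def find_preimage(target: int, bits: int):
    """Inversion (preimage) attack: a message matching one given hash value.
    Generic cost is about 2^bits hash calls. The message found need not be
    the original input; it only has to produce the same hash."""
    for calls in count(1):
        msg = b"guess-%d" % calls
        if toy_hash(msg, bits) == target:
            return msg, calls

def collision_cost_log2(output_bits: int, speedup_log2: int) -> int:
    """log2 of the work left when an attack beats the birthday bound."""
    return output_bits // 2 - speedup_log2

if __name__ == "__main__":
    BITS = 16  # constructed toy size, far below any real hash output
    a, b, c_calls = find_collision(BITS)
    print(f"collision after {c_calls} calls: {a!r} / {b!r}")
    stored = toy_hash(b"constructed-password", BITS)  # only the hash is known
    m, p_calls = find_preimage(stored, BITS)
    print(f"preimage after {p_calls} calls: {m!r}")
    print("SHA-1 collision work: 2^%d" % collision_cost_log2(160, 11))
    print("GOST collision work:  2^%d" % collision_cost_log2(256, 23))
```

The collision search is free to pick both messages, which is why it needs roughly the square root of the work of the preimage search, and why a collision result alone does not threaten stored password hashes.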

Even if many of the current attacks are still theoretical in nature, we have to remember that the analysis of cryptographic hash functions is still far from adequately researched and that new breakthroughs in the future cannot be ruled out. With entries being accepted, till October 2008, for the upcoming competition to select the new SHA-3 hash standard for 2012, it is even more important to favour hash functions with effective security arguments, which is not the case with SHA-1 or the GOST hash function.


PANIC : Germany hit by data protection scare

Dan Raywood

August 20 2008


German data protection officials have called for privacy laws to be tightened.

The call follows a scandal over the illegal sale of personal data, in which officials claimed that they could buy six million items online. These included bank account details and phone numbers and were set to cost only €850.

This follows a data protection office in north Germany claiming that it had received CDs containing thousands of personal data items, including bank account details, dates of birth and addresses, collected by a call centre.

Head of the office, Thilo Weichert, told Germany's Sueddeutsche Zeitung newspaper that up to 20 million pieces of data from people's bank accounts had been sold on to third parties. He said: “The sale of bank account data is just as illegal as unsolicited telephone marketing - so-called ‘cold calling’. Lawmakers can do more to protect consumers. The transfer of data for marketing purposes should be made universally conditional on the customer's approval.”

He said that firms that discover illegal use of customers' data should be obliged to inform the affected customers.


IGNOMINY : Thousands of criminal files lost in data fiasco

Sean O’Neill and Richard Ford

The Times, UK

August 22, 2008


Confidential records and sensitive intelligence on tens of thousands of the country’s most prolific criminals have been lost in a major breach of data security at the heart of Whitehall.

Scotland Yard is investigating the loss of the information, which was taken from the Police National Computer and entrusted by the Home Office to a private consultancy firm.

The data had been encrypted for security reasons but was decoded by staff at PA Consulting Group and placed on a computer memory stick that was subsequently lost. The device contains personal details and intelligence on 33,000 serious offenders, dossiers on 10,000 “priority criminals” and the names and dates of birth of all 84,000 prisoners in England and Wales. There is also information on an unspecified number of people enlisted on drug intervention programmes.

The disappearance of such a massive amount of secret information has widespread implications. Police informants could be at risk of reprisals. Named offenders may seek rehousing or police protection from vigilantes, and individuals who believe that their personal data has been compromised could seek compensation.

Jacqui Smith, the Home Secretary, was informed on Tuesday and was said to have been furious. The loss is a major setback for her efforts to reform a department described by her predecessor John Reid as “not fit for purpose”. The police were contacted yesterday and detectives from the Serious Economic Crime Command at Scotland Yard began conducting searches, viewing CCTV material and interviewing potential witnesses.

Ministers had promised to tighten security controls. The latest loss is particularly embarrassing because the data originated at the Home Office’s headquarters, where Ms Smith, her ministers and their senior officials work.

David Ruffley, the Shadow Minister for Police Reform, said: “This shambles proves that this accident-prone Home Secretary hasn’t even got a grip of what goes on in her own building.” He said that it would be outrageous if criminals were able to claim compensation as a result.

The information from the secure police computer had been collated as part of JTRack, a programme to track persistent and prolific offenders through the criminal justice system. Access is supposed to be limited to police forces, crime reduction partnerships and other official bodies. PA Consulting, which helped to develop the national ID card scheme, was brought in to work on the project last year.

A Home Office spokesman said: “We have been made aware of a serious breach of security at the offices of external contractors. A full search has been conducted and both the police and Information Commissioner have been informed.”

A spokesman for Scotland Yard said that it had been asked to review the circumstances of the loss. He added that there was no evidence that any offence had been committed.

David Smith, the Deputy Information Commissioner, said: “It is deeply worrying that after a number of major data losses and two government reports on high-profile breaches of the Data Protection Act more personal information has been reported lost. It is vital that sensitive information is held securely at all times.”

No one at PA Consulting, which reported the loss of the memory stick to the Home Office on Monday, was available to comment.


New IT Term of the day

rogue access point

A rogue access point, also called rogue AP, is any Wi-Fi access point that is installed on a network but is not authorized for operation on that network, and is not under the management of the network administrator. Rogue access points often do not conform to wireless LAN (WLAN) security policies, and additionally can allow anyone with a Wi-Fi device to connect to your network.

A rogue access point is one of two categories of rogue wireless devices, with the other being rogue peers.


Quote of the day

Peace is filled with pure thoughts, pure feelings and pure wishes. When the energy of thought, word and action is balanced and stable, the individual is at peace with the self, in relationships and with the world.
