WISH YOU A HAPPY AND SECURE YEAR 2009

Friday, January 9, 2009

Unquotes of the day – ;-(

Unquotes of the day – ;-(

It was like riding a tiger, not knowing how to get off without being eaten – Ramlinga Raju (Asatyam)

While the law will take its course, this incident is particularly unfortunate as the Indian IT-BPO industry had set very high standards of ethics and corporate governance. - NASSCOM

(Congratulations. We are sure that these standards are not only set but also properly documented, implemented and verifiable/certifiable)

New IT Term of the day

New IT Term of the day


Tempest


Tempest originated with the U.S. military in the 1960s as the name of a classified study of the security of telecommunications devices that emit electromagnetic radiation (EMR). Every electronic, electro-optical or electromechanical device gives off some type of electromagnetic signals, whether or not the device was designed to be a transmitter. This is why the use of cellular phones is not permitted on airplanes - their unintentional signals can interfere with navigational equipment. The EMR that "leaks" from devices can be intercepted and, using the proper equipment, reconstructed on a different device. The U.S. government began studying this phenomenon in order to prevent breaches in military security, but today the term has made its way into popular culture because of the proliferation of pervasive computing.

The EMR that is emitted by devices contains the information that the device is displaying or storing or transmitting. With equipment designed to intercept and reconstruct the data, it is possible to steal information from unsuspecting users by capturing the EMR signals. For example, in theory someone sitting in a van outside a person's house can read the EMR that is emanating from the user's laptop computer inside the house and reconstruct the information from the user's monitor on a different device. Different devices have different levels of susceptibility to Tempest radiation, and more and more devices are being created that shield the EMR from leaking from the device. The distance at which emanations can be monitored depends on whether or not there are conductive media such as power lines, water pipes or even metal cabinets in the area that will carry the signals further away from the original source.

While the name Tempest was the code name for the military operations in the 1960s, at a later stage the word became an acronym for Telecommunications Electronics Material Protected from Emanating Spurious Transmissions and an abbreviation of Transient Electromagnetic Pulse Emanation Standard.

The dark side of the flash drive

DANGER : The dark side of the flash drive

By Mark Ward

Technology correspondent, BBC News

2009/01/06

http://news.bbc.co.uk/go/pr/fr/-/2/hi/technology/7807999.stm

To most people the USB stick is a humble, innocuous device that does nothing more than help them tote around their most important files.

But to the US Department of Defense (DoD), the USB stick has a dark side - one that criminally-minded hackers are only too eager to exploit.

In late November, the US DoD imposed a temporary ban on the use of flash drives and other removable, recordable media such as CDs, DVDs and floppy disks. The ban applied to users of both the classified and unclassified networks the US military operates.

The order was sent out to help the security staff at the DoD combat the spread of a Windows worm - a self-propagating program. In this case the malicious program was a variant of the SillyFDC worm known as Agent.btz.

This lurks unseen on USB drives and only springs to life when an infected flash drive is inserted into an uninfected PC.

Once installed, the worm does not sit dormant. Instead, it downloads code from elsewhere on the net and stays in touch with its creators.

To scupper the chance that criminals could be using its network resources, the DoD slapped a ban on the use of USB sticks.

But, said Tim Ellsmore, chief executive of security firm 3ami, those restrictions could make it harder for people to get their jobs done.

"A USB drive is an important business tool for a lot of people," he said. The fact that they were cheap, portable and spacious helped an increasingly mobile workforce cope, he said.

But, he added, flash drives did represent a management headache for many companies.

Mr Ellsmore said 3ami regularly helped organisations that have tens of thousands of users who use many hundreds of flash drives every day.

Rogue devices

Few companies had any idea what was being done with those drives or any other removable media, he said.

Research by Israeli security firm Insightix showed that organisations can have large numbers of "rogue" devices joining their networks every day.

The network auditing firm said that, on average, 20% of the devices connecting to a large organisation's network could be classed as "rogue".

"Not all of the unknown devices will be bad," said Mr Arkin, "but if someone did plug one of these devices in you may not be aware of it and that could be a problem."

Unless organisations know who is connecting to their network and what they are using, said Mr Arkin, managing what they are doing is impossible.

"Knowledge is the foundation of good security," said Mr Arkin.

Chris Boyd, head of forensics at Detica, said the roominess of USB drives made them dangerous devices to leave unwatched.

"The reality is that you can easily buy a very high capacity drive that will hold an awful lot of intellectual property or government secrets," he said.

But, he acknowledged, finding the right policy for USB use was tricky. Get it wrong, he warned, and users could resist.

"If a security protocol is a hindrance rather than a help then users will try to avoid it," he said.

Despite this, he said, organisations had to get to grips with managing their networks and what people were doing on them - if only to protect themselves from unwarranted leaks.

"On a well-managed network that's policed properly, it's very difficult for members of team A to access team B's data," he said.

At the least, he said, data on USB drives should be encrypted so that if it does go astray there is not much that can be done with it.

For 3ami's Tim Ellsmore, an active policy of watching what users do on a network is the only answer.

Users, he said, should be reminded of their responsibilities and the efforts companies were making to keep data secure.

"Until you reach the stage where you can see what people in the organisation are doing, you do not have a clue," he said.

"And if you do not have a clue then how do you go about stopping bad behaviour or promoting good?"

Data Breaches up 47% in 2008; Insiders Blamed

TREND : Data Breaches up 47% in 2008; Insiders Blamed

'If I Were a Financial Institution, I'd be Nervous' : Researcher

Linda McGlasson, Managing Editor

January 7, 2009

Reported data breaches increased by nearly half in 2008, and 12 percent of the total hacks were at financial institutions - up from 7 percent in 2007.

This is the news from the Identity Theft Resource Center's (ITRC) 2008 breach report, which shows that 2008's 656 reported breaches were up 47 percent over 2007's total of 446. Seventy-eight of the breaches were at financial services companies. And the ITRC says breaches will continue expanding until more companies start taking data protection seriously.

The two most prevalent types of methods used to remove data from financial services companies are external hacking and insiders, according to Jay Foley, Executive Director at ITRC. "The most recent CSI report shows that 70 percent of hacking has been from the inside, meaning a trusted insider did it," Foley says. "If I were a financial institution, I'd be nervous."

Other data-loss methods tracked include data on the move, accidental exposure and subcontractors.

The ITRC monitors reports from five groups: business, education, government/military, health/medical and financial/credit. Over the three years the ITRC has compiled this report, the financial, banking and credit industries have remained the most proactive groups in terms of data protection.

Report Card for Banking Institutions

But despite having the best record among the five groups, financial institutions still suffer a great deal of loss. Missing laptops and backup tapes stand out as some of the more glaring areas for data loss. In looking at the entire number of breaches, only 2.4 percent of all breaches had encryption or other strong protection methods in use, and only 8.5 percent of reported breaches had minimal password protection.

"That leaves the rest that were unprotected," Foley notes. "Encryption is an extremely positive tool." If one bank encrypts its information, and the bank next door doesn't, he asks, "Where do you think the hacker will go to get data?" An additional point Foley makes is that most backup tapes or cartridges must be read on equipment that is expensive and not easily attainable to the average hacker. "If I was a bank and one of my non-encrypted backup tapes went missing, I wouldn't worry too much. An unencrypted laptop goes missing, that's a whole different matter," he says.

Foley recommends making the rewards for using encryption higher than penalties for not using it. One type of reward would be if encrypted data is stolen, an institution would not have to report it except to law enforcement and regulators. "The fact is, encryption is incredibly strong, and unless a hacker is spending a great deal of time and effort to break it, it won't be breached," he adds, cautioning that no data can be 100 percent protected.

Reputations at Risk

The financial services industry is doing three times better than businesses in protecting data, says Foley, though the industry is not immune to the trends that continue to pervade the other four groups.

Foley sees the tides are turning, with laws such as the FACTA ID Theft Red Flags rule, and companies will begin to face lawsuits because of improper data protection. "In the coming years we're going to see more and more lawyers stepping up to say 'Company X, you didn't have proper procedures in place to protect customer data,'" he predicts.

The other side pressuring change will be the consumers who have heard "for the last eight to 10 years that they need to protect their personal information. Most consumers' data is spread everywhere from the doctor's office to a mortgage loan application to an application for utility service. "A consumer at best only controls 15 percent of their personal information," Foley says. "Companies and other entities hold the other 85 percent." These companies and financial institutions need to be ready to answer the hard questions from John Q. Public when they ask "How are you protecting my data?"

Recommendations

Based on the breach reports from the past 3 years, the ITRC strongly advises all agencies and companies to:

v Minimize personnel with access to personal identifying information;

v Require all mobile data storage devices that contain identifying information to encrypt sensitive data;

v Limit the number of people who may take information out of the workplace, and set into policy safe procedures for storage and transport;

v When sending data or back-up records from one location to another, encrypt all data before it leaves the sender and create secure methods for storage of the information, whether electronic or paper;

v Properly destroy all paper documents prior to disposal. If they are in a storage unit that is relinquished, ensure that all documents are removed;

v Verify that your server and/or any PC with sensitive information are secure at all times. In addition to physical security, you must update anti-virus, spyware and malware software at least once a week and allow your software to update as necessary in between regular maintenance dates;

v Train employees on safe information handling until it becomes second nature.

Internet phone services a risk to national security – MI5

RISK : Internet phone services a risk to national security – MI5

Leo King

Computerworld UK

January 8, 2009

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9125378

Internet telephone services pose a serious threat to Britain's security, the head of MI5 said.

The danger with online calls, said spy chief Jonathan Evans, was that they do not result in telephone bills, which are key evidence documents in prosecutions. This meant it would be much easier for terrorists to make the calls and eventually escape prosecution if they are tried for criminal offenses.

In an interview with the media Wednesday, Evans, director general at MI5 since 2007, said online phone calls posed a "significant detriment to national security" by enabling terrorists to communicate with less risk.

Evans lent his support to the government's planned database of every phone call, Internet use and e-mail in the U.K., saying that it was important the security agencies could access this information.

"If we are to maintain our capability, we are going to have to make decisions [on powers to intercept communications] in the next few years," he was reported as saying in the Daily Telegraph. "Because traditional ways are unlikely to work."

He was speaking to a small audience of newspaper journalists on the centenary of MI5's creation. It was the first time in MI5's history that a serving head of MI5 had interviewed with the press.

Evans underscored that Israel's attack on Gaza could inspire further extremism and warned that the economic fallout from the global credit crunch may bring fresh security risks.

But critics contend that allowing the government to create such a "super database" raises privacy concerns as well as potential security problems over how the data would be stored.

It emerged in recent weeks that the government has been looking for a private firm to run the database.

A Career in Jihad, Interested?

CAREER : A Career in Jihad, Interested?

By Shashank Shekhar, Anshuman G Dutta

2009-01-08

http://www.mid-day.com/news/2009/jan/080109-Terrorist-organisations-hiring-Pakistani-computer-professionals-target-Indian-websites.htm

Delhi: Terrorist organisations are hiring Pakistani computer professionals to target Indian websites both government and corporate.

It is not just the big IT companies who are looking for tech-savvy youth in Pakistan. The terrorist organisations are equally interested.

Advertisements are regularly put up to attract young professionals for making a career in Jihad. Once recruited, the young minds undergo rigorous training to specifically target Indian websites both government and corporate to steal critical data, said a senior intelligence official.

"All terror groups have hired IT professionals, who are highly qualified to launch e-attacks and sabotage websites. It can not be denied that they are nurturing a new breed of cyber experts for targeting the Indian virtual space," the official added.

Attacks on Indian cyberspace from Pakistani hacker communities have increased in intensity and frequency.

"Pakistani websites feature vacancies for hackers who are capable to attack Indian websites. Considering the number and intensity of Pakistani attacks it can be ascertained that they are well-funded but we are not sure about who is behind it,"

It is learnt that students from Pakistan and Middle East are all set to launch a major attack on Indian websites.

"Lashkar-e-Hackers, which is also known as LeH, is an active group which only attacks Indian websites. They have already attacked many Indian sites and they are expected to get more aggressive,"

Such hackers leave messages for Indian hackers daring them to retaliate. PCA (Pakistan Cyber Army), KSA, Pakbugs Z-company and Zombie_ksa(pakbugscrew) are some of the most active hacker groups in Pakistan.

The cyber war between the hacker communities of the two countries is nothing new. It peaked between 1997 and 2002. From the Pakistani side, the war was led by Pakistan Hackers Club (PHC) and Gforce. These two groups were responsible for defacing hundreds of Indian websites during that period.

Wednesday, January 7, 2009

Quote of the day

Quote of the day

Nothing can bring you peace but the triumph of principles

Ralph Waldo Emerson

New IT Term of the day

New IT Term of the day


Teardrop attack


A DoS attack where fragmented packets are forged to overlap each other when the receiving host tries to reassemble them.

Cyberspace becomes battleground in Gaza conflict

CYBER-WAR : Cyberspace becomes battleground in Gaza conflict

Israel hacks Arab TV station

By John Leyden

6th January 2009

http://www.theregister.co.uk/2009/01/06/idf_al_aqsa_hack/

Israeli military forces have reportedly hacked into a Hamas-run TV station to broadcast propaganda.

The hijack of the Al-Aqsa television station last weekend represents the latest phase in a war in cyberspace that has accompanied the ongoing conflict in Gaza. Al-Aqsa is known for featuring allegedly antisemitic childrens' cartoons as part of its broadcast schedule last year.

Instead of the controversial Farfour character, audiences were treated to propaganda clips featuring the gunning down of Hamas' leadership, accompanied by a message in Arabic that "Time is running out," Israel's Channel 10. The cyberattack on Sunday followed earlier propaganda broadcasts and the bombing of Al-Aqsa's main studio by IDF planes last month.

On Saturday an Al-Aqsa broadcast was interrupted by the image of a ringing phone that was left unanswered, accompanied by an Arabic voiceover that stated "Hamas leaders are hiding and they are leaving you on the front line". Al-Aqsa radio has also been disrupted by propaganda broadcasts, Wired adds.

The conflict online that has accompanied real-world Arab-Israeli hostilities has been far from one-sided. For example, an Israeli domain registration server was hacked last week by a Moroccan hacking crew. Team Evil's assault on DomainTheNet's registration system had the effect of redirecting surfers hoping to visit ynetnews.com and Bank Discount to a webpage featuring an anti-Israeli message.

A huge upswing in hacker attacks since the conflict began last month has also been recorded, according to local reports.

Pirate copies of new Windows system leaked and downloaded

LEAK : Pirate copies of new Windows system leaked and downloaded

Dan Raywood

January 05 2009

http://www.scmagazineuk.com/Pirate-copies-of-new-Windows-system-leaked-and-downloaded/article/123489/

Fortify Software has warned against downloading and installing pirate copies of the new Microsoft operating system.

Windows 7 has been leaked onto P2P file-sharing sites and apparently been downloaded by tens of thousands of users

Rob Rochwald, Fortify's director of product marketing, claimed that the main problem with this version is that there is no way of authenticating that the early build has not been tampered with by a hacker, who may have coded all sorts of malware into the 2.44 gigabytes file.

Rochwald said that anyone hooking up a PC with the early version of Windows 7 Ultimate to the internet could find their PC generating malware, hacker and denial-of-service attacks, as well as email spam, without them being aware of it.

“And that's just for starters. It's highly unlikely that any IT security application will protect the new operating system from internally-coded malware, so the fall-out from trying an unofficial version of the new operating system could be quite severe”, he said.

Microsoft has remained tight-lipped on when the new version will be released, but has hinted that the beta version will be available next week. Some commentators have suggested however that Microsoft may release the Windows 7 beta as early as January 7, as CEO Steve Ballmer delivers a keynote that evening at the Consumer Electronics Show in Las Vegas.

Hackers Breaks into SA Banking Confidential Info.

HACKED : Hackers Breaks into SA Banking Confidential Info.

Competition body wants hackers prosecuted

Linda Ensor

BusinessDay, South Africa

06 January 2009

http://www.businessday.co.za/articles/topstories.aspx?ID=BD4A913093

CAPE TOWN — The Competition Commission has laid criminal charges against the unknown hackers who lifted the lid on highly confidential information about the South African banking system that the four big banks wanted to keep under wraps.

The charges had been laid in terms of the Electronic Communications and Transactions Act, the commission’s manager for strategy and stakeholder relations, Nandisile Mokoena, said yesterday.

The confidential information is contained in the technical report of the inquiry into the banking system undertaken by the commission.

An uncensored version of the report was posted on the Wikileaks.org website after hackers — believed to be based in SA — broke through the security measures put in place by the commission.

The banks agreed to the public release of the report only on condition that strategic and sensitive information relating to their customer profiling, profit growth, pricing strategies, cost structures and revenue from penalty fees was blacked out.

The commission gave this undertaking of confidentiality, which is legally binding in terms of the Competition Act.

Other data blacked out related to the breakdown of the credit card market and the fees earned from credit cards relative to their costs.

However, the secret information was decrypted (except for certain blacked-out sections which were resistant to “decensoring”) and posted on Wikileaks, which describes itself as a website for anonymous whistle-blowers. It is dedicated to leaking sensitive government, corporate and religious documents.

Mokoena said Wikileaks had refused a request by the Competition Commission to remove the report from its website immediately. Commissioner Shan Ramburuth said in a letter to the website’s proprietors that the information obtained by Wikileaks was “obtained illegally under South African law”.

Mokoena said the leak was a very serious violation of the commission’s confidentiality obligations and meant that it would have to strengthen its security arrangements.

She did not believe a criminal prosecution was “hopeless”, saying the police would have to try to trace the hackers electronically.

The Wikileaks website was launched in December 2006 by dissidents, journalists, mathematicians and technologists from the US, Taiwan, Europe, Australia and SA. It boasts a database of more than 1-million documents and recently made available a confidential briefing document relating to the collapse of the UK’s Northern Rock bank.

It has also posted documents relating to corruption in Kenya, military expenditure in Afghanistan, operating procedures for the US army at the Guantan amo Bay detention centre, and a list of the 13500 supporters of the far right-wing British National Party.

According to reports on the internet, the Wikileaks website was shut down by a court injunction in California last year on the basis of an application brought on behalf of Swiss bank Julius Baer.

This was after “several hundred" documents were posted on the website about the bank’s alleged offshore activities, specifically money laundering and tax evasion at its Cayman Islands branch.

Wikileaks slammed the court order as “unconstitutional" and said that the site had been “forcibly censored". The injunction was subsequently overturned and the bank dropped its case in March after the American Civil Liberties Union and the Electronic Frontier Foundation filed a motion protesting against the censorship of Wikileaks.

A coalition of US publishers and press organisations joined the application as a friend of the court on behalf of Wikileaks. US legal experts said the case highlighted the difficulty of enforcing national jurisdiction over a globalised internet.

(Courtesy - Sizwe Snail in South Africa)

Pak hackers plan attack on Indian cyber networks

BEWARE : Pak hackers plan attack on Indian cyber networks

PTI

Jan 06 2008

http://in.news.yahoo.com/20/20090106/1416/tnl-pak-hackers-plan-attack-on-indian-cy.html

New Delhi, Jan 6 (PTI) After the Mumbai terror strikes, anti-India elements in Pakistan are now planning an attack on Indian computer networks, intelligence agencies have warned. Already Pakistani hackers are trying out a dry run against Indian networks through popular websites registered there after the Mumbai terror strikes, Home Ministry sources told PTI here today.

"Every time the relations between the two countries dampen, Pakistanis start attacking Indian computer networks and this has increased after the Mumbai terror attacks," a Home Ministry source said. Pakistani hackers have created websites such as the www.Songs.Pk, which are infested with software to hack data from the targeted computers, it said.

"The website www.Songs.Pk has over 12 lakh Indian users who are downloading stuff from these websites daily," said a cyber expert in the Ministry. With these websites being highly popular, it will take only a few minutes for the hackers to take command of over 12 lakh computers in few minutes and the number of such computers can multiply in every minute, sources said.

"Instead of the existing less harmful virus, new ones such as Botnet and Zoombie can be easily released into the Indian computers, which later on replicate and make the entire server vulnerable," the expert said. "Now a days new virus and worms are detected while downloading songs from these websites, which could be just a dry run to manage a bigger attack," he said. PTI

Monday, January 5, 2009

Quote of the day

Quote of the day

The true civilization is where every man gives to every other every right that he claims for himself.

Robert Ingersoll

New IT Term of the day

New IT Term of the day


TCP WRAPPER


A computer program that provides firewall services to UNIX users on a network by monitoring incoming packets to determine if the external device is authorized to have access. TCP Wrapper monitors and filters incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services.

Mobile phone users warned of SMS attack

MARCH : Mobile phone users warned of SMS attack

SC Staff

January 05 2009

http://www.scmagazineuk.com/Mobile-phone-users-warned-of-SMS-attack/article/123493/

Mobile phone users could be hit by a denial-of-service attack.

Called the ‘SMS Curse of Silence', it can crash the SMS function of the phone, meaning users cannot receive new text messages.

According to researcher Tobias Engel, who was speaking at the Chaos Communication Congress in Berlin, the attack uses specially formatted SMS messages to wage a denial-of-service attack on the victim's phone. It targets a vulnerability in versions 8 through 9.2 of the Symbian operating system and so far has been shown to affect the Nokia Series 60 phone versions 2.6, 2.8, 3.0, 3.1, and the Sony Ericsson UiQ.

Engel explained that the denial-of-service attack consists of sending one, or depending on the phone model, several specifically formatted SMS messages to the smartphone that is being targeted.

The messages then crash the phone's SMS system, but the phone remains functional otherwise. Older models do not show symptoms of the attack that would be visible to the user, however newer phones can show messages that the phone is running out of memory or experience constantly flashing message icons after the attack.

Engel said: “At least it is not possible to steal user data from the phones or make calls at other people's expense, but it shows again that mobile phones are just computers which are connected to the network all the time. Phone manufacturers and network operators have to make sure that there is a way to quickly deploy bug-fix firmware releases to phones, free of charge to the user."

Smartphones that can be attacked this way include UiQ devices and S60 2nd Edition Feature Packs 2 and 3, 3rd Edition and 3rd Edition Feature Pack 1. S60 3rd Edition Feature Pack 2 or 5th Edition phones are not affected.

Samu Konttinen, vice president of the Mobile Business Unit at F-Secure said: “Performing the attack does not require technical expertise, and due to this, there is a risk of it becoming a nuisance.”

Many RFID cards poorly encrypted

RISK : Many RFID cards poorly encrypted

1 January 2009

http://www.heise-online.co.uk/security/25C3-Many-RFID-cards-poorly-encrypted--/news/112336

Karsten Nohl, the security investigator who had a big hand in cracking NXP's Mifare Classic chips, says many RFID smartcards from other manufacturers are also vulnerable to a simple hacker attack. He told the 25th Chaos Communication Congress (25C3) in Berlin that "Almost all RFID cards use weak proprietary encryption systems" and only the latest types were any better. For example, several generations of Legic, HID and Atmel cards have holes in their armour.

RFID cards are used today to control access to buildings, rooms, cars or electronic devices. Mifare chips are also widely used in payment systems, such as those in short-distance public transport. The general expectation is that such RFID tags, all operating on the same frequency of 13.56 MHz, will evntually be used as generic identifiers for products and people, and they are already in use in passports and credit cards. However, said Nohl, the chip manufacturers have so far criminally neglected the standard of encryption used by these chips and the standard of the reading systems, which ought to satisfy the requirements of both data protection and system security.

Using as an example the Mifare Classic card, he and his comrade-in-arms in the Chaos Computer Club (CCC), Henryk Plötz, demonstrated that its encryption could be compromised by simple proxy or relay attacks. In principle, he said, an attacker need only determine, say with an emulator, that an appropriate SmartCard was within range. All doors would then be open to him.

For example, freely available OpenPICC hardware, a counterpart to the OpenPCD RFID reader, could be used for hacking these cards. This emulator, said Nohl, can be carried in a trousers pocket, and can generate and send a suitable RFID tag identification number. All that is needed is to eavesdrop on a legitimate authentication, initiate the same routine later on, and respond with the recorded communication. Random numbers are also required, but as a rule these tiny radio chips have insufficient processing power to generate them reliably. In the case of many RFID cards, therefore, these supposedly random sequences of digits have proved to be easy to predict. A further weakness, added Plötz, is that readers do not use existing protocols to check the distance between themselves and a nearby chip. Such protocols require a measurement of the time taken for the radio signals to travel out and back which would add considerably to the cost of card readers.

Nohl reported that many RFID cards do not put up much resistance to more sophisticated cryptographic attacks, such as algebraic, statistical or brute force attacks. It is usually sufficient to determine the purely statistical vulnerabilities in the encryption applications. In order to help hackers make further tests on the security of radio chips, the two researchers have published the TI EVM tool, which, they say, supports various protocols. They have also announced OpenPICC2 as a further powerful emulator, which doubles as an e-book reader. Nohl recommended that the makers of RFID solutions use standardised encryption algorithms and protocols and not to prescribe the use of their radio systems for tagging humans. Tested norms should furthermore be worked out for "secure RFID".

China claims world's largest piracy bust

PIRACY : China claims world's largest piracy bust

Eleven men sentenced to record terms for masterminding piracy ring

by Shaun Nichols in San Francisco

vnunet.com

03 Jan 2009

http://www.vnunet.com/vnunet/news/2233213/china-lays-claim-world-largest

The Chinese state government has issued lengthy prison sentences after cracking what is believed to be the largest and most lucrative software piracy operation in the world.

Courts in Shenzhen issued prison terms to 11 men thought to have masterminded the counterfeiting ring. The operation was said to be based out of southern China with distribution to 36 countries on five continents.

Microsoft said that the ring was distributing at least 19 of its products with a market value of $2bn (£1.37bn).

The syndicate was broken up by Chinese authorities in 2007 at the conclusion of a joint operation by Chinese and American law enforcement agencies.

Microsoft also claimed a role in the investigation, saying that it collected thousands of user reports and information from some 100 resellers that had provided payment information and correspondence with the piracy ring.

The jail terms handed down by the courts range from 18 months to six and a half years for each of the men, record sentences for piracy infractions in China. The country had received criticism from western governments for its lenient stance on patent infringement.

"Enforcement of intellectual property rights is critical to fostering an environment of innovation and fair competition," said Fengming Liu, Microsoft's vice president of the greater China region.

"Thanks to the actions of the Chinese government, we have seen a significant improvement in the environment for intellectual property rights in China."

The investigation brought to light what Microsoft describes as a global epidemic of piracy. Cybercrime experts have pointed to the global nature of internet crimes, and a lack of clear-cut jurisdictions, as major hurdles for law enforcement groups.

David Finn, associate general counsel at Microsoft's worldwide anti-piracy and anti-counterfeiting operation, echoed that sentiment.

"Unfortunately, software counterfeiting is a global, illegal business without borders," he said. "Criminals may be on the other side of the globe and may not even speak the same language, but they prey on customers and partners all over the world."

UK Police set to step up hacking of home PCs

BIG BROTHER : UK Police set to step up hacking of home PCs

David Leppard

The Sunday Times, UK

January 4, 2009

http://www.timesonline.co.uk/tol/news/politics/article5439604.ece

THE UK Home Office has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers without a warrant.

The move, which follows a decision by the European Union’s council of ministers in Brussels, has angered civil liberties groups and opposition MPs. They described it as a sinister extension of the surveillance state which drives “a coach and horses” through privacy laws.

The hacking is known as “remote searching”. It allows police or MI5 officers who may be hundreds of miles away to examine covertly the hard drive of someone’s PC at his home, office or hotel room.

Material gathered in this way includes the content of all e-mails, web-browsing habits and instant messaging.

Under the Brussels edict, police across the EU have been given the green light to expand the implementation of a rarely used power involving warrantless intrusive surveillance of private property. The strategy will allow French, German and other EU forces to ask British officers to hack into someone’s UK computer and pass over any material gleaned.

A remote search can be granted if a senior officer says he “believes” that it is “proportionate” and necessary to prevent or detect serious crime — defined as any offence attracting a jail sentence of more than three years.

However, opposition MPs and civil liberties groups say that the broadening of such intrusive surveillance powers should be regulated by a new act of parliament and court warrants.

They point out that in contrast to the legal safeguards for searching a suspect’s home, police undertaking a remote search do not need to apply to a magistrates’ court for a warrant.

Shami Chakrabarti, director of Liberty, the human rights group, said she would challenge the legal basis of the move. “These are very intrusive powers – as intrusive as someone busting down your door and coming into your home,” she said.

“The public will want this to be controlled by new legislation and judicial authorisation. Without those safeguards it’s a devastating blow to any notion of personal privacy.”

She said the move had parallels with the warrantless police search of the House of Commons office of Damian Green, the Tory MP: “It’s like giving police the power to do a Damian Green every day but to do it without anyone even knowing you were doing it.”

Richard Clayton, a researcher at Cambridge University’s computer laboratory, said that remote searches had been possible since 1994, although they were very rare. An amendment to the Computer Misuse Act 1990 made hacking legal if it was authorised and carried out by the state.

He said the authorities could break into a suspect’s home or office and insert a “key-logging” device into an individual’s computer. This would collect and, if necessary, transmit details of all the suspect’s keystrokes. “It’s just like putting a secret camera in someone’s living room,” he said.

Police might also send an e-mail to a suspect’s computer. The message would include an attachment that contained a virus or “malware”. If the attachment was opened, the remote search facility would be covertly activated. Alternatively, police could park outside a suspect’s home and hack into his or her hard drive using the wireless network.

Police say that such methods are necessary to investigate suspects who use cyberspace to carry out crimes. These include paedophiles, internet fraudsters, identity thieves and terrorists.

The Association of Chief Police Officers (Acpo) said such intrusive surveillance was closely regulated under the Regulation of Investigatory Powers Act. A spokesman said police were already carrying out a small number of these operations which were among 194 clandestine searches last year of people’s homes, offices and hotel bedrooms.

“To be a valid authorisation, the officer giving it must believe that when it is given it is necessary to prevent or detect serious crime and [the] action is proportionate to what it seeks to achieve,” Acpo said.

Dominic Grieve, the shadow home secretary, agreed that the development may benefit law enforcement. But he added: “The exercise of such intrusive powers raises serious privacy issues. The government must explain how they would work in practice and what safeguards will be in place to prevent abuse.”

The Home Office said it was working with other EU states to develop details of the proposals.

Sunday, January 4, 2009

Quote of the day

Quote of the day

At his best, man is the noblest of all animals; separated from law and justice he is the worst

Aristotle

New IT Term of the day

New IT Term of the day


TCP SYN attack


A sender transmits a volume of connections that cannot be completed. This causes the connection queues to fill up, thereby denying service to legitimate TCP users. A TCP SYN attack (also called SYN attack) is a common type of Denial of Service attack.

Internet sites could be given 'cinema-style age ratings'

OPINION : Internet sites could be given 'cinema-style age ratings'

Internet sites could be given cinema-style age ratings as part of a UK Government crackdown on offensive and harmful online activity to be launched in the New Year, the Culture Secretary says.

By Robert Winnett, Deputy Political Editor

Telegraph, UK

27 Dec 2008

http://www.telegraph.co.uk/scienceandtechnology/technology/technologynews/3965051/Internet-sites-could-be-given-cinema-style-age-ratings-Culture-Secretary-says.html

Culture Secretary Andy Burnham says internet sites could be given 'cinema-style age ratings'

Internet sites could be given 'cinema-style age ratings', Culture Secretary says Photo: MARTIN POPE

In an interview with The Daily Telegraph, Andy Burnham says he believes that new standards of decency need to be applied to the web. He is planning to negotiate with Barack Obama’s incoming American administration to draw up new international rules for English language websites.

The Cabinet minister describes the internet as “quite a dangerous place” and says he wants internet-service providers (ISPs) to offer parents “child-safe” web services.

Giving film-style ratings to individual websites is one of the options being considered, he confirms. When asked directly whether age ratings could be introduced, Mr Burnham replies: “Yes, that would be an option. This is an area that is really now coming into full focus.”

ISPs, such as BT, Tiscali, AOL or Sky could also be forced to offer internet services where the only websites accessible are those deemed suitable for children.

Mr Burnham also uses the interview to indicate that he will allocate money raised from the BBC’s commercial activities to fund other public-service broadcasting such as Channel Four. He effectively rules out sharing the BBC licence fee between broadcasters as others have recommended.

His plans to rein in the internet, and censor some websites, are likely to trigger a major row with online advocates who ferociously guard the freedom of the world wide web.

However, Mr Burnham said: “If you look back at the people who created the internet they talked very deliberately about creating a space that Governments couldn’t reach. I think we are having to revisit that stuff seriously now. It’s true across the board in terms of content, harmful content, and copyright. Libel is [also] an emerging issue.

“There is content that should just not be available to be viewed. That is my view. Absolutely categorical. This is not a campaign against free speech, far from it; it is simply there is a wider public interest at stake when it involves harm to other people. We have got to get better at defining where the public interest lies and being clear about it.”

Mr Burnham reveals that he is currently considering a range of new safeguards. Initially, as with copyright violations, these could be policed by internet providers. However, new laws may be threatened if the initial approach is not successful.

“I think there is definitely a case for clearer standards online,” he said. “More ability for parents to understand if their child is on a site, what standards it is operating to. What are the protections that are in place?”

He points to the success of the 9pm television watershed at protecting children. The minister also backs a new age classification system on video games to stop children buying certain products.

Mr Burnham, himself a parent of three young children, says his goal is for internet providers to offer “child-safe” web services.

“It worries me - like anybody with children,” he says. “Leaving your child for two hours completely unregulated on the internet is not something you can do. This isn’t about turning the clock back. The internet has been empowering and democratising in many ways but we haven’t yet got the stakes in the ground to help people navigate their way safely around…what can be a very, very complex and quite dangerous world.”

Mr Burnham also wants new industry-wide “take down times”. This means that if websites such as YouTube or Facebook are alerted to offensive or harmful content they will have to remove it within a specified time once it is brought to their attention.

He also says that the Government is considering changing libel laws to give people access to cheap low-cost legal recourse if they are defamed online. The legal proposals are being drawn up by the Ministry of Justice.

Mr Burnham admits that his plans may be interpreted by some as “heavy-handed” but says the new standards drive is “utterly crucial”. Mr Burnham also believes that the inauguration of Barack Obama, the President-Elect, presents an opportunity to implement the major changes necessary for the web.

“The change of administration is a big moment. We have got a real opportunity to make common cause,” he says. “The more we seek international solutions to this stuff – the UK and the US working together – the more that an international norm will set an industry norm.”

The Culture Secretary is spending the Christmas holidays at his constituency in Lancashire but is planning to take major decisions on the future of public-service broadcasting in the New Year. Channel Four is facing a £150m shortfall in its finances and is calling for extra Government help. ITV is also growing increasingly alarmed about the financial implications of meeting the public-service commitments of its licenses.

Mr Burnham says that he is prepared to offer further public assistance to broadcasters other than the BBC. However, he indicates that he does not favour “top-slicing” the licence fee. Instead, he may share the profits of the BBC Worldwide, which sells the rights to programmes such as Strictly Come Dancing to foreign broadcasters.

“I feel it is important to sustain quality content beyond the BBC,” he said. “The real priorities I have got in my mind are regional news, quality children’s content and original British children’s content, current affairs documentaries – that’s important. The thing now is to be absolutely clear on what the public wants to see beyond the BBC.

“Top-slicing the licence fee is an option that is going to have to remain on the table. I have to say it is not the option that I instinctively reach for first. I think there are other avenues to be explored.”

Castle Cops shuts up shop

END : Castle Cops shuts up shop

Sad demise of volunteer security community

By John Leyden

29th December 2008

http://www.theregister.co.uk/2008/12/29/castlecops_closes/

Updated CastleCops (http://www.castlecops.com), the volunteer security community, has called it a day.

For six years CastleCops campaigned against internet fraud by running malware and phishing scam investigations and take-downs. CastleCops also ran volunteer training programs, as well as maintaining other services including computer virus clean-up assistance to ordinary punters.

Since the organisation was established in 2002, CastleCops has maintained close ties with other members of the anti-malware community and law enforcement to make the internet a cleaner and safer environment. Despite its sterling work in multiple areas, CastleCops has long had problems with funding and hostile actions by cybercriminals. For example, CastleCops has been the target of repeated denial of service attacks as well as attempts by crooks to discredit the site.

Paul Laudanski was the main man behind CastleCops for three years before he took up (http://www.geek.com/articles/microsoft/castlecops-paul-laudanski-accepts-job-at-microsoft-20080613) a full-time job as an internet safety investigator with Microsoft back in June. The failure to replace Laudanski made the announcement that CastleCops was closing sadly predictable, at least in retrospect. The announcement itself (below) took the wider security community a little by surprise.

You have arrived at the Castle Cops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created.

CastleCops pledged to refund donations for its upkeep made through PalPal. Donations to the service made by cheque can't easily be refunded and will be passed onto the Internet Software Consortium (not the Internet Storm Centre as we initially incorrectly reported) by the middle of March, unless instructions to the contrary are received.

SBI fixes website after hacking attack

HACKED : SBI fixes website after hacking attack

28 Dec 2008

http://timesofindia.indiatimes.com/Business/SBI_fixes_website_after_hacking_attack/articleshow/3903956.cms

MUMBAI: The country's largest lender State Bank of India said on Sunday that it has resolved the "technical problem" with its website , which had become temporarily unavailable due to a reported hacking attempt.

An attempted attack caused a shutdown of SBI’s website on Saturday. “There has been an attempt to disrupt the system,” a senior official confirmed. But he refused to divulge any further details. While the bank’s internet banking site www.onlinesbi.com was operational, its sites www.statebankofindia.com and www.sbi.co.in were down on Saturday.

"I don't want to use the word 'hacking'. It was a temporary technical problem which was resolved by yesterday evening," the public sector bank's Deputy Managing Director (IT) R P Sinha said on Sunday.

After the restoration of the website, Sinha stressed that the technical fault did not affect any transactions, including fund transfer and there was no loss of customer data.

Late on Saturday evening, officials said that the bank was targeting to get its website operational by 9 pm. Later, the bank put up a message stating that site was under maintenance and directed online applicants to clerical positions to the Institute of Banking Personnel Selection site.

SBI is the country’s largest bank with over three million online customers. The number of people with access to internet banking has increased dramatically after SBI installed its core banking solutions in over 11,100 branches across the country. In the past too, government websites have been attacked by hackers who left behind anti-India slogans.

Last year, Bank of India’s website had fallen victim to hackers who planted malware on the site that installs itself on the user’s computer and transmits sensitive information to the hacker. Besides this there have been phishing attempts on customers of various banks where the hacker puts up a website identical to that of a bank to steal passwords.

India has to gear up to face the virtual assault

ATTACK : India has to gear up to face the virtual assault

Bhuvan Bagga

January 2, 2009

http://indiatoday.digitaltoday.in/index.php?option=com_content&task=view&id=24165&sectionid=4&issueid=86&Itemid=1

New Delhi, It is not just terror on the ground that India is worried about any more. The Computer Emergency Response Team of India (CERT-In) estimates that Pakistan- based hackers have attacked Indian networks more than 100 times since the November 26 strike on Mumbai.

According to Gulshan Rai, director, CERT-In–the specialised arm of India’s Information Technology ministry – network hacks from Pakistan- based programmers have been “naïve but effective”.

Says Rai: “As soon as the dust over the November 26 attacks settled and the Pakistani role in it became clear, Pakistan- based hackers have defaced more than 100 Indian websites with anti- India messages. Other attacks include those on government networks and networks of government- affiliated agencies.” In fact, the IT ministry has its own informal list of “most wanted” Pakistan- based hackers. Cyberlord, an Internet nickname of one such has executed 70 attacks on Indian Web sites. Similarly yusufislam (58 attacks), el_ muhammed (46 attacks), iranianboysblackhat (52 attacks), mirim (35 attacks) and cracker_ child (103 attacks) lead the way for Pakistan-origin cyberspace strikes.

Experts even say that these are “the Dawoods, the Zaki-ur-Rehman Lakhvis and the Masood Azhars of the virtual world”. They are strongly anti-Indian and several of them work freelance for anti-Indian outfits in the real world.

It is not just hackers from Pakistan.

Says Rai: “In 2008, Chinabased entities broke into one State Bank of India website and took complete control. Luckily it was only a consumer information site. But also remember that almost every bank has critical financial data online and it does not take a genius to realise what would happen if a hacker — especially one that is statesupported — took over the site, and deleted or manipulated all financial records.” CERT- In recorded 401 cybersecurity- related incidents in November 2008 and a total of 291 defaced websites — primarily by agents based out of Pakistan, China, Russia, Iran and America.

On November 29, a cyber security related blog on ZD Net reported that a “virus outbreak had affected 75 percent of all systems at the largest US military base in Afghanistan. The intrusion was severe enough to necessitate the briefing of the President. We don’t know the source of the attack but signs point to state actors, with the most popular contenders either being Russia or China”.

The West woke up to the threat early, even going on to make the ahead of its time Sandra Bullock starrer Hollywood blockbuster The Net in 1995. With the kind of attacks we’ve been facing in 2008, India should strengthen its cyber security force many fold.

A senior IPS officer told Mail Today: “We don’t really have advanced cyber security systems, certainly not as strong as in the US or in the UK. We also need strong state support to thwart such attacks.”

A Delhi Special Cell Police officer said: “The US, Russia and China officially allow the use of ethical hackers to solve Internet crime and cybersecurity breaches. However, in India, a police officer can be arrested for asking for funds to hire a hacker, since hacking itself is illegal. The Indian state does not differentiate between ethical hacking and subversive hacking. Yet, the police are expected to show results.”

Cyber security experts say that they want to ask for state funding and laws structured to current reality and advancements. The Special Cell officer told Mail Today: “Our officers lack basic knowledge. It is a known fact that India- based hackers get sold to the highest bidder, and some of the best hacking minds in India work for China, the US or Russia. Today, I can send an email to any agency in a way that it would seem to have emerged from any other country.

I can break into sites and networks and steal the most strategic secrets. Alok Mukhopadhyay, an Associate at the Institute for Defense Studies and Analyses, says: “Information or rather disinformation warfare is the one for the 21st century.

The wars are now being fought over the Internet – not only through attempts of hacking, stealing and defacing, but through a smokescreen of disinformation.” It is not that cyberwars are unknown. Americans routinely target the Chinese and Russian hackers. The Chinese and the Russian state arms retaliate the same way with virus attacks, hacking and defacing.

The Special Cell officer said: “At a time when information is the key and an ever bigger proportion of it is in the cyberspace — India better buckle up fast — because if we lose this fight, the physical fight would only become even tougher.”

What they specialise in

China – Known to be keeping a very close watch on India’s Networks, specially government ones. Known for being good at putting in spywares.

Russia – Known for launching up very aggressive financial attacks. Primarily into stealing critical data, oganisation’s or military’s for financial benefits.

Pakistan – Primarily into anti-India propaganda, and Website defacing and damaging the primary information pool

Eastern Europe – Hacking into financial instruments and stealing data.

Middle East including Iran – Into Islamic propaganda, specially into anti- India doctored stories of Hindu-Muslim disunity.

Nigeria - Famous for black dollar scam.

The infamous hackers

Yusufislam – 58 websites defaced/ attack incidents in recent months

El_ muhammed – 46 websites defaced/ attack incidents in recent months

Iranianboysblackhat – 52 websites defaced/ attack incidents in recent months

Cracker_ child – 103 websites defaced/ attack incidents in recent months

Mirim – 35 websites defaced/ attack incidents in recent months

This Day in History

Thanks for your Visit