Newsletter
IT and Cyber Security News Update from Centre for Research and Prevention of Computer Crimes,
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005 | February 09, 2015 | Issue no 1541
Tenth year of uninterrupted publication
Today's edition
SPY : Samsung may be eavesdropping on you
ATTACK : Anonymous launches the OpISIS and brings down ISIS social media accounts
COMPLEXITY : US Passport's Complex Security Tech, Explained By Forgery Pros
TRAGEDY : The World's Email Encryption Software Relies on One Guy, Who is Going Broke
SPY : Samsung may be eavesdropping on you
Javier E. David
CNBC.com
8 Feb 2015
Samsung's Smart TV may be a little too smart for its own good.
Tucked into the privacy policy of the South Korean electronics behemoth's Smart TV are a few paragraphs that may send chills down the spine of some consumers. According to the document, the unit's voice recognition protocols can "capture voice commands and associated texts so that [Samsung] can provide you with Voice Recognition features and evaluate and improve the features."
The boilerplate language, which granted few people read in its entirety, sounds fairly anodyne. That is, until the company adds this warning: "Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition."
The TV's voice features can be disabled. However, the company adds another caveat: "While Samsung will not collect your spoken word, Samsung may still collect associated texts and other usage data so that we can evaluate the performance of the feature and improve it."
In other words, owners of the Samsung Smart TVs may need to watch what they say in their own homes, and especially where they say it.
A spokesperson for the company told CNBC that Samsung "takes consumer privacy very seriously," while adding that the company "does not retain voice data, or sell it to third parties. If a consumer consents and uses the voice recognition feature, voice data is provided to a third party during a requested voice command search."
The warning, first reported by The Korea Times and picked up on social media, may add fuel to a raging debate over how much control humans are willing to relinquish to automation for the sake of convenience. Tech companies are resorting to more creative, and some say surreptitious, ways to mine consumer data and profit from it.
Voice command technology is becoming more ubiquitous, and many consumers rely on those solutions, such as Apple's Siri, to power their devices.
Yet those protocols are only several degrees removed from autonomous devices, which are increasingly migrating from science fiction to reality. They also raise a host of privacy questions that experts are struggling to comprehend.
Artificial intelligence is an increasingly hot topic, with high-profile technophiles such as Elon Musk, Stephen Hawking and Bill Gates warning about the unintended consequences of unchecked smart technology.
ATTACK : Anonymous launches the OpISIS and brings down ISIS social media accounts
by Pierluigi Paganini
February 9th, 2015
http://securityaffairs.co/wordpress/33288/hacking/anonymous-launches-opisis.html
Anonymous announced the OpISIS and launched a series of attacks against the jihadist websites supporting the ISIS and its propaganda on the Web.
As promised, the Anonymous collective has launched a massive cyber attack against the Islamic State (ISIS) terror group; the popular group vowed revenge in the aftermath of the vicious attack against the satirical magazine Charlie Hebdo in Paris. After the attack, Anonymous launched #OpCharlieHebdo against the members of ISIS on the web; the popular hacking team cried out for vengeance for the assault on Charlie Hebdo, convinced that what happened is not tolerable.
Anonymous has also posted the manifesto of Op Charlie Hebdo on Pastebin; below is the translation of an excerpt from the message:
"It is our responsibility to react. Attacking freedom of speech is a direct hit to democracy. Expect a massive reaction from us, because this freedom is what we've been always fighting for."
Anonymous considers the supporters of a violent jihad as enemies of freedom of expression, so it announced the Op Charlie Hebdo.
The Anonymous collective announced a series of attacks against the jihadist websites supporting ISIS and its propaganda on the Web, which ISIS uses to recruit new members. The Belgian wing of Anonymous published a video on the Internet in which it announces its revenge; the collective promises to purge social networks of accounts promoting violent jihad.
True to its declaration of war, Anonymous announced #OpISIS in a video that appeared on YouTube. The popular collective and RedCult claimed to have carried out cyber attacks against hundreds of Twitter and Facebook accounts used by the terrorists of the Islamic State.
According to the video, Operation OpISIS is managed by Muslims, Christians and Jews; a masked man explains the motivation of the attack, which is conducted by ordinary people who together decided to join forces against ISIS.
"[We are] hackers, crackers, hacktivists, phishers, agents, spies, or just the guy next door ... students, administrators, workers, clerks, unemployed, rich, poor. They are also young, or old, gay or straight ... from all races, countries, religions, and ethnicity. United as one, divided by zero," the video explains.
Anonymous released a list of more than a hundred Twitter and Facebook accounts suspected to belong to ISIS members; they represent the targets of OpISIS. Anonymous released the following message to ISIS supporters:
"We will hunt you, take down your sites, accounts, emails, and expose you.
From now on, no safe place for you online.
You will be treated like a virus, and we are the cure.
We own the internet.
We are Anonymous; we are Legion; we do not forgive, we do not forget. Expect us."
On the other side, ISIS is demonstrating an excellent command of web technologies such as social networks, which it uses daily to communicate with its followers.
Recently a manual released by ISIS to its members was discovered, advising them on how to avoid online surveillance while on the web. Twitter has already suspended more than 1500 ISIS accounts, and dozens of militant recruiting websites were shut down by ISPs and by DDoS attacks run by Anonymous members.
It isn't the first time that Anonymous has targeted jihadist online communities; in June the group ran a campaign dubbed Operation NO2ISIS against some states it accuses of supporting the Islamic terror group ISIS.
As part of OpISIS, Anonymous also threatened to target Saudi Arabia and all those governments that are secretly funding and supporting the strategy of ISIS.
"We are unable to target ISIS because they predominantly fight on the ground. But we can go after the people or states who fund them."
Also see -
COMPLEXITY : US Passport's Complex Security Tech, Explained By Forgery Pros
Kelsey Campbell-Dollaghan
Gawker Media
Feb 5, 2015
The passport is a bizarre and unique object. Think about it: The goal is to put it in the hands of millions upon millions of people, and for none of them to ever understand the technology that's at work in their wallets.
It's an extremely important mystery: Passports protect our identities, they protect national security, they are the best proof of ID we have. These days, it's actually incredibly difficult to counterfeit security elements in passports. It's much more common to see passport fraud committed with real passports, not forged ones. Still, the huge black market for passports has inspired very smart, very capable people to go to great lengths to fake them.
US passports are printed at the US Government Printing Office using 60 different materials. All in all, there are as many as 30 security features at work in that piece of plastic and paper, and most of them aren't even visible to the holder.
While our passports are ubiquitous objects, the specifics of the assembly process are still top-secret protected information. When I contacted Homeland Security for this article I was told that the forensic lab's experts couldn't discuss the security "in the specificity I'd be interested in." Even online, it's difficult to find out specifics about the technology inside our passports. So I asked a few passport and forgery experts to tell me more.
Holograms: The Hidden Cost of Complexity
Obviously, you want to know about the holograms first, because holograms.
Even though they were invented in the late 1940s, holograms have only been a part of passport security for a few decades, as Tom Topol, a passport historian and collector, recently told me. Topol says the UN was the first issuer to put one on its passports in 1984, and other countries quickly followed. Today, there's probably a see-through hologram covering your "biodata" page, where your biographical data is stored, but that came even later, in the 1990s.
There are dozens of types of holograms, and often, the technique used on banknotes or passports is proprietary to a particular company. For example, a company called Kinegram developed a unique hologram that it applies as strips or stamps to documents, like this banknote.
That said, some holograms can be forged, or at least closely recreated, using a number of techniques, the simplest of which uses a piece of metal pressed onto the hologram and then using that piece as a die to cast new holograms.
I had a fascinating conversation with Tony Sales, a self-described reformed fraudster in the UK who allegedly stole millions of dollars over the course of just a few years thanks in part to his skills with fraud and forgery, who confirmed that with enough time, you can learn (or buy) nearly anything.
"The first machine I ever saw was a holographic stamper, it just punched a hologram into the actual item; it wasn't complicated at all," says Sales of his early days forging documents including passports (he's often described in the media as "Britain's greatest fraudster"). Since then, he's turned his skill set into a career helping companies prevent fraud and theft: working with companies to develop better EAS tags, for example, and helping security experts understand how criminals might attack a particular defense using fraud.
How hard is it to get ahold of a machine that can stamp holograms? According to Sales, it's gotten more difficult since he was working. "Checks are done a lot more thoroughly on companies that want to obtain that kind of equipment," he says. But it's not impossible to obtain these machines. "They can just open up a shell company and as long as they're willing to confirm that they're the company, nine times out of ten it'll get shipped," says Sales.
Still, holograms seem like an increasingly difficult element to forge as technology improves. They're often layered with other security elements like specialty inks or fine line engraving. One major improvement over the past decade is the transparent hologram that's overlaid on your biodata page:
At the same time, one major weakness of holograms on IDs is the fact that as they get harder and harder to copy, they also get more complex, and all those details can be too much for a security agent to even remember. "The danger is that the OVD [Optical Visual Device] itself becomes so complex that it is impossible for an inspector to remember all the features that distinguish the genuine article," explained Robert Smith in the Keesing Journal of Documents & Identity in 2011. "Many simulations look good enough to pass visual inspection even if they contain inaccuracies that would rapidly be detected upon level two or three inspection."
Complexity, even though it's tougher to copy, isn't always good for security.
Ink You Never See and Paper That Hides Secrets
Inks are another key element of passport security. You might have never noticed these minute details, but the chemical makeup of ink, thread, and paper are all key features. "Most advanced security features are unknown by the bearer of a passport," Topol says.
There are thermochromatic inks that change color when heated or cooled; inks that dissolve when they're tampered with; inks that are one color from one angle and another color from a different vantage; and UV inks that appear or disappear under a UV light. Many passports, including Canada's new design, have a "hidden" design only visible under a UV light.
There are dozens of unique printing techniques used to make passports around the world. The "USA" on the corner of your biodata page, for example, is printed with an optically variable security ink, so it looks green in one light and gold in another, as the State Department explains on its website. The paper might include fluorescent particles that react to UV light, as you can see in a close-up of a UK passport below, or the thread itself might include unique fibers.
Sometimes, it's not ink at all. The cover of your passport is made from plastic, plain and simple. The elaborate seals that are specific to your country of origin are applied through a common process called hot foil stamping; it's used on everything from fancy candy packaging to luxury handbags. Rather than applying regular ink with a stamp, as you might with a letterpress, the printer uses a piece of foil to stamp into the plastic, then peels the excess foil away.
Does that mean that these printing techniques are easy to reproduce? Not necessarily. "A lot of the forgers in the early days would have had a printing background, so they'd be aware of it," says Sales. It's all about research, and even then, it can be difficult to gain access to specialized knowledge.
Printing & Type: Still the Hardest Part to Fake
More than anything else, passport security is about printing. That sounds boring; it's not.
Security printing is fascinating, combining techniques that date back to the early Medieval age like intaglio printing, where those complex, twisting patterns you find on your passport pages are engraved on a steel plate and then the paper is laid over the inked plate to create a print.
Other printing techniques come from the bleeding edge of the printing industry. Some of the printing on your passport is invisible without a magnifying glass (microprinting) or even a microscope (nanoprinting). Thanks to super-high-res printing techniques, some patterns and text can get down to one micron, according to Smith's article from 2011. "This far exceeds the resolution available via any other copying, printing or scanning device in the printing industry, and cannot be replicated by forgers," he writes.
Tiny details of the type can be a key way to spot fraud, too. An errant line or bump in a word could help investigators determine whether a passport is legit. As Gizmodo's Jesus Diaz recently pointed out, security printing on dollars has increased in resolution to the point where under a microscope, tiny details of the print are highly raised and visible.
So in a way, the most banal part of your passport, the printing, is actually one of the strongest.
I asked Sales what the most difficult element to forge on a passport was, and his answer surprised me. It wasn't thermochromatic ink or RFID chips or specialized holograms. It was something super simple: The typeface.
"No one ever gets the exact font," he says, explaining that under a microscope, tiny inconsistencies are incredibly difficult to replicate. In fact, some typefaces used by the government have deliberate, minute imperfections, like ink bleeds, that make them harder to digitally re-draw. Copying a country's font would mean actually getting ahold of a copy of the typeface. "Then we're talking industrial espionage, where people are stealing fonts for computers, and that becomes something totally different," he says.
The Verdict Is Still Out on Machines and Chips
The most controversial aspect of modern passport design, of course, is the electronic chip nestled in the upper left-hand corner of the back page of your passport book (this State Department podcast is a great source for more about how they're manufactured). This RFID chip usually contains information like your name, your photo, and other details, and in the US, the State Department programs and locks them at the Government Printing Office in DC to ensure they're secure.
That said, the security of RFID chips and other machine-readable elements of the passport has been questioned again and again since their introduction. In 2006, a security researcher named Lukas Grunwald demonstrated to Wired's Kim Zetter, and later at BlackHat, that he could clone the chip and rewrite the new version with software that could crash or override the machines used to check the chips.
Given that almost a decade has passed since his demonstration, I asked Grunwald whether anything has changed, and he pointed out that Germany has since changed the passport number to include characters, which is an improvement. But in the end, it's still quite easy to learn how to carry out the same process online. "There are right now several open source projects out that would do," said Grunwald over email. "Many of them work with normal JCOP (JavaCard) Smartcards available on the internet."
This Is a Race That Will Never End
The sense I got was that this is an eternally tied race: As security technology has improved, so have counterfeiters, spurring more changes on the state side of things, and so on. The internet, and the dark web, have made it even easier to buy and sell the technology needed to manufacture a passable passport. "We live in a digital age where information is easily obtained," says Sales. "I'm sure I've looked on the dark web before and all of the information and places to buy these machines, are for sale for anyone who wants to chance their luck at it."
Moreover, passports are products of globalization, just like almost everything else we own. A recent audit by the Government Printing Office that investigated the supply chain found that the US passport is made from 60 different commercial materials, supplied by 16 different contractors, six of which are sub-contractors that the office has zero relationship with. These materials are assembled in countries all over the world, by contractors specializing in everything from fluorescing thread to specialized holograms to.
That's not to say our passports aren't secure; these are some of the most advanced document security techniques in the world. But rather, the process of keeping them secure is one that will never be perfect. As I heard again and again, there's no magical high-tech solution that will end this race; a combination of emerging and tried-and-true security features works the best. It's an iterative process, like so much design work, that will need constant updating and improvements every year.
Next time you pack your passport for a trip, take a second to appreciate just how contentious that little piece of plastic and fiber and metal really is. You'll probably have one for the rest of your life, but within that time, the technology inside it will have evolved dozens of times.
TRAGEDY : The World's Email Encryption Software Relies on One Guy, Who is Going Broke
Werner Koch's code powers the email encryption programs around the world. If only somebody would pay him for the work.
by Julia Angwin
ProPublica, Feb. 5, 2015
In 1997, Werner Koch attended a talk by free software evangelist Richard Stallman. Stallman urged the crowd to write their own version of existing encryption software. Inspired, Koch decided to try. "I figured I can do it," he recalled. (Willi Nothers for ProPublica)
The man who built the free email encryption software used by whistleblower Edward Snowden, as well as hundreds of thousands of journalists, dissidents and security-minded people around the world, is running out of money to keep his project alive.
Werner Koch wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded.
"I'm too idealistic," he told me in an interview at a hacker convention in Germany in December. "In early 2013 I was really about to give it all up and take a straight job." But then the Snowden news broke, and "I realized this was not the time to cancel."
Like many people who build security software, Koch believes that offering the underlying software code for free is the best way to demonstrate that there are no hidden backdoors in it giving access to spy agencies or others. However, this means that many important computer security tools are built and maintained by volunteers.
Now, more than a year after Snowden's revelations, Koch is still struggling to raise enough money to pay himself and to fulfill his dream of hiring a full-time programmer. He says he's made about $25,000 per year since 2001, a fraction of what he could earn in private industry. In December, he launched a fundraising campaign that has garnered about $43,000 to date, far short of his goal of $137,000, which would allow him to pay himself a decent salary and hire a full-time developer.
The fact that so much of the Internet's security software is underfunded is becoming increasingly problematic. Last year, in the wake of the Heartbleed bug, I wrote that while the U.S. spends more than $50 billion per year on spying and intelligence, pennies go to Internet security. The bug revealed that an encryption program used by everybody from Amazon to Twitter was maintained by just four programmers, only one of whom called it his full-time job. A group of tech companies stepped in to fund it.
Koch's code powers most of the popular email encryption programs: GPGTools, Enigmail, and GPG4Win. "If there is one nightmare that we fear, then it's the fact that Werner Koch is no longer available," said Enigmail developer Nicolai Josuttis. "It's a shame that he is alone and that he has such a bad financial situation."
The programs are also underfunded. Enigmail is maintained by two developers in their spare time. Both have other full-time jobs. Enigmail's lead developer, Patrick Brunschwig, told me that Enigmail receives about $1,000 a year in donations, just enough to keep the website online.
GPGTools, which allows users to encrypt email from Apple Mail, announced in October that it would start charging users a small fee. The other popular program, GPG4Win, is run by Koch himself.
Email encryption first became available to the public in 1991, when Phil Zimmermann released a free program called Pretty Good Privacy, or PGP, on the Internet. Prior to that, powerful computer-enabled encryption was only available to the government and large companies that could pay licensing fees. The U.S. government subsequently investigated Zimmermann for violating arms trafficking laws because high-powered encryption was subject to export restrictions.
In 1997, Koch attended a talk by free software evangelist Richard Stallman, who was visiting Germany. Stallman urged the crowd to write their own version of PGP. "We can't export it, but if you write it, we can import it," he said.
Inspired, Koch decided to try. "I figured I can do it," he recalled. He had some time between consulting projects. Within a few months, he released an initial version of the software he called Gnu Privacy Guard, a play on PGP and an homage to Stallman's free Gnu operating system.
Koch's software was a hit even though it only ran on the Unix operating system. It was free, the underlying software code was open for developers to inspect and improve, and it wasn't subject to U.S. export restrictions.
Like many people who build security software, Koch believes that offering the underlying code for free is the best way to demonstrate that there are no hidden backdoors giving access to spy agencies or others. (Willi Nothers for ProPublica)
Koch continued to work on GPG in between consulting projects until 1999, when the German government gave him a grant to make GPG compatible with the Microsoft Windows operating system. The money allowed him to hire a programmer to maintain the software while also building the Windows version, which became GPG4Win. This remains the primary free encryption program for Windows machines.
In 2005, Koch won another contract from the German government to support the development of another email encryption method. But in 2010, the funding ran out.
For almost two years, Koch continued to pay his programmer in the hope that he could find more funding. "But nothing came," Koch recalled. So, in August 2012, he had to let the programmer go. By summer 2013, Koch was himself ready to quit.
But after the Snowden news broke, Koch decided to launch a fundraising campaign. He set up an appeal at a crowdsourcing website, made t-shirts and stickers to give to donors, and advertised it on his website. In the end, he earned just $21,000.
The campaign gave Koch, who has an 8-year-old daughter and a wife who isn't working, some breathing room. But when I asked him what he will do when the current batch of money runs out, he shrugged and said he prefers not to think about it. "I'm very glad that there is money for the next three months," Koch said. "Really I am better at programming than this business stuff."
Update, Feb. 5, 2015, 8:10 p.m.: After this article appeared, Werner Koch informed us that last week he was awarded a one-time grant of $60,000 from the Linux Foundation's Core Infrastructure Initiative. Werner told us he only received permission to disclose it after our article published. Meanwhile, since our story was posted, donations flooded Werner's website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch's project.
Cloud Engineer
A cloud engineer is an IT professional responsible for any technological duties associated with cloud computing, including design, planning, management, maintenance and support.
The cloud engineer position can be broken into multiple roles, including cloud software engineer, cloud security engineer, cloud systems engineer and cloud network engineer. Each position focuses on a specific type of cloud computing, rather than the technology as a whole. Companies that hire cloud engineers are often looking to deploy cloud or further their cloud understanding and technology.
Job listings on Dice.com seek cloud engineers with at least three to five years' experience with cloud, including open source technology, software development, system engineering, scripting languages and multiple cloud provider environments. Additionally, cloud engineers must have a background building or designing web services in the cloud.
Cloud engineers need to be familiar with programming languages including Java, Python and Ruby. Many companies looking to hire cloud engineers seek experience with OpenStack, Linux, Amazon Web Services, SoftLayer, Rackspace, Google Cloud, Microsoft Azure and Docker. Experience with APIs, orchestration, automation, DevOps and databases like NoSQL is also important.
A cloud engineer should have a Bachelor of Science degree in computer science, engineering or another related field, but some companies prefer a Master of Science degree. Additional certifications may be required.
"The human voice can never reach the distance that is covered by the still small voice of conscience." - Mahatma Gandhi
Note -