Newsletter
IT and Cyber Security News Update from Centre for Research and Prevention of Computer Crimes
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005. December 15, 2014, Issue no 1519. Tenth year of uninterrupted publication.
Today's edition
ARRESTED : ISIS Twitter account operator Mehdi arrested in Bangalore
HACKED : Ukrainian hackers leak Russian Interior Ministry docs with evidence of Russian invasion
STOLEN : Serbian hackers claim to have stolen the entire national database
DoS : Airport chaos as London airspace is restricted and flights delayed after computer failure
ARRESTED : ISIS Twitter account operator Mehdi arrested in Bangalore
PTI, December 13, 2014
In a major breakthrough, the alleged handler of the most influential pro-Islamic State (IS) Twitter account was arrested from an apartment here in the early hours today.
Mehdi Masroor Biswas has confessed that he was handling the pro-jihad Twitter account @ShamiWitness and that he was particularly close to English-speaking ISIS terrorists, Karnataka DGP L Pachau told reporters here.
An engineer working as a manufacturing executive with a Bengaluru-based multinational company for an annual package of Rs 5.3 lakh, he became a source of incitement and information for new ISIS recruits, Pachau said.
Biswas, who hails from West Bengal, had admitted to operating the @ShamiWitness Twitter account for many years, he said, announcing the breakthrough along with Bengaluru Police Commissioner M N Reddi.
Cases had been registered against Mehdi under various provisions of the IPC, the Unlawful Activities (Prevention) Act and the IT Act, Reddi said.
Pachau said Mehdi had more than 17,000 followers on Twitter and tweeted ferociously, aggregating information and closely watching developments in the region.
The Bengaluru Police had launched a manhunt for Mehdi after Britain's Channel 4 News aired a report on the link between the country's IT capital and the Twitter account followed by foreign jihadis.
Channel 4 News had said its investigation had revealed that the man operating the account is called Mehdi and that he is an executive in Bangalore working for an Indian conglomerate.
Mehdi had been interested in the Levantine region, also known as the Eastern Mediterranean, consisting of Cyprus, Israel, Jordan, Lebanon, Palestine, Syria and part of southern Turkey, since 2003, Pachau said.
He worked in the office during the daytime and became active on the Internet at night, he said, adding that he had bought a 60 GB monthly Internet connection to read all the breaking news on websites relating to ISIS/ISIL.
Pachau said that through his social media propaganda, Mehdi abetted ISIL in its agenda to wage war against Asiatic powers.
Mehdi was careful to hide his true identity and was confident that it would never be revealed, the state police chief said. His identity was exposed by Channel 4 and the inputs were passed on to the Indian agencies.
His parents live in West Bengal and he has two elder sisters, Pachau said. His father is a retired employee of the West Bengal State Electricity Board.
The British broadcaster had not revealed Mehdi's full name, saying his life would be in danger. The account was shut down after the report surfaced.
In its report yesterday, Channel 4 said the man operating the account had until now been able to remain anonymous and to avoid questions about his role in the Islamic State's propaganda war. Its investigation had, however, revealed that the man is called Mehdi and that he is an executive with an Indian conglomerate in Bengaluru.
His tweets, written under the name Shami Witness, were seen two million times each month, making his perhaps the most influential Islamic State Twitter account, with over 17,700 followers, it said.
HACKED : Ukrainian hackers leak Russian Interior Ministry docs with evidence of Russian invasion
By Aric Toler, 13 December 2014
Hacking collectives on both sides of the Ukraine-Russia information war have been instrumental in revealing key facts and documents that some would prefer to remain hidden. The latest leak by Ukrainian hackers purports to reveal new evidence of Russian soldiers' presence in Ukraine.
On Friday, Ukrainian activist Evgeniy Dokukin and Ukrainian Cyber Forces, the hacktivist group he founded earlier this year, released 1.7GB of files taken from the Russian Interior Ministry. Later, Dokukin released an additional 34GB of data from the Interior Ministry servers, most of which has not yet been fully analyzed by journalists.
As with most leaks, most notably the September hack of the Liberal Democratic Party of Russia (LDPR), the majority of the leaked documents are overwhelmingly useless and dull. However, as in the case of the LDPR leak, evidence of Russian involvement in eastern Ukraine can be found buried underneath heaps of bureaucratic minutiae. While most of the files are inconsequential, the fact that they originate from the Rostov branch of the Interior Ministry is intriguing, as the Rostov region in Russia shares a border that spans hundreds of miles with eastern Ukraine.
Dokukin told RuNet Echo that he and the Ukrainian Cyber Forces hacked an e-mail account of the Russian Interior Ministry and two other servers, and that they also gained access to additional information that has not yet been publicly released. Dokukin says he has personally not spent much time reviewing the documents taken from the Ministry server, but instead relies on journalists to parse through the gigabytes of information.
The Ministry Files
Even a quick look through the hundreds of documents makes it immediately clear that all or nearly all of them are the real deal. A truly massive amount of manpower would have been necessary to fabricate the level of detail in the reports and lists in this leak, including metadata that seems genuine. In a randomly selected document from the archive, for example, the content and the metadata all check out. Take an "Overview of the state of the rule of law and public safety during public events held in the first quarter of 2014" from the General Directorate for the Protection of Public Order (GUOOOP). According to the metadata, the document was created on April 29, 2014 by Sergei Lukin, who, according to a number of news articles, is the Deputy Head of the same department. Document metadata such as author and creation date is trivially editable, so on its own it corroborates rather than proves authenticity; the strength of the case lies in the volume and consistency of the material. It is possible that a Ukrainian hacker spent months forging thousands of documents that perfectly match the style and content of Russian paperwork, along with matching metadata, but common sense and Occam's razor would lead one to believe otherwise.
The most interesting document in the cache so far may be a police account written on August 26 describing the circumstances of an August 25 battle between Russian soldiers and the Ukrainian National Guard 10 km northwest of the small village of Prognoi. The reason the Interior Ministry, and not the Foreign Affairs Ministry, wrote this account is that four of the Russian soldiers sustained injuries and were evacuated to a Rostov garrison hospital. With independent verification, this police account could serve as proof of the Russian government's knowledge of its military units operating in, or at the border of, a foreign country and firing upon its soldiers. That verification is not terribly hard to find.
On August 26, Andriy Lysenko, the spokesperson of the Ukrainian National Security and Defense Council, gave a briefing detailing an attack on Ukrainian border guards in the area of Krasnaya Talovka, which lies almost exactly 10 kilometers northwest of the small village of Prognoi. The Ukrainian account of this battle matches the account given by the Russian Interior Ministry.
Ukrainian account, translation:
"On August 25 in the area of Krasnaya Talovka of the Luhansk oblast, a sabotage and reconnaissance group which crossed the border from Russia was detected. At 3:00pm, a well-disguised border detail used automatic weapons to stop the advance of the saboteurs. Additional operational combat groups of border guards arrived at the battle as reinforcements. The fierce battle with Russian mercenaries lasted for two-and-a-half hours. The diversionary group was supported with fire from mortars, two APCs, and two IFVs from the Russian Federation. Additionally, Ukrainian border guards were fired upon by unguided rockets from two Mi-24 combat helicopters of the Russian armed forces. During the battle, four border guards died and three were wounded. Thanks to the actions of the heroes, a breakthrough across the border did not occur. The enemy suffered significant losses. The wounded and killed saboteurs were evacuated from the battlefield in Russia with an IFV under the cover of fire from APCs and helicopters."
Leaked Russian document, translation:
"On August 25, 2014 around 3:50pm, M.V. Polstyankin, O.Yu. Volgin, Yu.A. Alekseev, and A.A. Gerasimenko, serving in contracted Unit 51182 of the Millerovo locality, suffered injuries in the performance of official duties during a clash with the forces of the National Guard of Ukraine 10km north-west of the small village of Prognoi of the Tarasovsky region. At 6:52pm on August 25, 2014, the wounded were evacuated to the Rostov garrison hospital via a Mi-8 helicopter of the Russian armed forces."
There are additional details from the leaked document that can be independently verified, especially through a Gruz 200 investigation of Mikhail Polstyankin, a Russian soldier who perished during the battle near Krasnaya Talovka. Gruz (Cargo) 200, referencing the code name of the transport for Russian military casualties, is an advocacy group that has documented Russian military casualties in the Ukrainian conflict. Presenting four pieces of evidence, including a Facebook post of a family friend on August 28 reporting the death of a Mikhail Polstyakin on August 25, Gruz 200 makes a convincing case that corroborates the account found in the leaked Interior Ministry document.
This leak is almost certainly genuine and provides a rare glimpse into the inner workings of the Russian Interior Ministry, though limited to the Rostov branch. There are other interesting details in this set of documents, such as Russia's concern about weapons being trafficked from Ukraine, but the August 26 report documenting four injuries, one of which led to a death, of Russian soldiers confirms what nearly everyone has already suspected: Russia has used its official, enlisted military personnel to engage in combat with Ukrainian soldiers.
Ukrainian Cyber Forces
Dokukin has not exactly been secretive about his part in the ongoing cyber warfare. He frequently gives interviews and boasts of his group's successes online. Other than his hack of the Russian Interior Ministry servers, Dokukin provided RuNet Echo with a list of ongoing operations of the Ukrainian Cyber Forces, including the blocking of accounts belonging to pro-Russian separatists on electronic payment systems such as Yandex Money Wallet, and performing DDoS (distributed denial-of-service) attacks on pro-separatist websites such as novorosnews.ru and novorossia.co.
When asked how he and the Ukrainian Cyber Forces differ from pro-Russian hacking groups such as CyberBerkut, Dokukin says that the Russian hackers work under the Russian FSB (Federal Security Service), while his group, he claims, acts independently and is conducting a "Cyber ATO" (anti-terrorist operation) against the terrorists and Russian aggressors on the Internet. Furthermore, Dokukin sees the Ukrainian Cyber Forces' work as patriotic, as he believes that what they do "protect[s] Ukraine from their [Russia's] invasion."
"It's cyber war. And we fight against web sites, e-mails, accounts of terrorists in social networks and their videos and channels on YouTube. But some of our operations [are] related to off-line, like those in June-August with SMS-spamming and call-spamming on terrorists' phones, and especially blocking funding accounts of terrorists, which decrease possibilities of terrorists in real war."
Dokukin and Ukrainian Cyber Forces say that the goal of the Interior Ministry hack was "to find information about [the] Russian war against Ukraine." Although a wealth of information is now available online for checking and verification, it is unclear how the Ukrainian law enforcement and security services might use this leaked evidence. Russian officials, meanwhile, continue to deny the presence of Russian troops in Ukraine or their involvement in the conflict.
STOLEN : Serbian hackers claim to have stolen the entire national database
by Pierluigi Paganini, Security Affairs, December 13 2014
http://securityaffairs.co/wordpress/31068/cyber-crime/serbia-hackers-stolen-national-database.html
A group of hackers claims to have compromised Serbia's national database system and stolen all the information it holds on citizens resident in Serbia.
The hackers claim to have data on every citizen in Serbia; if the news is confirmed, this is another major data breach that could have serious repercussions for the Government.
It seems that the attackers broke into the Serbian state's network and accessed the identities of almost all Serbians, who are now exposed to the risk of fraud and identity theft. Five hackers have claimed that they compromised the Internet backbone of the Serbian identity system and stole the ID numbers of almost all citizens of the country. At the time of writing the Government of Serbia has not confirmed the data breach, but the hackers have leaked online a screenshot of what appears to be a list displaying data of Serbian citizens.
The hackers announced the data breach via email to the Serbian daily Blic, as also reported by the news portal InSerbia.
"We have whole Serbia in our hand. We have almost all information about the Serbian citizens starting from ID numbers to what they do, where they work, live, their phone numbers," the email reads.
Attached to the email was an image of a table from the Serbian national register containing data on citizens living in different cities of the country.
The hackers appear to be Serbians protesting against the national cyber police, which they say is more interested in pursuing Serbian hackers than Albanian cyber-criminal crews.
"We show this information in public for many reasons. The first and main reason is that our cyber police chases exclusively Serbian hackers while it ignores Albanian hackers. Now they will have more than specific reason to look for us, but they will waste their time," states the email.
The hackers also gave other motivations for the "patriotic" attack, declaring that they hit the national database to demonstrate that the Serbian cyber system is vulnerable.
"The third reason is that the state sees, and after multiple warnings realizes, that the security of the system is weak and that they should take more care about it," the e-mail reads.
If the data breach is confirmed, the possible consequences for the population are dramatic: unaware people could be targeted by cyber criminals using the stolen data for fraud and other illegal activity, and a national ID number, unlike a password, cannot simply be reset. The economic impact would also be severe. Something similar happened in South Korea, where the national ID system was compromised, exposing the numbers of as much as 80 per cent of the population.
Modernising the whole national ID system was estimated to cost South Korea about $650m.
DoS : Airport chaos as London airspace is restricted and flights delayed after computer failure
PASSENGERS faced widespread cancellations and delays to their flights today after a computer failure at the UK's air traffic control centre.
By Sarah Ann Harris, December 12, 2014
According to the European Organisation for the Safety of Air Navigation, a computer failure resulted in all airspace over London being severely restricted this afternoon.
NATS, the main air navigation service provider in the UK, confirmed that a technical problem had been reported at Swanwick Air Traffic Control centre.
While the problem itself lasted only from 3.30pm to 4pm, delays and cancellations were expected to drag on into the evening.
At Heathrow fifty flights were cancelled and others were delayed, but planes are now landing and taking off from the busy airport.
Transport Secretary Patrick McLoughlin said the disruption was unacceptable.
He said: "Any disruption to our aviation system is a matter of the utmost concern, especially at this time of year in the run up to the holiday season.
"Disruption on this scale is simply unacceptable and I have asked NATS for a full explanation of this evening's incident. I also want to know what steps will be taken to prevent this happening again."
Passengers departing Gatwick and Stansted also faced delays, while the problem also affected airports in Bristol, Southampton and Birmingham among others.
Heathrow warned more flights could be cancelled and delays were expected to continue and could last into tomorrow.
In a statement NATS said: "It will take time for operations across the UK to fully recover so passengers should contact their airline for the status of their flight.
"We apologise for any delays and the inconvenience this may have caused."
They added that they were investigating the cause of the failure, but that it was not due to a power outage as previously reported.
Airports as far north as Aberdeen and Edinburgh were hit by the computer problem.
Other airports that reported delays included Manchester, Luton, Leeds, Glasgow, London City and the East Midlands.
This evening large queues formed in front of check-in and customer services desks at Heathrow Terminal Five.
Worried travellers stood waiting for updates in front of flight information boards and television screens.
Some complained that airport staff could not tell them what was happening with their flight or what had caused the problem.
Susan Atkinson and husband Michael Alcock, from Trumbull in Connecticut, US, anxiously awaited news on their 8pm flight to Manchester.
Ms Atkinson, 53, said she was "disappointed" at the delay because she had not seen her family in Lymm, Cheshire, for two years.
She said: "I just want to get home to see my father and sister. I couldn't make it last year because of ill health.
"Hopefully we can fly tonight, we don't have anyone to stay with here in London."
Mr Alcock, 70, added: "I would say for now the word to describe how we're feeling is disappointed.
"If the hours go by without anything changing that could become more hostile feelings, especially since we don't really know what is going on."
Kevin Read, 38, an HGV driver from Bristol, was at Heathrow to pick up his wife Phennapha and baby son Brandon.
He said: "They are flying back from Thailand and were supposed to arrive at 5pm.
"The board says the flight was cancelled but I heard someone say that it's been diverted to Copenhagen. It's a nightmare situation for my wife - she's travelling alone with a nine-month-old baby and all the luggage.
"There's a lot of Heathrow staff around and they are being helpful, but there's not many BA staff here and they are the ones with information to do with flights.
"I queued for an hour at the customer service desk but they couldn't tell me anything."
At around 4.15pm NATS said its system had been restored and that it was in the process of returning to normal operations.
While the airspace restrictions were in place, online flight maps had shown dozens of planes over Heathrow waiting to land.
Earlier today Heathrow Airport said in a tweet from its official account: "Flights are currently experiencing delays due to a power outage at NATS control centre affecting UK airspace."
During the delays to take-offs several passengers tweeted pictures and videos from the runways of London's airports.
Clips reveal gridlocked planes taxiing slowly, as well as planes sitting with their engines switched off.
Some passengers said that they only found out what was going on when they received news alerts and calls from concerned relatives.
Kitty Read tweeted: "Just been told we're going to have to wait until at least 7.00!!
"Everyone around me seems to be a bit annoyed but not too angry."
Some passengers were understandably frustrated. Christine Leigh tweeted: "@HeathrowAirport you better have compensation for this computer failure I'm pushing 4 hrs delayed already and were stuck at gate."
However others seemed to be trying to make the best of things. Phil Damerell tweeted a picture of passengers on board a plane wearing festive hats and drinking beer, accompanied by the caption: "Stuck on the runway at Heathrow en route to Berlin... but we have beer! And it's Christmas!"
Daniel Howells, who lives near Heathrow, tweeted: "London airspace has been closed; I can literally see flights being diverted away. (The joys of living under the Heathrow flight path)".
Disk Image
A disk image is a software copy of a physical disk. It saves the entire contents of the disk, including the file system structure and all files and folders, in a single file. Because a disk image is an exact copy, or "clone", of the original disk, it can be used to duplicate disks or serve as a full backup from which a system can be restored.
Disk images can be created from both hard disks and optical media, such as CDs and DVDs; images of optical media are technically called "disc images" rather than "disk images". Several programs, such as Nero, IsoBuster and Norton Ghost, can make disk images on Windows, while Apple Disk Utility and Roxio Toast can create them on Mac OS X.
Most disk image files store the data in a raw, binary format: a byte-for-byte copy of the sectors of the original disk. To the host operating system such a file is a single opaque blob; the file system it contains, which tells the computer how to find the files and folders inside, is not interpreted until the image is mounted, either by the operating system or by a disk utility program. Because the copy is exact, a hash of the image can be compared with a hash of the source disk to confirm that nothing was altered or lost during imaging, which is the check a forensic examiner performs before treating an image as evidence.
File extensions: .ISO, .BIN, .DMG
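An added example for the entry above, not code from the newsletter or from any of the imaging tools it names: the Python below images a constructed sample "disk" byte for byte, verifies the clone with a SHA-256 hash of source and image, and then classifies the result from fixed-offset signatures (the MBR boot signature 0x55 0xAA at bytes 510-511 and the ISO 9660 "CD001" identifier at offset 0x8001). The signature checks go beyond what the entry describes; the sample disk contents are constructed, and the names make_fake_disk, image_disk, identify_image and demo are chosen here.

```python
"""Raw disk imaging with hash verification and signature sniffing.

Added example for the "Disk Image" glossary entry; not code from the
newsletter or from any imaging tool it names. Sample disk data is constructed.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB per read; a raw image is just a stream of sectors


def image_disk(src, dst, chunk=CHUNK):
    """Copy the byte stream src to dst, dd-style, and return the SHA-256 of the
    bytes read. Nothing is interpreted: partitions and files are copied blind."""
    h = hashlib.sha256()
    while True:
        buf = src.read(chunk)
        if not buf:
            break
        h.update(buf)
        dst.write(buf)
    dst.flush()
    return h.hexdigest()


def sha256_file(path, chunk=CHUNK):
    """Independent re-hash of a file, used to confirm source and image agree."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def identify_image(path):
    """Classify a raw image from on-disk signatures. The image remains an opaque
    blob to the host; these checks only peek at fixed offsets, nothing is mounted."""
    with open(path, "rb") as f:
        head = f.read(0x8006)
    # ISO 9660 (optical "disc" image): primary volume descriptor in sector 16 of
    # 2048-byte sectors, i.e. offset 0x8000: type byte 1 followed by "CD001".
    if len(head) >= 0x8006 and head[0x8000] == 1 and head[0x8001:0x8006] == b"CD001":
        return "iso9660"
    # MBR-partitioned hard disk: boot signature 0x55 0xAA at bytes 510-511.
    if len(head) >= 512 and head[510:512] == b"\x55\xaa":
        return "mbr"
    return "unknown"


def make_fake_disk(kind, size=0x9000):
    """Constructed sample 'disk' (not real media): a repeating byte pattern with
    the signature for the requested kind planted at the right offset."""
    buf = bytearray((bytes(range(256)) * (size // 256 + 1))[:size])
    if kind == "mbr":
        buf[510:512] = b"\x55\xaa"
    elif kind == "iso":
        buf[0x8000] = 1
        buf[0x8001:0x8006] = b"CD001"
    return bytes(buf)


def demo(kind):
    """Write a constructed disk, image it, verify the clone and classify it.
    Returns (hashes_match, image_type)."""
    with tempfile.TemporaryDirectory() as d:
        src_path = os.path.join(d, "disk.bin")
        img_path = os.path.join(d, "disk.img")
        with open(src_path, "wb") as f:
            f.write(make_fake_disk(kind))
        with open(src_path, "rb") as src, open(img_path, "wb") as dst:
            acquired = image_disk(src, dst)
        # A mismatch here means the copy is not a clone (truncation, read errors,
        # tampering) and must not be trusted as a backup or as evidence.
        ok = acquired == sha256_file(src_path) == sha256_file(img_path)
        return ok, identify_image(img_path)


if __name__ == "__main__":
    for k in ("mbr", "iso", "plain"):
        print(k, demo(k))
```

Against a real device the source would be the block device opened read-only (ideally behind a hardware write-blocker) rather than a file, and the acquisition hash would be recorded alongside the image so that later re-hashes can prove the image is unchanged.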
"The masses have never thirsted after truth. Whoever can supply them with illusions is easily their master; whoever attempts to destroy their illusions is always their victim."
Gustave Le Bon, "The Crowd"