Newsletter
IT and Cyber Security News Update from
Centre for Research and Prevention of Computer Crimes,
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005
January 21, 2015, Issue no 1533
Tenth year of uninterrupted publication
Today's edition
LAW : Obama Says Stricter Cybersecurity Laws Needed To Combat Hackers
DRILL : US and UK to play "cyber war games" with each other
ESPIONAGE : Mercenary Hacker Crews Offering Espionage-as-a-Service Are On The Rise
UNSAFE : 2 million cars unsafe on road due to unsafe insurance dongle
(Click on heading above to jump to related item. Click on Top to be back here)
LAW : Obama Says Stricter Cybersecurity Laws Needed To Combat Hackers
By Thomas Halleck
January 20, 2015
U.S. President Barack Obama said in his annual State of the Union address on Tuesday evening that new cybersecurity laws are necessary to address hacking, identity theft and cyberwarfare. Critics say the new laws are overly harsh and could impede computer security research in the U.S.
Obama also asked Congress during the Tuesday night speech to pass laws to protect consumers affected by a data breach and to enable better communication between the government and companies about cyberthreats. The president said the U.S. is not able to fully protect its citizens' privacy online, including the private data of children.
"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families," Obama said in remarks prepared ahead of his State of the Union address. "We are making sure our government integrates intelligence to combat cyberthreats, just as we have done to combat terrorism."
Recent events have highlighted the need for government action, Obama said. The hacking of Sony Pictures Entertainment and data breaches at major retailers are evidence that if the U.S. doesn't act, "we'll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."
The White House has said the laws will
focus on communication between the government and private industry on emerging
cyber threats, requiring businesses to notify individuals about data breaches
and enacting stricter laws to punish cyber criminals. Critics say that the laws
overreach -- a 10-year penalty for sharing an HBO Go password, for example --
and could have a negative effect on the nation's cybersecurity.
"Under the Administration's proposal, the Department of Justice could get creative and threaten up to 10 years in prison if you know your friend will use one of your passwords you shared with them, even if you have no 'intent to defraud,' important limiting language the Administration wants removed from the statute," said a statement from the Electronic Frontier Foundation (EFF), an Internet freedom advocacy group.
The most serious issue with Obama's cybersecurity proposal is that an action that "exceeds
authorized access" on a computer becomes a criminal act. The EFF claims the
new laws could "chill the computer security research that is a central
part of our best defense against computer crime."
Also see -
https://firstlook.org/theintercept/2015/01/20/obamas-cyber-proposals-sound-good-totally-clueless/
http://www.tomsguide.com/us/obama-cfaa-revisions-infosec,news-20330.html
DRILL : US and UK to play
"cyber war games" with each other
by Lee Munson
January 16, 2015
https://nakedsecurity.sophos.com/2015/01/16/us-and-uk-to-play-cyber-war-games-with-each-other/
Agents from the United States and United Kingdom will carry out simulated cyber attacks against each other following talks between President Barack Obama and Prime Minister David Cameron.
A series of "war games" will
begin with a staged attack against the financial sector as both countries look
to bolster their defences against computerised
attacks.
According to the BBC, the first
exercise will involve the Bank of England and commercial banks and will also
target the City of London as well as Wall Street.
Later exercises will be run to test
other areas of critical infrastructure including power suppliers and transport
networks.
The two countries will jointly create
a "cyber cell" that will include agents from both nations who will
conduct the tests and then share information on the threats as well as plans
for combatting hackers.
The Guardian reports that the US
division of the cell has already been set up with agents from MI5, GCHQ and the FBI. It says a similar cell will be created
within the UK shortly.
The planned measures are part of a two-day set of talks between Obama and Cameron in which the pair are discussing the economy and terrorism, as well as cybersecurity. The talks come in the wake of the recent Sony hack and the takeover of social media accounts under the control of US Central Command earlier this week.
The new deal on cybersecurity will also see additional funds made available towards the training of the next generation of security experts, an area currently experiencing a huge skills shortage. David Cameron said:
"The joint exercises and training of our next generation of cyber-experts will help to ensure that we have the capability we need to protect critical sectors like our energy, transport and financial infrastructure from emerging threats."
As talks continue, Cameron is expected
to push for more cooperation from tech and social giants including Google,
Apple, Facebook and Twitter. He is likely to ask
Obama to exert more pressure on such companies to collaborate with the security
services as they look to gather more communications data and intelligence from
suspected terrorists.
Earlier this week Cameron said he will, if re-elected prime minister in May's national election, legislate against encrypted communications that currently pose problems for the security services, who are unable to read them.
In an interview with the BBC's Nick Robinson, David Cameron explained how cyber attacks are one of "the biggest modern threats we face", stating that 8 out of 10 large companies in Britain have had some sort of cyber attack against them.
Cameron went on to say that the expertise to deal with such threats already exists on both sides of the Atlantic, but by combining resources the two countries could create "a system where countries and hostile states and hostile organisations know that they shouldn't attack us."
ESPIONAGE : Mercenary Hacker Crews
Offering Espionage-as-a-Service Are On The Rise
PRNewswire
Jan. 16, 2015
http://jeffreycarr.blogspot.co.uk/2015/01/mercenary-hacker-crews-offering.html
Although the Sony attack was loud, damaging and hugely embarrassing to the company, the bigger threat is from mercenary hacker crews who steal billions of dollars of valuable technology secrets every year from U.S. companies on behalf of paying clients, according to Jeffrey Carr, President and CEO of Taia Global, Inc.
"These mercenary hacker groups
range from small groups with little funding to specialty shops run by
ex-government spooks to highly financed criminal groups who use similar if not
identical tactics to nation state actors," according to Carr, the author
of a new report on the subject. "That they are rarely discovered is due in
part to their skill level and in part to being mis-identified
as a state actor instead of a non-state actor if they are discovered. The low
risk of discovery, frequent misattribution to a nation state, and growing
demand of their services ensures that the EaaS threat
actor will flourish in the coming 12 to 24 months."
The FBI filed a criminal complaint
last summer and a federal grand jury subsequently indicted Su Bin, the
President of Lode-Tech. Bin was charged with 5 counts of conspiracy on a cyber
espionage campaign that was in operation from at least 2010 until 2014. The
hacker crew that he hired wasn't named and is presumed to still be active. Stolen technologies included information
about the F-35, F-22, and C-17 aircraft, and according to the criminal
complaint, the hackers claimed that they were in a position to breach the
network of Brahmos Aerospace, a joint venture between
the Indian government and a Russian joint stock company.
"This report reveals details on EaaS operations culled from court documents, published
papers, and personal interviews that I've had with Russian and Chinese
hackers," said Carr. "It also helps companies understand how to
defend against this new type of threat actor."
Mercenary hacker groups are small, skillful, well-paid and have no nation-state affiliation. Instead, they are hackers for hire, whether it's a Chinese millionaire like Su Bin, a Russian oligarch or a western business competitor of the company being targeted. The aerospace industry is among the hardest hit, but any company that is investing in high-value research and development can be a target. Taia Global's report "The TRIES Framework: Counter-Reconnaissance against EaaS Threat Actors" is available for download at TaiaGlobal.com at https://taia.global/wp-content/uploads/2015/01/EAAS-White-Paper.pdf
UNSAFE : 2 million cars unsafe on road due to unsafe insurance dongle
Hacker Says Attacks On
'Insecure' Progressive Insurance Dongle In 2 Million US Cars Could Spawn Road
Carnage
Forbes
15 January 2015
Corey Thuen has been braving the snow and sub-zero temperatures of Idaho nights in recent weeks, though any passerby would have been perplexed by a man, laptop in hand, tinkering with his aptly-named 2013 Toyota Tundra at such an ungodly hour.
He hasn't been doing repairs, however. Quite the opposite. Thuen, a security researcher at Digital Bond Labs who will present his findings at the S4 conference in a talk titled "Remote Control Automobiles", has been figuring out how he might hack the vehicle's on-board network via a dongle that connects to the OBD2 port of his pickup truck. That little device, Snapshot, provided by one of the biggest insurance providers in the US, Progressive Insurance, is supposed to track his driving to determine whether he deserves to pay a little more or less for his cover. It's used in more than two million vehicles in the US. But it's wholly lacking in security, meaning it could be exploited to allow a hacker, be they in the car or outside, to take control over core vehicular functions, he claims.
It's long been theorised that such usage-based insurance dongles, which are permeating the market apace, would be a viable attack vector. Thuen says he's now proven those hypotheses; previous attacks via dongles either didn't name the OBD2 devices or focused on another kind of technology, namely Zubie, which tracks the performance of vehicles for maintenance and safety purposes.
But he hasn't gone as far as to actually mess with the controls of his Toyota. By hooking up his laptop directly to the device he says he would have been able to unlock doors, start the car and gather engine information, but he chose not to weaponise his exploits, he told Forbes. "Controlling it wasn't the focus, finding out if it was possible was the focus."
He started by extracting the firmware from the dongle, reverse engineering it and determining how to exploit it. It emerged the Snapshot technology, manufactured by Xirgo Technologies, was completely lacking in the security department, Thuen said. "The firmware running on the dongle is minimal and insecure. It does no validation or signing of firmware updates, no secure boot, no cellular authentication, no secure communications or encryption, no data execution prevention or attack mitigation technologies... basically it uses no security technologies whatsoever."
The researcher noted that for a remote attack to take place, the concomitant u-blox modem, which handles the connection between Progressive's servers and the dongle, would have to be compromised too. Such systems have been exploited in the past, as noted in a paper by Ralf-Philipp Weinmann, from the University of Luxembourg.
Regardless of the steps needed for a successful attack, it's apparent such dongles are insecure, posing a genuine risk to people's lives, Thuen added. "I suspected that these dongles were built insecurely, and I was correct. The technology being used in them is outdated and vulnerable to attack, which is highly troubling considering it is being used to remotely access insecure-by-design vehicle computers," he said. "A skilled attacker could almost certainly compromise such dongles to gain remote control of a vehicle, or even an entire fleet of vehicles. Once compromised, the consequences range from privacy data loss to life and limb.
"Also, there is the attack vector of Progressive backend infrastructure. If those systems are compromised, an attacker would have control over the devices that make it out to the field.
"In simple terms, we have seen that cars can be hacked and we have seen that cell comms can be hacked."
Privacy of data within cars is also a growing concern, one highlighted by Thuen's research. BMW this week said it had repeatedly been asked by technology companies and advertisers to hand over the data their cars generated, but it has refused to give in to those requests. Thuen said it would be possible to intercept data passed between the dongles and the insurance provider's servers, likely including location and performance information, as they do nothing to encrypt or otherwise protect the information they collect.
Xirgo had not responded to Forbes' requests for comment. Thuen said he'd tried to disclose his findings to Xirgo but got no response. Progressive said it hadn't heard from Thuen, but handed this comment via email to Forbes: "The safety of our customers is paramount to us. We are confident in the performance of our Snapshot device used in more than two million vehicles since 2008 and routinely monitor the security of our device to help ensure customer safety.
"However, if an individual has credible evidence of a potential vulnerability related to our device, we would prefer that the person would first disclose that potential vulnerability to us so that we could evaluate it and, if necessary, correct it before the vulnerability could be exploited. While it's unfortunate that Mr. Thuen didn't share his findings with us privately in advance, we would welcome his confidential and detailed input so that we can properly evaluate his claims."
The findings landed on the same day as the World Economic Forum's Global Risks 2015 report warned about the increasing potential for digital attacks on cars. "There are more devices to secure against hackers, and bigger downsides from failure: hacking the location data on a car is merely an invasion of privacy, whereas hacking the control system of a car would be a threat to life. The current internet infrastructure was not developed with such security concerns in mind," the report read.
One of the report's contributors, John Drzik, president for global risk and specialties at insurance giant Marsh, told Forbes the insurance industry hasn't quite grasped the problem of vehicular digital security.
Drzik said insurance companies could actually provide much of the impetus required to secure cars from hackers. They could, for instance, develop standards for being insured against such cyber risks or within the technologies, he added.
Donationware
Donationware
is software that is free to use, but encourages users to make a donation to the
developer. Some donationware programs request a
specific amount, while others allow users to determine what the program is
worth and send in an appropriate donation. Unlike shareware, which may provide
limited functionality until a registration key is purchased, donationware is fully functional. Therefore, donationware is more similar to freeware, which is free to
use, but retains the author's copyright.
Some donationware programs make
subtle requests for donations, such as an option in the menu bar. Others are
more blatant, and may prompt you for a donation each time you open the program.
This dialog box should disappear once you have made a contribution. Most donationware programs allow you to donate to the developer
via a credit card or PayPal account.
If you find a certain donationware application to be useful, you can be sure the developer will appreciate your donation. Just make sure that the website you use to donate is legitimate and provides a secure (HTTPS) connection.
Nations have recently been
led to borrow billions for war; no nation has ever borrowed largely for
education... no nation is rich enough to pay for both war and civilization. We
must make our choice; we cannot have both.
Abraham Flexner
Note -