Newsletter
IT and Cyber Security News Update from Centre for Research and Prevention of Computer Crimes,
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005
February 02, 2015, Issue no 1538
Tenth year of uninterrupted publication
Today's edition
CHANGE : US Military to Replace Passwords with "Cognitive Fingerprints"
TREND : Ford Lincoln announces remote-control car app as BMW issues security patch
TRIGGER : Only fall of global firm will shake up cyber security
CHANGE : US Military to Replace Passwords with "Cognitive Fingerprints"
By Tara Seals
Infosecurity Magazine
29 Jan 2015
The US military is working on replacing passwords with cognitive fingerprints. These rely on stylometrics, which is an analysis of how language is used by individuals. Each person has a different stylometric profile of how they type and word-process, which can be more personally identifying than simple biometrics.
The identity verification system is being developed thanks to a multimillion-dollar grant to the West Point military academy. The system will use a person's behavior to confirm identity, by recognizing the way a person types: frequent typos, how the mouse or cursor is used, typing speed and so on.
"Just as when you touch something with your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a 'cognitive fingerprint'," explained a contract document seen by Sky News and reported by Yahoo! Finance.
It added, "The biometrics program is creating a next generation biometric capability built from multiple stylometric/behavioral modalities using standard Department of Defense computer hardware."
The system will be used for encrypted data communications across all of its services, and is part of the Defense Advanced Research Projects Agency (DARPA) active authentication program. But consumer applications for the technology could be myriad, particularly when it comes to e-commerce, online banking and the internet of things ecosystem.
"The current standard method for validating a user's identity for authentication on an information system requires humans to do something that is inherently unnatural: create, remember, and manage long, complex passwords," DARPA said. "Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console."
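The gap DARPA describes is that a session, once unlocked by a password, is trusted until logout. The following is an added illustration of the idea behind active authentication and is not DARPA's, West Point's or the programme's code: it enrols a per-digraph keystroke-latency profile, scores fixed windows of a live session against it and flags windows that should trigger a re-challenge. The function names, thresholds and typing samples are constructed for the example.

```python
"""Continuous ("active") authentication from keystroke rhythm, in the spirit of the DARPA
programme above. Illustrative code added here, not DARPA's or West Point's."""
from statistics import mean, pstdev
def digraph_latencies(strokes):
    """strokes: list of (key, timestamp_ms). Returns digraph -> list of inter-key latencies."""
    lat = {}
    for (k1, t1), (k2, t2) in zip(strokes, strokes[1:]):
        lat.setdefault(k1 + k2, []).append(t2 - t1)
    return lat
def enrol(samples, floor_ms=10.0):
    """Build the profile digraph -> (mean_ms, stddev_ms) from several typing samples."""
    pooled = {}
    for s in samples:
        for dg, vals in digraph_latencies(s).items():
            pooled.setdefault(dg, []).extend(vals)
    # stddev is floored so a few near-identical samples cannot make the profile over-confident
    return {dg: (mean(v), max(pstdev(v), floor_ms)) for dg, v in pooled.items() if len(v) >= 2}
def score_window(profile, strokes):
    """Mean |z| over enrolled digraphs (lower = more like the enrolled user); inf if none overlap."""
    zs = []
    for dg, vals in digraph_latencies(strokes).items():
        if dg in profile:
            m, sd = profile[dg]
            zs.extend(abs(x - m) / sd for x in vals)
    return mean(zs) if zs else float("inf")   # an unknown rhythm is never trusted
def monitor(profile, session, window, threshold=2.5):
    """Score consecutive windows; return (start_index, score) wherever the session should be re-challenged."""
    alerts = []
    for i in range(0, len(session) - window + 1, window):
        s = score_window(profile, session[i:i + window])
        if s > threshold:
            alerts.append((i, round(s, 2)))
    return alerts
def typed(text, cadence, jitter, start=0.0):
    """Constructed keystroke log: key i lands cadence + jitter[i % len(jitter)] ms after key i-1."""
    out, t = [], start
    for i, ch in enumerate(text):
        out.append((ch, t))
        t += cadence + jitter[i % len(jitter)]
    return out

# Constructed data: three enrolment samples from one user, then a session in which the same
# phrase is typed by that user and, after a 2 s pause, by someone with a different rhythm.
ENROLMENT = [typed("the test", 120, j) for j in ((-10, 0, 10, 5, -5), (0, 10, -10, 5, 5), (5, -5, 0, 10, -10))]
PROFILE = enrol(ENROLMENT)
SESSION = typed("the test", 120, (-5, 5, 0, 10, -10)) + typed("the test", 250, (20, -15, 40, 0, -30), 2840.0)
def run_demo():
    return monitor(PROFILE, SESSION, window=8)   # -> [(8, 13.24)]: only the second half is flagged
```

The first window (the enrolled user) scores about 0.33 and passes; the second (a different cadence) scores about 13 and is flagged, which is the moment a real system would demand re-authentication instead of trusting the original login.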
Pirate Bay Won't Make A Full Comeback, Staff Revolt
By Ernesto
January 27, 2015
According to insiders The Pirate Bay will slim down its operations for the planned comeback. The new version of the site is expected to operate without former admins and moderators, who have responded furiously to the decision. Many key staffers have left the ship to launch their own TPB.
Judging from all the teasers on the Pirate Bay homepage the notorious torrent site is preparing to relaunch this weekend.
Those in control of the domain have yet to make an official announcement but several sources inform TF that the site won't make a full comeback.
Instead, The Pirate Bay is expected to launch a trimmed down version without room for the dozens of moderators and admins who looked after the site over the past decade.
This lighter version of The Pirate Bay will be easier to operate but the plan has also upset many former staffers. This includes people who have been with the site for over a decade, removing fake torrents and other types of spam.
Several admins and moderators have responded to the news with anger and are now openly distancing themselves from the thepiratebay.se site that was their home for years.
"I wish I had better news to come with. The launch that is about to take place on February 1 is not us," says WTC-SWE, one of the lead admins of The Pirate Bay.
"It was until some dickhead decided to take TPB crew out of the picture. He thinks a site can be run without any staff at all and at the same time keeping up with fakes, internal issues etc," he adds.
What stings them the most is that many dedicated individuals, who put countless hours into keeping the site functioning, now appear to be being pushed aside on a whim.
"Personally I won't accept this, neither will any of the crew that's been active for almost 10-11 years. As an admin and human, I won't stand aside and accept this kind of behavior. This is the worst scenario that could happen," WTC-SWE says.
"You don't treat people like horseshit," he adds.
The staff, now in open revolt, have closed the official #thepiratebay IRC channel on EFnet to the public. They won't offer support anymore for a site that they have no control over, but warn people who do want to visit it to be cautious of malware.
Instead, the former TPB crew members are now preparing to launch their own version of the site. This spin-off will be operated from a new domain and will have several long-time mods and admins on board.
WTC-SWE says that they are in possession of a TPB backup which will be used to revive the old site in full. The full staff of moderators and admins remains under his wings and will start over at a new home.
"It's only a matter of time. I will need to blast the whole coding and clean up all the mess. The real TPB will be back with proper staff and all," WTC-SWE says.
Thus far, the people running the official thepiratebay.se domain have remained quiet. In a few days, when the count-down completes, we are likely to know more about their vision for the site's future.
TREND : Ford Lincoln announces remote-control car app as BMW issues security patch
02 February 2015
Ford Motor Company's Lincoln luxury brand is to announce an app to enable users to control their cars remotely as BMW issues a security patch for a flaw affecting 2.2 million vehicles.
The MyLincoln smartphone app developed with Google will allow users to schedule remote starts as well as lock and unlock their cars, reports The Detroit News.
MyLincoln is the first app of its kind to be integrated with the Android organiser app Google Now, and is likely to raise concerns with privacy watchdogs and cyber security professionals.
But users may disregard the risks to benefit from remote start functionality that will ensure the vehicle is cooled off or warmed up by the time they are ready to drive.
"Delivering unique experiences for the luxury client throughout ownership is fundamental to Lincoln," Matt VanDyke, director, global Lincoln, said in a statement.
"By innovating with leading tech companies, we have an opportunity to personalize the ongoing interaction between the customer and the vehicle."
The Google Now and MyLincoln apps will be connected through an embedded modem in the vehicle.
Security concerns
Lincoln said the MyLincoln Mobile connectivity and Google services are opt-in features, and notifications can be turned off.
But the car maker made no mention of security or privacy, which will be key to the app's success, especially as it can also be used to locate vehicles.
Security concerns are underlined by the fact that BMW released a patch for a security flaw that could have allowed hackers to unlock about 2.2 million BMW, Rolls-Royce and Mini cars.
The vulnerability in BMW's ConnectedDrive infotainment system was discovered by the German motorist association ADAC, reports Slashgear.
ADAC said it proved with several vehicles that they could be unlocked remotely using a smartphone. "The procedure leaves no trace and runs in minutes," the organisation said in a statement.
ADAC said it had waited for BMW to release a patch before revealing the flaw. "As a responsible consumer advocate we have held off publication of this vulnerability until it was closed by the manufacturer to prevent criminals exploiting the attack," the organisation said.
Finance-grade encryption
Like the MyLincoln app, the BMW system uses a mobile data connection to enable users to lock vehicles remotely.
BMW has boosted the security of the system with the same encryption used by financial institutions and other connected services in its vehicles. Affected vehicles should update automatically.
The patched systems can now confirm that they are connected to one of BMW's servers and not a cyber criminal.
BMW said: "No cases have come to light yet in which data has been called up actively by unauthorised persons."
But BMW should have ensured the data transmission was secure in the first place, said independent security consultant Graham Cluley.
"Yes, it's good that BMW has fixed the problem. But frankly I think they're being a little disingenuous talking about 'rapid response' if this issue was first brought to their attention in the middle of last year," he wrote in a blog post.
Cluley said BMW, Rolls-Royce or Mini owners who are concerned their vehicle may not have received the update should choose Update Services from the car's menu.
ADAC has called on all car makers and technology partners to protect against cyber attacks by certifying their systems and processes against information security standards like the Common Criteria for Information Technology Security Evaluation.
TRIGGER : Only fall of global firm will shake up cyber security
Warwick Ashford
30 January 2015
http://www.computerweekly.com/news/2240239200/Only-fall-of-global-firm-will-shake-up-cyber-security
It will take a major global company going down in the wake of a cyber attack to really shake up information security, according to City of London Police commissioner Adrian Leppard.
This is evidenced by the fact JP Morgan has doubled its information security budget after it was hit with a breach in August 2014, along with several other banking institutions.
"Loss of trust in a large multi-national is probably the only thing that will make governments do anything radically different," Leppard told a NEDForum summit in London.
But, he said, this was not a criticism of the UK government, which is doing all it can with investment of nearly £1bn in support of a national cyber security strategy.
"We really could not ask more of the UK government, yet cyber crime is getting worse not better, which means we have reached the point where everyone has to take responsibility," said Leppard.
It is becoming clear that governments are no longer able to protect citizens in the same way as they did in the past, he added, with criminals able to strike from anywhere in the world.
The UK, and London in particular, is also one of the most highly targeted countries in the world because it is one of the largest global economic centres, with many financial institutions.
Leppard said: "It is clear that although we are getting better at dealing with cyber crime, law enforcement with scale cyber crime society is facing. We are never going to enforce our way out of the problem.
"The only way we are going to be able to deal with cyber crime properly is by everyone improving their crime prevention capabilities in combination with increased action business and industry."
According to Leppard, law enforcement organisations around the world are now looking to partner with business and industry to help them to protect the global economy, because they hold all the critical data.
In the UK alone, some estimates put the cost of cyber crime at £27bn a year. But Leppard said the value of reported cyber crime comes nowhere near this figure.
UK police forces estimate only a fraction of cyber crime is reported.
"We believe we see only about 20% of all cyber enabled fraud, only 20% of these reports can be followed up and only 20% result in successful prosecutions," said Leppard. "The way forward is partnership with business and industry."
Police pursuing closer relationship with business
UK police, including the National Crime Agency's National Cyber Crime Unit, are actively pursuing a closer relationship with business.
"We are also discussing ways of encouraging industry to increase the level of reporting, whether this is about providing easier electronic means for doing so or if legislation is needed," said Leppard.
Finding the right approach is a huge challenge facing policy and law makers, and this is something the police are discussing with government.
"But all governments shy away from legislation that could potentially stifle legislation. I am advocating that we have a rigorous debate about how best to encourage people to do the right thing.
"The answer may lie in regulation or legislation, but I think the answer is more likely to be found through enabling business to see a commercial advantage in good cyber security."
Leppard said another important part of the solution is finding ways to harden targets. "We need to be able to gather and share threat intelligence quickly, but that depends on better reporting," he said.
Businesses must adopt a good cyber security standard
Businesses also need to adopt a good cyber security standard that is part of overall company security and ensure that everyone in the company is working to that standard.
"The answer is not more policing," said Leppard. "But better collaboration between law enforcement and industry, with the role of police increasingly about helping industry to protect itself.
"It would help if all organisations were working to a common standard of information security, but I do not know how that could be achieved."
Leppard said the UK government's Cyber Essentials Scheme is a good place to start in establishing a minimum standard, but he said this only provides lightweight protection.
The biggest concerns for police in the year ahead, he said, are the potential proliferation of encrypted communications and the potential loss of security integrity of mobile communications.
"It is difficult to know where the biggest challenges will lie, but we are confident they will involve a cyber element," Leppard concluded.
Double Click
Double clicking involves clicking your mouse button quickly two times. To perform a double click, and not just two clicks, the mouse button must be pressed twice within a very short time, typically about half a second. Most operating systems allow you to lengthen or shorten the maximum time allowed for a double click, using the Mouse Control Panel or System Preferences.
A double click is recognized by your computer as a specific command, just like pressing a key on your keyboard. Double clicking is used to perform a variety of actions, such as opening a program, opening a folder, or selecting a word of text. In order to double click an object, just move the cursor over the item and press the left mouse button quickly two times.
"It is always a simple matter to drag the people along, whether it is a democracy, or a fascist dictatorship, or a parliament, or a communist dictatorship. Voice or no voice, the people can always be brought to the bidding of their leaders. That is easy. All you have to tell them is that they are being attacked and denounce the peacemakers for lack of patriotism and exposing the country to danger. It works the same in any country."
Hermann Goering, Nuremberg Trials
Note -