Newsletter
IT and Cyber Security News Update from
Centre for Research and Prevention of Computer
Crimes,
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005 January
05, 2015 Issue
no 1527
Tenth year of
uninterrupted publication
Todays edition
GROWTH : Cyber crimes in India likely to double to 3 lakh in
2015
GOOD YEAR : 2014
was a golden year for cybercrime
GAME-CHANGER : Sony hack could be game changer
(Click on heading above to jump to related item. Click on Top to be back here)
GROWTH : Cyber crimes in India
likely to double to 3 lakh in 2015
PTI
January
5, 2015
Rising
at an alarming rate, the number of cyber crimes in the country may double to 3
lakh in 2015 and could pose serious economic and national security challenges,
an Assocham-Mahindra SSG study has warned.
The
increasing use of smartphones and tablets for online
banking and other financial transactions have increased risks.
India
has emerged as a favourite among cybercriminals,
mostly hackers and other malicious users who use the Internet to commit crimes
such as identity theft, spamming, phishing and other types of fraud.
As
per the studys findings, total number of cyber crimes registered during 2011,
2012, 2013 and 2014 stood at 13,301, 22,060, 71,780 and 1,49,254
respectively.
What
is causing even more concern is that the origin of these crimes is widely based
abroad in countries like China, Pakistan, Bangladesh and Algeria, among
others, Assocham Secretary General D S Rawat said.
Phishing
attacks of online banking accounts or cloning of ATM/debit cards are common
occurrences. Maximum number of offenders belong to the 18-30 age group, added
the report.
With
increasing use of information technology (IT) enabled services such as
e-governance, online business and electronic transactions, protection of
personal and sensitive data have assumed paramount importance.
The
economic growth of any nation and its security whether internal or external and
competitiveness depends on how well is its cyberspace secured and protected,
said Rawat.
The
attacks have mostly originated from the cyber space of countries including the
US, Europe, Brazil, Turkey, China, Pakistan, Bangladesh, Algeria and the UAE,
the study revealed.
Smartphone
users rarely check for security certificates while downloading apps (games,
music and other software) from third party or unsecured sites, the study said, adding
that mobile banking apps store data such as PIN and account number, on the
phone.
There
is a risk that if the phone is hacked or stolen, then the information is
compromised, the study said.
It
further stated that mobile frauds are an area of concern for companies as 35-40
per cent of financial transactions are done via mobile devices and this number
is expected to grow to 55-60 per cent by 2015.
Rising
Internet penetration and online banking have made India a favourite
among cybercriminals, who target online financial transactions using malicious
software (malware). India ranks third after Japan and US in the list of
countries most affected by online banking malware during 2014, the study said.
Andhra
Pradesh, Karnataka and Maharashtra have seen the highest number of cyber crimes
registered under the new IT Act in India. Interestingly, these three states
together contribute more than 70 per cent to Indias revenue from IT and IT
related industries.
Also
see
http://www.orissadiary.com/ShowBussinessNews.asp?id=56198
GOOD YEAR
: 2014 was a golden year for cybercrime
2014 was not a good year for keeping things safe under digital
lock and key
The
Conversation
January
3, 2015
http://mybroadband.co.za/news/security/116171-2014-was-a-golden-year-for-cybercrime.html
Looking
back, 2014 was not a good year for keeping things safe under digital lock and
key. If a score was being kept, it might seem that the cybercriminals are in
the lead, despite the valiant efforts and own goals from the cybersecurity profession worldwide.
Cast
your mind back to March, everyone was panicking about the HeartBleed
bug. Based on an error in code upon which the majority of the worlds secure
servers relied, experts had plenty of time to fix the issue. Sadly there was an
array of conflicting information about changing passwords, leading to
widespread confusion. While most IT administrators made sure this was managed
in a professional manner, it created a stir that seemed to set the tone for the
year.
In
May, online auction giant Ebay admitted to having
been compromised. The site said its systems, with personal details of tens of
millions of users, may have had been vulnerable for months. Everyone was
advised, indeed forced, to change their password.
In
the same month, iPhones were hijacked and their
owners blackmailed by the cunning Oleg Pliss ransomware, locking phones and threatening to delete data
unless cash was paid.
In
this case, the criminals managed to acquire a database of usernames and
passwords, maybe via HeartBleed, and cracked the
passwords. As its well-known that many users reuse
the same passwords for many accounts, the Oleg Pliss
attackers searched for iCloud email accounts and
simply stepped through their list of passwords until they were successful. Then
they remotely locked the phones and demanded a ransom. What was clever about
this attack is that it targeted the weak link lax security among humans
rather than the tough target, the security of the iPhone
itself.
Already
3-0 to the cybercriminals by half-time, it wasnt looking too good for Team Cybersecurity. In June there was finally a score for law
enforcement: Gameover Zeus, a prolific botnet, was brought down through a combined operation from
the FBI, UK National Crime Agency and other international agencies. It gave
security experts time to hose down their systems, upgrade security measures and
re-group, knowing that it would be weeks before this botnet
could rally.
The
most popular mobile phone and tablet operating system, Android did not have a
good year. With the most mobile malware, Android is seen as a system that needs
to clean up its act, with vulnerabilities exploited through text messages, and
potentially revealing intimate details left behind on second-hand devices that
had been supposedly wiped.
In
July, the focus was back on Apples iOS phone
operating system, in which a back door was discovered, proving a major
embarrassment for the company. Its interesting that the subsequent release of iOS, version eight, brought full encryption to the phone,
suggesting that Apple has tried to fill this hole much to the annoyance of
some national security agencies.
September
arrived with a bang, as dozens of celebrities found naked pictures of themselves posted online. The issues earlier in the year
that proved the potential to gain access to iCloud
accounts had been realised, with the images stripped
not from the phones themselves but from the iCloud
accounts linked to them. Apples response was to generate a notification
following any access to an iCloud account but that
may be too little too late if an intruder has already copied your more intimate
snaps.
Later
the same month, the discovery of the Shellshock bug makes it 7-1. This was a
another issue arising from decades old code in the Bash shell software, since
incorporated into millions of computers and embedded devices worldwide. Its
ironic that, after years in which Microsoft Windows was regularly compromised,
2014 was the year in which the heat was turned on open source systems like
Linux.
As
November came around we witnessed a spectacular own goal, when a particularly
complex and aggressive malware, Regin, was alleged to
be the product of Western intelligence agency experts. Of course, nobody has
come forward to take the credit but its clear that there are very capable cybersecurity or cybercriminal experts out there who have
the time and resources to create bespoke attacks for their own ends.
December
brings the season for joy for many but not for Sony Pictures, which suffered
an attack that leaked unreleased films online, posted embarrassing internal
emails for all to see, and brought the companys internal systems to their
knees. Perhaps most embarrassing is that this seems to be becoming a habit for
Sony Corporation.
Come
Christmas Day, the servers supporting the XBox and
PlayStation online gaming platforms were hacked.
All
in all, such a 10-1 thrashing points to an eventful year, and unfortunately
leaves no doubt that the criminals have the edge, leaving the security experts
nursing their own goals and playing catch up.
GAME-CHANGER : Sony hack could be game changer
By Cory Bennett
Jaunary 04, 2015
The high-profile hack at Sony
Pictures has injected new urgency into the years-old push for cybersecurity legislation, with a broad spectrum of
lawmakers suddenly vowing to take action in the new Congress.
Its basically fair game for
everything cyber after the cyberattack on Sony, said
Jessica Herrera-Flanigan, a lobbyist at Monument
Policy Group, which represents tech giants like Microsoft.
The recent cyber assault
caused Sony to briefly pause the release of a multi-million dollar movie,
spurred a White House response and escalated tensions between the U.S. and
North Korea, which the FBI has blamed for the attack.
It has also transformed what
some viewed as a stale debate on Capitol Hill over cybersecurity
issues.
Weve been having the same
discussion on information sharing
since the mid-90s, said Herrera-Flanigan, referring to various long-stalled cybersecurity information-sharing measures that would give
legal protections for companies exchanging cyber threat info with the
government.
After years of narrow
congressional focus, the Sony cyberattack has put an
array of new cyber topics on the table, including offensive cyber tactics,
cyber crime laws and the international communitys definition of cyber warfare,
to name a few.
Lawmakers have pledged to
hold hearings on these topics, called on the White House to declare cyber war
with North Korea and pressed for heightened economic sanctions on the reclusive
East Asian regime.
The sudden attention springs
directly from the movie studios decision to temporarily scrap the Christmas
Day release of a film in the wake of violent threats from the hackers. The
controversial comedy, The Interview, portrays the assassination of North
Korean leader Kim Jong Un.
If they would have just
released the God---- movie, the president wouldnt be talking about it, said
Jason Healey, a director at the Atlantic Council who has worked on cyber
defenses at the White House and for Goldman Sachs in Hong Kong.
This would have just been
another company being hacked and having their personal emails and such put out
there, Herrera-Flanigan said.
Even though Sony recanted a
week later releasing the film online and in several small theaters the
initial decision set off a firestorm in Washington. Lawmakers scrambled to
denounce the encroachment on Americans free speech and decry the weak White
House response.
That rhetoric puts the onus
on Congress to actually do something when it reconvenes in January.
A lot of members who had not
previously dedicated a lot of their own time and resources to cybersecurity
are going to get smarter on it in 2015,
said Andrew Borene, a fellow with the Truman National
Security Project who teaches a class on transnational crime at American
University. I think thats inevitable.
But what can lawmakers
actually achieve legislatively to back up their calls for action?
Despite passing a flurry of
small-bore bills in late 2014, Congress has not moved major cybersecurity
legislation in years. And the issues raised by the Sony incident cyber
relations with China, United Nations guidelines for how countries handle cyber
issues are not necessarily areas where Congress wields a heavy hand.
Im not sure theres such a
direct output for Congress on the international side of things, said Kristen Eichensehr, an international security professor at the
University of California, Los Angeles, School of Law and former State
Department attorney.
House Foreign Affairs
Committee Chairman Ed Royce (R-Calif.) has called on Congress to ratchet up
economic sanctions on North Korea a realistic step Congress could take,
according to Scott Snyder, a Korean studies fellow with the Council on Foreign
Relations.
I think theres going to be
pressure to move forward with the resolution that the House has already passed
to essentially bring the level of North Korean financial sanctions up to the
level we currently have on Iran, he told reporters last week.
Incoming Senate Armed Forces
Committee John McCain (R-Ariz.) has been outspoken in his criticism of
President Obama for not classifying the Sony hit as a North Korean act of cyber
war. Eichensehr expects to see an increased
questioning of the executive from McCains committee as a result, but not
necessarily specific cyber bills.
For years, the Capitol Hill
cyber conversation has revolved around a bill that would enable the private and
public sectors to exchange cyber threat information. Industry groups and
intelligence agencies argue such a measure is necessary to defend the countrys
critical infrastructure against destructive cyberattacks.
Privacy advocates are concerned such a bill could further enable government
collection of Americans sensitive data.
Some speculate that the
intense public attention the Sony attack has brought to cyber issues could move
an info-sharing bill to the fore in 2015.
It may be enough to reopen
the possibility, Borene said.
Still, others suggest that
the Sony flap has actually pivoted the cyber narrative away from domestic
information sharing and toward a broader discussion of international cyber
responses.
Its not clear how that info
sharing piece plays into what happened with Sony, Herrera-Flanigan
said.
Robyn Greene, policy counsel
for New America Foundations Open Technology Institute, was more direct.
It is unlikely that
information sharing would have prevented the Sony hack, said Greene, who
supports increased cyber information sharing, but not Congresss most recent
proposal. Eighty to 90 percent of all attacks are the result of poor cyber
hygiene and internal system monitoring.
While the Sony hack has
generated an unprecedented congressional response on cybersecurity,
it remains to be seen if lawmakers attention lasts. Cyber issues tend to
follow a boom and bust cycle on the Hill following major data breaches, experts
said.
I dont know if they stay in
the long run, said Herrera-Flanigan. This could be
another situation, she said, in which Congress decides, We deal with this main
crisis and then were through it.
Also see
TREND : Lizard Squad launches DDoS tool that lets anyone take down online services,
starting at $6 per month
December
30, 2014
Lizard
Squad, the hacker group best known for attacking Microsofts Xbox Live and
Sonys PlayStation Network, has now launched a distributed denial-of-service (DDoS) attack tool. Now anyone can now take down the website
or online service of their choice thanks to Lizard Stresser,
which were not linking to for obvious reasons.
A DDoS attack is a common method for taking down a server by
overloading it with requests. The end goal is to make a machine or network
resource unavailable to its intended users.
Welcome
to LizardStresser, brought to you by Lizard Squad,
reads the tools introduction page. This booter is
famous for taking down some of the worlds largest gaming networks such as Xbox
Live, Playstation Network, Jagex,
BattleNet, League of Legends, and many more! With
this stresser, you wield the power to launch some of
the worlds largest denial of service attacks.
It
offers eight packages, ranging from $6 monthly (for taking down a site for 100
seconds) to $130 monthly (for taking down a site for 30,000 seconds, or over 8
hours). It also has lifetime options that are one-time fees ranging from $30
to $500 (the page notes this actually means five years, because thats
apparently how long the tool will exist).
Not
only is Lizard Stresser open to anyone willing to
pay, but customers can also use it against any target they wish. As a result,
if someone wanted to target Xbox Live and PlayStation Network again, they could
do so, even though Lizard Squad itself promised not to attack those services
anymore.
Lizard
Stresser even has a referral system: We give you 10
percent of whatever money your referrals spend. To cash out the money, please
open a ticket and tell us which plan you want.
It
also lets you upgrade to higher-end packages, presumably by paying the
difference, if you want more power. Lizard Stresser
offers add-ons as well:
The
service only accepts the cryptocurrency bitcoin, though the group says PayPal support is coming
soon. The payment system doesnt work with VPNs, so those making purchases
will have to find other ways to hide their identity and location if they want
to remain anonymous.
At
the time of report, Lizard Stresser has supposedly
been used seven times (Update: Now the page says three times, so the number is
clearly not accurate, and either way it is quite low given sales opened seven
hours ago). The site claims attack power (the amount of traffic requests with
which customers can overload their targets) currently stands at a 2Tbps average
and that the total network traffic is 30Tbps, which is simply preposterous.
As
expected, Lizard Squad is making other grand claims about its booter on Twitter. Here is an example:
Without correct power distribution, if you
hit a home connection right now, you'll drop the entire city.
R.I.U. Lizard Squad (@LizardMafia)
December 30, 2014
Commercial
tools for DDoS attacks are nothing new and are
readily available on hacking forums. Yet even if the above claims are
significantly exaggerated, Lizard Stresser is
certainly unique in its alleged size, as is the groups track record Lizard
Squad clearly plans to use its fame on Twitter to attract potential clients.
The
group, which has had multiple Twitter accounts suspended but merely creates new
ones, has previously hinted that it is funded by interested parties. In fact,
Lizard Squad has previously said it has sold DDoS as
a service, which is exactly what Lizard Stresser is.
This
would suggest all the attacks so far have simply been a marketing ploy for
Lizard Stresser. Whoever is funding the group is now
looking to cash in on their investment.
Lizard
Squad gained fame this month by attacking Microsofts Xbox Live and Sonys
PlayStation Network multiple times, most notably on Christmas Day, resulting in
many being unable to play video games online. The impact was particularly large
for many reasons.
First
of all, the DDoS attack targeted both Xbox Live and
PSN, the two largest console gaming networks. Next, the timing was key: Many gamers naturally wanted to play on their day off,
whether on an already-purchased game console or on one received as a present
for Christmas. Finally, the aftermath of the attack was massive, if not greater
than the attack itself, because the game networks couldnt handle the traffic
of millions of consoles trying to get back online all at once after the attack
was over.
While
VentureBeat hasnt tested Lizard Stresser,
I expect it works given Lizard Squads history, even if doesnt offer the
capacity the group claims. That said, Lizard Squad has
made dubious claims in the past, so naturally I recommend looking at everything
it does with some skepticism.
Dock
The Dock is a feature of the Macintosh operating system
that was introduced with Mac OS X. It is a virtual tray of icons that provides
fast, one-click access to commonly used programs and files.
By default, the Dock is displayed at the bottom of the Mac
OS X desktop. It contains icons for several of the applications included with
Mac OS X and always includes the Finder icon on the far left and the Trash icon
on the far right. While the Dock has a default size and location, these options
can be changed within the Dock System Preference pane. For example, the Dock
can be moved to the left or right side of the screen. You can also change the
size of the dock and the magnification percentage, which magnifies the icons as
you roll over them with the cursor. If you want the Dock to only appear when
you need it, you can select "Automatically hide and show the Dock,"
which will hide the Dock unless you move the mouse to the bottom of the screen.
To open an application, file, or folder from the Dock,
simply click the icon (you don't need to double-click items in the Dock). When
you open an application, the icon will bounce while the program is opening.
Once the program opens, the icon will have a dot underneath it, which indicates
the application is running. You can also open files by dragging them to the
appropriate application in the Dock. If the application is not already running,
it will start up, then open the file.
If you want to add items to the Dock, you can drag the
corresponding icons to the Dock from open windows or the desktop. Note that
applications are located on the left of the Dock and files and folders are
located on the right side. Therefore, make sure you drag the icon to the
correct side. When you move an icon to the Dock, a space will open for it and
you can place it wherever you like. You can also move icons around by simply
dragging them to different spots within the Dock.
If you want to remove an icon from the Dock, simply drag it
from the Dock to the desktop. You will see an animation involving a puff of
smoke, which indicates the program has been removed. Since the icons in the
Dock are only shortcuts to the original files and applications, the actual
program or file will remain untouched, even after you remove the icon from the
Dock.
When truth is replaced by
silence, the silence is a lie.
Yevgeny Yevtushenk
Note -