Newsletter
IT and Cyber Security News Update from
Centre for Research and Prevention of Computer Crimes,
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005
January 26, 2015
Issue no 1535
Tenth year of uninterrupted publication
Today's edition
LOSS : Cyber attacks cost companies $400 billion every year - Lloyd CEO
ATTACK : Banks must prepare for state-sponsored cyber crime, says Bank of England
SURVEILLANCE : New police radars can 'see' inside homes
TREND : Cyber attacks targeting hardware
LOSS : Cyber attacks cost companies $400 billion every year - Lloyd CEO
by Stephen Gandel
January 23, 2015
http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/
Lloyd's, the British insurance
company, is known for specializing in obscure risks. When civilians finally
push off into space, they will likely be insured, along with the aircraft they
travel in, by Lloyd's.
But one initially rare insurance
product has become far more common: hack coverage. Inga Beale, the CEO of
Lloyd's, which manages a clearinghouse for insurance policies, said that demand
for cyber insurance has grown considerably in recent years. Last year, the
insurance industry took in $2.5 billion in premiums on policies to protect
companies from losses resulting from hacks. That was up from around $2 billion
a year before, and less than $1 billion two years before that.
Cyber-security has been a hot topic at
this year's World Economic Forum, the global gathering of CEOs, world leaders,
and other power players in Davos, Switzerland. On
Wednesday, Cisco Systems CEO John Chambers predicted that 2015 would be an even
worse year for cyber attacks.
Beale said that Lloyd's estimates that
cyber attacks cost businesses as much as $400 billion a year, including the
damage itself and subsequent disruption to the normal course of business.
Beale, who became the CEO of Lloyd's a year ago, said that she did not know
just how much coverage companies have purchased, but she thinks it's a fraction
of what companies are losing on account of hacks. And it's usually the firms
that are best prepared for cyber attacks that wind up buying insurance. What's
more, about 90% of cyber insurance is being purchased by U.S. firms, leaving
other companies around the world exposed.
"The U.S. companies are ahead of the
curve," said Beale. "Insurance used to be about concrete, protecting the loss
of physical things. Now you have to get companies to insure against more
intangible things."
Beale said that, right now, the
maximum cyber insurance coverage any single company can purchase from Lloyd's
is $300 million. She said that about 10% of all cyber insurance is underwritten
on the Lloyd's platform.
"Every time there is an attack, demand
for policies goes up," said Beale.
ATTACK : Banks must prepare for state-sponsored cyber crime, says Bank of England
By Karl Flinders
26 January 2015
In a survey of 36 financial firms in
the UK, the Bank of England revealed it found no immediate gaps in their IT defences but warned against complacency.
A senior Bank of England executive
said the regulator will be going back to banks again to check that improvements
are made in certain areas.
In a security conference speech, Bank
of England director Andrew Gracie said banks should be prepared for the highest
level security attacks, including state-sponsored intrusions. "Given the
importance of these firms to the stability of the financial system, this
implies a level of resilience that goes beyond basic cyber hygiene but aims
instead to ensure that firms are in a position to manage advanced persistent
threats that are the hallmark of some state-sponsored attackers," he said.
He warned that cyber security should
not be the responsibility of junior IT staff and company boards need to get
involved.
Gracie also encouraged financial firms
to get involved with ethical hacks that enable companies to test each other's
security defences.
Cyber war games
The UK and US
have agreed to a series of simulated cyber attacks to test each other's
resilience. The first exercise will be simulated attacks on the City of London
and Wall Street, amid growing fears about the vulnerability of the financial
sector.
One IT security expert working in the
UK banking sector told Computer Weekly that banks have attempted attacks every
day. He said they are not reported because banks don't want to scare customers.
This view was backed up in November
2014 by Cambridge University researcher Richard Clayton, a senior researcher in
security economics. He told a Treasury select committee that the amount of
money being taken from people's accounts through cyber crime is twice as much
as what is reported. "Insiders tell me the going rate is about twice the amount
of money reported by banks goes walkies out of
people's accounts."
On 12 November 2013, Operation Waking
Shark 2 organised by UK financial services
regulators tested thousands of staff at London's major financial institutions
with a simulated cyber attack on systems on which the UK's financial system
depends.
SURVEILLANCE : New police radars can 'see' inside homes
At least 50 U.S. law
enforcement agencies quietly deployed radars that let them effectively see
inside homes, with little notice to the courts or the public.
By Brad Heath
USA TODAY
January 20, 2015
http://www.usatoday.com/story/news/2015/01/19/police-radar-see-through-walls/22007615/
WASHINGTON - At least 50 U.S.
law enforcement agencies have secretly equipped their officers with radar
devices that allow them to effectively peer through the walls of houses to see
whether anyone is inside, a practice raising new concerns about the extent of
government surveillance.
Those agencies, including the
FBI and the U.S. Marshals Service, began deploying the radar systems more than
two years ago with little notice to the courts and no public disclosure of when
or how they would be used. The technology raises legal and privacy issues
because the U.S. Supreme Court has said officers generally cannot use high-tech
sensors to tell them about the inside of a person's house without first
obtaining a search warrant.
The radars work like finely
tuned motion detectors, using radio waves to zero in on movements as slight as
human breathing from a distance of more than 50 feet. They can detect whether
anyone is inside of a house, where they are and whether they are moving.
Current and former federal
officials say the information is critical for keeping officers safe if they
need to storm buildings or rescue hostages. But privacy advocates and judges
have nonetheless expressed concern about the circumstances in which law
enforcement agencies may be using the radars and the fact that they have so
far done so without public scrutiny.
"The idea that the
government can send signals through the wall of your house to figure out what's
inside is problematic," said Christopher Soghoian,
the American Civil Liberties Union's principal technologist. "Technologies
that allow the police to look inside of a home are among the intrusive tools
that police have."
Agents' use of the radars was
largely unknown until December, when a federal appeals court in Denver said
officers had used one before they entered a house to arrest a man wanted for
violating his parole. The judges expressed alarm that agents had used the new
technology without a search warrant, warning that "the government's
warrantless use of such a powerful tool to search inside homes poses grave
Fourth Amendment questions."
By then, however, the
technology was hardly new. Federal contract records show the Marshals Service
began buying the radars in 2012, and has so far spent at least $180,000 on
them.
Justice Department spokesman
Patrick Rodenbush said officials are reviewing the
court's decision. He said the Marshals Service "routinely pursues and
arrests violent offenders based on pre-established probable cause in arrest
warrants" for serious crimes.
The device the Marshals
Service and others are using, known as the Range-R, looks like a sophisticated
stud-finder. Its display shows whether it has detected movement on the other
side of a wall and, if so, how far away it is, but it does not show a picture
of what's happening inside. The Range-R's maker, L-3 Communications, estimates
it has sold about 200 devices to 50 law enforcement agencies at a cost of about
$6,000 each.
Other radar devices have far
more advanced capabilities, including three-dimensional displays of where
people are located inside a building, according to marketing materials from
their manufacturers. One is capable of being mounted on a drone. And the
Justice Department has funded research to develop systems that can map the
interiors of buildings and locate the people within them.
The radars were first
designed for use in Iraq and Afghanistan. They represent the latest example of
battlefield technology finding its way home to civilian policing and bringing
complex legal questions with it.
Those concerns are especially
thorny when it comes to technology that lets the police determine what's
happening inside someone's home. The Supreme Court ruled in 2001 that the
Constitution generally bars police from scanning the outside of a house with a
thermal camera unless they have a warrant, and specifically noted that the rule
would apply to radar-based systems that were then being developed.
In 2013, the court limited
police's ability to have a drug dog sniff the outside of homes. The core of the
Fourth Amendment, Justice Antonin Scalia wrote, is
"the right of a man to retreat into his own home and there be free from
unreasonable governmental intrusion."
Still, the radars appear to
have drawn little scrutiny from state or federal courts. The federal appeals
court's decision published last month was apparently the first by an appellate
court to reference the technology or its implications.
That case began when a
fugitive-hunting task force headed by the U.S. Marshals Service tracked a man
named Steven Denson, wanted for violating his parole, to a house in Wichita.
Before they forced the door open, Deputy U.S. Marshal Josh Moff
testified, he used a Range-R to detect that someone was inside.
Moff's report made no mention of the radar; it said only
that officers "developed reasonable suspicion that Denson was in the
residence."
Agents arrested Denson for
the parole violation and charged him with illegally possessing two firearms
they found inside. The agents had a warrant for Denson's arrest but did not
have a search warrant. Denson's lawyer sought to have the guns charge thrown
out, in part because the search began with the warrantless use of the radar
device.
Three judges on the federal
10th Circuit Court of Appeals upheld the search, and Denson's conviction, on
other grounds. Still, the judges wrote, they had "little doubt that the
radar device deployed here will soon generate many questions for this
court."
But privacy advocates said
they see more immediate questions, including how judges could be surprised by
technology that has been in agents' hands for at least two years. "The
problem isn't that the police have this. The issue isn't the technology; the
issue is always about how you use it and what the safeguards are," said Hanni Fakhoury, a lawyer for the
Electronic Frontier Foundation.
The Marshals Service has
faced criticism for concealing other surveillance tools. Last year, the ACLU
obtained an e-mail from a Sarasota, Fla., police sergeant asking officers from
another department not to reveal that they had received information from a cellphone-monitoring tool known as a stingray. "In the
past, and at the request of the U.S. Marshals, the investigative means utilized
to locate the suspect have not been revealed," he wrote, suggesting that
officers instead say they had received help from "a confidential
source."
William Sorukas,
a former supervisor of the Marshals Service's domestic investigations arm, said
deputies are not instructed to conceal the agency's high-tech tools, but they
also know not to advertise them. "If you disclose a technology or a method
or a source, you're telling the bad guys along with everyone else," he
said.
TREND : Cyber attacks targeting hardware
By Melissa Sim
The Straits Times
Jan 25, 2015
http://digital.asiaone.com/digital/news/cyber-attacks-targeting-hardware
WASHINGTON - When Sony Pictures'
computer systems were hacked in November last year, few realised
that the problem went far deeper than the gossipy e-mail messages that were
leaked or the delayed release of the movie The Interview.
While most think of the hacking as an
attack on software, Sony's hardware was also hit, locking employees out of
their e-mail boxes for weeks.
Security experts say that more
attention should be paid to the physical threats posed by cyber attacks that
cause power grid outages or manufacturing plants to shut down, for example.
On Tuesday, US President Barack Obama
touched on the issue of cyber security during his State of the Union address,
urging Congress to pass legislation to "better meet the evolving threat of
cyber attacks, combat identity theft, and protect our children's
information".
But Mr Shawn Henry, president of
security company Crowdstrike Services, believes the
President missed an opportunity to map out the larger risks. He said "the
risks are greater than what the average American recognises".
"There are often physical attacks
on hardware, on physical equipment, and this is the changing risk that people
don't see," he said.
To illustrate this point, Mr Joe
Weiss, managing partner of Applied Control Solutions, a control system cyber
security consultancy, likened data theft to a highway patrol cop using a radar to find out how fast you are going.
But he added that the threats that we
face now are more in line with "someone knowing your speed and remotely
taking control of the gas pedal or steering wheel".
Mr Weiss said: "In IT, all you
want to do is stop the information flow. In a control system world, you want to
prevent them from taking over the system."
He is quick to point out that such
attacks are not happening only in the US. The same computer systems for
factories or power plants used in the US are also used in Singapore, he said.
"This is an international
problem."
In the lead-up to the State of the
Union address, the Obama administration has addressed some of these issues,
although much of their focus has been on consumer protection and privacy.
For example, last week, Mr Obama
revealed his legislative proposals to increase the sharing of cyber attack
information between private companies and the government and to give law
enforcers more teeth to investigate and prosecute cyber criminals.
Mr Ken Levine, president and chief
executive of data protection company Digital Guardian, said sharing technical
details of existing breaches would help to put others on alert.
"They can look for the same
indicators of compromise in their environment and find them before significant
damage is done," he said. Increased intelligence sharing would also
"increase the sophistication and timing of our response".
Mr Chris Doggett, managing director of
IT security company Kaspersky Lab North America,
added that empowering law enforcers to pursue cyber crimes would act as a
deterrent.
"One of the reasons that organised crime has turned to cyberspace and that we have
seen such an exponential rise in attacks is that the risk to those who commit
them is much lower than in physical crimes," he said.
But governments should not be alone in
bearing the responsibility of preventing cyber attacks. Companies "have to
assume they are going to get attacked" and do more to "secure
networks with better defences", said Mr Daniel
Vasquez, Japan country director of cyber security company Fortis Security
International.
"Everything has to be protected -
from personal information to the national power grid."
DOS
Stands for "Disk Operating System." DOS was the first
operating system used by IBM-compatible computers. It was originally available
in two versions that were essentially the same, but marketed under
two different names. "PC-DOS" was the version developed by IBM and
sold to the first IBM-compatible manufacturers. "MS-DOS" was the
version that Microsoft bought the rights to, and was bundled with the first
versions of Windows.
DOS uses a command line, or text-based interface, that
allows the user to type commands. By typing simple instructions such as pwd (print working directory) and cd
(change directory), the user can browse the files on the hard drive, open
files, and run programs. While the commands are simple to type, the user must
know the basic commands in order to use DOS effectively (similar to Unix). This made the operating system difficult for novices
to use, which is why Microsoft later bundled the graphic-based Windows
operating system with DOS.
The first versions of Windows (through Windows 95) actually
ran on top of the DOS operating system. This is why so many DOS-related files
(such as .INI, .DLL, and .COM files) are still used
by Windows. However, the Windows operating system was rewritten for Windows NT
(New Technology), which enabled Windows to run on its own, without using DOS.
Later versions of Windows, such as Windows 2000, XP, and Vista, also do not
require DOS.
DOS is still included with Windows, but is run from the
Windows operating system instead of the other way around. The DOS command
prompt can be opened in Windows by selecting "Run..." from the Start
Menu and typing cmd.
"Democracy consists of choosing your dictators, after they've told you what
you think it is you want to hear."
- Alan Coren
Note -