Newsletter
IT and Cyber Security News Update from Centre for Research and Prevention of Computer Crimes,
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005
December 01, 2014
Issue no 1513
Tenth year of uninterrupted publication
Today's edition
STATS : Indian Cyber Security Violations Similar to Global Trends
DAMAGE : Films leaked online after Sony Pictures hack
TREND : UK set to establish digital cheques in 2015
SPYWARE : Regin, the super-spyware the security industry is silent about
STATS : Indian Cyber Security Violations Similar to Global Trends
Indo-Asian News Service
November 28, 2014
New Delhi: With the proliferation of Information Technology (IT), the trend in increasing cyber security violations in India is similar to that of worldwide, Communications and IT Minister Ravi Shankar Prasad said on Friday.
"The government has taken a slew of measures to tackle cyber security violations and cyber crimes in the country," Mr Prasad said in a written reply in the Rajya Sabha.
"A total number of 23, 254, 552, 1,237, 2,565, 8,266, 10,315, 13,301, 22,060, 71,780 and 96,383 security incidents including phishing, scanning, spam, malicious code, website intrusions etc. were reported to the Indian Computer Emergency Response Team (CERT-In) during the years 2004 to 2014 (till September), respectively."
"During the years 2009 to 2014 (till September) a total no. of 11,831, 20,701, 21,699, 27,605, 28,481 and 14,151 Indian websites were also hacked by various hacker groups spread across worldwide," he said.
"The government has also initiated Information Security Education and Awareness (ISEA) project with the aim to develop human resource in the area of Information Security at various levels. Phase-I of the programme has been completed," Mr Prasad informed the house.
He mentioned that all major websites are being monitored regularly to detect malicious activities.
"All central government ministries or departments and state or Union Territory governments have been advised to conduct security auditing of entire Information Technology infrastructure. All the new government websites and applications are to be audited with respect to cyber security prior to their hosting," the minister said.
CERT-In has empanelled a total number of 45 security auditors to carry out security audit of the IT infrastructure of government, public and private sector organisations.
Mentioning that close watch is kept to scan malicious activities on the important networks in the government, public and service providers, the minister said: "All the ministries/departments of central government and state governments have been asked to implement the crisis management plan to counter cyber attacks and cyber terrorism."
DAMAGE : Films leaked online after Sony Pictures hack
Warwick Ashford
01 December 2014
High-quality copies of still-to-be-released films have been leaked online a week after Sony Pictures Entertainment was reportedly hacked.
The firm was forced to shut down its entire computer network on 25 November 2014 after a cyber attack by a group of hackers identifying themselves only as #GOP or Guardians of Peace.
The group reportedly issued the company with a list of unspecified demands, saying sensitive data would be released if the firm did not co-operate.
Although there is no confirmed link with leaked films, there has been widespread media speculation that digital copies of the films were among the 11TBs of data that was reportedly stolen.
The files are also believed to include sensitive financial data, emails, and personal information relating to cast and crew working on films still in production.
The films leaked on torrent sites and their official US release dates are: To Write Love on Her Arms (March 2015), Still Alice (16 January 2015), Mr Turner (19 December 2014), Annie (19 December 2014), and Fury (17 October 2014), according to Torrentfreak.
While little is known about the group calling itself #GOP, Sony Pictures is reportedly investigating whether the recent hack is linked to North Korea.
The company believes the attack may be linked to the film The Interview, which concerns a plot to assassinate North Korean leader Kim Jong Un, according to Re/code.
The film, set to be released on 25 December 2014, stars Seth Rogen and James Franco as journalists who plan to interview the North Korean leader and are recruited by the CIA to kill him.
An unofficial spokesperson for North Korea has criticised the film in an interview with The Telegraph saying it "shows the desperation of the US government and American society."
Sony has declined to comment on the breach of its network beyond a statement which said: "Sony Pictures Entertainment experienced a system disruption, which we are working diligently to resolve."
A statement on the film leaks said: "The theft of Sony Pictures Entertainment content is a criminal matter, and we are working closely with law enforcement to address it."
Sony cyber attacks
The latest confirmed hacker intrusion at Sony comes just three months after Sony's PlayStation Network (PSN) was forced offline by a distributed denial-of-service (DDoS) attack in August 2014.
Sony's PSN was also taken offline for more than three weeks in 2011 after a hack that compromised the personal information of millions of customers.
Liz Fitzsimons, data privacy expert at law firm Eversheds, said the reports of a further attack on Sony demonstrate how cyber criminals are seeking to damage corporate reputations and businesses, causing financial consequences for everyone whether through the impact on employment prospects, investment returns for pensions or levels of taxation raised by governments.
"Currently, there is heated debate about how law enforcement and intelligence should investigate internet use and communications to catch criminals, due to the impact on law-abiding citizens and their privacy," she said.
"This cyber attack is a reminder that we may have to accept that our right to communicate and use the internet lawfully may carry with it the responsibility of accepting some potential interference where needed to detect and prevent such criminal activity.
"The alternative is we pay the price of having our privacy rights guaranteed by governmental bodies, with a consequential likely increase in abuses by criminals who have no respect for privacy or other legal rights," she added.
Also see
http://www.theregister.co.uk/2014/11/28/sony_staff_reduced_to_pencil_and_paper_as_computers_still_crippled_by_hackers/
http://www.business2community.com/tech-gadgets/sony-pictures-hacked-gop-mean-01077919
http://www.theregister.co.uk/2014/11/25/sony_pictures_in_it_lockdown_after_alleged_hacker_hosing/
TREND : UK set to establish digital cheques in 2015
Cliff Saran
01 December 2014
In January 2015 the UK government is expected to make the digital image of a cheque legal tender, paving the way to end paper cheque processing.
Following the change in legislation in the first six months of 2015, HM Treasury will set out rules and timeframes.
Banks will then be able to implement digital cheque processing.
The change will mean that institutions will be able to process a picture or scan of a signed physical cheque.
Customers will no longer need to go to a branch to deposit cheques. As well as benefiting the consumer, it could improve cashflow in small businesses, since company owners would be able to scan in paper cheques themselves, rather than have to take them to the bank.
It is highly likely banks will offer cheque scanning functionality in their mobile banking apps; commercial banking customers will be able to process cheques using bulk scanning machines, with prices starting between £400-500 for a low-volume scanner.
The history of digital cheques
Digital cheque processing has been technically possible since the 1990s. In fact, NCR developed the cheque-reading machine in 1998, based on artificial intelligence research from Yann LeCun, who is now the director of artificial intelligence (AI) research at Facebook.
The technology was first implemented in the US 10 years ago, but adoption took a long time due to volume.
A case study published last year by analyst Forrester estimated that US bank Redstone Credit Union saved $3.60 or 90% of the cost of processing each cheque, by enabling mobile deposit transactions.
In other words, while a branch transaction costs around $4.00, the equivalent digital cheque-style of transaction would only cost Redstone Credit Union $0.40 to process.
The UK processes 750 million cheques a year and, while in decline, the humble cheque will play a part in the UK economy for many years. The costs of processing paper-based cheques make a clear case for digitising the process, but legislation has held back the implementation of digital cheques in the UK so far.
In Canada, the legislation to process digital cheques went through in September 2013. What can the UK learn from Canada's experience?
Lessons from Canada
Annually, Canada processes about 25% more cheques (1 billion per year) than the UK. Canadian Imperial Bank of Commerce (CIBC) is one of the banks that has now implemented digital cheque processing.
Speaking about the bank's implementation, Fraser Mackay, vice-president of self-service operations & support at CIBC, said: "There's the technical side and there is a cultural challenge. To get a holistic implementation for a bank, you have to go for all the front-end channels, through to the image exchange at the back end, which is a massive amount of work and a massive amount of expense."
This is Canada's second attempt at digital cheques.
In 2008, following a government mandate, Canadian financial institutes attempted to roll out cheque imaging. According to reports at the time, the initiative failed because the banks could not get their IT systems to talk together, to enable end-to-end cheque clearing across the banking network.
The initiative was rebooted, allowing banks to go at their own pace. CIBC processes about a quarter of a billion cheques a year, almost a quarter of the country's cheques.
This time round, Mackay said, the bank wanted to gain a first-mover advantage in digital cheque processing, which it launched as part of its mobile banking platform in early 2013. A few months later it launched a version for commercial banking. "We focused on doing cheque imaging in our own organisation, and it was still an awful lot of work," he said.
These were the easier parts, from a banking infrastructure perspective. He admitted changing cheque processing at branch-level would involve a lot of work. "You can automate the teller, so bank clerks use a similar scanner to commercial customers. But we also have a lot of customers who deposit cheques by putting them in an envelope and dropping them into the ATM. So, to digitise cheques, we would need to enable digital scanning at the ATM. We have 1,100 branches and 4,000 ATMs, so this represents a significant amount of work."
The challenge in digitising the whole process is that not only do the cash machines need to have a built-in cheque scanner, optical character recognition (OCR) software is required at the back end to validate the value of the cheque and the signature.
Digital cheques also change people's relationship with the bank. Mackay said: "The challenge is that people are used to going into a branch, lining up for a bank teller and depositing a cheque." This is the customer education element, where the bank explains to customers they no longer need to queue and can instead take a photograph of a cheque with a mobile phone, or scan it in using a PC at home.
The bank used NCR APTRA passport software for digital cheque processing at ATMs. The software reads the handwritten text for the amount, compares this to the amount entered in the amount box, and checks this against the figure the customer enters at the ATM terminal.
"We try to implement this in a way that, if there is doubt, rather than get the customer to try again and again, the cheque raises an exception at the back end, where it is routed for manual review," Mackay said.
The future of digital cheques
The UK processes 750 million cheques a year. Processing paper cheques, along with using the armoured vehicle to deliver them as part of the clearing process, means that cheque handling is expensive. A fully digitised cheque clearing system would allow businesses and individuals to receive payments quicker.
UK legislative approval is expected soon after Christmas 2014. This legislation will mean that a cheque image is a legal replacement for a physical cheque. Following the legislation, HM Treasury will give dates for implementation.
Unless it is mandated like Canada's first attempt, individual banks will need to decide when to deploy digital cheque technology.
Giovanni Bandi, director business development at NCR, said: "In terms of hardware, the UK is behind Canada. In the UK, 10% of ATMs have a cheque capability and only a small fraction of these are able to image cheques."
To date, two UK banks have implemented cheque image processing, one of which is Barclays, which announced it would develop a smartphone cheque.
Mobile is likely to be the most prominent channel, because every phone can take a picture. In a blog post earlier in 2014, Forrester analyst Oliwia Berdak wrote: "Remote deposit capture is a win-win solution. It cuts the time and cost of check transaction and processing, frees up branch staff for higher-value services, and enables customers to complete their goals whenever and wherever they want."
SPYWARE : Regin, the super-spyware the security industry is silent about
NSA fingered as likely source of complex malware family
By Iain Thomson
24 Nov 2014
A public autopsy of sophisticated intelligence-gathering spyware Regin is causing waves today in the computer security world.
But here's a question no one's answering: given this super-malware first popped up in 2008, why has everyone in the antivirus industry kept quiet about it until now? Has it really taken them years to reverse engineer it?
On Sunday, Symantec published a detailed dissection of the Regin malware, and it looks to be one of the most advanced pieces of spyware code yet found.
The software targets Windows PCs, and a zero-day vulnerability said to be in Yahoo! Messenger, before burrowing into the kernel layer. It hides itself in its own private area on hard disks, has its own virtual filesystem, and encrypts and morphs itself multiple times to evade detection. It uses a toolkit of payloads to eavesdrop on the administration of mobile phone masts, intercept network traffic, pore over emails, and so on.
It appears to target people working in telecommunications, including internet backbone providers and cellular networks, plus the energy sector where Yahoo! Messenger is apparently popular. All in all, it seems to be the handiwork of an intelligence agency rather than a run-of-the-mill malware writer, infosec bods have concluded.
For one thing, it doesn't operate like conventional spyware: Regin doesn't form a remotely controlled botnet, suggesting its masters really didn't want it to be found, nor does it harvest personal financial information.
Instead it collects intelligence useful to state spies. Coupled with the fact that virtually no infections have been reported in the US, UK or other Five Eyes nations, some suspect it's the work of the NSA, GCHQ or their contractors.
Kaspersky's report on Regin today shows it has the ability to infiltrate GSM phone networks. The malware can receive commands over a cell network, which is unusual.
The Regin malware popped up on antivirus radars years ago. Symantec says it has been investigating Regin for over a year, although reckons earlier builds have been circulating since 2008. Microsoft first reported it back in 2011, and Kaspersky Lab thinks that it could have been around for as long as ten years.
So why the silence? Security software vendors usually love deluging the press with reports of malware, so you'd think that when Regin was first caught and analyzed, people would have made a song and dance about it.
F-Secure, one of the leading outfits investigating government malware, spotted Regin on a customer's computer two years ago. Chief research officer Mikko Hypponen said on Monday his company had kept silent on the malware because its client had asked it to, although he said F-Secure had added detection for the spyware to its antivirus software. Hypponen is sure Regin is state-sponsored malware.
@ProfWoodward @dakami @iblametom @jeremiahg Malware decoded, detection added, no press release as customer doesn't want one. That's it.
Mikko Hypponen (@mikko) November 24, 2014
Only a few hundred infections have been linked to Regin, but the choice of targets is striking. The malware apparently infiltrated the computers of noted Belgian cryptographer Professor Jean-Jacques Quisquater and Belgian telco Belgacom, a network compromise blamed on the NSA and GCHQ by Edward Snowden.
This low infection count could have been what has allowed Regin to fly under the radar for quite so long. With hundreds of thousands of malware samples found every year, a small outbreak doesn't get much attention, which is just what a state-sponsored attacker would be looking for.
Much more attention is now being focused on Regin in the coming days. While it's impossible to say where exactly the malware came from, it looks likely that your tax dollars or pounds could be at work.
Also see
http://www.theregister.co.uk/2014/11/24/regin/
Direct Digital Marketing
Direct digital marketing, also known as "DDM," is a type of marketing that is done exclusively through digital means. It may be used to supplement or even replace traditional physical marketing strategies. The primary channels of direct digital marketing include e-mail and the Web.
While most of us still receive an abundance of physical marketing materials in our mailboxes each week, many of these mailings have been replaced by e-mail. By using e-mail marketing, companies can drastically reduce their mailing costs, since the cost of sending e-mail messages is essentially free. Compare this to mailing physical brochures that may cost $0.50 per recipient. If a company sends out one million mailings, using e-mail could save the company $500,000 in mailing costs.
While e-mail marketing is a great asset for many businesses, it can also be abused. Since it doesn't cost anything to send e-mail messages, it is possible to distribute unsolicited messages to large lists of recipients at little to no cost. This kind of unwanted electronic junk mail has become widely known as "spam." Fortunately, junk mail filters have helped reduce the impact of these messages for most users. Many companies and organizations also offer an "unsubscribe" option in their mailings, which allows users to remove themselves from the mailing lists.
The Web is another popular medium for direct digital marketing. Many companies now advertise on websites through banner ads, text links, and other types of advertisements. By using Web marketing, companies can drive visitors directly to their website with a single click. This provides a tangible benefit over print and television advertising, which may not fully capture a viewer's interest. Additionally, companies can target their ads on pages with relevant content using contextual ad placement services, such as Google AdSense. This allows businesses to attract people who are the most likely to be interested in the products or services they offer.
In the past few years, DDM has revolutionized the marketing industry. By using digital communications, businesses can advertise in several new ways that were not possible before. While e-mail and the Web remain the most popular mediums for DDM, digital marketing continues to expand into other areas as well. Mobile phones and video games are already being used for DDM and you can expect many other mediums to follow.
News is what people want to keep hidden; everything else is publicity.
Bill Moyers
Speech, May 15, 2005
Note -