IT and Cyber Security News Update from
Centre for Research and Prevention of Computer
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005 | December 08, 2014 | Issue no 1516
Tenth year of uninterrupted publication
December 7, 2014
Tehran (AFP) - Iran's telecommunications minister has said his technicians are developing a system to identify any Internet user in the country at the moment of log-on, the ISNA news agency reported Saturday.
"Because of our efforts, in future when people want to use the Internet they will be identified, and there will be no web surfer whose identity we do not know," Mahmoud Vaezi said, without elaborating on how this would technically be done.
Last month, he said the Islamic republic would have "smart filtering" within six months to weed out Internet content the authorities deem offensive or criminal.
"The first phase of smart online filtering will be ready within a month, a second phase within three months and a third within six months", ISNA reported him as saying on November 14.
Iran formed a special Internet police unit in early 2011 to combat "cyber crimes", particularly on social networking sites which are popular among the opposition and dissidents.
Internet censorship is a bone of contention between conservative hardliners and government members including President Hassan Rouhani who use social networks.
The authorities have regularly blocked access to networks including Facebook, YouTube and Twitter since the public protests against the 2009 re-election of Rouhani's predecessor, Mahmoud Ahmadinejad.
Official figures show that more than 30 million people out of Iran's total population of 75 million use the Internet.
A recent study found that 69 percent of young users use illegal software to bypass official restrictions.
In October, Iran prevented access to an Instagram page devoted to the lifestyle of Tehran's young elite that stirred indignation in the sanctions-hit country.
In September, the judiciary gave the government a month to ban messaging applications Viber, Tango and WhatsApp over insults to Iranian officials, but the apps remain accessible.
05 December 2014
Data interception of citizens by the UK intelligence services complies with articles eight and 10 of the Human Rights Act, according to the judgment of Britain's top security court.
The five judges of the Investigatory Powers Tribunal (IPT) found, however, that a disclosure made by the intelligence services relating to information sharing between the UK and US showed the interception regime was not compliant prior to that disclosure. As to how the revelation made it compliant, counsel said they didn't know.
The week-long public hearing in July 2014 followed a legal complaint alleging GCHQ's mass surveillance of internet communications violates human rights law.
Privacy International, Liberty, Amnesty International, the American Civil Liberties Union and other overseas human rights groups brought the action to obtain confirmation that UK intelligence services have intercepted telecommunications data under the Tempora programme.
They also hoped to establish whether or not GCHQ has access to intelligence collected by the US under its Prism and Upstream programmes revealed in the revelations by whistleblower Edward Snowden and whether that violates the rights to privacy and freedom of expression laid out in articles eight and 10 of the European Convention on Human Rights.
The latest judgment is based on a hypothetical question: if interception has taken place, would it have contravened the Human Rights Act? The court has yet to rule on whether such interception has in fact taken place.
The disclosure submitted in October 2014 related to information sharing arrangements between the UK and US governments, whereby the UK government may have access to UK citizens' data intercepted by the US National Security Agency (NSA).
The interception of data in the UK by government bodies is regulated by the Regulation of Investigatory Powers Act 2000 (RIPA). In all other respects, the IPT declared, UK surveillance practices do not contravene the Human Rights Act.
Amnesty International's counsel Nick Williams said he is concerned the use of US-intercepted data will allow the government to circumvent statutory safeguards and that the court has given it a "green light".
"We want a much fuller picture, which they are not prepared to give us," he said. "There is this possibility they may have gone around RIPA via the back door."
President of the IPT panel Mr Justice Burton said the case has thrown valuable light onto hitherto unknown surveillance practices: "The public should be grateful to the claimants who brought this claim."
Amnesty UK's legal adviser Rachel Logan said Amnesty will appeal to the European court in Strasbourg. The IPT is a court of exclusive jurisdiction, so even the UK High Court cannot hear an appeal against its judgements.
"The government's entire defence has amounted to 'trust us' and now the tribunal has said the same. Since we only know about the scale of such surveillance thanks to Snowden, and given that national security has been recklessly bandied around, 'trust us' isn't enough," said Logan.
"We will now appeal to Strasbourg, which might not be as inclined to put its trust in the UK government given what we know so far."
Amnesty pointed out the judgment was made on the basis of hypothetical facts given the government's continued refusal to confirm or deny any of its surveillance practices. The tribunal held considerable portions of the proceedings in secret.
Krebs on Security
December 5, 2014
A new report from the U.S. Treasury Department found that a majority of bank account takeovers by cyberthieves over the past decade might have been thwarted had the affected institutions known to look for and block transactions coming through Tor, a global communications network that helps users maintain anonymity by obfuscating their true location online.
The findings come in a non-public report obtained by KrebsOnSecurity that was produced by the Financial Crimes Enforcement Network (FinCEN), a Treasury Department bureau responsible for collecting and analyzing data about financial transactions to combat domestic and international money laundering, terrorist financing and other financial crimes.
In the report, released on Dec. 2, 2014, FinCEN said it examined some 6,048 suspicious activity reports (SARs) filed by banks between August 2001 and July 2014, searching the reports for those involving one of more than 6,000 known Tor network nodes. Investigators found 975 hits corresponding to reports totaling nearly $24 million in likely fraudulent activity.
"Analysis of these documents found that few filers were aware of the connection to Tor, that the bulk of these filings were related to cybercrime, and that Tor related filings were rapidly rising," the report concluded. "Our BSA [Bank Secrecy Act] analysis of 6,048 IP addresses associated with the Tor darknet found that in the majority of the SAR filings, the underlying suspicious activity, most frequently account takeovers, might have been prevented if the filing institution had been aware that their network was being accessed via Tor IP addresses."
FinCEN said it was clear from the SAR filings that most financial institutions were unaware that the IP address where the suspected fraudulent activity occurred was in fact a Tor node.
"Our analysis of the type of suspicious activity indicates that a majority of the SARs were filed for account takeover or identity theft," the report noted. "In addition, analysis of the SARs filed with the designation 'Other' revealed that most were filed for 'Account Takeover', and at least five additional SARs were filed incorrectly and should have been 'Account Takeover'."
The government also notes that there has been a fairly recent and rapid rise in the number of SAR filings over the last year involving bank fraud tied to Tor nodes.
"From October 2007 to March 2013, filings increased by 50 percent," the report observed. "During the most recent period, March 1, 2013 to July 11, 2014, filings rose 100 percent."
While banks may be able to detect and block more fraudulent transactions by paying closer attention to or outright barring traffic from Tor nodes, such an approach is unlikely to have a lasting impact on fraud, said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley.
"I'm not surprised by this: Tor is easy for bad actors to use to isolate their identity," Weaver said. "Yet blocking all Tor will do little good, because there are many other easy ways for attackers to hide their source address."
Earlier this summer, the folks who maintain the Tor Project identified this problem, that many sites and even ISPs are increasingly blocking Tor traffic because of its abuse by fraudsters, as an existential threat to the anonymity network. The organization used this trend as a rallying cry for Tor users to consider lending their brainpower to help the network thrive in spite of these threats.
"A growing number of websites treat users from anonymity services differently. Slashdot doesn't let you post comments over Tor, Wikipedia won't let you edit over Tor, and Google sometimes gives you a captcha when you try to search (depending on what other activity they've seen from that exit relay lately)," wrote Tor Project Leader Roger Dingledine. "Some sites like Yelp go further and refuse to even serve pages to Tor users."
"The result is that the Internet as we know it is siloing. Each website operator works by itself to figure out how to handle anonymous users, and generally neither side is happy with the solution. The problem isn't limited to just Tor users, since these websites face basically the same issue with users from open proxies, users from AOL, users from Africa, etc."
Weaver said the problem of high volumes of fraudulent activity coming through the Tor Network presents something of a no-win situation for any website dealing with Tor users.
"If you treat Tor as hostile, you cause collateral damage to real users, while the scum use many easy workarounds. If you treat Tor as benign, the scum come flowing through," Weaver said. "For some sites, such as Wikipedia, there is perhaps a middle ground. But for banks? That's another story."
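The check FinCEN says most filers were not making, written here as an added example for this digest and not code from FinCEN, KrebsOnSecurity or the Tor Project: it loads a list of Tor exit-relay addresses, parses a few lines of a constructed online-banking audit log, and turns matches into a per-account risk signal instead of a hard block, which is the middle ground Weaver points at. The log format, field names and the RFC 5737 addresses are all assumptions; the exit list is assumed to be one address per line, as the Tor Project's bulk exit list is published. It matches on exit relays only, because only an exit relay ever opens the connection to the bank; matching every one of the 6,000-odd relays would also sweep in guards and middles that never talk to the bank and may share an address with an ordinary customer running a relay.

```python
"""Flag online-banking sessions that arrive from Tor exit relays (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed exit list, one address per line with '#' comments (assumed format,
# mirroring the Tor Project's bulk exit list). RFC 5737 documentation addresses,
# not real relays.
EXIT_LIST_TEXT = """
# constructed sample, refreshed hourly in practice; not a real exit list
198.51.100.7
198.51.100.23
203.0.113.99
"""

# Constructed audit log in a hypothetical key=value format.
AUDIT_LOG = """
2014-12-05T09:12:01Z acct=100234 src=192.0.2.10 event=login result=ok
2014-12-05T09:14:37Z acct=100234 src=192.0.2.10 event=transfer amount=250.00
2014-12-05T11:02:15Z acct=100451 src=198.51.100.7 event=login result=ok
2014-12-05T11:03:02Z acct=100451 src=198.51.100.7 event=profile_change field=email
2014-12-05T11:05:44Z acct=100451 src=198.51.100.7 event=transfer amount=4800.00
2014-12-05T12:30:00Z acct=100777 src=203.0.113.99 event=login result=fail
2014-12-05T12:30:40Z acct=100777 src=203.0.113.99 event=login result=ok
2014-12-05T13:00:00Z acct=100888 src=198.51.100.50 event=transfer amount=30.00
"""

# Actions an account-takeover typically performs once logged in.
HIGH_RISK_EVENTS = {"transfer", "profile_change"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def load_exit_list(text):
    """Parse the exit list into a set of ip_address objects (v4 and v6 both work)."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        exits.add(ipaddress.ip_address(line))
    return exits


def parse_log(text):
    """Parse 'timestamp k=v k=v ...' lines into dicts; src becomes an ip_address."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        fields = dict(kv.split("=", 1) for kv in match.group("kv").split())
        fields["ts"] = match.group("ts")
        fields["src"] = ipaddress.ip_address(fields["src"])
        events.append(fields)
    return events


def tor_hits(events, exits):
    """Every event whose source address is a known exit relay, for the SAR narrative."""
    return [
        {"acct": ev["acct"], "ts": ev["ts"], "event": ev["event"], "src": str(ev["src"])}
        for ev in events
        if ev["src"] in exits
    ]


def accounts_to_review(events, exits):
    """Map account -> verdict.

    'step_up_auth': a successful login came from an exit relay; challenge the
                    session (second factor, call-back) rather than refuse it.
    'review':       a high-risk action followed that login in the same Tor
                    session; hold the action for fraud review.
    Accounts never seen from an exit relay are absent.
    """
    verdict = {}
    tor_sessions = set()
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 sorts lexically
        if ev["src"] not in exits:
            continue
        acct = ev["acct"]
        if ev["event"] == "login" and ev.get("result") == "ok":
            tor_sessions.add(acct)
            verdict.setdefault(acct, "step_up_auth")
        elif ev["event"] in HIGH_RISK_EVENTS and acct in tor_sessions:
            verdict[acct] = "review"
    return verdict


if __name__ == "__main__":
    exit_set = load_exit_list(EXIT_LIST_TEXT)
    log_events = parse_log(AUDIT_LOG)
    for hit in tor_hits(log_events, exit_set):
        print("tor-exit", hit)
    print(accounts_to_review(log_events, exit_set))
```

Two operational points the snippet leaves to the reader: the exit list changes constantly, so it must be refreshed on a schedule and the timestamp of the list used should be recorded alongside each hit, and a customer's "Tor login" verdict should decay once they authenticate normally, otherwise the signal becomes the blanket block that Weaver and Dingledine warn against.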
05 December 2014
UK businesses are paying out £410,000 per year for unplanned IT problems, a study from KPMG has warned.
An average of 776,000 individuals were affected and around four million bank and credit card accounts were compromised by each IT failure.
Over 50% of IT problems were caused by coding errors or failed IT changes, the study found.
KPMG's Tech Risk Radar highlighted the case of a utility company facing a £10m fine when technical glitches occurred during the transfer to a new billing system. Customers did not receive bills for months; were then sent inaccurate payment demands; and were refused prompt refunds when the company eventually acknowledged the errors.
In November 2014, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) jointly fined the Royal Bank of Scotland (RBS) £56m for an IT outage that left customers unable to access their bank accounts, but said underinvestment was not the cause.
IT at the heart of business
Commenting on the challenges facing the banking sector, KPMG partner David DiCristofaro said: "Banks are under pressure. Rationalising relationships by cutting numbers and consolidating external suppliers can help. Banks should also focus on the underlying contracts related to supplier relationships."
Jon Dowie, partner in KPMG's Technology Risk practice, said: "Technology is no longer a function in a business which operates largely in isolation. It is at the heart of everything a company does and, when it goes wrong, it affects an organisation's bottom line, its relationship with customers and its wider reputation."
The study found 7.3% of reported events resulted from human error. KPMG said this shows that basic investments in training are being ignored at the employer's expense.
Dowie said: "With ever greater complexity in IT systems, not to mention the challenge of implementing IT transformational change, companies are running to stand still in managing their IT risks.
"The cost of failure is all too clear. It is crucial for both public and private sector organisations to understand the risks associated with IT, and how they can be managed, mitigated and avoided."
Matching risk assessment with investment
Data-loss related incidents continued to be a major problem for all industries. KPMG found a significant number of those (16%) were unintentional.
As Computer Weekly previously reported, the Information Commissioner's Office (ICO) served a £180,000 penalty on the Ministry of Justice for serious failings in personal data protection at prisons in England and Wales.
"Investment in technology will continue to rise as businesses embrace digital and other opportunities, but this needs to be matched by investments in assessing, managing and monitoring the associated risks. At a time when even our regulators have shown themselves to be vulnerable to technology risk, no-one can afford to be complacent," Dowie said.
In a warning to the insurance sector, Dowie said: "I believe there is a real threat that resources and management will once again be distracted and diverted by the final stages of the implementation of Solvency II in time for January 2016."
DirectX is a set of standard commands and functions that software developers can use when creating their programs. While any Windows-based software program can include DirectX commands, they are usually used in video games. For example, developers may use DirectX for controlling video playback, sound effects, and peripheral input (such as a keyboard, mouse, or joystick). By incorporating DirectX functions into a computer game, programmers can use predefined commands to manage the video and sound of their game, as well as user input. This makes it easier for programmers to develop video games and also helps the games look more uniform, since DirectX games use many of the same commands.
Technically, DirectX is known as an application programming interface (API), which consists of predefined functions and commands. In order to create programs that use DirectX, software developers must use the DirectX software development kit, available from Microsoft. However, most users need only the DirectX "End-User Runtime" installed on their computer in order to run DirectX-enabled software. The DirectX API is available for Windows software and Xbox video games.
It's not who you are on the inside but what you do that defines you!