Newsletter
IT and Cyber Security News Update from Centre for Research and Prevention of Computer Crimes,
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005. December 08, 2014, Issue no 1516. Tenth year of uninterrupted publication.
Today's edition
IDENTIFY : Iran minister says all web surfers to be 'identified'
LAW : GCHQ web surveillance does not breach human rights, says UK security court
TOR : Tor a Big Source of Bank Fraud - US Treasury Dept
RISK : Businesses do not take IT risks seriously enough - KPMG study
IDENTIFY : Iran minister says all web surfers to be 'identified'
AFP
December 7, 2014
https://au.news.yahoo.com/world/a/25705474/iran-minister-says-all-web-surfers-to-be-identified/
Tehran (AFP) - Iran's telecommunications minister has said his technicians are developing a system to identify any Internet user in the country at the moment of log-on, the ISNA news agency reported Saturday.
"Because of our efforts, in future when people want to use the Internet they will be identified, and there will be no web surfer whose identity we do not know," Mahmoud Vaezi said, without elaborating on how this would technically be done.
Last month, he said the Islamic republic would have "smart filtering" within six months to weed out Internet content the authorities deem offensive or criminal.
"The first phase of smart online filtering will be ready within a month, a second phase within three months and a third within six months", ISNA reported him as saying on November 14.
Iran formed a special Internet police unit in early 2011 to combat "cyber crimes", particularly on social networking sites, which are popular among the opposition and dissidents.
Internet censorship is a bone of contention between conservative hardliners and government members, including President Hassan Rouhani, who use social networks.
The authorities have regularly blocked access to networks including Facebook, YouTube and Twitter since the public protests against the 2009 re-election of Rouhani's predecessor, Mahmoud Ahmadinejad.
Official figures show that more than 30 million people out of Iran's total population of 75 million use the Internet.
A recent study found that 69 percent of young users use illegal software to bypass official restrictions.
In October, Iran blocked access to an Instagram page devoted to the lifestyle of Tehran's young elite that had stirred indignation in the sanctions-hit country.
In September, the judiciary gave the government a month to ban the messaging applications Viber, Tango and WhatsApp over insults to Iranian officials, but the apps remain accessible.
LAW : GCHQ web surveillance does not breach human rights, says UK security court
Fiona O'Cleirigh
05 December 2014
Interception of citizens' data by the UK intelligence services complies with articles 8 and 10 of the European Convention on Human Rights, as given domestic effect by the Human Rights Act, according to the judgment of Britain's top security court.
The five judges of the Investigatory Powers Tribunal (IPT) found, however, that a disclosure made by the intelligence services relating to information sharing between the UK and US showed the interception regime was not compliant prior to that disclosure. As to how the revelation made it compliant, counsel said they didn't know.
The week-long public hearing in July 2014 followed a legal complaint alleging that GCHQ's mass surveillance of internet communications violates human rights law.
Privacy International, Liberty, Amnesty International, the American Civil Liberties Union and other overseas human rights groups brought the action to obtain confirmation that UK intelligence services have intercepted telecommunications data under the Tempora programme.
They also hoped to establish whether or not GCHQ has access to intelligence collected by the US under its Prism and Upstream programmes, revealed by whistleblower Edward Snowden, and whether that violates the rights to privacy and freedom of expression laid out in articles 8 and 10 of the European Convention on Human Rights.
The latest judgment is based on a hypothetical question: if interception has taken place, would it have contravened the Human Rights Act? The court has yet to rule on whether such interception has in fact taken place.
The disclosure submitted in October 2014 related to information-sharing arrangements between the UK and US governments, whereby the UK government may have access to UK citizens' data intercepted by the US National Security Agency (NSA).
The interception of data in the UK by government bodies is regulated by the Regulation of Investigatory Powers Act 2000 (RIPA). In all other respects, the IPT declared, UK surveillance practices do not contravene the Human Rights Act.
Amnesty International's counsel Nick Williams said he is concerned that the use of US-intercepted data will allow the government to circumvent statutory safeguards and that the court has given it a "green light".
"We want a much fuller picture, which they are not prepared to give us," he said. "There is this possibility they may have gone around RIPA via the back door."
President of the IPT panel Mr Justice Burton said the case has thrown valuable light onto hitherto unknown surveillance practices: "The public should be grateful to the claimants who brought this claim."
Amnesty UK's legal advisor Rachel Logan said Amnesty will appeal to the European Court of Human Rights in Strasbourg. The IPT is a court of exclusive jurisdiction, so even the UK High Court cannot hear an appeal against its judgments.
"The government's entire defence has amounted to 'trust us' and now the tribunal has said the same. Since we only know about the scale of such surveillance thanks to Snowden, and given that national security has been recklessly bandied around, 'trust us' isn't enough," said Logan.
"We will now appeal to Strasbourg, which might not be as inclined to put its trust in the UK government given what we know so far."
Amnesty pointed out that the judgment was made on the basis of hypothetical facts, given the government's continued refusal to confirm or deny any of its surveillance practices. The tribunal held considerable portions of the proceedings in secret.
TOR : Tor a Big Source of Bank Fraud - US Treasury Dept
Krebs on Security
December 5, 2014
https://krebsonsecurity.com/2014/12/treasury-dept-tor-a-big-source-of-bank-fraud/
A new report from the U.S. Treasury Department found that a majority of bank account takeovers by cyberthieves over the past decade might have been thwarted had the affected institutions known to look for and block transactions coming through Tor, a global communications network that helps users maintain anonymity by obfuscating their true location online.
The findings come in a non-public report obtained by KrebsOnSecurity that was produced by the Financial Crimes Enforcement Network (FinCEN), a Treasury Department bureau responsible for collecting and analyzing data about financial transactions to combat domestic and international money laundering, terrorist financing and other financial crimes.
In the report, released on Dec. 2, 2014, FinCEN said it examined some 6,048 suspicious activity reports (SARs) filed by banks between August 2001 and July 2014, searching the reports for those involving one of more than 6,000 known Tor network nodes. Investigators found 975 hits corresponding to reports totaling nearly $24 million in likely fraudulent activity.
"Analysis of these documents found that few filers were aware of the connection to Tor, that the bulk of these filings were related to cybercrime, and that Tor related filings were rapidly rising," the report concluded. "Our BSA [Bank Secrecy Act] analysis of 6,048 IP addresses associated with the Tor darknet found that in the majority of the SAR filings, the underlying suspicious activity (most frequently account takeovers) might have been prevented if the filing institution had been aware that their network was being accessed via Tor IP addresses."
FinCEN said it was clear from the SAR filings that most financial institutions were unaware that the IP address where the suspected fraudulent activity occurred was in fact a Tor node.
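The check FinCEN performed after the fact (matching the IP addresses in filings against a list of known Tor nodes) is one a bank can run at login time. The Python below is an added example written for this newsletter, not code from the FinCEN report or from KrebsOnSecurity. It parses a constructed sample in the format the Tor Project publishes at https://check.torproject.org/exit-addresses, then matches constructed online-banking login events against it. The node fingerprints are made up, the addresses come from RFC 5737 documentation ranges, and the 24-hour freshness window is an assumption: exit addresses churn, so an address last seen as an exit days ago is reported separately rather than treated as a live Tor exit.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample in the layout of the Tor Project's exit-address list
# (https://check.torproject.org/exit-addresses). Fingerprints are invented and
# the addresses are RFC 5737 documentation ranges, not real relays.
SAMPLE_EXIT_LIST = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2014-12-05 12:17:08
LastStatus 2014-12-05 13:02:42
ExitAddress 192.0.2.10 2014-12-05 13:05:42
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2014-12-04 23:40:01
LastStatus 2014-12-05 01:10:12
ExitAddress 198.51.100.7 2014-12-05 01:12:00
ExitAddress 198.51.100.8 2014-12-03 09:00:00
"""

# Constructed login events: (timestamp, account, source IP as seen by the bank).
SAMPLE_LOGINS = [
    ("2014-12-05 13:30:00", "acct-1001", "192.0.2.10"),
    ("2014-12-05 13:31:00", "acct-1002", "203.0.113.55"),
    ("2014-12-05 14:02:00", "acct-1003", "198.51.100.8"),
    ("2014-12-05 14:05:00", "acct-1004", "not-an-ip"),
]

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_exit_list(text):
    """Map each exit address to the latest time Tor's exit scanner saw it.

    Only ExitAddress lines carry addresses; the ExitNode/Published/LastStatus
    lines describe the relay and are skipped. An address can appear under more
    than one relay, so the most recent sighting wins.
    """
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "ExitAddress":
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # malformed line: ignore rather than poison the whole list
        ts = datetime.strptime(parts[2] + " " + parts[3], TS_FMT)
        if ip not in seen or ts > seen[ip]:
            seen[ip] = ts
    return seen


def flag_tor_logins(logins, exit_seen, max_age=timedelta(hours=24)):
    """Split logins from listed exit addresses into fresh and stale matches.

    Returns (fresh, stale), each a list of (account, ip, age) where age is the
    gap between the login and the scanner's sighting. A match counts as fresh
    only if that gap is within max_age (an assumed window); older sightings are
    reported as stale so a long-dead exit does not block a legitimate customer.
    """
    fresh, stale = [], []
    for ts_str, account, ip_str in logins:
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # unparseable source address: skip, never crash the check
        if ip not in exit_seen:
            continue
        age = datetime.strptime(ts_str, TS_FMT) - exit_seen[ip]
        bucket = fresh if abs(age) <= max_age else stale
        bucket.append((account, ip_str, age))
    return fresh, stale


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    fresh, stale = flag_tor_logins(SAMPLE_LOGINS, exits)
    for account, ip, age in fresh:
        print(f"REVIEW {account}: login from Tor exit {ip} (seen {age} ago)")
    for account, ip, age in stale:
        print(f"NOTE   {account}: {ip} was a Tor exit {age} ago; stale, not blocked")
```

In production the list is fetched on a schedule and the match is one signal feeding step-up authentication or manual review, not an outright block: as Weaver notes further down, attackers have other ways to hide their source address, and hard-blocking punishes legitimate Tor users.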
"Our analysis of the type of suspicious activity indicates that a majority of the SARs were filed for account takeover or identity theft," the report noted. "In addition, analysis of the SARs filed with the designation 'Other' revealed that most were filed for Account Takeover, and at least five additional SARs were filed incorrectly and should have been 'Account Takeover'."
The government also notes that there has been a fairly recent and rapid rise in the number of SAR filings over the last year involving bank fraud tied to Tor nodes.
"From October 2007 to March 2013, filings increased by 50 percent," the report observed. "During the most recent period (March 1, 2013 to July 11, 2014), filings rose 100 percent."
While banks may be able to detect and block more fraudulent transactions by paying closer attention to, or outright barring, traffic from Tor nodes, such an approach is unlikely to have a lasting impact on fraud, said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley.
"I'm not surprised by this: Tor is easy for bad actors to use to isolate their identity," Weaver said. "Yet blocking all Tor will do little good, because there are many other easy ways for attackers to hide their source address."
Earlier this summer, the folks who maintain the Tor Project identified this problem (that many sites and even ISPs are increasingly blocking Tor traffic because of its abuse by fraudsters) as an existential threat to the anonymity network. The organization used this trend as a rallying cry for Tor users to consider lending their brainpower to help the network thrive in spite of these threats.
"A growing number of websites treat users from anonymity services differently. Slashdot doesn't let you post comments over Tor, Wikipedia won't let you edit over Tor, and Google sometimes gives you a captcha when you try to search (depending on what other activity they've seen from that exit relay lately)," wrote Tor Project Leader Roger Dingledine. "Some sites like Yelp go further and refuse to even serve pages to Tor users."
Dingledine continued:
"The result is that the Internet as we know it is siloing. Each website operator works by itself to figure out how to handle anonymous users, and generally neither side is happy with the solution. The problem isn't limited to just Tor users, since these websites face basically the same issue with users from open proxies, users from AOL, users from Africa, etc."
Weaver said the problem of high volumes of fraudulent activity coming through the Tor network presents something of a no-win situation for any website dealing with Tor users.
"If you treat Tor as hostile, you cause collateral damage to real users, while the scum use many easy workarounds. If you treat Tor as benign, the scum come flowing through," Weaver said. "For some sites, such as Wikipedia, there is perhaps a middle ground. But for banks? That's another story."
Also see
http://securityaffairs.co/wordpress/30837/cyber-crime/treasury-dept-report-tor-network-abuse.html
RISK : Businesses do not take IT risks seriously enough - KPMG study
Cliff Saran
05 December 2014
UK businesses are paying out £410,000 per year for unplanned IT problems, a study from KPMG has warned.
An average of 776,000 individuals were affected, and around four million bank and credit card accounts were compromised, by each IT failure.
Over 50% of IT problems were caused by coding errors or failed IT changes, according to the KPMG study.
KPMG's Tech Risk Radar highlighted the case of a utility company facing a £10m fine when technical glitches occurred during the transfer to a new billing system. Customers did not receive bills for months, were then sent inaccurate payment demands, and were refused prompt refunds when the company eventually acknowledged the errors.
In November 2014, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) jointly fined the Royal Bank of Scotland (RBS) £56m for an IT outage that left customers unable to access their bank accounts, but said underinvestment was not the cause.
IT at the heart of business
Commenting on the challenges facing the banking sector, KPMG partner David DiCristofaro said: "Banks are under pressure. Rationalising relationships by cutting numbers and consolidating external suppliers can help. Banks should also focus on the underlying contracts related to supplier relationships."
Jon Dowie, partner in KPMG's Technology Risk practice, said: "Technology is no longer a function in a business which operates largely in isolation. It is at the heart of everything a company does and, when it goes wrong, it affects an organisation's bottom line, its relationship with customers and its wider reputation."
The study found 7.3% of reported events resulted from human error. KPMG said this shows that basic investments in training are being ignored at the employer's expense.
Dowie said: "With ever greater complexity in IT systems, not to mention the challenge of implementing IT transformational change, companies are running to stand still in managing their IT risks.
"The cost of failure is all too clear. It is crucial for both public and private sector organisations to understand the risks associated with IT, and how they can be managed, mitigated and avoided."
Matching risk assessment with investment
Data-loss related incidents continued to be a major problem for all industries. KPMG found a significant number of those (16%) were unintentional.
As Computer Weekly previously reported, the Information Commissioner's Office (ICO) served a £180,000 penalty on the Ministry of Justice for serious failings in personal data protection at prisons in England and Wales.
"Investment in technology will continue to rise as businesses embrace digital and other opportunities, but this needs to be matched by investments in assessing, managing and monitoring the associated risks. At a time when even our regulators have shown themselves to be vulnerable to technology risk, no-one can afford to be complacent," Dowie said.
In a warning to the insurance sector, Dowie said: "I believe there is a real threat that resources and management will once again be distracted and diverted by the final stages of the implementation of Solvency II in time for January 2016."
Directory
DirectX is a set of standard commands and functions that
software developers can use when creating their programs. While any
Windows-based software program can include DirectX commands, they are usually
used in video games. For example, developers may use DirectX for controlling
video playback, sound effects, and peripheral input (such as a keyboard, mouse,
or joystick). By incorporating DirectX functions into a computer game,
programmers can use predefined commands to manage the video and sound of their
game, as well as user input. This makes it easier for programmers to develop
video games and also helps the games look more uniform, since DirectX games use
many of the same commands.
Technically, DirectX is known as an application programming
interface (API), which consists of predefined functions and commands. In order
to create programs that use DirectX, software developers must use the DirectX
software development kit, available from Microsoft. However, most users need
only the DirectX "End-User Runtime" installed on their computer in order
to run DirectX-enabled software. The DirectX API is available for Windows
software and Xbox video games.
It's not who you are on the
inside but what you do that defines you!
Kautilya
Note -