CCC News

Newsletter

IT and Cyber Security News Update from

Centre for Research and Prevention of Computer Crimes, India

(www.cccnews.in)

Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)

Since June 2005                                         December 08, 2014                                          Issue no 1516

Tenth year of uninterrupted publication


Today’s edition – 

 

IDENTIFY : Iran minister says all web surfers to be 'identified'

LAW : GCHQ web surveillance does not breach human rights, says UK security court

TOR : Tor a Big Source of Bank Fraud – US Treasury Dept

RISK : Businesses do not take IT risks seriously enough - KPMG study

IT Term of the day

Quote of the day

                                                                                               



IDENTIFY : Iran minister says all web surfers to be 'identified'

AFP

December 7, 2014

https://au.news.yahoo.com/world/a/25705474/iran-minister-says-all-web-surfers-to-be-identified/

 

Tehran (AFP) - Iran's telecommunications minister has said his technicians are developing a system to identify any Internet user in the country at the moment of log-on, the ISNA news agency reported Saturday.

 

"Because of our efforts, in future when people want to use the Internet they will be identified, and there will be no web surfer whose identity we do not know," Mahmoud Vaezi said, without elaborating on how this would technically be done.

 

Last month, he said the Islamic republic would have "smart filtering" within six months to weed out Internet content the authorities deem offensive or criminal.

 

"The first phase of smart online filtering will be ready within a month, a second phase within three months and a third within six months", ISNA reported him as saying on November 14.

 

Iran formed a special Internet police unit in early 2011 to combat "cyber crimes", particularly on social networking sites which are popular among the opposition and dissidents.

 

Internet censorship is a bone of contention between conservative hardliners and government members including President Hassan Rouhani who use social networks.

 

The authorities have regularly blocked access to social networks, including Facebook, YouTube and Twitter, since the public protests against the 2009 re-election of Rouhani's predecessor, Mahmoud Ahmadinejad.

 

Official figures show that more than 30 million people out of Iran's total population of 75 million use the Internet.

 

A recent study found that 69 percent of young users use illegal software to bypass official restrictions.

 

In October, Iran prevented access to an Instagram page devoted to the lifestyle of Tehran's young elite that stirred indignation in the sanctions-hit country.

 

In September, the judiciary gave the government a month to ban messaging applications Viber, Tango and WhatsApp over insults to Iranian officials, but the apps remain accessible.

 



LAW : GCHQ web surveillance does not breach human rights, says UK security court

Fiona O'Cleirigh

05 December 2014

http://www.computerweekly.com/news/2240236113/GCHQ-web-surveillance-does-not-breach-human-rights-says-UK-security-court?asrc=EM_EDA_37265148&utm_medium=EM&utm_source=EDA&utm_campaign=20141208_Hacker%20group%20Lizard%20Squad%20downs%20Sony%20PlayStation%20Network_

 

Data interception of citizens by the UK intelligence services complies with articles 8 and 10 of the European Convention on Human Rights, as given effect in UK law by the Human Rights Act, according to the judgment of Britain's top security court.

 

The five judges of the Investigatory Powers Tribunal (IPT) found, however, that a disclosure made by the intelligence services relating to information sharing between the UK and US showed the interception regime was not compliant prior to that disclosure. As to how the revelation made it compliant, counsel said they didn't know.

 

The week-long public hearing in July 2014 followed a legal complaint alleging GCHQ's mass surveillance of internet communications violates human rights law.

 

Privacy International, Liberty, Amnesty International, the American Civil Liberties Union and other overseas human rights groups brought the action to obtain confirmation that UK intelligence services have intercepted telecommunications data under the Tempora programme.

 

They also hoped to establish whether or not GCHQ has access to intelligence collected by the US under its Prism and Upstream programmes, disclosed by whistleblower Edward Snowden, and whether that violates the rights to privacy and freedom of expression laid out in articles 8 and 10 of the European Convention on Human Rights.

 

The latest judgment answers a hypothetical question: if such interception has taken place, would it contravene the Human Rights Act? The court has yet to rule on whether the interception has in fact taken place.

 

The disclosure submitted in October 2014 related to information sharing arrangements between the UK and US governments, whereby the UK government may have access to UK citizens' data intercepted by the US National Security Agency (NSA).

 

The interception of data in the UK by government bodies is regulated by the Regulation of Investigatory Powers Act 2000 (RIPA). In all other respects, the IPT declared, UK surveillance practices do not contravene the Human Rights Act.

 

Amnesty International's counsel Nick Williams said he is concerned the use of US-intercepted data will allow the government to circumvent statutory safeguards and that the court has given it a "green light".

 

"We want a much fuller picture, which they are not prepared to give us," he said. "There is this possibility they may have gone around RIPA via the back door."

 

President of the IPT panel Mr Justice Burton said the case has thrown valuable light onto hitherto unknown surveillance practices: "The public should be grateful to the claimants who brought this claim."

 

Amnesty UK’s legal advisor Rachel Logan said Amnesty will appeal to the European Court of Human Rights in Strasbourg. The IPT is a court of exclusive jurisdiction, so not even the UK High Court can hear an appeal against its judgments.

 

“The government’s entire defence has amounted to ‘trust us’ and now the tribunal has said the same. Since we only know about the scale of such surveillance thanks to Snowden, and given that ‘national security’ has been recklessly bandied around, ‘trust us’ isn’t enough,” said Logan.

 

"We will now appeal to Strasbourg, which might not be as inclined to put its trust in the UK government given what we know so far.”

 

Amnesty pointed out the judgment was made on the basis of “hypothetical facts” given the government’s continued refusal to confirm or deny any of its surveillance practices. The tribunal held considerable portions of the proceedings in secret.

 



TOR : Tor a Big Source of Bank Fraud – US Treasury Dept

Krebs on Security

December 5, 2014

https://krebsonsecurity.com/2014/12/treasury-dept-tor-a-big-source-of-bank-fraud/

 

A new report from the U.S. Treasury Department found that a majority of bank account takeovers by cyberthieves over the past decade might have been thwarted had affected institutions known to look for and block transactions coming through Tor, a global communications network that helps users maintain anonymity by obfuscating their true location online.

 

The findings come in a non-public report obtained by KrebsOnSecurity that was produced by the Financial Crimes Enforcement Network (FinCEN), a Treasury Department bureau responsible for collecting and analyzing data about financial transactions to combat domestic and international money laundering, terrorist financing and other financial crimes.

 

In the report, released on Dec. 2, 2014, FinCEN said it examined some 6,048 suspicious activity reports (SARs) filed by banks between August 2001 and July 2014, searching the reports for those involving one of more than 6,000 known Tor network nodes. Investigators found 975 hits corresponding to reports totaling nearly $24 million in likely fraudulent activity.

 

“Analysis of these documents found that few filers were aware of the connection to Tor, that the bulk of these filings were related to cybercrime, and that Tor related filings were rapidly rising,” the report concluded. “Our BSA [Bank Secrecy Act] analysis of 6,048 IP addresses associated with the Tor darknet found that in the majority of the SAR filings, the underlying suspicious activity — most frequently account takeovers — might have been prevented if the filing institution had been aware that their network was being accessed via Tor IP addresses.”

 

FinCEN said it was clear from the SAR filings that most financial institutions were unaware that the IP address where the suspected fraudulent activity occurred was in fact a Tor node.

 

“Our analysis of the type of suspicious activity indicates that a majority of the SARs were filed for account takeover or identity theft,” the report noted. “In addition, analysis of the SARs filed with the designation ‘Other’ revealed that most were filed for ‘Account Takeover,’ and at least five additional SARs were filed incorrectly and should have been ‘Account Takeover.’”

 

The government also notes that there has been a fairly recent and rapid rise in the number of SAR filings over the last year involving bank fraud tied to Tor nodes.

 

“From October 2007 to March 2013, filings increased by 50 percent,” the report observed. “During the most recent period — March 1, 2013 to July 11, 2014 — filings rose 100 percent.”

 

While banks may be able to detect and block more fraudulent transactions by paying closer attention to or outright barring traffic from Tor nodes, such an approach is unlikely to have a lasting impact on fraud, said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley.

 

“I’m not surprised by this: Tor is easy for bad actors to use to isolate their identity,” Weaver said. “Yet blocking all Tor will do little good, because there are many other easy ways for attackers to hide their source address.”

 

Earlier this summer, the folks who maintain the Tor Project identified this problem — that many sites and even ISPs are increasingly blocking Tor traffic because of its abuse by fraudsters — as an existential threat to the anonymity network. The organization used this trend as a rallying cry for Tor users to consider lending their brainpower to help the network thrive in spite of these threats.

 

“A growing number of websites treat users from anonymity services differently: Slashdot doesn’t let you post comments over Tor, Wikipedia won’t let you edit over Tor, and Google sometimes gives you a captcha when you try to search (depending on what other activity they’ve seen from that exit relay lately),” wrote Tor Project Leader Roger Dingledine. “Some sites like Yelp go further and refuse to even serve pages to Tor users.”

 

Dingledine continued:

 

“The result is that the Internet as we know it is siloing. Each website operator works by itself to figure out how to handle anonymous users, and generally neither side is happy with the solution. The problem isn’t limited to just Tor users, since these websites face basically the same issue with users from open proxies, users from AOL, users from Africa, etc.”

 

Weaver said the problem of high volumes of fraudulent activity coming through the Tor Network presents something of a no-win situation for any website dealing with Tor users.

 

“If you treat Tor as hostile, you cause collateral damage to real users, while the scum use many easy workarounds. If you treat Tor as benign, the scum come flowing through,” Weaver said. “For some sites, such as Wikipedia, there is perhaps a middle ground. But for banks? That’s another story.”
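The FinCEN finding above is, in practice, a detection gap: the banks filing the SARs did not know the source address was a Tor exit, so they never had the chance to act on it. The following is an added example written for this newsletter, not code from FinCEN, the Treasury Department, KrebsOnSecurity or the Tor Project. It parses an exit-relay list in the TorDNSEL layout that the Tor Project publishes, matches it against online-banking session events, and, taking Weaver's point that a blanket block does little good, treats a Tor hit as one weighted risk signal that forces step-up authentication rather than an outright refusal. The exit list, the log lines, the signal weights and the decision thresholds are all constructed assumptions; the addresses come from the RFC 5737 documentation ranges.

```python
"""Screen online-banking events against a Tor exit-relay list.

Added example for this newsletter item (not FinCEN, Treasury or Tor Project
code). The exit list and log lines are constructed sample data.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the TorDNSEL exit-list layout: one "ExitAddress <ip>
# <timestamp>" line per address a relay exits from. Only the address column
# is used. A live deployment must refresh this list frequently; a stale list
# recreates the blind spot the FinCEN report describes.
SAMPLE_EXIT_LIST = """\
ExitNode ABCDEF0123456789ABCDEF0123456789ABCDEF01
Published 2014-12-05 10:00:00
LastStatus 2014-12-05 11:00:00
ExitAddress 198.51.100.23 2014-12-05 11:05:12
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2014-12-05 09:30:00
LastStatus 2014-12-05 11:00:00
ExitAddress 203.0.113.77 2014-12-05 11:02:44
ExitAddress 203.0.113.78 2014-12-05 11:03:01
"""

# Constructed banking events (assumed log shape): one login or transfer per line.
SAMPLE_LOG = """\
2014-12-05T11:07:31Z login account=4471 src=198.51.100.23 new_device=1 new_payee=0 amount=0
2014-12-05T11:09:02Z transfer account=4471 src=198.51.100.23 new_device=1 new_payee=1 amount=7200.00
2014-12-05T11:10:45Z login account=9130 src=192.0.2.8 new_device=0 new_payee=0 amount=0
2014-12-05T11:12:10Z transfer account=9130 src=192.0.2.8 new_device=0 new_payee=1 amount=150.00
2014-12-05T11:15:22Z login account=2207 src=203.0.113.78 new_device=0 new_payee=0 amount=0
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>login|transfer) account=(?P<account>\d+) "
    r"src=(?P<src>\S+) new_device=(?P<nd>[01]) new_payee=(?P<np>[01]) "
    r"amount=(?P<amount>[\d.]+)$"
)


@dataclass
class Event:
    ts: str
    action: str
    account: str
    src_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    new_device: bool
    new_payee: bool
    amount: float


def parse_exit_list(text: str) -> set:
    """Collect exit addresses; malformed lines are skipped rather than fatal."""
    exits = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            try:
                exits.add(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
    return exits


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unknown line shape: skip, do not crash the screen
        events.append(Event(
            ts=m["ts"], action=m["action"], account=m["account"],
            src_ip=ipaddress.ip_address(m["src"]),
            new_device=m["nd"] == "1", new_payee=m["np"] == "1",
            amount=float(m["amount"]),
        ))
    return events


def score_event(ev: Event, tor_exits: set) -> tuple:
    """Tor is one weighted signal among several (weights are assumptions)."""
    score, reasons = 0, []
    if ev.src_ip in tor_exits:
        score += 40
        reasons.append("tor_exit")
    if ev.new_device:
        score += 25
        reasons.append("new_device")
    if ev.action == "transfer" and ev.new_payee:
        score += 25
        reasons.append("new_payee")
    if ev.action == "transfer" and ev.amount >= 5000:
        score += 10
        reasons.append("high_value")
    return score, reasons


def decide(score: int) -> str:
    # Illustrative thresholds: a lone Tor hit (40) forces step-up
    # authentication instead of a block, so legitimate Tor users stay in
    # while a silent account takeover still fails.
    if score >= 70:
        return "hold_for_review"
    if score >= 40:
        return "step_up_auth"
    return "allow"


def triage(log_text: str, exit_list_text: str) -> list:
    exits = parse_exit_list(exit_list_text)
    results = []
    for ev in parse_log(log_text):
        score, reasons = score_event(ev, exits)
        results.append((ev.account, ev.action, score, decide(score), reasons))
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, SAMPLE_EXIT_LIST):
        print(row)
```

On the constructed data, the Tor login on a new device is stepped up, the follow-on high-value transfer to a new payee from the same exit is held for review, the two ordinary sessions are allowed, and the plain Tor login is stepped up rather than refused. The exit list only identifies Tor; an attacker coming through a VPN or a compromised residential host, the "easy workarounds" Weaver mentions, contributes nothing to the Tor signal, which is why the other signals carry weight of their own.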

 

Also see –

http://securityaffairs.co/wordpress/30837/cyber-crime/treasury-dept-report-tor-network-abuse.html

 



RISK : Businesses do not take IT risks seriously enough - KPMG study

Cliff Saran

05 December 2014

 

UK businesses are paying out £410,000 per year for unplanned IT problems, a study from KPMG has warned.

 

An average of 776,000 individuals were affected and around four million bank and credit card accounts were compromised by each IT failure.

 

Over 50% of the IT problems recorded were caused by coding errors or failed IT changes, the study found.

 

KPMG’s Tech Risk Radar highlighted the case of a utility company facing a £10m fine after technical glitches during the transfer to a new billing system. Customers did not receive bills for months, were then sent inaccurate payment demands, and were refused prompt refunds when the company eventually acknowledged the errors.

 

In November 2014, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) jointly fined the Royal Bank of Scotland (RBS) £56m for an IT outage that left customers unable to access their bank accounts, but said underinvestment was not the cause.

 

IT at the heart of business

 

Commenting on the challenges facing the banking sector, KPMG partner David DiCristofaro said: “Banks are under pressure. Rationalising relationships by cutting numbers and consolidating external suppliers can help. Banks should also focus on the underlying contracts related to supplier relationships.”

 

Jon Dowie, partner in KPMG’s Technology Risk practice, said: "Technology is no longer a function in a business which operates largely in isolation. It is at the heart of everything a company does and, when it goes wrong, it affects an organisation’s bottom line, its relationship with customers and its wider reputation."

 

The study found 7.3% of reported events resulted from human error. KPMG said this shows that basic investments in training are being ignored – at the employers’ expense.

 

Dowie said: "With ever greater complexity in IT systems – not to mention the challenge of implementing IT transformational change – companies are running to stand still in managing their IT risks.

 

"The cost of failure is all too clear. It is crucial for both public and private sector organisations to understand the risks associated with IT, and how they can be managed, mitigated and avoided."

 

Matching risk assessment with investment

 

Data-loss related incidents continued to be a major problem for all industries. KPMG found a significant number of those (16%) were unintentional.

 

As Computer Weekly previously reported, the Information Commissioner’s Office (ICO) served a £180,000 penalty on the Ministry of Justice for “serious failings” in personal data protection at prisons in England and Wales.

 

"Investment in technology will continue to rise as businesses embrace digital and other opportunities, but this needs to be matched by investments in assessing, managing and monitoring the associated risks. At a time when even our regulators have shown themselves to be vulnerable to technology risk, no-one can afford to be complacent," Dowie said.

 

In a warning to the insurance sector, Dowie said: “I believe there is a real threat that resources and management will once again be distracted and diverted by the final stages of the implementation of Solvency II in time for January 2016.”

 



IT Term of the day


DirectX


DirectX is a set of standard commands and functions that software developers can use when creating their programs. While any Windows-based software program can include DirectX commands, they are usually used in video games. For example, developers may use DirectX for controlling video playback, sound effects, and peripheral input (such as a keyboard, mouse, or joystick). By incorporating DirectX functions into a computer game, programmers can use predefined commands to manage the video and sound of their game, as well as user input. This makes it easier for programmers to develop video games and also helps the games look more uniform, since DirectX games use many of the same commands.

 

Technically, DirectX is known as an application programming interface (API), which consists of predefined functions and commands. In order to create programs that use DirectX, software developers must use the DirectX software development kit, available from Microsoft. However, most users need only the DirectX "End-User Runtime" installed on their computer in order to run DirectX-enabled software. The DirectX API is available for Windows software and Xbox video games.

 



Quote of the day


It's not who you are on the inside but what you do that defines you!

 

Kautilya

 



Note -

  1. As a member of this group, you get useful information to protect yourself and your IT assets and processes from various Computer and Related Crimes.
  2. If you think that your other friends/colleagues/acquaintances/relatives/foes/enemies also need this information, forward the mail to them and request them to send their e-mail addresses and names to us with the subject "Subscribe".
  3. If you or someone has become victim of Computer Crimes or has any query on prevention, you are welcome to write to us.
  4. If you are not interested in it and would like to unsubscribe - send a reply mail with subject as "Unsubscribe".
  5. Disclaimer - We have taken due care to research and present these news-items to you. Though we've spent a great deal of time researching these matters, some details may be wrong. If you use any of these items, you are using them at your own risk and cost. You are required to verify and validate before any usage. Most of these need expert help / assistance to use / implement. For any error or loss or liability due to whatsoever reason, CRPCC and/or Sysman Computers (P) Ltd. and/or any associated person / entity will not be responsible.