CCC News


IT and Cyber Security News Update from

Centre for Research and Prevention of Computer Crimes, India


Courtesy - Sysman Computers Private Limited, Mumbai (

Since June 2005                                         February 09, 2015                                          Issue no 1541

Tenth year of uninterrupted publication

Today’s edition – 


SPY : Samsung may be eavesdropping on you

ATTACK : Anonymous launches the OpISIS and brings down ISIS social media accounts

COMPLEXITY : US Passport's Complex Security Tech, Explained By Forgery Pros

TRAGEDY : The World’s Email Encryption Software Relies on One Guy, Who is Going Broke

IT Term of the day

Quote of the day


(Click on heading above to jump to related item. Click on “Top” to be back here)



SPY : Samsung may be eavesdropping on you

Javier E. David

8 Feb 2015


Samsung's Smart TV may be a little too smart for its own good.


Tucked into the privacy policy of the South Korean electronics behemoth's Smart TV are a few paragraphs that may send chills down the spine of some consumers. According to the document, the unit's voice recognition protocols can "capture voice commands and associated texts so that [Samsung] can provide you with Voice Recognition features and evaluate and improve the features."


The boilerplate language—which granted few people read in its entirety—sounds fairly anodyne. That is, until the company adds this warning: "Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition."


The TV's voice features can be disabled. However, the company adds another caveat: "While Samsung will not collect your spoken word, Samsung may still collect associated texts and other usage data so that we can evaluate the performance of the feature and improve it."


In other words, owners of the Samsung Smart TVs may need to watch what they say in their own homes, and especially where they say it.


A spokesperson for the company told CNBC that Samsung "takes consumer privacy very seriously," while adding that the company "does not retain voice data, or sell it to third parties. If a consumer consents and uses the voice recognition feature, voice data is provided to a third party during a requested voice command search."


The warning, first reported by The Korea Times and picked up on social media, may add fuel to a raging debate over how much control humans are willing to relinquish to automation for the sake of convenience. Tech companies are resorting to more creative, and some say surreptitious, ways to mine consumer data and profit from it.


Voice command technology is becoming more ubiquitous, and many consumers rely on those solutions—such as Apple's Siri—to power their devices.


Yet those protocols are only several degrees removed from autonomous devices, which is increasingly migrating from science fiction to reality. They also raise a host of privacy questions that experts are struggling to comprehend.


Artificial intelligence is an increasingly hot topic, with high-profile technophiles such as Elon Musk, Stephen Hawking and Bill Gates warning about the unintended consequences of unchecked smart technology.




ATTACK : Anonymous launches the OpISIS and brings down ISIS social media accounts

by Pierluigi Paganini

February 9th, 2015


Anonymous announced the OpISIS and launched a series of attacks against the jihadist websites supporting the ISIS and its propaganda on the Web.


As promised the Anonymous collective has launched a massive cyber attack against Islamic State (ISIS) terror group, the popular  group shouted revenge in the aftermath of the vicious against the satirical magazine Charlie Hebdo in Paris. After the attack, Anonymous launched the #OpCharlieHebdo against the member of ISIS on the web, the popular hacking team cry out for vengeance for the assault on the Charlie Hebdo, convinced that what happened is not tolerable.


Anonymous ha also posted the manifest of the Op Charlie Hebdo on Pastebin, below the translation of an excerpt from the message:


“It is our responsibility to react … Attacking freedom of speech is a direct hit to democracy. Expect a massive reaction from us, because this freedom is what we’ve been always fighting for.”


Anonymous considers the supporters of a violent jihad as “enemies of freedom of expression,” so it announced the Op Charlie Hebdo.


The Anonymous collective announced a series of attack against the jihadist websites supporting the ISIS and its propaganda on the Web and used by the ISIS to recruit new members. The Belgian wing of Anonymous published a video on the Internet in which is announcing its revenge, the collective promises to raze social networks of accounts promoting violent jihad.


True to his declaration of war, Anonymous announced the # OpISIS in a video appeared on YouTube. The popular collective and the RedCult claimed to have carried out cyber attack against hundreds of Twitter and Facebook accounts used by the terrorists of the Islamic State.


According to the video, Operation OpISIS is managed by “Muslims, Christians, Jews”, a masked man explains the motivation of the attack that is conducted by ordinary people that together decided to join the forces against the ISIS.


[We are] “hackers, crackers, Hacktivist, phishers, agents, spies, or just the guy next door… students, administrators, workers, clerks, unemployed, rich, poor.” They are also “young, or old, gay or straight… from all races, countries, religions, and ethnicity. United as one, divided by zero.” the video explains.


Anonymous released a list of more than hundred Twitter and Facebook accounts suspected to belong to ISIS members, they represent the target of the OpISIS. Anonymous released the following message to the ISIS supporters:


    We will hunt you, take down your sites, accounts, emails, and expose you…

    From now on, no safe place for you online…

    You will be treated like a virus, and we are the cure…

    We own the internet…

    We are Anonymous; we are Legion; we do not forgive, we do not forget, Expect us.


On the other side, the ISIS is demonstrating an excellent command of web technologies such as social networks, which uses daily to communicate with his followers.


Recently it has been discovered a manual released by the ISIS to its members to avoid online surveillance during their web experience. Twitter has already suspended more than 1500 ISIS accounts and dozens of militant recruiting websites were shut down by ISP and by DDoS Attack run by Anonymous members.


It isn’t the first time that Anonymous targets jihadist online communities, in June the group run a campaign dubbed Operation NO2ISIS against some states it accuses of supporting the Islamic terror group ISIS.


As part of the OpISIS, Anonymous also threatened to target Saudi Arabia and all those government that are secretly funding and supporting the strategy of the ISIS.

                 “We are unable to target ISIS because they predominantly fight on the ground. But we can go after the people or states who fund them.”



Also see -



COMPLEXITY : US Passport's Complex Security Tech, Explained By Forgery Pros

Kelsey Campbell-Dollaghan

Gawker Media

Feb 5, 2015


The passport is a bizarre and unique object. Think about it: The goal is to put it in the hands of millions upon millions of people-and for none of them to ever understand the technology that's at work in their wallets.


It's an extremely important mystery: Passports protect our identities, they protect national security, they are the best proof of ID we have. These days, it's actually incredibly difficult to counterfeit security elements in passports. It's much more common to see passport fraud committed with real passports, not forged ones. Still, the huge black market for passports has inspired very smart, very capable people to go to great lengths to fake them.


US passports are printed at the US Government Printing Office using 60 different materials. All in all, there are as many as 30 security features at work in that piece of plastic and paper-and most of them aren't even visible to the holder.


While our passports are ubiquitous objects, the specifics of the assembly process is still top-secret protected information. When I contacted Homeland Security for this article I was told that the forensic lab's experts couldn't discuss the security "in the specificity I'd be interested in." Even online, it's difficult to find out specifics about the technology inside our passports. So I asked a few passport and forgery experts to tell me more.

Holograms: The Hidden Cost of Complexity


Obviously, you want to know about the holograms first, because holograms.


Even though they were invented in the late 1940s, holograms have only been a part of passport security for a few decades, as Tom Topol, a passport historian and collector, recently told me. Topol says the UN was the first issuer to put one on its passports in 1984, and other countries quickly followed. Today, there's probably a see-through hologram covering your "biodata" page-where your biographical data is stored-but that came even later, in the 1990s.


There are dozens of types of holograms, and often, the technique used on banknotes or passports are proprietary to a particular company. For example, a company called Kinegram developed a unique hologram that it applies as strips or stamps to documents, like this banknote.


That said, some holograms can be forged-or at least closely recreated-using a number of techniques, the simplest of which uses a piece of metal pressed onto the hologram and then using that piece as a die to cast new holograms.


I had a fascinating conversation with Tony Sales, a self-described reformed fraudster in the UK who allegedly stole millions of dollars over the course of just a few years thanks in part to his skills with fraud and forgery, who confirmed that with enough time, you can learn (or buy) nearly anything.


"The first machine I ever saw was a holographic stamper, it just punched a hologram into the actual item; it wasn't complicated at all," says Sales of his early days forging documents including passports (he's often described in the media as "Britain's greatest fraudster"). Since then, he's turned his skill set into a career helping companies prevent fraud and theft-working with companies to develop better EAS tags, for example, and helping security experts understand how criminals might attack a particular defense using fraud.


How hard is it to get ahold of a machine that can stamp holograms? According to Sales, it's gotten more difficult since he was working. "Checks are done a lot more thoroughly on companies that want to obtain that kind of equipment," he says. But it's not impossible to obtain these machines. "They can just open up a shell company and as long as they're willing to confirm that they're the company, nine times out of ten it'll get shipped," says Sales.


Still, holograms seem like an increasingly difficult element to forge as technology improves. They're often layered with other security elements like specialty inks or fine line engraving. One major improvement over the past decade is the transparent hologram that's overlaid on your biodata page:


At the same time, one major weakness of holograms on IDs is the fact that as they get harder and harder to copy, they also get more complex-and all those details can be too much for a security agent to even remember. "The danger is that the OVD [Optical Visual Device] itself becomes so complex that it is impossible for an inspector to remember all the features that distinguish the genuine article," explained Robert Smith in the Keesing Journal of Documents & Identity in 2011. "Many simulations look good enough to pass visual inspection even if they contain inaccuracies that would rapidly be detected upon level two or three inspection."


Complexity, even though it's tougher to copy, isn't always good for security.


Ink You Never See and Paper That Hides Secrets


Inks are another key element passport security-you might have never noticed these minute details, but the chemical makeup of ink, thread, and paper are all key features. "Most advanced security features are unknown by the bearer of a passport," Topol says.


There are thermochromatic inks that change color when heated or cooled; inks that dissolve when they're tampered with; inks that are one color from one angle and another color from a different vantage; and UV inks that appear or disappear under a UV light-many passorts, including Canada's new design, have a "hidden" design only visible under a UV light.


There are dozens of unique printing techniques used to make passports around the world. The USA on the corner of your biodata page, for example, is printed with an optically variable security ink-so it looks green in one light and gold in another, as the State Department explains on its website. The paper might include florescent particles that react to UV light, as you can see in a close-up of a UK passport below, or the thread itself might include unique fibers.


Sometimes, it's not ink at all. The cover of your passport is made from plastic, plain and simple. The elaborate seals that are specific to your country of origin are applied through a common process called hot foil stamping-it's used on everything from fancy candy packaging to luxury handbags. Rather than applying regular ink with a stamp, as you might with a letterpress, the printer uses a piece of foil to stamp into the plastic, then peels the excess foil away.


Does that mean that these printing techniques are easy to reproduce? Not necessarily. "A lot of the forgers in the early days would have had a printing background, so they'd be aware of it," says Sales. It's all about research-and even then, it can be difficult to gain access to specialized knowledge.

Printing & Type: Still the Hardest Part to Fake


More than anything else, passport security is about printing. That sounds boring; it's not.


Security printing is fascinating, combining techniques that date back to the early Medieval age like intaglio printing, where those complex, twisting patterns you find on your passport pages are engraved on a steel plate and then the paper is laid over the inked plate to create a print.


Other printing techniques come from the bleeding edge of the printing industry. Some of the printing on your passport is invisible without a magnifying glass-microprinting-or even a microscope-nanoprinting. Thanks to super-high-res printing techniques, some patterns and text can get down to one micron, according to Smith's article from 2011. "This far exceeds the resolution available via any other copying, printing or scanning device in the printing industry, and cannot be replicated by forgers," he writes.


Tiny details of the type can be a key way to spot fraud, too. An errant line or bump in a word could help investigators determine whether a passport is legit. As Gizmodo's Jesus Diaz recently pointed out, security printing on dollars has increased in resolution to the point where under a microscope, tiny details of the print are highly raised and visible.


So in a way, the most banal part of your passport-the printing-is actually one of the strongest.


I asked Sales what the most difficult element to forge on a passport was, and his answer surprised me. It wasn't thermochromatic ink or RFID chips or specialized holograms. It was something super simple: The typeface.


"No one ever gets the exact font," he says, explaining that under a microscope, tiny inconsistencies are incredibly difficult to replicate. In fact, some typefaces used by the government have deliberate, minute imperfections-like ink bleeds-that make them harder to digitally re-draw. Copying a country's font would mean actually getting ahold of a copy of the typeface. "Then we're talking industrial espionage, where people are stealing fonts for computers, and that becomes something totally different," he says.


The Verdict Is Still Out on Machines and Chips


The most controversial aspect of modern passport design, of course, is the electronic chip nestled in the upper lefthand corner of the back page of your passport book (this State Department podcast is a great source for more about how they're manufactured). This RFID chip usually contains information like your name, your photo, and other details, and in the US, the State Department programs and locks them at the Government Printing Office in DC to ensure they're secure.


That said, the security of RFID chips and other machine-readable elements of the passport have been questioned again and again since their introduction. In 2006, a security researcher named Lukas Grunwald demonstrated to Wired's Kim Zetter-and later at BlackHat-that he could clone the chip and rewrite the new version with software that could crash or override the machines used to check the chips.


Given that almost a decade has passed since his demonstration, I asked Grunwald whether anything has changed, and he pointed out that Germany has since changed the passport number to include characters, which is an improvement. But in the end, it's still quite easy to learn how to carry out the same process online. "There is right now several open source projects out that would do," said Grunwald over email. "Many of them works with normal JCOP (JavaCard) Smartcards available on the internet."


This Is a Race That Will Never End


The sense I got was that this is an eternally tied race: As security technology has improved, so have counterfeiters, spurring more changes on the state side of things, and so on. The internet, and the dark web, have made it even easier to buy and sell the technology needed to manufacture a passable passport. "We live in a digital age where information is easily obtained," says Sales. "I'm sure I've looked on the dark web before and all of the information and places to buy these machines, are for sale for anyone who wants to chance their luck at it."


Moreover, passports are products of globalization, just like almost everything else we own. A recent audit by the Government Printing Office investigated the supply chain found that the US passport is made from 60 different commercial materials, supplied by 16 different contractors-six of which are sub-contractors that the office has zero relationship with. These materials are assembled in countries all over the world, by contractors specializing in everything from fluorescing thread to specialized holograms to.


That's not to say our passports aren't secure-these are some of the most advanced document security techniques in the world. But rather, the process of keeping them secure is one that will never be perfect. As I heard again and again, there's not magical high-tech solution that will end this race-a combination of emerging and tried-and-true security features works the best. It's an iterative process, like so much design work, that will need constant updating and improvements every year.


Next time you pack your passport for a trip, take a second to appreciate just how contentious that little piece of plastic and fiber and metal really is. You'll probably have one for the rest of your life, but within that time, the technology inside it will have evolved dozens of times.




TRAGEDY : The World’s Email Encryption Software Relies on One Guy, Who is Going Broke

Werner Koch’s code powers the email encryption programs around the world. If only somebody would pay him for the work.

by Julia Angwin


Feb. 5, 2015


In 1997, Werner Koch attended a talk by free software evangelist Richard Stallman. Stallman urged the crowd to write their own version of existing encryption software. Inspired, Koch decided to try. "I figured I can do it," he recalled. (Willi Nothers for ProPublica)


The man who built the free email encryption software used by whistleblower Edward Snowden, as well as hundreds of thousands of journalists, dissidents and security-minded people around the world, is running out of money to keep his project alive.


Werner Koch wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded.


"I'm too idealistic," he told me in an interview at a hacker convention in Germany in December. "In early 2013 I was really about to give it all up and take a straight job." But then the Snowden news broke, and "I realized this was not the time to cancel."


Like many people who build security software, Koch believes that offering the underlying software code for free is the best way to demonstrate that there are no hidden backdoors in it giving access to spy agencies or others. However, this means that many important computer security tools are built and maintained by volunteers.


Now, more than a year after Snowden's revelations, Koch is still struggling to raise enough money to pay himself and to fulfill his dream of hiring a full-time programmer. He says he's made about $25,000 per year since 2001 — a fraction of what he could earn in private industry. In December, he launched a fundraising campaign that has garnered about $43,000 to date — far short of his goal of $137,000 — which would allow him to pay himself a decent salary and hire a full-time developer.


The fact that so much of the Internet's security software is underfunded is becoming increasingly problematic. Last year, in the wake of the Heartbleed bug, I wrote that while the U.S. spends more than $50 billion per year on spying and intelligence, pennies go to Internet security. The bug revealed that an encryption program used by everybody from Amazon to Twitter was maintained by just four programmers, only one of whom called it his full-time job. A group of tech companies stepped in to fund it.


Koch's code powers most of the popular email encryption programs GPGTools, Enigmail, and GPG4Win. "If there is one nightmare that we fear, then it's the fact that Werner Koch is no longer available," said Enigmail developer Nicolai Josuttis. "It's a shame that he is alone and that he has such a bad financial situation."


The programs are also underfunded. Enigmail is maintained by two developers in their spare time. Both have other full-time jobs. Enigmail's lead developer, Patrick Brunschwig, told me that Enigmail receives about $1,000 a year in donations — just enough to keep the website online.


GPGTools, which allows users to encrypt email from Apple Mail, announced in October that it would start charging users a small fee. The other popular program, GPG4Win, is run by Koch himself.


Email encryption first became available to the public in 1991, when Phil Zimmermann released a free program called Pretty Good Privacy, or PGP, on the Internet. Prior to that, powerful computer-enabled encryption was only available to the government and large companies that could pay licensing fees. The U.S. government subsequently investigated Zimmermann for violating arms trafficking laws because high-powered encryption was subject to export restrictions.


In 1997, Koch attended a talk by free software evangelist Richard Stallman, who was visiting Germany. Stallman urged the crowd to write their own version of PGP. "We can't export it, but if you write it, we can import it," he said.


Inspired, Koch decided to try. "I figured I can do it," he recalled. He had some time between consulting projects. Within a few months, he released an initial version of the software he called Gnu Privacy Guard, a play on PGP and an homage to Stallman's free Gnu operating system.


Koch's software was a hit even though it only ran on the Unix operating system. It was free, the underlying software code was open for developers to inspect and improve, and it wasn't subject to U.S. export restrictions.


Like many people who build security software, Koch believes that offering the underlying code for free is the best way to demonstrate that there are no hidden backdoors giving access to spy agencies or others. (Willi Nothers for ProPublica)


Koch continued to work on GPG in between consulting projects until 1999, when the German government gave him a grant to make GPG compatible with the Microsoft Windows operating system. The money allowed him to hire a programmer to maintain the software while also building the Windows version, which became GPG4Win. This remains the primary free encryption program for Windows machines.


In 2005, Koch won another contract from the German government to support the development of another email encryption method. But in 2010, the funding ran out.


For almost two years, Koch continued to pay his programmer in the hope that he could find more funding. "But nothing came," Koch recalled. So, in August 2012, he had to let the programmer go. By summer 2013, Koch was himself ready to quit.


But after the Snowden news broke, Koch decided to launch a fundraising campaign. He set up an appeal at a crowdsourcing website, made t-shirts and stickers to give to donors, and advertised it on his website. In the end, he earned just $21,000.


The campaign gave Koch, who has an 8-year-old daughter and a wife who isn't working, some breathing room. But when I asked him what he will do when the current batch of money runs out, he shrugged and said he prefers not to think about it. "I'm very glad that there is money for the next three months," Koch said. "Really I am better at programming than this business stuff."


Update, Feb. 5, 2015, 8:10 p.m.: After this article appeared, Werner Koch informed us that last week he was awarded a one-time grant of $60,000 from Linux Foundation's Core Infrastructure Initiative. Werner told us he only received permission to disclose it after our article published. Meanwhile, since our story was posted, donations flooded Werner's website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project.




IT Term of the day

Cloud Engineer

A cloud engineer is an IT professional responsible for any technological duties associated with cloud computing, including design, planning, management, maintenance and support.


The cloud engineer position can be broken into multiple roles, including cloud software engineer, cloud security engineer, cloud systems engineer and cloud network engineer. Each position focuses on a specific type of cloud computing, rather than the technology as a whole. Companies that hire cloud engineers are often looking to deploy cloud or further their cloud understanding and technology.


Job listings on seek cloud engineers with at least three to five years' experience with cloud -- including open source technology, software development, system engineering, scripting languages and multiple cloud provider environments. Additionally, cloud engineers must have a background building or designing web services in the cloud.


Cloud engineers need to be familiar with programming languages including Java, Python and Ruby. Many companies looking to hire cloud engineers seek experience with OpenStack, Linux, Amazon Web Services, SoftLayer, Rackspace, Google cloud, Microsoft Azure and Docker. Experience with APIs, orchestration, automation, DevOps and databases like NoSQL are also important.


A cloud engineer should have a Bachelor of Science degree in computer science, engineering or another related field, but some companies prefer a Master of Science degree. Additional certifications may be required.




Quote of the day

The human voice can never reach the distance that is covered by the still small voice of conscience.


Mahatma Gandhi





Note -

  1. As a member of this group, you get useful information to protect yourself and your IT assets and processes from various Computer and Related Crimes.
  2. If you think that your other friends/colleagues/acquaintances/relatives/foes/enemies also needs this information, forward the mail to them and request them to send their e-mail addresses and names to us with subject as "Subscribe".
  3. If you or someone has become victim of Computer Crimes or has any query on prevention, you are welcome to write to us.
  4. If you are not interested in it and would like to unsubscribe - send a reply mail with subject as "Unsubscribe".
  5. Disclaimer - We have taken due care to research and present these news-items to you. Though we've spent a great deal of time researching these matters, some details may be wrong. If you use any of these items, you are using at your risk and cost. You are required to verify and validate before any usage. Most of these need expert help / assistance to use / implement. For any error or loss or liability due to what-so-ever reason, CRPCC and/or Sysman Computers (P) Ltd. and/or any associated person / entity will not be responsible.