Newsletter
IT and Cyber Security News Update from
Centre for Research and Prevention of Computer
Crimes,
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005 January
28, 2015 Issue
no 1536
Tenth year of
uninterrupted publication
Todays edition
SCAM : Email
scam nets $214 million in 14 months - FBI
CRIME : China To Kenya - We Want Our Cyber Criminals Back
SHORTAGE : US scrambling to hire enough
cyber security agents to protect itself
LAW : The
Flaws in Obamas Cybersecurity Initiative
(Click on heading above to jump to related item. Click on Top to be back here)
SCAM : Email scam nets $214
million in 14 months - FBI
In the scheme, fake invoices are delivered
to businesses which deal with overseas suppliers, asking for payment by wire
transfer.
AFP
Jan 23, 2015
WASHINGTON: An email scam which
targets businesses with bogus invoices has netted more than $214 million from
victims in 45 countries in just over one year, an FBI task force said.
The Internet Crime Complaint Center, a
joint effort of the FBI and the non-profit National White Collar Crime Center,
said the losses were calculated from October 1, 2013 to December 1, 2014.
In the scheme, fake invoices are
delivered to businesses which deal with overseas suppliers, asking for payment
by wire transfer.
"The fraudulent wire transfer
payments sent to foreign banks may be transferred several times but are quickly
dispersed," the task force said in a statement.
"Asian banks, located in China
and Hong Kong, are the most commonly reported ending destination for these
fraudulent transfers."
The scam has claimed 1,198 US victims
and 928 in other countries, according to the statement. US firms have lost more
than $179 million of the total.
The FBI "believes the number of
victims and the total dollar loss will continue to increase," the
statement said.
In one version of the scheme, a
business which works with overseas supplier is contacted by phone, fax or email
asking for payment. The emails are "spoofed" to look as if they came
from the legitimate supplier. Phone and fax requests also appear genuine.
In another version, email accounts of
high-level executives are compromised to allow the criminals to request a wire
transfer, often including instructions to "urgently send" funds.
A third version of the scheme involves
the hacking of an employee's email account, which then sends out bogus invoices
to vendors or suppliers.
The FBI task force said vulnerable
businesses should avoid using free web-based emails for official accounts and
to exercise caution about posting company information on websites and social
media.
The group also suggests additional
security steps such as two-step verification or digital signatures.
"Always verify via other channels
that you are still communicating with your legitimate business partner,"
the statement said.
CRIME : China To Kenya - We
Want Our Cyber Criminals Back
By Dana Sanchez
January 27, 2015
http://afkinsider.com/86411/china-kenya-want-cyber-criminals-back/
Kenya has detained 76 Chinese suspects
in its first major international cyber crime case and China wants them repatriated, ChristianScienceMonitor
reports.
China is the largest foreign investor
in Kenya and its second largest trading partner with bilateral trade volume
reaching $3.27 billion in 2014, according to Chinese customs officials.
Recently, China made a $3.8-billion loan to Kenya to fund a railway line to
boost trade between Kenya and its landlocked neighbors.
Kenyan officials arrested 76 Chinese
and a one Thai citizen on charges of cross-border telecommunication fraud and
electronically stealing more than 100 million yuan
($16.5 million) from Chinese victims.
Chinese officials say all of the
victims are in China so the suspects should be extradited to China for
investigation and prosecution.
Kenyan leaders want the suspects tried
in Kenya since the alleged crimes were committed in Kenya.
Kenya has charged the suspects with
operating an unlicensed telecommunication facility after arresting them in
Nairobi in December. If found guilty, each suspect faces
fines of five million Kenyan shillings ($54,000) and up to 15 years in jail.
More charges are pending, ChristianScienceMonitor
reports.
In December, Kenyan police responded
to a house fire in the high-end Nairobi suburb of Runda,
home to expats, prominent politicians and embassies including the American
Embassy located two kilometers from the fire. Police found more than 70 Chinese
citizens living in cramped quarters. One person died in the fire, according to
a report in SecurityGladiators.
Police also found computers, Internet
equipment, and what looked like a radio station and command center.
The Chinese citizens were arrested and
charged with running an illegal radio communication station, SecurityGladiators reports.
The case is Kenyas first major
international cybercrime case, and highlights vulnerabilities in the countrys cybersecurity network, ChristianScienceMonitor
reports. Suspects may have seen Kenya as an ideal cybercrime base because it
has few cybercrime laws and relatively strong Internet connections.
Cybercrime laws remain largely
unclear, said Barry Macharia, a technical manager at
Tespok Kenya, a telecommunication service providers
association. This, coupled with (the) lack of proper security mechanisms in
place, makes Kenyans a lucrative target for cyber criminals.
Computer crime costs Kenyans $22.8
million a year, according to a recent report on cyber security from Serianu Limited, a Kenyan IT and business consulting firm, ChristianScienceMonitor reports. Kenyan banks in 2013 lost
$17 million through fraudulent schemes involving their employees. There were
2.6 million cyber attacks in 2012 and 5.4 million in 2013, Serianu
reported.
Cybercrime in
Kenya gone on unnoticed for some time, according to security expert Richard Tutah. We have to take this very seriously
and fight it with the same zeal as we are fighting terrorism.
SHORTAGE : US scrambling to hire
enough cyber security agents to protect itself
By Matthew Hall
January 27, 2015
With repercussions from the
Sony Entertainment hack continuing to echo around the world, the US government
has identified cyber security as "the problem of the 21st century"
and warned of a lack of hands-on talent to battle online crime.
Law enforcement agencies such
as the Federal Bureau of Investigation have launched new year campaigns to recruit "cyber agents" while an
official from the Department of Homeland Security which serves both the US
government and the private sector told Fairfax Media it is hiring new
recruits to battle cybercrime. The good news? They
need no previous expertise in the area and non-US citizens can be considered,
including Australians.
The catch, according to Andy Ozment, the Assistant Secretary of the Department of
Homeland Security's Office of Cyber Security, is that expertise in another
field is well regarded.
"Cyber security is the
problem of the 21st century," Mr Ozment said.
"Cyber security and cyberspace touch everything we do. Every agency in the
[United States] government is dealing with the world it faces and
consequentially they all have to deal with cyber security.
"There is a huge
workforce challenge. If you are a student and you are not in the field of cyber
security let me urge you to change that immediately. But don't just study cyber
security. Get some broader context. You need domain knowledge. It is not enough
to be a cyber security expert. You need to be able to apply cyber security
expertise to the specific problems of the financial sector or the energy sector
you name it."
Mr Ozment
said that is department has already recruited staff with no previous experience
in cyber security and added the government agency still could not find enough
talent to battle online bad guys.
"We can take a person
who knows a lot about the energy sector and help them come up to speed with
enough on cyber security so they can make a key contribution there.
Nevertheless, the pipeline of talent is an enormous problem for us."
Ralph Langner,
a consultant who has advised the US government and International Atomic Energy
Agency on cyber security issues and is acknowledged as an expert on Stuxnet, said budget factors played a key role in
recruitment especially when remuneration often did not reflect the skills
required to fill positions. Individuals working in what he called the
"offensive" side with know-how on how to attack networks were
usually well paid while those with defensive expertise were not.
"If you want to make a
career in cyber security you will find good money on the offence
positions," Mr Langner said. "When you are
talking about defence, that is a completely different story. The real issue is
that you have to put cash on the table. If you want to excel
[in] cyber security why would you [take] defensive jobs whether in the
government or private sector when you are guaranteed to make less money than
any lawyer or dentist?"
The FBI launched a new year recruitment drive for agents to work in the
department that claimed the infamous Sony hack was the work of North Korea's
government or, at least, agents working on its behalf.
FBI hires must be aged
between 23- and 36-years-old, pass a fitness test and earn starting salaries
between $US59,000 and $US76,500. An FBI spokesman said
specialty agents were needed citing bank robberies as an example where cyber
intrusions required no crime scene tape but instead forensic examination of
hard drives.
While most US government
agency work requires applicants to be American citizens, doors are still open
for Australian expertise in the field.
"If US citizenship is
not an absolute requirement for a job, employers are generally willing to sponsor
an immigrant or non-immigrant work visa to attract and retain top talent,"
said Dimiter Blyangov, a
New York immigration attorney.
"Australian nationals in
particular benefit from the E-3 nonimmigrant visa program designed for skilled
occupations and from visas granted to people whose skills are in the national
interest of the United States."
LAW : The Flaws in Obamas Cybersecurity Initiative
By David M. Upton
January 20, 2015
President
Obamas new raft of proposals aim to address the growing concern that America
is not taking tough-enough action against the increasing cybersecurity
problem of nation-states and criminals (usually criminal gangs) attacking U.S.
consumers and organizations. The evildoers motivation for doing
so is most often money, but intellectual property is also being filched, and
the internet is also being used for anything from identity theft to illicit
political objectives.
The cornerstones of the proposal are
to:
·
Prohibit the sale of botnets
and similar tools
·
Give the courts the power to shut down networks
assembled for cybercrime such as those involved in distributed denial of
service (DDOS) attacks
·
Protect companies that share information with the
government about computer threats from liability
He also calls for better cooperation
between companies and the government when tackling cybercrime.
The problems are certainly real. We
are losing on the battleground of cybersecurity. For
example, the gains that IT contributed to the GDP of the Netherlands in 2014
were wiped out by the even larger cost of cybercrime. Cybercrime has now become
widespread enough to be a drag on growth in many countries. By some estimates,
it costs between $500 billion to $1 trillion worldwide. Thats bigger than the
GDP of 75 countries combined.
But how much can any government do to
address the problem of cybercrime? And
will these proposals do anything to fix the situation in the U.S.? Many of the
criminal gangs (and certainly nation-states) lurk beyond U.S. jurisdiction or
at least, beyond the capacity of law enforcement to track them down in large
numbers. Therefore, criminalizing many of the activities and products
associated with cybercrime is likely to have more symbolic value than actual
effect.
This is a limitation that would be
faced by any countrys government, except perhaps the one where the crooks
live. Russia, for example, has an exploding underground cybercrime industry.
Trend Micros findings are that you can buy a botnet
outright for about $700, or rent one for an hour for $2 enough time to do
serious damage. Trojans that let you spy on incoming and outgoing texts will
run you $350.
Every country now has its own special
wares to peddle. Brazil is apparently the place to go if youre in the market
for some banking malware. Chinas gangs have their own special portfolio to
sell. In terms of the competition between Russia and the United States, the
homes of the biggest criminal hosts, Russia is winning bigtime.
In three months in 2012, Russias share of malicious hosts rose by around 10%,
and the United States lost 10% of its bad boy computers. Theres ample evidence
that for every cybercriminal activity that gets squashed in the United States,
an offshore competitor takes it at cheaper rates. And even those rates are
falling fast as more players and countries compete for their share of the pie.
In other words, Obamas proposals are
tackling a problem that was already diminishing in the U.S. The bad guys that
really cause problems for Americans (and everyone else) are beyond the long arm
of the law.
But what of the part about encouraging
companies to share information about cyberthreats
with the U.S. Department of Homeland Security by offering them targeted
liability protection? That has to be a good thing, right? Well, the thing is
that its already happening. In the United States, many company groups already
share information without government involvement concerning cyberattacks and threats.
Each of these industries is dealing
with its own kind of ugly crook, looking to use its specialized expertise to
exploit vulnerabilities peculiar to that industry. The Retail Cyber
Intelligence Sharing Center has been up and running since last year, when some
30 large retail companies got together and decided to share information on
threats with each other. The oil and gas industry are doing something similar
through ONG-ISAC (an acronym likely brought to us by
the spawn of the same marketing-savvy engineers that coined TCP/IP and PCMCIA).
And FS-ISAC does the same thing for the financial
services industry, a particularly important sector for Willie Sutton reasons.
It makes sense for companies to form
their own cybersafety industry groups to combat their
particular threats. Individual companies are also putting great effort into
safeguarding their value, though the facts about and nature of their work is
often secret.
A bigger issue is that cybercrimes are
grossly under-reported and fear of liability is only one part of the problem.
Companies just dont see the governmental resources available to successfully
prosecute the kinds of cybercrime they experience, and the track record
probably supports that view. Why share information with the government if it
wont help your situation?
There are also hosts of not-so-wacky
conspiracy theorists who worry about any governmental involvement with the
internet. (Some of them actually think the government is using it to snoop on
us!) They also worry that if Congress passes a bill when prompted by a crisis,
there are almost always additional consequences: usually giving the government more power than
we would like.
Nevertheless, a few things make this
part of the proposals much more palatable. First, there are many cybercrimes
that arent just industry specific. Lots of nasty stuff would simply fall
through the cracks if left to individual industries. We might not see
innovations and changes that affect all of us, and we not might be as good at
communicating new general threats more publicly.
For example, the fastest growing
malware targets smartphones. With the right hack,
your phone can be used to bug you or see what its camera sees. Not a great
sales pitch for a conflicted phone industry. How about cars getting hacked?
What about Skype-enabled TVs peering into thousands of
homes and the streams being sold on the dark web? We might want companies to
share that kind of information with the government and us without too much
fear of reprisal.
Probably more important than our
internet-of-everything gadgets are the power, water, sewage, manufacturing and
transportation networks. A surprise, broad attack might put us, if only temporarily,
somewhere between now and the Middle Ages. And even
though governments are trying hard to protect this infrastructure, wed
probably want any hint of a private breach likely to be correlated with a
broad-scale, warfare-like attack shared centrally (sooner rather than later).
In summary, I believe Obamas
proposals are well-intentioned. Information sharing is, on balance, a good
thing. They at least start to address a set of problems that will impact the
next generation even more than ours and may be the basis for some fundamental
research. But I just doubt that they will be very effective in combating
cybercrime.
So what is the answer? We know it is a global problem requiring a
global solution. We know we need more global cyber capacity to fight cybercrime.
International cooperation is critical. Global information sharing is also
important and we are doing some of it. A better understanding of the
psychology of how insiders are coaxed, blackmailed, or tricked into sharing
access to their computer systems would help organizations defend themselves.
Good technology exists and will help, if we use it. Most important is
education: Everyone individuals, employees, companies, and boards of
directors needs to understand the new dangers.
One of the best results of Obamas
initiative may be to put the cybercrime issue a little higher on everyones
agenda. If it spurs more good guys to learn and focus on the challenges, this
second-order effect may have the greater impact.
Dot Matrix
A dot matrix is a 2D matrix of dots that can represent
images, symbols, or characters. They are used for electronic displays, such as
computer monitors and LED screens, as well as printed output.
In a dot matrix display, the images are estimated using a discrete
set of dots instead of lines and shapes. Therefore, the more dots that are
used, the more clear and accurate the image representation will be. For
example, a 16x16 dot matrix can represent the letter "S" more
accurately than a 8x8 matrix. If enough dots are used,
the image will appear as a contiguous display rather than a group of dots. This
is because the human eye blends the dots together to create a coherent image.
For example, newspaper print is made up of dot matrixes, but it is hard to
notice unless you look very closely at the paper.
Bitmap images on a computer screen are also dot matrixes,
since they are made up of a rectangular grid of pixels. If you look closely
enough at your monitor, you may even be able to see the dots that make up the image.
But be nice to your eyes and don't stare too long!
While "dot matrix" has a broad definition, it can
also be used to describe a specific type of printer. Dot matrix printers, or
"impact printers," were introduced in the 1970s. These printers
typically use the kind of paper with small holes on each side that are used to
feed the paper through the printer. They are called dot matrix printers because
they use a matrix of dots to print each character. While they do not have a
very high resolution, dot matrix printers are an effective
way of printing basic text documents. Therefore, while most businesses
now use inkjet or laser printers, some organizations still find dot matrix
printers to be an efficient printing solution.
Society in every state is a
blessing, but government even in its best state is but a necessary evil; in its
worst state an intolerable one; for when we suffer, or are exposed to the same
miseries by a government, which we might expect in a country without
government, our calamity is heightened by reflecting that we furnish the means
by which we suffer.
Thomas Paine
(1737-1809)
US Founding father,
pamphleteer, author
Note -