CCC News

Newsletter

IT and Cyber Security News Update from

Centre for Research and Prevention of Computer Crimes, India

(www.cccnews.in)

Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)

Since June 2005                                         January 28, 2015                                          Issue no 1536

Tenth year of uninterrupted publication


Today’s edition – 

 

SCAM : Email scam nets $214 million in 14 months - FBI

CRIME : China To Kenya - We Want Our Cyber Criminals Back

SHORTAGE : US scrambling to hire enough cyber security agents to protect itself

LAW : The Flaws in Obama’s Cybersecurity Initiative

IT Term of the day

Quote of the day

                                                                                               

(Click on heading above to jump to related item. Click on “Top” to be back here)

 

Top


SCAM : Email scam nets $214 million in 14 months - FBI

In the scheme, fake invoices are delivered to businesses which deal with overseas suppliers, asking for payment by wire transfer.

AFP

Jan 23, 2015

http://timesofindia.indiatimes.com/tech/tech-news/Email-scam-nets-214-million-in-14-months-FBI/articleshow/45992117.cms

 

WASHINGTON: An email scam which targets businesses with bogus invoices has netted more than $214 million from victims in 45 countries in just over one year, an FBI task force said.

 

The Internet Crime Complaint Center, a joint effort of the FBI and the non-profit National White Collar Crime Center, said the losses were calculated from October 1, 2013 to December 1, 2014.

 

In the scheme, fake invoices are delivered to businesses which deal with overseas suppliers, asking for payment by wire transfer.

 

"The fraudulent wire transfer payments sent to foreign banks may be transferred several times but are quickly dispersed," the task force said in a statement.

 

"Asian banks, located in China and Hong Kong, are the most commonly reported ending destination for these fraudulent transfers."

 

The scam has claimed 1,198 US victims and 928 in other countries, according to the statement. US firms have lost more than $179 million of the total.

 

The FBI "believes the number of victims and the total dollar loss will continue to increase," the statement said.

 

In one version of the scheme, a business which works with overseas supplier is contacted by phone, fax or email asking for payment. The emails are "spoofed" to look as if they came from the legitimate supplier. Phone and fax requests also appear genuine.

 

In another version, email accounts of high-level executives are compromised to allow the criminals to request a wire transfer, often including instructions to "urgently send" funds.

 

A third version of the scheme involves the hacking of an employee's email account, which then sends out bogus invoices to vendors or suppliers.

 

The FBI task force said vulnerable businesses should avoid using free web-based emails for official accounts and to exercise caution about posting company information on websites and social media.

 

The group also suggests additional security steps such as two-step verification or digital signatures.

 

"Always verify via other channels that you are still communicating with your legitimate business partner," the statement said.

 

 

Top


CRIME : China To Kenya - We Want Our Cyber Criminals Back

By Dana Sanchez

January 27, 2015

http://afkinsider.com/86411/china-kenya-want-cyber-criminals-back/

 

Kenya has detained 76 Chinese suspects in its first major international cyber crime case and China wants them repatriated, ChristianScienceMonitor reports.

 

China is the largest foreign investor in Kenya and its second largest trading partner with bilateral trade volume reaching $3.27 billion in 2014, according to Chinese customs officials. Recently, China made a $3.8-billion loan to Kenya to fund a railway line to boost trade between Kenya and its landlocked neighbors.

 

Kenyan officials arrested 76 Chinese and a one Thai citizen on charges of cross-border telecommunication fraud and electronically stealing more than 100 million yuan ($16.5 million) from Chinese victims.

 

Chinese officials say all of the victims are in China so the suspects should be extradited to China for investigation and prosecution.

 

Kenyan leaders want the suspects tried in Kenya since the alleged crimes were committed in Kenya.

 

Kenya has charged the suspects with operating an unlicensed telecommunication facility after arresting them in Nairobi in December. If found guilty, each suspect faces fines of five million Kenyan shillings ($54,000) and up to 15 years in jail. More charges are pending, ChristianScienceMonitor reports.

 

In December, Kenyan police responded to a house fire in the high-end Nairobi suburb of Runda, home to expats, prominent politicians and embassies including the American Embassy located two kilometers from the fire. Police found more than 70 Chinese citizens living in cramped quarters. One person died in the fire, according to a report in SecurityGladiators.

 

Police also found computers, Internet equipment, and what looked like a radio station and command center.

 

The Chinese citizens were arrested and charged with running an illegal radio communication station, SecurityGladiators reports.

 

The case is Kenya’s first major international cybercrime case, and highlights vulnerabilities in the country’s cybersecurity network, ChristianScienceMonitor reports. Suspects may have seen Kenya as an ideal cybercrime base because it has few cybercrime laws and relatively strong Internet connections.

 

“Cybercrime laws remain largely unclear,” said Barry Macharia, a technical manager at Tespok Kenya, a telecommunication service providers association. “This, coupled with (the) lack of proper security mechanisms in place, makes Kenyans a lucrative target for cyber criminals.”

 

Computer crime costs Kenyans $22.8 million a year, according to a recent report on cyber security from Serianu Limited, a Kenyan IT and business consulting firm, ChristianScienceMonitor reports. Kenyan banks in 2013 lost $17 million through fraudulent schemes involving their employees. There were 2.6 million cyber attacks in 2012 and 5.4 million in 2013, Serianu reported.

 

Cybercrime in Kenya gone on unnoticed for some time, according to security expert Richard Tutah. “We have to take this very seriously and fight it with the same zeal as we are fighting terrorism.”

 

 

Top


SHORTAGE : US scrambling to hire enough cyber security agents to protect itself

By Matthew Hall

January 27, 2015

http://www.watoday.com.au/it-pro/expertise/us-scrambling-to-hire-enough-cyber-security-agents-to-protect-itself-20150127-12zd5l.html

 

With repercussions from the Sony Entertainment hack continuing to echo around the world, the US government has identified cyber security as "the problem of the 21st century" and warned of a lack of hands-on talent to battle online crime.

 

Law enforcement agencies such as the Federal Bureau of Investigation have launched new year campaigns to  recruit "cyber agents" while an official from the Department of Homeland Security – which serves both the US government and the private sector – told Fairfax Media it is hiring new recruits to battle cybercrime. The good news? They need no previous expertise in the area and non-US citizens can be considered, including Australians.

 

The catch, according to Andy Ozment, the Assistant Secretary of the Department of Homeland Security's Office of Cyber Security, is that expertise in another field is well regarded.

 

"Cyber security is the problem of the 21st century," Mr Ozment said. "Cyber security and cyberspace touch everything we do. Every agency in the [United States] government is dealing with the world it faces and consequentially they all have to deal with cyber security.

 

"There is a huge workforce challenge. If you are a student and you are not in the field of cyber security let me urge you to change that immediately. But don't just study cyber security. Get some broader context. You need domain knowledge. It is not enough to be a cyber security expert. You need to be able to apply cyber security expertise to the specific problems of the financial sector or the energy sector – you name it."

 

Mr Ozment said that is department has already recruited staff with no previous experience in cyber security and added the government agency still could not find enough talent to battle online bad guys.

 

"We can take a person who knows a lot about the energy sector and help them come up to speed with enough on cyber security so they can make a key contribution there. Nevertheless, the pipeline of talent is an enormous problem for us."

 

Ralph Langner, a consultant who has advised the US government and International Atomic Energy Agency on cyber security issues and is acknowledged as an expert on Stuxnet, said budget factors played a key role in recruitment – especially when remuneration often did not reflect the skills required to fill positions. Individuals working in what he called the "offensive" side – with know-how on how to attack networks – were usually well paid while those with defensive expertise were not.

 

"If you want to make a career in cyber security you will find good money on the offence positions," Mr Langner said. "When you are talking about defence, that is a completely different story. The real issue is that you have to put cash on the table. If you want to excel [in] cyber security why would you [take] defensive jobs – whether in the government or private sector – when you are guaranteed to make less money than any lawyer or dentist?"

 

The FBI launched a new year recruitment drive for agents to work in the department that claimed the infamous Sony hack was the work of North Korea's government or, at least, agents working on its behalf.

 

FBI hires must be aged between 23- and 36-years-old, pass a fitness test and earn starting salaries between $US59,000 and $US76,500. An FBI spokesman said specialty agents were needed citing bank robberies as an example where cyber intrusions required no crime scene tape but instead forensic examination of hard drives.

 

While most US government agency work requires applicants to be American citizens, doors are still open for Australian expertise in the field.

 

"If US citizenship is not an absolute requirement for a job, employers are generally willing to sponsor an immigrant or non-immigrant work visa to attract and retain top talent," said Dimiter Blyangov, a New York immigration attorney.

 

"Australian nationals in particular benefit from the E-3 nonimmigrant visa program designed for skilled occupations and from visas granted to people whose skills are in the national interest of the United States."

 

Top


LAW : The Flaws in Obama’s Cybersecurity Initiative

By David M. Upton

January 20, 2015

https://hbr.org/2015/01/the-flaws-in-obamas-cybersecurity-initiative?utm_campaign=Socialflow&utm_source=Socialflow&utm_medium=Tweet

 

President Obama’s new raft of proposals aim to address the growing concern that America is not taking tough-enough action against the increasing cybersecurity problem of nation-states and criminals (usually criminal gangs) attacking U.S. consumers and organizations. The evildoers’ motivation for doing so is most often money, but intellectual property is also being filched, and the internet is also being used for anything from identity theft to illicit political objectives.

 

The cornerstones of the proposal are to:

 

·      Prohibit the sale of botnets and similar tools

·      Give the courts the power to shut down networks assembled for cybercrime such as those involved in “distributed denial of service” (DDOS) attacks

·      Protect companies that share information with the government about computer threats from liability

 

He also calls for better cooperation between companies and the government when tackling cybercrime.

 

The problems are certainly real. We are losing on the battleground of cybersecurity. For example, the gains that IT contributed to the GDP of the Netherlands in 2014 were wiped out by the even larger cost of cybercrime. Cybercrime has now become widespread enough to be a drag on growth in many countries. By some estimates, it costs between $500 billion to $1 trillion worldwide. That’s bigger than the GDP of 75 countries combined.

 

But how much can any government do to address the problem of cybercrime?  And will these proposals do anything to fix the situation in the U.S.? Many of the criminal gangs (and certainly nation-states) lurk beyond U.S. jurisdiction — or at least, beyond the capacity of law enforcement to track them down in large numbers. Therefore, criminalizing many of the activities and products associated with cybercrime is likely to have more symbolic value than actual effect.

 

This is a limitation that would be faced by any country’s government, except perhaps the one where the crooks live. Russia, for example, has an exploding underground cybercrime industry. Trend Micro’s findings are that you can buy a botnet outright for about $700, or rent one for an hour for $2 — enough time to do serious damage. Trojans that let you spy on incoming and outgoing texts will run you $350.

 

Every country now has its own special wares to peddle. Brazil is apparently the place to go if you’re in the market for some banking malware. China’s gangs have their own special portfolio to sell. In terms of the competition between Russia and the United States, the homes of the biggest criminal hosts, Russia is winning bigtime. In three months in 2012, Russia’s share of malicious hosts rose by around 10%, and the United States lost 10% of its bad boy computers. There’s ample evidence that for every cybercriminal activity that gets squashed in the United States, an offshore competitor takes it — at cheaper rates. And even those rates are falling fast as more players and countries compete for their share of the pie.

 

In other words, Obama’s proposals are tackling a problem that was already diminishing in the U.S. The bad guys that really cause problems for Americans (and everyone else) are beyond the long arm of the law.

 

But what of the part about encouraging companies to share information about cyberthreats with the U.S. Department of Homeland Security by offering them “targeted liability protection”? That has to be a good thing, right? Well, the thing is that it’s already happening. In the United States, many company groups already share information — without government involvement — concerning cyberattacks and threats.

 

Each of these industries is dealing with its own kind of ugly crook, looking to use its specialized expertise to exploit vulnerabilities peculiar to that industry. The Retail Cyber Intelligence Sharing Center has been up and running since last year, when some 30 large retail companies got together and decided to share information on threats with each other. The oil and gas industry are doing something similar through ONG-ISAC (an acronym likely brought to us by the spawn of the same marketing-savvy engineers that coined TCP/IP and PCMCIA). And FS-ISAC does the same thing for the financial services industry, a particularly important sector for Willie Sutton reasons.

 

It makes sense for companies to form their own cybersafety industry groups to combat their particular threats. Individual companies are also putting great effort into safeguarding their value, though the facts about and nature of their work is often secret.

 

A bigger issue is that cybercrimes are grossly under-reported and fear of liability is only one part of the problem. Companies just don’t see the governmental resources available to successfully prosecute the kinds of cybercrime they experience, and the track record probably supports that view. Why share information with the government if it won’t help your situation?

 

There are also hosts of not-so-wacky conspiracy theorists who worry about any governmental involvement with the internet. (Some of them actually think the government is using it to snoop on us!) They also worry that if Congress passes a bill when prompted by a crisis, there are almost always additional consequences:  usually giving the government more power than we would like.

 

Nevertheless, a few things make this part of the proposals much more palatable. First, there are many cybercrimes that aren’t just industry specific. Lots of nasty stuff would simply fall through the cracks if left to individual industries. We might not see innovations and changes that affect all of us, and we not might be as good at communicating new general threats more publicly.

 

For example, the fastest growing malware targets smartphones. With the right hack, your phone can be used to bug you or see what its camera sees. Not a great sales pitch for a conflicted phone industry. How about cars getting hacked? What about Skype-enabled TVs peering into thousands of homes and the streams being sold on the dark web? We might want companies to share that kind of information with the government — and us — without too much fear of reprisal.

 

Probably more important than our internet-of-everything gadgets are the power, water, sewage, manufacturing and transportation networks. A surprise, broad attack might put us, if only temporarily, somewhere between now and the Middle Ages. And even though governments are trying hard to protect this infrastructure, we’d probably want any hint of a private breach likely to be correlated with a broad-scale, warfare-like attack shared centrally (sooner rather than later).

 

In summary, I believe Obama’s proposals are well-intentioned. Information sharing is, on balance, a good thing. They at least start to address a set of problems that will impact the next generation even more than ours and may be the basis for some fundamental research. But I just doubt that they will be very effective in combating cybercrime.

 

So what is the answer?  We know it is a global problem requiring a global solution. We know we need more global cyber capacity to fight cybercrime. International cooperation is critical. Global information sharing is also important — and we are doing some of it. A better understanding of the psychology of how insiders are coaxed, blackmailed, or tricked into sharing access to their computer systems would help organizations defend themselves. Good technology exists and will help, if we use it. Most important is education: Everyone — individuals, employees, companies, and boards of directors — needs to understand the new dangers.

 

One of the best results of Obama’s initiative may be to put the cybercrime issue a little higher on everyone’s agenda. If it spurs more good guys to learn and focus on the challenges, this second-order effect may have the greater impact.

 

 

Top


IT Term of the day


Dot Matrix


A dot matrix is a 2D matrix of dots that can represent images, symbols, or characters. They are used for electronic displays, such as computer monitors and LED screens, as well as printed output.

 

In a dot matrix display, the images are estimated using a discrete set of dots instead of lines and shapes. Therefore, the more dots that are used, the more clear and accurate the image representation will be. For example, a 16x16 dot matrix can represent the letter "S" more accurately than a 8x8 matrix. If enough dots are used, the image will appear as a contiguous display rather than a group of dots. This is because the human eye blends the dots together to create a coherent image. For example, newspaper print is made up of dot matrixes, but it is hard to notice unless you look very closely at the paper.

 

Bitmap images on a computer screen are also dot matrixes, since they are made up of a rectangular grid of pixels. If you look closely enough at your monitor, you may even be able to see the dots that make up the image. But be nice to your eyes and don't stare too long!

 

While "dot matrix" has a broad definition, it can also be used to describe a specific type of printer. Dot matrix printers, or "impact printers," were introduced in the 1970s. These printers typically use the kind of paper with small holes on each side that are used to feed the paper through the printer. They are called dot matrix printers because they use a matrix of dots to print each character. While they do not have a very high resolution, dot matrix printers are an effective way of printing basic text documents. Therefore, while most businesses now use inkjet or laser printers, some organizations still find dot matrix printers to be an efficient printing solution.

 

 

Top


Quote of the day


Society in every state is a blessing, but government even in its best state is but a necessary evil; in its worst state an intolerable one; for when we suffer, or are exposed to the same miseries by a government, which we might expect in a country without government, our calamity is heightened by reflecting that we furnish the means by which we suffer.

 

Thomas Paine

(1737-1809)

US Founding father, pamphleteer, author

 

 

Top


Note -

  1. As a member of this group, you get useful information to protect yourself and your IT assets and processes from various Computer and Related Crimes.
  2. If you think that your other friends/colleagues/acquaintances/relatives/foes/enemies also needs this information, forward the mail to them and request them to send their e-mail addresses and names to us with subject as "Subscribe".
  3. If you or someone has become victim of Computer Crimes or has any query on prevention, you are welcome to write to us.
  4. If you are not interested in it and would like to unsubscribe - send a reply mail with subject as "Unsubscribe".
  5. Disclaimer - We have taken due care to research and present these news-items to you. Though we've spent a great deal of time researching these matters, some details may be wrong. If you use any of these items, you are using at your risk and cost. You are required to verify and validate before any usage. Most of these need expert help / assistance to use / implement. For any error or loss or liability due to what-so-ever reason, CRPCC and/or Sysman Computers (P) Ltd. and/or any associated person / entity will not be responsible.