Newsletter
IT and Cyber Security News Update from Centre for Research and Prevention of Computer Crimes,
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005
January 02, 2015, Issue no 1526
Tenth year of uninterrupted publication
Today's edition
GROWTH : Cyber crime cases in Cyberabad rose sharply during 2014
HACKED : Internet Systems Consortium Site Redirects to Angler Exploit
THIN LINE : When does cyber crime become act of cyberwar?
2014 : Top 10 cyber crime stories of 2014
GROWTH : Cyber crime cases in Cyberabad rose sharply during 2014
PTI, Dec 30, 2014
HYDERABAD: Cybercrime cases rose sharply under Cyberabad Police Commissionerate limits here during 2014 as compared to last year.

A total of 256 cyber crime cases were reported this year as against 109 recorded in 2013, Cyberabad Police Commissioner C V Anand told reporters at a press meet here today.

Out of the 256 cyber crime cases, 39 were registered for cyber crime offences against women, while 76 cases were abusive mails, 31 were online cheating and 29 were online job frauds, among others, the CP said.

Overall, crimes decreased by 15 per cent to 5,343 cases during 2014 as against 6,158 cases during the same period last year, Anand said, adding that crime against women declined this year by three per cent to 2,338 from 2,404 last year, though rape cases remained at 138.

Cyberabad Police Commissionerate recorded the highest detection of property crime cases by any unit in Telangana State, with detection of 68 per cent of cases and 74 per cent recovery. The total property lost was Rs 30,66,79,391 and the recovery stood at Rs 22,76,79,164.

In view of a country-wide general alert issued by Central agencies, Cyberabad Police has stepped up security measures and also reviewed the security of software companies located in the IT corridor here, Anand said, adding "We are alert. We will do our best so that nothing happens in Cyberabad".
HACKED : Internet Systems Consortium Site Redirects to Angler Exploit
by Brian Donohue, December 29, 2014
http://threatpost.com/internet-systems-consortium-site-redirects-to-angler-exploit/110131
The Internet Systems Consortium website is offline today after the non-profit domain name service maintainer announced its website had possibly become infected with malware.
The ISC, as it is commonly known, is perhaps best known as the developer of BIND, the most widely used DNS software on the Internet. However, the group also maintains the F-root server, one of the Internet's 13 root name servers.
The security firm Cyphort says it notified ISC.org of the infection on December 22. Sometime thereafter, the ISC replaced its homepage with a static notice informing users of the infection.
"We believe the web site may have become infected with malware," the ISC announced. "Please scan any machine that has accessed this site recently for malware. This is a WordPress issue; ftp.isc.org, kb.isc.org and our other network resources are unaffected."
The consortium goes on to note that it has not received any complaints of visitors having been infected with malware, but is urging that any potential victims contact ISC's security officer via email.
Cyphort explained last week that attackers managed to compromise ISC.org through a WordPress bug that allowed them to modify the ISC homepage with code that redirected visitors to a landing page hosting the Angler exploit kit. The kit, they say, is known to deploy a variety of exploits. In this case, Cyphort says the kit relied on Internet Explorer, Flash and Silverlight exploits.
In order to evade detection, the attackers have been cycling through the redirect domains hosting Angler.
The initial IE exploit is obfuscated. Upon deobfuscation, Cyphort determined that the kit first attempts to detect the presence of security products and virtual machine use. After that, it enumerates the plugins present and attempts to find a vulnerable version of IE. If there is a vulnerable version of Microsoft's browser, Angler exploits it.
The kit then deobfuscates shellcode that resolves Windows APIs using an API hash technique and downloads the binary from the server. After decoding that binary, Cyphort explained, the shellcode downloads another pair of binaries (one for 32-bit and another for 64-bit systems).
Cyphort researcher McEnroe Navaraj says the shellcode is particularly clever because even if the user dumps the file from memory, the hash of the loaded binary will be different each time the exploit loads.
"The reason behind this file hash difference is a few modified fields in the PE Optional Header," Navaraj wrote. "It stores the dynamically allocated buffer address as part of PE Optional Header. This trick modifies the file hash each time you load the exploit."
Each of the binaries is a DLL. The 32-bit DLL's MD5 hash is 38f583da8bc6e3d09799c88213206f14, while the 64-bit DLL's is deacb2e37746ec97ac199e28e445c123.

The 64-bit DLL has the following exports: AtTwo, BothCase, IsAroundMustSyntax, LineNames, ThereForAboveColumnLearn, TruthFileIs and WithinFor.

The 32-bit DLL has the following exports: StartMustValueTrailing, ThatRecognisedOptionHeader, WithinShareMustTheFile and YouLeastBrokenIntoDefining.
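The Optional Header trick quoted above is exactly what makes per-dump file hashes unreliable for matching samples. The script below is an added example, not code from the Threatpost article or from Cyphort's analysis: it hashes a dumped PE image with the Optional Header fields that a loader or dumper may rewrite zeroed out, so two dumps of the same module compare equal. Navaraj does not say which fields Angler overwrites; the example assumes ImageBase (the field a loader rewrites when a module is relocated) and also masks CheckSum. The two sample images are constructed inside the script and are not the DLLs whose hashes are listed above.

```python
"""Normalized hashing of PE images dumped from memory (added example; the
overwritten field is assumed to be ImageBase, and the sample PE images are
constructed here, not taken from any real malware)."""
import hashlib
import struct

DOS_E_LFANEW = 0x3C            # offset of e_lfanew in the DOS header
COFF_HEADER_SIZE = 20
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_sample_pe(image_base: int, pe32plus: bool = True) -> bytes:
    """Construct a minimal, well-formed PE image in memory (constructed sample)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW, e_lfanew)

    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE | DLL)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x2002)

    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0x00, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 0x10, 0x1000)           # AddressOfEntryPoint
    if pe32plus:
        struct.pack_into("<Q", opt, 0x18, image_base)   # ImageBase, 8 bytes
    else:
        struct.pack_into("<I", opt, 0x1C, image_base)   # ImageBase, 4 bytes
    struct.pack_into("<I", opt, 0x40, 0xBEEF)           # CheckSum (placeholder)

    # One section header: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
    # NumberOfRelocations, NumberOfLinenumbers, Characteristics (code|r|x)
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x100, 0x1000, 0x100, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    return header + b"\xC3" * 0x100                     # constructed .text body


def _optional_header_offset(image: bytes) -> int:
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, DOS_E_LFANEW)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + COFF_HEADER_SIZE


def volatile_fields(image: bytes) -> list:
    """(offset, size) of Optional Header fields that may legitimately differ
    between two dumps of one module: ImageBase and CheckSum."""
    opt = _optional_header_offset(image)
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32PLUS_MAGIC:
        fields = [(opt + 0x18, 8)]
    elif magic == PE32_MAGIC:
        fields = [(opt + 0x1C, 4)]
    else:
        raise ValueError(f"unknown Optional Header magic {magic:#x}")
    fields.append((opt + 0x40, 4))   # CheckSum sits at 0x40 in both formats
    return fields


def raw_hash(image: bytes, algo: str = "md5") -> str:
    """Plain file hash, as quoted in the article: changes when any byte changes."""
    return hashlib.new(algo, image).hexdigest()


def normalized_hash(image: bytes, algo: str = "sha256") -> str:
    """Hash with the volatile header fields zeroed, so relocated or
    header-patched dumps of the same module still match."""
    buf = bytearray(image)
    for off, size in volatile_fields(image):
        buf[off:off + size] = b"\0" * size
    return hashlib.new(algo, bytes(buf)).hexdigest()


if __name__ == "__main__":
    dump_a = build_sample_pe(0x7FF612340000)   # same module, two loads at
    dump_b = build_sample_pe(0x7FF6ABCD0000)   # different buffer addresses
    print("raw md5 differ:  ", raw_hash(dump_a) != raw_hash(dump_b))
    print("normalized equal:", normalized_hash(dump_a) == normalized_hash(dump_b))
```

When comparing dumps from several infections, compare the normalized hash (or a hash over the section contents alone) before concluding that two dumps are different samples; the export names listed above are a second, header-independent point of comparison.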
ISC spokesperson Vicky Risk told Threatpost via email that they have zero indication that this attack was specifically targeted toward the ISC. In fact, she explained, the injected code contained an explicit statement regarding how the exploit should proceed for both WordPress and Drupal sites. ISC, of course, does not use Drupal, so if the attack had been targeting them exclusively, there would be no need for a Drupal module.
"We think the web site vulnerability was first discovered by Sucuri.net, a company that offers a web site virus scanning and remediation service for WordPress and Drupal (and some other CMSes)," Risk said. "We remediated ourselves after they reported we had some spam redirect links, removed the hidden spam, added a more complex captcha, updated our php and made a few other security improvements. This remediation was presumably inadequate in hindsight, because later, we were infected with the Angler Exploit."

"We are reconsidering our use of WordPress," Risk continued. "We have fairly simple needs and we could go to a more static site. However, in the meantime, we have protected our site with the Sucuri web site scanning service. We should probably have had a web site virus protection plan in place, just as nobody would use a pc these days without virus protection."
While it appears that this attack only would have affected visitors to the ISC site and not the organization's BIND software or other work, it is troubling nonetheless, considering the ISC's broad role in the architecture of the Internet. The attack also invites comparison to another earlier this month, when unknown hackers were able to compromise vital systems belonging to ICANN, the organization that manages the global top-level domain system, and had access to the system that manages the files with data on resolving specific domain names.
THIN LINE : When does cyber crime become act of cyberwar?
By RACHEL MARSDEN, Syndicated Columnist
December 30, 2014
http://staugustine.com/news/national-news/2014-12-30/when-does-cyber-crime-become-act-cyberwar
The recent online dumping of Sony Pictures Entertainment's confidential business data and emails, believed by the U.S. government and cyber security experts to have been committed by North Korea, has been deemed an act of computer hacking and theft.
Given this, what level would
a cyber crime need to reach that also would constitute an act of cyberwar?
About 10 years ago, over
dinner in Los Angeles, the late Andrew Breitbart
(founder of Breitbart News) said that Islamic
terrorists had already attacked the military and financial might of the West by
hitting the Pentagon and the World Trade Center, and suggested that if they wanted
to hit the epicenter of Western culture, all they would need to do is stuff a
Hollywood celebrity into an orange jumpsuit. Targeting a Hollywood studio from
behind computer terminals accomplishes more or less the same goal, instilling
fear and insecurity at the heart of American exportable soft power.
No one's suggesting that Islamic extremists have anything to do with the Sony breach, but it wouldn't be hard to imagine that other bad guys who favor this kind of asymmetric attack might be taking notes on its effectiveness.
Still, it's not technically war. As liberally as the term "cyberwar" is tossed around these days -- to describe everything from temporary denial of service attacks on websites to corporate database breaches by foreign actors -- international law recognizes that in order for any cyber attack to meet the threshold to be considered an act of war, it must constitute a prohibited use of force under international law.
NATO's Tallinn Manual On the International Law Applicable To Cyber Warfare attempts to fit cyber use of force into conventional rules of war and existing international law: "Whatever 'force' may be, it is not mere economic or political coercion. Cyber operations that involve, or are otherwise analogous to, these coercive activities are definitely not prohibited uses of force."
According to Tallinn, a cyber attack crosses the line into cyberwar when it causes physical harm to civilians or civil infrastructure. Mere inconvenience and irritation never constitutes an act of cyberwar. The Sony leak isn't explicitly prohibited under international laws of war, regardless of its cause: "International law does not prohibit propaganda, psychological operations, espionage, or mere economic pressure per se."
A cyber crime is rarely tantamount to an act of cyberwar -- even if celebrities' emails are involved and it's featured on cable news all day long.
So what recourse does a company have? It can lay a complaint with local law enforcement, who may find that legal recourse ends at their own nation's border when it involves a foreign cyber attacker, because international cooperation and the law tend to always be several steps behind in the domain of cyber crime.
Better laws and international
harmonization between them are needed to combat cyber breaches, but cutting
through the whining of the usual critics who think that every bit of legal
tinkering involving anything cyber related somehow brings America one step
closer to police state status will no doubt prove challenging.
In the case of a prominent multinational of significant economic importance to the American economy (and I'm not convinced that a Hollywood studio actually qualifies), a diplomatic channel could be opened to address the attack either directly with the attacker's nation state, or via an ally who benefits from close relations with it -- as Obama is reportedly doing now in addressing China in the Sony case.
At least maybe the critics who were upset when the top secret documents leaked by former NSA contractor Edward Snowden last year showed that Canada's signals intelligence agency gathered economic intelligence on oil and gas companies in Brazil will now have a more concrete example of exactly how economic interests and national interests can be inextricable. For example, if the Sony screwball comedy film mocking Kim Jong-un that has been derailed in this fiasco has nothing to do with American national interests, then why so much insistence that Sony must stick to its guns and defend the spirit of the First Amendment by releasing this film?
Companies that aren't considered to be of critical economic importance to the state can always hire their own private security and political operatives to prevent, mitigate, or resolve any problems.
While we haven't seen any actual cyberwar yet, it's everything below that threshold -- the low level cyber insurgency -- that risks causing grief if measures aren't taken to mitigate it.
Also see:
http://www.wnd.com/2014/12/is-cyber-pearl-harbor-coming/
http://www.politico.com/story/2014/12/fbi-briefed-on-alternate-sony-hack-theory-113866.html
2014 : Top 10 cyber crime stories of 2014
By Warwick Ashford
31 December 2014
Cyber
crime featured heavily in security news coverage in 2013, and continued to do
so in 2014 with cyber criminals and cyber law enforcers upping their games with
each passing month.
The
production of malware continues on an industrial scale, with exploit kits and
malware services putting sophisticated attack methods in the hands of relatively
unskilled cyber criminals.
However, 2014 has seen a series of international anti-cyber crime operations that have demonstrated an unprecedented level of co-operation between law enforcement agencies around the world.
These efforts have been boosted by the UK-led Joint Cybercrime Action Taskforce, which is hosted by Europol's European Cyber Crime Centre in The Hague.
Law
enforcement officers have emphasised that business
needs to take cyber crime seriously, with every size of company in every sector
being targeted.
Despite
the advances in law enforcement operations, UK police are facing a steep
learning curve in their efforts to come to grips with cyber-enabled crime.
That
challenge is likely to continue as cyber criminals are expected to evolve in a
number of ways in 2015, with some expected to become information dealers
offering rich data sets about individuals to the underground market.
Read
Computer Weekly's top 10 cyber crime stories of 2014 here:
1. Business needs to take cyber crime seriously, says top EU cyber cop
Business needs to take cyber crime very seriously, according to Troels Oerting, head of Europol's European Cybercrime Centre.
"At some time or other, all businesses are likely to be hit by cyber crime as the world becomes increasingly online," Oerting told Computer Weekly. "Companies that do not think information security is important should reconsider, otherwise they could end up going out of business."
The
threat of cyber crime is much greater than most people think, he said, because
much of it still goes unreported.
"We know of a lot of cyber crimes that are very costly to business that are not reported to the police," said Oerting. "We also see losses through fraud and other crimes of more than 9m in some months, but these are going unreported."
Oerting
believes businesses that invest in the right processes, procedures and
technologies will be rewarded in the longer term but failure to do so could
have devastating consequences.
2. Service model driving cyber crime, says Europol report
The cyber crime support industry is becoming increasingly commercialised, according to a report published by Europol's European Cybercrime Centre in September.
Specialists
in the virtual underground economy are developing products and services for use
by other cyber criminals, the Internet Organised
Crime Threat Assessment (IOCTA) report said.
The report's authors believe this crime-as-a-service business model drives innovation and sophistication, and provides access to a wide range of services that facilitate almost any type of cyber crime. As a result, the barriers to entry for cyber crime are being lowered to allow those lacking technical expertise, including traditional organised crime groups, to conduct cyber crime.
The
report also highlighted the abuse of legitimate services and tools such as anonymisation, encryption and virtual currencies, as well
as the abuse of darknets for illicit online trade
in drugs, weapons, stolen goods, stolen personal and payment card data, forged
identity documents and child abuse material.
3. UK-led cyber crime taskforce proving its worth, says top EU cyber cop
Just one month into a six-month pilot, a UK-led international cyber crime taskforce looked set to become permanent, Troels Oerting, head of Europol's European Cybercrime Centre (EC3), said in October.
EC3
is hosting the Joint Cybercrime Action Taskforce (J-Cat) set up in September
2014 to co-ordinate international investigations with partners, targeting key
cyber crime threats and top targets.
Initiated
by EC3, the EU Cybercrime Taskforce, the FBI and the National Crime Agency
(NCA), the J-Cat is made up of cyber liaison officers from EU states, non-EU
law enforcement partners and EC3.
Oerting said the unit, which is led by deputy director of the UK's National Cyber Crime Unit (NCCU) Andy Archibald, is due for its first evaluation at the end of February 2015.
"There are already indications it will be extended for at least another six months, but I think it is likely to become permanent as it keeps acquiring cases and we are trying to get European Union (EU) funding for it," he said.
4. UK operation nets 17 suspected Blackshades cyber attackers
In
May, the first-ever UK-wide cyber crime operation netted 17 suspected users of Blackshades malware, which is designed to take over control
of computers and steal information.
Co-ordinated by the new National Crime Agency, the week-long
operation in May involved nearly every UK regional organised
crime unit as well as Police Scotland and the Metropolitan Police.
The
UK investigation was part of global activity targeting developers and prolific
users of Blackshades, a set of malware tools sold
online for less than £100.
In
an operation initiated by the FBI and co-ordinated in
Europe through Eurojust and the European Cybercrime
Centre at Europol, police forces internationally apprehended dozens of
suspected users.
Arrests took place in the UK, the Netherlands, Belgium, Finland, Austria, Estonia, Denmark, Canada, Chile, Croatia and Italy, taking the total number of arrests in connection with Blackshades to 97. The most common Blackshades product is a remote access tool (RAT), which enables cyber criminals to remotely take over and control the operations of an infected computer.
5. Dark markets downed in international anti-cyber crime operation
International
law enforcers took down several dark markets operating on hidden Tor networks
and arrested 17 cyber crime suspects in early November.
Operation
Onymous involved law enforcement officers from 16 European
states and the US in one of the biggest anti-cyber crime operations to date.
The
operation was aimed at halting the sale, distribution and promotion of illegal
and harmful items, including weapons and drugs through dark marketplaces
online.
Operation Onymous was co-ordinated from Europol's European Cybercrime Centre in The Hague and supported by the UK-led Joint Cybercrime Action Taskforce (J-Cat). Operation Onymous was J-Cat's second big success in just over a month of a six-month pilot, and came just weeks after Operation Imperium, which resulted in 31 arrests and 42 house searches.
6. UK police make four arrests in international cyber crime crackdown
UK
police made four arrests in late November as part of an international crackdown
on cyber criminals who use malware tools to hijack computers and steal data.
The UK raids were led by the NCA, and involved officers from a number of police
Regional Organised Crime Units (ROCUs).
The
international operation was co-ordinated through
Europol, and focused on the threat posed by tools known as remote access trojans.
Police
in Estonia, France, Romania, Latvia, Italy and Norway made 11 further arrests.
In the UK, two 33-year-old men and a 30-year-old woman were arrested in Leeds,
and a 20-year-old man was arrested in Kent. Police executed a search warrant on
a 19-year-old man from Liverpool, who had been brought in for voluntary
questioning.
The
NCA said that, in addition to arresting people believed to be using remote
access trojans, police use a variety of approaches to
warn individuals that any movement into cyber criminality will result in
further action.
7. More than a hundred cyber criminals arrested in global operation
Law
enforcement agencies around the world arrested 118 suspects, including around
40 in the UK, in the third international cyber-crime operation of its kind in
late November.
The operation was led by Europol's European Cybercrime Centre in The Hague and co-ordinated with the help of Interpol in Singapore and Ameripol in Bogota. The operation was aimed at tackling online fraud and was conducted in collaboration with the airline, travel and credit card industries.
More
than 60 airlines and 45 countries were involved in the activity, which took
place at more than 80 airports across the world. The co-ordinated
action targeted criminals suspected of fraudulently purchasing plane tickets
online using stolen or fake credit card data. In many cases it was revealed how
the credit card fraud has links to or is facilitating other forms of serious
crime, such as drug trafficking.
8. UK National Cyber Crime Unit open to business
The
UK's National Cyber Crime Unit (NCCU) is open to working with
business and other organisations in the private sector, according to deputy
director Andy Archibald.
"Business is welcome to contact us directly about dynamic, fast-moving cyber crime in action, and we will work with them to ensure they get the most appropriate response," he told Computer Weekly.
The
NCCU sees a deeper, more defined and developed relationship with private sector
businesses as crucial, not only to identify crimes and patterns of criminal
activity, but also to tap into specialist skills.
"We need to be able to go to organisations in the private sector and ask to work with people with the skills we need in some of our investigations," said Archibald. "Industry can bring things to the table that we may not be aware of, and we will work with the private sector within the law if the solution to an operation is something the private sector can take the lead on."
9. UK police face steep learning curve on cyber crime
UK police face a steep learning curve in getting to grips with cyber crime, but several initiatives underway are geared to growing capability and capacity, the London Assembly's Police and Crime Committee's Online Crime Working Group heard in November.
The working group is gathering evidence on the response of the Metropolitan Police Service to cyber-enabled crimes. Asked whether policing is behind the curve when it comes to tackling cyber-enabled crime, College of Policing CEO Alex Marshall said it is clear there is an inconsistent response to this threat.
"There is much catching up to be done," he said, with experienced officers increasingly having to deal with complex, online and cyber issues, which they were never originally trained for.
Marshall
said the 18-month-old College of Policing plans to publish new national
standards for online investigation and intelligence in 2015 to replace outdated
standards published in 2010. The college has also developed a huge range of
online training courses for police in England and Wales, as well as specific
courses for different skill areas in cyber or online crime.
10. Cyber criminals set to become information dealers, says Websense
Cyber
criminals are set to become information dealers in the coming year, according
to the top 10 cyber security predictions for 2015 by Websense
Security Labs.
Websense
principal security analyst Carl Leonard said criminals will use the sale of
credit card numbers to fund the collection of a broader range of data about victims.
"The underground market is flooded with stolen credit card data, but that will help fund the collection of fuller, richer personal information sets about individuals," he told Computer Weekly.
These
data sets will be far more lucrative than credit card details on the
underground market and will include details of multiple credit cards, as well
as regional, geographic, behavioural and personal
data. Websense expects this emerging trade in data
sets on individuals will enable a new level of identity theft to enable fraud.
DNS Record
DNS records are stored in zone files and are used for
translating domain names to IP addresses. They also contain other data,
including the domain name's name server and mail server information. If there
are domain name aliases, such as the commonly used "www" preceding
the domain name, these will also be listed in the DNS record.
A typical zone file may look something like this, with $ORIGIN naming the zone and addresses from the RFC 5737 documentation range (192.0.2.0/24) standing in for real ones:

$ORIGIN yourdomain.com.
$TTL 3600
;
; Start of authority (placeholder serial and timers)
;
@            IN  SOA    ns1.4servers.com. hostmaster.yourdomain.com. (
                        2015010201 7200 900 1209600 3600 )
;
; Nameservers
;
             IN  NS     ns1.4servers.com.   ; 192.0.2.1
             IN  NS     ns2.4servers.com.   ; 192.0.2.2
;
; Domain mail handlers
;
             IN  MX     0  mail
             IN  MX     10 mail
;
; Hosts in order
;
@            IN  A      192.0.2.10
www          IN  A      192.0.2.10
smtp         IN  CNAME  www
pop          IN  CNAME  www
ftp          IN  CNAME  www
mail         IN  A      192.0.2.10
;
; end
Since zone files are made up entirely of text, they are easy to modify when needed. However, one small typo could redirect a domain name to the wrong Web server or prevent it from resolving at all. This is why it is important to enter DNS information accurately and double-check each changed entry before saving the zone file.
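Because a single wrong label is enough to send traffic elsewhere, it pays to lint a zone before loading it. The checker below is an added example, not part of the newsletter or of any DNS server's tooling. It parses the record types used in the sample zone above (SOA, NS, MX, A, CNAME), applies $ORIGIN, and flags the two mistakes that silently misdirect or break names: a CNAME, MX or NS whose in-zone target does not exist, and an MX or NS pointing at a CNAME (forbidden by RFC 2181 section 10.3), plus a CNAME that coexists with other records at the same name. The zone text, names and addresses embedded in it are constructed for the example and contain two deliberate mistakes; names outside the zone (such as the 4servers.com nameservers) are skipped because they cannot be verified from the file alone.

```python
"""Zone-file sanity checker (added example). The zone below is constructed for
the example and deliberately contains one dangling CNAME and one MX that
points at a CNAME."""

SAMPLE_ZONE = """\
$ORIGIN yourdomain.com.
$TTL 3600
@       IN  SOA   ns1.4servers.com. hostmaster.yourdomain.com. 2015010201 7200 900 1209600 3600
        IN  NS    ns1.4servers.com.
        IN  NS    ns2.4servers.com.
        IN  MX    10 mail
        IN  MX    20 smtp        ; mistake: smtp is a CNAME, not allowed as MX target
        IN  A     192.0.2.10
www     IN  A     192.0.2.10
mail    IN  A     192.0.2.20
smtp    IN  CNAME www
pop     IN  CNAME www
ftp     IN  CNAME wwww           ; mistake: typo, "wwww" does not exist in the zone
"""

# Which rdata token holds the name a record points at.
TARGET_INDEX = {"CNAME": 0, "NS": 0, "MX": 1}


def qualify(name: str, origin: str) -> str:
    """Turn a relative owner/target into a fully qualified name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str):
    """Return (origin, [(owner, type, rdata_tokens), ...]) for a zone file.
    Handles $ORIGIN, $TTL, ';' comments, optional TTL/class, and the
    'same owner as previous line' convention (line starts with whitespace)."""
    origin, owner, records = ".", None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1] if tokens[1].endswith(".") else tokens[1] + "."
            continue
        if tokens[0] == "$TTL":
            continue
        if not line[0].isspace():                  # explicit owner on this line
            owner = qualify(tokens.pop(0), origin)
        if owner is None:
            raise ValueError("record before any owner name")
        if tokens and tokens[0].isdigit():         # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)                          # optional class
        rtype = tokens.pop(0).upper()
        records.append((owner, rtype, tokens))
    return origin, records


def lint_zone(text: str) -> list:
    """Return human-readable findings for dangling targets, MX/NS -> CNAME,
    and CNAMEs that share a name with other records."""
    origin, records = parse_zone(text)
    types_at = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)

    findings = []
    for owner, types in types_at.items():
        if "CNAME" in types and len(types) > 1:
            others = sorted(types - {"CNAME"})
            findings.append(f"{owner}: CNAME coexists with {others} (RFC 1034)")

    for owner, rtype, rdata in records:
        if rtype not in TARGET_INDEX:
            continue
        target = qualify(rdata[TARGET_INDEX[rtype]], origin)
        in_zone = target == origin or target.endswith("." + origin)
        if not in_zone:
            continue                               # cannot verify offline
        if target not in types_at:
            findings.append(f"{owner} {rtype} -> {target}: dangling target (no such name in zone)")
        elif rtype in ("MX", "NS") and "CNAME" in types_at[target]:
            findings.append(f"{owner} {rtype} -> {target}: target is a CNAME (RFC 2181 s10.3)")
    return findings


if __name__ == "__main__":
    for finding in lint_zone(SAMPLE_ZONE):
        print(finding)
```

Run it against a zone file before committing the change (`lint_zone(open(path).read())`); an empty result is the check that the sample zone above would pass, and anything printed is a record that would misdirect or fail to resolve once the zone is loaded.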
The death of democracy is not
likely to be an assassination from ambush. It will be a slow extinction from
apathy, indifference, and undernourishment.
Robert M. Hutchins
Note -