IT and Cyber Security News Update from
Centre for Research and Prevention of Computer
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
January 02, 2015, Issue no 1526 (published since June 2005)
Tenth year of uninterrupted publication
Dec 30, 2014
HYDERABAD: Cybercrime cases rose sharply under Cyberabad Police Commissionerate limits here during 2014 as compared to last year.
A total of 256 cyber crime cases were reported this year as against 109 recorded in 2013, Cyberabad Police Commissioner C V Anand told reporters at a press meet here today.
Out of the 256 cyber crime cases 39 were registered for cyber crime offences against women while 76 cases were abusive mails, 31 were online cheating and 29 were online job frauds among others, the CP said.
Overall, crimes decreased by 15 per cent to 5,343 cases during 2014 as against 6,158 cases during the same period last year, Anand said, adding that crime against women declined this year by three per cent to 2,338 from 2,404 last year, though rape cases remained at 138.
Cyberabad Police Commissionerate recorded the highest detection rate for property crime of any unit in Telangana State, with 68 per cent of cases detected and 74 per cent of property recovered. The total property lost was Rs 30,66,79,391 and the recovery stood at Rs 22,76,79,164.
In view of the country-wide general alert issued by Central agencies, Cyberabad Police has stepped up security measures and also reviewed the security of software companies located in the IT corridor here, Anand said, adding: "We are alert. We will do our best so that nothing happens in Cyberabad."
by Brian Donohue
December 29, 2014
The Internet Systems Consortium website is offline today after the non-profit domain name service maintainer announced its website had possibly become infected with malware.
The ISC, as it is commonly known, is perhaps best known as the developer of BIND, the most widely used DNS software on the Internet. However, the group also maintains the F-root server, one of the Internet's 13 root name servers.
The security firm Cyphort says it notified ISC.org of the infection on December 22. Sometime thereafter, the ISC replaced its homepage with a static notice informing users of the infection.
"We believe the web site may have become infected with malware," the ISC announced. "Please scan any machine that has accessed this site recently for malware. This is a WordPress issue, ftp.isc.org, kb.isc.org and our other network resources are unaffected."
The consortium goes on to note that it has not received any complaints of visitors having been infected with malware, but is urging that any potential victims contact ISC's security officer via email.
Cyphort explained last week that attackers managed to compromise ISC.org through a WordPress bug that allowed them to modify the ISC homepage with code that redirected visitors to a landing page hosting the Angler exploit kit. The kit, they say, is known to deploy a variety of exploits. In this case, Cyphort says the kit relied on Internet Explorer, Flash and Silverlight exploits.
In order to evade detection, the attackers have been cycling through the redirect domains hosting Angler.
The initial IE exploit is obfuscated. Upon deobfuscation, Cyphort determined that the kit attempts to detect the presence of security products and virtual machine use. After that, it enumerates the plugins present and attempts to find a vulnerable version of IE. If there is a vulnerable version of Microsoft's browser, Angler exploits it.
The kit then deobfuscates shellcode that finds Windows APIs using an API hash technique and downloads the binary from the server. After decoding that binary, Cyphort explained, the shellcode downloads another pair of binaries (one for 32-bit and another for 64-bit systems).
Cyphort researcher McEnroe Navaraj says the shellcode is particularly clever because even if the user dumps the file from memory, the hash of the loaded binary will be different each time the exploit loads.
"The reason behind this file hash difference is a few modified fields in the PE Optional Header," Navaraj wrote. "It stores the dynamically allocated buffer address as part of PE Optional Header. This trick modifies the file hash each time you load the exploit."
Each of the binaries is a DLL file. The 32-bit MD5 hash is 38f583da8bc6e3d09799c88213206f14, while the 64-bit variety is deacb2e37746ec97ac199e28e445c123.
The 64-bit DLL has the following exports: AtTwo, BothCase, IsAroundMustSyntax, LineNames, ThereForAboveColumnLearn, TruthFileIs and WithinFor. The 32-bit DLL has the following exports: StartMustValueTrailing, ThatRecognisedOptionHeader, WithinShareMustTheFile and YouLeastBrokenIntoDefining.
ISC spokesperson Vicky Risk told Threatpost via email that they have zero indication that this attack was specifically targeted toward the ISC. In fact, she explained, the injected code contained an explicit statement regarding how the exploit should proceed for both WordPress and Drupal sites. ISC, of course, does not use Drupal, so if the attack had been targeting them exclusively, there would be no need for a Drupal module.
"We think the web site vulnerability was first discovered by Sucuri.net, a company that offers a web site virus scanning and remediation service for WordPress and Drupal (and some other CMSes)," Risk said. "We remediated ourselves after they reported we had some spam redirect links, removed the hidden spam, added a more complex captcha, updated our php and made a few other security improvements. This remediation was presumably inadequate in hindsight, because later, we were infected with the Angler Exploit."
"We are reconsidering our use of WordPress," Risk continued. "We have fairly simple needs and we could go to a more static site. However, in the meantime, we have protected our site with the Sucuri web site scanning service. We should probably have had a web site virus protection plan in place, just as nobody would use a pc these days without virus protection."
While it appears that this attack would only have affected visitors to the ISC site and not the organization's BIND software or other work, it is troubling nonetheless, considering the ISC's broad role in the architecture of the Internet. The attack also invites comparison to another earlier this month, when unknown hackers were able to compromise vital systems belonging to ICANN, the organization that manages the global top-level domain system, and had access to the system that manages the files with data on resolving specific domain names.
By RACHEL MARSDEN
December 30, 2014
The recent online dumping of Sony Pictures Entertainment's confidential business data and emails, believed by the U.S. government and cyber security experts to have been committed by North Korea, has been deemed an act of computer hacking and theft.
Given this, what level would a cyber crime need to reach that also would constitute an act of cyberwar?
About 10 years ago, over dinner in Los Angeles, the late Andrew Breitbart (founder of Breitbart News) said that Islamic terrorists had already attacked the military and financial might of the West by hitting the Pentagon and the World Trade Center, and suggested that if they wanted to hit the epicenter of Western culture, all they would need to do is stuff a Hollywood celebrity into an orange jumpsuit. Targeting a Hollywood studio from behind computer terminals accomplishes more or less the same goal, instilling fear and insecurity at the heart of American exportable soft power.
No one's suggesting that Islamic extremists have anything to do with the Sony breach, but it wouldn't be hard to imagine that other bad guys who favor this kind of asymmetric attack might be taking notes on its effectiveness.
Still, it's not technically war. As liberally as the term cyberwar is tossed around these days -- to describe everything from temporary denial of service attacks on websites to corporate database breaches by foreign actors -- international law recognizes that in order for any cyber attack to meet the threshold to be considered an act of war, it must constitute a prohibited use of force under international law.
NATO's Tallinn Manual on the International Law Applicable to Cyber Warfare attempts to fit cyber use of force into conventional rules of war and existing international law: "Whatever 'force' may be, it is not mere economic or political coercion. Cyber operations that involve, or are otherwise analogous to, these coercive activities are definitely not prohibited uses of force."
According to Tallinn, a cyber attack crosses the line into cyberwar when it causes physical harm to civilians or civil infrastructure. Mere inconvenience and irritation never constitutes an act of cyberwar. The Sony leak isn't explicitly prohibited under international laws of war, regardless of its cause: "International law does not prohibit propaganda, psychological operations, espionage, or mere economic pressure per se."
A cyber crime is rarely tantamount to an act of cyberwar -- even if celebrities' emails are involved and it's featured on cable news all day long.
So what recourse does a company have? It can lay a complaint with local law enforcement, who may find that legal recourse ends at their own nation's border when it involves a foreign cyber attacker, because international cooperation and the law tend to always be several steps behind in the domain of cyber crime.
Better laws and international harmonization between them are needed to combat cyber breaches, but cutting through the whining of the usual critics who think that every bit of legal tinkering involving anything cyber related somehow brings America one step closer to police state status will no doubt prove challenging.
In the case of a prominent multinational of significant economic importance to the American economy (and I'm not convinced that a Hollywood studio actually qualifies), a diplomatic channel could be opened to address the attack either directly with the attacker's nation state, or via an ally who benefits from close relations with it -- as Obama is reportedly doing now in addressing China in the Sony case.
At least maybe the critics who were upset when the top secret documents leaked by former NSA contractor Edward Snowden last year showed that Canada's signals intelligence agency gathered economic intelligence on oil and gas companies in Brazil will now have a more concrete example of exactly how economic interests and national interests can be inextricable. For example, if the Sony screwball comedy film mocking Kim Jong-un that has been derailed in this fiasco has nothing to do with American national interests, then why so much insistence that Sony must stick to its guns and defend the spirit of the First Amendment by releasing this film?
Companies that aren't considered to be of critical economic importance to the state can always hire their own private security and political operatives to prevent, mitigate, or resolve any problems.
While we haven't seen any actual cyberwar yet, it's everything below that threshold -- the low level cyber insurgency -- that risks causing grief if measures aren't taken to mitigate it.
By Warwick Ashford
31 December 2014
Cyber crime featured heavily in security news coverage in 2013, and continued to do so in 2014 with cyber criminals and cyber law enforcers upping their games with each passing month.
The production of malware continues on an industrial scale, with exploit kits and malware services putting sophisticated attack methods in the hands of relatively unskilled cyber criminals.
However, 2014 has seen a series of international anti-cyber crime operations that have demonstrated an unprecedented level of co-operation between law enforcement agencies around the world.
These efforts have been boosted by the UK-led Joint Cybercrime Action Taskforce, which is hosted by Europol's European Cyber Crime Centre in The Hague.
Law enforcement officers have emphasised that business needs to take cyber crime seriously, with every size of company in every sector being targeted.
Despite the advances in law enforcement operations, UK police are facing a steep learning curve in their efforts to come to grips with cyber-enabled crime.
That challenge is likely to continue as cyber criminals are expected to evolve in a number of ways in 2015, with some expected to become information dealers offering rich data sets about individuals to the underground market.
Read Computer Weekly's top 10 cyber crime stories of 2014 here:
1. Business needs to take cyber crime seriously, says top EU cyber cop
Business needs to take cyber crime very seriously, according to Troels Oerting, head of Europol's European Cybercrime Centre.
"At some time or other, all businesses are likely to be hit by cyber crime as the world becomes increasingly online," Oerting told Computer Weekly. "Companies that do not think information security is important should reconsider, otherwise they could end up going out of business."
The threat of cyber crime is much greater than most people think, he said, because much of it still goes unreported.
"We know of a lot of cyber crimes that are very costly to business that are not reported to the police," said Oerting. "We also see losses through fraud and other crimes of more than 9m in some months, but these are going unreported."
Oerting believes businesses that invest in the right processes, procedures and technologies will be rewarded in the longer term but failure to do so could have devastating consequences.
2. Service model driving cyber crime, says Europol report
The cyber crime support industry is becoming increasingly commercialised, according to a report published by Europol's European Cybercrime Centre in September.
Specialists in the virtual underground economy are developing products and services for use by other cyber criminals, the Internet Organised Crime Threat Assessment (IOCTA) report said.
The report's authors believe this crime-as-a-service business model drives innovation and sophistication, and provides access to a wide range of services that facilitate almost any type of cyber crime. As a result, the barriers to entry for cyber crime are being lowered to allow those lacking technical expertise, including traditional organised crime groups, to conduct cyber crime.
The report also highlighted the abuse of legitimate services and tools such as anonymisation, encryption and virtual currencies, as well as the abuse of darknets for illicit online trade in drugs, weapons, stolen goods, stolen personal and payment card data, forged identity documents and child abuse material.
3. UK-led cyber crime taskforce proving its worth, says top EU cyber cop
Just one month into a six-month pilot, a UK-led international cyber crime taskforce looked set to become permanent, Troels Oerting, head of Europol's European Cybercrime Centre (EC3), said in October.
EC3 is hosting the Joint Cybercrime Action Taskforce (J-Cat) set up in September 2014 to co-ordinate international investigations with partners, targeting key cyber crime threats and top targets.
Initiated by EC3, the EU Cybercrime Taskforce, the FBI and the National Crime Agency (NCA), the J-Cat is made up of cyber liaison officers from EU states, non-EU law enforcement partners and EC3.
Oerting said the unit, which is led by deputy director of the UK's National Cyber Crime Unit (NCCU) Andy Archibald, is due for its first evaluation at the end of February 2015.
"There are already indications it will be extended for at least another six months, but I think it is likely to become permanent as it keeps acquiring cases and we are trying to get European Union (EU) funding for it," he said.
4. UK operation nets 17 suspected Blackshades cyber attackers
In May, the first-ever UK-wide cyber crime operation netted 17 suspected users of Blackshades malware, which is designed to take over control of computers and steal information.
Co-ordinated by the new National Crime Agency, the week-long operation in May involved nearly every UK regional organised crime unit as well as Police Scotland and the Metropolitan Police.
The UK investigation was part of global activity targeting developers and prolific users of Blackshades, a set of malware tools sold online for less than £100.
In an operation initiated by the FBI and co-ordinated in Europe through Eurojust and the European Cybercrime Centre at Europol, police forces internationally apprehended dozens of suspected users.
Arrests took place in the UK, the Netherlands, Belgium, Finland, Austria, Estonia, Denmark, Canada, Chile, Croatia and Italy, taking the total number of arrests in connection with Blackshades to 97. The most common Blackshades product is a remote access tool (Rat), which enables cyber criminals to remotely take over and control the operations of an infected computer.
5. Dark markets downed in international anti-cyber crime operation
International law enforcers took down several dark markets operating on hidden Tor networks and arrested 17 cyber crime suspects in early November.
Operation Onymous involved law enforcement officers from 16 European states and the US in one of the biggest anti-cyber crime operations to date.
The operation was aimed at halting the sale, distribution and promotion of illegal and harmful items, including weapons and drugs through dark marketplaces online.
Operation Onymous was co-ordinated from Europol's European Cybercrime Centre in The Hague and supported by the UK-led Joint Cybercrime Action Taskforce (J-Cat). Operation Onymous was J-Cat's second big success in just over a month of a six-month pilot, and came just weeks after Operation Imperium, which resulted in 31 arrests and 42 house searches.
6. UK police make four arrests in international cyber crime crackdown
UK police made four arrests in late November as part of an international crackdown on cyber criminals who use malware tools to hijack computers and steal data. The UK raids were led by the NCA, and involved officers from a number of police Regional Organised Crime Units (ROCUs).
The international operation was co-ordinated through Europol, and focused on the threat posed by tools known as remote access trojans.
Police in Estonia, France, Romania, Latvia, Italy and Norway made 11 further arrests. In the UK, two 33-year-old men and a 30-year-old woman were arrested in Leeds, and a 20-year-old man was arrested in Kent. Police executed a search warrant on a 19-year-old man from Liverpool, who had been brought in for voluntary questioning.
The NCA said that, in addition to arresting people believed to be using remote access trojans, police use a variety of approaches to warn individuals that any movement into cyber criminality will result in further action.
7. More than a hundred cyber criminals arrested in global operation
Law enforcement agencies around the world arrested 118 suspects, including around 40 in the UK, in the third international cyber-crime operation of its kind in late November.
The operation was led by Europol's European Cybercrime Centre in The Hague and co-ordinated with the help of Interpol in Singapore and Ameripol in Bogota. The operation was aimed at tackling online fraud and was conducted in collaboration with the airline, travel and credit card industries.
More than 60 airlines and 45 countries were involved in the activity, which took place at more than 80 airports across the world. The co-ordinated action targeted criminals suspected of fraudulently purchasing plane tickets online using stolen or fake credit card data. In many cases it was revealed that the credit card fraud has links to, or is facilitating, other forms of serious crime, such as drug trafficking.
8. UK National Cyber Crime Unit open to business
The UK's National Cyber Crime Unit (NCCU) is open to working with business and other organisations in the private sector, according to deputy director Andy Archibald.
"Business is welcome to contact us directly about dynamic, fast-moving cyber crime in action, and we will work with them to ensure they get the most appropriate response," he told Computer Weekly.
The NCCU sees a deeper, more defined and developed relationship with private sector businesses as crucial, not only to identify crimes and patterns of criminal activity, but also to tap into specialist skills.
"We need to be able to go to organisations in the private sector and ask to work with people with the skills we need in some of our investigations," said Archibald. "Industry can bring things to the table that we may not be aware of, and we will work with the private sector within the law if the solution to an operation is something the private sector can take the lead on."
9. UK police face steep learning curve on cyber crime
UK police face a steep learning curve in getting to grips with cyber crime, but several initiatives underway are geared to growing capability and capacity, the London Assembly's Police and Crime Committee's Online Crime Working Group heard in November.
The working group is gathering evidence on the response of the Metropolitan Police Service to cyber-enabled crimes. Asked whether policing is behind the curve when it comes to tackling cyber-enabled crime, College of Policing CEO Alex Marshall said it is clear there is an inconsistent response to this threat.
There is much catching up to be done, he said, with experienced officers increasingly having to deal with complex, online and cyber issues, which they were never originally trained for.
Marshall said the 18-month-old College of Policing plans to publish new national standards for online investigation and intelligence in 2015 to replace outdated standards published in 2010. The college has also developed a huge range of online training courses for police in England and Wales, as well as specific courses for different skill areas in cyber or online crime.
10. Cyber criminals set to become information dealers, says Websense
Cyber criminals are set to become information dealers in the coming year, according to the top 10 cyber security predictions for 2015 by Websense Security Labs.
Websense principal security analyst Carl Leonard said criminals will use the sale of credit card numbers to fund the collection of a broader range of data about victims.
"The underground market is flooded with stolen credit card data, but that will help fund the collection of fuller, richer personal information sets about individuals," he told Computer Weekly.
These data sets will be far more lucrative than credit card details on the underground market and will include details of multiple credit cards, as well as regional, geographic, behavioural and personal data. Websense expects this emerging trade in data sets on individuals will enable a new level of identity theft to enable fraud.
DNS records are stored in zone files and are used for translating domain names to IP addresses. They also contain other data, including the domain name's name server and mail server information. If there are domain name aliases, such as the commonly used "www" preceding the domain name, these will also be listed in the DNS record.
A typical DNS record may look something like this:
IN NS ns1.4servers.com. ; 123.456.789.01
IN NS ns2.4servers.com. ; 123.456.789.02
; Domain Mail Handlers
yourdomain.com. IN MX 0 mail
yourdomain.com. IN MX 10 mail
; hosts in order
yourdomain.com. IN A Your.IP.XXX ; zone apex (may also be written as @)
www IN A Your.IP.XXX
smtp IN CNAME www
pop IN CNAME www
ftp IN CNAME www
mail IN A Your.IP.XXX
Since DNS records are made up entirely of text, they are easy to modify when needed. However, one small typo could redirect a domain name to the wrong Web server or prevent it from showing up at all. This is why it is important to enter DNS information accurately and double-check each changed entry before saving the zone file.
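The double-check recommended above can be partly automated. The following is an added example (not code from the newsletter) that parses a BIND-style fragment like the one shown and reports the slips that most often send a name to the wrong host: a malformed A-record address, a CNAME pointing at a name with no record, an MX target that is not an A record, and an owner name mistyped so that it falls outside the zone. The `$ORIGIN`, the 192.0.2.x documentation addresses and the two deliberate mistakes in `SAMPLE` are constructed for the demonstration.

```python
"""Sanity checker for simple BIND-style zone-file fragments (added example)."""
import ipaddress

TYPES = {"A", "NS", "MX", "CNAME", "TXT", "SOA"}


def fqdn(name, origin):
    """Expand '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata-list) tuples. ';' comments are dropped and a
    line with no owner column inherits the previous owner, as BIND does."""
    records, last_owner = [], origin
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "IN" or fields[0] in TYPES:
            owner = last_owner                 # owner column omitted
        else:
            owner = fqdn(fields.pop(0), origin)
            last_owner = owner
        if fields[0] == "IN":
            fields.pop(0)                      # class is always IN here
        records.append((owner, fields[0], fields[1:]))
    return records


def check_zone(text, origin):
    """Return a list of human-readable problems found in the fragment."""
    origin = origin if origin.endswith(".") else origin + "."
    recs = parse_zone(text, origin)
    owners = {o for o, _, _ in recs}
    a_owners = {o for o, t, _ in recs if t == "A"}
    cname_owners = {o for o, t, _ in recs if t == "CNAME"}
    problems = []
    for owner, rtype, rdata in recs:
        # A mistyped absolute owner (e.g. "yourdomain.") silently leaves the zone.
        if not owner.endswith("." + origin) and owner != origin:
            problems.append(f"{owner} {rtype}: owner is outside zone {origin}")
        if rtype == "A":
            try:
                ipaddress.IPv4Address(rdata[0])
            except (ValueError, IndexError):
                problems.append(f"{owner} A: bad IPv4 address {rdata!r}")
        elif rtype == "CNAME":
            target = fqdn(rdata[0], origin)
            if target.endswith("." + origin) and target not in owners:
                problems.append(f"{owner} CNAME: target {target} has no record")
            if any(o == owner and t != "CNAME" for o, t, _ in recs):
                problems.append(f"{owner}: CNAME coexists with other records")
        elif rtype == "MX":
            target = fqdn(rdata[1], origin)  # rdata is [preference, host]
            if target in cname_owners:
                problems.append(f"{owner} MX: target {target} is a CNAME")
            elif target.endswith("." + origin) and target not in a_owners:
                problems.append(f"{owner} MX: target {target} has no A record")
    if not any(o == origin and t == "NS" for o, t, _ in recs):
        problems.append(f"{origin}: no NS record at the zone apex")
    return problems


# Constructed fragment modelled on the one above, with placeholder addresses
# filled in and two typical slips left in on purpose (see the ';' comments).
SAMPLE = """
$ORIGIN yourdomain.com.
                IN NS ns1.4servers.com.
                IN NS ns2.4servers.com.
yourdomain.com. IN MX 10 mail
yourdomain.     IN A  192.0.2.10   ; typo: should be yourdomain.com. or @
www             IN A  192.0.2.10
smtp            IN CNAME www
pop             IN CNAME wwww      ; typo: dangling CNAME target
mail            IN A  192.0.2.25
"""

if __name__ == "__main__":
    for problem in check_zone(SAMPLE, "yourdomain.com"):
        print(problem)
```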
The death of democracy is not likely to be an assassination from ambush. It will be a slow extinction from apathy, indifference, and undernourishment.
Robert M. Hutchins