Newsletter
IT and Cyber Security News Update from Centre for Research and Prevention of Computer Crimes, Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005
December 05, 2014, Issue no 1515
Tenth year of uninterrupted publication
Today's edition
Snowden documents : UK spy agency hacked Reliance cables, accessed data
COOPERATION : India, Japan can work together to tackle cyber crimes - Prasad
LEAKED : Sony Pictures hack spreads to Deloitte: thousands of audit firm's salaries are leaked
COST : The Cost of a Data Breach in 2014: An Industry by Industry Breakdown
Snowden documents : UK spy agency hacked Reliance cables, accessed data
Saikat Datta, Hindustan Times, December 04, 2014
British intelligence hacked into two major undersea cables owned by Reliance Communications, compromising millions of users, including those from the Indian government, according to the latest batch of documents leaked by Edward Snowden, the US National Security Agency (NSA) contractor-turned-whistleblower. The security breach took place sometime between 2009 and 2011.
A private company, bought by telecom major Vodafone in 2012, helped the British intelligence agency Government Communications Headquarters (GCHQ) hack the Reliance cables and 27 others that converged in the UK, the documents reveal.
These revelations were made in the last week of November by the UK's Channel 4 and the German newspaper Süddeutsche Zeitung, which jointly investigated the Snowden cache.
The Reliance cables carry internet and data traffic between Asia and Europe, and between Europe and the American continent. Indian users compromised by this breach include those who do not necessarily use a Reliance connection, as the cables carry data from a multitude of internet service providers in multiple countries.
The website of Reliance Globalcom, part of Anil Ambani's Reliance Telecom group, describes it as one of the world's largest private undersea cable systems, spanning 67,000 route km.
Renamed Global Cloud Xchange (GCX) in March, it owns two key undersea cables: FLAG, which connects Europe to Asia, and FLAG Atlantic 1 (FA1), which connects the American continent with Europe. Both cables meet at a junction in southwest UK and are connected by the local area network operated by Vodafone subsidiary Cable & Wireless.
The FLAG Europe-Asia undersea cable has landing stations in Egypt, the Arabian peninsula, India, Malaysia, Thailand, Hong Kong, mainland China, Taiwan and Japan. It was a key target, the documents show, since it carries data from countries that the US and UK are most interested in, such as the Middle East countries, India and China.
The documents show that GCHQ had a secret financial arrangement with Cable & Wireless to use its facility at Skewjack Farm in southwest England to tap into the 29 undersea cables. This was part of a major operation codenamed PFENNING ALPHA, a computer network exploitation programme run jointly by the US's NSA and GCHQ. In separate documents, this operation has also been identified as the NSA's fourth-largest information collection exercise from the global Internet.
In August 2013, Süddeutsche Zeitung accessed the Snowden papers to reveal the code names given by British intelligence to the private telecom companies that cooperated with GCHQ in tapping internet communications. Cable & Wireless was identified by the codename GERONTIC, while British Telecom (BT) is referred to as REMEDY. Both companies were part of an elaborate spying programme code-named TEMPORA.
The documents also reveal how GCHQ used a secret software tool known as XKeyscore to search and analyse the data it was intercepting. The filtering of internet traffic was carried out using technology developed by Narus, a Boeing subsidiary, which pulled out packets of information, including phone numbers, emails and IP addresses, in real time.
Reliance Communications declined to reply to HT's queries.
Ben Padovan, the official spokesperson of Vodafone in the UK, said in a statement: "Cable & Wireless was not owned, operated or controlled by Vodafone until 2012. We examined the past history of Cable & Wireless compliance prior to its acquisition by Vodafone and found no evidence that would substantiate these allegations."
The statement ends by saying that Vodafone is legally bound not to disclose any information regarding warrants received, or the processes and systems in place to respond to such warrants, and that the penalty for doing so is five years in prison.
Also see - http://www.ehacking.net/2014/12/nsa-spied-on-companies-and-groups.html
COOPERATION : India, Japan can work together to tackle cyber crimes - Prasad
PTI / The Hindu, December 3, 2014
Minister for Communications and Information Technology Ravi Shankar Prasad on Wednesday said India and Japan could leverage each other's prowess in technology to work jointly in areas like green technologies, cyber security and ICT (information and communication technologies) development.
Speaking at the second meeting of the India-Japan joint working group on ICT, Mr. Prasad said the Indian government had launched a massive programme to digitalise administrative functioning with the sole objective of improving efficiency and delivery of services.
"India has taken a big leap forward in letting technology play a pivotal role in bringing about the much needed change in governance in India. With friends like Japan, there is a natural scope to help us in achieving this objective," he added.
This is the second meeting of the group, which was formed in October 2013 to boost bilateral trade in the field of ICT.
Mr. Prasad is leading the Indian delegation, while Yasuo Sakamoto, Vice Minister for Policy Coordination, International Affairs, is heading the Japan team.
Mr. Prasad said the programme will benefit greatly with the help of a tested ally like Japan, which has established supremacy in ICT. It is also expected to help in increasing trade manifold between the two countries, which is currently about one per cent.
The group is also exploring cooperation in a national ID application and utilisation project.
Yasuo Sakamoto said the economic cooperation between the two countries is on the verge of a new turning point and the opportunities are abundant.
He added that entrepreneurs from both countries can collaborate in the fields of cyber security and green ICT.
LEAKED : Sony Pictures hack spreads to Deloitte: thousands of audit firm's salaries are leaked
By Kevin Roose and Alexis C. Madrigal, Fusion, 03 December 2014
The Sony Pictures hack that has sent the Hollywood mega-studio into chaos is spreading far beyond the film industry, as hackers appear to have released documents containing detailed salary information for more than 30,000 employees of Deloitte, the New York-based auditing and professional services firm.
Along with the files smuggled out of Sony Pictures this week, we also discovered a cache of documents apparently relating to internal personnel matters at Deloitte. This appears to be an accident of circumstance. The files appear to come from a single target's computer. While this person appears to be currently employed in human resources at Sony Pictures, the employee had previously worked at Deloitte and had saved some files. These were exfiltrated with the other documents by the alleged hackers, who call themselves Guardians of Peace.
Included among the Deloitte files is a spreadsheet that appears to contain the 2005 salary information for 31,124 U.S. Deloitte employees. The same spreadsheet also contains race and gender data for each worker, although unlike the Sony Pictures files, names are not attached to the salary information. If the spreadsheet is accurate, the data provides a rare look inside a high-profile firm's salary structure.
The data includes salaries from many Deloitte divisions, including Deloitte Tax LLP and Deloitte Consulting LLP, as well as Deloitte & Touche, the firm's auditing arm. (Deloitte does not appear to be Sony Pictures' primary independent auditor; that would be PricewaterhouseCoopers Aarata.) The two companies have worked together in the past; recently, for example, Sony Pictures hired Deloitte for a project that used data analysis to determine the effect of social media posts on DVD sales. But the hacked data does not appear to be related to any official partnership between the companies.
The Deloitte data also appears to show a pay disparity between men and women within the firm. We sorted the spreadsheet by gender and plotted salaries against rank within each gender (chart not reproduced here).
While we're continuing to analyze the data, it's worth noting that of the salaries included in the document, which covers more than 1,000 of Deloitte's directors, the top 10 highest earners are all men, as are 22 of the top 25, 43 of the top 50, and 85 of the top 100.
The numbers appear to have been compiled for a 2006 internal study that sought to understand whether there was racial or gender-based compensation discrimination within the company. According to materials in the document trove, that research looked at 251 groups within Deloitte and then ran statistical tests to see whether race or gender would predict an employee's salary, as opposed to factors like location, job tenure, continuity of employment, and performance rating.
According to a PowerPoint document included in the files, the vast majority of the groups that were examined did not meet the study's statistical threshold for compensation discrimination. But 18 groups did, and closer examination of them was recommended.
"Of the 251 regressions, where we looked at all the possible variables that could predict salary, there were 58 groups where salary was predicted by race or gender," the document reads. "Of these 58 regressions, 34 included race or gender as a predictor in a discriminatory way. Some of these were more significant than others. Of the 34 significant regressions, there were 18 that were problematic based on both regressions & t-tests. These 18 groups were looked at very carefully to make appropriate recommendations."
A spokeswoman for Deloitte did not immediately respond to a request for comment. A call to Sony Pictures went unanswered.
UPDATE: Deloitte released this statement to Fusion in response to our requests for comment: "We have seen coverage regarding what is alleged to be 9-year-old Deloitte data from a non-Deloitte system. We have not confirmed the veracity of this information at this time. Deloitte has long been recognized as a leader in its commitment to pay equality and all forms of inclusion."
COST : The Cost of a Data Breach in 2014: An Industry by Industry Breakdown
By Thu Pham, December 04, 2014
The average total cost of a data breach increased 15 percent in 2014 to $3.5 million, according to the Ponemon Institute's 2014 Cost of Data Breach Study: Global Analysis.
But how does that average vary from industry to industry, each with different types of consumer information and different data regulations? And how do data breaches affect related industries, such as the insurance or banking sectors, that must shoulder some of the subsequent costs?
One uniting factor in data breaches across all industries is that the most costly breaches were the result of malicious and criminal attacks, according to Ponemon.
Let's take a look at the costs associated with data breaches in each industry: financial/banking, healthcare, education and retail.
Cost of a Financial/Banking Data Breach
· JPMorgan Chase was breached this summer, and while financial/banking firms do not always release their own financial details, the bank did say that its increased investment in security improvements will cost it $250 million a year, with a team of people dedicated to leading them, according to the International Business Times.
· National industry groups, including the National Retail Federation (NRF), have lobbied Congress regarding fair and expansive cross-industry data breach standards. They argue that consumers have a right to know when they've been breached, regardless of where the risk arises.
Cost of a Healthcare Data Breach
· New York Presbyterian Hospital and Columbia University, reported in May 2014: $4.8 million in government fees, without any insight into other costs such as legal or investigation fees. This is the largest HIPAA settlement to date recorded by the Dept. of Health and Human Services.
· Cignet Health Center was fined $4.3 million in October 2010, partly for denying patients' requests for their medical records and for failing to cooperate with the investigation.
· Consequences of a healthcare data breach also affect other industries, including $80 billion yearly to the public insurance sector caused by criminals fraudulently receiving healthcare services by stealing medical identities and pretending to be insured, according to MDEverywhere.com.
· While only the government fees are on record, other costs place the healthcare industry at the top when it comes to per capita data breach costs, followed by the education and pharmaceutical sectors, according to the Ponemon Institute.
Cost of an Education Data Breach
· A hacked server at the Maricopa County Community College District (MCCCD) cost it upwards of $19.7 million: $2.3 million in lawyers' fees, $300k for records management, and another $17.1 million on consulting, repairs, more lawyers, notification and credit monitoring. Two class action lawsuits were also filed in April, seeking $2.5k for each affected individual, about 2.5 million people in total.
· The University of Maryland estimated costs of $6.2 million just for credit monitoring for students and staff affected by a data breach early this year. Adding encryption could raise costs to $20-30 million, in addition to consulting fees.
· Universities and educational institutions also take a hit to their reputation, and to student tuition, which rises to cover unexpected breach expenses.
Cost of a Retail Data Breach
· Target, reported in August 2014: $148 million in associated data breach expenses, including legal, consulting and credit monitoring fees.
· Home Depot, reported in November 2014: $43 million so far in associated data breach expenses in one quarter, including identity protection services, credit monitoring, increased call center staffing, legal and other professional services, according to its quarterly SEC filing.
· Costs to other industries as a result of these retailer data breaches include heavy hits to banks and credit unions. Credit unions spent $60 million in September reissuing cards after the Home Depot breach, according to TheHill.com.
· According to a report from the Consumer Bankers Association, the cost of replacing credit and debit cards after the Target breach ran up a tally of $240 million.
· The real business consequences to a retail organization may include a hit to customer loyalty and trust, with lower profits and more reputation control costs to manage than in other industries.
As we've witnessed over the past twelve months, attackers have hit large retailers and franchisors alike, stealing customer card data. This can be seen in the examples above, and the list goes on.
If you're interested in learning more about how to prevent a potential attack on financial data, please check out our free guide, which provides a detailed overview of the retail industry's current state of security and recommendations on safeguarding customer financial information.
Directory
A directory is another name for a folder. Files on your
hard disk are organized into various folders, or directories, so that it is
easier to keep track of them. For example, you may keep your pictures in one
folder and your music files in another folder. Folders can also contain other
folders, allowing for more specific organization.
Since you can have folders within a folder, files on your
hard drive are organized much like branches on a tree. The main directory on
your hard drive is appropriately called the "root directory." Folders
that exist within the root directory most likely contain other folders, which
may branch out to even more folders.
When you are browsing one directory and want to open the
folder that contains the current directory, it is called "moving up a
directory." As you move up directories, you will eventually move up to the
root directory. In Windows, this may be your C:\ directory, while on the Mac it
will be the name of your hard drive, such as "Macintosh HD."
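The tree structure and the "move up a directory" operation described above, shown in working code. This is an added example, not part of the original glossary entry: it uses Python's pure path classes so it runs without touching a real disk, and the sample paths (/home/alice/..., C:\Users\...) are constructed for illustration. The second function resolves ".." lexically, the way a shell reads it, and shows the edge case the text mentions: the root directory is its own parent, so moving up from the root stays at the root.

```python
from pathlib import PurePosixPath, PureWindowsPath


def chain_to_root(path_str, windows=False):
    """List a folder and every folder above it, ending at the root directory.

    Works on path strings only (no filesystem access). On POSIX the root is
    "/", on Windows it is the drive root such as "C:\\".
    """
    cls = PureWindowsPath if windows else PurePosixPath
    p = cls(path_str)
    chain = [str(p)]
    while p != p.parent:            # the root directory is its own parent
        p = p.parent
        chain.append(str(p))
    return chain


def move_up(path_str, levels=1):
    """Move up `levels` directories from an absolute POSIX-style path.

    Resolved lexically by walking the path components: "." is ignored, ".."
    pops the containing folder, and ".." at the root is a no-op, so the result
    never climbs above "/".
    """
    parts = [part for part in path_str.split("/") if part not in ("", ".")]
    parts.extend([".."] * levels)   # each level up is one ".." component
    stack = []
    for part in parts:
        if part == "..":
            if stack:
                stack.pop()         # step up to the containing folder
            # stack empty: already at the root, ".." of "/" is "/"
        else:
            stack.append(part)
    return "/" + "/".join(stack)


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real system.
    for folder in chain_to_root("/home/alice/Pictures/cats"):
        print(folder)
    for folder in chain_to_root(r"C:\Users\alice\Music", windows=True):
        print(folder)
    print(move_up("/home/alice/Pictures"))          # /home/alice
    print(move_up("/home", 5))                      # / (stays at the root)
    print(move_up("/home/alice/../bob/./docs"))     # /home/bob
```

The lexical ".." handling is the same rule that decides where a relative reference such as "../config" ends up, which is why programs that build paths from untrusted input normalise them this way before comparing against the folder they are meant to stay inside.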
"When you invite people to think, you are inviting revolution." - Ivana Gabara
Note -