IT and Cyber Security News Update from
Centre for Research and Prevention of Computer
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005 December 05, 2014 Issue no 1515
Tenth year of uninterrupted publication
December 04, 2014
British intelligence hacked into two major undersea cables owned by Reliance Communications compromising millions of users, including those from the Indian government, reveal the latest scan of documents leaked by Edward Snowden, the US National Security Agency (NSA) contractor-turned-whistleblower. This security breach took place sometime between 2009 and 2011.
A private company, bought by telecom major Vodafone in 2012, helped the British intelligence agency General Communications Headquarters (GCHQ) in hacking the Reliance cables and 27 others that converged in the UK, reveal the documents.
These revelations were made in the last week of November by the UK's Channel 4 and the German newspaper Süddeutsche Zeitung, which jointly investigated the Snowden cache.
The Reliance cables carry internet and data traffic between Asia and Europe, and Europe to the American continent. Indian users compromised by this breach include those who don't necessarily use a Reliance connection as the cables carry data from a multitude of internet service providers in multiple countries.
The website of Reliance Globacom, part of Anil Ambani's Reliance Telecom group, describes it as one of the world's largest private undersea cable systems, spanning a 67,000 km route.
Renamed Global Cloud Xchange (GCX) in March, it owns two key undersea cables: FLAG, which connects Europe to Asia, and FLAG Atlantic 1 (FA1), which connects the American continent with Europe. Both cables meet at a junction in southwest UK and are connected by the local area network operated by Vodafone subsidiary Cable & Wireless.
The FLAG Europe-Asia undersea cable has landing stations in Egypt, the Arabian peninsula, India, Malaysia, Thailand, Hong Kong, mainland China, Taiwan and Japan. It was a key target, the documents show, since it carries data from countries that the US and UK are most interested in, like Middle East countries, India and also China.
The documents showed that GCHQ had a secret financial arrangement with Cable & Wireless to use its facility at Skewjack Farm in southwest England to hack into the 29 undersea cables. This was part of a major operation codenamed PFENNING ALPHA, a computer exploitation network run jointly by the US's NSA and GCHQ. In separate documents, this operation has also been identified as the NSA's fourth-largest information collection exercise from the global Internet.
In August 2013, Süddeutsche Zeitung accessed the Snowden papers to reveal the code names given by British intelligence to private telecom companies that cooperated with GCHQ for tapping internet communications. Cable & Wireless was identified by the codename GERONTIC while British Telecom (BT) is referred to as REMEDY. Both companies were part of an elaborate spying programme code-named TEMPORA.
The documents also reveal how GCHQ used secret software known as XKeyscore to pull out and analyse the data it was intercepting. The filtering of the Internet traffic was carried out using technology developed by Narus, a Boeing subsidiary, which pulled out packets containing phone numbers, emails and IP addresses in real time.
Reliance Communications declined to reply to HT's queries.
Ben Padovan, the official spokesperson of Vodafone in the UK, said in a statement: "Cable & Wireless was not owned, operated or controlled by Vodafone until 2012. We examined the past history of Cable & Wireless compliance prior to its acquisition by Vodafone and found no evidence that would substantiate these allegations."
The statement ends saying that Vodafone is legally bound not to disclose any information regarding warrants received and the processes and systems in place to respond to such warrants and the penalty for doing so is five years in prison.
PTI / The Hindu
December 3, 2014
Minister for Communications and Information Technology Ravi Shankar Prasad on Wednesday said India and Japan could leverage each other's prowess in technology to jointly work in areas like green technologies, cyber security and ICT (information and communication technologies) development.
Speaking at the second meeting of the India-Japan joint working group on ICT, Mr. Prasad said the Indian government had launched a massive programme to digitalise administrative functioning with the sole objective of improving efficiency and delivery of services.
"India has taken a big leap forward in letting technology play a pivotal role in bringing about the much needed change in governance in India. With friends like Japan, there is a natural scope to help us in achieving this objective," he added.
This is the second meeting of the group, which was formed in October 2013 to boost bilateral trade in the field of ICT.
Mr. Prasad is leading the Indian delegation, while Yasuo Sakamoto, Vice Minister for Policy Coordination, International Affairs, is heading the Japan team.
Mr. Prasad said the programme will benefit greatly with the help of a tested ally like Japan, which has established supremacy in ICT. It is also expected to help in increasing trade manifold between both the countries, which is currently about one per cent.
The group is also exploring cooperation in national ID application and utilisation project.
Yasuo Sakamoto said the economic cooperation between the two countries is on the verge of a new turning point and the opportunities are abundant.
He added that entrepreneurs from both the countries can collaborate in fields of cyber security or green ICT.
By Kevin Roose and Alexis C. Madrigal
03 December 2014
The Sony Pictures hack that has sent the Hollywood mega-studio into chaos is spreading far beyond the film industry, as hackers appear to have released documents containing detailed salary information for more than 30,000 employees of Deloitte, the New York-based auditing and professional services firm.
Along with the files smuggled out of Sony Pictures this week, we also discovered a cache of documents apparently relating to internal personnel matters at Deloitte. This appears to be an accident of circumstance. The files appear to come from a single target's computer. While this person appears to be currently employed in human resources at Sony Pictures, the employee had previously worked at Deloitte and had saved some files. These were exfiltrated with the other documents by the alleged hackers, who call themselves Guardians of Peace.
Included among the Deloitte files is a spreadsheet that appears to contain the 2005 salary information for 31,124 U.S. Deloitte employees. The same spreadsheet also contains race and gender data for each worker, although unlike the Sony Pictures files, names are not attached to the salary information. If the spreadsheet is accurate, the data provides a rare look inside a high-profile firm's salary structure.
The data includes salaries from many Deloitte divisions, including Deloitte Tax LLP and Deloitte Consulting LLP, as well as Deloitte & Touche, the firm's auditing arm. (Deloitte does not appear to be Sony Pictures' primary independent auditor; that would be PricewaterhouseCoopers Aarata.) The two companies have worked together in the past: recently, for example, Sony Pictures hired Deloitte for a project that used data analysis to determine the effect of social media posts on DVD sales. But the hacked data does not appear to be related to any official partnership between the companies.
The Deloitte data also appears to show a pay disparity between men and women within the firm. We sorted the spreadsheet by gender, and plotted salaries against the ranks within those genders to get the following chart:
While we're continuing to analyze the data, it's worth noting that of the salaries included in the document, which contains more than 1,000 of Deloitte's directors, the top 10 highest earners are all men, as are 22 of the top 25, 43 of the top 50, and 85 of the top 100.
The numbers appear to have been compiled for a 2006 internal study that sought to understand if there was racial or gender-based compensation discrimination within the company. According to materials in the document trove, that research looked at 251 groups within Deloitte and then ran statistical tests to see if race or gender would predict an employee's salary, as opposed to factors like location, job tenure, continuity of employment, and performance rating.
According to a PowerPoint document included in the files, the vast majority of the groups that were examined did not meet their statistical threshold for compensation discrimination. But 18 groups did, and closer examination of them was recommended.
"Of the 251 regressions, where we looked at all the possible variables that could predict salary, there were 58 groups where salary was predicted by race or gender," the document reads. "Of these 58 regressions, 34 included race or gender as a predictor in a discriminatory way. Some of these were more significant than others. Of the 34 significant regressions, there were 18 that were problematic based on both regressions & t-tests. These 18 groups were looked at very carefully to make appropriate recommendations."
A spokeswoman for Deloitte did not immediately respond to a request for comment. A call to Sony Pictures went unanswered.
UPDATE: Deloitte released this statement to Fusion in response to our requests for comment: "We have seen coverage regarding what is alleged to be 9-year-old Deloitte data from a non-Deloitte system. We have not confirmed the veracity of this information at this time. Deloitte has long been recognized as a leader in its commitment to pay equality and all forms of inclusion."
By Thu Pham
December 04, 2014
The average total cost of a data breach increased 15 percent in 2014 to $3.5 million, according to the Ponemon Institute's 2014 Cost of Data Breach Study: Global Analysis.
But how does that average vary from industry to industry, each with different types of consumer information and different data regulations? Also, how do data breaches affect related industries, such as the insurance or banking sectors that must shoulder some of the subsequent costs?
One uniting factor in data breaches from all types of industries is the fact that the most costly data breaches were the result of malicious and criminal attacks, according to Ponemon.
Let's take a look at the costs associated with each type of data breach, including retail, financial/banking, healthcare and education:
Cost of a Financial/Banking Data Breach
· JPMorgan Chase was breached this summer, and while financial/banking firms do not always release their own financial details, they did mention that their increased investments in security improvements will cost them $250 million a year, with a team of people dedicated to leading them, according to the International Business Times.
· National industry groups, including the National Retail Federation (NRF), have lobbied Congress regarding fair and expansive cross-industry data breach standards. They argue that consumers have a right to know when they've been breached, regardless of where the risk arises.
Cost of a Healthcare Data Breach
· New York Presbyterian Hospital and Columbia University, reported in May 2014 - $4.8 million in government fees, without any insight into other costs such as legal or investigation fees. This is the largest HIPAA settlement to date recorded by the Dept. of Health and Human Services.
· Cignet Health Center was fined $4.3 million in October 2010, partly due to denying patient requests for their medical records and their failure to cooperate with the investigation.
· Consequences of a healthcare data breach also affect other industries, including $80 billion yearly to the public insurance sector caused by criminals fraudulently receiving healthcare services by stealing medical identities and pretending to be insured, according to MDEverywhere.com.
· While only the government fees are on record, other costs place the healthcare industry at the top when it comes to per capita data breach costs, followed by the education and pharmaceutical sectors, according to the Ponemon Institute.
Cost of an Education Data Breach
· A hacked server at the Maricopa County Community College District (MCCCD) cost them upwards of $19.7 million, with $2.3 million going to lawyers' fees; $300k to records management; and another $17.1 million spent on consulting, repairs, more lawyers, notification and credit monitoring. Two class action lawsuits were also filed in April, seeking $2.5k for each affected individual; that's $2.5 million total.
· The University of Maryland estimated costs of $6.2 million just in credit monitoring for students and staff affected by a data breach early this year. Adding encryption could raise costs to $20-30 million, in addition to consulting fees.
· Other ways universities and educational institutions take a hit are with their reputation and with rising student tuition costs to cover unexpected breach expenses.
Cost of a Retail Data Breach
· Target, reported in August 2014 - $148 million in associated data breach expenses, including legal, consulting and credit monitoring fees
· Home Depot, reported in November 2014 - $43 million so far in associated data breach expenses spent in one quarter, including identity protection services, credit monitoring, increased call center staffing, legal and other professional services, according to their quarterly SEC filing.
· Costs to other industries as a result of these retailer data breaches include heavy hits to the banks and credit unions. Credit unions spent $60 million in September after the Home Depot breach reissuing stolen cards, according to TheHill.com.
· According to a report from the Consumer Bankers Association, the cost of replacing credit and debit cards after the Target breach ran up a tally of $240 million.
· The real business consequences to a retail organization may result in a hit to customer loyalty and trust, with lower profits and more reputation control costs to manage than other industries.
As we've witnessed over the past twelve months, attackers have hit large retailers and franchisors alike, stealing customer card data. This can be seen in the examples above, and the list goes on.
If you're interested in learning more about how to prevent a potential attack on financial data, please check out our free guide that provides a detailed overview of the retail industry's current state of security and recommendations on safeguarding customer financial information.
A directory is another name for a folder. Files on your hard disk are organized into various folders, or directories, so that it is easier to keep track of them. For example, you may keep your pictures in one folder and your music files in another folder. Folders can also contain other folders, allowing for more specific organization.
Since you can have folders within a folder, files on your hard drive are organized much like branches on a tree. The main directory on your hard drive is appropriately called the "root directory." Folders that exist within the root directory most likely contain other folders, which may branch out to even more folders.
When you are browsing one directory and want to open the folder that contains the current directory, it is called "moving up a directory." As you move up directories, you will eventually move up to the root directory. In Windows, this may be your C:\ directory, while on the Mac it will be the name of your hard drive, such as "Macintosh HD."
When you invite people to think, you are inviting revolution