IT and Cyber Security News Update from
Centre for Research and Prevention of Computer
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005 February 02, 2015 Issue no 1538
Tenth year of uninterrupted publication
By Tara Seals
29 Jan 2015
The US military is working on replacing passwords with cognitive fingerprints. These rely on stylometrics, which is an analysis of how language is used by individuals. Each person has a different stylometric profile of how they type and word-process, which can be more personally identifying than simple biometrics.
The identity verification system is being developed thanks to a multimillion-dollar grant to the West Point military academy. The system will use a person's behavior to confirm identity, by recognizing the way a person types: frequent typos, how the mouse or cursor is used, typing speed and so on.
"Just as when you touch something with your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a 'cognitive fingerprint'," explained a contract document seen by Sky News and reported by Yahoo! Finance.
It added, "The biometrics program is creating a next generation biometric capability built from multiple stylometric/behavioral modalities using standard Department of Defense computer hardware."
The system will be used for encrypted data communications across all of its services, and is part of the Defense Advanced Research Projects Agency (DARPA) active authentication program. But consumer applications for the technology could be myriad, particularly when it comes to e-commerce, online banking and the internet of things ecosystem.
The current standard method for validating a user's identity for authentication on an information system requires humans to do something that is inherently unnatural: create, remember, and manage long, complex passwords, DARPA said. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console.
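As an added illustration of the continuous, behaviour-based re-verification DARPA describes (this is not DARPA's or West Point's code), the Python below builds a keystroke-timing profile at enrollment and flags a live session whose key-pair latencies drift from it, or that shares no key pairs with the profile at all; the key names, millisecond timings and the 2.0 threshold are constructed assumptions.

```python
"""Keystroke-dynamics continuous authentication (added illustration, not the
DARPA / West Point system). Events are (key, press timestamp in ms) tuples."""
from statistics import mean, pstdev


def digraph_latencies(events):
    """Press-to-press latency for every consecutive key pair (digraph)."""
    out = {}
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        out.setdefault(k1 + k2, []).append(t2 - t1)
    return out


def enroll(samples):
    """Profile {digraph: (mean, std)} from several enrollment sessions. Digraphs
    seen fewer than twice are dropped; std is floored at 5 ms so a very
    consistent typist does not make every later keystroke look anomalous."""
    pooled = {}
    for s in samples:
        for dg, lats in digraph_latencies(s).items():
            pooled.setdefault(dg, []).extend(lats)
    return {dg: (mean(lats), max(pstdev(lats), 5.0))
            for dg, lats in pooled.items() if len(lats) >= 2}


def session_score(profile, live):
    """Mean absolute z-score of the live session against the profile. Digraphs
    unseen at enrollment are skipped; no overlap at all gives no evidence the
    enrolled user is present, so the score is inf (always flagged)."""
    zs = [abs(lat - profile[dg][0]) / profile[dg][1]
          for dg, lats in digraph_latencies(live).items() if dg in profile
          for lat in lats]
    return mean(zs) if zs else float("inf")


def should_reauthenticate(profile, live, threshold=2.0):
    """Mid-session check: True means prompt for a fresh authentication."""
    return session_score(profile, live) > threshold


def typed(text, gaps):
    """Constructed helper: key presses for `text` with the given inter-key gaps."""
    t, events = 0.0, []
    for ch, gap in zip(text, [0.0] + gaps):
        t += gap
        events.append((ch, t))
    return events


# Constructed samples: the enrolled user types "the" with ~120 ms / ~90 ms gaps.
ENROLLED = enroll([typed("the", [118, 92]), typed("the", [123, 88]),
                   typed("the", [120, 90])])
SAME_USER = typed("the", [121, 91])   # consistent rhythm: no re-auth needed
IMPOSTER = typed("the", [260, 40])    # different rhythm: flagged
```

A real deployment would also use mouse movement and word choice (the stylometric modalities the article names) and tune the threshold against the user's own false-reject rate.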
Pirate Bay Won't Make A Full Comeback, Staff Revolt
January 27, 2015
According to insiders The Pirate Bay will slim down its operations for the planned comeback. The new version of the site is expected to operate without former admins and moderators, who have responded furiously to the decision. Many key staffers have left the ship to launch their own TPB.
Judging from all the teasers on the Pirate Bay homepage the notorious torrent site is preparing to relaunch this weekend.
Those in control of the domain have yet to make an official announcement but several sources inform TF that the site won't make a full comeback.
Instead, The Pirate Bay is expected to launch a trimmed down version without room for the dozens of moderators and admins who looked after the site over the past decade.
This lighter version of The Pirate Bay will be easier to operate but the plan has also upset many former staffers. This includes people who have been with the site for over a decade, removing fake torrents and other types of spam.
Several admins and moderators have responded to the news with anger and are now openly distancing themselves from the thepiratebay.se site that was their home for years.
"I wish I had better news to come with. The launch that is about to take place on February 1 is not us," says WTC-SWE, one of the lead admins of The Pirate Bay.
"It was until some dickhead decided to take TPB crew out of the picture. He thinks a site can be run without any staff at all and at the same time keeping up with fakes, internal issues etc," he adds.
What stings them the most is that many dedicated individuals, who put countless hours into keeping the site functioning, now appear to be being pushed aside on a whim.
"Personally I won't accept this, neither will any of the crew that's been active for almost 10-11 years. As an admin and human, I won't stand aside and accept this kind of behavior. This is the worst scenario that could happen," WTC-SWE says.
"You don't treat people like horseshit," he adds.
The staff, now in open revolt, have closed the official #thepiratebay IRC channel on EFnet to the public. They won't offer support anymore for a site that they have no control over, but warn people who do want to visit it to be cautious of malware.
Instead, the TPB former crew members are now preparing to launch their own version of the site. This spin-off will be operated from a new domain and will have several long-time mods and admins on board.
WTC-SWE says that they are in possession of a TPB backup which will be used to revive the old site in full. The full staff of moderators and admins remains under his wings and will start over at a home.
"It's only a matter of time. I will need to blast the whole coding and clean up all the mess. The real TPB will be back with proper staff and all," WTC-SWE says.
Thus far, the people running the official thepiratebay.se domain have remained quiet. In a few days, when the count-down completes, we are likely to know more about their vision for the site's future.
02 February 2015
Ford Motor Company's Lincoln luxury brand is to announce an app to enable users to control their cars remotely as BMW issues a security patch for a flaw affecting 2.2 million vehicles.
The MyLincoln smartphone app developed with Google will allow users to schedule remote starts as well as lock and unlock their cars, reports The Detroit News.
MyLincoln is the first app of its kind to be integrated with the Android organiser app Google Now, and is likely to raise concerns with privacy watchdogs and cyber security professionals.
But users may disregard the risks to benefit from remote start functionality that will ensure the vehicle is cooled off or warmed up by the time they are ready to drive.
"Delivering unique experiences for the luxury client throughout ownership is fundamental to Lincoln," Matt VanDyke, director, global Lincoln, said in a statement.
"By innovating with leading tech companies, we have an opportunity to personalize the ongoing interaction between the customer and the vehicle."
The Google Now and MyLincoln apps will be connected through an embedded modem in the vehicle.
Lincoln said the MyLincoln Mobile connectivity and Google services are opt-in features, and notifications can be turned off.
But the car maker made no mention of security or privacy, which will be key to the app's success, especially as it can also be used to locate vehicles.
Security concerns are underlined by the fact that BMW released a patch for a security flaw that could have allowed hackers to unlock about 2.2 million BMW, Rolls-Royce and Mini cars.
The vulnerability in BMW's ConnectedDrive infotainment system was discovered by the German motorist association ADAC, reports Slashgear.
ADAC said it proved with several vehicles they could be unlocked remotely using a smartphone. "The procedure leaves no trace and runs in minutes," the organisation said in a statement.
ADAC said it had waited for BMW to release a patch before revealing the flaw. "As a responsible consumer advocate we have held off publication of this vulnerability until it was closed by the manufacturer to prevent criminals exploiting the attack," the organisation said.
Like the MyLincoln app, the BMW system uses a mobile data connection to enable users to lock vehicles remotely.
BMW has boosted the security of the system with the same encryption used by financial institutions and other connected services in its vehicles. Affected vehicles should update automatically.
The patched systems can now confirm that they are connected to one of BMW's servers and not a cyber criminal.
BMW said: "No cases have come to light yet in which data has been called up actively by unauthorised persons."
But BMW should have ensured the data transmission was secure in the first place, said independent security consultant Graham Cluley.
"Yes, it's good that BMW has fixed the problem. But frankly I think they're being a little disingenuous talking about 'rapid response' if this issue was first brought to their attention in the middle of last year," he wrote in a blog post.
Cluley said BMW, Rolls-Royce or Mini owners who are concerned their vehicle may not have received the update should choose Update Services from the car's menu.
ADAC has called on all car makers and technology partners to protect against cyber attacks by certifying their systems and processes against information security standards like The Common Criteria for Information Technology Security Evaluation.
30 January 2015
It will take a major global company going down in the wake of a cyber attack to really shake up information security, according to City of London Police commissioner Adrian Leppard.
This is evidenced by the fact JP Morgan has doubled its information security budget after it was hit with a breach in August 2014, along with several other banking institutions.
"Loss of trust in a large multi-national is probably the only thing that will make governments do anything radically different," Leppard told a NEDForum summit in London.
But, he said, this was not a criticism of the UK government, which is doing all it can with investment of nearly £1bn in support of a national cyber security strategy.
"We really could not ask more of the UK government, yet cyber crime is getting worse not better, which means we have reached the point where everyone has to take responsibility," said Leppard.
It is becoming clear that governments are no longer able to protect citizens in the same way as they did in the past, he added, with criminals able to strike from anywhere in the world.
The UK, and London in particular, is also one of the most highly targeted countries in the world because it is one of the largest global economic centres, with many financial institutions.
Leppard said: "It is clear that although we are getting better at dealing with cyber crime, law enforcement with scale cyber crime society is facing. We are never going to enforce our way out of the problem.
"The only way we are going to be able to deal with cyber crime properly is by everyone improving their crime prevention capabilities in combination with increased action business and industry."
According to Leppard, law enforcement organisations around the world are now looking to partner with business and industry to help them to protect the global economy, because they hold all the critical data.
In the UK alone, some estimates put the cost of cyber crime at £27bn a year. But Leppard said the value of reported cyber crime comes nowhere near this figure.
UK police forces estimate only a fraction of cyber crime is reported.
"We believe we see only about 20% of all cyber enabled fraud, only 20% of these reports can be followed up and only 20% result in successful prosecutions," said Leppard. "The way forward is partnership with business and industry."
Police pursuing closer relationship with business
UK police, including the National Crime Agency's National Cyber Crime Unit, are actively pursuing a closer relationship with business.
"We are also discussing ways of encouraging industry to increase the level of reporting whether this is about providing easier electronic means for doing so or if legislation is needed," said Leppard.
Finding the right approach is a huge challenge facing policy and law makers, and this is something the police are discussing with government.
"But all governments shy away from legislation that could potentially stifle legislation. I am advocating that we have a rigorous debate about how best to encourage people to do the right thing.
"The answer may lie in regulation or legislation, but I think the answer is more likely to be found through enabling business to see a commercial advantage in good cyber security."
Leppard said another important part of the solution is finding ways to harden targets. "We need to be able to gather and share threat intelligence quickly, but that depends on better reporting," he said.
Businesses must adopt a good cyber security standard
Businesses also need to adopt a good cyber security standard that is part of overall company security and ensure that everyone in the company is working to that standard.
"The answer is not more policing," said Leppard. "But better collaboration between law enforcement and industry, with the role of police increasingly about helping industry to protect itself.
"It would help if all organisations were working to a common standard of information security, but I do not know how that could be achieved."
Leppard said the UK government's Cyber Essentials Scheme is a good place to start in establishing a minimum standard, but he said this only provides lightweight protection.
The biggest concerns for police in the year ahead, he said, are the potential proliferation of encrypted communications and the potential loss of security integrity of mobile communications.
"It is difficult to know where the biggest challenges will lie, but we are confident they will involve a cyber element," Leppard concluded.
Double clicking involves clicking your mouse button quickly two times. To perform a double click, and not just two clicks, the mouse button must be pressed twice within a very short time, typically about half a second. Most operating systems allow you to lengthen or shorten the maximum time allowed for a double click, using the Mouse Control Panel or System Preference.
A double click is recognized by your computer as a specific command, just like pressing a key on your keyboard. Double clicking is used to perform a variety of actions, such as opening a program, opening a folder, or selecting a word of text. In order to double click an object, just move the cursor over the item and press the left mouse button quickly two times.
It is always a simple matter to drag the people along, whether it is a democracy, or a fascist dictatorship, or a parliament, or a communist dictatorship. Voice or no voice, the people can always be brought to the bidding of their leaders. That is easy. All you have to tell them is that they are being attacked and denounce the peacemakers for lack of patriotism and exposing the country to danger. It works the same in any country.