Newsletter
IT and Cyber Security News Update from
Centre for Research and Prevention of Computer Crimes,
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
Since June 2005
December 10, 2014, Issue no 1517
Tenth year of uninterrupted publication
Today's edition
VIRUS : Android phones hit by new virus that steals passwords
SPY : NSA mobile phone network hacking raises security concerns
BYE PASSWORD : FIDO Alliance releases 1.0 specifications for passwordless authentication
UNLAWFUL : Sec 66A of IT Act lacks guidelines, arrests made over social media posts prone to abuse: SC
by Utkarsh Anand
December 10, 2014
The Supreme Court on Tuesday observed that Section 66A of the Information Technology Act, which empowers police to make arrests over social media posts, apparently lacked guidelines on when such power can be exercised and that somebody's annoyance was enough in certain cases for invoking the law.
"Section 66A does not give any specific guidance on when to invoke it, unlike the provisions in the Indian Penal Code (IPC). The IPC uses specific words and gives specific illustrations for the offences but that does not appear to be the case with Section 66A. It appears that nobody has to even say anything hateful or meaning ill will; annoyance of someone could be used to invoke it," said a bench of Justices J Chelameswar and S A Bobde.
The court's observations came even as the central government admitted that Section 66A was prone to abuse and that there were indeed incidents in the past where people were wrongly arrested by invoking this provision. Section 66A defines the punishment for sending offensive messages through a computer or any other communication device like a mobile phone or a tablet. A conviction can fetch a maximum of three years in jail and a fine.
Additional Solicitor General Tushar Mehta submitted that the abuse of power in certain cases was evident and that the Centre did not seek to justify the incidents where whimsical arrests were made. He said in most of the incidents, cited by a batch of petitions that have challenged the constitutional validity of Section 66A, the power was abused and actions had been taken against the erring police officers.
The list of incidents included the arrest of two girls in Maharashtra by Thane Police in 2012 over a Facebook post, the arrest of Jadavpur University professor Ambikesh Mahapatra for forwarding a caricature of Trinamool Congress chief Mamata Banerjee on Facebook, and the arrest of Aseem Trivedi for drawing cartoons lampooning Parliament and the Constitution to depict their ineffectiveness.
"If there is abuse and the abuse is so egregious, even in some cases, there is definitely an issue to be heard and decided regarding the validity of such a provision," retorted the court.
As the final arguments on the petitions began, the bench sought to know if the provisions in the IPC were not adequate to deal with the offences arising out of electronic messages and hence Section 66A was drafted in the IT Act.
Senior advocate Soli Sorabjee, Prashant Bhushan and Sanjay Parikh, appearing for the petitioners, replied that not only were the IPC provisions enough, they were better drafted and explained the circumstances when the alleged offences could be attracted. This, they contended, was not the case in Section 66A, which was vague and left it to the subjective discretion of the police to decide when to arrest.
At this, the bench replied that in most of the cases cited by the petitioners, there was no statement which could have threatened the integrity of the country, as alleged by the police. It said the word "offensive" may be construed differently in different contexts and that not everything would make a criminal offence. The bench will resume hearing on Wednesday.
VIRUS : Android phones hit by new virus that steals passwords
Cybersecurity sleuths have alerted Android-based smart phone users against an infectious Trojan virus which steals vital information from the personal device.
PTI
Dec 9, 2014
NEW DELHI: Cybersecurity sleuths have alerted Android-based smart phone users against an infectious Trojan virus which steals vital information from the personal device and can even illegally send SMSes to those on the mobile contact list.
The deadly virus has been identified as 'AndroidSmssend' and it can acquire as many as four aliases to hoodwink the user and perpetrate its destructive activities on a personal Android-enabled phone.
"Android/SmsSend is a premium service abuser family malware that arrives bundled with legitimate Android applications and infects Android based smartphones.
"Once infected, it sends text messages (typically with a link to itself or a different threat) to a specific number, typically to numbers on the contact list and is also capable to send SMS to premium rate numbers," the Computer Emergency Response Team of India (CERT-In) said in its latest advisory to Android phone users in the country.
The CERT-In is the nodal agency to combat hacking, phishing and to fortify security-related defences of the Indian internet domain.
It said that after a typical successful infection by the virus, basic information about the smart phone, such as the IMEI number, device id and device type, is compromised, and it can even install spyware on the targeted device.
The virus is so notorious, the agency said, that it "steals contacts and pictures, tracks the location, steals passwords, illegally accesses text messages, crashes a complete system, steals personal banking information when logged in, installs other sort of spyware and disables firewall and anti-virus program to defend itself."
The CERT-In said the malware is created by modifying the legitimate application and then re-distributing via marketplace or other separate channels.
The agency has suggested some counter-measures in this regard.
"Do not download and install applications from untrusted sources, install applications downloaded from reputed application market only, run a full system scan on device with mobile security solution or mobile anti-virus solution, check for the permissions required by an application before installing, exercise caution while visiting trusted/untrusted sites for clicking links, install Android updates and patches and use device encryption or encrypting external SD card feature available with most of the android OS (operating system)," it said.
Also, avoid using unsecured, unknown Wi-Fi networks and make a practice of taking regular backup of the Android device, the advisory said.
SPY : NSA mobile phone network hacking raises security concerns
Warwick Ashford
05 December 2014
The US National Security Agency (NSA) spied on the GSM Association to identify and exploit security vulnerabilities in mobile phone networks, documents leaked by whistleblower Edward Snowden reveal.
This has raised concerns about the security of the world's mobile networks amid speculation that the NSA may have compromised the latest mobile encryption algorithms.
The NSA has collected technical information on about 70% of mobile phone networks world-wide through an operation called Auroragold, according to The Intercept.
The operation is carried out by specialist NSA surveillance units tasked with spying on private companies that run cellphone networks.
According to the leaked documents, the NSA intercepted confidential emails between hundreds of companies and organisations internationally to find security weaknesses in mobile phone technology.
A year ago the Washington Post revealed the NSA had broken the most commonly used mobile phone encryption algorithm, known as A5/1.
But the information collected under Auroragold allows the NSA to look at ways of circumventing newer and stronger versions of A5 cellphone encryption, such as A5/3.
The documents also reveal how the NSA works to attack cellphone encryption technology, and plans to secretly introduce new flaws into communication systems so that they can be tapped into.
Security experts have cautioned against this tactic, saying it could be exposing millions of people to attacks by criminal hackers.
News of Auroragold has coincided with the introduction of a new US bill aimed at protecting the privacy and data security of US citizens.
The Secure Data bill, introduced by US senator Ron Wyden, specifically prohibits government mandates to build backdoors or security vulnerabilities into US software and electronics.
Wyden said recent proposals by government officials to compel companies to build backdoors in the security features of their products threaten to undermine the development and deployment of strong data security technologies.
"Strong encryption and sound computer security is the best way to keep Americans' data safe from hackers and foreign threats. It is the best way to protect our constitutional rights at a time when a person's whole life can often be found on his or her smartphone," he said.
According to Wyden, strong computer security can rebuild consumer trust that has been shaken by years of misstatements by intelligence agencies about mass surveillance of US citizens.
"This bill sends a message to leaders of those agencies to stop recklessly pushing for new ways to vacuum up Americans' private information, and instead put that effort into rebuilding public trust," he said.
Wyden said that, once a backdoor is built in a security system, the security of the system is inherently compromised.
The latest Snowden documents reveal that the UK-headquartered GSM Association is among the high-profile Auroragold surveillance targets.
The mobile trade group works closely with large US firms such as Microsoft, Facebook, AT&T, and Cisco, as well as large international companies, including Sony, Nokia, Samsung, Ericsson and Vodafone.
Industry commentators say that by spying on the GSMA, the NSA has placed itself in direct conflict with the mission of the National Institute for Standards and Technology (NIST), the US government agency responsible for recommending cyber security standards in the US.
The GSMA is currently funded by NIST to develop privacy-enhancing technologies.
A surveillance review panel convened by US president Barack Obama concluded in its final report in December 2013 that the NSA "should not in any way subvert, undermine, weaken, or make vulnerable generally available commercial software".
"Even if you love the NSA and you say you have nothing to hide, you should be against a policy that introduces security vulnerabilities," said Karsten Nohl, a mobile security expert and cryptographer.
"Once the NSA introduces a weakness, a vulnerability, it is not only the NSA that can exploit it," he told The Intercept.
A top-secret world map featured in a June 2012 presentation on Auroragold suggests that the NSA has some degree of network coverage in almost all countries on every continent.
This includes the US and closely allied countries such as the UK, Germany, France, Australia and New Zealand.
The information collected from the companies is passed on to NSA signals development teams that focus on infiltrating communication networks.
The data is also shared with other US intelligence agencies and with the NSA's counterparts in countries that are part of the Five Eyes alliance, namely the UK, Canada, Australia, and New Zealand.
A GSMA spokesperson said the body would not make a response until its lawyers had examined the relevant documents.
An NSA spokeswoman declined to discuss the tactics used by Auroragold or whether the operation was still being conducted.
"NSA collects only those communications that it is authorised by law to collect in response to valid foreign intelligence and counterintelligence requirements," the spokeswoman said.
BYE PASSWORD : FIDO Alliance releases 1.0 specifications for passwordless authentication
Amid growing fears of stolen credentials and data breaches, the FIDO Alliance released its long-awaited 1.0 specifications for passwordless and multifactor authentication systems.
By Rob Wright
09 Dec 2014
An upstart effort to foster standards for online passwordless and multifactor authentication today made its specifications official -- a move many vendors hope will be the watershed event that sparks widespread adoption of MFA and results in the death of the password once and for all.
The FIDO Alliance announced the ratification of version 1.0 of its Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) specifications, the first official versions of its burgeoning standards for enabling interoperable MFA for any number of Web or mobile authentication scenarios, as well as biometric authentication with fingerprint readers, voice scanners or even facial-recognition systems.
A non-profit vendor consortium led by the biggest names in tech including Microsoft, Google, PayPal Inc., and many others, the FIDO Alliance was formed two and a half years ago to lay the technological groundwork for advanced forms of passwordless authentication. While a number of vendors have developed one-off architectures in recent years, FIDO sought to not only foster default integration between websites, authentication products, smartphones and payment processors, among others, but also make non-traditional authentication easy for end-users.
Phil Dunkelberger, CEO of Nok Nok Labs Inc., a Palo Alto, Calif.-based company and FIDO founding member, said that FIDO members' vote to ratify the 1.0 specifications, thereby granting members the opportunity to build and sell products based on the specification, is proof of the success the industry consortium has had in gathering and implementing the input of more than 150 member organizations and nearly 20 beta implementations.
"I think about being in a room with a white board," Dunkelberger said, referencing his many early meetings two-plus years ago with would-be FIDO members. "We wouldn't have had the success we've had without being able to demonstrate that it works."
FIDO Alliance members expect the momentum to not only continue, but also accelerate.
"Now that the specifications are released, I think some of the more risk-averse OEMs will explore the technology," said Art Stewart, vice president of the biometric division at Synaptics, a FIDO Alliance board member based in San Jose, Calif.
Andras Cser, vice president and principal analyst at Cambridge, Mass.-based Forrester Research Inc., believes the specifications will help drive significant interest in FIDO, especially in light of the number of high-profile corporate data breaches tied to stolen credentials.
"I think FIDO 1.0 is the first step in the direction of creating a uniform and application-independent authentication and strong authentication ecosystem," Cser said. "It provides a great abstraction layer to hide all the complexities of two factor authentication. For those data breaches where authentication was the weakest link, FIDO will definitely play a role in prevention."
How FIDO works
In describing the role of FIDO-based technology, Dunkelberger said it's like "a feeding mechanism for identity systems," like directory and single sign-on systems, which ensure smooth, secure MFA sessions for users with FIDO-compatible technology.
Both the UAF and U2F protocols are based on public-key cryptography. The UAF protocol allows the user to register a UAF-enabled device with a FIDO-ready server or website, authenticate their identity on their device with a fingerprint or PIN, and log in to the server using a secure public key. The U2F protocol, which was originally developed by Google, is designed to augment passwords for browsers, online service providers and operating systems by authenticating users with a strong second factor, such as a USB touchscreen key.
"Passwords simply aren't good enough for authentication today," said John Salter, COO of identity protection vendor Yubico, a Palo Alto, Calif.-based board level member of the FIDO Alliance. "Even if the passwords are strong, the cost of managing them and resetting them is expensive."
In addition to password cracks and stolen credentials, Salter said phishing attacks have also driven more interest and awareness in FIDO technology, specifically U2F products like Yubico's Yubikey public key device. "Phishing is an issue for a small number of people, but those people are very influential and the attacks on them can do a lot of damage," Salter said.
The alliance released a draft of the proposed 1.0 specifications earlier this year; the final 1.0 release included several key changes, including the addition of application ID checking to allow the application and URL key sharing for both UAF and U2F protocols.
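The registration and challenge-response flow outlined under "How FIDO works", together with the application ID check just mentioned, as an added example in Go. This is illustrative code written for this newsletter, not code from the FIDO Alliance, Yubico or any other vendor quoted here. It assumes a simplified signed message (SHA-256 over the application ID and the server's challenge) rather than the real U2F byte layout, plain-label key handles instead of wrapped ones, and the names Authenticator, Server, Register, Sign, Enroll, BeginAuth and FinishAuth are hypothetical; the origin https://bank.example and the user "alice" are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator (hypothetical name) models a U2F-style token: each private key
// stays on the device, bound to the application ID it was registered for.
type Authenticator struct {
	keys  map[string]*ecdsa.PrivateKey // key handle -> private key
	appOf map[string]string            // key handle -> application ID
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, appOf: map[string]string{}}
}

// Register mints a P-256 key pair for appID and returns only the public key plus
// an opaque key handle (a plain label here; real tokens use wrapped handles).
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	handle := fmt.Sprintf("handle-%d", len(a.keys)+1)
	a.keys[handle], a.appOf[handle] = priv, appID
	return &priv.PublicKey, handle, nil
}

// signedDigest is what both sides sign or verify: SHA-256 over application ID and
// challenge (a simplification of the real U2F signature layout).
func signedDigest(appID string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(appID), challenge...))
	return d[:]
}

// Sign answers a challenge. The application ID check is the phishing defence: a
// handle registered for one origin is refused when a look-alike origin presents it.
func (a *Authenticator) Sign(appID, handle string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[handle]
	if !ok || a.appOf[handle] != appID {
		return nil, errors.New("key handle is not registered for this application")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(appID, challenge))
}

// Server (hypothetical name) is the relying party; it holds public keys only.
type Server struct {
	AppID   string
	pubs    map[string]*ecdsa.PublicKey // user -> registered public key
	handles map[string]string           // user -> key handle to present at login
	pending map[string][]byte           // user -> outstanding one-shot challenge
}

func NewServer(appID string) *Server {
	return &Server{appID, map[string]*ecdsa.PublicKey{}, map[string]string{}, map[string][]byte{}}
}

func (s *Server) Enroll(user string, pub *ecdsa.PublicKey, handle string) {
	s.pubs[user], s.handles[user] = pub, handle
}

// BeginAuth issues a fresh random challenge plus the handle to present to the token.
func (s *Server) BeginAuth(user string) ([]byte, string) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err) // no entropy available: refuse to continue
	}
	s.pending[user] = ch
	return ch, s.handles[user]
}

// FinishAuth accepts the login only if sig verifies, under the stored public key and
// this server's own AppID, over the challenge it just issued (consumed here, so a
// replayed signature fails).
func (s *Server) FinishAuth(user string, sig []byte) error {
	ch, ok := s.pending[user]
	delete(s.pending, user)
	if !ok {
		return errors.New("no authentication in progress")
	}
	if pub := s.pubs[user]; pub == nil || !ecdsa.VerifyASN1(pub, signedDigest(s.AppID, ch), sig) {
		return errors.New("unknown user or signature does not verify")
	}
	return nil
}

func main() {
	auth, srv := NewAuthenticator(), NewServer("https://bank.example") // constructed sample origin
	pub, handle, _ := auth.Register(srv.AppID)
	srv.Enroll("alice", pub, handle)
	ch, h := srv.BeginAuth("alice")
	sig, _ := auth.Sign(srv.AppID, h, ch)
	fmt.Println("genuine login accepted:", srv.FinishAuth("alice", sig) == nil)
}
```

Under these assumptions the server's database holds only public keys, so a copy of it gives an intruder nothing to log in with; the challenge is random, single-use and deleted on verification, so a captured signature cannot be replayed; and because the token compares the application ID presented at login with the one bound at registration, a look-alike origin that presents the same key handle receives no signature at all, which is the phishing resistance Salter describes.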
For future versions of the U2F specifications, Salter said the FIDO Alliance will look to expand transport options beyond USB.
"We're exploring Bluetooth and NFC (near-field communication) so the technology can be used in devices like smartphones and tablets," Salter said, adding that Yubico has already deployed U2F on NFC with one client.
FIDO end-user technology today/tomorrow
At the heart of FIDO technology is public-private key-based encryption, a security technology that Dunkelberger -- former co-founder and CEO of PGP Corp., which was acquired by Symantec Corp. in 2010 -- called sound and fundamental to secure authentication.
One of the additions to the 1.0 version of the FIDO specification is the use of a "secure element" -- a private key repository residing only on the end-user authentication device -- to validate the device. The concept, essentially a form of tokenization, has recently gained notoriety via Apple's use of a similar technology in its Apple Pay software.
In fact, online and mobile payment systems have played a crucial role in the development of FIDO's specifications, Stewart said. "That's been by far the biggest industry supporting [FIDO]," he said.
Stewart also said that while several alliance members already have FIDO-ready products for UAF and U2F protocols, there is plenty of room for additional companies to develop more, whether they are actual authenticators or complementary products for such a thing as encryption key management.
"There's a tremendous amount of activity around FIDO already," he said, "and I think the added competition will be a good thing."
Despite the notoriously slow progress of most IT industry standards efforts, FIDO has, in just two and a half years, gone from little more than a vague concept to a set of standards embraced by dozens of tech's most influential companies.
Dunkelberger said that rapid progress is evidence not only of how well the industry can work together to foster sensible standards, but also of how eager FIDO's many stakeholders are to usher in an era in which passwordless authentication becomes the norm.
"To me, this was the real bet: Can the industry come together to solve the stolen credentials issue?" Dunkelberger said, citing the role compromised password-based credentials have had in numerous high-profile breaches. "Eventually this [non-password-based authentication] will be like fluoride in the water; it'll be built in and just be there."
DirectX
DirectX is a set of standard commands and functions that software developers can use when creating their programs. While any Windows-based software program can include DirectX commands, they are usually used in video games. For example, developers may use DirectX for controlling video playback, sound effects, and peripheral input (such as a keyboard, mouse, or joystick). By incorporating DirectX functions into a computer game, programmers can use predefined commands to manage the video and sound of their game, as well as user input. This makes it easier for programmers to develop video games and also helps the games look more uniform, since DirectX games use many of the same commands.
Technically, DirectX is known as an application programming
interface (API), which consists of predefined functions and commands. In order
to create programs that use DirectX, software developers must use the DirectX
software development kit, available from Microsoft. However, most users need
only the DirectX "End-User Runtime" installed on their computer in
order to run DirectX-enabled software. The DirectX API is available for Windows
software and Xbox video games.
"That there are men in every country that get their living by war is as shocking as it is true" - Rights of Man