CCC News


IT and Cyber Security News Update from

Centre for Research and Prevention of Computer Crimes, India


Courtesy - Sysman Computers Private Limited, Mumbai

Since June 2005 | December 10, 2014 | Issue no 1517

Tenth year of uninterrupted publication

Today’s edition – 


UNLAWFUL : Sec 66A of IT act lacks guidelines, arrests made over social media posts prone to abuse: SC

VIRUS : Android phones hit by new virus that steals passwords

SPY : NSA mobile phone network hacking raises security concerns

BYE PASSWORD : FIDO Alliance releases 1.0 specifications for passwordless authentication

IT Term of the day

Quote of the day





UNLAWFUL : Sec 66A of IT act lacks guidelines, arrests made over social media posts prone to abuse: SC

by Utkarsh Anand

December 10, 2014


The Supreme Court on Tuesday observed that Section 66A of the Information Technology Act, which empowers police to make arrests over social media posts, apparently lacked guidelines on when such power can be exercised and that somebody’s “annoyance” was enough in certain cases for invoking the law.


“Section 66A does not give any specific guidance on when to invoke it, unlike the provisions in the Indian Penal Code (IPC). The IPC uses specific words and gives specific illustrations for the offences but that does not appear to be the case with Section 66A. It appears that nobody has to even say anything hateful or meaning ill will… annoyance of someone could be used to invoke it,” said a bench of Justices J Chelameswar and S A Bobde.


The court’s observations came even as the central government admitted that Section 66A was prone to abuse and that there were indeed incidents in the past where people were wrongly arrested by invoking this provision. Section 66A defines the punishment for sending “offensive” messages through a computer or any other communication device like a mobile phone or a tablet. A conviction can fetch a maximum of three years in jail and a fine.


Additional Solicitor General Tushar Mehta submitted that the abuse of power in certain cases was “evident” and that the Centre did not seek to justify the incidents where whimsical arrests were made. He said in most of the incidents, cited by a batch of petitions that have challenged the constitutional validity of Section 66A, the power was abused and actions had been taken against the erring police officers.


The list of incidents included the arrest of two girls in Maharashtra by Thane Police in 2012 over a Facebook post, the arrest of Jadavpur University professor Ambikesh Mahapatra for forwarding a caricature of Trinamool Congress chief Mamata Banerjee on Facebook, and the arrest of Aseem Trivedi for drawing cartoons lampooning Parliament and the Constitution to depict their ineffectiveness.


“If there is abuse and the abuse is so egregious, even in some cases, there is definitely an issue to be heard and decided regarding the validity of such a provision,” retorted the court.


As the final arguments on the petitions began, the bench sought to know if the provisions in the IPC were not adequate to deal with the offences arising out of electronic messages and hence Section 66A was drafted in the IT Act.


Senior advocate Soli Sorabjee, Prashant Bhushan and Sanjay Parikh, appearing for the petitioners, replied that not only were the IPC provisions enough, they were better drafted and explained the circumstances when the alleged offences could be attracted. This, they contended, was not the case in Section 66A which was vague and left it to the subjective discretion of the police to decide when to arrest.


At this, the bench replied that in most of the cases cited by the petitioners, there was no statement which could have threatened the integrity of the country, as alleged by the police. It said the word “offensive” may be construed differently in different contexts and that not everything would make a criminal offence. The bench will resume hearing on Wednesday.



VIRUS : Android phones hit by new virus that steals passwords

Cybersecurity sleuths have alerted Android-based smart phone users against an infectious Trojan virus which steals vital information from the personal device.


Dec 9, 2014


NEW DELHI: Cybersecurity sleuths have alerted Android-based smart phone users against an infectious Trojan virus which steals vital information from the personal device and can even illegally send SMSes to those on the mobile contact list.


The deadly virus has been identified as 'AndroidSmssend' and it can acquire as many as four aliases to hoodwink the user and perpetrate its destructive activities on a personal Android enabled phone.


"Android/SmsSend is a premium service abuser family malware that arrives bundled with legitimate Android applications and infects Android based smartphones.


"Once infected, it sends text messages (typically with a link to itself or a different threat) to a specific number, typically to numbers on the contact list and is also capable to send SMS to premium rate numbers," the Computer Emergency Response Team of India (CERT-In) said in its latest advisory to Android phone users in the country.


The CERT-In is the nodal agency to combat hacking, phishing and to fortify security-related defences of the Indian internet domain.


It said that after a typical successful infection, basic information about the smartphone, such as the IMEI number, device ID and device type, among others, is compromised, and the virus can even install spyware on the targeted device.


The virus is so notorious, the agency said, that it "steals contacts and pictures, tracks the location, steals passwords, illegally accesses text messages, crashes a complete system, steals personal banking information when logged in, installs other sort of spyware and disables firewall and anti-virus program to defend itself."


The CERT-In said the malware is created by modifying the legitimate application and then re-distributing via marketplace or other separate channels.


The agency has suggested some counter-measures in this regard.


"Do not download and install applications from untrusted sources, install applications downloaded from reputed application market only, run a full system scan on device with mobile security solution or mobile anti-virus solution, check for the permissions required by an application before installing, exercise caution while visiting trusted/untrusted sites for clicking links, install Android updates and patches and use device encryption or encrypting external SD card feature available with most of the android OS (operating system)," it said.


Also, avoid using unsecured, unknown Wi-Fi networks and make a practice of taking regular backup of the Android device, the advisory said.
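The advisory's "check for the permissions required by an application before installing" step can be made concrete. The sketch below is an added example, not part of the CERT-In advisory or the original article: it reads a decoded AndroidManifest.xml as text and flags permissions that line up with the behaviours described above (SMS sending, contact theft, device identifiers, location tracking). The sample manifest, the expected-permission list and the function names are constructed for illustration.

```javascript
// Added illustration: pre-install permission review keyed to the advisory's behaviours.
// The manifest text and the expected-permission list below are constructed samples.
const RISKY = {
  'android.permission.SEND_SMS': 'send SMS, including to premium-rate numbers',
  'android.permission.READ_SMS': 'read stored text messages',
  'android.permission.RECEIVE_SMS': 'intercept incoming text messages',
  'android.permission.READ_CONTACTS': 'read the contact list',
  'android.permission.READ_PHONE_STATE': 'read phone state and device identifiers',
  'android.permission.ACCESS_FINE_LOCATION': 'track precise location',
  'android.permission.ACCESS_COARSE_LOCATION': 'track approximate location',
};

// Return the unique permission names requested by a decoded manifest.
function extractPermissions(manifestXml) {
  const body = manifestXml.replace(/<!--[\s\S]*?-->/g, ''); // ignore commented-out entries
  const re = /<uses-permission\b[^>]*\bandroid:name\s*=\s*"([^"]+)"/g;
  const found = new Set();
  for (const m of body.matchAll(re)) found.add(m[1]);
  return [...found];
}

// Flag risky permissions that the app's stated purpose does not explain.
// `expected` is the reviewer's own list of permissions the app plausibly needs.
function reviewPermissions(manifestXml, expected) {
  const requested = extractPermissions(manifestXml);
  const findings = requested
    .filter((p) => RISKY[p] && !expected.includes(p))
    .map((p) => ({ permission: p, risk: RISKY[p] }));
  const has = (p) => requested.includes('android.permission.' + p);
  // SEND_SMS together with READ_CONTACTS matches the "SMS to the contact list" pattern.
  return { requested, findings, smsToContacts: has('SEND_SMS') && has('READ_CONTACTS') };
}

// Constructed sample: a torch app that asks for far more than the camera flash.
const SAMPLE_MANIFEST = `
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  <!-- <uses-permission android:name="android.permission.READ_SMS" /> -->
</manifest>`;

function demoReview() {
  return reviewPermissions(SAMPLE_MANIFEST, ['android.permission.CAMERA']);
}

console.log(JSON.stringify(demoReview(), null, 2));
```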





SPY : NSA mobile phone network hacking raises security concerns

Warwick Ashford

05 December 2014


The US National Security Agency (NSA) spied on the GSM Association to identify and exploit security vulnerabilities in mobile phone networks, documents leaked by whistleblower Edward Snowden reveal.


This has raised concerns about the security of the world’s mobile networks amid speculation that the NSA may have compromised the latest mobile encryption algorithms.


The NSA has collected technical information on about 70% of mobile phone networks world-wide through an operation called Auroragold, according to The Intercept.


The operation is carried out by specialist NSA surveillance units tasked with spying on private companies that run cellphone networks.


According to the leaked documents, the NSA intercepted confidential emails between hundreds of companies and organisations internationally to find security weaknesses in mobile phone technology.


A year ago the Washington Post revealed the NSA had broken the most commonly used mobile phone encryption algorithm known as A5/1.


But the information collected under Auroragold allows the NSA to look at ways of circumventing newer and stronger versions of A5 cellphone encryption, such as A5/3.


The documents also reveal how the NSA works to attack cellphone encryption technology, and plans to secretly introduce new flaws into communication systems so that they can be tapped into.


Security experts have cautioned against this tactic, saying it could be exposing millions of people to attacks by criminal hackers.


News of Auroragold has coincided with the introduction of a new US bill aimed at protecting the privacy and data security of US citizens.


The Secure Data bill, introduced by US senator Ron Wyden, specifically prohibits government mandates to build backdoors or security vulnerabilities into US software and electronics.


Wyden said recent proposals by government officials to compel companies to build backdoors in the security features of their products threaten to undermine the development and deployment of strong data security technologies.


"Strong encryption and sound computer security is the best way to keep Americans' data safe from hackers and foreign threats. It is the best way to protect our constitutional rights at a time when a person's whole life can often be found on his or her smartphone,” he said.


According to Wyden, strong computer security can rebuild consumer trust that has been shaken by years of misstatements by intelligence agencies about mass surveillance of US citizens.


"This bill sends a message to leaders of those agencies to stop recklessly pushing for new ways to vacuum up Americans' private information, and instead put that effort into rebuilding public trust,” he said.


Wyden said that, once a backdoor is built in a security system, the security of the system is inherently compromised.


The latest Snowden documents reveal that the UK-headquartered GSM Association is among the high-profile Auroragold surveillance targets.


The mobile trade group works closely with large US firms such as Microsoft, Facebook, AT&T, and Cisco, as well as large international companies, including Sony, Nokia, Samsung, Ericsson and Vodafone.


Industry commentators say that by spying on the GSMA, the NSA has placed itself in direct conflict with the mission of the National Institute for Standards and Technology (NIST), the US government agency responsible for recommending cyber security standards in the US.


The GSMA is currently funded by NIST to develop privacy-enhancing technologies.


A surveillance review panel convened by US president Barack Obama concluded in December 2013 that the NSA should not “in any way subvert, undermine, weaken, or make vulnerable generally available commercial software” in its final report.


“Even if you love the NSA and you say you have nothing to hide, you should be against a policy that introduces security vulnerabilities,” said Karsten Nohl, a mobile security expert and cryptographer.


“Once the NSA introduces a weakness, a vulnerability, it is not only the NSA that can exploit it,” he told The Intercept.


A top-secret world map featured in a June 2012 presentation on Auroragold suggests that the NSA has some degree of “network coverage” in almost all countries on every continent.


This includes the US and closely allied countries such as the UK, Germany, France, Australia and New Zealand.


The information collected from the companies is passed on to NSA “signals development” teams that focus on infiltrating communication networks.


The data is also shared with other US intelligence agencies and with the NSA’s counterparts in countries that are part of the Five Eyes alliance, namely the UK, Canada, Australia, and New Zealand.


A GSMA spokesperson said the body would not make a response until its lawyers had examined the relevant documents.


An NSA spokeswoman declined to discuss the tactics used by Auroragold or whether the operation was still being conducted.


“NSA collects only those communications that it is authorised by law to collect in response to valid foreign intelligence and counterintelligence requirements,” the spokeswoman said.



BYE PASSWORD : FIDO Alliance releases 1.0 specifications for passwordless authentication

Amid growing fears of stolen credentials and data breaches, the FIDO Alliance released its long-awaited 1.0 specifications for passwordless and multifactor authentication systems.

By Rob Wright

09 Dec 2014


An upstart effort to foster standards for online passwordless and multifactor authentication today made its specifications official -- a move many vendors hope will be the watershed event that sparks widespread adoption of MFA and results in the death of the password once and for all.


The FIDO Alliance announced the ratification of version 1.0 of its Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) specifications, the first official versions of its burgeoning standards for enabling interoperable MFA for any number of Web or mobile authentication scenarios, as well as biometric authentication with fingerprint readers, voice scanners or even facial-recognition systems.


A non-profit vendor consortium led by the biggest names in tech including Microsoft, Google, PayPal Inc., and many others, the FIDO Alliance was formed two and a half years ago to lay the technological groundwork for advanced forms of passwordless authentication. While a number of vendors have developed one-off architectures in recent years, FIDO sought to not only foster default integration between websites, authentication products, smartphones and payment processors, among others, but also make non-traditional authentication easy for end-users.


Phil Dunkelberger, CEO of Nok Nok Labs Inc., a Palo Alto, Calif.-based company and FIDO founding member, said that FIDO members' vote to ratify the 1.0 specifications, thereby granting members the opportunity to build and sell products based on the specification, is proof of the success the industry consortium has had in gathering and implementing the input of more than 150 member organizations and nearly 20 beta implementations.


"I think about being in a room with a white board," Dunkelberger said, referencing his many early meetings two-plus years ago with would-be FIDO members. "We wouldn't have had the success we've had without being able to demonstrate that it works."


FIDO Alliance members expect the momentum to not only continue, but also accelerate.


"Now that the specifications are released, I think some of the more risk-averse OEMs will explore the technology," said Art Stewart, vice president of the biometric division at Synaptics, a FIDO Alliance board member based in San Jose, Calif.


Andras Cser, vice president and principal analyst at Cambridge, Mass.-based Forrester Research Inc., believes the specifications will help drive significant interest in FIDO, especially in light of the number of high-profile corporate data breaches tied to stolen credentials.


"I think FIDO 1.0 is the first step in the direction of creating a uniform and application-independent authentication and strong authentication ecosystem," Cser said. "It provides a great abstraction layer to hide all the complexities of two factor authentication. For those data breaches where authentication was the weakest link, FIDO will definitely play a role in prevention."


How FIDO works


In describing the role of FIDO-based technology, Dunkelberger said it's like "a feeding mechanism for identity systems," like directory and single sign-on systems, which ensure smooth, secure MFA sessions for users with FIDO-compatible technology.


Both the UAF and U2F protocols are based on public-key cryptography. The UAF protocol allows the user to register a UAF-enabled device with a FIDO-ready server or website, authenticate their identity on their device with a fingerprint or PIN, and log in to the server using a secure public key. The U2F protocol, which was originally developed by Google, is designed to augment passwords for browsers, online service providers and operating systems by authenticating users with a strong second factor, such as a USB touchscreen key.


"Passwords simply aren't good enough for authentication today," said John Salter, COO of identity protection vendor Yubico, a Palo Alto, Calif.-based board level member of the FIDO Alliance. "Even if the passwords are strong, the cost of managing them and resetting them is expensive."


In addition to password cracks and stolen credentials, Salter said phishing attacks have also driven more interest and awareness in FIDO technology, specifically U2F products like Yubico's Yubikey public key device. "Phishing is an issue for a small number of people, but those people are very influential and the attacks on them can do a lot of damage," Salter said.


The alliance released a draft of the proposed 1.0 specifications earlier this year; the final 1.0 release included several key changes, including the addition of application ID checking to allow the application and URL key sharing for both UAF and U2F protocols.
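The public-key registration and login flow described under "How FIDO works", together with the application ID checking mentioned above, can be sketched as follows. This is an added example, not code from the article or the FIDO Alliance, and it is a simplified model rather than the UAF/U2F message format: the class names, the user "alice" and the `.example` origins are constructed, and the app ID is assumed to be supplied by the client platform rather than typed by the user.

```javascript
// Added illustration: simplified FIDO-style public-key login with app ID binding.
// Not the UAF/U2F wire format; class names, user and origins are constructed.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Stands in for the user's device: private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); } // appId -> private key
  // Registration: new key pair per application, only the public half is exported.
  register(appId) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(appId, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }
  // Login: sign hash(appId) || challenge with the key bound to that appId.
  sign(appId, challenge) {
    const key = this.keys.get(appId);
    if (!key) return null; // no credential registered for this application
    return crypto.sign('sha256', Buffer.concat([sha256(appId), challenge]), key);
  }
}

// Stands in for the server: it stores public keys only.
class RelyingParty {
  constructor(appId) {
    this.appId = appId;
    this.users = new Map();   // user -> public key (PEM)
    this.pending = new Map(); // user -> outstanding challenge
  }
  enroll(user, publicKeyPem) { this.users.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is single use
    const pem = this.users.get(user);
    if (!challenge || !pem || !signature) return false;
    const signed = Buffer.concat([sha256(this.appId), challenge]);
    return crypto.verify('sha256', signed, pem, signature);
  }
}

function demo() {
  const site = new RelyingParty('https://bank.example');
  const device = new Authenticator();
  site.enroll('alice', device.register(site.appId));
  const genuine = site.verify('alice', device.sign(site.appId, site.newChallenge('alice')));
  // A look-alike origin passes on the real site's challenge.
  const lookalike = 'https://bank-login.example';
  const relayed = site.newChallenge('alice');
  const noCredential = device.sign(lookalike, relayed) === null;
  device.register(lookalike); // even with a credential for the look-alike...
  const crossOrigin = site.verify('alice', device.sign(lookalike, relayed));
  const sig = device.sign(site.appId, site.newChallenge('alice'));
  const first = site.verify('alice', sig);
  const replay = site.verify('alice', sig);
  return { genuine, noCredential, crossOrigin, first, replay };
}
```

In this model a response signed under a look-alike origin's app ID does not verify at the real site, and a response replayed after its challenge has been consumed is rejected.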


For future versions of the U2F specifications, Salter said the FIDO Alliance will look to expand transport options beyond USB.


"We're exploring Bluetooth and NFC (near-field communication) so the technology can be used in devices like smartphones and tablets," Salter said, adding that Yubico has already deployed U2F on NFC with one client.


FIDO end-user technology today/tomorrow


At the heart of FIDO technology is public-private key-based encryption, a security technology that Dunkelberger -- former co-founder and CEO of PGP Corp., which was acquired by Symantec Corp. in 2010 -- called sound and fundamental to secure authentication.


One of the additions to the 1.0 version of the FIDO specification is the use of a "secure element" -- a private key repository residing only on the end-user authentication device -- to validate the device. The concept, essentially a form of tokenization, has recently gained notoriety via Apple's use of a similar technology in its Apple Pay software.


In fact, online and mobile payment systems have played a crucial role in the development of FIDO's specifications, Stewart said. "That's been by far the biggest industry supporting [FIDO]," he said.


Stewart also said that while several alliance members already have FIDO-ready products for UAF and U2F protocols, there is plenty of room for additional companies to develop more, whether they are actual authenticators or complementary products for such a thing as encryption key management.


"There's a tremendous amount of activity around FIDO already," he said, "and I think the added competition will be a good thing."


Despite the notoriously slow progress of most IT industry standards efforts, FIDO has, in just two and a half years, gone from little more than a vague concept to a set of standards embraced by dozens of tech's most influential companies.


Dunkelberger said that rapid progress is evidence not only of how well the industry can work together to foster sensible standards, but also of how eager FIDO's many stakeholders are to usher in an era in which passwordless authentication becomes the norm.


"To me, this was the real bet: Can the industry come together to solve the stolen credentials issue?" Dunkelberger said, citing the role compromised password-based credentials have had in numerous high-profile breaches. "Eventually this [non-password-based authentication] will be like fluoride in the water; it'll be built in and just be there."



IT Term of the day


DirectX is a set of standard commands and functions that software developers can use when creating their programs. While any Windows-based software program can include DirectX commands, they are usually used in video games. For example, developers may use DirectX for controlling video playback, sound effects, and peripheral input (such as a keyboard, mouse, or joystick). By incorporating DirectX functions into a computer game, programmers can use predefined commands to manage the video and sound of their game, as well as user input. This makes it easier for programmers to develop video games and also helps the games look more uniform, since DirectX games use many of the same commands.


Technically, DirectX is known as an application programming interface (API), which consists of predefined functions and commands. In order to create programs that use DirectX, software developers must use the DirectX software development kit, available from Microsoft. However, most users need only the DirectX "End-User Runtime" installed on their computer in order to run DirectX-enabled software. The DirectX API is available for Windows software and Xbox video games.



Quote of the day

That there are men in every country that get their living by war is as shocking as it is true


Rights of Man

English Edition


