Date: Fri, 4 Jun 2010 20:22:39 +0530
From: sysman01@mtnl.net.in
Subject: [CCCNews] CCCNews Newsletter - dated 2010 June 07
To: sysman01@mtnl.net.in
June 07, 2010
Editor - Rakesh Goyal (rakesh@sysman.in)
In today's Edition - (This is a news-letter and not a SPAM)
UNSAFE : Hackers of Passport Office website held
RETALIATE : Nato warns of strike against cyber attackers
SECURITY : China Gets A Peek At Microsoft Source Code
BEWARE : Dark Side Arises for Phone Apps
IT Term of the day
Quote of the day
* Direct Circulation in 4 Google groups (control-computer-crimes@googlegroups.com and IT-Sec-NSE@googlegroups.com) and 2 more groups
--
You received this message because you are subscribed to the Google Groups "control-computer-crimes" group.
To post to this group, send email to control-computer-crimes@googlegroups.com.
To unsubscribe from this group, send email to control-computer-crimes+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/control-computer-crimes?hl=en.
--Forwarded Message Attachment--
IT and Related Security News Update from
Centre for Research and Prevention of Computer Crimes, India
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
June 07, 2010
Today�s edition ��
UNSAFE : Hackers of Passport Office website held
RETALIATE : Nato warns of strike against cyber attackers
SECURITY : China Gets A Peek At Microsoft Source Code
BEWARE : Dark Side Arises for Phone Apps
(Click on heading above to jump to related item. Click on �Top� to be back here)
UNSAFE : Hackers of Passport Office website held
PTI
6 June 2010
HYDERABAD � Local police here have arrested a seven-member gang in Hyderabad for allegedly hacking the website of the Regional Passport Office.
As the persons hacked the website and illegally uploaded about 3,000 passport applications by hacking the site, other applicants failed to secure slot, police said. �By hacking the site, they illegally uploaded about 3,000 passport applications online under �Tatkal� scheme so far�, Hyderabad Police Commissioner A K Khan said.
The gang leader was identified as Lathadhar Rao, a PG Diploma holder in Computer Applications, he said.
Regional Passport Office authorities of Hyderabad are officially releasing online slots for confirmed dates of appointments to the applicants in obtaining passports under �Tatkal� scheme.
But, Lathadhar Rao, entered the website and gained access to the server of NIC and succeeded in submitting the passport applications with confirmed dates under �Tatkal� scheme, Khan said.
�The applicants who are in urgent need of passports approached the agents for submitting their applications who in turn were selling these slots to applicants by collecting huge amounts,� Khan added.
RETALIATE : Nato warns of strike against cyber attackers
Michael Smith and Peter Warren
The Sunday Times
June 6, 2010
http://www.timesonline.co.uk/tol/news/world/article7144856.ece
NATO is considering the use of military force against enemies who launch cyber attacks on its member states.
The move follows a series of Russian-linked hacking against Nato members and warnings from intelligence services of the growing threat from China.
A team of Nato experts led by Madeleine Albright, the former US secretary of state, has warned that the next attack on a Nato country �may well come down a fibre-optic cable�.
A report by Albright�s group said that a cyber attack on the critical infrastructure of a Nato country could equate to an armed attack, justifying retaliation.
�A large-scale attack on Nato�s command and control systems or energy grids could possibly lead to collective defence measures under article 5,� the experts said.
Article 5 is the cornerstone of the 1949 Nato charter, laying down that �an armed attack� against one or more Nato countries �shall be considered an attack against them all�.
It was the clause in the charter that was invoked following the September 11 attacks to justify the removal of the Taliban regime in Afghanistan.
Nato is now considering how severe the attack would have to be to justify retaliation, what military force could be used and what targets would be attacked.
The organisation�s lawyers say that because the effect of a cyber attack can be similar to an armed assault, there is no need to redraft existing treaties.
Eneken Tikk, a lawyer at Nato�s cyber defence centre in Estonia, said it would be enough to invoke the mutual defence clause �if, for example, a cyber attack on a country�s power networks or critical infrastructure resulted in casualties and destruction comparable to a military attack�.
Nato heads of government are expected to discuss the potential use of military force in response to cyber attacks at a summit in Lisbon in November that will debate the alliance�s future. General Keith Alexander, head of the newly created US cyber command, said last week there was a need for �clear rules of engagement that say what we can stop�.
The concerns follow warnings from intelligence services across Europe that computer-launched attacks from Russia and China are a mounting threat. Russian hackers have been blamed for an attack against Estonia in April and May of 2007 which crippled government, media and banking communications and internet sites.
They also attacked Georgian computer systems during the August 2008 invasion of the country, bringing down air defence networks and telecommunications systems belonging to the president, the government and banks.
Alexander disclosed last week that a 2008 attack on the Pentagon�s systems, believed to have been mounted by the Chinese, successfully broke through into classified areas.
Britain�s Joint Intelligence Committee cautioned last year that Chinese-made parts in the BT phone network could be used to bring down systems running the country�s power and food supplies.
Some experts have warned that it is often hard to establish government involvement. Many Russian attacks, for example, have been blamed on the Russian mafia. The Kremlin has consistently refused to sign an international treaty banning internet crime.
SECURITY : China Gets A Peek At Microsoft Source Code
Government review stems from an agreement which allows China access to the source code for Windows 7 and other software.
By Mike Clendenin
InformationWeek
June 4, 2010
Microsoft is giving the Chinese government access to the source code for Windows 7 and other key products in an effort to head off any concerns about the security capabilities of Microsoft products.
The review is an extension of an agreement signed in 2006 which enables China immediate access to the source code for Windows 7, Vista, XP, Server 2008 R2, Server 2003, and 2000, and the embedded software CE 6.0, 5.0, and 4.2. Also included is the source code for Microsoft Office 2003 Professional Edition and most other Microsoft products.
The agreement comes on the heels of a recent and somewhat controversial interview in which Microsoft chief Steve Ballmer downplayed the importance of China to Microsoft because of its poor IP protection and said India was a better market, irritating some Chinese.
"China is in a class by itself: There is no software market to speak off. China is a lot less interesting market to us than India or Indonesia," Ballmer said in an interview with Bloomberg. "We do seven times better in India. China can't get a lot worse. We haven't given up on China, but from a Microsoft perspective, we do more business in India; we do more business in Korea."
Though China's authorities have pressured big PC makers like Lenovo to bundle products with genuine copies of Windows, the reality is it still doesn't happen in many cases. China sold more than 40 million PCs in 2009 and is on track to become the largest PC market, yet it accounts for less than one percent of Microsoft's revenue. (Asia, excluding Japan is only 3 percent.)
The government's technical review of Windows source code is one tool the company uses to help Chinese authorities feel at ease using its products and is a key component of a memorandum related to raising software industry cooperation. The government is one of the biggest buyers of information technology in China.
Xu Jiancheng, deputy inspector of the China Information Technology Security Evaluation Center's Department of High-Tech Industry, said: "This � signals the cooperation between the two sides and a step forward. I hope that the partnership between China and Microsoft leads to greater cooperation in the area of information security based on the principle of mutual benefits."
Microsoft calls the program "a global initiative that provides national governments with controlled access to Microsoft Windows source code and other technical information they need to be confident in the enhanced security features of the Windows platform."
The software giant announced the program in early 2003. In a statement, it said: "The GSP is a no-fee initiative that enables program participants to review Windows source code�In addition to source access, the GSP provides for the disclosure of technical information about the Windows platform, enhancing governments' ability to build and deploy computing infrastructures with strong security technologies in place."
BEWARE : Dark Side Arises for Phone Apps
Security Concerns Prompt Warnings
By SPENCER E. ANTE
JUNE 3, 2010
http://online.wsj.com/article/SB10001424052748703340904575284532175834088.html
As smartphones and the applications that run on them take off, businesses and consumers are beginning to confront a budding dark side of the wireless Web.
Mobile applications may be all the rage, but they could pose a serious security threat. WSJ's Spencer Ante joins Simon Constable on Digits to talk about the rise of fraudulent mobile apps, and what consumers can do to keep their private data safe
Online stores run by Apple Inc., Google Inc. and others now offer more than 250,000 applications such as games and financial tools. The apps have been a key selling point for devices like Apple's iPhone. But concerns are growing among security researchers and government officials that efforts to keep out malicious software aren't keeping up with the apps craze.
In one incident, Google pulled dozens of unauthorized mobile-banking apps from its Android Market in December. The apps, priced at $1.50, were made by a developer named "09Droid" and claimed to offer access to accounts at many of the world's banks. Google said it pulled the apps because they violated its trademark policy.
The apps were more useless than malicious, but could have been updated to capture customers' banking credentials, said John Hering, chief executive of Lookout, a mobile security provider. "It is becoming easier for the bad guys to use the app stores," Mr. Hering said.
Unlike Apple or BlackBerry maker Research In Motion Ltd., Google doesn't have employees dedicated to vetting applications submitted to its Android store. Google said it removes apps that violate its policies, but largely relies on users to alert it to bad software. "We check reactively," said a Google spokesman. "There is no manual bottleneck."
As more companies, governments and consumers use wireless gadgets to conduct commerce and share private information, computer bad guys are beginning to target them, according to government officials and security researchers.
"Mobile phones are a huge source of vulnerability," said Gordon Snow, assistant director of the Federal Bureau of Investigation's Cyber Division. "We are definitely seeing an increase in criminal activity."
The FBI's Cyber Division recently began working on a number of cases based on tips about malicious programs in app stores, Mr. Snow said. The cases involve apps designed to compromise banking on cellphones, as well as mobile "malware" used for espionage by foreign nations, said a person familiar with the matter. To protect its own operations, the FBI bars its employees from downloading apps on FBI-issued smartphones.
The vulnerability of mobile computing is also a concern for the U.S. Air Force, which worries about theft of military information or the use of personal details to scam or extort airmen and women.
In March, the Air Force barred users of all service-issued BlackBerrys from downloading apps. Research In Motion said its technology allows customers to enforce such group-wide security measures.
The move followed a sharp rise in questionable activity aimed at Air Force smartphones, including attacks that tried to exploit mobile Web browsers, said a military official who helps oversee the defense of the Air Force's networks.
About a year ago, the Air Force saw fewer than a dozen attacks targeting its phones each month. In May, the Air Force saw more than 500, the official said, though none of the probes was successful.
Journal Community
"We all see this tipping point coming," said Peter Tippett, who oversees an investigative-response team that studies computer crime at Verizon Business, a unit of Verizon Communications Inc. that serves corporations. "There is a lot of activity to figure out how to make it less likely that a financial transaction would be exploited" on a mobile phone, he said.
The financial services industry says it is working with app-store operators to ensure mobile-banking apps are authentic. "Customers should be able to know who they are dealing with," said Leigh Williams, president of BITS, an arm of the Financial Services Roundtable, a banking industry advocacy group
Some security experts believe Google's Android Market is more vulnerable than other app stores since Google doesn't examine all apps before they are available for users to download.
A Google spokesman said the company has put in place security measures, such as remotely disabling apps found to be malicious and requiring developers to register with its Checkout payment service, and argued there's no evidence for claims that its store poses a greater risk than others.
Apple vets applications before they appear in its App Store, but risks still exist. In July 2008, Apple pulled a popular game called Aurora Feint from its store after it was discovered to be uploading users' contact lists to the game maker's servers. More recently, it yanked hundreds of apps it said violated its policies, some out of security concerns.
"Consumers should be aware that iPhone security is far from perfect and that a piece of software downloaded from the App Store may still be harmful," wrote software engineer Nicolas Seriot in a research paper detailing iPhone security holes that he presented at a computer security conference in February.
Apple CEO Steve Jobs, speaking at the All Things D conference this week, said his company's employees carefully curate the store. "We have a few rules: has to do what it's advertised to do, it has to not crash, it can't use private APIs," or application programming interfaces, he said, adding that 95% of submissions are approved.
"Apple takes security very seriously," a spokeswoman said. "We have a very thorough approval process and review every app. We also check the identities of every developer."
Apple's iPhone itself isn't immune to mobile threats, either. Since 2008, security experts have identified at least 36 security holes in the phone's software, according to a review of the National Vulnerability Database maintained by the Department of Homeland Security. One, identified in September 2009, could have allowed hackers to learn someone's username and password from messages sent to servers when browsing the Web.
Some victims are now more cautious. Sara Dellabella, a car saleswoman in Cuba City, Wisc., said she doesn't download as many apps on her Motorola Inc. Droid phone, which uses Google's Android software, after a malicious game her son downloaded from the Android Market wiped out all of her text messages and personal notes. "It just rips your heart out," she said. "I am being more vigilant now."
New IT Term of the day
UDDI
Short for Universal Description, Discovery and Integration. A Web-based distributed directory that enables businesses to list themselves on the Internet and discover each other, similar to a traditional phone book's yellow an white pages.
"From the saintly and single-minded idealist to the fanatic is often but a step."
Fredrich August von Hayek
(1899-1992)
Nobel Laureate of Economic Sciences 1974
Note -
- As a member of this group, you get useful information to protect yourself and your IT assets and processes from various Computer and Related Crimes.
- If you think that your other friends/colleagues/acquaintances/relatives/foes/enemies also needs this information, forward the mail to them and request them to send their e-mail addresses and names to us with subject as "Subscribe".
- If you or someone has become victim of Computer Crimes or has any query on prevention, you are welcome to write to us.
- If you are not interested in it and would like to unsubscribe - send a reply mail with subject as "Unsubscribe".
- Disclaimer - We have taken due care to research and present these news-items to you. Though we've spent a great deal of time researching these matters, some details may be wrong. If you use any of these items, you are using at your risk and cost. You are required to verify and validate before any usage. Most of these need expert help / assistance to use / implement. For any error or loss or liability due to what-so-ever reason, CRPCC and/or Sysman Computers (P) Ltd. and/or any associated person / entity will not be responsible.
Build a bright career through MSN Education Sign up now.
No comments:
Post a Comment