Date: Wed, 30 Jun 2010 20:18:00 +0530
From: sysman01@mtnl.net.in
Subject: [CCCNews] CCCNews Newsletter - dated 2010 June 30
To: sysman01@mtnl.net.in
June 30, 2010
Editor - Rakesh Goyal (rakesh@sysman.in)
In today's Edition - (This is a news-letter and not a SPAM)
AWARELESS : Indian embassy site becomes porn site
PLAN : U.S. unveils plan to make online transactions safer
LAW : Rs 1cr fine for UID data theft?
UNSAFE : Reliance on passwords is biggest security threat
IT Term of the day
Quote of the day
* Direct Circulation in 4 Google groups (control-computer-crimes@googlegroups.com and IT-Sec-NSE@googlegroups.com) and 2 more groups
--
You received this message because you are subscribed to the Google Groups "control-computer-crimes" group.
To post to this group, send email to control-computer-crimes@googlegroups.com.
To unsubscribe from this group, send email to control-computer-crimes+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/control-computer-crimes?hl=en.
--Forwarded Message Attachment--
IT and Related Security News Update from
Centre for Research and Prevention of Computer Crimes, India
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
June 30, 2010
Today�s edition ��
AWARELESS : Indian embassy site becomes porn site
PLAN : U.S. unveils plan to make online transactions safer
LAW : Rs 1cr fine for UID data theft?
UNSAFE : Reliance on passwords is biggest security threat
(Click on heading above to jump to related item. Click on �Top� to be back here)
AWARELESS : Indian embassy site becomes porn site
A web portal which once belonged to the Indian Embassy in Bahrain has now become a porn site
PTI,
Jun 25, 2010
DUBAI: A Web portal which once belonged to the Indian embassy in Bahrain has now turned into a porn site with a local telecom services provider blaming the mission for the lapse.
The Teen Porn website, located at www.indianembassy-bah.com, was used by the Indian embassy before they moved to www.indianembassybahrain.com last year.
"The embassy should not have let the name go and should have secured it, even if they had to change the administrator," said an official of Batelco, the local telecom services provider.
The official told the Gulf Daily News that Batelco was powerless to help, since it was only responsible for registering domain names ending in .bh.
A spokesperson of the Indian embassy said they simply stopped using the old website when it changed administrators and was shocked to discover the old address was now being used to peddle porn.
"We stopped using this address in July last year after we were not satisfied with the service we were provided by the administrators. Ever since we changed to the new address, www.indianembassybahrain.com," the spokesperson said.
"But since we have had scores of calls from people complaining about the old address being used for pornography."
He said the embassy had tried contacting those behind the Teen Porn site, but had received no response. "When they contacted Incarnate (ME), the company that used to administer their website, they were told the person responsible for looking after their old site had moved to India. However, we (the embassy) and the company are unable to get in touch with him," the spokesman told the paper.
"Under the circumstances, there is nothing we can do but keep telling people about the new address," he said. However, they never realised that it would resurface as a site selling pornography. Since it is an unregistered free domain, it is unclear who owns it, the paper said.
The official from Batelco also advised institutions to register their internet domain names to protect their rights and privacy, as well as to prevent misuse.
For the moment though, anyone searching Google for "Indian embassy Bahrain" will find the Teen Porn website listed first, above the official Indian embassy site.
PLAN : U.S. unveils plan to make online transactions safer
by LOLITA C. BALDOR
AP
June 26, 2010
WASHINGTON � In the murky world of the Internet, how do you ever really know who you're talking to, who you're buying from or if your bank can actually tell it's you when you log in to pay a bill?
Amid growing instances of identity theft, bank account breaches and sophisticated Internet scams, the government is looking for ways to make those transactions in cyberspace more secure.
But officials must tread carefully, as efforts to create identity cards, personal certificates or other systems of identifiers raise privacy worries and fears of Big Brother tracking its citizens online.
In a draft plan released Friday, the White House laid out an argument for a yet-undeveloped, voluntary identification system and set up a website to gather input from experts and everyday Internet users on how it should be structured.
The website was already getting votes, snipes and suggestions Friday afternoon � underscoring the incendiary nature of any discussion of Internet regulation or formal structure.
"The technology that has brought many benefits to our society and has empowered us to do so much has also empowered those who are driven to cause harm," said White House cyber coordinator Howard Schmidt in a blog posting Friday outlining the need for better security online.
The plan, he said, envisions a future in which people would be able to get a secure identifier � such as a smart identity card or a digital certificate � from a variety of service providers. Customers could then use the card or identifier to prove who they are as they make their online transactions.
"Digital authentication has been the holy grail of Internet security policy since the early '90s," said James Lewis, cyber security expert and senior fellow at the Washington-based Center for Strategic and International Studies. This latest effort, he said, has a better chance of succeeding than previous tries, "but we need to see how much opposition it runs into and whether people will actually use it even if it gets deployed."
Ari Schwartz, vice president at the Center for Democracy and Technology, said the unfettered openness of the Internet is what allowed it to grow and prosper but also created security gaps that need to be addressed. But any move to improve identity systems raises many concerns.
"The whole thing is very difficult to do and privacy is one of the more difficult pieces of it," said Schwartz, adding that the system has to balance efforts to maintain privacy while still finding out enough about someone to ensure his identity.
The government, he said, is correct to try to plan ways to move toward better security, rather than letting it just happen with no coordination.
But cyber security experts also argued that the technologies for creating such identifiers already exist and are already used in different ways by businesses, particularly banks.
"The vision they put forth is already realized and commercially available," said Roger Thornton, a cyber security expert and chief technology officer for California-based Fortify Software.
He noted that banks already use sophisticated fingerprinting processes to identify a customer who signs in. The system knows if a customer is using a different computer and will often require additional identification if that computer has not been used for the banking website before.
But many companies don't bother with the more expensive or complex identification systems.
So, said Thornton, "the opportunity is there to make things more interoperable and more uniform."
The draft plan is part of an administration effort to promote cyber security both within the government and among society as a whole. Lawmakers have introduced a number of bills aimed at furthering those goals, and the White House plan was met with initial support from one of the authors of Senate computer security legislation
LAW : Rs 1cr fine for UID data theft?
Mahendra Kumar Singh
TNN,
Jun 30, 2010
http://timesofindia.indiatimes.com/india/Rs-1cr-fine-for-UID-data-theft/articleshow/6108500.cms
NEW DELHI: With the UPA government keen to roll out its ambitious plan of giving unique identity numbers to nearly a billion people, the Unique Identification Authority of India (UIDAI) is ready with a draft legislation to ensure data security and confidentiality of information. It has also proposed strict punishment for impersonation and breach of privacy, with fines ranging upto Rs 1 crore.
The draft bill proposes to make UIDAI a statutory body and provides for strict penalty for offences like disclosing identity information, impersonation, giving wrong biometrics and unauthorised access to data.
The draft law says that if any person "intentionally discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication to any person not authorised", he will be punished by imprisonment for a term which may extend to three years or with a fine which may extend to Rs 10,000.
In the case of a company, the fine may extend to Rs 1 lakh. Any person not authorised by UIDAI caught accessing Central Identities Data Repository (central databank) will be punished with imprisonment for a term which may extend to three years and will be liable to a fine which shall not be less than Rs 1 crore.
UNSAFE : Reliance on passwords is biggest security threat
Warwick Ashford
29 June 2010
Passwords are fundamentally insecure and represent the biggest security threat facing organisations, says Jason Hart, senior vice-president for Europe at security firm Cryptocard.
Hart, a former ethical hacker, is able to demonstrate how easily available software can be used by hackers to capture every username and password of any user on a network.
Hackers are able to view the username and password victims type in to access e-mail systems, business systems and cloud services, even those using a secure internet protocol (https) or encryption.
It is impossible to protect anything that connects with the internet through any means against this kind of attack at the protocol level, he said.
Hart also showed how Google search can be used to find the administrator's password for the database of a cloud-based service or back-ups that contain usernames and passwords.
Another common way of stealing usernames and passwords is to install invisible keyloggers on victim's computers.
"Because the hacker activity is invisible and may never be discovered, many people believe passwords are secure," said Hart.
Invisible keyloogers are in effect zero-day attacks that will by-pass most security software to steal user names and passwords, no matter how long or complex, he said.
"Complex passwords may take longer to guess, but offer no defence against keyloggers and other capturing tools," he said.
There are step-by-step guides available on YouTube on how to do this through legitimate-looking e-mails, said Hart.
Hackers can also use various simple social engineering techniques to target victims by posing as a member of a company's IT security team.
In this scenario, hackers send e-mails to new employees directing them to legitimate-looking web pages, where they are asked to type in and confirm their username and password.
"A simple search on Twitter is a very easy way to identify potential victims, with millions of people talking about new jobs with big-name organisations," said Hart.
Once a hacker has a valid username and password, they are able to access business IT systems undetected and then elevate user privileges to access sensitive information, he said.
Despite the threat, less than 5% of organisations around the world have adopted two-factor authentication methods, which can be rolled out easily for less than �2 a month, said Hart.
The threat will become even greater, he said, as more organisations start using cloud-based computing services that continue to rely entirely on passwords for protection.
Using passwords can result in a degree of complacency, according to William Beer, director of information security in the risk assurance practice at PricewaterhouseCoopers.
"There are ways around passwords and encryption, so they are by no means a silver bullet," he told Computer Weekly.
Organisations also typically confuse password protection with encryption, but if something is password protected, it does not necessarily mean it is encrypted, he said.
New IT Term of the day
release candidate
Abbreviates as RC, a release candidate is a version of a program or software that is functional but not quite ready to be released to the consumer market. Often, glitches and issues with the software are known to the developer, and those issues need to be fixed before the developer releases the product to a sample of consumers for the next phase of development, beta testing. Some developers, such as Microsoft, have a special technical service users group to which they offer a release candidate for trial before a more open public beta test.
Time is one of the most democratic resources we have; everybody has 24 hours each day.� So, use your time efficiently and make most and best of that which is available.
Today, identify how you waste your time eg: surfing on the net, being indecisive or sifting through the office desk chaos and then work on halving it.
Note -
- As a member of this group, you get useful information to protect yourself and your IT assets and processes from various Computer and Related Crimes.
- If you think that your other friends/colleagues/acquaintances/relatives/foes/enemies also needs this information, forward the mail to them and request them to send their e-mail addresses and names to us with subject as "Subscribe".
- If you or someone has become victim of Computer Crimes or has any query on prevention, you are welcome to write to us.
- If you are not interested in it and would like to unsubscribe - send a reply mail with subject as "Unsubscribe".
- Disclaimer - We have taken due care to research and present these news-items to you. Though we've spent a great deal of time researching these matters, some details may be wrong. If you use any of these items, you are using at your risk and cost. You are required to verify and validate before any usage. Most of these need expert help / assistance to use / implement. For any error or loss or liability due to what-so-ever reason, CRPCC and/or Sysman Computers (P) Ltd. and/or any associated person / entity will not be responsible.
The dark side of terrorists revealed in MSN Internal Security Get it now.
No comments:
Post a Comment