Tuesday, July 10, 2012

FW: [CCCNews] CCCNews Newsletter - dated 2012 July 09




From: sysman01@mtnl.net.in
To: sysman01@mtnl.net.in
Subject: [CCCNews] CCCNews Newsletter - dated 2012 July 09
Date: Mon, 9 Jul 2012 21:25:08 +0530

NEWS LETTER
Centre for Research and Prevention of Computer Crimes, India
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)

July 09, 2012

Editor - Rakesh Goyal (rakesh@sysman.in)


In today's Edition - (This is a news-letter and not a SPAM)
*Direct Circulation - 111,000+

PROTEST : India protests European Union study of data laws
EDUCATION? : Telecom portal shut after 70% users found using default passwords
LAW : UK MP recommend jail sentence for data protection offences
TREND : 6 new ways hackers are using malware
IT Term of the day
Quote of the day
 
 
 

* Direct Circulation in 4 Google groups (control-computer-crimes@googlegroups.com and IT-Sec-NSE@googlegroups.com) and 2 more groups
Approved Organizations can get a two weeks free fully functional Bricade Business Risk Intelligence subscription, providing focused Industry Business Risk Intelligence and Actionable IT-Security Risk Alerts. Visit www.bricade.com for more info.

Please don't print this newsletter unless you really need to. Save Tree.
SAY NO TO PLASTIC WATER BOTTLES. 



--
You received this message because you are subscribed to the Google Groups "control-computer-crimes" group.
To post to this group, send email to control-computer-crimes@googlegroups.com.
To unsubscribe from this group, send email to control-computer-crimes+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/control-computer-crimes?hl=en.


--Forwarded Message Attachment--

CCCNews-Newsletter-2012-07-09

IT and Related Security News Update from

Centre for Research and Prevention of Computer Crimes, India

(www.cccnews.in)

Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)

July 09, 2012



PROTEST : India protests European Union study of data laws

AMITI SEN,

ET BUREAU

9 JUL, 2012

http://economictimes.indiatimes.com/news/economy/foreign-trade/india-protests-european-union-study-of-data-laws/articleshow/14758875.cms

 

NEW DELHI: India has protested against a European Union decision to study India's data protection laws to find out if they are in conformity with those in the 27-nation grouping.

 

The EU wants to ensure that the Indian laws meet its directive before it makes a commitment on the issue in the bilateral free trade agreement being negotiated between the two.

 

The EU has not accepted India's assertion that it was a 'data secure' country. This has affected the EU's plan to double the flow of outsourcing business from the region.

 

"We will not tie our demand for data secure status to any study from the EU side," a commerce department official told ET. "We do not want a situation where we are told just days before signing the deal that the study results were not positive."

 

Commerce and industry minister Anand Sharma had in a recent meeting with EU trade commissioner Karel De Gucht stressed India be given the status of a data secure country before the two sides sign the FTA.

 

According to the EU law, European nations outsourcing business to countries that are not certified as data secure have to follow stringent contractual obligations, which increases operating costs and affect competitiveness. Several European companies hesitate in doing business with India as they do not want to invite trouble by unwittingly failing to fulfill the conditions laid down by the EU.

 

"If India is given data secure status, not only will Indian firms save on costs but EU companies will also have increased confidence in doing business here," said Kamlesh Bajaj, chief executive of Data Security Council of India, an independent self-regulatory organization set up by IT body Nasscom.

 

Outsourcing business from the EU could jump to $50 billion annually from $20 billion in a short span once India is recognized as a data secure destination, Bajaj said.

 

India amended the Information Technology Act in 2006 after some cases of fraud came to light in the BPO sector. Two years later, the law was amended again and made compliant with the EU law on data protection.

 

India, however, continues to be among the countries not considered data secure by the EU. This obstructs flow of sensitive data, such as intellectual property or patient information for telemedicine, to India under data protection laws in the EU.

 

"India has already given the EU enough material to show how the IT Act 2006 meets the requirements of their data protection directive. We have incorporated the kind of privacy principles and enforcement mechanism that the EU asks for," Bajaj said.

 

The Data Security Council works with the government in ensuring that the IT industry adheres to the laid down security and privacy norms.

 

"We have told the EU that our law may not be worded exactly in the way the EU directive is, but it essentially is the same," the commerce department official quoted earlier said.

 

India will continue giving the issue priority in the on-going negotiations, in addition to other services related concerns like movement of professionals, the official said.

 



EDUCATION? : Telecom portal shut after 70% users found using default passwords

Top Dutch telecom firm shuts its customer self-service portal after discovering users not bothering to change default password.

By John Fontana

Identity Matters

July 6, 2012

http://www.zdnet.com/telecom-portal-shut-after-70-of-customers-found-to-be-using-default-passwords-7000000417/

 

The Netherlands' leading telecommunications company closed its customer self-service management portal Thursday after discovering that nearly 70% of its users had not changed the default password after they opened their accounts.

 

KPN said 120,000 of the 180,000 users of its Business Z-ADSL self-care portal were using the password "welkom01," which is automatically set when an account is created. Another 20,000 users had user names that were also their passwords.

 

KPN customers were not required to change the default password, even though the portal was used for account management, including contact details, bank account numbers, and subscription services. The portal also allowed users to change their passwords, an option hackers could have used to easily hijack accounts.

 

It is not uncommon for computer hardware to ship with default passwords already installed, but online services typically let users create their own usernames and passwords.

 

The situation was reported to KPN by the IDG Netherlands web site Webwereld, which was tipped off by Robert 4U IT, an IT services firm, and a subsequent story was posted by IDG's ComputerWorld.

 

The company said it was not aware of the issue and praised Webwereld for informing KPN of the situation. KPN said the portal was immediately "slammed shut" and registration procedures were altered to make the site more secure.

 

The company said no accounts were hacked, but all 140,000 were automatically reset. Customers were sent an email telling them how to reset their passwords.

 

The site is now back online and KPN apologized to its customers.
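The two weaknesses in this story (accounts still on the vendor default, and accounts whose password equals the username) are exactly what an operator of such a portal can audit for, and what a registration or reset flow can refuse up front. The following is an added example written for this newsletter, not KPN's code or anything from the ZDNet article: it stores salted PBKDF2 hashes, classifies a constructed set of accounts by checking each stored hash against the default "welkom01" and against the account's own username, and exposes the acceptance rule a reset form should apply. The account names and passwords are made up; only the default password string comes from the article.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# The portal default quoted in the article; everything else in this file is constructed.
DEFAULT_PASSWORD = "welkom01"
PBKDF2_ITERATIONS = 50_000   # kept modest so the demo runs quickly; tune upward in production


@dataclass(frozen=True)
class Account:
    username: str
    salt: bytes
    pw_hash: bytes   # PBKDF2-HMAC-SHA256 of the password under this account's salt


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def uses_password(account: Account, candidate: str) -> bool:
    """True if the stored hash matches the candidate; comparison is constant-time."""
    return hmac.compare_digest(account.pw_hash, hash_password(candidate, account.salt))


def audit_accounts(accounts):
    """Bucket every account by the two weaknesses the article describes.

    Hashing is one-way, so the audit does not recover passwords: it only asks
    whether each account's hash matches the known default or its own username.
    """
    report = {"default_password": [], "username_as_password": [], "other": []}
    for acct in accounts:
        if uses_password(acct, DEFAULT_PASSWORD):
            report["default_password"].append(acct.username)
        elif uses_password(acct, acct.username):
            report["username_as_password"].append(acct.username)
        else:
            report["other"].append(acct.username)
    return report


def is_acceptable_password(username: str, candidate: str) -> bool:
    """Registration/reset rule: refuse the vendor default and the username itself.

    Whitespace is stripped and case is ignored so trivial variants are also refused.
    """
    normalized = candidate.strip().lower()
    return normalized not in {DEFAULT_PASSWORD.lower(), username.strip().lower()}


# Constructed sample user base (not KPN data): four on the default, one using the
# username as password, two with passwords of their own.
SAMPLE_ACCOUNTS = [
    make_account("cust1001", "welkom01"),
    make_account("cust1002", "welkom01"),
    make_account("cust1003", "cust1003"),
    make_account("cust1004", "welkom01"),
    make_account("cust1005", "welkom01"),
    make_account("cust1006", "correct horse battery staple"),
    make_account("cust1007", "Tr0ub4dor&3"),
]


def audit_sample():
    return audit_accounts(SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    result = audit_sample()
    total = len(SAMPLE_ACCOUNTS)
    for bucket, names in result.items():
        print(f"{bucket:22s}: {len(names)}/{total} {names}")
```

The audit only works because the two candidate strings are known; it finds nothing about other weak passwords. The durable fix is the second function, applied at account creation and at every reset, together with forcing a change on first login so the default never persists in the first place.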

 



LAW : UK MP recommend jail sentence for data protection offences

Home Secretary should introduce jail sentence punishment for some data protection offences, committee of MPs recommends

Individuals should face jail sentences for unlawfully obtaining, disclosing or selling personal data, a committee of MPs has recommended.

OUT-Law

06 Jul 2012

http://www.out-law.com/en/articles/2012/july/home-secretary-should-introduce-jail-sentence-punishment-for-some-data-protection-offences-committee-of-mps-recommends/

 

The House of Commons' Home Affairs Select Committee said that the typical penalties that are currently levied for breaching Section 55 of the Data Protection Act do not put people off illegally trading personal information.

 

The Home Secretary should introduce jail sentences as a possible punishment for data protection offenders, the committee said.

 

"We recommend that the Home Secretary exercise her power under section 77 of the Criminal Justice and Immigration Act 2008 to strengthen the penalties available for offences relating to the unlawful obtaining, disclosure and selling of personal data under section 55 of the Data Protection Act," a report by the committee into the business of private investigators said. "The current fine – typically around £100 – is derisory. It is simply not an effective deterrent."

 

The Home Affairs Select Committee is the latest Parliamentary committee to recommend that data protection offenders go to jail. Last year the Justice Committee made the same recommendation to Government.

 

Section 55 of the Data Protection Act (DPA) states that it is generally unlawful for a person to "knowingly or recklessly without the consent of the data controller obtain or disclose personal data or the information contained in personal data, or procure the disclosure to another person of the information contained in personal data" without the consent of those who control the data.

 

The current penalty for committing a section 55 offence is a maximum £5,000 fine if the case is heard in a Magistrates Court and an unlimited fine for cases tried in a Crown Court.

 

Under the Criminal Justice and Immigration Act the Justice Secretary has the power to introduce new regulations that would allow a custodial sentence penalty to be available for the offences under Section 55 of the DPA, but those powers have yet to be used. In 2008 the Act came into force without those powers being immediately available.

 

The UK's data protection watchdog, the Information Commissioner's Office (ICO), has long called for the new powers to be introduced. It previously said that a Government consultation on "increasing penalties for wilful misuse of personal information" held in 2006 had prompted overwhelming support for jail sentences to be handed out as part of the new laws.

 

Earlier this year Information Commissioner Christopher said that "chicken feed fines" were insufficient to deter individuals from 'blagging' information.

 

In its report the Home Affairs Select Committee said that personal data was "easier than ever" to access and that there were "new and unscrupulous suppliers" of the information that "may not be registered with the Information Commissioner and are unlikely to understand the rules under which they ought to operate."

 

The MPs said that private investigators and private investigation firms should both be regulated. The committee recommended that individuals who breach data protection laws should have their licence suspended, should be barred from "engaging in investigation activity" and face "meaningful penalties for the worst offences."

 

Nobody should be able to call themselves a 'private investigator' without a licence to do so and their activities, and those of private investigation firms, should be governed by a new 'code of conduct', the Parliamentary committee said. The code should also apply to businesses that carry out "in-house investigation work" whose activities are "already subject to regulation, such as solicitors and insurance companies." Those businesses would not require "full licensing" but would need to be "registered" to do investigatory work, it said.

 

A new Security Industry Authority should regulate the private investigation industry, the MPs said.

"Both should be governed by a new Code of Conduct for Private Investigators, which would also apply to sub-contracted and part-time investigators," the report said. "A criminal record for breach of section 55 should disqualify individuals from operating as private investigators."

 

The Parliamentary committee said that although licensing would "impose an additional regulatory burden on the industry", the sector may be able to obtain "increased access" to some databases as a result of the "new safeguards" introduced through regulation.

 

"We recommend that the Government analyse the risks and benefits of granting increased access to certain prescribed databases for licensed investigators, in order to facilitate the legitimate pursuit of investigation activities," it said. "For example, a licence may confer the right to access the on-line vehicle-keeper database in certain circumstances."

 

"It should consider how this would interact with the changes proposed to data protection laws by the European Commission. The United Kingdom has rightly moved to a situation of information management rather than merely looking at data protection. We also recognise that appropriate sharing of data can prevent crime and contribute significantly to other outcomes that are in the public interest. However, any new access should be carefully monitored," the report said.

 

The MPs called on the Government to press ahead with plans to reform the private investigation industry and said a new licensing and registration regime could be implemented before the end of 2013.

 

The Parliamentary committee also called on the Government to do more to "sever the links between private investigators and the police forces". Among the actions it called for was a ban on retiring police officers working in private investigation for at least a year. It also said that "any contact between police officers and private investigators should be formally recorded by both parties, across all police forces".

 

The Government should also seek to merge the functions of the Information Commissioner, the Chief Surveillance Commissioner and the Interception of Communications Commissioner into a single 'Office of the Information and Privacy Commissioner' in order to ensure better protection for individuals' personal privacy, the MPs recommended.

 



TREND : 6 new ways hackers are using malware

By Matthew Black

CBC News Jul 5, 2012

http://www.cbc.ca/news/technology/story/2012/07/05/f-malware-hackers.html?cmp=rss

 

Malware, the malicious viruses and bugs employed by computer hackers to con and annoy, has become more prevalent in Canada than ever before, according to computer industry research.

 

In fact, the volume of malicious software detected in 2011 was up 41 per cent over the previous year, said Dean Turner, director of Symantec Intelligence Group.

 

At the same time, the complexity of computer viruses is also increasing. Long gone are the days when they were nuisances that scuttled Word documents.

 

"The long and short of it is that today's malware is incredibly sophisticated," said Turner, who estimated that 90 per cent of it is used for cybercrime, aimed at banks and businesses as well as personal computers.

 

Among the more prominent attack points these days:

 

Break into your (Android) phone

 

When it comes to today's smartphones, malware is still a relatively new phenomenon but one that Turner says is growing rapidly.

 

There are now 67 malware "families" (groupings of related malicious software) for mobile phones, compared to fewer than 10 in January 2010, Symantec reports.

 

Turner notes that Android's open-source model for phone apps, compared to Apple's heavily vetted system, makes the Google devices a particular target.

 

"Trying to create malware for any mobile device is difficult," said Turner. "It's more about Trojan applications, apps purporting to be one thing but that are actually stealing your data.

 

"That's much more difficult to do in the Apple world than in the Android world."

 

In December 2011, Google removed 22 apps from the Android market on the grounds they were scamming users into paying premium SMS charges for texts.

 

Target you via social media

 

Social media is also proving to be fodder for hackers who use sites like Facebook and Twitter to target who they will send their malware to next.

 

In 2010, hackers found a loophole in Adobe's software and sent a number of golf-playing executives a malware-ridden pdf file claiming to contain tips from noted golf instructor David Leadbetter.

 

"Want to improve your score? In these golf tips, David Leadbetter shows you some important principles," the message read. Turner said that the executives were likely targeted because of social media profiles that highlighted their enthusiasm for golf.

 

Hold your computer ransom

 

"Ransomware" has emerged as a popular scam for small-time hackers. It typically involves holding a computer hostage with the threat to erase the data unless a payment is made.

 

The RCMP just issued a warning this week about the so-called Reveton Trojan, a recent example of ransomware that freezes a computer and demands payment for a supposedly illegal activity.

 

In Canada, this malware was employed to freeze computers and send a pop-up message, purportedly from the Canadian Security and Intelligence Service claiming that the address had been linked to downloading child pornography and would remain frozen unless the user made a $100 payment through an online payment site.

 

Other variants of the scam have accused users of illegally downloading music, viewing pornographic videos or sending spam messages.

 

A Trojan is software that appears to be a legitimate program, but is in fact malware capable of stealing information or endlessly replicating itself.

 

Direct you to money-making sites for hackers

 

Another malware virus called DNSChanger may end up closing a portion of the internet for a time on July 9 as the FBI shuts down a series of servers deployed in the wake of a massive international fraud.

 

In November 2011, a two-year international investigation called Operation Ghost Click revealed that over 25,000 computers in Canada were infected with the DNSChanger virus.

 

The malware redirected web browsers to sites of the hackers' choosing and netted the scammers nearly $20 million over four years in "per-click" advertising revenue for those behind the virus, according to Paul Vixie, chairman and founder of the Internet Systems Consortium.

 

The virus originated in Estonia and was distributed through emails, websites and malware scripts.

 

The number of computers affected worldwide, estimated to be over 650,000 computers, was enough to convince the FBI to establish temporary "clean" DNS servers that would allow users of infected computers time to rid their computers of the virus and still access the internet. But those temporary servers go offline permanently on July 9.

 

Espionage

 

In 2010, a powerful virus known as Stuxnet targeted Iranian nuclear centrifuges, reportedly shutting down over 1,000 of the machines used to refine uranium.

 

Eight months later, a second virus known as Stars attacked the same country's nuclear facilities.

 

Then, two months ago, cybersecurity experts uncovered a worm capable of mining vast amounts of data from infected machines. Known variously as Flame, Flamer or Skywiper, the malware uses a variety of tactics to steal sensitive information, including surveying network traffic, taking screenshots (including during instant messaging sessions), recording audio conversations through an infected computer's internal microphone, and collecting passwords.

 

Because of its sophistication and geographic targets, primarily in the Middle East, the malware is believed to be the work of government spy agencies.

 

"Now we've found what might be the most sophisticated cyberweapon yet unleashed," Alexander Gostev wrote in May on Kaspersky Lab's blog. "Flame is one of the most complex threats ever discovered."

 

Hacktivism

 

While most malware is rooted in cybercrime, some hackers are increasingly attaching a political or activist message to their work.

 

"This is a pitched battle over the terrain of democracy on networks, freedom of expression in the internet age," Dwayne Winseck, a professor at Carleton University's school of journalism and communications, said to CBC News last year. "So it ain't gonna stop."

 

Data breaches in the name of a social or political cause were responsible for 58 per cent of stolen data in 2011, according to the Verizon 2012 Data Breach Investigations Report.

 

Recent high-profile incidents of hacktivism include the hacking of the websites of the U.S. Department of Justice and the FBI by the group Anonymous in January 2012, in response to the shutdown of the file-sharing site Megaupload; and the takeover of the Fox News politics Twitter account on July 4 (Independence Day), 2011, in which hackers posted false tweets claiming President Barack Obama had been assassinated.

 

In October 2011, Anonymous claimed to have uncovered and taken offline more than 40 child pornography sites. The group also posted a list of over 1,500 of the sites' usernames.

 



New IT Term of the day


time-out


An interrupt signal generated by a program or device that has waited a certain length of time for some input but has not received it. Many programs perform time-outs so that the program does not sit idle waiting for input that may never come. For example, automatic bank-teller machines perform a time-out if you do not enter your password quickly enough.
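The definition above is easiest to see in working code. The example below is added for this entry and is not part of the newsletter: it waits on a file descriptor for a bounded time using the operating system's select() call, so the wait is done by the kernel rather than by a busy loop, and it returns None when the deadline passes with no input. The demo uses a pipe standing in for the keypad of the bank-teller example: first nothing is typed and the read times out, then "1234" is written and the read succeeds at once. The function and names are constructed for this illustration.

```python
import os
import select
import time


def read_with_timeout(fd: int, timeout_seconds: float, max_bytes: int = 1024):
    """Wait up to timeout_seconds for fd to become readable.

    Returns the bytes read, or None if the deadline passed with no input
    (the time-out case). select() blocks in the kernel until either data
    arrives or the timeout elapses, so no CPU is spent polling.
    """
    readable, _, _ = select.select([fd], [], [], timeout_seconds)
    if not readable:
        return None          # time-out: caller decides what to do (e.g. end the session)
    return os.read(fd, max_bytes)


def demo():
    """Constructed demo: one read that times out, then one that receives input."""
    read_end, write_end = os.pipe()
    try:
        started = time.monotonic()
        first = read_with_timeout(read_end, 0.2)      # nobody writes -> None after ~0.2 s
        waited = time.monotonic() - started

        os.write(write_end, b"1234")                  # the "user" enters a PIN
        second = read_with_timeout(read_end, 0.2)     # data already waiting -> returns at once
    finally:
        os.close(read_end)
        os.close(write_end)
    return first, second, waited


if __name__ == "__main__":
    first, second, waited = demo()
    print("first attempt :", "timed out" if first is None else first, f"(waited {waited:.2f} s)")
    print("second attempt:", second)
```

Bounding every wait this way is also what keeps an idle or abandoned session from holding a resource indefinitely, which is why the ATM in the definition ends the transaction rather than waiting forever for a PIN.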

 



Quote of the day


It also gives us a very special, secret pleasure to see how unaware the people around us are of what is really happening to them.

 

Adolph Hitler

 


 

Note -

  1. As a member of this group, you get useful information to protect yourself and your IT assets and processes from various Computer and Related Crimes.
  2. If you think that your other friends/colleagues/acquaintances/relatives/foes/enemies also need this information, forward the mail to them and request them to send their e-mail addresses and names to us with subject as "Subscribe".
  3. If you or someone has become victim of Computer Crimes or has any query on prevention, you are welcome to write to us.
  4. If you are not interested in it and would like to unsubscribe - send a reply mail with subject as "Unsubscribe".
  5. Disclaimer - We have taken due care to research and present these news-items to you. Though we've spent a great deal of time researching these matters, some details may be wrong. If you use any of these items, you are using at your risk and cost. You are required to verify and validate before any usage. Most of these need expert help / assistance to use / implement. For any error or loss or liability due to what-so-ever reason, CRPCC and/or Sysman Computers (P) Ltd. and/or any associated person / entity will not be responsible.

 

 
