Are Present Day Malware Beyond The Reach Of Cyber Security Products And Services?

Malware have been a big cyber security nuisance for a long time. Cyber security vendors have been trying to contain the various sophisticated malware that come up from time to time. As nations and state actors have become interested in these malware, and some of them are even funding their development and exploitation, cyber security products and services are finding it difficult to match their capabilities.

By the time a cyber security product or service is launched to contain a sophisticated malware, the havoc and damage are already done. In the article titled “Malware Are Defeating Cyber Security Safeguards With Ease”, this fight between malware and cyber security products has been aptly described.

Presently malware are clearly winning the fight between security and system infections as security products are inherently incapable of tackling zero day vulnerabilities and state sponsored cyber attacks.

In the research article titled “Prospective Cyber Security Trends In India 2015”, Perry4Law Organisation (P4LO) predicted that state sponsored cyber attacks would increase. This actually happened, and even Twitter and Google issued warnings that state sponsored cyber attacks may be directed at their products and services. The “Cyber Security Trends In India 2016” have also predicted the rise of botnets, malware and cyber attacks against critical infrastructures around the world.

It is a wake-up call for the cyber security vendors to either improve their security products and services or become redundant and ready to be exiled. What is the purpose of an anti-virus that cannot detect and remove a malware?

At the same time there is a need to change the attitude towards cyber security by individuals, companies and governments. At the organisation level, there must be a techno legal policy for cyber security that should be religiously followed. Any lapse in the policy may be lethal for the financial and brand value of the organisation.

As far as India is concerned, India is still struggling to establish the Chief Information Security Officer (CISO) culture. Even at the government level, CISO culture is still missing. For instance, recently the Prime Minister Office (PMO) of India appointed Dr. Gulshan Rai as the first CISO of India. Although this is a very good and proactive move, we have seen little development in this regard so far. Similarly, appointing Chief Information Officers (CIOs) was made mandatory for all banks in India in 2012, yet as of 2016 banks have not done so. In fact, cyber security of banks in India is in a very poor condition.

Even government projects like the National Critical Information Infrastructure Protection Centre (NCIIPC), National Cyber Coordination Centre (NCCC), etc have failed to achieve what they were set up for. There are no cyber breach disclosure norms in India as well. As a result, cyber security infrastructure in India is almost non-existent and needs to be revamped and strengthened immediately. This is more so when India has introduced the “Digital India” project that would make Indian infrastructure vulnerable to sophisticated cyber attacks from around the world. When everybody is passing the buck, who is going to bell the cat named malware?


Blog On International Legal Issues Of Cyber Attacks

Anybody who has dealt with international cyber law and cyber security related issues must be aware that it is really tough to solve such cases. Being transnational in nature, cyber law and cyber security issues require international cooperation among various nations and law enforcement agencies.

For instance, if a simple exercise of internet protocol tracking is undertaken, it takes months before any information is received from a foreign jurisdiction. Even then, such responses are exceptional rather than general practice. In this process, the crucial digital evidence is lost forever and the cyber crime investigation becomes a cold trail.

As there is a severe conflict of laws in cyberspace, it is very important to be aware of the various technology related laws of various jurisdictions. However, it is not possible to be aware of all the laws of all jurisdictions. In order to spread public awareness in this regard, Perry4Law Organisation (P4LO) has been managing a dedicated blog on international legal issues of cyber attacks and cyber security. It is the exclusive techno legal blog on the topic not only in India but in the entire world.

The blog has covered many techno legal aspects like use of cyber espionage malware, need for the national security policy of India, legal immunity against cyber deterrent acts in India, open source intelligence through social media websites, protection of Indian cyberspace, national counter terrorism centre (NCTC) of India, cyber security challenges of India, cyber preparedness of India, the Wassenaar Arrangement and cyber security issues, intelligence agencies reforms in India, banking cyber security, techno legal analysis of Gameover Zeus, cyber crimes insurance in India, smart cities cyber security in India, etc.

As on date we have no dedicated cyber security laws in India. This is the reason why cyber security is more ignored than complied with in India. Even the blooming e-commerce industry of India is devoid of the required cyber security practices and requirements. Cyber security of banks in India is also not up to the mark. This has forced the Reserve Bank of India to constitute an IT subsidiary that would consider, monitor and prescribe cyber security related rules, regulations and practices for banks in India. Even the Companies Act 2013 has prescribed cyber security obligations for the directors of companies. This is in addition to the cyber law obligations of banks and directors of Indian companies.

It is well understood that international legal issues of cyber attacks are not easy to handle. Nevertheless, the Indian government cannot afford to ignore this situation and it must urgently work towards making Indian cyber security robust, resilient and effective. P4LO hopes that our readers would find our blog on international legal issues of cyber attacks, cyber law and cyber security useful.


School Children In India Must Be Suitably Educated About Cyber Issues

Protecting children in cyberspace is a collective responsibility of all stakeholders, including the Indian government. At a time when the Indian government is adopting the Digital India project, our society at large is required to take care of our children while they use the Internet and information and communication technology (ICT).

There is no second opinion that children dealing with cyberspace require special attention and safeguards. Indian government and various stakeholders are required to adopt and use both legal and technical measures to safeguard interests of children. On the legal side we must have strong cyber law to punish the offender. On the technical side we must have effective technology, including hardware and software, which can prevent potential abuse of children in cyberspace.

While dealing with cyberspace, children may be either perpetrators or victims of cyber crimes, cyber bullying, pornography, etc. They must be made suitably aware of, as well as protected from, these cyber threats. After all, human rights protection in cyberspace also includes protection of children’s human rights.

Child pornography is an area that requires special attention of the Indian government. As per the cyber law trends of India 2013 (PDF) by Perry4Law’s Techno Legal Base (PTLB), child pornography in India is becoming a big nuisance. An Advisory (PDF) by the Home Ministry of India on Preventing and Combating Cyber Crime against Children in India has also been issued. Recently Interpol helped India in tracking child porn surfers. We also need a Techno Legal Framework so that child pornography can be curbed to the maximum possible extent in India.

Cyber law and cyber security awareness must also be made available to children at the school level itself. Schoolchildren must be made aware of the provisions of the Information Technology Act, 2000 (IT Act 2000) and other laws of India so that they are well aware of the consequences of their acts or omissions in cyberspace. Similarly, cyber security related aspects must also be taught to them to keep their cyberspace behaviour and activities cyber safe.

At PTLB Virtual Campus we believe that online skills development and education initiatives can play a significant role in educating our young generation. Virtual campus and e-learning platforms can provide “learn as you wish models” to school students that they can access from both school and their homes.

PTLB’s Online Skills Development and Training Platform has dedicated separate skills development, education and training courses for school students in fields like cyber law, cyber security, etc. More details and the enrollment procedure would be announced by us very soon. Till then please visit the website and its segments on a regular basis.


Cyber Security Challenges In India Would Increase

Cyber security is a complicated process to manage. It requires both technological expertise and legal compliance. Some developed nations have enacted cyber security regulations but they have outlived their natural lives. The present day cyber security regulations require a techno legal orientation that is a big challenge for legislators around the world.

India has enacted the Information Technology Act, 2000 that governs legal issues of e-commerce, e-governance, cyber crimes, etc. However, techno legal experts believe that Indian laws like the IT Act 2000 and the Telegraph Act require urgent repeal, and new and better techno legal laws must be enacted to replace these laws.

There are no dedicated cyber security laws in India. Indian government has drafted the cyber security policy of India 2013 but the same has not been implemented so far. Further, the policy is also suffering from many shortcomings including lack of privacy and civil liberties protection and absence of cyber security breaches disclosure norms. The cyber security trends of India (PDF) have also shown poor cyber security preparedness of India to protect its cyberspace and critical infrastructures.

India has still to take care of issues like critical infrastructure protection (PDF), cyber warfare policy (PDF), cyber terrorism, cyber espionage, e-governance cyber security, e-commerce cyber security, cyber security of banks, etc. Companies and individuals are also required to insure their businesses against cyber threats.

A cyber crime prevention strategy of India may be formulated very soon by the Indian government. This has come in the wake of a public interest litigation (PIL) filed at the Supreme Court of India that has asked the centre to frame regulations and guidelines for effective investigation of cyber crimes in India. Simultaneously, cyber crime investigation training in India is also needed.

The offensive and defensive cyber security capabilities of India are also required to be developed. A cyber attacks crisis management plan of India must also be formulated to tackle cyber attacks and cyber terrorism against India. The proposed National Cyber Coordination Centre (NCCC) of India is a good initiative regarding strengthening of Indian cyber security capabilities. The National Critical Information Infrastructure Protection Centre (NCIIPC) of India would also come in handy in protecting Indian cyberspace.

The ambitious project named Digital India would also require very robust and effective cyber security infrastructure and capabilities on the part of the Indian government and its agencies. There is no international cyber security treaty (PDF) or cyber law treaty that can help in resolving conflict of laws in cyberspace. Even a simple task of obtaining digital information from foreign companies like Google takes months to achieve. By that time the crucial evidence is already gone and the received information proves worthless.

We at Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) believe that cyber security breaches have significantly increased the world over. The cyber security challenges in India are not easy to manage, especially when India is a late entrant in this field. There is no doubt that Indian cyberspace must be protected on a priority basis as India would be relying more and more on digital services in the near future.


India Is A Sitting Duck In The Cyberspace And Civil Liberties Protection Regime

Indian Citizens, Political Organisations and Government Departments have been systematically targeted for Cyber Attacks for long. India was least bothered about these issues as India lacked the Cyber Security Capabilities to tackle these sophisticated cyber attacks. The Cyber Security Trends in India 2013 (PDF) and Global Cyber Security Trends and Updates 2014 by Perry4Law and PTLB have highlighted many “Shortfalls and Weaknesses” of Indian Cyber Security Efforts and Initiatives.

Amid all this chaos the Indian Government introduced the National Cyber Security Policy of India 2013 (NCSP 2013). The NCSP 2013 can be accessed Here (PDF), and an analysis of the same makes it clear that it failed to address many crucial Techno Legal Issues including Privacy and Data Protection. We have no dedicated Privacy and Data Protection Laws (PDF) in India as on date despite the pressing requirement for the same.

India is a Sitting Duck in the Cyberspace and Civil Liberties Protection Regime. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, Gameover Zeus (GOZ), etc cannot be tackled by India due to lack of Offensive and Defensive Cyber Security Capabilities. Cyber Security Breaches are increasing World over and India must be “Cyber Prepared” to deal with the same. The Cyber Security Challenges before the Narendra Modi Government are not easy to manage and Indian Cyberspace must be protected on a “Priority Basis”.

Civil Liberties like Privacy Rights must be respected by all. However, US FISA Court is a big trouble for Indian Privacy and Civil Liberties. For too long issues like Privacy Laws have been ignored in India and the Narendra Modi Government must ensure Privacy to Indians on a “Priority Basis”. The Policies in this regard must be changed urgently and work in the direction of enactment of dedicated Privacy and Data Protection Laws of India must be started as soon as possible. Intelligence Agencies Reforms in India must also be placed on the “Priority List” of Modi Government.

India must also stress upon “Indigenous Cyber Capabilities” to neutralise any isolation attempts through mechanisms like Wassenaar Arrangement. India has recently opposed the proposal to include Cyber Security Technologies under the Wassenaar Arrangement.

But the ultimate test for the Modi Government is to “Stand Up” and show that India is not a Sitting Duck in the fields of Cyber Security, Civil Liberties Protection and Cyber Security Capabilities. Of course, India must put her “Own House in Order” before proving that “Character and Strength”.


US Justice Department Charges Russian National For Creation Of Gameover Zeus (GOZ) Botnet

The Gameover Zeus or GOZ botnet is a well known malware that is capable of stealing sensitive banking and financial information and details. It first appeared in the year 2007 and then changed its form from time to time. The second version of the Zeus malware shifted its base from a centralised command and control server to peer-to-peer in September 2011. This has made it very difficult to apply countermeasures against Zeus, which is now known as the Gameover Zeus (GOZ) botnet.

It has been reported that the US Justice Department has indicted a Russian national with writing computer code used to compromise banking systems and assist others in stealing banking credentials. The government has unsealed a 14-count indictment accusing Russian national Evgeniy Mikhaylovich Bogachev, who authorities said is known online as Lucky12345, of involvement in the creation of the Gameover Zeus, or GOZ botnet. Authorities claim Bogachev and his group infected thousands of business computers with software that captured passwords, account numbers, and other information.

An international operation disrupted the crime ring. The European Cybercrime Centre also participated in the operation, along with Australia, Canada, France, Germany, Italy, Japan, Luxembourg, New Zealand, Ukraine and the United Kingdom. Intel, Microsoft, security software companies F-Secure, Symantec, and Trend Micro, and Carnegie Mellon University also supported the operation.

Authorities used technical and legal tactics to interrupt the so-called botnet’s operations, shutting down the servers the criminals used to control infected machines and causing those machines to “phone home” to servers controlled by law enforcement.  As part of the cleanup effort, federal agents have redirected infected computers to Homeland Security servers to identify victims and provide information about how to remove the malware. Victims can head over to the DHS’s Computer Emergency Readiness Team (US-CERT) website for assistance.

In a separate action, U.S. and foreign law enforcement officials also seized control of the malware known as Cryptolocker, which locks victims out of their computer files until they pay a ransom.

“This operation disrupted a global botnet that had stolen millions from businesses and consumers as well as a complex ransomware scheme that secretly encrypted hard drives and then demanded payments for giving users access to their own files and data,” said Deputy Attorney General James M. Cole.   “We succeeded in disabling Gameover Zeus and Cryptolocker only because we blended innovative legal and technical tactics with traditional law enforcement tools and developed strong working relationships with private industry experts and law enforcement counterparts in more than 10 countries around the world”.

The Gameover Zeus botnet operates silently on victim computers by directing those computers to reach out to receive commands from other computers in the botnet and to funnel stolen banking credentials back to the criminals who control the botnet. For this reason, in addition to the criminal charges announced today, the United States obtained civil and criminal court orders in federal court in Pittsburgh authorizing measures to redirect the automated requests by victim computers for additional instructions away from the criminal operators to substitute servers established pursuant to court order. The order authorizes the FBI to obtain the Internet Protocol addresses of the victim computers reaching out to the substitute servers and to provide that information to US-CERT to distribute to other countries’ CERTs and private industry to assist victims in removing the Gameover Zeus malware from their computers. At no point during the operation did the FBI or law enforcement access the content of any of the victims’ computers or electronic communications.


Iranian Hackers Created False Social Networking Accounts And A Bogus News Website To Spy On Military And Political Leaders In The US

Fake identities and pseudonymity are common features of the Internet. The United States has long been planning to use fake virtual people (a persona botnet) and persona management software, and by now the U.S. must actually be using these tactics. It has been alleged that radio waves and malware have been used by the United States’ NSA for world wide e-surveillance.

The relationship between the intelligence community, social media and open source intelligence is now well established. It is common practice among intelligence agencies around the world to use social media platforms and the Internet for gathering intelligence related information and data. The cyberspace landscape of India is fast changing, as is reflected in various cyber security and ICT trends. Keeping in mind contemporary requirements, the intelligence infrastructure of India needs transparency and strengthening.

It has been reported that Iranian hackers created false social networking accounts and a bogus news website to spy on military and political leaders in the United States, Israel and other countries. iSight Partners, which uncovered the operation, said the targets include a four-star U.S. Navy admiral, U.S. lawmakers and ambassadors, and personnel from Afghanistan, Britain, Iraq, Israel, Saudi Arabia and Syria.

The firm declined to identify victims and said it could not say what data had been stolen by the hackers, who were seeking credentials to access government and corporate networks, as well as intelligence on weapons systems and diplomatic negotiations.

iSight dubbed the operation “Newscaster” because it said the Iranian hackers created six “personas” who appeared to work for a fake news site, NewsOnAir.org, which used content from the Associated Press, BBC, Reuters and other media outlets. The hackers created another eight personas that purported to work for defense contractors and other organizations, iSight said.

The hackers set up false accounts on Facebook and other social networks for these 14 personas, populated profiles with fictitious personal content, and then tried to befriend targets, according to iSight. The operation has been active since at least 2011, iSight said, noting that it was the most elaborate cyber espionage campaign using “social engineering” uncovered to date from any nation.

To build credibility, the hackers would approach high-value targets by first establishing ties with the victims’ friends, colleagues, relatives and other connections over social networks including Facebook Inc, Google Inc, LinkedIn Corp and Twitter Inc. The hackers would initially send the targets content that was not malicious, such as links to news articles on NewsOnAir.org, in a bid to establish trust. Then they would send links that infected PCs with malicious software, or direct targets to web portals that ask for network log-in credentials, iSight said.

Iranian hackers stepped up their activity in the wake of the 2010 Stuxnet computer virus attack on Tehran’s nuclear program, widely believed to have been launched by the United States and Israel. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc have changed the way cyber warfare and cyber espionage battles are fought these days.

iSight said it could not ascertain whether the hackers were tied to the Tehran government, though it believed they were supported by a nation state because of the operation’s complexity.


Joshua Rogers Detected SQL Injection Vulnerability In EBay’s Sub Domain

eBay has been facing litigation in the United States and Europe over the cyber breach of its computer systems. These investigations would analyse whether or not eBay failed to adhere to proper cyber security practices and disclosure norms. Meanwhile, eBay is planning to boost the cyber security of its systems and this effort seems to be working.

Recently the IT security expert Joshua Rogers discovered a SQL injection vulnerability on an eBay.com.au sub domain. Whilst looking for some bugs in eBay, he came across the domain http://3.ebay.com.au/. It appeared to be a domain for phone users on the old “Three” phone carrier/network that was bought out by Vodafone a while ago.

On the third tab of the page, there was a link to the “Categories section”. This is a list of categories where one can view items to buy or, as in this case, go into a sub-category. Joshua noticed that a few $_GET parameters were being used. He simply appended an apostrophe to the first parameter, “emv_CatParent”. To his amazement, it came back with a half-completed page (pretty much the poster child of a blind SQL injection).

He faced some trouble during his exploration as Microsoft SQL Server was being used as the backend, not a Unix-based one. He loaded the website into sqlmap and did everything through there. First, he scanned the parameter to see if his assumption was right. He found that 1 to 10 columns were injectable. He also found that “Microsoft SQL Server/Sybase stacked queries” were injectable. This meant possible file read/write, so he did not take the research any further.
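To show why a lone apostrophe produces the half-completed page described above, here is an added example (not code from the original post or from eBay) of a category-listing handler written the vulnerable way beside its parameterized fix. It uses an in-memory SQLite table as a stand-in for the SQL Server backend, a hypothetical URL, and constructed category rows; the parameter name `emv_CatParent` is the one from the post.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db():
    """Constructed stand-in for the category backend; table and rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (parent TEXT, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)", [
        ("1", "Phones"), ("1", "Accessories"), ("Women's", "Dresses")])
    conn.commit()
    return conn


def list_categories_vulnerable(conn, cat_parent):
    # The untrusted value is spliced into the statement text, so a single
    # apostrophe changes the SQL grammar instead of the data being compared.
    sql = ("SELECT name FROM categories WHERE parent = '" + cat_parent
           + "' ORDER BY rowid")
    return [row[0] for row in conn.execute(sql)]


def list_categories_safe(conn, cat_parent):
    # Bound parameter: the driver passes the value separately from the
    # statement, so quotes inside it are data and nothing else.
    sql = "SELECT name FROM categories WHERE parent = ? ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (cat_parent,))]


def render_page(handler, conn, url):
    """Mimic the page handler: ("ok", rows) on success, or ("error", message)
    when the query fails, which is what a half-rendered page shows."""
    cat_parent = parse_qs(urlsplit(url).query).get("emv_CatParent", [""])[0]
    try:
        return ("ok", handler(conn, cat_parent))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = make_db()
    base = "http://example.test/categories?emv_CatParent="  # hypothetical URL
    # "1'" is the probe from the post; "Women's" is a legitimate value that the
    # concatenated query also breaks on, while the parameterized one handles it.
    for value in ("1", "1'", "Women's"):
        print(value, "vulnerable:", render_page(list_categories_vulnerable, conn, base + value))
        print(value, "safe:      ", render_page(list_categories_safe, conn, base + value))
```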

He reported the vulnerability to eBay, which was grateful to him for exposing it. Very soon eBay patched the vulnerability and publicly acknowledged Joshua’s efforts. This is the best step that the eBay team has taken after the recent cyber breach.


Three U.S. States Are Investigating EBay’s Cyber Security Standards And Cyber Security Breach Disclosure Practices

Cyber security breaches are very common and are increasing the world over these days. Cyber criminals are targeting companies possessing and storing sensitive information about people. These include banks, law firms, e-commerce companies and many more such institutions that retain others’ sensitive information.

However, these institutions are also required to ensure robust cyber security and effective data protection of the information and data submitted to them. We at Perry4Law believe that these institutions hold the information about their customers/clients in a fiduciary capacity and they are under legal obligation to protect this information as far as and as much as possible.

We also believe that the obligation is not only to protect the information but also to report any potential and actual cyber security breach that has taken place and that has endangered, or had the potential to endanger, the information of the customers/clients.

World over companies are not complying with the cyber security breach notification requirements. For instance, Target Corporation was attacked by cyber criminals and as a result of that Target Corporation faced litigation threats around the world. Similarly, EBay was also attacked recently and it has asked its customers to change their passwords.

Now it has been reported that three U.S. states have initiated an investigation into eBay’s cyber security practices. Connecticut, Florida and Illinois said they are conducting a joint investigation of the matter. New York Attorney General Eric Schneiderman requested eBay provide free credit monitoring for everyone affected, according to a person familiar with the matter.

Details about what happened are still unclear because eBay has provided few details about the attack, which is under investigation by the FBI and a cyber forensics firm. It is also unclear what legal oversight the states had to respond to eBay’s handling of the matter.

The states’ quick move to investigate the attack shows that authorities are serious about holding companies accountable for securing consumer data following high-profile breaches at other companies, including retailers Target Corp, Neiman Marcus and Michaels Stores and the credit monitoring bureau Experian Plc. Congress and the Federal Trade Commission are already investigating the Target breach, which resulted in the firing of the company’s chief executive and chief information officer.

The investigation by the three states will focus on eBay’s measures for securing personal data, the circumstances that led to the breach, how many users were affected and the company’s response to the breach, said Jaclyn Falkowski, a spokeswoman for Connecticut Attorney General George Jepsen. His office, which is also investigating breaches at Target Corp, Neiman Marcus and Experian, has already contacted eBay.

Several security experts said the best practices in responding to a breach of this type would be for eBay to have a message pop up when victims log in, telling them about it and forcing them to change their passwords.

EBay spokeswoman Amanda Miller declined to comment on the investigation by the three states or Schneiderman’s request for credit monitoring, but said the company was working with governments around the globe in the wake of the attack. “We have relationships with and proactively contacted a number of state, federal and international regulators and law enforcement agencies”, she said. “We are fully cooperating with them on all aspects of this incident”.

Indian customers of eBay can also take appropriate action against eBay under Indian laws, especially under the Information Technology Act, 2000. Indian regulatory authorities and law enforcement agencies must also initiate their own investigations in this regard to safeguard Indian customers’ interests.


U.S. Public Utility Cyber Attacked And Its Control System Network Compromised Reports ICS-CERT

Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, etc have been targeting virtually everything worth money or of strategic importance. They are also being used for cyber warfare and cyber espionage activities. They are stealthy in nature, and by the time they are detected much damage has already been done.

Supervisory control and data acquisition (SCADA) systems may be the new cyber attack priority for cyber criminals and rogue nations. The Internet is full of unprotected and unsafe devices, SCADA systems and computers. India is also required to protect critical ICT infrastructure (PDF) and SCADA systems.

The Department of Homeland Security (DHS) has reported that a sophisticated hacking group recently attacked a U.S. public utility and compromised its control system network, but there was no evidence that the utility’s operations were affected. The DHS also warned public utilities and critical infrastructure operators about the dangers of not using a firewall and allowing remote access to Internet facing devices.

As per the ICS-CERT report (PDF), the public utility was penetrated by a group of hackers that gained access to its control system network, although it found no evidence that the utility’s operations were affected. The agency said the utility was using a simple password mechanism, which hackers can easily bypass using a standard brute-forcing technique by trying various passwords until they hit the right one.

“It was determined that the systems were likely exposed to numerous security threats and previous intrusion activity was also identified. This incident highlights the need to evaluate security controls employed at the perimeter and ensure that potential intrusion vectors (ex: remote access) are configured with appropriate security controls, monitoring and detection capabilities” the ICS-CERT report claims.
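The monitoring and detection capability the report calls for at the remote access perimeter can be as simple as counting failed logins per source. As an added example (not from the ICS-CERT report or the utility), the following flags a source that accumulates five failures within sixty seconds and records whether a successful login followed the run; the log format, gateway name, user names and addresses are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines from a hypothetical remote access gateway ("gw01");
# the format, user names and addresses are made up for this example.
SAMPLE_LOG = """\
2014-05-20T02:14:01 gw01 remote-access: login failed for user admin from 203.0.113.7
2014-05-20T02:14:03 gw01 remote-access: login failed for user admin from 203.0.113.7
2014-05-20T02:14:04 gw01 remote-access: login failed for user operator from 203.0.113.7
2014-05-20T02:14:06 gw01 remote-access: login failed for user admin from 203.0.113.7
2014-05-20T02:14:09 gw01 remote-access: login failed for user root from 203.0.113.7
2014-05-20T02:14:11 gw01 remote-access: login succeeded for user admin from 203.0.113.7
2014-05-20T02:30:00 gw01 remote-access: login failed for user jsmith from 198.51.100.4
2014-05-20T03:45:12 gw01 remote-access: login succeeded for user jsmith from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ remote-access: login (?P<result>failed|succeeded) "
    r"for user (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a login event, or None for lines in another format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources that accumulate `threshold` failed logins within `window`.

    Each alert records the span of the failure run, the user names tried, and
    the first successful login from that source while failures are still inside
    the window (the "until they hit the right one" outcome)."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures in window
    alerts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        q = recent[src]
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if ev["result"] == "failed":
            q.append((ts, ev["user"]))
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {"first": q[0][0], "last": ts,
                                                "users": set(), "success_after": None})
                alert["last"] = ts
                alert["users"].update(user for _, user in q)
        elif src in alerts and q and alerts[src]["success_after"] is None:
            alerts[src]["success_after"] = (ts, ev["user"])
    return alerts


if __name__ == "__main__":
    for src, alert in find_bruteforce(SAMPLE_LOG).items():
        print(src, alert)
```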

The second threat involved an Internet-connected control system attached to a “mechanical device”, which was accessed by a hacker using a SCADA protocol. ICS-CERT said the device can be accessed directly through the Internet and is not protected by a firewall or authentication access controls. The device, however, was disconnected for maintenance at the time of the attack, said the report.

ICS-CERT said that the use of tools such as SHODAN, Google and other search engines to look for and identify devices that were not meant to be Internet facing, as well as the emergence of vulnerabilities such as Heartbleed continue to provide a threat to the Internet.
