Cyber Security


March 29, 2017

Developments this week revived the heated debate over the needs of national security versus the protection of privacy on the internet. Following the terror attack on the British Parliament at Westminster, UK Home Secretary Amber Rudd demanded access to the encrypted messages of suspected terrorists. WikiLeaks' exposure of CIA surveillance tools generated a debate between the security agencies and the industry on how to balance the requirements of national security and privacy.

The George Washington University in Washington DC held a two-day symposium on March 27-28, “Toward a Global Partnership to Counter Online Radicalization and Extremism”. In her keynote address, Baroness Joanna Shields, UK Minister for Internet Safety and Security, reiterated Amber Rudd’s call for greater access while stressing the need for a new model of shared responsibility to prevent extremists’ use of the internet. Anwar Gargash, UAE Minister of State for Foreign Affairs, echoed similar sentiments while drawing a link between extremism and terrorism. As an example of preventive measures, he cited India’s pluralistic society, where the messages of IS have had the least impact despite its large Muslim population.

Senior officials from the FBI, the Department of Homeland Security, the Department of Justice and the State Department, and from the European Union, participated in the debate alongside industry representatives. While the agency officials understandably emphasized the need for tools to access the communications of suspected terrorists in order to protect their citizens, technology companies maintained that they do not have foreign policies but do have values on combating terrorism. Twitter and Facebook representatives described their measures to identify and remove extremist content but said terrorists were able to create new accounts at a much faster pace. The consensus was that policy makers and industry leaders need a joint effort to balance security with privacy.

India also witnessed a similar debate following the Supreme Court’s ruling against making the Aadhaar card (Unique Identification Card) mandatory for transferring subsidy benefits to weaker sections of society. Questions were raised about the lax security of the data collected and how easily hackers could access it, compromising the privacy of the public.

National Security vs Privacy
How WhatsApp encryption works – and why there shouldn’t be a backdoor – March 28, 2017 – A battle between national security and privacy is brewing. Governments and secret services are asking encrypted messaging services such as WhatsApp to allow them access to users’ data. Most recently, in the wake of the March attack at Westminster, Amber Rudd, the U.K. home secretary, said it was unacceptable that the government couldn’t read the encrypted messages of suspected terrorists. The main argument behind this request is that access to messages will allow authorities to thwart future terror attacks. On the other hand, there are many ordinary people who use messaging apps for daily communication and this request would be a direct breach of their privacy. But this isn’t the only problem – creating a way for the authorities to read encrypted messages would also make the system vulnerable to cyberattacks from criminals and other hackers, removing what makes it a secure way to communicate in the first place.

Related: – Ending WhatsApp encryption to stop terrorism would actually make people ‘less safe’. Privacy advocates have criticized U.K. Home Secretary Amber Rudd after she called for security services to be able to access encrypted messaging services like WhatsApp in order to fight terrorism. WhatsApp said in a statement it was “horrified” by the attack and is cooperating with law enforcement as they continue their investigations. The Facebook-owned messaging platform, which has more than 1 billion users worldwide, introduced end-to-end encryption last year to protect people from “cybercriminals,” “hackers,” and “oppressive regimes.” Responding to Rudd’s statement, privacy advocates and online safety groups told Newsweek that it would be dangerous to create security loopholes that would allow intelligence services to bypass encrypted services.

US House kills web privacy protections; ISPs free to collect, sell customers’ information
March 29, 2017 – The House of Representatives on Tuesday voted 215 to 205 to kill the privacy rules, formulated by the FCC, which were aimed at preventing internet service providers (ISPs) from selling their customers’ web browsing histories and app usage to advertisers. Without these protections, Comcast, Verizon, AT&T, and other ISPs will have complete freedom to collect information about their customers’ browsing and app-usage behavior, then sell this information to advertisers. The congressional vote means that customers can no longer control what personal information the ISPs collect – or what the ISPs do with this information.

Related: – Protecting web users’ privacy. At the USENIX Symposium on Networked Systems Design and Implementation next week, researchers from MIT’s Computer Science and Artificial Intelligence Laboratory and Stanford University will present a new encryption system that disguises users’ database queries so that they reveal no private information. The system is called Splinter because it splits a query up and distributes it across copies of the same database on multiple servers. The servers return results that make sense only when recombined according to a procedure that the user alone knows. As long as at least one of the servers can be trusted, it’s impossible for anyone other than the user to determine what query the servers executed.
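The split-query idea the summary describes, shown in its simplest two-server form as an added example (this is not Splinter’s own code, which uses function secret sharing to compress the shares and support richer queries over much larger databases): the client splits a one-hot selection vector into two random XOR shares, each server XORs together the records its share selects, and only the client, who holds both shares, recovers the record. The database contents and size are constructed for the demo.

```python
import os

# Constructed toy database: eight fixed-size records (not real data).
DATABASE = [f"record-{i}".encode().ljust(16, b"\0") for i in range(8)]


def split_query(index, n):
    """Client: split the one-hot vector selecting `index` into two XOR shares.
    Each share on its own is a uniformly random bit vector, so a server that
    sees only one share learns nothing about `index`."""
    share_a = [b & 1 for b in os.urandom(n)]
    share_b = [share_a[i] ^ (1 if i == index else 0) for i in range(n)]
    return share_a, share_b


def server_answer(db, share):
    """Server: XOR together every record whose share bit is set.
    It never sees the other share, so it cannot tell which record is wanted."""
    acc = bytes(len(db[0]))
    for record, bit in zip(db, share):
        if bit:
            acc = bytes(x ^ y for x, y in zip(acc, record))
    return acc


def recombine(answer_a, answer_b):
    """Client: XOR the two answers. Every record selected by both shares (or by
    neither) cancels out, leaving exactly the record at `index`."""
    return bytes(x ^ y for x, y in zip(answer_a, answer_b))


def private_lookup(db, index):
    share_a, share_b = split_query(index, len(db))
    return recombine(server_answer(db, share_a), server_answer(db, share_b))


if __name__ == "__main__":
    for i in range(len(DATABASE)):
        assert private_lookup(DATABASE, i) == DATABASE[i]
    print("every record recovered without either server seeing the index")
```

The trust assumption is visible in the code: if the two servers collude they can XOR their shares and read the index directly, which is exactly why the scheme needs at least one honest server. Each server still sees the client’s network address and request timing, so this protects the content of the query, not the fact that a query was made.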

Related: – US Vote to Repeal Broadband Privacy Rules Sparks Interest in VPNs. A VPN cloaks a customer’s web-surfing history by making an encrypted connection to a private server, which then forwards the customer’s traffic to its destinations; the ISP sees only the encrypted tunnel to the VPN server, not the destination addresses. This does not remove the trust problem, it moves it: the VPN provider now sees everything the ISP used to. VPNs are often used to connect to a secure business network, or in countries such as China and Turkey to bypass government restrictions on Web surfing.

Related: – Repealing FCC’s privacy rules: A serious blow to privacy, cybersecurity. The cybersecurity implications of repealing the FCC’s privacy rules come from simple logic. If the privacy rules are repealed, Internet providers will resume and accelerate the data-collection practices the rules curbed, with the aim of monetizing their customers’ browsing history and app usage. But in order to do that, Internet providers will need to record and store even more sensitive data on their customers, which will become a target for hackers. Internet providers will also be incentivized to break their customers’ security, so they can see all the valuable encrypted data their customers send. And when Internet providers break their customers’ security, you can be sure malicious hackers will be right on their heels. The net result is simple: repealing the FCC’s privacy rules won’t just be a disaster for Americans’ privacy. It will be a disaster for America’s cybersecurity, too.

Related: – Encryption Won’t Stop Your Internet Provider From Spying on You. Earlier this month, a lobby group for major internet providers like Comcast and Verizon attacked a set of online-privacy regulations that they believe are too strict. In a filing to the Federal Communications Commission, the group argued that providers should be able to sell customers’ internet history without the customers’ permission, because that information shouldn’t be considered sensitive. Besides, the group contended, web traffic is increasingly encrypted anyway, making it invisible to providers. But even if 100 percent of the web were encrypted, ISPs would still be able to extract a surprising amount of detailed information about their customers’ virtual comings and goings: HTTPS hides the page content, but the DNS lookups, the destination IP addresses, the hostname sent in the clear in the TLS handshake, and the size and timing of the traffic all remain visible. This is particularly significant in light of a bill that passed Congress this week, which granted the lobby group’s wish: It allows ISPs to sell their customers’ private browsing history without their consent.

Proposed ‘big data’ law will empower Russians in the digital realm – March 28, 2017 – Russian users might soon have the chance to prohibit companies from collecting and storing data about themselves, Igor Schegolev, an advisor to President Vladimir Putin, said, RBK reported (in Russian). “People should have an understanding of what’s going on [with their information] and for what purposes it’s used,” Schegolev said, adding that the government is not in favor of imposing a ban on such practices, but “for allowing the user to have more opportunities to influence the fate of the data about him or her.”

Data Security & Privacy Concerns of India’s Unique Identification Card
The world’s largest biometric ID programme is a privacy nightmare waiting to happen – March 28, 2017 – The Unique Identification Authority of India (UIDAI) is an agency of the Government of India responsible for implementing Aadhaar, the country’s unique identification project. The authority aims to provide a unique number to all residents, backed by a database of residents containing basic demographic data and biometrics. At its heart, the ongoing tussle over Aadhaar is all about information. How much of it should a government collect? Where is it stored and under what safeguards? Who gets to use it and how? And what happens when someone screws up?

Related: – Privacy, security and legality are not the only serious problems with Aadhaar. Here are four more. Most debates around the Unique Identification Authority of India and Aadhaar focus on privacy concerns, security of the database and on the legality of making Aadhaar mandatory. But even if these three concerns are sorted out, there are four other concerns that need attention. In all four, you will see common themes. But the Unique Identification Authority of India will not address them as solving them may reduce the usage and acceptance of Aadhaar.

Related: – Central Ministry, State Government Departments Publicly Expose Personal Data of Lakhs of Indians. A simple Google search shows that the personal information, including Aadhaar numbers and bank account details, has not been secured properly. At least one central government ministry and multiple Indian state government departments currently expose the personal information of thousands of Indian citizens through their websites – information that shouldn’t actually be available so freely. The personal data in question, in some cases, includes names, addresses, date of birth, Aadhaar card numbers, PAN card details, religion and caste. All of this information, which should be securely and safely stored, is available in the form of Microsoft Excel sheets and can be obtained by a simple Google search. This issue was first pointed out by Twitter user St_Hill, who posted an article detailing the dangers of identity theft and how personal data is improperly stored.

Cyber Warfare
Democrats step up calls that Russian hack was act of war – March 26, 2017 – Democratic lawmakers are publicly calling out Russia for engaging in war by meddling in the U.S. presidential election. The Democrats have been particularly bullish in the wake of FBI Director James Comey’s disclosure that the bureau is investigating whether there was coordination between President Trump’s associates and Russia in the influence campaign, which involved leaking hacked personal emails from Democratic operatives to damage candidate Hillary Clinton. Former Vice President Dick Cheney said Russia’s interference in the 2016 U.S. presidential election could be considered “an act of war.” Cheney said there was “no question” that Vladimir Putin had attempted to influence the election outcome. “There’s no question there was a very serious effort made by Putin and his government, his organization, to interfere in major ways with our basic fundamental democratic processes,” Cheney said during a speech at a business conference in New Delhi, India.

White House extends Obama executive order on cyber threats – March 25, 2017 – President Trump will continue a 2015 state of national emergency that President Obama used as a basis for freezing the assets of Russians tied to a hacking campaign aimed at disrupting the presidential election. In a letter to Congress titled “Message to the Congress Regarding the Continuation of the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities,” Trump renewed the order signed in April 2015. The executive order would have expired without renewal.

Cyber Firm Rewrites Part of Disputed Russian Hacking Report – March 25, 2017 – U.S. cybersecurity firm CrowdStrike has revised and retracted statements it used to buttress claims of Russian hacking during last year’s American presidential election campaign. The shift followed a VOA report that the company misrepresented data published by an influential British think tank.

This Is How Russian Hackers Will Attack the US Next – March 24, 2017 – Russia has been the subject of much American press speculation this spring, as questions and suspicions swirl regarding its involvement in alleged hacks during the U.S. presidential election. While the details of these specific attacks remain unclear, what is clear is the danger posed by the superpower’s well-established hacking prowess. The question is not if Russia will conduct another major cyberattack on the U.S., but when.

Russian APT29 Used Domain Fronting, Tor to Execute Backdoor – March 27, 2017 – The Russian APT29 group, a/k/a Cozy Bear, has been utilizing a technique called domain fronting in order to secure backdoor access to targets for nearly two years running, experts said Monday. The nation state attackers have reportedly been pairing the anonymity software Tor with a Tor plugin that specializes in domain fronting, so that the TLS connection appears to be going to a legitimate website, such as Google, while the HTTP Host header inside the encrypted session routes the traffic on to the attackers’ backend. Network defenders watching only the outer connection see a high-reputation destination. Matthew Dunwoody, principal consultant at Mandiant, described the technique in a FireEye blog post on Monday.
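Domain fronting works because the name in the TLS SNI (what the network sees) and the name in the HTTP Host header (what the CDN or fronting provider routes on) can differ. Where a TLS-inspecting proxy logs both, that mismatch is the detection handle. The following is an added example, not from the FireEye report: the log format, the source addresses and the domain names are all constructed for the demo.

```python
import re
from collections import Counter

# Constructed proxy log (not a real capture): each line records the SNI seen in
# the ClientHello and the Host header seen after TLS interception. The second
# and fourth lines show the fronting pattern: a CDN-looking SNI, a different
# Host behind it.
SAMPLE_LOG = """\
2017-03-27T10:00:01Z src=10.0.0.5 sni=cdn.example-front.net host=cdn.example-front.net
2017-03-27T10:00:02Z src=10.0.0.5 sni=cdn.example-front.net host=relay.example-hidden.org
2017-03-27T10:00:03Z src=10.0.0.7 sni=www.example.com host=static.example.com
2017-03-27T10:00:04Z src=10.0.0.9 sni=cdn.example-front.net host=relay.example-hidden.org
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+)$")


def registrable(name):
    """Simplification for the demo: treat the last two labels as the
    registrable domain, so www.example.com and static.example.com agree.
    Production code should use the public suffix list instead."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def find_fronting(log_text):
    """Return (ts, src, sni, host) for every request whose SNI and Host header
    name different registrable domains."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines in an unexpected format
        if registrable(m["sni"]) != registrable(m["host"]):
            hits.append((m["ts"], m["src"], m["sni"], m["host"]))
    return hits


def summarize(hits):
    """Count (sni, host) pairs so repeated fronting channels float to the top."""
    return Counter((sni, host) for _, _, sni, host in hits)


if __name__ == "__main__":
    for pair, n in summarize(find_fronting(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  sni={pair[0]}  host={pair[1]}")
```

Two caveats a practitioner will want. First, the Host header is inside the encrypted session, so this check needs a point where the traffic is decrypted (an inspecting proxy or an endpoint agent); an SNI-only monitor cannot see it. Second, a mismatch is not proof of malice, since shared CDN hostnames serve many customers’ sites, so the output is a triage list to be joined against destination reputation and the frequency counts above, not an automatic block.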

How can America win the Cyber war? – March 23, 2017 – In testimony to the Senate Commerce Committee, the author laid out five recommendations the federal government can adopt to win the upcoming cyber wars. 1) Modernize government procurement systems so as to access the best technologies; 2) Set standards around cyber-hygiene; 3) Enable legal frameworks for companies to share and exchange data; 4) Create a generation of cyberwarriors; and 5) Use cyber insurance to pool and minimize existential risk. Comment: The recommendations are equally valid in the Indian context.

The Next Big War Will Turn on AI, Says US Secret-Weapons Czar – March 28, 2017 – The first day of the next major conflict shouldn’t look like war at all, according to William Roper, who runs the Pentagon’s Strategic Capabilities Office, or SCO. Instead, imagine a sort of digital collection blitzkrieg, with data-gathering software and sensors setting off alarms left and right as they vacuum up information for a massive AI. Whoever collects the most data on Day One just might win the war before a single shot is fired.

DHS Cyber Strategy Delayed for Trump Team Review – March 29, 2017 – A congressionally mandated Homeland Security Department cybersecurity strategy is waiting to be reviewed by Trump administration officials and the agency’s new leadership, DHS’ acting cybersecurity lead, Jeanette Manfra, told lawmakers on March 21. Manfra highlighted a $1.5 billion investment in President Donald Trump’s budget blueprint to protect federal networks and civilian critical infrastructure from cyberattacks. “The department views the IT modernization effort as an opportunity to review the current approach to federal network security and potentially make generational advances in the capabilities we offer,” she said.

Why do Beijing and Moscow embrace cyber sovereignty? – March 22, 2017 China has called on Russia and other BRICS nations to commit themselves to the concept of cyber sovereignty, which would allow governments to control their national cyber space in a manner that only they deem appropriate. The concept of cyber sovereignty, however, is not new. In December 2015, Chinese officials at the Wuzhen World Internet Conference defined their line of thinking: since the Web is a reflection of “physical space” it should be treated as sovereign territory; consequently, it cannot be the object of “foreign interference.”

New WikiLeaks Dump

WikiLeaks Exposes more CIA Device Surveillance Tricks – March 23, 2017 – WikiLeaks on Thursday announced that it had released more Vault 7 documentation online, including details about several CIA projects to infect Apple’s Mac computer firmware and operating system. The newly released files shone a spotlight on the CIA’s efforts to gain “persistence” in Apple devices, including Mac computers and iPhones, via malware designed to attack their firmware. Firmware-level persistence matters because it survives reinstalling the operating system and wiping the disk. One of the documents highlighted in Thursday’s data dump exposes the “Sonic Screwdriver” project, likely named for the handheld tool wielded by the science fiction character Doctor Who, which can seemingly bypass any digital or mechanical lock. According to the documents, the CIA’s version is code stored in the modified firmware of an Apple Thunderbolt-to-Ethernet adapter that runs while a Mac is booting, allowing attack software to be loaded even when a firmware password is enabled.

Related: – New WikiLeaks Dump Shows CIA Interdiction of iPhone Supply Chain. Today’s Vault 7 Dark Matter release shows an unsurprising interest from the intelligence agency in tracking iPhone users, as well as capabilities in developing implants and exploits targeting Mac firmware running on MacBooks. The iPhone attack documentation for the CIA’s NightSkies tool describes a beacon dating back to 2008, purpose-built for factory-fresh iPhones, indicating the CIA’s ability to interdict the Apple supply chain and install this tool before the device reaches its owner.

Apple Fixes 223 Vulnerabilities across macOS, iOS, Safari – March 28, 2017 – Apple fixed hundreds of bugs, 223 to be exact, across a slate of products including macOS Sierra, iOS, Safari, watchOS, and tvOS on Monday. More than a quarter of the bugs, 40 in macOS Sierra and 30 in iOS, could lead to arbitrary code execution – in some instances with root privileges, Apple warned. The lion’s share of the vulnerabilities patched Monday, 127 in total, were fixed in the latest version of macOS Sierra, 10.12.4.

A scramble at Cisco exposes uncomfortable truths about U.S. cyber defense, March 29, 2017 – The Wikileaks documents described how the Central Intelligence Agency had learned more than a year ago how to exploit flaws in Cisco’s widely used Internet switches, which direct electronic traffic, to enable eavesdropping. Senior Cisco managers immediately reassigned staff from other projects to figure out how the CIA hacking tricks worked, so they could help customers patch their systems and prevent criminal hackers or spies from using the same methods, three employees told Reuters on condition of anonymity.

Related: – Cisco Patches Critical IOx Vulnerability. Cisco Systems patched a critical vulnerability Wednesday that could allow an unauthenticated, remote attacker to execute arbitrary code on affected hardware and gain root privileges. The bug is in Cisco’s Data-in-Motion (DMo) process, part of the company’s IOx application environment that marries its IOS networking software with Linux. According to a Security Advisory on Wednesday, the vulnerability affects Cisco 800 series industrial integrated services router models IR809 and IR829.

Cyber Crimes

Group Demands Apple Pay Ransom for iCloud Credentials – March 24, 2017 – Apple has received a ransom threat from a hacking group claiming to have access to data for up to 800 million iCloud accounts. The hackers, said to be a London-based group called the “Turkish Crime Family,” have threatened to reset passwords and remotely wipe the iPhones of millions of iCloud users if Apple fails to hand over a total of US$700,000. They have given the company an ultimatum to respond by April 7. Apple has said its own systems, including iCloud, were not breached; however, the Turkish Crime Family strongly denied that in a message to TechNewsWorld on Friday.

Related: – How To Protect Your iCloud Account Against Hackers. A hacker group called Turkish Crime Family says that it can access 250 million iCloud accounts, and will do so on April 7 to reset the passwords, locking people out of their accounts. They’ve even threatened to wipe people’s linked iPhones if Apple doesn’t pay up. And while it’s hard to tell how legitimate the threat is, their assertions make now as good a time as any to lock down your iCloud account.

Related: – Experts Doubt Hackers’ Claim Of Millions Of Breached Apple Credentials. Security experts say they are skeptical that a group of hackers called Turkish Crime Family actually possesses a cache of hundreds of millions of Apple iCloud account credentials. A more plausible explanation, they say, is that the crooks used credential stuffing attacks, replaying username/password pairs leaked from other sites’ breaches against Apple’s login, to amass a limited number of valid Apple credentials in an attempt to extort money from Apple.
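Credential stuffing has a recognizable shape in authentication logs: one source tries many different accounts, most attempts fail, and the few successes are the reused passwords the attacker was after. The following added example (not from the articles above) runs that check over a constructed login log; the log format, addresses and usernames are made up for the demo, and the thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict

# Constructed authentication log (not a real capture): one source walks six
# different accounts in four seconds and gets into one of them; another source
# is an ordinary user who mistypes a password once and then logs in.
SAMPLE_AUTH_LOG = """\
2017-03-24T08:00:01Z src=203.0.113.10 user=alice result=fail
2017-03-24T08:00:02Z src=203.0.113.10 user=bob result=fail
2017-03-24T08:00:02Z src=203.0.113.10 user=carol result=fail
2017-03-24T08:00:03Z src=203.0.113.10 user=dave result=ok
2017-03-24T08:00:03Z src=203.0.113.10 user=erin result=fail
2017-03-24T08:00:04Z src=203.0.113.10 user=frank result=fail
2017-03-24T08:00:10Z src=198.51.100.7 user=alice result=fail
2017-03-24T08:00:15Z src=198.51.100.7 user=alice result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def detect_credential_stuffing(log_text, min_distinct_users=5, max_success_rate=0.3):
    """Flag sources that try many *different* accounts with a low success rate.
    A brute-force attack hammers one account; credential stuffing walks a list
    of leaked username/password pairs, so distinct users per source is the
    telling signal. Returns a dict keyed by flagged source address."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "ok_users": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # ignore lines in an unexpected format
        stats = per_src[m["src"]]
        stats["attempts"] += 1
        stats["users"].add(m["user"])
        if m["result"] == "ok":
            stats["ok_users"].append(m["user"])

    flagged = {}
    for src, s in per_src.items():
        success_rate = len(s["ok_users"]) / s["attempts"]
        if len(s["users"]) >= min_distinct_users and success_rate <= max_success_rate:
            flagged[src] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "success_rate": round(success_rate, 3),
                # accounts that accepted a stuffed password: force a reset on these
                "compromised": sorted(s["ok_users"]),
            }
    return flagged


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

The per-source threshold is the easy case. Attackers who know it is there spread the list across a proxy pool so each address tries only a handful of accounts, which is why the durable defences are on the account side: a second factor, rate limits per account rather than per source, and rejecting passwords already present in public breach corpora. The `compromised` list is the immediate response action, since those accounts’ passwords are known to be reused elsewhere.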

First woman arrested under new cybercrime law in Pakistan – Mar 26, 2017 – The woman, Sadia Mirza, has been accused of blackmailing Ahsan Rana, a resident of London. Hassan Rana, brother of Ahsan, filed the complaint and alleged that Mirza had sent messages to Ahsan over the social networking website Facebook demanding money. As per the FIR, Mirza has been charged with sending threatening, abusive and lewd messages.

The Disturbing Cyber Threat Targeting Medical Devices – March 21, 2017 – Hackers have found another way to extort the medical community and their patients. There’s a disturbing trend of cyber-thieves targeting medical devices in doctors’ offices and hospitals. The very medical devices that provide life-saving treatment are now being targeted by hackers – for profit. Just recently, researchers discovered a new version of MEDJACK, which leaves medical devices, like x-ray machines and MRI scanners, vulnerable to cyber-criminals. Initially discovered in 2015, the MEDJACK malware was developed as an intentional and organized initiative targeting hospital networks; the devices themselves are attractive footholds because they run old, rarely patched operating systems and sit inside the clinical network. The latest version to be discovered allows the threat actor to steal patient data, exfiltrating it from the network.

Vulnerabilities & Patch Ups

Malware That Targets Both Microsoft, Apple Operating Systems Found – March 23, 2017 – Researchers came across a malicious Word document last week that doesn’t discriminate between OS platforms. The malicious Word document is designed to spread malware on either Mac OS X or Microsoft Windows, depending on where it’s opened. Like many other strains of malware these days, the sample, which researchers at Fortinet observed on March 16, relies on tricking users into enabling macros; the macro then branches on the host operating system. For victims running Mac OS X, the script is fairly straightforward. It downloads a malicious file containing another script, written in Python, that is executed and attempts to communicate with the attacker’s server. The downloaded script is a modified version of a Python Meterpreter payload, researchers say.
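Because the whole chain hinges on the user enabling macros, the first triage question for an attachment like this is simply whether it carries a VBA project at all. The following added example (not Fortinet’s analysis tooling) answers that for the modern OOXML container by looking for the `vbaProject.bin` part inside the zip, and recognises the legacy OLE2 container so it can be routed to a proper OLE parser instead of being misreported as clean. The test documents are constructed in memory for the demo; real files carry many more parts.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.docm/.xlsm) container


def build_docx(with_macros):
    """Construct a minimal OOXML container for the demo (not a real document).
    A VBA project always lives in a part named vbaProject.bin (under word/ for
    Word, xl/ for Excel), which is what the check below keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\0" * 24)
    return buf.getvalue()


def container_type(data):
    """Classify by magic bytes, never by file extension."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    return "unknown"


def ooxml_has_vba(data):
    """True if an OOXML file contains a VBA project, whatever its extension.
    Checking the content rather than the .docx/.docm suffix is the robust test."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())


def triage(data):
    """Return one of 'ooxml-with-macros', 'ooxml-no-macros',
    'ole2-needs-vba-scan' or 'unknown' for an attachment's bytes."""
    kind = container_type(data)
    if kind == "ooxml":
        return "ooxml-with-macros" if ooxml_has_vba(data) else "ooxml-no-macros"
    if kind == "ole2":
        # Legacy binary format: the macros sit inside the OLE stream tree,
        # which needs an OLE parser (e.g. oletools' olevba), not zipfile.
        return "ole2-needs-vba-scan"
    return "unknown"


if __name__ == "__main__":
    print(triage(build_docx(True)), triage(build_docx(False)))
```

This is a presence check, not a verdict: plenty of legitimate business documents carry macros, and a sample like the one described still has to be opened in a sandbox to see which branch it takes on which platform. What the check buys is a cheap gate at the mail boundary and a way to strip or quarantine macro-bearing attachments from untrusted senders before a user is ever asked to click “Enable Content”.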

Fintech—A Brave New World for the Financial Sector? – March 22, 2017 – Christine Lagarde, Managing Director at International Monetary Fund, outlines benefits and risks of adopting new technologies in the financial sector. Financial technology, or fintech—a term that encompasses products, developers and operators of alternative financial systems—is challenging traditional business models. And it is growing rapidly. According to one recent estimate, fintech investment quadrupled from 2010 to 2015, to $19 billion annually. Fintech innovation has come in many shapes and forms—from peer-to-peer lending, to high-frequency trading, to big data and robotics. All this calls for more creative thinking. How exactly will these technologies change the financial world? Will they completely transform it? Will banks be replaced by blockchain-based systems that facilitate peer-to-peer transactions? Will artificial intelligence reduce the need for trained professionals? And if so, can smart machines provide better financial advice to investors?

Encryption requirements to change P25 CAP approved equipment list – March 28, 2017 – The U.S. Department of Homeland Security on Monday announced a change in the Project 25 Compliance Assessment Program (P25 CAP) listing of grant-eligible radio equipment for first responders. In order to be fully compliant with all P25 CAP requirements, radio equipment that requires encryption must use Advanced Encryption Standard (AES) 256. Equipment that uses proprietary or other non-standard encryption capabilities without also providing the standard encryption (AES 256) capability does not meet the requirement specified in the Project 25 Compliance Assessment Program Encryption Requirements Compliance Assessment Bulletin (CAB).

Instagram introduces two-factor authentication – March 24, 2017 – Instagram has become the latest social network to enable two-factor authentication, a valuable security feature that protects accounts from being compromised through password reuse and, to a lesser degree, phishing: a stolen password alone no longer suffices, though a phishing page that prompts for the one-time code and relays it in real time can still get through.

Research & Development

Facial-Recognition Tech May Turn Life into a Perpetual Police Lineup – March 29, 2017 – Police body cameras are widely seen as a way to improve law enforcement’s transparency with the public. But when mixed with police use of facial-recognition tools, the prospect of continual surveillance comes with big risks to privacy. The interest in this technology extends internationally. NTechLab, which is located in Cyprus and in Russia, and which claims to make the world’s most accurate facial-recognition technology, has pilot projects in 20 countries, including the U.S., China and Turkey. The company says it uses machine learning to “build software that makes the world a safer and more comfortable place.”

Digital linguist translates on the spot – March 28, 2017 – In “Star Trek,” the “universal translator” allowed members of alien species to talk directly without a lot of awkward pauses. It saved the writers grief and gave Capt. Kirk a tactical advantage. The Army isn’t there yet, but it recently took a step in that direction. The service rolled out the Machine Foreign Language Translation System, or MFLTS, system to some 700 users. Army leaders plan this summer to deploy the software across the Project Manager Distributed Common Ground System — Army (PM DCGS-A) portfolio.

Don’t Let the Next Catastrophic Phishing Scandal End Your Career – March 27, 2017 – For every email, customer record, or financial theft in the news, there likely are hundreds that remain in the shadows. This problem is huge, and yet another incident came to light last week. A clever Lithuanian individual was able to extract a whopping US$100 million from unnamed Internet companies using a combination of phishing tactics and fake vendor invoices, with the scheme spread across a multitude of companies.

Red Hat Pilots New Program to Ease Digital Transformation – March 28, 2017 – Red Hat on Monday announced a new Application Platform Partner Initiative at its North America Partner Conference in Las Vegas. The goal is to provide a more robust ecosystem for companies engaging in digital transformation. The company has started conducting tests in a pilot program with a small number of solutions-oriented consulting partners in North America.

Elon Musk Plans to Build a Human-AI Interface – March 29, 2017 – Tech visionary Elon Musk, who currently helms both Tesla and SpaceX, has launched a startup, Neuralink, dedicated to developing technology that will connect human brains directly to a computer. This venture is in its very early stages, according to a report in The Wall Street Journal that Musk confirmed via Twitter. Treatment of brain damage perhaps tops the list of reasons to pursue such a connection between brain and computer. What Musk is attempting, in essence, is basic medical research backed by new computational science methods. However, it likely will be a long time before anyone’s brain can be “plugged” directly into a computer — at least in the way it’s suggested in the works of science fiction writers William Gibson and Bruce Sterling.

New Clues Surface on Shamoon 2’s Destructive Behaviour – March 27, 2017 – Researchers on Monday reported progress in filling in some of the missing pieces of the Shamoon 2 puzzle that have been eluding them when it comes to lateral network movement and execution of the Disttrack malware component used in past campaigns. Shamoon has been blamed for destructive campaigns against organizations based in Saudi Arabia since it first surfaced in 2012. Disttrack is the Shamoon wiper component and is known for its hallmark destructive behavior: it spreads through the company’s network and overwrites the Master Boot Record on every computer it finds, leaving the machines unable to boot.
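Because Disttrack’s signature effect is an overwritten Master Boot Record, the first sector of a disk is also where a responder can check for it. The following added example (not from the research above) parses the 512-byte MBR layout, applies two plausibility checks (the 0x55AA boot signature and a non-empty boot code area) and compares the sector against a known-good hash, which is the check that catches a replacement MBR that still looks valid. The sample sector is constructed for the demo; the baseline hash is assumed to have been recorded from the host before any incident.

```python
import hashlib

MBR_SIZE = 512
BOOT_CODE_END = 446           # 446 bytes of boot code, then 4 x 16-byte entries
SIGNATURE_OFFSET = 510


def build_sample_mbr():
    """Constructed MBR (not from a real disk): placeholder boot code and a
    single bootable NTFS-type (0x07) partition starting at LBA 2048."""
    boot_code = bytes([0xfa, 0x33, 0xc0]) + b"\x90" * (BOOT_CODE_END - 3)
    entry = (bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])        # status, CHS, type, CHS
             + (2048).to_bytes(4, "little")                # first LBA
             + (204800).to_bytes(4, "little"))             # sector count
    table = entry + b"\0" * 48                             # three unused entries
    return boot_code + table + b"\x55\xaa"


def is_plausible_mbr(sector):
    """Cheap sanity checks: right size, boot signature present, boot code
    not all zeros. A wiper that zeroes or randomizes sector 0 fails here."""
    return (len(sector) == MBR_SIZE
            and sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xaa"
            and any(sector[:BOOT_CODE_END]))


def partition_entries(sector):
    """Decode the four partition table entries, skipping empty ones."""
    entries = []
    for i in range(4):
        e = sector[BOOT_CODE_END + 16 * i: BOOT_CODE_END + 16 * (i + 1)]
        if e[4] == 0:                       # partition type 0 = unused slot
            continue
        entries.append({"bootable": e[0] == 0x80, "type": e[4],
                        "lba_start": int.from_bytes(e[8:12], "little"),
                        "sectors": int.from_bytes(e[12:16], "little")})
    return entries


def baseline_hash(sector):
    """Hash to record while the host is known-good."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector, known_good_hash):
    """Combine the plausibility checks with the baseline comparison. A sector
    that is plausible but does not match the baseline is the interesting case:
    something rewrote it while keeping it bootable."""
    plausible = is_plausible_mbr(sector)
    return {"plausible": plausible,
            "matches_baseline": baseline_hash(sector) == known_good_hash,
            "partitions": partition_entries(sector) if plausible else []}


if __name__ == "__main__":
    good = build_sample_mbr()
    print(check_mbr(bytes(MBR_SIZE), baseline_hash(good)))   # wiped disk
```

Reading sector 0 on a live system needs raw device access (`/dev/sda` on Linux, `\\.\PhysicalDrive0` on Windows) and therefore administrator rights, and on GPT-partitioned disks sector 0 holds only a protective MBR, so the real partition table lives in later sectors that deserve the same baseline treatment. The check is also an after-the-fact indicator: by the time the MBR is gone the wiper has run, so the operational value is in catching it on the first host while the spread described above is still in progress.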