Monthly Archives: March 2013

Malware Dump Memory Grabber Targeting POS Systems And ATMs Of Major US Banks

The Russian malware vSkimmer can steal credit card information from Windows systems. Now a new malware, Dump Memory Grabber, is targeting point-of-sale (POS) systems and ATMs. It scans the memory of POS systems and ATMs for credit card data, and it is claimed to have stolen payment card information from several US banks.

Unlike existing banking malware, which infects individual user computers and intercepts online banking credentials and credit card details, attacks on POS systems and ATMs are far more sophisticated.

The modus operandi of this type of malware attack involves infecting ATMs and physical POS systems, such as stand-alone kiosks and modern cash register systems, to collect secret and sensitive debit and credit card information.

Most of the POS/ATM attacks relied on the “help of insiders,” such as the employees in charge of maintaining POS systems and authorised to update the software. A few POS systems running Windows XP or Windows Embedded with Remote Desktop or VNC software were infected remotely, and in some cases, attackers exploited vulnerabilities in ATM networks connecting to the bank’s VPN or GSM/GPRS networks.

The Dump Memory Grabber malware collects Track 1 and Track 2 data and transfers the collected data to a remote command-and-control server. Track 2 refers to the data encoded on the magnetic stripe of the physical credit or debit card, and includes information such as the primary account number, first and last name, and expiration date. Criminals use the collected data to create cloned physical cards.

The malware adds itself to the system registry so that it will automatically run whenever the system boots up. The malware’s payload program lists all the processes running on the system and then searches memory for sensitive data. The malware operator can limit the search to the memory of a specific application process or scan across all applications.
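The memory scan described above hunts for the same thing a defender's data-loss-prevention check hunts for: cleartext Track 2 records. The following is an added example, not code from the original post or from any malware; it shows how a PCI-style scan of a memory dump or log file can locate Track 2 records, confirm they are genuine PANs with the Luhn check, and report them with the PAN masked. The Track 2 regex, the `Track2Hit` record and the sample dump bytes are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Track 2 layout (ISO/IEC 7813): start sentinel ';', PAN of up to 19 digits,
# field separator '=', expiry YYMM, three-digit service code, discretionary
# data, end sentinel '?'.  This regex is written for this example.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


@dataclass
class Track2Hit:
    offset: int          # byte offset of the record inside the scanned buffer
    masked_pan: str      # first six and last four digits only
    expiry_yymm: str
    service_code: str
    luhn_valid: bool     # False for digit runs that merely look like a PAN


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; real PANs pass it, random digit runs mostly do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate the PAN the way PCI DSS allows it to be displayed (first 6, last 4)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> List[Track2Hit]:
    """Return every Track 2 record found in buf, with the PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        hits.append(Track2Hit(
            offset=m.start(),
            masked_pan=mask_pan(pan),
            expiry_yymm=m.group(2).decode("ascii"),
            service_code=m.group(3).decode("ascii"),
            luhn_valid=luhn_ok(pan),
        ))
    return hits


# Constructed stand-in for a process memory dump: filler bytes around two
# Track 2 records.  4111111111111111 is a well-known test card number that
# passes the Luhn check; 4111111111111112 is one digit off and fails it.
SAMPLE_DUMP = (
    b"\x00\x00heap\x00\x00"
    b";4111111111111111=2512101000000000?"
    b"\x00\x00\x00log line\x00"
    b";4111111111111112=2701201?"
    b"\x00\x00"
)


def scan_sample() -> List[Track2Hit]:
    return find_track2(SAMPLE_DUMP)


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"offset={hit.offset} pan={hit.masked_pan} exp={hit.expiry_yymm} "
              f"svc={hit.service_code} luhn={'ok' if hit.luhn_valid else 'FAIL'}")
```

A hit with `luhn_valid` set in the memory of a process that is not supposed to handle card data tells an operator where cleartext PANs are exposed to exactly the kind of scraper the post describes; the masking keeps the scan output itself out of PCI scope.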

Honeypot Launched Offensive Cyber Attack Upon Crackers And Cyber Miscreants

Offensive and defensive cyber security capabilities are in much demand these days. While defensive cyber security capabilities can keep the cracker at bay to a great extent, offensive cyber security strikes can eliminate the possibility of continuous cyber attacks by such crackers to a greater extent.

If we adopt defensive cyber security capabilities alone, that would not serve the purpose at all. For instance, malware is comfortably evading anti viruses as browser based malware grows. In fact, we cannot rule out the use of anti virus updates as a potential tool to install malware, steal information and launch cyber warfare attacks.

A basic analysis of cyber security vulnerability has revealed that the Internet is full of unprotected and unsafe devices, SCADA systems and computers. Anybody can take advantage of these unsecured systems, and it is very difficult to pinpoint the particular individual, company or nation behind such a cyber attack.

We cannot label China as the cyber attacks and cyber crimes villain of the world for every sophisticated cyber attack that takes place in cyberspace. The issues of cross border cyber attacks, authorship attribution and cyber crimes convictions must be resolved before blaming a person, organisation or nation.

There is no international harmonisation or regulatory framework for areas like cyber law, cyber security, cyber terrorism, cyber warfare, cyber espionage, etc. Even the Tallinn Manual on international law is not applicable to international cyber warfare attacks and defence.

In these circumstances, offensive cyber security, or counterstrike through aggressive defence, becomes a good option. One such idea was recently implemented by a Russian researcher who built an aggressive honeypot to test the ability to hack back and reverse-penetrate cyber attackers. The researcher found that it is not only easy to build a honeypot that attacks back, but also relatively simple to gather the attackers' network adapter settings, trace routes and login names.

The trap was specifically set for SQL injection attacks. The researcher used two basic lures for potential attackers on the site: a PHP-based honeypot server that included a social engineering element, and an automated attack that grabbed the attacker's email address if he or she used one of two Russian email services, mail.ru and yandex.ru, exploiting now-patched vulnerabilities in those services.

Grabbing the attacker's internal IP addresses and resources, scanning for his files and BSSIDs, and making audio and video recordings from his laptop, among other things, were also possible with the attacking honeypot.

At Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) we believe that the concepts of counterstrike through aggressive defence and private defence in cyberspace presuppose the adoption and use of information technology to produce legitimate and legalised disabling and reasonably destructive effects. Some adopted measures completely destroy the functioning of the offending computer, while others simply disable the computer for the time being by either shutting it down or making it temporarily non-functional.

Thus, to gain public support and legitimacy, the adopted measure must be “proportionate” to the harm that could have been caused had that measure not been adopted. For instance, shutting down the computer of the person using the malware is permissible, whereas the destruction or procurement of data and information stored in that computer, having no connection or association with the malware, may not be commensurate with the protection requirements.

Such destruction or procurement of data may be unlawful and perhaps exceed the limits of self-defence. Thus, the technology adopted must not only be safe and effective, but also “legal and law-abiding”.

A countermeasure which is not accurate and law abiding would be a remedy worse than the malady, and hence it should be avoided. For instance, if a virus has been launched using a public server, then disabling that server unnecessarily harasses the genuine and legitimate users, who are denied the services they are otherwise entitled to. Thus, the countermeasure adopted must be job specific and not disproportionate to the injury sought to be remedied.

The Computer Fraud And Abuse Act 2013 Of US: A Journey To Draconian Terrains

The Computer Fraud and Abuse Act of 1984 (CFAA) is United States legislation aimed at curbing the cracking of computer systems and addressing federal computer-related offences. However, it has always been considered a troublesome law by various stakeholders in the US.

Many lawyers and academics in the US have termed the CFAA overly expansive and sweeping, as it lets the government incarcerate any Internet user it wants. It has also been termed one of the most outrageous criminal laws of the US.

Now the House Judiciary Committee has proposed a number of expansions to the law in a new draft that may be considered in the middle of April. Among many additions, the new CFAA draft expands the number of ways a person could be prosecuted by punishing anyone who “conspires to commit” violations just like those who have already “completed” the offense.

The proposed legislation also mandates that even if you have the right to access the information in the first place, it is still considered a crime if someone deems you are misusing your access in some way.

According to experts, the language in the new CFAA would make it a felony to “lie about your age on an online dating profile if you intended to contact someone online and ask them personal questions,” or to violate the terms of service on a government website.

Malware Are Comfortably Evading Anti Viruses As Browser Based Malware Grow

Signature based anti virus protection is of little use in the present era of sophisticated malware. Specially designed malware can fool any anti virus and firewall, and these basic level cyber security mechanisms cannot protect systems from getting infected. In fact, anti virus updates can be used as a potential tool to install malware, steal information and launch cyber warfare attacks.

As per a recent study, a majority of malware variants have been delivered through web browsing, going completely undetected by anti virus solutions. As per the report, web browsing is responsible for 90 percent of the fully undetected malicious files, and it takes anti virus vendors four times as long to detect malware from web-based applications as it does for email.

If crackers make a small change in the code of an existing malware, signature based anti virus fails to detect it. This is because the signature of such a variant is not present in the anti virus's virus definition database, and therefore the variant cannot be detected by these anti virus products.
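The following added example (not from the original post, and using a constructed byte string rather than any real sample) makes the point concrete: an exact-hash signature misses a variant that differs by a single inserted byte, while a content signature chosen for what the code does, and a byte n-gram similarity score, both still flag it. Real deployments use rule engines such as YARA for the content part and similarity hashes such as ssdeep or TLSH for the second part; the Jaccard-over-4-grams score here is a simplified stand-in for those.

```python
import hashlib
from typing import Dict, List, Set

# Constructed stand-in for a malware sample: a few instruction bytes followed by
# a string an analyst might choose as a content signature.  Not a real sample.
ORIGINAL = b"\x55\x8b\xec" + b"POST /gate.php HTTP/1.1" + b"\xc3"
# "Variant": the same bytes with a single NOP (0x90) inserted after the prologue.
VARIANT = b"\x55\x8b\xec\x90" + b"POST /gate.php HTTP/1.1" + b"\xc3"

# Exact-hash signature, as a classic definition database would store it.
HASH_SIGNATURES: Set[str] = {hashlib.sha256(ORIGINAL).hexdigest()}
# Content signature: a byte pattern chosen for what the sample does, not what it hashes to.
CONTENT_SIGNATURES: Dict[str, bytes] = {"c2_gate_string": b"/gate.php"}


def detect_by_hash(sample: bytes) -> bool:
    """Classic signature lookup: any byte change produces a different hash."""
    return hashlib.sha256(sample).hexdigest() in HASH_SIGNATURES


def detect_by_content(sample: bytes) -> List[str]:
    """Return the names of every content signature found in the sample."""
    return [name for name, pattern in CONTENT_SIGNATURES.items() if pattern in sample]


def byte_ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity over byte n-grams: a small edit only disturbs the
    n-grams that overlap it, so the score stays high for near-copies."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def classify(sample: bytes, threshold: float = 0.6) -> Dict[str, object]:
    """Combine the three detection layers for one sample."""
    return {
        "hash_match": detect_by_hash(sample),
        "content_matches": detect_by_content(sample),
        "similar_to_known": similarity(sample, ORIGINAL) >= threshold,
    }


if __name__ == "__main__":
    print("original:", classify(ORIGINAL))
    print("variant: ", classify(VARIANT))
```

The variant scores 0.75 against the original here because only the 4-grams that straddle the inserted byte differ; the threshold is a tuning knob, and in practice it is set from the false-positive rate observed on a corpus of known-good files.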

Sophisticated malware like Stuxnet, Duqu, Flame, etc. are well beyond the reach of these anti virus products. No matter what these anti virus products do, such malware cannot be detected in real time. They are detected only after years of use, and sometimes they remain operational as undetected malware.

At Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) we believe that companies must formulate a comprehensive and holistic cyber security policy. Cyber security cannot be left at the mercy of anti virus and firewall; it must be performed on a continuous basis. Incident response and taking curative action are the need of the hour.

Vskimmer Trojan Capable Of Stealing Credit Card Information From Windows Systems In Circulation

A Trojan that can steal credit card information from computers running the Windows operating system is openly available for sale in the underground market.

The malware named vSkimmer can detect the card readers, grab all the information from the Windows machines attached to these readers, and send that data to a control server.

The malware has capabilities similar to Dexter but has certain additional functions as well.

Botnets like Zeus and SpyEye can perform financial fraud using extremely sophisticated techniques, including intercepting victims’ banking transactions. vSkimmer, on the other hand, directly targets card-payment terminals running Windows.

This malware uses a standard installation mechanism: it copies itself as svchost.exe into %APPDATA%, modifies the registry key to add itself to the authorised list of apps, and runs ShellExecute to launch the process.
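Both this post and the Dump Memory Grabber post above describe the same persistence trick: a registry autorun entry pointing at a file that borrows a system binary's name but lives in a user-writable directory. The following added example (not code from the original posts or from any vendor tool) audits a list of Run-key values for exactly those two signs. The entries it scans are constructed; on a live Windows host they would come from the `winreg` module or `reg query` against the `CurrentVersion\Run` keys, which this offline example does not touch.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Names of Windows system binaries that malware commonly borrows.  A file with
# one of these names that lives outside the system directories is suspicious.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Directories an ordinary user account can write to; autoruns from here
# deserve a look even when the file name is unremarkable.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

Finding = Tuple[str, str, str]   # (value name, executable path, reason)


def extract_executable(command: str) -> Optional[str]:
    """Pull the executable path out of a Run value, quoted or not, ignoring arguments."""
    m = re.match(r'\s*"?(.*?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else None


def audit_run_entries(entries: List[Tuple[str, str]]) -> List[Finding]:
    """Flag autorun entries that look like the persistence pattern described above."""
    findings = []
    for name, command in entries:
        exe = extract_executable(command)
        if exe is None:
            findings.append((name, command, "could not parse executable path"))
            continue
        exe_lc = exe.lower()
        base = ntpath.basename(exe_lc)           # ntpath handles backslashes on any OS
        if base in SYSTEM_BINARY_NAMES and not exe_lc.startswith(SYSTEM_DIRS):
            findings.append((name, exe, "system binary name outside the system directories"))
        elif any(marker in exe_lc for marker in USER_WRITABLE_MARKERS):
            findings.append((name, exe, "autorun from a user-writable location"))
    return findings


# Constructed Run-key contents, in the (value name, data) form that a registry
# query of HKCU\Software\Microsoft\Windows\CurrentVersion\Run would list.
SAMPLE_RUN_ENTRIES = [
    ("svchost", '"C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"'),
    ("SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
    ("OneDrive", "C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"),
    ("VendorUpdater", "C:\\Program Files\\Vendor Tool\\updater.exe --quiet"),
]


def audit_sample() -> List[Finding]:
    return audit_run_entries(SAMPLE_RUN_ENTRIES)


if __name__ == "__main__":
    for name, path, reason in audit_sample():
        print(f"[{reason}] {name}: {path}")
```

The output is a triage list, not a verdict: legitimate software such as OneDrive also autoruns from AppData, so the second category only narrows the set of entries worth checking against a known-good baseline, whereas a `svchost.exe` under a user profile has no legitimate explanation.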

If a computer is not connected to the Internet, the malware waits until a USB device is connected to the infected machine and then copies the card information collected from the victim to the USB device.

vSkimmer can also grab the Track 2 data stored on the magnetic stripe of credit cards. This track stores all the card information, including the card number.

Is China Really The Cyber Attacks And Cyber Crimes Villain Of The World?

It has now become standard practice to blame China for all sorts of cyberspace evils. Whenever a sophisticated cyber attack occurs, most of the time China is blamed for it. This seems not only self contradictory but also a double standard, as the most sophisticated malware like Stuxnet, Duqu, Flame, etc. are not the work of China but of other countries. In short, cyber terrorism and cyber warfare activities can be primarily attributed to nations other than China or India. Even the recent cyber attack upon South Korean banks and broadcasters was initially attributed to China, but on subsequent detailed investigation the hand of China was ruled out.

Although China is blamed for almost every sophisticated cyber attack, the reality is that China and India have yet to match the cyber attack capabilities of the United States and other countries. As per media reports, none of the top 10 malicious hosting providers on the Web is located in China. In fact, the United States and Russia have many more bad hosting providers in the top 20 than China does. Clearly, the hosting of malicious servers is not a localised problem but a global one.

We are living in an age of cyber warfare, cyber terrorism, cyber espionage, etc. We cannot take cyber intrusions and cyber attacks lightly. We have no international harmonisation and regulatory framework for areas like cyber law, cyber security, cyber terrorism, cyber warfare, cyber espionage, etc. Even the Tallinn Manual on international law is not applicable to international cyber warfare attacks and defence.

In these circumstances, attributing a particular cyber attack to a particular country with absolute certainty is next to impossible. The issues of cross border cyber attacks, authorship attribution and cyber crimes convictions need to be sorted out at both national and international levels. We must also stop blaming a particular country for any cyber attack or cyber crime until we have conclusive evidence.

Cross Border Cyber Attacks, Authorship Attribution And Cyber Crimes Convictions

Who is behind a cyber attack or cyber crime is a crucial question in deciding whom to punish. Of course, answering it requires tremendous cyber forensics and cyber crime investigation capabilities.

Cyber crimes and cyber attacks are increasing the world over. The semi-anonymous nature of the Internet has also encouraged these criminal activities. Besides, there are many methods to conceal the identity of an accused, and mixing with the crowd is one such method.

In many cases the offender hides himself among law abiding and legitimate Internet users. Many times even the identity of such law abiding users is stolen to commit the crime or launch a cyber attack.

Even worse, many computers are compromised and made part of botnets that are used for all sorts of illegal activities over the Internet. For instance, for the online advertising industry alone, botnets are causing losses of up to $6 million a month.

Even sensitive government secrets are not spared. Recently the computer systems of DRDO and security officials were breached and sensitive information was leaked on the Internet. In fact, the Internet is full of unprotected and unsafe devices, SCADA systems and computers.

When an accused commits a cyber crime by mixing among the legitimate and law abiding crowd, it becomes imperative to ascertain, with great certainty, that a particular culpable act has been committed by a particular person alone.

We at Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) believe that “authorship attribution” is an important aspect of “determining the culpability” of an offender where the means to commit the offence are common and accessible to many people simultaneously. Data mining and profiling of the accused to “attribute culpability” to him/her alone is an emerging area of cyber crime investigation and India must pay more attention to this branch.

India is still struggling to achieve these capabilities. Further, regulations and guidelines for effective investigation of cyber crimes in India are still missing. Cyber crime investigation in India is still not mature and cyber crime cases are still not handled properly in India.

There is an urgent need on the part of the Indian government to ensure techno legal skills development for law enforcement agencies in India. Further, modernisation of the law enforcement agencies of India is also required. Parliamentary oversight of the law enforcement and intelligence agencies of India is another crucial factor that has been missing for decades.

Fortunately, the Indian government is planning legislation mandating strict cyber security disclosure norms in India. This legislation is essential, as companies and banks in India are not reporting cyber attacks, cyber crimes and cyber frauds.

The Indian government must also make sure that the cyber security infrastructure of India is established as soon as possible. The critical information infrastructure protection agency of India must also be established as soon as possible. The cyber security policy of India must be formulated as soon as possible, and all the abovementioned aspects must be made part of it.

Critical Information Infrastructure Protection Agency Of India

Critical infrastructure protection in India is of utmost importance in the present times. The protection of critical ICT infrastructure in India is an essential part of the critical infrastructure protection policy of India.

If we do some research in this regard, it is very clear that the Internet is full of unprotected and unsafe devices, SCADA systems and computers. The healthcare and medical/life sciences industries are under cyber attack, and anti virus updates have become a potential tool to install malware. We are living in a very vulnerable cyberspace, and India must be well prepared to deal with it.

There is no doubt that cyber security infrastructure in India is urgently needed. India has announced a few initiatives to strengthen its offensive and defensive cyber security capabilities. For instance, a national critical information infrastructure protection centre (NCIPC) of India has been proposed. Similarly, the Indian government has proposed establishing a national cyber coordination centre (NCCC) of India. It has also been reported that a cyber security council for India has been formulated. However, till now there is no sign of actual implementation of these ambitious projects.

Further, the Indian government is also not getting the correct and true picture of the cyberspace anomalies happening in India. For instance, companies and banks in India are not reporting cyber attacks, cyber crimes and cyber frauds to the Indian government. Faced with a very fragile situation, the Indian government is planning legislation mandating strict cyber security disclosure norms in India.

We are living in an age of cyber warfare, cyber terrorism, cyber espionage, etc. We cannot take cyber intrusions and cyber attacks lightly. We have no international harmonisation and regulatory framework for areas like cyber law, cyber security, cyber terrorism, cyber warfare, cyber espionage, etc. Even the Tallinn Manual on international law is not applicable to international cyber warfare attacks and defence.

Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) strongly recommend that the critical information infrastructure protection agency of India must be constituted as soon as possible. Further, we also recommend that sector specific computer emergency response teams (CERT) must be constituted in India as soon as possible.

We hope that Indian government would consider these recommendations of Perry4Law and PTLB and do the needful as soon as possible.

Companies And Banks In India Are Not Reporting Cyber Attacks, Cyber Crimes And Cyber Frauds

Cyber crimes, cyber attacks and cyber frauds are engulfing India, and we are not in a position to tackle these incidents. There are many causes for this situation. Firstly, we have no dedicated cyber security laws in India, and there is no deterrent whatsoever against committing these criminal activities. Secondly, we have a weak cyber law, and the present cyber law of India must be repealed. Thirdly, the cyber security infrastructure of India is still missing. Finally, we have no mandatory legal requirement that companies and banks report any cyber breach to their clients and to the Indian government. It is only now that the Indian government is planning legislation mandating strict cyber security disclosure norms in India.

Obviously, these conditions are very suitable for increased corporate financial frauds and IT related frauds in India. In fact, IT and cyber frauds in Indian companies are increasing at an alarming rate. Similarly, banks in India are openly flouting the cyber law due diligence and cyber security requirements prescribed by the Reserve Bank of India (RBI). Banks in India are not at all following the cyber security due diligence for banks prescribed by RBI. On the contrary, the way senior RBI officials are releasing statements exempting the accused banks from the most severe accusations, it seems RBI is encouraging banks in India to commit crimes and flout regulations. The situation has become so bad that RBI governor Duvvuri Subbarao stressed the need to take steps against money laundering in India.

It seems the Indian government is well aware of what is happening at the corporate and bank level. The Serious Fraud Investigation Office (SFIO) of India has been given more powers to deal with white collar crimes and serious frauds in India. The government is also planning to bring in a regulation for fraudulent multi level marketing companies in India. It is also contemplating blocking the websites of multi level marketing (MLM) companies in India.

At Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) we welcome these initiatives and efforts of the Indian government. We also strongly recommend that all the aspects discussed in this work be made part and parcel of the proposed legislation in this regard.

Indian Government Is Planning A Legislation Mandating Strict Cyber Security Disclosure Norms In India

The cyber security infrastructure in India is struggling to catch up with the malware ridden Internet and the growing cyber attacks against India. The negligent attitude of governmental, private and public sector institutions has further complicated the situation. As there is no requirement to report a cyber security breach or incident, no private company or institution in India is reporting such crucial cyber security incidents.

Although we have no exclusive law that mandates disclosure of cyber security attacks and breaches to the government or its agencies, concepts like cyber due diligence in India, cyber due diligence for companies in India, compulsory appointment of CIOs for banks in India, etc. are well established. Still, the respective stakeholders have failed to comply with these mandates. This has necessitated the enactment of a dedicated law in this regard.

The Indian government is planning to bring in legislation that would ensure strict cyber security disclosure norms. If a company faces a cyber attack or cracking incident, it would be required to disclose to its clients the impact of the incident on the safety of their data and information. The company may also be required to inform the government or its agency about the incident.

This is nothing new in foreign jurisdictions like the United States, where companies are mandatorily required to disclose the nature and impact of any cracking incident. Such companies are also required under the laws of the land to inform the government along with their customers and clients.

Recently, cyber security awareness brochures were made mandatory for hardware sales in India. However, cyber security awareness in India is still not up to the mark. Social media regulation in India is another area of concern for the Indian government.

At Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) we welcome this move and strongly recommend that the Indian government formulate legislation that mandates compulsory disclosure by Indian companies. The sooner it is done, the better it would be for the cyber security of India.