A Broker for Zero Day Vulnerabilities?

The way the underworld for Cyber Crime tools has developed indicates how complicated the world of Cyber Crime is from a law enforcement perspective. Cyber Criminals are difficult to catch both because they are anonymous and spread across the globe and because they are technically a step or two ahead of the best of law enforcement. Also, the Cyber Criminal has a lot of time at his disposal to plan and commit a crime, while law enforcement has only a limited time before the evidence starts fading. Additionally, law enforcement has to deal with issues of Privacy and Freedom of Expression, while the criminal is not bound by any norm or ethics.

One manifestation of this asymmetric warfare is the announcement of an open price list for Cyber Crimeware by a firm which is considered a “Broker” for buying and selling Cyber Crimeware. A company called Zerodium has put up a price list for different categories of exploits that people can buy. At the same time, if there are any sellers, they can also use the chart for valuing their exploits.

The following is the chart published in an article at wired.com that indicates the current prices of crimeware.


The price list indicates prices of up to $500,000 (Rs 3 crores) as an annual subscription. It is unfortunate that the global law enforcement agencies have admitted their inability to control Cyber Crime or the illegal trading of such Crimeware by themselves subscribing to such services.

Zerodium proclaims itself to be a firm that pays premium rewards to security researchers to acquire previously unreported zero day exploits affecting widely used operating systems, software and/or devices. Zerodium claims that normal Bug Bounty programs pay a smaller reward, while it pays high rewards and focuses on high-risk vulnerabilities.

What is disturbing, however, is that Zerodium may also sell these by subscription. Though the company claims that it would not sell the exploits to oppressive Governments, the very fact that it is in the business of selling crimeware indicates that it is primarily prepared to sell for money.

It is possible that in due course ISIS may be able to infiltrate this organization or even force it to part with exclusive exploits that can be used against humanity. It is interesting to note that Zerodium is funded by a French firm, Vupen, and if for some reason the exploits fall into the wrong hands, then it would be ironic that a French firm itself would be responsible for the growth of ISIS.

While the concept of providing an appropriate reward for researchers is fine and I have also advocated it in the recent past (See: Bug Bounty Program from Government is required), my recommendation is that it has to be maintained by the Government agencies. (The fact that agencies like the NSA have used it as a Cyber war weapon is known and needs to be prevented separately by the checks and balances built into the system.)

At the international level, a consortium of a few countries needs to manage such a program so that the exploits do not fall into the wrong hands.

I suggest that Prime Minister Mr Narendra Modi start a discussion with global leaders and, just as he has mooted the idea of a Solar Energy consortium and a Counter Terror Consortium, promote the concept of a “Cyber Defense Consortium” which can operate this buying of exploits as a Bug Bounty program. The exploits, however, should be neutralized by quick patching so that they are never available as Zero day exploits.


Related Article in infosecurity-magazine


Delhi Consumer Court Fraud.. Why are the Police silent?

I had pointed out in my earlier article “Beware of this Call from 90699 35661” the calls that threaten the victim that there is a Consumer Court complaint against him/her in the Delhi Consumer Court and that, if help is required, they may contact some person.

Yesterday I got the call again and I was referred to a person named Veerendra Singh Yadav at 08586067445. When I searched the web for this number, I found a series of complaints of a similar nature already noted at the consumer forum website. I also saw one case reported by a consumer of Bajaj Finserv which was promptly responded to by a customer service executive, indicating that even the organization Bajaj Finserv is unable to identify that this is part of a scam in which their name has been misused.

When I called back this number, again a lady picked up and said that she was the assistant of Mr Veerendra Singh Yadav. When I insisted that I wanted to speak only to him, she said she would call back. I suppose she is hunting for a male voice amongst her colleagues, who are all part of a fraudulent organization and deserve to be in jail. Perhaps I may not get any call back.

From the background noise we get from these calls, it appears that the gang is operating like a call center with several persons engaged only in making such calls.

While these are criminals and have chosen to be so, I take serious objection to the Police in and around Delhi who are letting such frauds continue to happen. If the information about these frauds is already available on the web, it is presumed that it is also known to the Police. (If not, they do not deserve to be called the “Police”.)

Intelligence agencies including the CBI should not only be aware of such frauds but also aware that most of these fraudsters raise money for terrorist organizations. Hence the silence of the Police could only mean “Complicity” in crimes including the funding of terrorist activities.

I am sure that some of my Police friends may get annoyed with this comment, but I would like them to realize that this is what the ordinary person on the street would think. The public think the Police are incompetent, do not care about law and order in Cyber Space or are corrupt.

Being a friend of many policemen, I consider that this would be an unfair perception of the Police. Police in India are quite capable and, if they want, they can take action to bring down such frauds. In this case I do not think that the inaction is a result of corruption. It could, however, be due to apathy and a belief that they need to act only when a complaint is registered.

I request the Police who have jurisdiction over the phone numbers mentioned above to trace these calls and punish not only the proprietor of this business, but every one of these callers and also the Mobile Service Providers who have provided them the facilities to cheat the public.

Let’s hope this criticism galvanises the Police into action.


More cases reported: board reader thread


Mobile threats in Symantec Study - 1 million Malware Apps identified

The Symantec study on Internet threats has some interesting findings on the threats arising from Mobile devices which need some deep analysis.

The first alarming aspect thrown up by the study is that of the 6.3 million apps observed by the study, about 1 million apps have been classified as “Malware Apps” (we shall call these MalApps). These are programs and files that are created to do harm and include viruses, worms, and Trojan horses. 2014 is considered the 10th anniversary of MalApps, since the first worm targeting mobile devices is said to be SymbOS.Cabir, found in 2004. The 1 million new MalApps found in 2014 consist of 46 new families of Android malware. The study says that this 1 million MalApps does not include about 2.3 million “grayware” apps, which display undesirable behaviour such as advertising.

Symantec expects the growth in mobile malware to continue in 2015, becoming more aggressive in targeting a user’s money. It is estimated that 51 percent of U.S. adults bank online and 35 percent use mobile phones, and hence they are prime targets for MalApp writers. The study records that malware can intercept text messages carrying authentication codes from the bank and forward them to attackers. Fake versions of legitimate banks’ mobile applications also exist, hoping to trick users into giving up account details.

The study notes what it calls “MadWare”, which uses aggressive techniques to place advertising in a mobile device’s photo albums and calendar entries and to push messages to the notification bar. Madware can even go so far as to replace a ringtone with an ad.

An analysis of threats by platform indicates that of the total of 48 threats (counted by family, ignoring variants), 45/46 were identified on the Android platform and 3 on iOS.

As regards vulnerabilities, 168 mobile vulnerabilities were disclosed in 2014 compared to 127 in the previous year. It is surprising to note that 84% of these vulnerabilities are from the iOS system and only 11% are from Android systems. Blackberry accounts for 4% and Windows 1%.

Probably the documentation of vulnerabilities in Apple’s iOS is better organized than that for Android, and hence there could be a skewed finding about the security of iOS phones vs Android phones. This is an interesting observation and leaves both equally exposed to risk.

As of today, Android appears to have a lead in market share of around 51.2% as against iOS, which is around 43.5%. Cumulative global shipments of Android phones were around 1644 million units from 2010 to 2014, while cumulative sales of Apple iOS devices since their launch in 2007 are around 600 million.

This indicates that relatively there were more vulnerabilities in iOS than in Android, though there are more threats on the Android platform than on iOS.

The types of threats that the MalApps pose are reflected in the following chart.


It may be expected that in the coming years these mobile threats will increase and create more risks for users, since the App Ecosystem is difficult to monitor. The security industry needs to do something specific to improve the reliability of mobile platforms so that they can support the market developments of the coming days.



Ransomware and Watering hole strategy

The Symantec Internet Security Threat report of 2015 has provided some interesting insights into the current trends in threats and vulnerabilities in Cyber space.

One of the interesting findings of the study is the rise of ransomware as a major threat.

Ransomware is malicious software that locks and restricts access to infected computers. The malicious software then displays an extortion message using a social engineering theme that demands a ransom payment to remove the restriction.

In 2014, ransomware attacks more than doubled from 4.1 million in 2013 to 8.8 million (approximately 24,000 per day). File encryption attacks leading to ransom demands expanded from 8,274 in 2013 to a whopping 373,342 in 2014, a nearly 20 times jump in the threat. The actual ransom demanded was on average around US$ 1000 to 2000. However, since we have seen ransom demands of up to $5 million in India during the last year, it can safely be said that if the victim is a corporate entity, the damage could be significant.

Yet another point worth noting is the use of the watering hole strategy for distributing malware. This strategy plants trojans on a popular website, such as that of a newspaper, which is both respected and has high traffic. (The name is taken from the strategy used by hunting animals, which wait near water sources in a forest to catch their prey.) The downloaded trojans are used for identity theft and other malicious purposes. The advantage of such watering hole attacks is that in corporate networks which maintain restricted internet access, the popular sites may still be allowed, and hence the malware can reach the employees.

The threats analysed in the report give direction to information security managers to check the effectiveness of their controls. The study also provides some guidelines on best practices which are a good starting point for evaluating the security systems of user organizations.



The Underground Cyber Crime Economy

The Norton/Symantec Cyber Crime study of 2014 has tried to provide an insight into the Underground Cyber Crime economy that drives the growth of financial crimes.

Spamming and Phishing continue to be the major tools through which frauds are committed in Cyber Space. Spamming with malicious links and attachments is used to drop Trojans, and Phishing is used to make the spam look like a message from a known person.

According to the study, approximately 28 billion spam mails were in circulation worldwide each day in 2014 compared to 29 million in 2013. Overall, for 2014, 60% of email traffic was identified as spam compared to 66.4% in 2013, representing a decrease.

According to the India specific information available from the Norton study, an estimated Rs 16558/- on average was lost by Indian consumers on account of Cyber Crimes. The study estimates that approximately 113 million Indians were affected by Cyber Crimes, which constituted around 48% of the Indian online population. There is a little ambiguity in the way the loss is being estimated, and hence we shall leave it for analysis at a later time when more information is available, and revert to the figures available in the global study.

The Cyber Crime market has evolved like any other business, where the crimeware is developed by one set of people and exploited by another. There are people who specialize in developing malware, other people who specialize in identity theft, another set of people who drop the malware using spam techniques, and yet another set of people who actually draw the fraud money out of the victims. Certain trojans are available on lease for a specific period, making it all look like an organized business.

The study estimates that a drive-by download web toolkit, which includes updates and 24/7 support, can be rented for between $100 and $700 per week. The online banking malware SpyEye (detected as Trojan.Spyeye) is offered from $150 to $1,250 on a six-month lease, and DDoS attacks can be ordered from $10 to $1,000 per day. The value of information sold in the Cyber Crime market is indicated by the following table.


If Cyber Crime is to be curtailed, then it is important to recognize the existence of this chain of actors and eliminate the participants at each of these levels.




639 Web browser vulnerabilities and 35 SCADA vulnerabilities found in Symantec Study

The Symantec Internet Security Threat report of 2014, released recently, indicates that in 2014, 6549 new vulnerabilities were reported as compared to 6787 in 2013.


Out of these, there were 891 Web Browser vulnerabilities, which are a serious threat to ordinary Netizens.


As can be observed from the above table, the total number of vulnerabilities in the 5 major browsers declined from around 891 in 2012 to 591 in 2013 and went up again to 639 in 2014. Internet Explorer recorded the highest number of vulnerabilities at 282, while Opera appeared to be the most secure browser.

Browser plug-ins including Adobe Reader, Flash Player, Apple QuickTime and Microsoft ActiveX, as well as Firefox extensions and Java, constituted additional vulnerabilities.

The inference is that using the Opera web browser and avoiding plug-ins could reduce the risk of being exploited through these vulnerabilities.

The study has also tried to track what it calls ICS vulnerabilities. These represent the vulnerabilities in Industrial Control Systems, including SCADA (Supervisory Control and Data Acquisition) systems of the type attacked by the Stuxnet virus in the past.

ICSs are typically used in industries such as electrical, water, oil, and gas. Based on data received from remote stations, automated or operator-driven supervisory commands can be pushed to remote station control devices.

This is of special interest to non-IT manufacturing companies, which have a huge stake given the potential for exploitation, particularly by Cyber terrorists. It is also of relevance to Secure Digital India, where stakes are being placed on Smart Cities.

Siemens products continue to find a place in the list of such vulnerabilities, along with Advantech WebAccess and Schneider Electric products. A total of 35 such vulnerabilities have been disclosed in the report.

Industries using such products should pay special attention to these vulnerabilities, and Cyber Insurers and CISOs also need to take special note of them.

