Adobe accounts for 65% of Zero Day Vulnerabilities

The Symantec Internet Threat Study indicates that in 2014, there were 24 Zero day vulnerabilities as compared to 23 in 2013.


Zero-day vulnerabilities are vulnerabilities against which the vendor has not released a patch. The absence of a patch presents a threat to organizations and consumers alike, because in many cases this type of threat can evade the purely signature-based detection techniques used by anti-malware software until a patch is released.

Zero-day vulnerabilities, if found by fraudsters, will be exploited by them more easily than otherwise. Sometimes vendors come to know of the vulnerabilities but are unable to release a patch and, for fear of reputation and business loss, remain silent and do not announce the presence of unpatched vulnerabilities. This makes them complicit in the frauds that occur and should make them legally liable if the law takes its normal view of such “negligence”.

When a Cyber Insurer has provided liability insurance, he is also at a great disadvantage when zero-day vulnerabilities are exploited, since security professionals may find it difficult to counter threats targeting such vulnerabilities.

The Study lists the 24 Zero day vulnerabilities found in 2014 and it is observed that 16 of them relate to Adobe. It includes vulnerabilities in Adobe Flash player as well as Reader. Microsoft accounts for 7 and the other is on Linux.

The study notes that their database has over 62300 vendors, against whom 62400 vulnerabilities have been recorded. It also states that the top 5 vulnerabilities were exploited for a combined period of 295 days during the year, highlighting the risks that we are facing.

Naavi

Posted in Cyber Law | Leave a comment

1 million new threats a day..is what Internet users face..says Symantec Study

The Cyber Crime study recently released by Symantec captures the status of Internet risks in 2014. Titled Internet Security Threat Report (ISTR 20), the report with its annexures provides an in-depth insight into the threats and vulnerabilities that most of us face on a day-to-day basis.

The first thing that any observer of the Internet should note is that, according to the study, more than 317 million new pieces of malware were created in 2014, meaning that there were nearly 1 million each day (leaving Sundays).

What is equally alarming is that the study points out that Symantec's database of vulnerabilities consists of 66400 recorded vulnerabilities from 21300 vendors representing over 62300 products.

With such a huge number of vulnerabilities in genuine software and the vast number of threats, the Cyber Risk poses an enormous challenge to everybody.

The report in fact marks that the year 2014 was notable because of the high profile “Vulnerabilities” such as “Heartbleed”, “ShellShock” and “Poodle”.

Another interesting observation in the study is that, apart from focusing on the exploitation of zero-day vulnerabilities, attackers moved much faster to exploit published vulnerabilities than defenders moved to release patches.

During the year, 24 zero-day vulnerabilities were discovered. Vendors took 204 days, 22 days and 53 days to release patches for the three top zero-day vulnerabilities. The top 5 zero-day vulnerabilities were actively used by attackers for a combined 295 days before patches were available. In 2013 this period was on average only 4 days, highlighting the increasing risk that the community faced during the year due to the inefficiency of the software industry.

These findings indicate that there is a lot of ground that the industry has lost to the Cyber Crime industry and this needs to be recovered.

We need to analyse the report in greater depth to understand how the growth of Mobile apps on the one hand and Cyber terrorism on the other has contributed to the growing insecurity in the Cyber world.

The findings of this report will inevitably have an impact on the Cyber Insurance industry, which needs to take a re-look at its policies, premia, etc.

(More details of the report would be discussed in the forthcoming articles)

Naavi


Beware of this Call from 90699 35661

Today, I received a telephone call from the mobile number 90699 35661 which appears to be an attempted fraud. I am placing this for public attention so that people do not respond to the call. At the same time, the Internet Service Provider involved, namely Videocon, is being notified for necessary corrective action.

The caller who was a lady made a call to my mobile at 14.50 hours and stated that she was calling from Consumer Court in Delhi and was informing that a 420 case has been filed on me. When I asked for the name of the person and further details of which court, she disconnected.  Afterwards, when I tried to call back, there was no response.

Some of my friends have subsequently informed me that they are aware of such calls and in one case the caller suggested help to resolve the case through a lawyer and wanted the person to contact the lawyer.

I would like the public to be informed of such fraudulent calls and request them not to respond.

I also hereby give public notice to the Mobile Service Provider which according to information taken from the web appears to be Videocon in Himachal Pradesh that this incident indicates that they are abetting a crime by providing facilities of telephone connectivity to the fraudster.

I am expecting them to take action to deactivate the account to prevent any further frauds.

I also expect Police in the relevant area to take suo motu action since this is not an isolated attempt but is an organized syndicate that is running a call center to commit such frauds. I wish some responsible police officer takes up this case and busts the racket.

Naavi

Paris Attack Fall out.. Bitcoin is in danger of going into Extinction.

One of the inevitable fallouts of the global outrage against ISIS after the Paris attack is an attempt by all countries to choke ISIS of its funding sources. It is estimated that ISIS holds a huge stock of Bitcoins, which is the known standard currency for cyber criminals and terrorists.

After the Silk Road expose, Bitcoin suffered a major blow as it acquired the notoriety as the choice currency of the underworld. However it was slowly coming out of the reputation crisis and trying to re-establish itself on the strength of the momentum gained by a large number of non criminal owners of Bitcoin.

From its glorious days of 2014 when Bitcoins were valued at over Rs 65000/- in India, the value has now tumbled down to around 20940/-  at present. In the last two days, the international price of BTC has dropped from around $340 to around $315. In the current trend it may test the $250 support line and head further south.


The current crisis has now brought global attention to Bitcoins, and many Governments are considering “Demonetizing” (Banning) Bitcoins. It is interesting to note that the readers of mirror.co.uk have voted in a 53% majority (as of now) that Bitcoin should be banned. (Read this article in mirror.co.uk)

With Bitcoin having now been flagged as the currency used by ISIS, more countries may move in to ban the currency. This could seriously threaten the very existence of Bitcoin.

This does not mean that this is the end of the “Crypto Currency” as a means of digital payment system though for many Bitcoin is a synonym for “Crypto Currency”.  But Bitcoin has been tainted to such an extent that most of the Bitcoin holdings might have once passed through an illegitimate transaction and hence carry the tag of “criminality”. Legally, Bitcoin being a commodity, a “Stock once tainted remains always tainted”. Hence a majority of Bitcoins (unless they have been mined by the holder or a known source) will be considered as illegal even if the holder has bought it with his hard earned taxed and declared income. It is difficult therefore to see a recovery of the value of Bitcoins in the near future.

In the meantime, Anonymous Hacker group has vowed to take the war into the ISIS camps and is trying to identify the Bitcoin wallets owned by ISIS. It would be in the interest of the Bitcoin community if ISIS holdings of Bitcoins can be identified and disabled so that the ISIS taint can be removed to some extent.

It is therefore advisable for all genuine holders of Bitcoin who are holding Bitcoin as an investment to immediately exit and cut their losses. The value is expected to drop further in the next few days and it will be a long time before it recovers if it recovers at all.

Naavi

Posted in bitcoin | 1 Comment

Beware of Malware carrier and Hoax emails on ISIS-Paris attack themes

As could be expected after any global catastrophic event, the ISIS attack in Paris has also given rise to fraudulent e-mails. Some of them could be hoax emails and some could be carrying malware, prompting the receiver to click on a link.

Public should be careful not to fall prey to such e-mails.

Some of these e-mails or messages are also circulating in WhatsApp.

Some of the reported hoax mails/messages are:

1. Singapore Police Notice

2. We All Paris Hoax

These may be considered as indicators of what is to be expected. Some of the fraudsters will include spear phishing mails which may say something as follows:

“Police in Paris identify an employee of xxx company as a suspect of Paris attacks. Click here for the photo released by the Police.”

Such an email may be sent to all employees of the organization named in the e-mail, prompting them to immediately open the e-mail to see which of their colleagues is a suspect, and thereby invite malware.

Public should therefore be extremely careful to avoid opening any attachments in an e-mail and also avoid circulating hoax mails in the belief that it is true. Such forwards may entrap the receivers since they would consider it as a message coming from a known person.

Naavi


Hacktivists now have a point to prove. Let’s see whether they can Walk the Talk.

The Paris Attack of 13/11 (2015) by ISIS would be an event which will change the face of the earth. On the one hand, it has galvanized France and other nations, including Russia, which suffered an attack a few days back in the form of a bomb on a plane, into an all-out war on ISIS on the ground. At the same time, it has galvanized the powerful Anonymous hacker group to take down the cyber assets of ISIS.

It looks a little strange that one group of mercenaries who have enemies all around them including the neighboring Muslim states of Syria and Iraq can threaten the whole world and challenge countries such as France, UK, USA and Russia all at one time. But the power of “Terrorism” is such that as an asymmetric warfare  it has the power to challenge the conventional forces with greater fire power. The difference lies in the motivation to fight and the unconventional methods used to strike.

For these countries who fought two world wars as allies, this is the “Third World War” unfolding in the form of ISIS. It appears that they have a renewed resolve to fight ISIS after the Paris attack. But one has to wait and see how long this enthusiasm lasts. Will the allies go for the complete control of the ISIS controlled land like what Sri Lanka successfully did against LTTE or back off at some point of time for their own reasons, is difficult to foresee. But it can be expected that as the Allied forces succeed in pushing back the ISIS in the physical world, they will increasingly go underground, spread out and start attacking the world in a series of terrorist attacks.

Breaking the link to the command and control center over such distributed terrorists and starving them of money and ammunition would be an important requirement if these terrorists are to be neutralized. It is in this context that winning the Cyber war against ISIS is as important as winning the war on land.

It is therefore interesting for us to watch the Cyber War that is unfolding between the Anonymous Hacker Group and ISIS. The Hacker Group has issued a statement that they would hunt down and destroy ISIS in Cyber Space. (Read article here.) It is reported today that the Hacker Group has already brought down over 5500 Twitter handles in the last two days. But this should be only the starting point. What is important is whether the terror plans can be disclosed before execution and forced into failed or abandoned missions.

The Group has also released a guideline on how to proceed with hacking into ISIS assets. (See the report here)

During the post-Paris attack investigations, it has been speculated that the terrorists might have used the Sony PlayStation 4 game console for in-game communication to plan and execute the attacks. It is a given that execution of any major coordinated terror attack (which some have called the Wolf pack attack) requires extensive planning and therefore a good stealth communication channel that can be sustained over a period of time.

Some experts do not agree that PS4 was used for communication in this case. It does not actually matter whether PS4 was used in this attack for communication. But the possibility of the “Video Gaming” platform being used for communication cannot be ruled out. In future these communication channels need to be monitored by the intelligence agencies to get the scent of what is brewing in the terror camps. Apart from the Sony PlayStation or Xbox type of gaming consoles, there are many online gaming sites where groups can be formed, apparently for a gaming situation, and messages exchanged. It would be a near impossible task for the intelligence agencies to monitor such communication in real time.

However, it should be possible to develop necessary algorithms to monitor the pattern of group formation and communication in these game situations to flag any suspicious activities that can be taken up for monitoring on an exception basis. Probably the companies such as Sony and Microsoft themselves may develop such tools to monitor the misuse of their properties.

Presently, the Sony PlayStation privacy statement provides that Sony retains the right to monitor and record the communication between the users of the PlayStation Network. This indicates that they do have the necessary backdoors that can be activated for monitoring users’ activities.

Creating an automated system of analytics is a logical step ahead, given the fact that there are over 110 million users of which 65 million are active at any point of time. This is a Big Data challenge that needs to be overcome and would perhaps be overcome in the immediate future.

It is also considered possible that terrorists may superimpose cryptographic techniques to hide their messages. Such techniques can hide the messages but not the suspicious pattern.

Breaking the communication network of ISIS is an important step in winning the Cyber War. Whether the Anonymous Hackers can go beyond taking down Twitter accounts to monitoring and revealing terror plans in advance to law enforcement will determine to what extent the Hackers can help destroy ISIS as an organization that can survive beyond the physical annihilation that the Allies can inflict on the ground.

Another significant part of the Cyber Warfare is to trace the monetary assets of ISIS in cyber space and destroy them. It is worth watching whether Anonymous Hackers can attack the financial assets of ISIS and starve them of their funds.

While the Allies are expected to fight the war both in the physical space and the cyber space, the Anonymous hackers will fight only on the Cyber Space. But their contribution to winning this war for the sake of humanity in general is very important and history will recognize this contribution if it succeeds.

Technology is known to create problems, and it is time technology also finds solutions to benefit mankind. Hacktivists now have a point to prove. Let’s see whether they can walk the talk.

Naavi
