Naavi.org

I had pointed out through my earlier article “Beware of this Call from 90699 35661” about the calls that threaten the victim that there is a Consumer Court complaint against him/her in Delhi Consumer court and if help is required they may contact some person.

Yesterday I got the call again and I was referred to contact a person named Veerendra Singh Yadav at 08586067445.  When I searched the web for this number, I found a series of complaints of similar nature already noted at  the consumer forum website . I also saw one case reported by a consumer of Bajaj Finserv which has been promptly responded by a customer service executive indicating that event the organization Bajaj Finserv is unable to identify that this is part of a scam in which their name has been misused.

When I called back to this number, again a lady picked up and said that she was the assistant of Mr Veerendra Singh Yadav. When I insisted that I want to speak only to him, she said she will call back.  I suppose she is hunting for a male voice amongst her colleagues who all are part of a fraudulent organization and deserve to be in jail. Perhaps I may not get any call back.

From the background noise we get from these calls, it appears that the gang is operating like a call center with several persons engaged only in making such calls.

While these are criminals and chosen to be so, I take serious objection to the Police in and around Delhi who are letting such frauds continue to happen. If the information about these frauds are already available on the web, it is presumed that it is also known to the Police. (If not, they donot deserve to be called the “Police”).

Intelligence agencies including CBI should be not only aware of such frauds but also aware that most of these fraudsters raise money for terrorist organizations.  Hence the silence of Police could only mean “Complicity” to crimes including funding of terrorist activities.

I am sure that some of my Police friends may get annoyed with this comment but I would like them to realize that this is what the ordinary person on the street would think. Public think Police are incompetent, donot care about law and order in Cyber Space or are corrupt.

Being a friend of many policemen, I consider that this would be an unfair perception about the Police. Police in India are quite capable and if they want, they can take action to bring down such frauds. In this case I donot think  that inaction is a result of corruption. It could however be due to apathy and a belief that they need to act only when a complaint is registered.

I request Police who have jurisdiction on the phone numbers mentioned above to trace these calls and punish not only the proprietor of this business, but every one of these callers and also the Mobile Service Providers who have provided them the facilities to cheat public.

Let’s hope this criticism galvanise Police into action.

Naavi

More cases reported : board reader thread

The Symantec study on Internet threats has some interesting findings on the threats arising out of Mobile devices which needs some deep analysis.

The first alarming aspect thrown open by the study is that of the 6.3 million apps observed by the study, about 1 million apps have been classified as “Malware Apps” . (we shall call this MalApps). These are Programs and files that are created to do harm and includes  viruses, worms, and Trojan horses. 2014 is considered the 10th anniversary of the MalApps since the first worm on a Mobile App is said to be SymbOS.Cabir found in 2004. The 1 million new MalApps found in 2014 consists of 46 new families of Android malware. The study says that this 1 million MalApps does not include about 2.3 million “grayware” which represents Apps that display undesirable behaviour such as advertising.

Symantec expects the growth in mobile malware to continue in 2015, becoming more aggressive in targeting a user’s money. It is estimated that 51 percent of U.S. adults bank online and 35 percent use mobile phones and hence are prime targets for MalApps writers. The study records that  malware can intercept text messages with authentication codes from the bank and forward them to attackers. Fake versions of legitimate banks’ mobile applications also exist, hoping to trick users into giving up account details.

The study notes what it calls as “MadWare” which use aggressive techniques to place advertising in  mobile device’s photo albums and calendar entries and to push messages to the  notification bar.Madware can even go so far as to replace a ringtone with an ad.

An analysis of threats by platform indicates that out of the total of 48 threats (by families ignoring the variants), 45/46 were identified on Android platform and 3 on iOS.

As regards vulnerabilities, 168 mobile vulnerabilities were disclosed in 2014 compared to 127 in the previous year. It is surprising to note that 84% of these vulnerabilities are from iOS system and only 11% are from Android systems. Blackberry counts for 4% and windows 1%.

Probably the documentation of vulnerabilities in Apple could be better organized than the Android and hence there could be a skewed finding about the security of IOS phones vs Android phones. This is an interesting observation and leaves both equally vulnerable to risks.

As of today, Android appears to have a lead in market share of around 51.2 % as against iOS which is around 43.5% Cumulative global shipment of Android phones was around 1644 million units from 2010 to 2014 while the cumulative sales of Apple iOS devices since its launch in 2007 is around 600 million.

This indicates that relatively there were more vulnerabilities in iOS systems than the Android though  there are more threats on Android platform than in iOS.

The type of threats that the MalApps pose is reflected in the following chart.

It may be expected that in the coming years these mobile threats would increase and create more risks for the users since the App Ecosystem is difficult to monitor. The security industry needs to do some thing specific to improve the reliability of mobile platforms so that it can support the market developments in the coming days.

Naavi

Symantec Internet Security Threat report 0f 2015 has provided some interesting insights into the current trends in threats and vulnerabilities in the Cyber space.

One of the interesting findings of the study is the raise of ransomware as a major threat.

Ransomware is malicious software that locks and restricts access to infected computers. The malicious software then displays an extortion message using a social engineering theme that demands a ransom payment to remove the restriction.

In 2014, the ransomware attacks more than doubled from 4.1 million in 2013 to 8.8 million (approximately 24000 per day). The file encryption attacks leading to ransom demands expanded from 8274 in 2013 to a whopping 373,342 in 2014 showing a nearly 20 times jump in the threat. The actual ransom demands on an average was around US$ 1000 to 2000. However, since we have seen ransom demands of upto $5 million in India during the last year, it can safely be said that if the victim is a corporate entity, the damage could be significant.

Yet another point worthy of noting is the use of watering hole strategy for distributing the malware. This strategy plants the trojans in a popular website such as that of a news paper which is both respected and also has high traffic. (The name is taken from the strategy used by hunting animals which wait near water resources in a forest and catch their prey). The downloaded trojans are used for identity theft and other malicious purposes. The advantage of such watering hole attacks is that in corporate networks which maintain restricted internet access, the popular sites may be provided access and hence can reach out to the employees.

The threats analysed in the report give directions to the information security managers to check the effectiveness of their controls. The study also provides some guidelines on best practices which are a good starting point to evaluate the security systems of user organizations.

Naavi

The Norton/Symantec Cyber Crime study of 2014 has tried to provide an insight into the Underground Cyber Crime economy that drives the growth of financial crimes.

Spamming and Phishing continue to be the major tools through which frauds are committed on Cyber Space. Spamming with malicious links and attachments are used to drop Trojans and Phishing is used to make the spam look like a message from a known person.

According to the study, approximately 28 billion spam mails were in circulation worldwide each day in 2014 compared to 29 million in 2013. Overall, for 2014, 60% of email traffic was identified as spam compared to 66.4% in 2013 representing a decrease.

According to the India specific information available from Norton study, an estimated Rs 16558/- was lost on account of Cyber Crimes by Indian consumers on an average. The study estimates that approximately 113 million Indians were affected by Cyber Crimes which constituted around 48% of the Indian online population. There is a little ambiguity on the way the loss is being estimated and hence we shall leave it for analysis at a later time when more information is available while we revert to the figures available in the global study.

The Cyber Crime market has evolved like any other business where the crime ware is being developed by one set of people and exploited by another. There are people who specialize in developing malware, other people who specialize in identity theft and another set of people who drop the malware using spam techniques and yet another set of people who actually draw fraud money out of the victims. Certain trojans are available on lease for a specific period making it all look like an organized business.

The study estimates that a A drive-by download web toolkit, which includes updates and 24/7 support, can be rented for between $100 and $700 per week. The online banking malware SpyEye (detected as Trojan.Spyeye) is offered from $150 to $1,250 on a six-month lease, and DDoS attacks can be ordered from $10 to $1,000 per day. The value of information sold in the market for Cyber Crime is indicated by the following table.

If Cyber Crime has to be curtailed, then it is important to recognize the existence of this chain of actors and eliminate the participants at each of these levels.

Naavi

The Symantec Internet Security Threat report of 2014 released recently indicates that in 2014 6549 new vulnerabilities were reported as compared to 6787 in 2013.

Out of these,  there were 891  Web Browser vulnerabilities which  are a serious threat to ordinary Netizens.

As can be observed from the above table, the total number of vulnerabilities in the 5 major browsers declined from around 891 in 2012 to 591 in 2013 and again went up to 639 in 2014. Internet explorer recorded the highest number of vulnerabilities at 282 while Opera appeared to be the most secure browser.

Browser plug ins including Adobe Reader, Flash Player, Apple Quicktime, Microsoft Actve X as well as Firefox extensions and Java constituted additional vulnerabilities.

Inference is that using Opera web browser and avoiding plug ins could reduce the risks of being exploited by these vulnerabilities.

The study has also tried to track what it calls as ICS vulnerabilities. These represent the vulnerabilities with Industrial Control Systems including SCADA (Supervisory control and data acquisition) systems of the type attacked by Stuxnet virus in the past.

ICSs are typically used in industries such as electrical, water, oil, and gas. Based on data received from remote stations, automated or operator-driven supervisory commands can be pushed to remote station control devices.

This is of special interest to non IT manufacturing companies who have a huge stake in terms of exploitation particularly by Cyber terrorists. It is also of relevance to Secure Digital India where stakes are being placed on Smart Cities.

Siemens products continue to find a place in the list of such vulnerabilities along with Advantech WebAccess and Schneider electric products. A total of 35 such vulnerabilities have been disclosed in the report.

Industries using such products should pay special attention to these vulnerabilities and Cyber Insurers and CISOs also need to take special note of such vulnerabilities.

Naavi

The Symantec Internet Threat Study indicates that in 2014, there were 24 Zero day vulnerabilities as compared to 23 in 2013.

Zero-day vulnerabilities are vulnerabilities against which the vendor has not released a patch. The absence of a patch  presents a threat to organizations and consumers alike, because in many cases this type of threat can evade purely signature-based detection techniques used by Anti malware software until a patch is released.

The zero day vulnerabilities if found by the fraudsters, will be exploited by them more easily than otherwise.  Some times the vendors come to know of the vulnerabilities but are unable to release a patch and for fear of reputation and business loss remain silent and  not announce the presence of unpatched vulnerabilities. This makes them complicit to the frauds that occur and should make them legally liable if law takes its normal view on such “negligence”.

When a Cyber Insurer has provided a liability insurance, he is also at a great disadvantage when Zero day vulnerabilities are exploited since security professionals may find it difficult to counter threats targeting such vulnerabilities.

The Study lists the 24 Zero day vulnerabilities found in 2014 and it is observed that 16 of them relate to Adobe. It includes vulnerabilities in Adobe Flash player as well as Reader. Microsoft accounts for 7 and the other is on Linux.

The study notes that their data base has over 62300 vendors of whom 62400 recorded vulnerabilities have been found.  It also states that the top 5 vulnerabilities were exploited for a combined period of 295 days during the year highlighting the risks that we are facing.

Naavi