Botnet steals US$6 million from advertisers

A botnet named “Chameleon”, which simulates website visitors clicking on advertisements, is reported to have stolen around US$6 million from advertisers in the form of false ad clicks. The botnet used about 120,000 hosts to simulate the clicking.

Report: 

About 5000 IP addresses participating in the botnet have now been disabled.


Cyber attack on South Korea

South Korean networks went down in what is believed to be a cyber attack from North Korea.

The attack crippled bank transactions, including the ATM networks.

Report here:


MD5 to SHA256... but password cracking becomes easier

In an interesting revelation, it is stated that Cisco has recently started using a different method for storing users’ passwords, shifting from MD5 to SHA-256, which makes the passwords more vulnerable to cracking.

We are aware that MD5 is reportedly compromised; in fact, the Indian CCA has dis-accredited the MD5 algorithm for digital signature purposes and shifted to SHA-256/512.

According to security experts, the new password storage scheme converts each password into a SHA-256 hash using a single iteration and without any cryptographic salt (random data mixed into the input).

The earlier method is reported to have applied 1000 iterations of the MD5 hash, with a cryptographic salt, to each password. This is said to make cracking slower and to require more tries: the salt stops one guess from being checked against every stored hash at once, and the iterations multiply the work needed for each guess.

Security specialists have also pointed out that a relatively inexpensive system fitted with two AMD Radeon 6990 graphics cards and running the “Hashcat” password cracking program can currently make 2.8 billion cracking tries per second.
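As an added example (not the post’s code, and not Cisco’s actual implementation), the following Python sketch puts numbers on the difference the post describes. It hashes a few constructed user passwords under both schemes, then counts how many hash evaluations a small constructed guess list costs against each store, and converts a keyspace into time at the 2.8 billion guesses-per-second rate quoted above. The sample users, the wordlist, the 8-character keyspace and the exact chaining of the salted MD5 scheme are assumptions made for illustration; only the 1000-iteration count and the Hashcat rate come from the post.

```python
from __future__ import annotations

import hashlib
import secrets

# Constructed sample data for illustration only (not from the post).
# Two users picked the same weak password.
USERS = {"alice": "cisco123", "bob": "cisco123", "carol": "Tr0ub4dor&3"}

# A tiny constructed guess list standing in for a cracker's wordlist.
WORDLIST = ["password", "letmein", "cisco123", "admin"]

ITERATIONS = 1000       # iteration count the post attributes to the older scheme
HASHCAT_RATE = 2.8e9    # guesses per second quoted in the post for two Radeon 6990s


def hash_unsalted_sha256(password: str) -> str:
    """The newer scheme as the post describes it: one SHA-256 pass, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted_iterated_md5(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Stand-in for the older scheme: a per-user salt and 1000 chained MD5 rounds.

    The chaining used here is an assumed simplification for illustration,
    not Cisco's actual construction. Output format is "salthex$digesthex".
    """
    digest = hashlib.md5(salt + password.encode()).digest()
    for _ in range(iterations - 1):
        digest = hashlib.md5(digest + password.encode()).digest()
    return salt.hex() + "$" + digest.hex()


def build_stores(users: dict[str, str] = USERS) -> tuple[dict[str, str], dict[str, str]]:
    """Hash every user's password under both schemes, with a fresh salt per user."""
    unsalted = {u: hash_unsalted_sha256(p) for u, p in users.items()}
    salted = {u: hash_salted_iterated_md5(p, secrets.token_bytes(8)) for u, p in users.items()}
    return unsalted, salted


def crack_unsalted(stored: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Without a salt, one hash per guess is checked against every user at once."""
    table = {hash_unsalted_sha256(w): w for w in wordlist}
    found = {u: table[h] for u, h in stored.items() if h in table}
    return found, len(wordlist)


def crack_salted(stored: dict[str, str], wordlist: list[str],
                 iterations: int = ITERATIONS) -> tuple[dict[str, str], int]:
    """With a salt, every guess is redone per user, and each costs `iterations` MD5 calls."""
    found: dict[str, str] = {}
    evaluations = 0
    for user, record in stored.items():
        salt = bytes.fromhex(record.split("$", 1)[0])
        for word in wordlist:
            evaluations += iterations
            if hash_salted_iterated_md5(word, salt, iterations) == record:
                found[user] = word
                break
    return found, evaluations


def seconds_to_exhaust(keyspace: int, iterations: int = 1, rate: float = HASHCAT_RATE) -> float:
    """Time for a cracker doing `rate` hash rounds per second to try every candidate.

    Simplification: one MD5 round is costed the same as one SHA-256 round.
    """
    return keyspace * iterations / rate


if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("alice/bob hashes identical, unsalted:", unsalted["alice"] == unsalted["bob"])
    print("alice/bob hashes identical, salted:  ", salted["alice"] == salted["bob"])
    print("unsalted SHA-256 (found, evaluations):", crack_unsalted(unsalted, WORDLIST))
    print("salted 1000 x MD5 (found, evaluations):", crack_salted(salted, WORDLIST))
    # Every 8-character lowercase password at the post's quoted rate:
    print("8 lowercase chars, 1 x SHA-256: %.0f s" % seconds_to_exhaust(26 ** 8))
    print("8 lowercase chars, 1000 x MD5:  %.0f s" % seconds_to_exhaust(26 ** 8, ITERATIONS))
```

Running the script shows the two points the post makes: in the unsalted store alice and bob get the same hash, so four hash computations crack both of them together, while the salted store needs every guess recomputed per user at 1000 rounds each, and the same keyspace that falls in about 75 seconds under the single-round scheme takes roughly a thousand times longer under the iterated one.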

Cisco is reported to have acknowledged the issue and stated that the adoption of the lower-security method was forced by certain implementation problems.

Hopefully Cisco is working on setting the weakness right.

Refer details here:


Delhi High Court Decision hurts Digital Media

The Delhi High Court has recently held that “dissemination of ball by ball information of a cricket match” is not included in “Press Freedom”. In a strange decision, the Court has held that the press should confine itself to reporting only after 15 minutes.

Report

The order grants “A limited interim injunction restraining the defendants from disseminating contemporaneous match information in the form of ball-by-ball or minute-by-minute score updates/match alerts for a premium, without obtaining a license from the plaintiff”

However “There shall be no restriction upon the defendants to report noteworthy information or news from cricket matches as and when they arise, because stale news is no news.”

Also, “There shall be no requirement for the license if the defendants do it gratuitously or after a time lag of 15 minutes”

The judgement also has many other debatable decisions such as distinguishing the rights of the “Free” vs “Premium” recipients of information.

According to observers, STAR has already issued notices to service providers as if it had “Absolute Rights” rather than the limited 15-minute right.

The decision is a setback for “Press Freedom”, and in particular for digital media such as SMS, blogging, etc., and needs a serious review.

Copy of Judgement

Naavi


Brazilian doctors expose the vulnerability in biometric systems

According to a report from Brazil, five doctors at a hospital in Sao Paulo were discovered to have used bogus silicone fingers to record the presence of some of their friends. It is estimated that around 300 bogus doctors were being marked present at the hospital through such methods.

The incident also reveals that ordinary fingerprint scanners which do not detect a pulse or do not scan “below the skin level” are vulnerable to this type of attack.

It is stated that the biometric scanners used and approved by the UIDAI in India are “Touch Scanners”, which are susceptible to this kind of attack.

It is also known that even those scanners which read the fingerprint along with additional features, such as temperature, to detect whether the print comes from a live person can be fooled. More details are available here

Naavi


Payment authentication through missed calls?

A new system of online payment authentication through “missed calls” has been launched by a company in India and is being suggested as a two-factor authentication system that is better than the OTP system now in use.

According to NetCore, the company proposing this service, “spoofing of number” is easy in an SMS system but not in the missed-call system.

See details here

However, security experts do not agree with the company’s view that the system is any more secure than the OTP system. They point out that with services such as Skype calls, it is easy to send a missed call without access to the telco network. The company’s claim therefore appears to be incorrect.

It is also to be reiterated that there is no legal support in India for authenticating an electronic transaction except through some form of digital/electronic signature. Any other method is “ultra vires” the law and requires an undertaking from the service provider, such as the bank, that any loss arising out of a failure of the authentication will be borne by that service provider. Any marketing that suppresses this fact in its disclosure would amount to a fraud.

Naavi
