LUCKNOW: In an effort to tighten noose around cyber criminals, the district police recently organised a slide-show presentation in which a private software firm displayed biometric technology tools to control this growing menace. Around 150 cyber cafe owners were also present at the presentation.
Titled 'Cyber Cafe Monitoring System (CCMS)', the technology comprises of a biometric system for recording fingerprints of persons who use a workstation. This potent system has some other features like facility to take live snapshots, public IP address and MAC address (used to keep record of computer systems used in a crime).
According to the firm's director Anuj Kacker, who displayed the technology in front of cyber cafe owners, it will have a US-made thumb scanner device for recording fingerprints of a user. The software will also record photographs along with the name and others details of the user.
However, in a survey of some cyber cafes in the city it came to light that small owners were apprehensive of the technology. Talking to TOI, Rajendra, a cyber cafe owner in Aliganj, said, "if we use this technology we will be under constant watch of the cops as the main server of the system will be connected to that of the cops."
A Hazratganj cyber cafe owner was bold enough to admit that since most of the people who visit his cafe surf pornographic websites, adopting the technology will hit his business and "intrude into the privacy of the user".
Allaying fears, Anuj told TOI that the technology will not record the content of the website or an email. "It will only record the public IP address. The police will only intervene if it comes to light that a crime has been committed on a particular IP," he added.
Anuj added that since cyber cafe owners were not aware about the technology and its use, the firm was planning to conduct regular such presentations. According to Anuj, the software is designed in such a manner that the data base will be recorded for a period of two months. In case a cyber crime is committed using a particular computer system, and it comes to the knowledge of cops, a tracker will be put on the user's name and if on any later date the culprit again uses any other computer system attached to the CCMS main server with the police, his identity will be revealed.
Talking to TOI, senior superintendent of police (SSP) Akhil Kumar said, "it is solely at the discretion of the cyber cafe owners to use this technology or use close-circuit television cameras for maintaining a record. The technology is in no way being endorsed by the district police but it is a good system that will help in controlling cyber crime in a big way." The SSP also assured that if a cyber cafe owner adopts CCMS, police will only intervene in case of complaint lodged for a crime.
The news system will alert police officials of a particular area where a cafe is situated within seconds of any violation and display a status column which will define whether a particular computer system is being used or not by the culprit.
The technology will cost Rs 6,800 along with an additional charge of Rs 200 for the services. According to the technology providers, the cost is less when compared to installing close circuit television cameras (CCTVs) which cost around Rs 14,000 per unit.
So far six cyber cafes out of a total of 3,000 in the city have installed the system and according to Anuj, another 35 proposals are in the pipeline
Wednesday, July 16, 2008
Five Things Kevin Mitnick Knows About Security - PCworld.com - 15 Jul 2008
Reformed hacker-turned-security-consultant Kevin Mitnick served five years in federal prison for breaking into phone and software company networks. He talks about his past hacking exploits, computer security, and how he turned an illegal hobby into a useful career.
Hacking wasn't always illegal. I started off in what they call "phone phreaking" in the late 70s. This is the same hobby Apple founders Steve Jobs and Steve Wozniak had. At this time, 1978, there were no laws against hacking. The first law that criminalized hacking was passed in 1980 in California. I was doing this before it was illegal. And my interest was entertainment -- the pursuit of knowledge, challenge and the trophy of the stolen information. There was no motive for money or malicious intent to use, disclose or destroy the data.
Learn the rules before you play the game. I knew hacking was sneaky when I started, but I didn't think it would get me into trouble. Back in my day, they didn't teach us about ethics in respect to hacking or using computers. Now, I tell kids to not follow in my footsteps. As computers become more accessible, there are more ethical ways to learn about computer security. Plus, there are laws now.
Not everyone takes security seriously. I've been testing a company -- a financial institution -- and they are governed by Sarbanes-Oxley and other regulations. I've done their security assessments for the last four years and each time I get in the same way. It's surprising that these companies do security audits to find their vulnerabilities but don't do much about them. They are required by law to do the audits so you'd think the auditors would require them to fix the issues, but in a lot of cases they don't.
Use your powers for good, not evil. When I was released from custody in 2000, the U.S. government asked for my help. U.S. senators Fred Thompson and Joseph Lieberman invited me to testify before Congress about the government's computer security vulnerabilities. Once the restrictions of my release were up, I went into full-fledged security work, such as training, security assessments and product evaluations. It's a reversal of fortune. Before, I was doing something exciting -- but it was unauthorized and illegal. Now, I do the same thing that got me in trouble, except I do it with authorization. Clients hand me their network and tell me to break in so they can fix security vulnerabilities. To me, it's the same act but it helps my clients and it's legal and ethical, so it's a win-win situation. It's interesting that you can take a criminal activity like hacking and make it into a legitimate enterprise. I can't think of any other illegal activity you can do that with.
Even hackers get hacked. Attackers found a way onto my Web server. However, my website is hosted by a third-party hosting company, so when my site gets hacked it's the hosting service's security shortcomings, not my own. Of course it's embarrassing and I don't like it. Fortunately, I don't have any proprietary information on my public-facing servers. The downside is that people think my company was hacked, but it was really this hosting company's network and not my own site that was breached.
By Jarina D'Auria, CIO.com
Hacking wasn't always illegal. I started off in what they call "phone phreaking" in the late 70s. This is the same hobby Apple founders Steve Jobs and Steve Wozniak had. At this time, 1978, there were no laws against hacking. The first law that criminalized hacking was passed in 1980 in California. I was doing this before it was illegal. And my interest was entertainment -- the pursuit of knowledge, challenge and the trophy of the stolen information. There was no motive for money or malicious intent to use, disclose or destroy the data.
Learn the rules before you play the game. I knew hacking was sneaky when I started, but I didn't think it would get me into trouble. Back in my day, they didn't teach us about ethics in respect to hacking or using computers. Now, I tell kids to not follow in my footsteps. As computers become more accessible, there are more ethical ways to learn about computer security. Plus, there are laws now.
Not everyone takes security seriously. I've been testing a company -- a financial institution -- and they are governed by Sarbanes-Oxley and other regulations. I've done their security assessments for the last four years and each time I get in the same way. It's surprising that these companies do security audits to find their vulnerabilities but don't do much about them. They are required by law to do the audits so you'd think the auditors would require them to fix the issues, but in a lot of cases they don't.
Use your powers for good, not evil. When I was released from custody in 2000, the U.S. government asked for my help. U.S. senators Fred Thompson and Joseph Lieberman invited me to testify before Congress about the government's computer security vulnerabilities. Once the restrictions of my release were up, I went into full-fledged security work, such as training, security assessments and product evaluations. It's a reversal of fortune. Before, I was doing something exciting -- but it was unauthorized and illegal. Now, I do the same thing that got me in trouble, except I do it with authorization. Clients hand me their network and tell me to break in so they can fix security vulnerabilities. To me, it's the same act but it helps my clients and it's legal and ethical, so it's a win-win situation. It's interesting that you can take a criminal activity like hacking and make it into a legitimate enterprise. I can't think of any other illegal activity you can do that with.
Even hackers get hacked. Attackers found a way onto my Web server. However, my website is hosted by a third-party hosting company, so when my site gets hacked it's the hosting service's security shortcomings, not my own. Of course it's embarrassing and I don't like it. Fortunately, I don't have any proprietary information on my public-facing servers. The downside is that people think my company was hacked, but it was really this hosting company's network and not my own site that was breached.
By Jarina D'Auria, CIO.com
Researchers Trace Structure of Cybercrime Gangs - PC World.com - 15 Jul 2008
The chain of command of a cybercrime gang is not unlike the Mafia, an evolution that shows how online crime is becoming a broad, well-organized endeavor.
The latest research from Web security company Finjan, released on Tuesday, outlines a pyramid of hackers, data sellers, managers and malicious programmers, all working in a fluid management structure in order to profit from cybercrime.
Finjan researchers joined forums where credit card details and other data is sold, knowns as "carding sites." They impersonated interested data buyers while collecting intelligence on the operations' management hierarchy, said Yuval Ben-Itzhak, Finjan's CTO.
"We kind of had a feeling that something had changed there," Ben-Itzhak said. "There is something even more organized there."
When a person's credit card details are stolen, the details are sold on the carding Web sites, where salespeople offer a menu of available information. Those salespeople don't exploit the data they possess but rather seek to sell it to someone who does. Those salespeople also aren't responsible for the hacking.
The data is supplied by affiliate networks, or groups of hackers who get paid to infect machines with malicious software and steal data. Those networks often have a campaign manager, someone who oversees a particular set of attacks.
At the top of the hierarchy are the boss and his deputy, who handle the distribution of crimeware kits used for hacking. The boss doesn't engage in hacking and acts as an administrator for all of the activity.
Finjan's map of the cybercrime gang comes from chatting with data sellers on ICQ and asking them where the data originates, Ben-Itzhak said. ICQ was one of the first instant messaging programs. Participants are often only know by a number.
"We managed to build up trust," Ben-Itzhak said. "Of course, they don't know we are from Finjan."
Sellers offered "dumps" or batches of credit card numbers: MasterCard Standard and Visa Classic card numbers and security codes go for $15 each, with Visa Gold or Corporate details going for up to $90.
Data often comes with a guarantee, with many data sellers offering to replace cards that don't work or are reported as stolen. But Finjan and other security vendors have said that the price of a credit card number has been falling as the market as the amount of sensitive data on the market has increased.
Finjan broke off contact with the data sellers and hasn't reported it to the authorities, although Finjan does report if researchers come across servers where the stolen data is stored, as the company revealed last month.
The company doesn't have much of an idea where the cybercriminals are physically located. The touch-and-go game on instant messenger is one way to gain intelligence: "It's really about knowing your enemy," Ben-Itzhak said.
By Jeremy Kirk
The latest research from Web security company Finjan, released on Tuesday, outlines a pyramid of hackers, data sellers, managers and malicious programmers, all working in a fluid management structure in order to profit from cybercrime.
Finjan researchers joined forums where credit card details and other data is sold, knowns as "carding sites." They impersonated interested data buyers while collecting intelligence on the operations' management hierarchy, said Yuval Ben-Itzhak, Finjan's CTO.
"We kind of had a feeling that something had changed there," Ben-Itzhak said. "There is something even more organized there."
When a person's credit card details are stolen, the details are sold on the carding Web sites, where salespeople offer a menu of available information. Those salespeople don't exploit the data they possess but rather seek to sell it to someone who does. Those salespeople also aren't responsible for the hacking.
The data is supplied by affiliate networks, or groups of hackers who get paid to infect machines with malicious software and steal data. Those networks often have a campaign manager, someone who oversees a particular set of attacks.
At the top of the hierarchy are the boss and his deputy, who handle the distribution of crimeware kits used for hacking. The boss doesn't engage in hacking and acts as an administrator for all of the activity.
Finjan's map of the cybercrime gang comes from chatting with data sellers on ICQ and asking them where the data originates, Ben-Itzhak said. ICQ was one of the first instant messaging programs. Participants are often only know by a number.
"We managed to build up trust," Ben-Itzhak said. "Of course, they don't know we are from Finjan."
Sellers offered "dumps" or batches of credit card numbers: MasterCard Standard and Visa Classic card numbers and security codes go for $15 each, with Visa Gold or Corporate details going for up to $90.
Data often comes with a guarantee, with many data sellers offering to replace cards that don't work or are reported as stolen. But Finjan and other security vendors have said that the price of a credit card number has been falling as the market as the amount of sensitive data on the market has increased.
Finjan broke off contact with the data sellers and hasn't reported it to the authorities, although Finjan does report if researchers come across servers where the stolen data is stored, as the company revealed last month.
The company doesn't have much of an idea where the cybercriminals are physically located. The touch-and-go game on instant messenger is one way to gain intelligence: "It's really about knowing your enemy," Ben-Itzhak said.
By Jeremy Kirk
Police may offer 18-year-old computer hacker a job - Telegraph.co.uk - 15 Jul 2008
New Zealand police are so impressed by the skills of a teenager at the centre of a global credit card scam worth millions of pounds that they are considering offering him a job fighting cyber-crime.
In a surprising development, Owen Thor Walker, 18, who used the online name 'Akill', was discharged without conviction in the High Court at Hamilton after admitting his role in a sophisticated operation by a worldwide group of criminals calling themselves the 'A-Team'.
Detectives were astonished last November when, at the culmination of a year-long investigation involving the FBI and authorities in the Netherlands, they discovered that the 'mastermind' they were seeking was Walker, who was using a computer in his bedroom in the small rural town of Whitianga.
They described him as a 'botherder', the controller of a 'botnet' in which more than a million computers around the world were infected with a virus that gave him control over them.
Software he designed and sold to the criminal gang allowed members to steal user names and passwords, as well as credit card details.
The FBI estimated the combined economic losses from the 'skimming' activities and damage caused to computer systems by the group at more than $20 million (£10 million).
The crime came to light after one attack caused computers to crash at the University of Pennsylvania in 2006.
In court yesterday, Walker, who has Asperger's syndrome, a mild form of autism, smiled as he heard the prosecution describe how international investigators considered his programming to be 'amongst the most advanced' they had encountered.
Judge Judith Potter described him as a young man with a bright future and ordered him to pay damages and costs of £5,500, but did not record a conviction.
She said that Walker was immature and unable to set proper boundaries for himself in relation to his 'undoubted expertise' in computers.
If he had been convicted, he could have faced five years' imprisonment on each of the charges.
Both the prosecution and defence counsels said in court that police were interested in talking to him about a job 'on the right side of the law'.
Detective Inspector Peter Devoy said that while 'there is no offer on the table, the option is being kept open'.
Maarten Kleintjes, head of the police e-crime laboratory, said the self-taught Walker had a unique ability and was 'at the top of his field'.
Outside the court, Walker, who is also being headhunted by several computer programming companies, said he would be very interested in putting his skills to use for the police.
By Paul Chapman
In a surprising development, Owen Thor Walker, 18, who used the online name 'Akill', was discharged without conviction in the High Court at Hamilton after admitting his role in a sophisticated operation by a worldwide group of criminals calling themselves the 'A-Team'.
Detectives were astonished last November when, at the culmination of a year-long investigation involving the FBI and authorities in the Netherlands, they discovered that the 'mastermind' they were seeking was Walker, who was using a computer in his bedroom in the small rural town of Whitianga.
They described him as a 'botherder', the controller of a 'botnet' in which more than a million computers around the world were infected with a virus that gave him control over them.
Software he designed and sold to the criminal gang allowed members to steal user names and passwords, as well as credit card details.
The FBI estimated the combined economic losses from the 'skimming' activities and damage caused to computer systems by the group at more than $20 million (£10 million).
The crime came to light after one attack caused computers to crash at the University of Pennsylvania in 2006.
In court yesterday, Walker, who has Asperger's syndrome, a mild form of autism, smiled as he heard the prosecution describe how international investigators considered his programming to be 'amongst the most advanced' they had encountered.
Judge Judith Potter described him as a young man with a bright future and ordered him to pay damages and costs of £5,500, but did not record a conviction.
She said that Walker was immature and unable to set proper boundaries for himself in relation to his 'undoubted expertise' in computers.
If he had been convicted, he could have faced five years' imprisonment on each of the charges.
Both the prosecution and defence counsels said in court that police were interested in talking to him about a job 'on the right side of the law'.
Detective Inspector Peter Devoy said that while 'there is no offer on the table, the option is being kept open'.
Maarten Kleintjes, head of the police e-crime laboratory, said the self-taught Walker had a unique ability and was 'at the top of his field'.
Outside the court, Walker, who is also being headhunted by several computer programming companies, said he would be very interested in putting his skills to use for the police.
By Paul Chapman
Banks should be liable for e-fraud - vnunet.com - 11 Jul 2008
A House of Lords committee has called on the government to make banks, not customers, legally liable for internet fraud.
The House of Lords Science and Technology Committee called for legislation to force banks to cover customer losses incurred through e-crimes in its follow-up report into personal internet security published in August 2007.
The report claims that, under the current system, banks often deny liability for password and Pin fraud, claiming customer negligence or even complicity in the fraud.
"We reiterate our strongly held view that the current reporting sequence is wholly unsatisfactory and that it risks undermining public trust in the police and the internet," says the report.
The committee also recommended that victims of cyber-crime should be able to report incidents directly to the police, reversing the current process which requires them to report incidents to their bank.
The peers also called for a data breach notification law that would require organisations publicly to acknowledge breaches when customer security has been compromised.
The report acknowledged recent proactive moves in terms of protecting UK citizens from online crime, following the government's embarrassing data breaches.
"A level of indifference on the part of the government has now been dispelled only as a result of recent incidents involving serious losses of personal data, " the report said.
The call was backed by Bill Beverley, security technology sales manager at F5 Networks.
"If people were to adopt best practices, many of these data breaches would not have occurred," he told vnunet.com.
Beverley believes that this move would "add some teeth to the legislation" and help spur complacent companies into action when it comes to the protection of data and the liabilities involved when breaches occur.
He added that it is imperative that government agencies are held to the same standards at private companies.
by Guy Dixon and Ian Williams
The House of Lords Science and Technology Committee called for legislation to force banks to cover customer losses incurred through e-crimes in its follow-up report into personal internet security published in August 2007.
The report claims that, under the current system, banks often deny liability for password and Pin fraud, claiming customer negligence or even complicity in the fraud.
"We reiterate our strongly held view that the current reporting sequence is wholly unsatisfactory and that it risks undermining public trust in the police and the internet," says the report.
The committee also recommended that victims of cyber-crime should be able to report incidents directly to the police, reversing the current process which requires them to report incidents to their bank.
The peers also called for a data breach notification law that would require organisations publicly to acknowledge breaches when customer security has been compromised.
The report acknowledged recent proactive moves in terms of protecting UK citizens from online crime, following the government's embarrassing data breaches.
"A level of indifference on the part of the government has now been dispelled only as a result of recent incidents involving serious losses of personal data, " the report said.
The call was backed by Bill Beverley, security technology sales manager at F5 Networks.
"If people were to adopt best practices, many of these data breaches would not have occurred," he told vnunet.com.
Beverley believes that this move would "add some teeth to the legislation" and help spur complacent companies into action when it comes to the protection of data and the liabilities involved when breaches occur.
He added that it is imperative that government agencies are held to the same standards at private companies.
by Guy Dixon and Ian Williams
2 Malaysians Nabbed For Credit Card Fraud In Bangkok
Thursday for credit card fraud in the latest incident involving Malaysians.
Hua Mark district police chief Vatana Ejin said the suspects, aged 31 and 33, reportedly told police they were part of a group headed by a China national who was detained by police last week.
The man's five accomplices were also picked up.
Vatana said the duo were nabbed after a commercial bank reported that they used fake credit cards to carry out transactions at several shopping complexes here.
"Following information from the public, we traced one of them shopping at a mall in Ramkamheang area and another one in Ekkamai," he told a press conference Friday.
According to Vatana, the duo told investigators that the China national had given them fake credit cards and fake passports to go shopping for expensive items like mobile phones, electrical products, whisky and cigarettes.
Prior to their arrest, one of them was shopping for a mobile phone worth 11,900 baht (about RM1,200) while his colleague was buying some products worth 50,000 baht (about RM5,000).
Vatana said the duo had continued their activities even after the arrest of their accomplices, adding that investigations revealed each group member received a five per cent commission from the total value of the products they had bought.
Last year and early this year, several Malaysians were arrested by Thai police for using fake credit cards to buy goods at popular shopping malls in the capital.
In one case, a Malaysian was caught stealing credit card information from a local bank here.
In April, three Malaysians, including a woman, were charged in a Thai court for using forged credit cards to buy air tickets to Athens, Greece and Kuala Lumpur.
Due to the rampant credit card cases involving Malaysians, banks have tightened procedures, including asking Thailand-based Malaysian businessmen to change their credit cards upon returning from their homeland.
Hua Mark district police chief Vatana Ejin said the suspects, aged 31 and 33, reportedly told police they were part of a group headed by a China national who was detained by police last week.
The man's five accomplices were also picked up.
Vatana said the duo were nabbed after a commercial bank reported that they used fake credit cards to carry out transactions at several shopping complexes here.
"Following information from the public, we traced one of them shopping at a mall in Ramkamheang area and another one in Ekkamai," he told a press conference Friday.
According to Vatana, the duo told investigators that the China national had given them fake credit cards and fake passports to go shopping for expensive items like mobile phones, electrical products, whisky and cigarettes.
Prior to their arrest, one of them was shopping for a mobile phone worth 11,900 baht (about RM1,200) while his colleague was buying some products worth 50,000 baht (about RM5,000).
Vatana said the duo had continued their activities even after the arrest of their accomplices, adding that investigations revealed each group member received a five per cent commission from the total value of the products they had bought.
Last year and early this year, several Malaysians were arrested by Thai police for using fake credit cards to buy goods at popular shopping malls in the capital.
In one case, a Malaysian was caught stealing credit card information from a local bank here.
In April, three Malaysians, including a woman, were charged in a Thai court for using forged credit cards to buy air tickets to Athens, Greece and Kuala Lumpur.
Due to the rampant credit card cases involving Malaysians, banks have tightened procedures, including asking Thailand-based Malaysian businessmen to change their credit cards upon returning from their homeland.
Europol busts European credit card scam - focus-fen.net – 12 Jul 2008
The Hague. Officials bust a European syndicate Friday responsible for the large-scale forgery of credit cards, arresting five people in Italy and two in Greece, policing agency Europol said, AFP reported.
"The perpetrators skimmed and cloned credit cards, originating from countries all over Europe," it said in a statement.
"The data was then utilisedproduce counterfeit payment cards which were subsequently used for illegal cash withdrawals and payments in Greece and Italy."
The syndicate is believed to have siphoned off more than one million euros (1.5 million dollars), said the statement.
Investigators dismantled a counterfeit card production site in the Italian city of Livorno.
"The operation can be considered as a great success since this significant criminal group, producing and using counterfeit payment cards, was disrupted from the bottom up," said Europol director Max-Peter Ratzel.
The operation, dubbed "Plastik", was carried out by Italian policing agencies and Europol.
"The perpetrators skimmed and cloned credit cards, originating from countries all over Europe," it said in a statement.
"The data was then utilisedproduce counterfeit payment cards which were subsequently used for illegal cash withdrawals and payments in Greece and Italy."
The syndicate is believed to have siphoned off more than one million euros (1.5 million dollars), said the statement.
Investigators dismantled a counterfeit card production site in the Italian city of Livorno.
"The operation can be considered as a great success since this significant criminal group, producing and using counterfeit payment cards, was disrupted from the bottom up," said Europol director Max-Peter Ratzel.
The operation, dubbed "Plastik", was carried out by Italian policing agencies and Europol.
Subscribe to:
Posts (Atom)