This case study combines two attacks: a password attack followed by a phishing attack. Password attacks are among the most common attacks because of a general lack of awareness about cyber security. Technology is growing rapidly, but a large part of society still does not know how to use it securely. In this case study the attacker first performs a password attack to gain access to an email account and then uses that account to carry out a phishing attack.
The incident happened at a well-known academic institution. Users reported receiving emails from a very senior, high-profile person that carried a malicious executable attachment. On investigation it was found that the senior person had not sent any such emails, which pointed to a compromise of his credentials. During the investigation the "Last account activity" page of his Gmail account was reviewed; it lists the last ten logins to the account with their location, IP address, access type and time. From these particulars the most recent logins were identified as suspicious. The attack was therefore a crime against individuals: it targeted the users in the person's address book in order to obtain their data, including personal details, banking information and login credentials. The motive was to steal those users' credentials and then conduct further targeted social engineering attacks against the affected people. The attacker was an insider from the organisation itself, who misused the senior person's email address to steal other users' credentials. The attacker had two goals: defaming the senior employee, against whom he held a personal grudge, and misusing the users' credentials.
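The investigation above relied on reading the account's login history by eye. The following Python script, added here as an illustration and not part of the original case study, automates that check over records shaped like Gmail's "Last account activity" table: it compares each recent login with the owner's normal pattern and flags a new location, a new access type, a new source network, and "impossible travel" (two logins too far apart to have been made by one person). The login records, the coordinates of the two cities and the 1,000 km/h speed threshold are all constructed for the example.

```python
import math
from datetime import datetime, timezone

# Constructed records in the shape of the "Last account activity" table:
# (time, access type, IP address, location). The baseline is the owner's normal pattern.
BASELINE_LOGINS = [
    ("2019-05-08T09:02:00Z", "Browser", "49.32.10.5",  "Mumbai, India"),
    ("2019-05-08T18:30:00Z", "Mobile",  "49.32.77.19", "Mumbai, India"),
    ("2019-05-09T08:55:00Z", "Browser", "49.32.10.5",  "Mumbai, India"),
]
RECENT_LOGINS = [
    ("2019-05-10T09:00:00Z", "Browser", "49.32.10.5",   "Mumbai, India"),
    ("2019-05-10T09:40:00Z", "IMAP",    "197.210.44.3", "Lagos, Nigeria"),
    ("2019-05-11T08:30:00Z", "Browser", "49.32.10.5",   "Mumbai, India"),
]
# Assumed coordinates for the locations above (constructed lookup; a real tool would geolocate the IP).
COORDS = {"Mumbai, India": (19.0760, 72.8777), "Lagos, Nigeria": (6.5244, 3.3792)}
MAX_SPEED_KMH = 1000   # assumption: no legitimate user moves faster than an airliner between logins


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))


def prefix24(ip):
    """Collapse an IPv4 address to its /24 so that DHCP churn inside one network is not 'new'."""
    return ".".join(ip.split(".")[:3])


def analyze(recent, baseline, max_speed_kmh=MAX_SPEED_KMH):
    """Return one finding per recent login: {'login', 'suspicious', 'reasons'}."""
    known_locations = {loc for _, _, _, loc in baseline}
    known_types = {t for _, t, _, _ in baseline}
    known_nets = {prefix24(ip) for _, _, ip, _ in baseline}
    findings = []
    prev = max(baseline)                 # latest baseline login (ISO timestamps sort as strings)
    for login in sorted(recent):
        ts, access, ip, loc = login
        reasons = []
        if loc not in known_locations:
            reasons.append(f"new location {loc}")
        if access not in known_types:
            reasons.append(f"new access type {access}")
        if prefix24(ip) not in known_nets:
            reasons.append(f"new network {prefix24(ip)}.0/24")
        # Impossible travel: distance from the previous login divided by the time since it.
        pts, _, _, ploc = prev
        hours = (parse_ts(ts) - parse_ts(pts)).total_seconds() / 3600
        km = haversine_km(COORDS[loc], COORDS[ploc])
        if hours > 0 and km / hours > max_speed_kmh:
            reasons.append(f"impossible travel: {km:.0f} km from {ploc} in {hours:.1f} h")
        findings.append({"login": login, "suspicious": bool(reasons), "reasons": reasons})
        prev = login
    return findings


if __name__ == "__main__":
    for f in analyze(RECENT_LOGINS, BASELINE_LOGINS):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(flag, f["login"], "; ".join(f["reasons"]))
```

In the constructed data the IMAP login from Lagos forty minutes after a browser login from Mumbai trips all four checks at once; the next morning's Mumbai login is clean because twenty-three hours is enough time to fly back. A new access type such as IMAP or POP is worth weighting heavily on its own, since it is how an attacker quietly downloads a mailbox and its address book.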
The incident was possible because of a common type of vulnerability: a weak password. Figure 1.1 shows the different stages of the attack in the present case study.
The case study shows the need to spread more awareness of end-user best practices, specifically the use of strong passwords and of stronger authentication on the account (such as two-step verification), which any ordinary user can set up.
This article was written by Ms. Sampada Margaj, member of the Digital Security Program, as part of the monthly assignment for May 2019. It was selected as the best article of the month. Sampada is Assistant Professor of Computer Science at Kitti College, Dadar, Mumbai.
Yet another four-letter buzzword is charming industry in general and the Information Technology industry in particular. The latest four-letter thrill is called GDPR (General Data Protection Regulation).
In response to drastic changes in technology, the European Union has introduced a new data privacy law: the European regulation for data protection, the GDPR.
The GDPR replaces the current Data Protection Directive 95/46/EC. It also replaces the EU member states' national data protection legislation that implemented the Directive, such as the UK's Data Protection Act 1998.
GDPR is the most important change in data privacy law in many years. Unlike the earlier data protection law, it is not a Directive but a Regulation: it applies directly in every member state without needing national implementing legislation.
What is the main purpose of GDPR?
To protect European Union data subjects (individuals whose data is captured by organisations) and give them rights over that data.
To give regulatory authorities the power to take action against companies that breach the regulation. In the digital economy it should be no surprise that these rules also apply to global enterprises outside the EU.
Core Value of GDPR
GDPR builds on the existing data protection principles; those principles set out the main responsibilities of organisations.
Who will follow & implement GDPR?
Any company (EU or foreign) that processes the personal data of individuals in the European Union must adhere to the regulation, regardless of where the company is located. For non-EU businesses processing the data of individuals in the EU, this generally includes the requirement to appoint a representative in the EU (Article 27).
Organisations with fewer than 250 employees are not exempt from the GDPR as a whole; they are exempt only from the Article 30 obligation to keep records of processing, and even that exemption does not apply if their processing is likely to result in a risk to individuals, is not occasional, or includes special categories of data or personal data relating to criminal convictions and offences.
GDPR Article 37: Designation of the data protection officer (DPO)
Are there any penalties?
Fines of up to 10,000,000 euros or 2% of worldwide annual turnover, whichever is higher, for the lower tier of infringements (Article 83(4)), such as breaches of the obligations of controllers and processors (records of processing, security, breach notification, the DPO and so on).
Fines of up to 20,000,000 euros or 4% of worldwide annual turnover, whichever is higher, for the higher tier (Article 83(5)), such as breaches of the basic principles for processing including the conditions for consent, of data subjects' rights, or of the rules on international transfers.
What is Personal Data?
Definition under the GDPR (Article 4(1)): any information relating to an identified or identifiable natural person, that is, a living individual who can be identified, directly or indirectly, by anyone. Identifiers include an IP address or mobile phone number, and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The earlier definition under the DPA was narrower:
Personal data under the Data Protection Act 1998 (DPA 1998): data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of,
What is a personal data breach under the GDPR? Article 4(12) defines it as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
What happens in case of a data breach?
In the case of a personal data breach, the data controller must notify the supervisory authority (SA) without undue delay and, where feasible, not later than 72 hours after becoming aware of it (Article 33). If notification is not made within 72 hours, it must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay (Article 34).
Under the current Privacy and Electronic Communications Regulations (PECR), all company email addresses are treated as "opt out": you can send marketing email to a company address without prior permission, provided you include an option to unsubscribe.
Under the new regulation this will no longer be the case. Consent must be explicit, so you must be able to prove that the customer agreed to receive the emails (by a positive action such as ticking a box, not merely a disclaimer).
Going forward, individuals will have the right to erasure, the "right to be forgotten". Where it applies, it is no longer enough to mark the contact as "do not contact" in your CRM database; the personal details themselves will have to be deleted.
GDPR is on the way. We have to be ready now!
While there are still 11 months before the grace period expires, organisations need to start taking action now, or they may well find themselves without enough time to take all the steps required.
Sources: Google.co.in, EU GDPR journal, Seminar on GDPR
Introduction to Blockchain
Blockchain is a decentralised, distributed database (ledger). It is distributed because there is no single repository held or owned by one party (whether a user or a miner): every participant keeps its own copy of the committed blocks of transactions. A blockchain is not a drop box for transactions; it is a ledger of hashed records of an asset, each tagged to its latest owner, with the transactions forming the trail of quantity and changes of ownership since the asset was first introduced on the blockchain.
Blockchains can be applied to any concept that needs a tamper-evident record for its maintenance and management; "Blockchain 3.0" is the term used for the current generation of platforms. Applications in the financial domain include cryptocurrency (most famously Bitcoin), escrow transactions, bonded contracts, smart contracts and intellectual property. One can also conceive of voting rights placed on a political blockchain of a national electorate (the electorate being a vote exchange), or of a physical housing property converted into a hashed digital asset traded on the blockchain of a real-estate exchange; the possibilities are endless. Combined with the advance of IoT, a blockchain is a natural platform for launching smart contracts.
To understand more on Blockchain one needs to understand its building blocks, let’s see one by one:
Unit: a digital representation of a tangible or intangible asset that can be reduced to a hashed value, e.g. a cryptocurrency coin, a vote, digital property or intellectual property.
Transaction: a transfer of some number of units from one owner to another in a single operation.
Block: a batch of validated transactions, together with the hash of the previous block.
Blockchain: the chain of blocks, each linked to its predecessor by its hash, which makes past blocks practically irreversible (the ledger).
Miners: nodes that validate transactions, assemble them into a block and append that block to the chain.
The next question is how transactions are executed on the blockchain. Assume two parties A and B want to exchange a certain number of units (say a cryptocurrency unit such as Bitcoin). Both must be on the same blockchain network and application, but on separate nodes (computers); a common platform is needed for the transfer and for the request/response protocol. To execute a transaction both need keys: randomly generated secret values that must be kept confidential. These are normally public/private key pairs rather than shared session keys. The public key (or an address derived by hashing it) identifies a party, and the private key is used to sign transactions; in practice a fresh address is often generated for each transaction to make tracing harder. "A" (the initiator, with address N) signs a transaction transferring a number of units to address M. "B" (the receiver) does not need to sign to receive the units; his private key is what lets him spend them later. At this point the transaction has been created but not yet validated. It flows into the distributed network and waits in the miners' queues (the mempool) for validation; once validated it is packed with other transactions into a block, and that block is chained to the previous block by including the previous block's hash in its header. Blocks are produced at a roughly fixed interval (in Bitcoin about every ten minutes), so the transactions validated during that interval form the next block. The new block is replicated to every full node of the network, including A, B and the miner who produced it, so that none of them can later deny the transaction; this replication is what settles any dispute between the parties. The chain is the complete trail of quantity and ownership tags of each unit.
During the transaction A and B are pseudonymous rather than anonymous: they are identified only by their addresses, and the private key cannot be derived from the public key or address because the keys are generated with well-studied, standardised algorithms. The transaction history itself is public, however, so anyone who can link an address to a person can trace every transaction of that address.
Miners exist in public blockchains (such as Bitcoin). They validate transactions and assemble them into a block, but the network accepts the block only once the miner has completed its proof of work: a computationally expensive puzzle (finding a nonce such that the block's hash falls below a target) that takes enormous processing power and time. Becoming a miner is a large investment. Why do it? For each block it produces the miner is rewarded with newly created units plus the fees attached to the transactions in that block. Exchanges, which buy and sell units (bitcoin) for fiat currency (USD), are separate businesses; trades settled on an exchange's own books rather than on the blockchain are called off-chain transactions.
To recap the layers of a blockchain: units are transferred in transactions, transactions are validated and verified by miners and packed into a block, blocks are chained together by hash, and the chain is stored in a decentralised distributed ledger.
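The following Python program, added here as an example and not part of the original article, shows the mechanics described above in miniature: each block commits to the previous block's hash, a miner finds a nonce that satisfies a proof-of-work target, and the chain is validated by recomputing every hash. It then demonstrates why the ledger is "irreversible": altering one historical transaction breaks that block's hash, and re-mining only that block still leaves the next block pointing at the old hash. The transactions, addresses N, M and K, and the very low difficulty of three leading hex zeros are all constructed for the example; no signatures are modelled.

```python
import hashlib
import json
import time

DIFFICULTY = 3   # leading hex zeros required of a block hash (kept low so mining takes milliseconds)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Block:
    def __init__(self, index, previous_hash, transactions, timestamp=None):
        self.index = index
        self.previous_hash = previous_hash
        self.transactions = transactions          # list of {"from": addr, "to": addr, "units": n}
        self.timestamp = timestamp if timestamp is not None else int(time.time())
        self.nonce = 0
        self.hash = None

    def header(self) -> bytes:
        # Everything the block hash commits to: position, link to predecessor, transactions, time, nonce.
        return json.dumps({
            "index": self.index,
            "previous_hash": self.previous_hash,
            "tx_hash": sha256_hex(json.dumps(self.transactions, sort_keys=True).encode()),
            "timestamp": self.timestamp,
            "nonce": self.nonce,
        }, sort_keys=True).encode()

    def compute_hash(self) -> str:
        return sha256_hex(self.header())

    def mine(self, difficulty=DIFFICULTY) -> str:
        # Proof of work: try nonces until the header hash starts with `difficulty` zeros.
        target = "0" * difficulty
        while True:
            h = self.compute_hash()
            if h.startswith(target):
                self.hash = h
                return h
            self.nonce += 1


class Blockchain:
    def __init__(self, difficulty=DIFFICULTY):
        self.difficulty = difficulty
        genesis = Block(0, "0" * 64, [], timestamp=0)   # fixed genesis so every node starts identical
        genesis.mine(difficulty)
        self.chain = [genesis]

    def add_block(self, transactions) -> Block:
        prev = self.chain[-1]
        block = Block(prev.index + 1, prev.hash, transactions)
        block.mine(self.difficulty)
        self.chain.append(block)
        return block

    def is_valid(self) -> bool:
        target = "0" * self.difficulty
        for i, block in enumerate(self.chain):
            if block.hash != block.compute_hash() or not block.hash.startswith(target):
                return False      # contents changed after mining, or proof of work missing
            if i > 0 and block.previous_hash != self.chain[i - 1].hash:
                return False      # link to the predecessor is broken
        return True


def demo():
    """Build a three-block chain, tamper with history, then try to re-mine the tampered block.

    Returns (valid_before, valid_after_tamper, valid_after_remine)."""
    bc = Blockchain()
    bc.add_block([{"from": "N", "to": "M", "units": 5}])   # A (address N) pays B (address M)
    bc.add_block([{"from": "M", "to": "K", "units": 2}])   # B passes some on to K
    before = bc.is_valid()
    bc.chain[1].transactions[0]["units"] = 500             # rewrite history in one copy of the ledger
    after_tamper = bc.is_valid()
    bc.chain[1].mine(bc.difficulty)                        # redo the work for that block only
    after_remine = bc.is_valid()                           # still invalid: block 2 points at the old hash
    return before, after_tamper, after_remine


if __name__ == "__main__":
    print(demo())
```

The third result is the important one for security: to change one old transaction an attacker must re-mine that block and every block after it faster than the rest of the network extends the honest chain, which is what makes the cost of proof of work a defence rather than mere waste.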
There are different types of Blockchain:
Public blockchain: anyone, whether an individual or a group, can join the blockchain to execute transactions or to become a miner. The Bitcoin blockchain is an example.
Permissioned blockchain: a consortium of entities forms the blockchain, and only permissioned or licensed individuals or groups can take part in it. There is no open mining; instead a set of known, trusted nodes validates and authorises transactions, so no proof of work is needed. This is a more controlled network, and in that sense a more secure one; an example is a consortium of banks or financial institutions forming a permissioned blockchain whose parties are legitimate, vetted customers of the banks.
Sidechain (interchain) blockchain: one or more distinct blockchains interlinked so that assets can move between them, forming a more complex system of blockchains.
Enterprise Risk Management
One common mistake people make when the topic of a computer virus arises is to refer to a worm, bot or Trojan horse as a virus. Although the words Trojan, worm and virus are often used interchangeably, they are not the same thing. Viruses, worms and Trojan horses are all malicious programs that can damage your computer, but there are differences among the three, and knowing those differences helps you protect your computer against their effects. The different classes of malicious software are described below.
A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels. Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing denial-of-service (DoS) conditions. Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program. When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after it is infected by the virus. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected e-mail attachments.
Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same kind of damage. In contrast to viruses, which spread by means of an infected host file, worms are standalone software and need neither a host program nor human help to propagate. To spread, worms either exploit a vulnerability on the target system or use some form of social engineering to trick users into executing them. A worm enters a computer through a vulnerability in the system and takes advantage of the system's file-transport or information-transport features, which lets it travel unaided.
A Trojan is another type of malware, named after the wooden horse the Greeks used to infiltrate Troy. It is a harmful piece of software that looks legitimate, and users are typically tricked into loading and executing it on their systems. Once activated, it can carry out any number of attacks on the host, from irritating the user (popping up windows or changing the desktop) to damaging the host (deleting files, stealing data, or activating and spreading other malware such as viruses). Trojans are also known to create back doors that give malicious users access to the system.
Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Trojans must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet.
A botnet is a collection of Internet-connected computers on which malicious components communicate and coordinate their actions through a command and control (C&C) channel, or by passing messages to one another (C&C can be built into the botnet as a peer-to-peer network). Botnets have been used many times to send spam email and to take part in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network, and it is almost always used with a malicious connotation.
Bots can be used for good or for malicious intent. A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) centre for an entire network of compromised devices, the "botnet". With a botnet, attackers can launch broad-based, remote-controlled flood attacks against their targets. In addition to the worm-like ability to self-propagate, bots can log keystrokes, gather passwords, capture and analyse packets, gather financial information, launch DoS attacks, relay spam and open back doors on the infected host. Bots have all the advantages of worms but are generally much more versatile in their infection vector, and are often modified within hours of the publication of a new exploit. They have been known to use back doors opened by worms and viruses, which gives them access to networks that have good perimeter control. Bots rarely announce their presence with high scan rates that strain the network infrastructure; instead they infect networks in a way that escapes immediate notice.
How Bots Work
Bots sneak onto a person’s computer in many ways. Bots often spread themselves across the Internet by searching for vulnerable, unprotected computers to infect. When they find an exposed computer, they quickly infect the machine and then report back to their master. Their goal is then to stay hidden until they are instructed to carry out a task.
After a computer is taken over by a bot, it can be used to carry out a variety of automated tasks, including the following:
Sending: spam, viruses and spyware.
Stealing: personal and private information, sent back to the malicious user, such as credit card numbers, bank credentials and other sensitive personal information.
DoS (denial of service): launching denial-of-service attacks against a specified target. Cybercriminals extort money from web site owners in exchange for regaining control of the compromised sites; more commonly, however, the systems of everyday users are the targets of these attacks, for the simple thrill of the bot herder.
Click fraud: fraudsters use bots to boost web advertising billings by automatically clicking on advertisements.
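The bot behaviour described above (infect, report back to the master, then stay quiet and poll for instructions) leaves a network footprint that is small but unusually regular: the same internal host contacting the same external address at a fixed interval. The following Python script, added here as an example and not part of the original article, illustrates beacon detection over a constructed connection log. It groups outbound connections by source and destination, measures the regularity of the gaps between them (the coefficient of variation, standard deviation divided by mean) and reports pairs that connect often and almost metronomically. The log lines, addresses, and the thresholds of five events and a coefficient of variation of 0.1 are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed connection log: one outbound connection per line.
# 10.0.0.5 beacons every 60 s exactly; 10.0.0.12 beacons with a little jitter;
# 10.0.0.9 is a user browsing (irregular gaps); the last line is a one-off.
SAMPLE_LOG = """\
2019-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.7:443 bytes=312
2019-05-01T10:00:03Z src=10.0.0.9 dst=198.51.100.20:443 bytes=1830
2019-05-01T10:00:05Z src=10.0.0.9 dst=198.51.100.20:443 bytes=920
2019-05-01T10:00:41Z src=10.0.0.9 dst=198.51.100.20:443 bytes=4410
2019-05-01T10:01:00Z src=10.0.0.5 dst=203.0.113.7:443 bytes=312
2019-05-01T10:00:00Z src=10.0.0.12 dst=192.0.2.44:8080 bytes=128
2019-05-01T10:00:59Z src=10.0.0.12 dst=192.0.2.44:8080 bytes=128
2019-05-01T10:02:00Z src=10.0.0.5 dst=203.0.113.7:443 bytes=312
2019-05-01T10:02:00Z src=10.0.0.12 dst=192.0.2.44:8080 bytes=130
2019-05-01T10:02:10Z src=10.0.0.9 dst=198.51.100.20:443 bytes=77
2019-05-01T10:03:00Z src=10.0.0.5 dst=203.0.113.7:443 bytes=312
2019-05-01T10:03:00Z src=10.0.0.12 dst=192.0.2.44:8080 bytes=128
2019-05-01T10:04:00Z src=10.0.0.5 dst=203.0.113.7:443 bytes=312
2019-05-01T10:04:02Z src=10.0.0.12 dst=192.0.2.44:8080 bytes=131
2019-05-01T10:05:00Z src=10.0.0.5 dst=203.0.113.7:443 bytes=312
2019-05-01T10:05:00Z src=10.0.0.12 dst=192.0.2.44:8080 bytes=128
2019-05-01T10:05:55Z src=10.0.0.9 dst=198.51.100.20:443 bytes=6100
2019-05-01T10:06:00Z src=10.0.0.5 dst=203.0.113.7:443 bytes=312
2019-05-01T10:06:02Z src=10.0.0.9 dst=198.51.100.20:443 bytes=220
2019-05-01T10:07:00Z src=10.0.0.5 dst=203.0.113.7:443 bytes=312
2019-05-01T10:07:30Z src=10.0.0.5 dst=198.51.100.20:80 bytes=540
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+bytes=(?P<bytes>\d+)$")


def parse_log(text):
    """Return a list of (timestamp, src, dst, bytes) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["dst"], int(m["bytes"])))
    return events


def find_beacons(events, min_events=5, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-connection gaps are almost constant.

    Returns {(src, dst): {"count", "mean_gap_s", "cv"}} for the flagged pairs."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue                          # too few connections to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean   # 0.0 means perfectly periodic
        if cv <= max_cv:
            flagged[pair] = {"count": len(stamps), "mean_gap_s": mean, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"beacon candidate {src} -> {dst}: {info['count']} connections, "
              f"every {info['mean_gap_s']:.0f} s (cv={info['cv']:.3f})")
```

Real bots add jitter to their sleep interval precisely to defeat this kind of check, which is why the threshold is a tolerance rather than an exact match; on production data you would also look at the uniformity of the payload sizes (the 312-byte check-ins above) and whitelist known periodic traffic such as NTP and update checks before reviewing what is left.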
Best Practices for Combating Viruses, Worms, Trojans, and Bots
The first step in protecting your computer is to keep your operating system up to date, which means regularly applying the most recent patches and fixes recommended by the OS vendor. Secondly, install antivirus software and download its updates frequently, so that it has the latest signatures for new viruses, worms, Trojans and bots. Make sure the antivirus program can scan email and files as they are downloaded from the Internet; this helps stop malicious programs from reaching your computer. You should also consider installing a firewall.
Signaling System No. 7 (SS7), also known as Common Channel Signaling System 7 (CCSS7) or Common Channel Interoffice Signaling 7 (CCIS7), is a set of telephony signaling protocols whose development began in 1975. It allows one telephone network, including mobile networks, to connect to another: the information passed between networks is what is needed to route calls and text messages across them.
SS7 performs out-of-band signaling in support of the call establishment, billing, routing and information exchange functions of the public switched telephone network (PSTN).
When a user accesses the PSTN, he constantly exchanges signaling with network elements; for example, signaling information is exchanged between a mobile user and the telephone network.
Information includes dialing digits, providing dial tone, sending a call-waiting tone, accessing a voice mailbox, etc.
The term out-of-band signaling means signaling that does not take place over the same path as the conversation. The digital channel used to exchange signaling information is called a signaling link. When a call is placed, the dialed digits, the trunk selected and other information are sent between switches over their signaling links, rather than over the trunks that carry the conversation.
Out-of-band signaling has the following advantages:
• It allows more data to be transported, at higher speeds.
• It allows signaling at any time during the conversation, not only at the beginning of the call.
• It enables signaling to network elements to which there is no direct trunk connection.
The SS7 is also used to implement the network roaming when users need to use different network providers.
A hacker with access to the SS7 network can snoop on target users, locate them and transparently forward their calls.
Access to the SS7 network can be obtained through any of the many networks that interconnect with it.
In response to the disclosure of security issues related to the SS7 protocol, telco bodies, and operators, including the GSMA, have introduced monitoring services to prevent intrusions or abuse.
Recently a group of hackers demonstrated how to spy on mobile users using nothing but their phone numbers; as their target they chose a willing US Congressman.
The group is led by the well-known German security expert Karsten Nohl; the researchers showed that they could eavesdrop on the politician and track his location knowing only his phone number.
There is nothing new in the revelation, because the telco community was already aware of the technique: the same team had previously shown how to exploit security flaws in Signalling System No. 7, the SS7 protocol.
An attacker can exploit security issues in the SS7 protocol to spy on private phone calls, record them and monitor the target's movements.
Exactly one year ago, Channel Nine’s 60 Minutes reported the existence of a security hole in modern telecommunication systems that could be exploited by cybercriminals to listen in on phone conversations and read text messages.
Karsten Nohl and his team had already investigated security flaws in the SS7 system back in 2014.
On that occasion, Nohl and his colleagues were able to intercept data and track the location of any mobile user by exploiting a flaw in the SS7 signaling system.
In December 2014, a group of German researchers at the Chaos Communication Hacker Congress revealed the existence of serious security issues in the protocol used by a large number of carriers of mobile telephony. Despite the huge investment in security made by telco companies, the adoption of flawed protocols exposes customers to serious privacy and security risks.
“It’s like you secure the front door of the house, but the back door is wide open,” said Tobias Engel, one of the German researchers.
Figure 1 – Tobias Engel Slides presented at CCC Berlin
What does the network know about your location?
Tobias explained that the network knows the location of the cell tower that could be used to have a pretty good approximation of a user’s location. Despite the access to the information managed by operators is restricted to the technical operation of the network, voice calls, and short messages can be initiated to your phone number from almost anywhere in the global SS7 network.
Figure 2 – Tobias Engel Slides presented at CCC Berlin
Below the presentation made by the expert Tobias Engel:
Attacks relying on these security issues have already happened. One of the major incidents was recorded by the NKRZI (the National Commission for the State Regulation of Communications and Informatization in Ukraine) and involved Russian addresses, back in April 2014.
The regulator found that many Ukrainian mobile subscribers had been targeted by SS7 packets sent from Russia to track them and steal information from their mobile devices.
According to the security firm AdaptiveMobile, which analysed the case, a number of Ukrainian mobile subscribers "were affected by suspicious/custom SS7 packets from telecom network elements with Russian addresses over a three day period in April 2014. The packets were revealing the subscribers location and potentially the contents of their phone calls to be obtained."
A series of SS7 packets sent to MTS Ukraine's SS7 network modified the control information stored in the network switches for several MTS Ukraine mobile users. The effect was that when one of the affected MTS users tried to call someone, the call was forwarded to a physical landline number in St. Petersburg, Russia, allowing the communication to be intercepted.
"In the document, the investigation stated that the custom SS7 packets themselves came from links allocated to MTS Russia, the parent company of MTS Ukraine. The Ukrainian regulator then assigned responsibility for the nodes that generated the SS7 based on the origination addresses in the SS7 packets received. According to the report, some of the SS7 source addresses that originated the attack were assigned to MTS Russia, while others were assigned to Rostov Cellular Communications," stated AdaptiveMobile.
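The monitoring services mentioned earlier work by screening inbound signaling at the interconnect, and the MTS Ukraine incident shows the two signals such screening looks for: a profile-changing message for a home subscriber arriving from a foreign address, and location updates that no real traveller could produce. The following Python script, added here as an illustration and not part of the article or of any operator's product, models that screening over a constructed message trace. The MAP operation names are real (they are defined in 3GPP TS 29.002), but which class an operator puts each one in is policy, and the classes here are a deliberately simplified illustration; the network codes, subscriber state, inter-country distances, timestamps and the 1,000 km/h velocity limit are all constructed for the example.

```python
from datetime import datetime, timezone

HOME_NETWORK = "255-01"   # assumed code of the home operator (constructed, not a real assignment claim)

# Constructed subscriber state: IMSI -> (network currently registered in, time of last updateLocation).
SUBSCRIBER_STATE = {
    "255011000000001": ("255-01", "2014-04-10T08:50:00Z"),   # at home
    "255011000000002": ("262-01", "2014-04-10T07:30:00Z"),   # roaming on a foreign network
}

# Constructed approximate distances (km) between the countries behind these network codes.
DISTANCE_KM = {
    frozenset({"255-01", "262-01"}): 1200,
    frozenset({"255-01", "250-01"}): 750,
    frozenset({"262-01", "250-01"}): 1600,
}
MAX_SPEED_KMH = 1000   # assumption: a subscriber cannot re-register faster than an airliner travels

# Simplified operation classes (illustrative policy, not a complete rule set).
INTERNAL_ONLY = {"sendIMSI", "anyTimeInterrogation"}                          # never expected from outside
HLR_TO_VLR = {"insertSubscriberData", "cancelLocation", "provideSubscriberInfo"}  # our HLR sends these, never receives them for our own subscribers


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def screen(msg, state):
    """Return (verdict, reason) for one inbound MAP message given as a dict.

    msg has keys ts, op, origin (network code of the sending address) and imsi."""
    op, origin, imsi = msg["op"], msg["origin"], msg["imsi"]
    if origin == HOME_NETWORK:
        return "allow", "internal origin"
    if op in INTERNAL_ONLY:
        return "block", f"{op} must never arrive from an external network ({origin})"
    if imsi not in state:
        return "review", f"{op} for an IMSI not in our HLR ({imsi})"
    network, last_seen = state[imsi]
    if op in HLR_TO_VLR:
        # For our own subscriber these are sent by OUR HLR to the serving VLR. An inbound one
        # from a foreign address is an attempt to rewrite the profile held in our switch,
        # which is the pattern described in the MTS Ukraine incident (call forwarding rewritten).
        return "block", f"{op} for home subscriber must originate from the home HLR, not {origin}"
    if op == "updateLocation" and origin != network:
        # Velocity check: could the subscriber really have moved from the last network to this one?
        hours = (_ts(msg["ts"]) - _ts(last_seen)).total_seconds() / 3600
        km = DISTANCE_KM.get(frozenset({network, origin}), 0)
        if hours <= 0 or km / hours > MAX_SPEED_KMH:
            return "block", f"implausible move {network}->{origin}: {km} km in {hours:.2f} h"
        state[imsi] = (origin, msg["ts"])            # accept the new registration
        return "allow", f"subscriber now registered in {origin}"
    return "allow", "routine interconnect traffic"


# Constructed trace of inbound messages, in arrival order.
SAMPLE_TRACE = [
    {"ts": "2014-04-10T09:00:00Z", "op": "sendRoutingInfoForSM", "origin": "262-01", "imsi": "255011000000001"},
    {"ts": "2014-04-10T09:05:00Z", "op": "insertSubscriberData",  "origin": "250-01", "imsi": "255011000000001"},
    {"ts": "2014-04-10T09:06:00Z", "op": "anyTimeInterrogation",  "origin": "250-01", "imsi": "255011000000002"},
    {"ts": "2014-04-10T09:10:00Z", "op": "updateLocation",        "origin": "250-01", "imsi": "255011000000001"},
    {"ts": "2014-04-10T12:00:00Z", "op": "updateLocation",        "origin": "250-01", "imsi": "255011000000002"},
    {"ts": "2014-04-10T12:05:00Z", "op": "provideSubscriberInfo", "origin": "262-01", "imsi": "255011000000002"},
    {"ts": "2014-04-10T12:06:00Z", "op": "sendRoutingInfoForSM", "origin": "262-01", "imsi": "262019999999999"},
]


def screen_trace(messages):
    """Screen a whole trace against a fresh copy of the subscriber state; returns the verdicts in order."""
    state = dict(SUBSCRIBER_STATE)
    return [screen(m, state) for m in messages]


if __name__ == "__main__":
    for m, (verdict, reason) in zip(SAMPLE_TRACE, screen_trace(SAMPLE_TRACE)):
        print(f"{m['ts']} {m['op']:<22} from {m['origin']}: {verdict:<6} {reason}")
```

Message 2 is the Ukraine pattern: a subscriber-profile rewrite arriving from outside for a subscriber who is sitting at home. Message 4 is blocked only because of timing (750 km twenty minutes after the last registration), while message 5 is the same operation from the same foreign network and is accepted, because four and a half hours is a plausible journey; that is why screening needs subscriber state and not just a list of forbidden operations.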
The incident was not isolated; other cases have been observed in different countries. The same protocol is used by the major Australian providers, which means that Australians' data could be exposed to hackers: names, addresses, bank account details and medical data could be stolen through a security vulnerability that gives attackers access to their mobile devices.
Another case, reported by the Guardian, revealed that security tests conducted by an operator in Luxembourg took Norway's largest network operator, Telenor, offline for over three hours because of an "unexpected external SS7 event".
A preliminary report issued by Telenor states that the problem was caused by the reception of "unusual signaling" from another international operator into its network. Software from Ericsson misinterpreted these very rare signaling messages and stopped parts of the mobile traffic.
Ericsson identified how the misinterpretation of the signaling occurred and applied the necessary correction to fix the issue.
The reality is that old and insecure protocols could harm our privacy dramatically enlarging our surface of attack.