Pulkovo Airport's air-traffic control system malfunctioned after the airport received threatening emails from hackers

On August 8th, the air-traffic control system "Galaxy" at the international airport "Pulkovo" (Saint Petersburg, Russia) malfunctioned. The system controls the movement of aircraft in the approach area of the airport.

An interesting fact is that the failure occurred not only on the server but also on all the computers in the control room, which suddenly froze.

At the time of the incident, four airplanes were in the air without control for about ten minutes.

A few days before this incident, on August 3rd, the airport's Quality Control Department received a threatening e-mail. Pulkovo airport received such threatening emails at least three times, starting from July 30.

The cybercriminals demanded 200 Bitcoins (around 89 million rubles/90 million rupees), threatening to disrupt the navigation control system otherwise. Employees assume that the threats and the system failure are directly connected.

Law enforcement agencies found that the letters were sent from Switzerland, and that the SIM cards to which the addresses are linked are registered to British citizens. Most likely, the hackers used fake IP addresses to mislead the police. The police said that no one can hack the airport's air navigation system from external sources.

Could it be just a coincidence that the control system malfunctioned after these threatening letters, or are the hackers really behind the attack? It is still unknown. Experts are trying to find the root cause of the failure. Thankfully, there was no damage.

The cybercriminals can be punished with three years' imprisonment or fined up to 300 thousand rubles.

This is not the first time an airport has received threatening letters from cybercriminals, but it appears to be the first time a malfunction has been reported after such letters. It should be noted that the airport "Domodedovo" (Moscow international airport) also received a threatening letter with a demand for several hundred Bitcoins. However, no incident was reported in that case.

UK Government to Fine Infrastructure Organisations up to £17m for Lax Cybersecurity

Industries running critical infrastructure in the UK will face fines of as much as £17 million ($24 million) if they fail to put in place strong cybersecurity measures as required by the NIS Directive.

NIS covers network and information security to be put into place by 9 May, 2018, and was announced by the UK government on Sunday.

The affected industries include transport, water, energy, and health businesses.

These fines are apparently a “last resort” if any of the above-mentioned businesses fail to follow the cybersecurity guidelines, as required of industries in all the EU member states.

The government warned that a regulator will be able to assess the cybersecurity infrastructure of the country's critical industries and will have the power to issue legally-binding instructions to make sure the security is up to the mark, including by imposing fines.

The Directive’s objectives are outlined as managing security risk, ensuring protection against cyber attacks, detecting cybersecurity events, and minimising the impact of cybersecurity incidents.

"We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services. I encourage all public and private operators in these essential sectors to take action now and consult NCSC's advice on how they can improve their cybersecurity," said Margot James, Minister for Digital and Creative Industries.

According to the government, it is working on a “simple, straightforward reporting system” through which one can easily report cyber breaches and IT failures so they can be quickly identified and acted upon.

The National Cyber Security Centre (NCSC) website states that the first iteration of the Cyber Assessment Framework (CAF) will be available by the end of April 2018.

Russia, India and other Asian countries targeted by Chinese Hackers

According to Kaspersky Lab's third-quarter report, 10 out of the 24 targeted cyber attacks were organized by groups of Chinese-speaking hackers.

Experts at Kaspersky said one of the main targets of these cybercriminals was the Russian Federation. They have also targeted other Asian countries, including India and Mongolia.

In July, Kaspersky detected a cyber espionage campaign (referred to as "IronHusky") targeting Russian and Mongolian government bodies, aviation companies, and research institutes. The incident happened shortly after both countries conducted talks on cooperation in several projects relating to the air defense of Mongolia.

Another cyber attack was discovered targeting Russia and India. This attack happened after India and Russia signed a much-awaited agreement to expand a nuclear power plant in India, as well as to further define the defense cooperation between the two countries. The energy sectors of both countries were targeted with a malicious program named "H2ODecomposition".

The experts said that in some cases, this malicious software was masquerading as a popular Indian anti-virus solution, "QuickHeal".

Kaspersky also noted that the Netsarang and CCleaner tools were targeted by these Chinese-speaking hackers. The attackers infected the installation packages with malicious code, and the packages were hosted on the Netsarang distribution site. Introducing malicious code into legitimate software would allow attackers to penetrate the networks of many organizations.

- Christina

UK spymasters suspect Russia is using Kaspersky to spy on people


The British intelligence service is reportedly worried that the Kaspersky antivirus offered by Barclays to its customers may be being used by a Russian intelligence agency to spy, according to The Financial Times.

An unnamed official told The Financial Times that GCHQ, the British intelligence agency, has concerns over the widespread distribution of Kaspersky in the UK.

Intelligence officials fear that this might allow Russia to gather intelligence from the computers of government employees and members of the military who are customers of the bank and have downloaded the software.

The Financial Times added that "No evidence suggests that any data of Barclays customers have been compromised by use of Kaspersky software on their computers."

However, the bank said it was planning to end the deal with Kaspersky for commercial reasons that have no connection with the GCHQ concerns.

Kaspersky denied the allegations and said the company does not have inappropriate ties with any government.

"No credible evidence has been presented publicly by anyone or any organization. The accusations of any inappropriate ties with the Russian government are based on false allegations and inaccurate assumptions, including the claims about Russian regulations and policies impacting the company," Kaspersky said.

Earlier this year, US spymasters and the FBI chief said that they do not trust software from the Russian antivirus company Kaspersky.

- Christina

Russian Citizen suspected of cybercrime was arrested in Estonia

A 20-year-old Russian IT programmer is suspected of cyber espionage. He was traveling from Estonia to Russia and was detained at the border crossing in Narva.

According to local media, the Estonian Security Police (KaPo) allowed the suspect to work for some time unhindered, as a result of which he was linked to the Security Service of the Russian Federation.

Authorities said that he is a member of the FSB and was preparing a mass cyber attack on the computer systems of Estonian state institutions. According to them, the Russian was trying to make some device or computer program with which he could get access to local computer systems.

Elena Vladimirovna, the mother of the suspect, told the media that it was completely unexpected for her, since her son had never been seen taking part in any unlawful actions.

"Of course, I hope that everything will end well and we will be able to prove his innocence," Elena was quoted as saying by local media outlet Sputnik. "However, the services of a good lawyer cost a lot of money, which I do not have. Perhaps the Russian embassy will be able to help us in some way, but I will never let my son go to Estonia again."

The Russian Embassy in Estonia is ready to help. The Embassy asked the Estonian Foreign Ministry for permission to meet the arrested person.

A criminal case has been instituted against the suspect under article 233 of the Penal Code of the Republic of Estonia, "Non-violent acts of an alien directed against the Republic of Estonia", and article 216, "Preparing a computer crime". He faces up to 15 years in prison if convicted.

- Christina

Putin signed a law to Protect Critical Information Infrastructure from Cyberattacks

On 27 July, the President of Russia, Vladimir Putin, signed a new law on cyber security in order to protect Critical Information Infrastructure (CII) from hacker attacks.

The document was published on the portal of legal information. According to the law, those who create and distribute malicious programs to commit cyber attacks against Critical Information Infrastructure (CII) will face up to 10 years in prison.

From now on, hacking or illegal access to computer information of government agencies is punishable by five years of forced labour, 3, 5 and 10 years' imprisonment, or a fine of up to one million rubles. After a hacker gets out of jail, he may also be deprived of the right to hold certain posts within five years.

The law defines that security services and a Federal Executive Authority will deal with the fight against hackers.

The law signed by the President will come into force on 1 January 2018.

- Christina


Putin Says Number of Cyber Attacks against Russia Has Tripled

The number of attacks launched against Russian cyberspace has increased significantly in recent years, President of the Russian Federation Vladimir Putin said at the annual board meeting of the Federal Security Services on February 16.
"The number of cyber attacks against official information databases has tripled in the past year compared to 2015," said the President.

On 11 February, Oleg Salagai, the Director of the Department of public health & communications Ministry, said that unknown hackers attacked the official website of the Health Ministry. The attackers failed to gain access to any personal data or classified files.

Making Indian Cyberspace Secure!

At a time when cyber attacks are increasing with every passing day, the Indian government on Tuesday (February 21) launched the Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre), a desktop and mobile security solution for maintaining a secure cyberspace in the country.

India’s IT and Electronics Minister, Ravi Shankar Prasad, through the Computer Emergency Response Team (CERT-In), launched the M-Kavach tool in New Delhi, which offers a comprehensive mobile device security solution for Android devices, addressing threats related to mobile phones. The new solution will notify end-users, enable cleaning and secure their systems to prevent further infections.

"Launched 'Cyber Swachhta Kendra' (Botnet Cleaning and Malware Analysis Centre), an imp milestone in various initiatives taken on Cyber Security," tweeted Prasad. A botnet is fundamentally made up of automated programs that run on computing devices, which can be any IoT/smart device. The attacks carried out using botnets are called Distributed Denial of Service (DDoS) attacks.

* Botnet Cleaning and Malware Analysis Centre (Cyber Swachhta Kendra) -

India has been ranked 3rd in botnet distribution. It's a good move by the Indian government to clean the computers. CERT-In has chosen an Indian product for this.

Research by CSPF (a non-profit organization) found that the free Malwarebytes and Avast anti-virus products are more effective in removing viruses/bots.

The free product chosen by CERT-In also advertises that the botnet cleaning tool is not a replacement for anti-virus. "The vendor is trying to sell his other anti virus solutions which is totally unacceptable," according to a US-based anti-virus company.

"Antivirus and botnet cleaners should be constantly maintained. Who is going to do this, CERT-In or the Indian vendor?" asks the US-based anti-virus company.

According to CSPF, "some samples of botnet were missed by this tool"; the tool should have a facility to report malware that it misses.

"Launched USB Pratirodh, which will control the unauthorized usage of removable USB storage media devices like pen drives, external hard drives. Launched App Samvid, to protect Desktops from suspicious applications from running," the minister added.

USB Pratirodh is a desktop security solution that controls the usage of removable storage media like pen drives, external hard drives and other USB-supported mass storage devices.

AppSamvid is a desktop solution which protects systems by allowing installation of genuine applications through white listing. This helps in preventing threats from malicious applications.

According to the Cyber Security & Privacy Foundation, "Some of these tools developed by CDAC including white listing tool is far more complex for a normal user to understand. White listing tool does not detect .msi files and other extensions".
Executable blocking / allowing has to be done manually. Most end users don't understand white listing; they don't know which to allow or block when there is an issue. Users should not end up locking their own computers. The auto white listing that is available in some famous anti-virus products should be included.
The reason cyber security is an issue for the common man is that the common man does not understand anything technical. "If using the tool is more complex than the actual problem, how are we going to solve the problem?" says a college student.

He also suggests "video should be released by CDAC showing what the tool is about and how to install and run" in multiple languages. 

During the launch, Prasad said that 13 banks and Internet service providers are presently using this government facility, and that the government will co-ordinate with other ISPs and product/antivirus companies to spread its usage for a safer online space.

Prasad said that this Kendra will also enhance awareness among citizens regarding botnet and malware infection along with measures to be taken to secure their devices.

The minister also announced that the National Cyber Coordination Centre will be operational by June 2017 and CERT-Ins will be set up at state level as well.

"The government will set up 10 more STQC (Standardization Testing and Quality Certification) testing Facilities. Testing fee for any start-up that comes up with a digital technology in the quest of cyber security will be reduced by 50 per cent. We will also empower designated forensic labs to work as the certified authority to establish cyber crime," Prasad noted.

The move comes at a time when over 50,300 cyber-security incidents like phishing, website intrusions and defacements, virus and DDoS attacks have been observed in the country during 2016.

As per the information reported to and tracked by CERT-In, a total number of 44,679, 49,455 and 50,362 cyber-security incidents were observed during the years 2014, 2015 and 2016, respectively.

The Cyber Swachhta Kendra is part of the Government of India’s Digital India initiative under the Ministry of Electronics and Information Technology (MeitY). The Cyber Swachhta Kendra complies with the objectives of the National Cyber Security Policy, which aims at creating a secure cyber ecosystem in the country.

The botnet and malware cleaning analysis centre was announced in 2015 with an outlay of Rs. 100 crores.

Industry experts wonder whether the 100 crore outlay is going to be used for building antivirus/botnet cleaning software and honeypots to track bots and take down botnets.

The threat to cyber security has become more serious and visible in the past few years in the country. There is a need to collaborate and come forth with more solutions like the Cyber Swachhta Kendra. It was a much-needed move by the government. It should not be just another public relations exercise; it should be effective.

CERT – In empanelment norms may be suboptimal for national cyber security

IT Security compliance is a mandatory requirement for the critical sector organizations. Due to a Government directive or prevailing legal / regulatory provisions, only CERT - In empanelled IT Security auditing organisations are eligible to carry out such IT Security audits - Guidelines for applying to CERT - In for Empanelment of IT Security Auditing Organisations

Indian Computer Emergency Response Team (CERT – In) no doubt had the best intentions in mind when it issued its guidelines. But as they say, the best laid plans sometimes go awry and such a result may arise as a consequence of some of the technical qualifications specified in the guidelines.

Why should CERT – In be in the business of empanelling organisations or pre-qualifying the security industry? Neither in the US nor in the UK, for example, do the respective CERTs get involved in such issues. Does a CERT – In empanelment guarantee anything, or is it part of a bureaucratic checklist? Such practices also fly in the face of the Government’s commitment to Less Government and More Governance. The empanelment norms may also result in regulatory capture.

Pre-qualification criteria including minimum number of technical manpower, formal qualifications, formal experience, number of formal audits in a specified time frame – may be acceptable for financial audits, medical audits, bridge inspection etc but do not make sense in the area of cyber security.

The best in cyber security in India, indeed the world over, are freelancers - young kids/hackers who are on the Halls of Fame of companies such as Google, Facebook and Microsoft for having discovered vulnerabilities which bypassed the expert eyes of hundreds of highly qualified and experienced domain experts in such organisations. These freelancers and individuals have no certifications, no formal qualifications, no formal audit experience and will never work formally with any organisation.

Countries like the US have realised this. Instead of concentrating on a few empanelled entities, organisations are more focused on 0 Day exploit finders and bug bounty hunters. These countries realise that the main threat comes from hundreds of highly motivated (if maliciously so), highly skilled, highly unconventional individuals either working alone or in informal partnerships. Cyber risks are asymmetrical, unconventional and global and as such need an appropriate response.

Empanelment can also breed complacency, a false sense of security. In contrast, what effective cyber security needs is a degree of paranoia. Will anyone get fired for ineffective cyber security if the security audit has been done by a firm empanelled by CERT – In? Will CERT-In formally certify an organisation’s cyber security preparedness if the security audit is done by an empanelled firm? Will CERT-In and the empanelled firms provide financial guarantees to back up cyber audits?

It is commonly known that ISO 27001 as implemented in India by auditors concentrates more on process than on ferreting out vulnerabilities. Out of the 25 organisations that CSPF has done security consulting with, 21 suffered a hacker attack despite being certified by auditors. The certification did not prevent hackers from gaining access to data in these organisations. All 25 organisations had ISO 27001 certification and were conducting vulnerability assessments and penetration testing every 3 months as is mandatory in ISO 27001. When CSPF did APT assessment post incident, it found that websites even had simple vulnerabilities like CSRF and SQL injection (almost 3/10 OWASP Top 10 vulnerabilities). In over 50% of cases, formal discovery of APT attacks or cyber espionage was made only after 7-8 months of the actual event.

0 Day exploits or unknown vulnerabilities in software are amongst the most potent tools used by black hat hackers for cyber attacks. How many cases does one know of black hats revealing their secrets on 0 Days, especially to security auditors? They would make more money selling it to National Security Agencies or Governments for use as espionage tools.

To counter black hats, one needs equally motivated, unconventional and highly skilled white hats who are more often than not lone wolves. Some of the best white hats this writer knows of have not even passed Std 10, but are yet on the Google Hall of Fame. This is the talent India needs to leverage, and talent that India cannot afford to waste.

Critical infrastructure organisations and businesses in India need to look beyond CERT – In empanelled security auditors. Formal rules and norms apart, organisations need to set up liberal bug bounty programs and invite independent bug bounty hunters to take a crack. This alone will separate the men from the boys.

J Prasanna, Founder, Cyber Security & Privacy Foundation

Wassenaar Cybersecurity Rules – How India Must Respond

In December 2013, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (“Wassenaar Arrangement”) extended its reach to the cyber world. The extension seemed to signal a broad attack on export of many categories of cyber security software including commercially available penetration testing and network monitoring products, zero days and other computer exploits. Interestingly, these changes have emerged after media reports of U.S. government purchases of zero day computer exploits or vulnerabilities, i.e., security vulnerabilities previously unknown, by the US National Security Agency (NSA) for use by its hacking team.

Cyber security experts around the world and large companies like Google have raised a banner of revolt against the Wassenaar changes and the U.S. Department of Commerce’s Bureau of Industry and Security (BIS)’s proposals for the implementation of the Wassenaar changes. They have expressed serious concerns about the impact of these changes on discovery of new vulnerabilities that could pose a threat to the internet globally.
If anything, the general impression is that Wassenaar Changes and its implementation by the signatory countries would actually make the internet more dangerous to users around the world. Google has been quoted as saying that the rules “are dangerously broad and vague and would have a significant, negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users and make the Web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure."
The fierce criticism and loud, public protest has had a temporary impact. The US Department of Commerce has now committed to drafting new rules to replace/amend the earlier draft.
It would be pertinent to note here that in response to the Wassenaar changes, VUPEN, a well known zero-day exploit firm (and also a supplier of exploits to the NSA), announced its decision to restrict exploit sales only to approved government agencies in approved countries.
So what does all this mean for India? While the Wassenaar Arrangement might have worked in the physical world, will it work in the borderless cyber world? Will a country like Russia, a leading global supplier of cyber security software and tools, implement rules to accommodate the Wassenaar changes, especially at a time when it is facing economic headwinds and is under sanctions from the US and the EU? It does not seem to be in Russia’s interest at all, given its enormous strengths in the cyber security area and the huge market for such products.
But India cannot afford to speculate on which way the wind will blow. The ongoing transformation of India into a Digital Economy implies the need for strong cyber security defences. Imagine a situation where a commercial or defence software is found to have vulnerabilities, whether accidental or deliberate, and the country lacks the tools to test for and mitigate such vulnerabilities? What if such vulnerabilities are discovered in software used in sectors such as Critical Infrastructure, Public Utilities, Financial Services, Health Information Systems? What if vulnerabilities are found in SCADA (industrial automation control systems) used by major industries and the energy sector?
Clearly, India needs to build its own cyber security defences and do it fast. Some expertise is available in the country, and needs to be complemented with global talent. 
The Government, leading software companies, defence companies and major users need to invest liberally in funding and supporting talented cyber security professionals. The Government should support some aggression in sourcing relevant tools, technology and talent from wherever required in the world. Israel’s export of cyber security software now exceeds that of physical weapons systems, and there’s a lesson for India here in the form of a Military/Industrial/Cyber Security Professionals complex to meet India’s needs.
As is known, India has faced serious problems in the past with respect to imports of critical technologies in the areas of defence, space and the nuclear sector. In the context of cyber security, we now have advance warning about problems that are around the corner. It makes no sense to run into a wall all over again and as such, a proactive and immediate national response is called for.
Prasanna J, Founder of Cyber Security and Privacy Foundation.

Chinese Hackers targeting Indian institution to steal information

If FireEye Inc, a US-based cyber security firm, is to be believed, hackers based in China are now targeting India to steal information about its border disputes and diplomatic intelligence.

The relationship between these two countries broke down in 1962, when they fought each other over border issues. However, the situation between the two countries cooled a bit when the Modi government came to power.

It is also said that the hackers were active a month before PM Modi's visit to China.
Now, it seems the cyber threat could make things worse, as they were before.

As per the company, an advanced campaign over the past four years has targeted more than 100 people, 70 percent of whom are in India. Earlier this year it identified a decade-long cyber espionage operation against businesses and governments in Southeast Asia.

“These attacks on India and its neighbouring countries reflect growing interest in its foreign affairs,” Bryce Boland, FireEye’s chief technology officer for Asia Pacific, said in the statement.

Along with the Indian institutions, the hackers also targeted Tibetan activists and others in Southeast Asia, in particular government, diplomatic, scientific and educational organizations, the security company said.

According to a news report published in The Financial Times, the hackers sent so-called spear phishing e-mails with Microsoft Word attachments appearing to relate to regional issues. Those messages contained a script which would create a “backdoor” in infected machines, allowing access to programs without detection by security measures.

A Florida man sent to jail for accessing and removing information from Military computers

A 34-year-old man from South Florida was sentenced by U.S. District Judge Kenneth A. Marra of the Southern District of Florida to 120 months in prison, to be followed by three years of supervised release, for accessing and removing classified information from military computers.

The court found Christopher R. Glenn guilty on July 31 of willful retention of classified national defense information under the Espionage Act, computer intrusion under the Computer Fraud and Abuse Act and conspiracy to commit naturalization fraud.

The announcement was made on July 31 by Assistant Attorney General for National Security John P. Carlin, U.S. Attorney Wifredo A. Ferrer of the Southern District of Florida and Special Agent in Charge George L. Piro of the FBI’s Miami Field Office.

Glenn accessed a classified Department of Defense network without authorization and removed classified national defense information from Department of Defense and U.S. Southern Command’s (SOUTHCOM’s) Joint Task Force-Bravo, including intelligence reports and military plans while he was working as a computer systems administrator at Soto Cano Air Base in Honduras.

Glenn proceeded to encrypt the files and place them on an Internet-accessible network storage device located in his residence in Honduras.

“Christopher Glenn exploited his position as a cleared military contractor and systems administrator to steal classified U.S. military secrets,” said Assistant Attorney General Carlin in the announcement.

“In doing so, he violated the unique trust placed in him by the Department of Defense. Insider threats by trusted employees who exploit computer access are a significant danger to U.S. national security and this sentencing shows it will not be tolerated,” Carlin added.

According to the court reports, Carlin and Ferrer commended the investigative efforts of the FBI, U.S. Army’s 470th Military Intelligence Brigade, U.S. Army’s Criminal Investigations Division, SOUTHCOM, USCIS, IRS-CI, the Department of Homeland Security and the South Florida Joint Terrorism Task Force.

“The case is being prosecuted by Assistant U.S. Attorney Ricardo Del Toro of the Southern District of Florida and Trial Attorney Christian Ford of the National Security Division’s Counterintelligence and Export Control Section,” the report added.

Hacked documents: Headache of U.S. officials

United States officials are now worried that hacked data may put their spies at risk. The documents stolen by Chinese hackers have become a headache for U.S. officials, as they believe the Chinese government could use the stolen records of millions of federal workers and contractors to piece together the identities of intelligence officers secretly posted in China over the years.

However, some officials in President Obama's administration said that the theft was not as damaging as it might have been, because the Chinese hackers did not gain access to the identities of American undercover spies.

Similarly, it is still unclear how Chinese officials were using or might use the stolen files, which include personal information gathered during background checks of government workers.

According to a news report published in NYTimes, it would be a significant setback for intelligence agencies already concerned that a recent data breach at the Office of Personnel Management is a major windfall for Chinese espionage efforts.

In the days after the breach of records of millions of federal workers and contractors became public last month, C.I.A. officials said intelligence agencies were taking steps to try to mitigate the damage; however, it is not clear what they are doing.

According to the news report, “The information that was exfiltrated was valuable in its own right,” said Representative Adam B. Schiff of California, the top Democrat on the House Intelligence Committee. “It’s even more compromising when it is used in combination with other information they may hold. It may take years before we’re aware of the full extent of the damage.”

“The C.I.A. and other agencies typically post their spies in American embassies, where the officers pose as diplomats working on political affairs, agricultural policy or other issues,” the report read.

It is said that even if the identities of the agency officers were not in the personnel office’s database, Chinese intelligence operatives could run searches through the database on everyone granted visas to work at American diplomatic outposts in China.

During an interview, the director of the National Security Agency, Adm. Michael S. Rogers, said, “From an intelligence perspective, it gives you great insight potentially used for counterintelligence purposes.”

“If I’m interested in trying to identify U.S. persons who may be in my country — and I am trying to figure out why they are there: Are they just tourists? Are they there for some other alternative purpose? There are interesting insights from the data you take from O.P.M,” he added.

Google protests against US government's new legislation "Wassenaar Arrangement"

Google has protested against the proposed legislation changes in the “Wassenaar Arrangement”  that would let the US government control the export of security research and technologies.

Google’s legal team member Neil Martin, and Tim Willis, Hacker Philanthropist, Chrome Security Team, opposed the proposed legislation in a blog post, saying “it will hurt general web users”.

The blog post emphasized how the proposed changes will directly affect security research: “The time and effort it takes to uncover bugs is significant, and the marketplace for these vulnerabilities is competitive. That’s why we provide cash rewards for quality security research that identifies problems in our own products or proactive improvements to open-source products. We’ve paid more than $4 million to researchers from all around the world - our current Hall of Fame includes researchers from Germany, the U.S., Japan, Brazil, and more than 30 other countries.”

According to the blog post, the proposed legislation changes would apply Wassenaar Arrangement controls to software and tools, which will hamper companies that hire hackers to find vulnerabilities in their network and products.

If the proposed changes are approved, companies operating in the US will need a license to export their security technologies, or information on newly discovered vulnerabilities, to anywhere other than Canada.

Google submitted their comments on the proposed rules to the United States Commerce Department’s Bureau of Industry and Security (BIS).

North Korean hackers now have power to kill

Prof Kim Heung-Kwang, a defector from North Korea who escaped from the country in 2004, has revealed that North Korean hackers have enough control over infrastructure that they could theoretically even kill people.

The Professor revealed this piece of information to the BBC and said that North Korea had around 6,000 trained military-grade hackers. He has urged international organizations to step in and defuse the threat North Korea's hackers are becoming.

Before defecting from North Korea, Prof Kim taught at the Hamheung Computer Technology University for 20 years in the field of computer science.

Bureau 121, North Korea's hacking unit, has been widely accused of being responsible for recent hacks like the Sony Pictures one that occurred last year.

Many of the attacks of North Korea seem to be focused on their immediate neighbor, South Korea.

South Korean Defense Ministry Bans Smartphones usage to prevent Military data leaks

The South Korean Defense Ministry is banning its staff from using Internet connectivity and camera functions inside the Ministry's building in a move to prevent military information leaks, according to Yonhap News.

According to the newly implemented mobile device management plan, employees will be required to install a smartphone app that deactivates most smartphone features while they are inside the building.

Employees will still be able to make phone calls or use text messages, but those who have an Apple iPhone are only allowed to do that.

Visitors won't be allowed to carry any mobile phones inside the Ministry's building. The plan goes into effect from July 15.

The defense ministry said a trial run will be held first and it would consider revising it if necessary.

Fingerprints may now be needed to get new SIM cards in India

Fraudulent SIM cards being circulated through small retailers pose a potential risk to national security. To bring an end to the misuse of SIM cards and reduce security issues, the Home Ministry has asked the Department of Telecommunication (DoT) to make fingerprint verification or other biometric scans mandatory when issuing a new SIM card.

"SIM cards are used for various authentication... if this is taken, it can make sure the culprit can't claim 'I did not take the SIM'. Proving is easy if someone used a fingerprint and took the SIM," experts from the Cyber Security & Privacy Foundation (CSPF) told EHN when we asked about the new verification method.

"It makes it inconvenient for people to purchase SIM cards. People can't buy in small shops... maybe we should go to showrooms of service providers and buy it."

EHN: Do you think it will stop the people who get a SIM card with a forged doc?
CSPF: Depends on how the fingerprint is done and taken. Let us say the fingerprint is taken directly on the machine which processes the application using a fingerprint reader. The showroom people are involved in issuing the SIM card to a criminal. They can make another guy put his fingerprint for the criminal's SIM card and issue it... if it's on paper, it's easier to do this.

"I think this system won't work if insiders are involved. Most black SIMs get sold with insider involvement," say the experts.

According to TelecomLead, the new initiative may be rejected by telecom operators, as it will be a lengthy and costly process.

Royal Thai Navy website hacked with SQL Injection vulnerability

Cyberspace plays an important role in national security. A country should also remember to provide security in cyberspace. But the government fails to concentrate on cyber security, which leaves most government sites vulnerable to hacking.

The security breach of the website of the Royal Thai Navy (www.navy.mi.th), the navy of Thailand and part of the Royal Thai Armed Forces, is the best example of this.

A hacker with the Twitter handle @WilyXem has discovered a SQL injection vulnerability in the Thailand navy website. He managed to exploit the vulnerability and compromised the target database.

Earlier today, the hacker posted a link to the dump on Twitter (sprunge.us/YHHf). The dump contains database details including the database name, version and table details. He also provided a Proof-of-Concept of the SQL injection vulnerability.

The hacker also leaked 3 tables, namely membern, personalacc and personalacc1, that contain usernames and passwords in plain-text format.

It is really sad to know that the passwords are being stored in plain-text format. But even if they were encrypted, it would not take a hacker much time to crack them, because very weak passwords are used.
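The two weaknesses reported above, a query open to SQL injection and plain-text password storage, are shown next to their fixes in the following added example, which is not code from the affected site. The in-memory table borrows the name `personalacc` from the report, but its columns, the sample accounts, the denylist and the PBKDF2 work factor are all assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

COMMON = {"123456", "password", "qwerty", "111111"}  # tiny constructed denylist
ITERATIONS = 600_000  # PBKDF2 work factor (assumed value for this sketch)

def make_db():
    # In-memory stand-in; the column layout is an assumption, not the leaked schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE personalacc "
               "(username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def derive(password, salt):
    # Slow, salted one-way derivation instead of plain text or reversible encryption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(db, username, password):
    # A strong hash cannot rescue a guessable password, so reject those up front.
    if len(password) < 12 or password.lower() in COMMON:
        raise ValueError("password too weak")
    salt = os.urandom(16)
    db.execute("INSERT INTO personalacc VALUES (?, ?, ?)",
               (username, salt, derive(password, salt)))

def verify(db, username, password):
    row = db.execute("SELECT salt, pw_hash FROM personalacc WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[1], derive(password, row[0]))

def lookup_unsafe(db, username):
    # Vulnerable form: user input becomes part of the SQL text.
    sql = "SELECT username FROM personalacc WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, username):
    # Hardened form: the driver binds the value, so it is never parsed as SQL.
    return db.execute("SELECT username FROM personalacc WHERE username = ?",
                      (username,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    register(db, "alice", "correct horse battery")
    register(db, "bob", "another long passphrase")
    crafted = "x' OR '1'='1"  # constructed input
    print(len(lookup_unsafe(db, crafted)), len(lookup_safe(db, crafted)))
```

With the concatenated query the crafted input matches every row, while the bound parameter matches none; a dump of this table yields only salts and derived hashes.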

India will soon have National Cyber Security Policy

India will soon have a National Cyber Security Policy that will ensure appropriate measures to tackle cyber crime and cyber attacks, Indian Government officials said.

"We are working on a cyber security policy. We need more work to curb cyber crimes," SiliconIndia News quoted Minister for Communications and Information Technology Kapil Sibal as saying.

In a press report published today by NIC, Minister of State in the Ministry of Home Affairs Shri R.P.N. Singh stated in the Rajya Sabha that the Government is taking various measures to ensure necessary awareness and a robust security system in all critical Government agencies.

The officials advised all Central Government Ministries / Departments and State / Union Territory Governments to conduct security audits of their entire IT infrastructure, including websites.

To prevent Government websites from being hacked by cyber criminals, NIC will not host websites which are not audited with respect to cyber security.