Issue No. 1, January 2014 Monthly newsletter

სტატია

Issue No. 1 | January 2014

Monthly newsletter

10 January

RF Cybersecurity Strategy Concept

On 29 November 2013, the Russian Federation Council held parliamentary hearings on the draft concept of a national cybersecurity strategy. Recognising the pressing nature of cyber threats on national, organisational and personal levels, participants proposed an online discussion of the draft.

27 January

Transactions in virtual currencies such as Bitcoin

According to the Bank of Russia, there has been a rise in transactions that use virtual currency such as Bitcoin. Virtual currencies are neither backed nor are they a legally binding contract. Transactions in virtual currencies are speculative in nature and carried out as so-called virtual stock exchanges, involving rather high devaluation risks.

30 January

Bank of Russia to come up with recommendations on monitoring social network content

As part of its standardisation efforts based on Technical Committee 122, the Bank of Russia is working on draft recommendations to monitor social network content related to financial institutions," said Artyom Sychov, deputy head of the bank’s Central Administration for Information Security and Protection, at Infoforum, a Russian information security forum.

Legislative news and regulatory recommendations

22 January

Spying LG Smart TVs: The end of the Story

 An article published by Habrahabra.ru on 19 November 2013 told the world about how advanced TV sets can secretly collect and send certain information about TV users. The article immediately triggered several reposts that were then followed by heated debates in user comments both on Habrahabra.ru and the reposting websites.

It made me curious about how regulatory authorities would respond to this situation and whether they would take the consumers' side. So, I went to the website of the Federal Antimonopoly Service for Stavropol and filed an application summarising the case and attaching a link to the article. The response from the FAS came in about several weeks.

9 January

Protecting children from harmful information

When I saw that the post on protecting children from harmful information had attracted a lot of attention, I decided to take a deeper look into it. I was curious better understand current thinking on why children should be protected from information in the first place and, if so, what protective measures have been implemented in other countries and what more could be done. 

Secure yourself/ Be on the alert

Finance sector

 

9 January

Ukrainian hacker who stole $9 million from bank accounts identified

According to news published on its official website, the Ukrainian Security Service has identified a person in Kiev who was allegedly involved in a hacker attack that resulted in $9 million being stolen from the bank accounts of foreign and Ukrainian customers.

10 January

Moscow police suspects in bank card theft

Moscow police have arrested two people involved in an organised group, accusing them of using skimming devices to steal money from bank cards, according to a report from the press service for the Internal Affairs Division for the southwestern district of Moscow. On 4 January alone, the group stole 4.5 million rubles from a self-employed entrepreneur’s bank account. A criminal case has been opened into the theft under Article 150 (Stealing) of the Russian Criminal Code.

13 January

More than 70 million rubles stolen from individual bank accounts

Police have disrupted an organised gang accused of stealing money from deposit accounts with Russian banks. According to the press service of the Central Criminal Investigation Department of the Russian Ministry of Internal Affairs, the losses are estimated at more than 70 million rubles. Four people involved in the group, active in the Moscow region and St. Petersburg, have been arrested. The suspects have been detained and a criminal investigation has been launched into the fraud.

13 January

Sberbank: bank cards double-charged due to error by acquiring bank

Sberbank cards were double-charged last week as a result of an incorrect file being sent from a third-party acquiring bank to Sberbank, one of Russia’s largest lending institutions, Sberbank’s press service told Banki.ru.

14 January

Russia may pass law permitting pre-trial freeze of websites containing misleading information about banks

Natalia Burykina, the chairman of the State Duma Committee for Financial Markets, and Alexey Mitrofanov, chairman of the State Duma Committee for Information Policy, have prepared a draft law to help prevent distribution of misleading information about banks. According to Vedomosti, state Duma deputies have proposed blocking websites that contain misleading information about banks, the banking system and public entities - namely lenders, insurers, and other entities operating in the securities market and subject to financial reporting requirements.

15 January

Man from Chelyabnisk returns 10 billion rubles mistakenly credited to account by Alfa Bank

Alfa Bank mistakenly credited 10 billion rubles to the account of Timur Fatkullin, a citizen of Chelyabinsk, ZNKAK.com reported .

21 January

South Korean programmer steals banking data from 20million fellow citizens

According to a report from the BBC, a programmer in South Korea stole credit card and social insurance data from 20 million South Koreans –  40 percent of the country’s population.

26 January

U.S. sees new large credit card data leak

Following the hacking scandal around Target, Neiman Marcus, another network retailer, confirmed a credit card data theft that occurred in mid-December last year. The theft targeted POS payments, but did not affect the retailer’s online customers of the retailer. As reported today, Michaels, another large network retailer, has launched an investigation into credit card data theft. Banking security services have already recorded hundreds of fraud attempts to access the credit card data stolen from Michaels.

31 January

Hackers get data on 49,000 bank cards in 11 countries

As reported by Reuters, hackers obtained data from 49,000 customer bank cards from small-size retailers in 11 countries.

 

Internet and telecommunications

2 January

Syrian cyber-army hacks Skype

A Syrian cyber-army launched an attack on Skype's blog and Twitter account, telling people not to use Microsoft email services such as Outlook and Hotmail and claiming "they are monitoring your accounts and selling it to the U.S. government." There is no information yet on whether the criminals got access to user data or other Skype services. By the time of this report, the hackers' messages had been removed from the blog. However, Skype still has no control over its Twitter account, where the messages still remain.

3 January

Snapchat: user data leak confirmed, but no apologies offered

Snapchat sees the recent leak of user names and telephone numbers  of 4.6 million of its users as an "abuse" of the API service. However, TechCrunch reported, the company has actually admitted that its approach to storing data made it possible to match user names to telephone numbers.

Snapchat says it will fix its applications and service to prevent future leaks. In particular, it will add an option enabling users to opt out of the friend search function based on telephone numbers.

10 January

Openly examining public website vulnerabilities

About a month ago Joshua Rogers, a 16-year old student from Australia, got the idea to test for vulnerabilities in the Public Transport Victoria (PTV) website (ptv.vic.gov.au), Melbourne's official authority responsible for all public transport. While it is not quite clear what the youngster used as his testing tool, some believe that the device was simply a vulnerability scanner downloaded from the Internet that was designed specifically for a certain URL. 

12 January

Dropbox service failures

On 11 January 2014, many Dropbox users started to get error messages from the service, which returned a 500 code error when they tried to perform various actions. Customers also encountered service failures when using the iOS application with Dropbox's API.

13 January

Computer virus disrupts photo and video control systems in Moscow region

A virus knocked out over 100 photo and video systems in the Moscow region, Gazeta.ru reported.

17 January

U.S. Congressmen turn to Bruce Schneier for NSA secrets

On January 16, Bruce Schneier, one of the leading experts in information security, participated in an hour-long discussion with six U.S. Congressmen after the lawmakers sought him out for information about the NSA's activities - something they have been unable to obtain from official sources. While the National Security Agency (NSA) is tight-lipped about its activities, even when it comes to requests from the U.S. Congress, Schneier is a prominent expert on cybersecurity and one of the few people with access to Edward Snowden's database.

28 January

U.S. arrests man allegedly behind SpyEye

According to a report from krebsonsecurity, federal authorities in Atlanta will soon make an official announcement about the arrest of and charges against Alexander Panin, a Russian citizen from Tver. Panin, allegedly also known as Gribodemon, is said to be among those behind SpyEye, one of the most harmful Trojan banking malwares.

 

Industry and services

20 January

Last update on Target hacking story

It’s been several weeks since the story about a large-scale hacker attack on retailer Target. Hackers installed a malicious code on computers connected with POS credit card terminals, resulting in data from 50 million users being compromised. It became known later on that the hackers got access to confidential information such as the  e-mails and telephone contacts of Target's customers and employees.

21 January

Russian Consumer Rights Protection Association urges Russians to start a boycott on eBay and PayPal

The Russian Consumer Rights Protection Association reports that it has joined the protest against limiting free e-commerce, urging Russians to begin a boycott on those lobbying this initiative.

Articles

3 January

NSA working on a quantum computer to break any cryptographic algorithms – still far from success

According to a document reported by The Washington Post, the NSA is financing a project to build a new quantum computer that can crack any cypher existing today. There are still no signs that the NSA has been progressing faster than other researchers working in the field.

The document, unveiled by Edward Snowden, discusses the NSA's research program Penetrating Hard Target,  which has a budget of $79.7 million. One of the program’s objectives is to build a quantum computer that could be used for codebreaking. According to the document, the research is largely based at a physics lab at Maryland University, however, it does not provide any information about the status of the project.

8 January

DARPA launches project to create biodegradable electronics capable of "physically disappearing in a controlled manner"

The U.S. Defense Advanced Research Projects Agency (DARPA) is working on an interesting project to design electronic components capable of physically disappearing when sent an externally-initiated command. The project is not just a pure flight of imagination: DAPRA has already transferred $4.7 million to SRI, a nonprofit independent researcher, for the initiative, on which it’s collaborating along with Honeywell, an electronics producer.

15 January

Blackphone becomes first-ever smartphone protected from wiretapping

Silent Circle, an encrypted communications firm, has designed a new smartphone in collaboration with Geeksphone that comes with an integrated cryptographic module which provides encrypted protection for voice data, text messages, video chats and files when stored or exchanged. The device, called Blackphone, is the first of its kind.

Blackphone runs PrivateOS, a privacy-oriented fork of Android. The cell phone will not be tied to any particular carrier or producer.

20 January

Botnet of smart TV sets, media centers, a PC and a fridge detected...

Habrahabra often tells its users about smart houses, Internet devices, etc. With an ever-increasing number of new devices capable of communicating with each other and connecting to the Internet, it’s quite possible that we will see houses getting smarter about several years from now. It’s exciting to have a fridge that knows whether you’re short on any food items and automatically places an order within a budget allocated by its owner.

21 January

2013 trend in malware threats reinforced

Each year global threats increase in number and activity, with new malware programs, modifications of the old ones, and other similar hacking tools emerging every day. The last year has just reinforced a continuing major trend defining two basic types of malware. The first type is programs that are used by hackers for personal gain. The second is malware for watering-hole attacks designed to compromise a particular company, industry or geographic region.

24 January

Progress in deciphering Voynich Manuscript

The Voynich Manuscript, a famously mysterious hand-written codex known to almost any cryptography enthusiast, has started to yield its secrets to the world.

24 January

Win32/Boaxxe.BE as a click fraud tool

This analysis is a discussion of an interesting malware species — Win32/Boaxxe.BE, which employs various click frauds designed to channel traffic to advertising websites, allowing hackers to obtain per-click payments from an advertiser. The first part discusses the infrastructure of the partner network that is used to distribute the malware, while the second part addresses technical aspects of this malicious code.

29 January

Cryptographic analysis competition for hash-function GOST R 34.11-2012

At the end of 2013, the Technical Committee for Standardisation "Cryptography and Security Mechanisms" (TC 26), the Russian Cryptography Academy and OAO Infotecs, announced a competition to analyze the cryptographic properties of a hash-function algorithm based on GOST R 34.11-2012. Please visit  www.streebog.info for details about the competition. This contest shows that existing research results for this cryptographic standard, which provide a springboard for further research into the algorithm covered by GOST R 34.11-2012, have attracted heightened attention from cryptoanalysts.

Cybersecurity technology updates

January 24

Register for licenses for technical protection of confidential information

This register contains information about the activities of government bodies and local administration entities. It is published online as arrayed data and is formatted to enable automatic data processing for further reuse without the need for any preliminary manual modification (i.e. machine-readable form). This data is available for free.

To be added to bookmarks

January 05

VSAT terminals are opened for targeted cyber attacks (CIO.com)

Security researchers from IntelCrawler, a Los-Angeles based cyber intelligence company, announced that very-small-aperture terminal (VSAT) used for satellite communications are exposed to external cyber attacks, especially, on distributed critical infrastructures and network environments.

January 26

Spear Phishing attack was used in CNN Blogs hack

Some of CNN's social media accounts and blogs were compromised Thursday. The affected accounts included CNN's main Facebook account, CNN Politics' Facebook account and the Twitter pages for CNN and CNN's Security Clearance. Blogs for Political Ticker, The Lead, Security Clearance, The Situation Room and Crossfire were also hacked.

January 17

IntelCrawler: "The teenager is the author of BlackPOS/Kaptoxa malware (Target), several other breaches may be revealed soon"

The massive data breach at Target during the 2013 holiday shopping season which the retailer now admits affected 70 million customers used an inexpensive "off the shelf" malware known as BlackPOS. The same malware may have also been involved in the Neiman Marcus attack.

Foreigner corner

იყო თუ არა ინფორმაცია სასარგებლო?