NATO Prepared Tallinn Manual -International Law Applicable to Cyber Warfare
NATO finally published the final version of a document expected to shape cyber warfare policies among Western nations was published last week, clarifying when and how countries can legally conduct online aggression against one another. The International law of Cyber Warfare have been published by the Cooperative Cyber Defence Centre of Excellence (CCDCOE) set up in Estonia, in 2008, the Tallinn Manual on the International Law Applicable to Cyber Warfare. Spanning 215 pages, the Tallinn Manual makes it clear that a full-scale war can be triggered by network-borne attacks on computer systems and that civilian activists that participate in those are considered legitimate targets. However, the manual specifically rules out state-sponsored attacks on critical civilian infrastructure. Nuclear power plants, hospitals, dams and similar are all out of bounds for cyber war, the manual states.
The Tallinn Manual:-
The Tallinn Manual on the International Law Applicable to Cyber Warfare, written at the invitation of the Centre by an independent ‘International Group of Experts’, is the result of a three-year effort to examine how extant international law norms apply to this ‘new’ form of warfare. The Tallinn Manual pays particular attention to the jus ad bellum, the international law governing the resort to force by States as an instrument of their national policy, and the jus in bello, the international law regulating the conduct of armed conflict (also labelled the law of war, the law of armed conflict, or international humanitarian law). Related bodies of international law, such as the law of State responsibility and the law of the sea, are dealt within the context of these topics.
The Tallinn Manual is not an official document, but instead an expression of opinions of a group of independent experts acting solely in their personal capacity. It does not represent the views of the Centre, our Sponsoring Nations, or NATO. It is also not meant to reflect NATO doctrine. Nor does it reflect the position of any organization or State represented by observers.
Couple of months ago we have talked about 'Pwn2Own 2013' hacking contest sponsored by HP TippingPoint, ZDI and Googlewhere the most famous and widely used browsers have to face challenges. Now the result of this long awaited security competition has came which is showing that the entire browser security landscape can change in a single day, as browsers thought to be secure are proven to be otherwise. Of the Big Four browsers, only Apple's Safari has so far survived the onslaught of the browser-breakers where Chrome, Internet Explorer 10 and Firefox all fell to the mercy of the hackers. Not only browsers but also three other popular applications that is Adobe Reader, Flash Player and yet again Java fallen victim to hackers at'Pwn2Own'. And for Java it was a true disaster as Java fell three times, though under the contest rules, only the first attacker was due to win the $20,000 prize. Vupen, a renowned security research firm based in France, cracked both Firefox and Internet Explorer. It roughly explained the attack in a tweet, “We’ve pwned Firefox using a use-after-free and a brand new technique to bypass ASLR/DEP on Win7 without the need of any ROP.” This bug hint leads them winning $100,000 for finding a huge hole. Again in a tweet, Security firm Vupen explained “We’ve pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass.” Lastly, U.K.-based security firm MWR Labs cracked Chrome and also gained full control of the operating system, this time Windows 7. It also “demonstrated a full sandbox bypass exploit.” The company explained in a blog post that it found a zero-day in Chrome “running on a modern Windows-based laptop.” It was able to exploit the vulnerability by performing a very similar attack to what took down Facebook, Microsoft, and a number of other well-known companies: It had the laptop visit a malicious website.
Now lets take look at the final score board of Pwn2Own 2013:
The total damage to the prize fund comes out at a whopping $480k. With HP's announcement that everyone will get paid for each attack, the prize monies will be divvied up as follows:-
As you all know that the main motive of these contest is to make applications, software more safe and secure while figuring out hidden vulnerabilities Here also for Pwn2Own the security holes figured out by the above experts have already been submitted and taken carefully by those organization along with that, the expected patch for the browsers have already been released. Those who are still using the older version of those above applications are requested to update their system. So, stay tuned with VOGH and be safe on the Internet.
Australia Joined 38 Other Nations as Part of an International Cybercrime Treaty
Sitting at the edge of the latest technology, today we can easily separate our world into two parts. One is the real world where we live and another is the virtual or cyber world, in which we all are tightly attached. As these two fields are the prime factor where we have to stay happily so the matter of safety, security is highly required on the both said areas. Being one of the leading cyber media, our main concern is the cyber domain, so we are worried as well are responsible and committed to server our readers. In this period of time many of us feel terrified to engage themselves in the cyber space due to lack of security and privacy, and also keeping in mind the major disaster done by cyber criminals. But how long? To get rid of that not only we the media people but also the sincere government of several countries make themselves committed to prepare a safe cyber world for the people. Earlier we have seen several developed countries came under a shade, in order to make an united shield to protect this cyber domain and its people. Today that shield got a new member. Yes it is Australiawho has now formally joined 38 other nations as a party to the world's first international treaty on crimes committed via the internet. This deceleration came from the Attorney-General Mark Dreyfus. In his speech he said "Australia becoming a party to the Council of Europe Convention on Cybercrime will help combat criminal offences relating to forgery, fraud, child pornography, and infringement of copyright and intellectual property"
By joining the Convention, Australian law enforcement agencies will be able to rapidly obtain data about communications relevant to cybercrimes from partner agencies around the world. With the Convention now in effect, Australia's investigative agencies are able to use new powers contained in the Cybercrime Legislation Amendment Act 2012 to work with cybercrime investigators around the globe. The Act amended certain Commonwealth cybercrime offences and enabled domestic agencies to access and share information relating to international investigations. Dreyfus says the Act also created new privacy protections, safeguards and reporting requirements for the exercise of new and existing powers. "A warrant is always required to access the content of a communication whether the information is in Australia, or accessed from overseas under the Cybercrime Convention. The Cybercrime Act and the Cybercrime Convention do not impact in any way on the need to have a warrant to access content from a telephone call, SMS or e-mail." -Dreyfus said in his statement.
Apple Hacked, Macintosh Computers Infected By The Same Group Who Attacked Facebook
The month of February is not going good for cyber space, specially for giant organization. Last week the social networking giant Facebook fallen victim of a devastating cyber attack which did effected a number of systems. Facebook admitted that it faced a "sophisticated attack" on computers where it has been found the attackers used a zero-dayJava exploit to initiate the attack, but that no user data was compromised. The same thing happened to micro blogging site Twitter and New York Times. And now it was the turn for Apple. The California based multinational company acknowledged that recently their systems has been attacked by hackers who infected Macintosh computers of some employees. Like Facebook here also no data has been effected, "there was no evidence that any data left Apple." -said Apple.
According to an exclusive report of Reuters -some unknown hackers infected the computers of some Apple workers when they visited a website for software developers that had been infected with malicious software. The malware had been designed to attack Mac computers. The same software, which infected Macs by exploiting a flaw in a version of Oracle Corp's Java software used as a plug-in on Web browsers, was used to launch attacks against Facebook, which the social network disclosed on Friday. The malware was also employed in attacks against Mac computers used by "other companies," Apple said, without elaborating on the scale of the assault. Experts are presuming that all these cyber attacks of February, that is Twitter, New York Times, Facebook & Lastly Apple Inc was originated from China, and executed by the same hacker group. On the other side few experts are also saying that the group responsible for the hack, has been identified as "Unit 61398" of the People'sLiberation Army. But so far there is no proof.
Apple also revealed that it plans to release a software tool later Tuesday that will protect customers against the same type of software that was used against its employees.
Apple also provided a statement as follows:-
"Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware.
Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days. To protect Mac users that have installed Java, today we are releasing an updated Java malware removal tool that will check Mac systems and remove this malware if found..."
Hidden Costs of 'Data Theft' A Serious Issue! What You Need to Know to Be Safe
Sitting at the edge of technology, we the people of this century are blessed with all the required equipment which makes our work so easy that one could have even imagined three hundred years ago. Along with these positive sides, we must have to keep in mind that, these technologies not only elaborating our effort making life easier, but also posing high level of threat. As the main concern of VOGH is cyber domain, so here w would like to share a fact which will make you think and even make your cyber life and your personal life too uncanny. Yes, I am talking about the rising cyber threats; the more we are shedding with technologies, the more we are involving our lives with some dangerous threats and challenges. Now a days cyber criminals are every where, you don't even know, what trap has already been set for you, that can ruin your happy life. One of the big example is "Data Theft" which becoming boomerang for us. In an age of fully digitized data, consumers and businesses can lose thousands of dollars in the blink of a hacker’s eye. The costs of data theft are well known to anyone who has ever found themselves victim to financial identity or medical record fraud. What few of us realize is that the procedures required to right a financial wrong are often costlier than the crimes themselves. Lets share some interesting statistic, which will surely put terror in your mind - the economy loses an average of $22,346 for every time an identity is stolen. And to fully recuperate losses, repair credit and prosecute fraudsters, consumers, accountants, lawyers and IRS officials can spend up to 5,000 hours, the equivalent of two years of full-time work on a single case. Even so, 60% of medical record fraud victims admit that they don’t monitor their medical statements for inconsistencies.
Shocking!! Why not?
For one, most consumers don’t have time every month to file through complex medical or financial statements and check for accuracy. And secondly, the image of thousands of evil savants working around the clock to hack BOA databases sure makes a consumer feel helpless. Identity theft seems random and unpreventable–a stroke of bad luck like getting struck by lightning. If we are struck, we tell ourselves, banks, credit agencies and insurance companies are legally bound to recover our funds and correct our records.
Now lets check out a fascinating video in our Hidden Costs Series to get a deeper look at how our high-cost, high-risk data management systems really work.
Hidden Costs of Data Theft (Statistic At a Glance):-
Data theft includes financial identity theft, identity cloning, and medical identity theft. The average cost per victim was $22,346 in 2012. And the total national cost of just medical identity fraud was $41 billion in 2012. The worst part – nearly 60% of reported victims say they don’t ever check their medical records for fraud. Depending on the severity of the case, it can take over 5,000 hours (the equivalent of working a full-time job for two years) to correct the damage.
Since 1935, over 435 million social security cards have been issued. That’s over 2,175 tons of paper issued as cards, or 52,200 trees and 5 million new cards are issued every year.
Worldwide, digital warehouses storing private information, like banking and personal history, use about 30 billion watts of electricity, which equals roughly the output of 30 nuclear power plants. Data centers in the US make up almost a third of that usage, and waste 90% of the electricity they pull off the grid.
On average, 47% of victims encounter problems qualifying for a new loan and 70% have difficulty removing the negative information from their credit reports.
Over the next five years, the IRS stands to lose as much as $21 billion in revenue due to identity theft, and worldwide, businesses lose close to $221 billion a year with the US, UK, Canada and Australia ranking the highest in reported fraudulent activity.
After reading the above story carefully, many of you will feel insecure and panic. But I would like to inform you that the main purpose of sharing such important information, is to enhance carefulness, to rise cyber awareness. Many people became victim, not because of less knowledge, but of less information, less awareness. So from now onward before connecting your self into the digital world make sure that the significant & the emergent knowledge and information you have gathered from the article, should remain intact inside your brain. Trust me, if you became a bit cautious, you can easily get rid of all those cyber threats, and can enjoy the bless of technologies to make your life prosperous and happy.
So stay tuned with VOGH and also be canny, be attentive and be safe inside the digital world.
We the Team VOGH heartily thanks one of our invaluable reader and friend Emily Stewart of Insurance Quotes for the statistic and the awesome video. We love you Emily :)
President Obama & Congress Will Issue Long Awaited Executive Cyber Security Order
Last week we reported that Pentagon has declared that they are moving toward a major expansion of its cyber security force to counter increasing attacks on the nation’s computer networks, as well as to expand offensive computer operations on foreign adversaries. Just one week after this declaration another crucial movement came from the U.S. government. A secret legal review on the use of America’s growing arsenal of cyber weapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad. According to sources President Barack Obama will issue a long-awaited cyber security executive order this week. Two former White House officials told the publication that the order is expected to be released after Tuesday night's State of the Union address.
Given his status as commander-in-chief, Obama seems to be the clear choice, but since cyber warfare is such a new and unknown thing, the government hasn't actually figured out the rules of engagement yet. In the past couple of decades, the power to use America's cyber weapons has been shared between the Pentagon and the various intelligence agencies. With the exception of a series of strikes on the computer systems that run Iran's nuclear enrichment facilities an attack that Obama ordered himself the U.S. hasn't launched any major cyber attacks in recent memory, however. This probably won't be the case in the future. So the government is working on new rules of engagement, as it realizes that the capabilities of cyber weapons are evolving at a startling rate. The rules will be not unlike the set that governs how drone attacks are ordered and who orders them. Cyber warfare certainly stands to affect the average American more, though. On Capitol Hill this week, Rep. Dutch Ruppersberger (D-Md.) and Rep. Mike Rodgers (R-Mich.) are set to reintroduce the Cyber Intelligence Sharing and Protection Act (CISPA) during a speech at the Center for Strategic and International Studies.
According to an exclusive report the bill would allow the government to share classified cyber threats with the private sector so that those companies can then protect their systems from cyber attacks. The bill was killed last year due to privacy concerns. Civil-liberty groups argued that the bill allows companies to exchange too much personal information back and forth without regulation.
Pentagon Assigning More Experts to Boost Cyber Security & Protect U.S. Computer Networks
Cyber security has become one of the most sophisticated area of National security and defense, and in order to implement that Pentagon has increased their estimated expense on cyber security. And this deceleration has been made while publishing the budget late in last year. Now that implementation is getting executed as the Pentagon is moving toward a major expansion of its cyber security force to counter increasing attacks on the nation’s computer networks, as well as to expand offensive computer operations on foreign adversaries. This confirmation has came from defense officials. The expansion would increase the Defense Department’s Cyber Command by more than 4,000 people, up from the current 900, an American official said. Defense officials acknowledged that a formidable challenge in the growth of the command would be finding, training and holding onto such a large number of qualified people. The Pentagon “is constantly looking to recruit, train and retain world class cyberpersonnel,” a defense official said Sunday.
As part of the expansion, officials said the Pentagon was planning three different forces under Cyber Command: “national mission forces” to protect computer systems that support the nation’s power grid and critical infrastructure; “combat mission forces” to plan and execute attacks on adversaries; and “cyber protection forces” to secure the Pentagon’s computer systems. Cyber Command’s connections to the NSA are also leading some officials to ask how much of the expansion will be focused domestically, especially considering the opening of the NSA’s new, $2 billion Utah Data Center, scheduled to go live later this year. An unnamed "senior defense official" said that the agency’s efforts would remain focused outside US networks, unless it were asked to assist "another agency with domestic authority, such as the FBI." There is significant overlap between Cyber Command and the NSA — until recently, some employees of the former had nsa.gov email addresses, for instance — and there is some doubt that the nascent offshoot of US Strategic Command will be able to achieve true independence under NSA Director Alexander.
Pwn2Own 2013 -Hack Major Web-browser, Adobe Reader, Flash or Java & Earn in Million Dollars
Since the last two years the Pwn2Own hacker contest has become an important fixture in the world of testing the security of software applications, operating systems and hardware devices. In last two years we have seen several hackers, security professionals have expressed their enthusiasm and joined Pwn2Own where four major and widely browser's security get compromised, in order to make applications, software more safe and secure. Last year we have reported how different hackers across the globe taken part in Pwn2Own and successfully hacked Google Chrome, IE & Firefox, and earned millions of dollars. But the contest of this year has some more twist than before as, HP TippingPoint and Google, sponsor of Pwn2Own, has made clear that it is expanding the focus of the competition beyond browsers. Also, Pwn2own 2013 will include $560,000 in prize money for demonstrations of exploits in the major web browsers, Adobe Reader, Adobe Flashor Oracle Java.
Contest Dates:-
The contest will take place the 6th, 7th, and 8th of March in Vancouver, British Columbia during the CanSecWest 2013 conference. DVLabs blog post will be updated as the contest plays out and get real-time updates by following either @thezdi or @Pwn2Own_Contest on Twitter or search for the hash tag #pwn2own.
Rules & Prizes:-
HP ZDI is offering more than half a million dollars (USD) in cash and prizes during the competition for vulnerabilities and exploitation techniques in the below categories. The first contestant to successfully compromise a selected target will win the prizes for the category.
Web Browser
Google Chrome on Windows 7 ($100,000)
Microsoft Internet Explorer, either
IE 10 on Windows 8 ($100,000), or
IE 9 on Windows 7 ($75,000)
Mozilla Firefox on Windows 7 ($60,000)
Apple Safari on OS X Mountain Lion ($65,000)
Web Browser Plug-ins using Internet Explorer 9 on Windows 7
Adobe Reader XI ($70,000)
Adobe Flash ($70,000)
Oracle Java ($20,000)
The targets will be running on the latest, fully patched version of the Windows 7, 8, and OS X Mountain Lion. All targets will be installed in their default configurations, as this is how a majority of users will have them configured. As always, the vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. A given vulnerability may only be used once across all categories.
Upon successful demonstration of the exploit, the contestant will provide HP ZDI a fully functioning exploit and all the details of the vulnerability used in the attack. In the case that multiple vulnerabilities were exploited to gain code execution, details about all the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prize money. The initial vulnerability utilized in the attack must be in the registered category.
Along with prize money, the contestant will receive the compromised laptop and 20,000 ZDI reward points* which immediately qualifies them for Silver standing.
Contestants are asked to pre-register by contacting ZDI via e-mail at zdi@hp.com. This will allow the organizer to ensure that they have the necessary resources in place to facilitate the attack. If more than one contestant registers for a given category, the order of the contestants will be drawn at random.
EU Opens The Door of European Cybercrime Centre (EC3) To Protect Europe From Cyber Threat
We all are aware of FBI's Internet Crime Complaint Center also known as IC3, which is protecting U.S. citizen from cyber criminals and attacks. But the cyber world is not limited to U.S. so as cyber criminals, and to get rid of this and while protecting every countries digital fence safe and secure there need to be organizations like IC3. All the growing and developing countries across the globe are in rush to ensue maximum digital and cyber security. This same rush and impact also applies for Europe countries and the result is in front of us. As the fight against cyber crime in Europe has got a new home. The European Cybercrime Centre (EC3) officially open its doors from this January 11, at the European Police Office, Europol in the Hague. In the middle of last year European Commission declared that are preparing a cybercrime center to fight against cyber threats. And after an effort of six months they made it possible and live for the people of Europe. Such organization will surely enhance the cyber security of European countries. In the official press release EUROPA said "EC3 will be up and running to help protect European citizens and businesses from cyber-crime."
EC3 officially commenced its activities on 1 January 2013 with a mandate to tackle the following areas of cybercrime:
That committed by organised groups to generate large criminal profits such as online fraud
That which causes serious harm to the victim such as online child sexual exploitation
That which affects critical infrastructure and information systems in the European Union
According to the press release of European Commission - "The Cybercrime Centre will give a strong boost to the EU's capacity to fight cybercrime and defend an internet that is free, open and secure. Cybercriminals are smart and quick in using new technologies for criminal purposes; the EC3 will help us become even smarter and quicker to help prevent and fight their crimes", said Commissioner Malmström.
"In combatting cybercrime, with its borderless nature and huge ability for the criminals to hide, we need a flexible and adequate response. The European Cybercrime Centre is designed to deliver this expertise as a fusion centre, as a centre for operational investigative and forensic support, but also through its ability to mobilise all relevant resources in EU Member States to mitigate and reduce the threat from cybercriminals wherever they operate from", said Troels Oerting, Head of the European Cybercrime Centre
Investigations into online fraud, child abuse online and other cybercrimes regularly involve hundreds of victims at a time, and suspects in many different parts of the world. Operations of this magnitude cannot be successfully concluded by national police forces alone.
The opening of the European Cybercrime Centre (EC3) marks a significant shift in how the EU has been addressing cybercrime so far. Above all, the approach of the EC3 will be more forward-thinking and inclusive. It will pool expertise and information, support criminal investigations and promote EU-wide solutions.
The EC3 will focus on illegal online activities carried out by organised crime groups, especially attacks targeting e-banking and other online financial activities, online child sexual exploitation and those crimes that affect the critical infrastructure and information systems in the EU.
The Centre will also facilitate research and development and ensure capacity building among law enforcement, judges and prosecutors and will produce threat assessments, including trend analyses, forecasts and early warnings. In order to dismantle more cybercrime networks and prosecute more suspects, the EC3 will gather and process cybercrime related data and will provide a Cybercrime Help desk for EU countries' law enforcement units. It will offer operational support to EU countries (e.g. against intrusion, fraud, online child sexual abuse, etc.) and deliver high-level technical, analytical and forensic expertise in EU joint investigations.
For Detailed Information Please Visit The Official Website of Europol's EC3
SQL InjectionVulnerability Affected All Versions of Ruby on Rails (CVE-2012-5664)
Developers at Ruby on Rails are warning its users regarding a Sql Injection flaws which has affected all the current version of Ruby on Rails web framework. While exploiting the vulnerability an attacker can inject and even execute malicious codes into the web application. "Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL," explained the Rails framework's developers. As soon as this vulnerability has been spotted in the wild, the maintainers of Ruby on Rails have released new versions that addresses the flaw, versions 3.2.10, 3.1.9 and 3.0.18. In their advisory Ruby on Rails team recommends that users running affected versions, which is essentially anyone using Ruby on Rails, upgrade immediately to one of the fixed versions mentioned earlier. "We're sorry to drop a release like this so close to the holidays but regrettably the exploit has already been publicly disclosed and we don't feel we can delay the release," Rails developer concluded.
The original problem was disclosed on the Phenoelit blog in late December where the author applied the technique to extract user credentials from a Ruby on Rails system, circumventing the authlogic authentication framework. While talking about the vulnerability discloser of Ruby on Rails, we would like to remind you that, this is not the first time, earlier in 2012 a Russian security researcher named Homakov has found that Github has succumbed to a public key vulnerability in Ruby on Rails which is allowing a normal user to gain administrator access into the popular Rails Git.
Brief About Ruby on Rails:- Ruby on Rails, often shortened to Rails, is an open source full-stack web application framework for the Ruby programming language. Ruby on Rails runs on the general-purpose programming language Ruby, which predates it by more than a decade. Rails is a full-stack framework, meaning that it gives the web developer the ability to gather information from the web server, talk to or query the database, and render templates out of the box. As a result, Rails features a routing system that is independent of the web server. Ruby on Rails emphasizes the use of well-known software engineering patterns and principles, such as Active record pattern, Convention over Configuration, Don't Repeat Yourself and Model-View-Controller.
Microsoft Security Advisory (2794220) Remote Code ExecutionVulnerability in Internet ExplorerFixed
The Redmond based software giant Microsoft issued an urgent security advisory to address vulnerabilities in its popular web-browser that is Internet Explorer. Few of days new “zero day” security hole in IE was discovered which could potentially allow hackers to take over control of your system when all you've done is visit an infected website. The vulnerability affects IE versions 6, 7 and 8. Though the latest versions of the browser, that means IE 9 and 10, are not affected. “An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.” Microsoft said in its statement. The statement went on to say, “an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability.”
On its advisory Microsoft first issued warning of the problem, which involves how IE accesses "an object in memory that has been deleted or has not been properly allocated." The problem corrupts the browser's memory, allowing attackers to execute their own code. Security vendor Symantecdescribed such a scenario as a "watering hole" attack, where victims are profiled and then lured to the malicious site. Last week, one of the websites discovered to have been rigged to delivered an attack was that of the Council on Foreign Relations, a renowned foreign policy think tank.
While talking about IE and its bugs, then we would like to remind you that couple of weeks ago, Spider.io a website analytics firm has discovered a security vulnerability in all current versions of Internet Explorer that allows attackers to trace mouse cursors anywhere on users' screens even if the Internet Explorer window is minimized. That time the software giant ignored that particular issue. But here they take this one bit seriously; So if you still using the older and affected version of IE, then its time to update your browser, in order to stay safe and secure on the Internet. To update your browser or to access the security fix click Here.
‘Pervasive Vulnerability’ Found in The Robotic Aircraft of Drone Fleet
Unmanned aerial vehicle (UAV), widely known as a drone has always been gone through with several controversies in case of both defense and cyber security. Yet again several question arises regarding the security system and the control algorithms of drone. According to the Pentagon’s premier science and technology division a a “pervasive vulnerability”have been found in the robotic aircraft of drone. The control algorithms for these crucial machines are written in a fundamentally insecure manner, says Dr. Kathleen Fisher, a Tufts University computer scientist and a program manager at the Defense Advanced Research Projects Agency. There’s simply no systematic way for programmers to check for vulnerabilities as they put together the software that runs our drones, our trucks or our pacemakers.
In our homes and our offices, this weakness is only a medium-sized deal: developers can release a patched version of Safari or Microsoft Word whenever they find a hole; anti-virus and intrusion-detection systems can handle many other threats. But updating the control software on a drone means practically re-certifying the entire aircraft. And those security programs often introduce all sorts of new vulnerabilities. “The traditional approaches to security won’t work,” Fisher tells Danger Room.
Fisher is spearheading a far-flung, $60 million, four-year effort to try to develop a new, secure way of coding and then run that software on a series of drones and ground robots. It’s called High-Assurance Cyber Military Systems, or HACMS. For detailed information about this story click Here.
While talking about drone and its security we would like to give you reminder that in 2011 we came to know that a stealthy key-logger has hit the U.S. Drone logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other war zones. Later Iran took responsibility of that cyber attack. Also in 2012 drone was in controversy where researcher have figured out that drone fleets are vulnerable to GPS spoofing and it can be hijacked by any malicious attacker or terrorist.
'Indian OS'DRDO Introducing It's Own Operating System to HardenCyber Security
On the 3rd Worldwide Cyber security Summit, Telecom and IT Minister of India, Kapil Sibal said the Indian Government will invest $200 million in coming 4 years. This high tech plan of Indian govt in now getting executed, as Defence Research and Development Organisation (DRDO) along-with other premier institutes is developing India's own operating system (OS), which is likely to be ready in next three years. One of the key purpose of developing this operating system named "Indian OS" to enhance cyber security and strengthen the cyber and digital fence of India. In September the Prime Minister of India Dr. Manmohan Singh said the government is working on a robust cyber security structure, and this project of introducing the own and secure OS can be calculated as one of the very major part of that very robust cyber security system.
Speaking to newsmen on sidelines of NAVCOM-2012', two-day international conference on Navigation and Communication that began here, Saraswat, Scientific Adviser to Defence Minister, said, "We have already started a major programme and are one-and-half-years into that programme. It (Indian OS) is a major effort requiring large number of software engineers working together." In his speech the Director-General of DRDO said "One of the major elements of cyber security is having our own operating system because today we are dependent on all OS systems which are imported whether it is based on Windows, Linux which is likely to be having malicious worms/things and hence it is essential that we have our own OS"
He also said that 150 engineers were working across the country on creating Indian OS, and added it will take at least three more years for getting the Indian OS ready.
So, till that time being, we have to keep patience and wait. We the Team VOGH congratulates DRDO for making such a fruitful Operating System (Indian OS). We strongly believe that day by day the cyber fence of India will be safer and secure. Along with this, the Indian OS will definitely strengthen the nation's cyber security.
Oracle Released Java 7 update 10 With Security Enhancements & Bug Fixes
This is the third time in a year when Oracle has updated the standard edition of Java platform. This release includes new security controls in addition to a bug fix and updated timezone data. This latest update also contains a number of security enhancements and is now certified for Mac OS X 10.8 and Windows 8. The security enhancements include the ability to disable any Java application from running in the browser and the ability to set a desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications. While keeping in mind the last security issues with Java, in the press release of this Java update Oracle said "if the JRE is deemed expired or insecure, additional security warnings are displayed. In most of these dialogs, the user has the option to block running the app, to continue running the app, or to go to java.com to download the latest release."
Security Feature Enhancements
The JDK 7u10 release includes the following enhancements:
The ability to disable any Java application from running in the browser. This mode can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.
The ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. Four levels of security are supported. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.
New dialogs to warn you when the JRE is insecure (either expired or below the security baseline) and needs to be updated.
The following are some of the notable bug fixes included in JDK 7u10.
Area:java command
Description:Wildcard expansion for single entry classpath does not work on Windows platforms.
The Java command and Setting the classpath documents describe how the wildcard character (*) can be used in a classpath element to expand into a list of the .jar files in the associated directory, separated by the classpath separator (;).
This wildcard expansion does not work in a Windows command shell for a single element classpath due to the Microsoft bug described in Wildcard Handling is Broken.
Internet ExplorerVulnerability Allowing Hackers to Track Your Mouse Cursor, Still Microsoft is Apathetic
Yet again MicrosoftInternet Explorer have fallen victim in front of hackers. Spider.io a website analytics firm has discovered a security vulnerability in all current versions of Internet Explorer that allows attackers to trace mouse cursors anywhere on users' screens even if the Internet Explorer window is minimized The vulnerability is particularly troubling because it compromises the security of virtual keyboards and virtual keypads. Spider.io said -The vulnerability is notable because it compromises the security of virtual keyboards and virtual keypads.
As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software. An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit. This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month. As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimize Internet Explorer—your mouse cursor can be tracked across your entire display.
Vulnerability Disclosure Package: Microsoft Internet Explorer Affected: Tested on versions 6–10 BugTraq Link: seclists.org/bugtraq/2012/Dec/81
Spider.io has set a demo page to demonstrate how the vulnerability is working. According to sources, Microsoft Security Research Center has acknowledged the vulnerability, but unfortunate that Microsoft are not in a hurry to patch this vulnerability in existing versions of its popular browser. "There are no immediate plans to patch this vulnerability in existing versions of the browser." said MSRC
Hong Kong Govt Opens a New Cyber Security Center Worth $9 Million
Now a days cyber attack has became one of the most challenging issue for almost every country and its Government. Previously we have seen cyber awareness were mainly limited to the first world countries like USA, England, Australia and few other European countries. While keeping in mind the rising amount of cyber threats and its output, now both second world and the third world countries have also taken this issues very seriously. To get rid of this burring challenge and to make it's cyber fence safe and secure The Hong Kong Govt launched a Cyber Security Center on December 7 to enhance the city’s internet security and protection of critical infrastructure, and strengthen the defense against cyber-attacks. Hong Kong Govt has spent HK$9 million (£730,000) for this new Cyber Security Center in a bid to tackle the growing threat to critical infrastructure in the Special Administrative Region of China. The Center which will operate under the Technology Crime Division of the Commercial Crime Bureau, will start with a force of 27 police personnel, ranking from Police Constable to Chief Inspector. “The incidence of cyber-attacks is increasing,” said Tsang Wai-hung, Commissioner of Police, during the inauguration ceremony of the Center “Police recognize the need to respond to the worldwide cyber crime phenomenon, particularly cyber-attacks aimed at critical infrastructures, by enhancing our readiness and capability to counter such threats.
So far the Cyber Security Center has been given four main responsibilities as follows:-
It will strengthen collaboration with other government departments and stakeholders, both local and overseas, concerning cyber-attacks against critical infrastructures.
It will monitor the flow, but not the content, of data traffic of major infrastructure systems.
The Center will collect intelligence to analyse cyber-attacks, and provide an immediate response when necessary.
The Center will conduct research into cyber security and cyber-attacks, and perform security audits to maintain the protection of Hong Kong.
In addition to these key responsibilities, the Center will support the daily operations of the Technology Crime Division in the prevention and detection of technology crimes.
