
India routinely intercepts internet communications of several large ISPs


September 9, 2013

India's government authorities are carrying out wide-ranging and indiscriminate internet surveillance of their citizens with the help of secret communications snooping systems located at the international gateways of several of the country's large ISPs, according to The Hindu newspaper.

The Chennai-based paper claims that its investigation found Lawful Intercept and Monitoring (LIM) systems had been deployed by the Centre for Development of Telematics (C-DoT), in violation of the government's own communications and privacy rules.

The LIMs are fully owned and operated by the government, unlike similar systems deployed by mobile operators which have to comply with Section 5 (2) of the Indian Telegraph Act and Rule 419 (A) of the IT Rules, it said.

Seven years ago, the government of India apparently released “Instructions for ensuring the privacy of communications”, which forced all ISPs to employ “nodal officers” to regularly liaise with the authorities on interception requests.

But in reality, just a few ISPs have such staff and the LIMs are operated without any consultation with them in any case, The Hindu suggests.

As a result, no ISP contacted by the paper was able to confirm if it had ever received an authorization letter for the monitoring of internet content or not.

The LIMs in question are apparently installed between the edge router and core network and have 100 percent indiscriminate access to the online activity of India’s 160 million internet users with an “always live” link, so spooks can operate without legal oversight or ISP knowledge.

The government authorities are therefore able to monitor not just by email address, URL or IP address but by broad keywords or text searches, the paper added.

Overall, no less than nine security agencies are apparently involved in the scheme including the Intelligence Bureau (IB) and the Research and Analysis Wing (RAW).

The Indian government wasn't able to provide any clarity around who, if anyone, sends the interception requests, or who authenticates them and implements the system.

The news comes as New Delhi finalizes a much more widely publicized surveillance system, the Rs.4 billion Centralized Monitoring System (CMS).

The CMS, which has been branded as chilling by Human Rights Watch and is the subject of a popular Stop ICMS campaign, has hit several delays due to missing software and gaps in its coverage, but is expected to be pushed through, nevertheless.

The Indian government has shown itself to be pretty uncompromising when it comes to matters of "national security", as BlackBerry can attest after its long battle in 2011 over providing spooks with access to customer communications in and out of the country.

In other internet security news

Kaspersky Lab just reported what appears to be the first sighting of mobile malware that piggybacks on a separate mobile botnet and uses the resources of other malware once it's installed. For now, the malware only seems to affect smartphones running Android.

"For the first time, malware is being distributed using mobile botnets that were created using completely different malware," said Kaspersky Lab expert Roman Unuchek in a filed report.

The malware is actually a trojan called Obad.a, which the company has already branded the most sophisticated mobile worm it has spotted so far.

For now, it comes in about twelve flavors and usually spreads via SMS, hacked app websites, or the dodgier end of the Android market scene.

Now it appears that the Obad boys have teamed up with the makers of malware called Opfake.a, which uses a separate method of propagation by exploiting a security hole in Google Cloud Messaging (GCM).

GCM was designed to ping out updates and repair phone settings remotely, and allows the sending of 4 KB messages to anyone using a specific mobile app.

And Kaspersky Lab has discovered more than a million installers of Opfake in circulation to date. The code sets up a backdoor communications channel to C&C servers, then starts pinging out premium text messages, stealing contacts, and spamming itself outwards. But now, some copies are carrying Obad as an extra payload, further complicating matters for mobile users.

Once Opfake is installed, it uses GCM to send out an update notification. In one case, 600 were sent in just a few hours and loaded Obad.a under the names mms.apk or mmska.apk.

Once installed, the pernicious malware gains Device Administrator privileges and hides itself from file searches, before contacting its C&C servers and spamming itself out in a splurge of activity.

"These peaks are the result of using third-party botnet resources, i.e. mobile devices infected with other malware," said Unuchek. "That means that the owners of Backdoor.AndroidOS.Obad.a not only command their own software to spread itself, they also take advantage of Trojans operated by other cybercriminals as well."

The Obad payload isn't carried on all Opfake samples, and Unuchek concludes that the malware team "rented part of a mobile botnet to spread their brainchild."

So far, 83 percent of Obad infections have come from Russia, with outbreaks reported in Kazakhstan, Uzbekistan, Belarus, and Ukraine.

After consultations with Google, Kaspersky reports that the security hole that allows Obad to embed itself has been patched, but only in the Android 4.3 build, meaning that unless you have one of a very few Nexus devices, you're wide open to several attacks.

In other internet security news

New hacking software has just been discovered that's linked to several attacks against governments and organizations involved in high-tech industries such as space exploration and nuclear power.

The malware, known as NetTraveler, has been adapted to exploit a recently patched Java security flaw as part of a watering-hole-style attack, in which compromised websites redirect victims to an attack site hosting exploit code and viruses.

The latest variants of the malware, which surfaced a few days ago, appear to be targeting dissident Uyghur activists from China, internet security firm Kaspersky Lab warns.

The company was first to warn about the cyber attack back in June but subsequent checks revealed that the malware has been silently doing the rounds since 2004!

NetTraveler (also known as “Travnet”, “Netfile” or Red Star APT) is an advanced persistent threat that has infected hundreds of high profile victims in more than forty countries. Known targets of NetTraveler include Tibetan/Uyghur activists, oil industry companies, scientific research centres and institutes, universities, private companies, governments and their institutions, embassies and military contractors.

Immediately after the public exposure of NetTraveler's operations in June 2013, the attackers shut down all known command-and-control systems and moved them to new servers in China, Hong Kong and Taiwan.

After the switch, the attacks continued more or less unabated. Over the last few days, several spear-phishing emails were sent to multiple Uyghur activists. The Java exploit (CVE-2013-2465) used to distribute this new variant of the Red Star APT was only patched by Oracle less than two months ago.

Earlier attacks have used Office exploits (CVE-2012-0158) that were patched by Microsoft in April of last year.

More details on the evolution of the threat can be found in a blog post by Costin Raiu, director of global research at Kaspersky Lab.

The Uyghur community is an ethnic group who mostly live in Eastern and Central Asia. The community has long desired independence, or at the very least greater autonomy, from Chinese rule.

In other internet security news

Citadel, the nasty botnet at the very heart of a widely criticized takedown by Microsoft in June of this year, has made a comeback and it's stealing banking credentials again, this time mostly from Japanese users, according to Trend Micro.

The security vendor claims to have found at least nine IP addresses, mostly located in Europe and the United States, functioning as the botnet’s command and control servers.

About 96 percent of the overall connections to these C&C servers come from Japan, indicating that most of the banking Trojan infections are from that country alone, suggested Trend Micro.

The security firm added the following in a blog post: "During a six-day period, we detected no less than 20,000 unique IP addresses connecting to those infected servers, with only a very minimal decrease from beginning to end. This means that there is still a large number of infected systems stealing online banking credentials and sending them to the cybercriminals responsible for the botnet."

The banks and financial institutions targeted in this campaign have already released warnings and advisories to their customers regarding the attack itself.

Users are reminded to read those warnings properly before logging into their online banking accounts. As well as Japanese financial and banking organizations, the botnet has also been targeting popular webmail services such as Gmail, Hotmail and Yahoo Mail, Trend Micro added.

Overall, Citadel was the subject of Operation B54, what Microsoft described back in June as its "most aggressive botnet operation to date".

Working closely with the FBI, financial institutions and other technology firms, Microsoft said it disrupted some 1,400 botnets associated with the Trojan malware, which still managed to grab more than $500 million from several bank accounts around the globe.

But the initiative was slammed by the security community after Microsoft allegedly seized hundreds of domains as part of its swoop which were already being sinkholed by researchers to find out more about the botnet.

Additionally, British security vendor Sophos claimed at the time that the takedown wasn’t nearly as successful as was initially made out.

Threat researcher James Wyke said in a blog post that only half of the 72 Citadel C&C servers Sophos was tracking appeared on Microsoft’s list.

Worse, about 21.4 percent of those on Microsoft’s list failed to point to a sinkhole, implying “either that the sinkholing was unsuccessful or that the domains have already been re-appropriated by the Citadel botnet owners”, he added.

“Overall, takedown efforts such as this can provide immediate benefit to the public by effectively disabling the control channels used to administer a very dangerous piece of Trojan or malware,” said Wyke.

“But the long-term effect of this particular takedown on Citadel is unlikely to be significant. It looks as though many of the botnets weren't knocked out, and rebuilding those that were taken down will not take too long, I would say.”

It now appears that those concerns were well founded. We will keep you updated on this and on other stories.

In other internet security news

Over the weekend, internet users in China were met with very slow response times or no response at all as the country's .cn domain extension came under severe DDoS (distributed denial of service) attacks from many parts of the world.

The attacks were the largest of their kind ever in the history of that country's internet communications, according to the China Internet Network Information Center, the state agency that manages the .cn country TLD (top level domain).

The attacks came in two waves, the first at around 2 AM Sunday and the second at 4 AM. The second attack was long-lasting and large-scale, according to state media, which said that internet service was slowly being restored in some parts of the country.

Official state media said the attacks targeted websites with the .cn country domain, as well as the popular microblogging site Sina Weibo.

Distributed Denial of Service (DDoS) attacks aren't technically hack attempts per se, since they can be done without breaking into any server systems.

Typically, DDoS attacks overwhelm a website's servers by flooding them with hundreds of thousands of requests per minute. That makes websites either unreachable, extremely slow or unresponsive.

To bring down larger sites, attackers will sometimes organize large numbers of infected computers to send requests all at once.
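The flood described above shows up in a web server's own access logs long before anyone reads a CNNIC statement. The following Python script is an added illustration, not code from the original article or from any vendor named on this page: it parses combined-format access-log lines, counts requests per source in a sliding one-minute window, and also tracks the aggregate rate across all sources, because a flood spread across many infected machines (as in the last paragraph) can stay below any per-source threshold. The log lines, addresses (RFC 5737 documentation ranges) and thresholds are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-format access-log line (Apache/nginx style); a different log format needs a different pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def find_flooders(lines, window=timedelta(minutes=1), threshold=120):
    """Per-source sliding-window count.

    Returns {ip: peak requests seen within one window} for every source that
    reached the threshold; threshold and window are assumed tuning values.
    """
    recent = defaultdict(deque)
    peak = {}
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    for ip, ts, _, _ in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and len(q) > peak.get(ip, 0):
            peak[ip] = len(q)
    return peak


def aggregate_peak(lines, window=timedelta(minutes=1)):
    """Peak request count in any window across all sources.

    This catches a flood spread over many bots, each of which sends too few
    requests to trip the per-source threshold.
    """
    q = deque()
    peak = 0
    for ts in sorted(e[1] for e in map(parse_line, lines) if e):
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak = max(peak, len(q))
    return peak


def build_sample_log():
    """Constructed sample traffic: one benign client, one single-source flood,
    and 50 bots sharing the load so that no single bot looks noisy."""
    base = datetime(2013, 8, 25, 2, 0, 0, tzinfo=timezone(timedelta(hours=8)))
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120'

    def line(ip, offset, path="/"):
        return fmt.format(ip=ip, ts=(base + offset).strftime(TS_FMT), path=path)

    lines = [line("198.51.100.7", timedelta(seconds=90 * i)) for i in range(5)]  # benign: one request per 90 s
    lines += [line("203.0.113.9", timedelta(milliseconds=100 * i)) for i in range(300)]  # 300 requests in 30 s
    for j in range(50):  # 50 bots, 4 requests each, all inside the same minute
        lines += [line(f"192.0.2.{j + 1}", timedelta(seconds=j % 30 + 7 * k), "/index.html") for k in range(4)]
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("per-source flooders:", find_flooders(log))
    print("peak requests in any one-minute window:", aggregate_peak(log))
```

On the constructed sample, the per-source check flags only 203.0.113.9, while the aggregate check reports a peak of 501 requests in one minute, two hundred of which came from bots that individually sent four requests each. In production the same two counters are what a rate-limiting proxy or an upstream scrubbing service keys on; the per-source view drives blocking decisions, the aggregate view drives capacity and alerting.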

Chinese authorities closely regulate content and websites available to internet users in the country. The restrictions are extremely sophisticated, leading some to call it "The Great Firewall."

It's still unclear whether the attack is related to political events in China, which appears to be in the midst of carrying out a big crackdown on internet dissent.

The Chinese government is also wrapping up the trial of former political kingpin Bo Xilai, leading some Web users in China to note the timing of the attack.

".Cn domain names under attack?," one user said on Weibo. "Saw this news and laughed. On every 'festive occasion' doesn't China's internet become paralyzed?"

Another user lodged a more practical complaint, noting that the sluggish internet would probably leave many Chinese without sleep.

In other internet security news

Microsoft's new Windows 8 operating system is so vulnerable to the average hacker that Germany's businesses and government workers should not use it, the country's top authorities have warned in a series of leaked documents.

According to several files published in the German weekly Die Zeit, the Euro nation's officials fear Germans' data is not secure thanks to the OS' Trusted Computing technology, a set of specifications and protocols that relies on every computer having a unique cryptographic key built into the hardware that's used to dictate what software can be run.

Authorities at Germany's Federal Office for Information Security (BSI) later clarified that it was the Trusted Computing specs in Windows 8 in conjunction with the Trusted Platform Module (TPM) chip embedded in the hardware that creates the alleged security issues.

BSI released a statement that backtracked slightly, insisting that using Windows 8 in combination with a TPM may make a system safer, but noting that it is investigating "some critical aspects related to specific scenarios in which Windows 8 is operated in combination with a hardware that has a TPM 2.0".

Trusted Computing is a controversial large set of specifications developed by a group of companies including AMD, Cisco, Fujitsu, Hewlett-Packard, IBM, Intel, Microsoft and Wave Systems Corp.

The technology is designed to stop the use of software and files that do not carry the correct digital rights permissions (thus protecting the property of the vendors behind the protocols), including "unauthorised operating systems" (a specific function of the much-maligned Secure Boot).

Microsoft argues that Secure Boot protects users from rootkits and other malware attacks. The set of permissions is automatically updated online, outside of the control of the user.

A machine that contains a Trusted Platform Module and runs software adhering to the Trusted Computing specifications is, arguably, under the control of the vendor, in this case Microsoft.


Source: The Hindu Newspaper.

Copyright © Internet Security.ca