Information Security Blog | Cyber Security Blog

Sreejith C


SWIFT has issued its first-ever information security guidance to banks, telling them to get their act together.

The guidance was issued as finger-pointing has intensified over who's responsible for the failures that led to the theft of $81 million from the Bangladesh central bank's New York Federal Reserve account in February.

Bangladeshi police have publicly blamed Brussels-based SWIFT, a bank-owned cooperative founded in 1973, for introducing vulnerabilities into its IT infrastructure that attackers later exploited. But SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication, says in a statement that those are "baseless allegations" and that the bank is responsible for the security of all systems that interface with its network, "starting with basic password protection practices."

As part of the audacious online heist - one of the largest in history - hackers attempted to transfer $1 billion out of Bangladesh Bank's account at the Federal Reserve Bank of New York and successfully transferred about $100 million. Most of that money was then laundered via casinos in the Philippines and disappeared, investigators say, although about $20 million has since been recovered.

SWIFT Guidance

In the wake of the theft, SWIFT acknowledged that Bangladesh Bank wasn't the first user to be targeted with malware that was designed to subvert the cooperative's messaging platform (see SWIFT Confirms Repeat Hack Attacks).

And for the first time in the cooperative's history, earlier this month SWIFT issued information security guidance to all of its users, urging them to review their security policies and procedures, Reuters reports. "SWIFT is not, and cannot, be responsible for your decision to select, implement (and maintain) firewalls, nor the proper segregation of your internal networks," according to a copy of the letter, dated May 3, and shared by a bank with Reuters for review on May 10.

"As a SWIFT user you are responsible for the security of your own systems interfacing with the SWIFT network and your related environments," the letter says. "We urge you to take all precautions."

SWIFT confirmed the authenticity of that report but declined to share a copy of the letter.

Greater Cooperation Pledged

Bangladesh officials had previously stated that they believe the New York Fed and SWIFT share at least some responsibility for the February attacks. Of 35 transfer orders created by the hackers and submitted to the New York Fed, the Fed stopped most for being suspicious, but did let five through.

But on May 10, representatives from SWIFT met with the Bangladesh Bank, including its governor, and the New York Fed, including its president, to discuss the February attack, and they agreed to work more closely together. "The parties also agreed to pursue jointly certain common goals: to recover the entire proceeds of the fraud and bring the perpetrators to justice, and protect the global financial system from these types of attacks," the three parties said in a jointly issued statement.

Although FBI investigators now suspect that at least one bank employee acted as an accomplice, Bangladesh Bank officials say they have received no related intelligence from the bureau.

Meanwhile, an investigation by digital forensic investigation firm FireEye, which was hired by the bank to investigate the breach, found evidence that three different hacking groups had penetrated the bank's system, Bloomberg reports. Two of those groups have suspected ties to nation states - one to North Korea, the other to Pakistan - but FireEye said it suspects that a third, as yet unidentified group of hackers committed the heist.

FireEye didn't immediately respond to a request for comment about that report.


Drone Tracker

Wednesday, 25 May 2016 05:30

Camera drones certainly are growing in popularity -- or further polluting the sky, depending on your perspective. A new model plans to follow your every move, thanks to a tracker on your wrist.

After you throw Lily, it will fly up to 50 feet in the air and 100 feet away from you, knowing where you are and keeping its lens focused on whatever you're doing. A smartphone app helps you adjust the camera angle, and Lily itself has two cameras to boost the number of possible angles.

Lily also uses an accelerometer on the tracker to recognize when your motion shifts suddenly -- like if you're a BMX addict jumping off a ramp -- and will momentarily switch to slow motion footage to give your moment of glory a little more shine. Rad.

I would have loved to have something like Lily when I walked in the Scottish Highlands to capture myself in the majesty of that natural beauty -- well, at least in the early part of the trek, before every step felt like the last I'd ever take.

We've seen auto-follow drones before, and the Nixie is certainly more portable -- and perhaps more practical, since it wraps around the owner's wrist when not in use. Also, there's no collision detection in Lily, so it might not be best suited to parkour aficionados.

Lily is an impressive little package, though, and I want one. Thanks to the apparent robustness, waterproofing, and adorable Wall-E-style "face," I have a gut feeling this will be the first commercial drone to really, er, take off.


Fake Chargers can be risky!!

Wednesday, 25 May 2016 05:30

Phones, MP3 players, designer bags, artwork, money... anything with value will bring out the counterfeiters looking to make a quick buck. Sometimes the product being counterfeited isn't even necessarily expensive. For example, an Apple iPad charger: [Ken] got hold of a counterfeit iPad charger, took it apart, and did some testing.

So why would someone buy a counterfeit product? To save some money! The counterfeits are usually priced cheaper to reel the potential buyer in, making them think they are getting a deal. In this case, the Apple product costs $19 and the knock-off is $3; that's a huge difference.

A charger has one function: take household AC voltage and convert it to the 5V DC the device can use. [Ken] measured a few aspects of the electrical output of these two chargers. The Apple charger's output is narrow and flat, while the counterfeit's has a huge amount of noise. [Ken] actually had to change the scale on the 'scope when measuring the counterfeit's voltage, so its output is actually twice as bad as it looks visually. The orange lines show the frequency spectrum of the output; lower is better. Overall, the counterfeit's noise is much higher, with a consistent spike at the switching frequency.

[Ken's] article is extremely detailed and contains a lot of photos of the inside of both chargers, so head over and check it out. You'll be able to see where the knock-off cut corners to keep the price down. If you are interested in more counterfeit Apple chargers, check out the investigation that the Raspberry Pi Foundation did.


Allo to soon hit the market - Google's chatting app

Monday, 23 May 2016 05:30

With the announcement of Google's new communication tool Allo, Google is reclaiming its profile in the messaging app space.

Facebook owns WhatsApp and Messenger, Apple has Messages, and Microsoft has Skype. What separates the new messaging app Allo from all the others? That it is exclusively Google’s creation.

Previously, Google has offered messaging apps like Google Messenger and Hangouts, but Allo goes several steps further. Because artificial intelligence technologies already support numerous Google services, with Allo you can chat with other people while using the search engine. For example, you can buy your girlfriend Coldplay tickets while you respond to her text, "I can't believe you forgot my birthday," to make up for the fact that you did forget her birthday.

Allo's Smart Reply feature auto-generates replies for the user by recognizing and analyzing common phrases and frequently shared pictures. The same machine-learning network that powers Google Photos makes this possible. It suggests answers you can simply tap instead of typing them out.

The app is powered by Google’s AI chat bot Google Assistant and Google’s Knowledge Graph.

"The new conversational interface you can use to get information from Google. You can set up a conversation with @google and ask it all sorts of questions. It'll respond with the information you've come to expect from typing into a Google search box — but it'll also engage in a bit of a conversation with you. It'll suggest further searches, and give you ways to do things that Google can do — like book a table with OpenTable.

"And Google's chat bot is smarter than other chat bots. It has the power of Google's Knowledge Graph, which understands many thousands of 'entities' and how they relate to each other. So you can ask more complicated questions that couldn't be resolved just by crawling the web. And if you get bored, you can ask @google to start a game like 'guess the movie based on a string of emoji.'"