Showing posts with label hacking. Show all posts

Friday, May 21, 2010

ICICI Bank phishing fraud case

The Adjudicator of Tamil Nadu jolted Indian Bankers out of their cozy slumber by his decision on April 12, 2010 in the case of Umashankar Sivasubramaniam Vs ICICI Bank. In this case, the adjudicator PWC Davidar held ICICI Bank liable to pay damages to the extent of Rs 12.85 lakh on an alleged "phishing" fraud incident involving fraudulent transfer of an amount of Rs 6.46 lakh. In the ICICI Bank phishing fraud case, the Adjudicator clearly documents reasons why he considers it necessary to hold the bank liable not only to repay the involved amount, but also interest and other expenses.

In my opinion, ICICI Bank should be glad that it escaped with only a financial liability instead of also being held liable for criminal liabilities under several sections of the Information Technology Act 2000 (ITA 2000) and the Indian Penal Code (IPC). There was (and still is) a possibility that criminal liabilities would have stuck on several officials of the bank for this phishing fraud incident, including Managers of two of its branches, the CISO, the Directors and the Chairman of the Bank, as well as resulted in jail sentences for the officials.
 
The ICICI Bank phishing fraud case judgment is a landmark judgment in India for several reasons, some of which can be highlighted here.

1. It is a revelation for many in India to realize that there is a judicial office called the "Adjudicator" which can deliver such decisions. Though Adjudicators have been in place for every State and Union Territory in India since March 25, 2003, few have recognized their presence and role. There have been hundreds of phishing fraud cases involving banks over the past few years in India, and a few customers have tried to take legal action for recovery of their losses. However, most phishing fraud victims have approached the Banking Ombudsman or consumer courts in the past. The ICICI Bank phishing fraud case was the first instance when a victim recognized the correct jurisdiction for such disputes, and approached the Adjudicator.

Read the complete article here.

Saturday, May 15, 2010

China reports millions of Conficker worm infections

China last year hosted more than one in four of the world's computers infected with a major variant of the Conficker worm, according to an official report, highlighting the wide reach of malware inside the country.

China had about 7 million Internet Protocol (IP) addresses infected with Conficker B at the end of last year, according to a recent annual security report posted on the Web site of China's National Computer Network Emergency Response Technical Team (CNCERT). The number of infections varied during the second half of the year, which the report covered, but was higher than 5 million during all but one week.

The huge figures gave China up to 28 percent of the world's Conficker B infections depending on the week, the report shows.

The controllers of Conficker so far have hardly used their network of infected computers, but they could potentially use it to launch a crippling denial-of-service attack by ordering all of the computers to contact a victim server at the same time.

Read the Complete Article here.

Monday, March 15, 2010

How to capture data from a remote computer?

Wireshark Remote Capturing


This short tutorial has no screenshots, but covers a slightly more advanced use case of Wireshark, namely doing the capture on one box and visualizing the captured data in real time on another box.


Preliminary


The following article describes the way I installed and used the software; I do not issue any guarantee that the same way works for you. You should have some basic knowledge of doing things in a shell. As Wireshark runs on a wide variety of platforms, this should work on nearly every platform that is supported by Wireshark and OpenSSH. In my case Debian and Ubuntu were involved.


1. The Problem


It happened that we had some subtle problems regarding DNS, namely regarding reverse DNS. Our setup is simple: we have local DNS servers which forward all queries they cannot resolve to an uplink DNS, which should take care of the further name resolution. The uplink DNS is administrated by another organisation, which led to the usual finger-pointing: "we are not guilty, our equipment performs well, we have to invoice you the costs, blah blah ...". Sigh. So I thought about how this problem could be further analyzed, and quickly remembered my system described in http://www.howtoforge.com/trafficanalysis-using-debian-lenny. Perfect, I thought: the box is already sitting next to the uplink, so it should easily be possible to monitor all traffic which rushes over the uplink and to have a look at all DNS-related traffic, to see what happens.


My first idea was to install Wireshark directly on this box and, with the help of a little X11 forwarding, to see what's going on on the uplink. But there was not enough disk space to install Wireshark and the whole set of X11-related libraries.


2. The Solution


My next idea was to capture the traffic on the probe into a file, copy this file to my normal box, and read it into Wireshark. But how cumbersome and long-winded: copying files around, or at least mounting drives over the net. But the solution is so simple. Install tshark (the text-mode little brother of Wireshark) on the probe, call it remotely with the help of ssh, and directly pipe the output of tshark into Wireshark! This solution is from the Wireshark Wiki, but its simplicity enthused and amazed me enough to write this short tutorial.


* Set up passwordless ssh login on the probe as described for instance here, and check that it's working.
* On your local box, where your Wireshark sits and waits to do something beneficial, simply call it by


wireshark -k -i <( ssh -l root IP-of-probe /usr/bin/tshark -i eth0 -w - port 53 )


and enjoy. The traffic is filtered on the probe, so that you are not knocked down by the vast amount of packets which may travel over your uplink. The captured traffic is transported over a secure, encrypted ssh connection from the probe to the visualization box, and you can see in real time what's going on on the uplink.


In my case I did not need to filter out the ssh traffic (as in the example in the Wireshark Wiki), because the sniffing is done on eth0 and the ssh traffic runs over eth1. There are other methods described in the Wireshark Wiki using named pipes, but this method using ssh looked like the easiest to set up to me.


One little problem I had while doing this was that closing Wireshark did not end tshark on the probe, but a

pkill tshark

on the probe helped (kill itself only accepts process IDs, not names), or, if you are not logged in to the probe,

ssh root@probe pkill tshark

should also work.
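The whole procedure above (remote tshark over ssh, capture filter applied on the probe, and the leftover tshark killed when Wireshark exits) wrapped into one script, as an added example that is not from the original tutorial or the Wireshark Wiki. It assumes passwordless ssh to the probe, tshark at /usr/bin/tshark there, and a local Wireshark; the probe address 192.0.2.10, PROBE_USER, IFACE and FILTER are placeholder values, and it feeds Wireshark via a plain pipe ("-i -") instead of bash process substitution so it also runs under POSIX sh.

```shell
# Added example: live remote capture with tshark piped into Wireshark over ssh.
# Placeholders (not from the tutorial): PROBE, PROBE_USER, IFACE, FILTER.
set -u

PROBE="${PROBE:-192.0.2.10}"      # placeholder probe address (TEST-NET-1 range)
PROBE_USER="${PROBE_USER:-root}"  # the tutorial uses root; a dedicated user with
                                  # capture rights on the probe is preferable

# The filter is interpolated into a command run on the probe by a remote shell,
# so accept only a conservative subset of BPF syntax (letters, digits, space,
# dot, colon, slash, underscore, dash). Anything else is rejected.
valid_filter() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9 ._:/-]+$'
}

# Exact command the probe will run: tshark writing pcap to stdout (-w -),
# with the capture filter applied on the probe so only DNS crosses the ssh link.
remote_capture_cmd() {
  # $1 = interface on the probe, $2 = capture filter
  printf '/usr/bin/tshark -i %s -w - %s' "$1" "$2"
}

# Closing Wireshark does not stop tshark on the probe (the problem described
# above), so do it explicitly; pkill matches by process name.
stop_remote_capture() {
  ssh -l "$PROBE_USER" "$PROBE" pkill tshark >/dev/null 2>&1
}

# Pipe ssh's stdout into Wireshark: -k starts capturing at once, -i - reads
# pcap from stdin. The EXIT trap runs the cleanup however Wireshark ends.
run_remote_capture() {
  if ! valid_filter "$2"; then
    echo "rejected capture filter: $2" >&2
    return 2
  fi
  trap stop_remote_capture EXIT
  ssh -l "$PROBE_USER" "$PROBE" "$(remote_capture_cmd "$1" "$2")" | wireshark -k -i -
}

# Usage: PROBE=10.0.0.5 sh remote-capture.sh --run
if [ "${1:-}" = "--run" ]; then
  run_remote_capture "${IFACE:-eth0}" "${FILTER:-port 53}"
fi
```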


Regarding our DNS problem, I could immediately see what's going on. ;-)
Find the updated article Here

Saturday, March 13, 2010

Busy Start of the year in the area of Internet freedom and security

First, Google reported that it, along with a bunch of other major companies, had been hacked, and pointed the finger at China.

Then Secretary of State Hillary Rodham Clinton gave a few "Remarks on Internet Freedom" in which she pushed for one Internet, without barriers.
Separately, the Federal Trade Commission notified about 100 companies that some of their secrets had been exposed by employees who were running peer-to-peer software.

Finally the Internet security firm NetWitness said that it had figured out that 75,000 computers at 2,500 companies had been compromised with the ZeuS Trojan starting in 2008.

Nope - not a good start to 2010. I would like to think that things will quiet down some for the rest of the year but it does not look like that will happen.

In early January, Google announced that it had been hacked from China, that the hackers seemed to be after the gmail accounts of Chinese human rights activists, and that Google was going to review the "feasibility of our business operations in China." Well, that caused quite a splash. Google's accusation fit so well with the general public perception of China's approach to the Internet that it was easy to assume that the hacking was directed by the Chinese government.

Properly, she did not hide the fact that communication over the Internet can be used for good (human rights activists) and evil (terrorists).

But she said that "this issue isn't just about information freedom; it is about what kind of world we want and what kind of world we will inhabit. It's about whether we live on a planet with one Internet, one global community, and a common body of knowledge that benefits and unites us all, or a fragmented planet in which access to information and opportunity is dependent on where you live and the whims of censors."

She, clearly, was on the side of one Internet.

Meanwhile, ex-NSA director Mike McConnell, writing in the Washington Post, had a different take. He said that "we need to reengineer the Internet to make attribution, geolocation, intelligence analysis and impact assessment -- who did it, from where, why and what was the result -- more manageable."

Maybe companies that connect to the Internet need to be more careful and, in particular, companies that sell computers that connect to the Internet need to actually make security a primary concern and post fixes to vulnerabilities a lot faster than they do now.

I'd rather Clinton's Internet than McConnell's, but I recognize that the latter seems attractive to those who only look at the security problem and ignore the freedom one.


Read Complete News