Thursday, December 11, 2014

Cyber Security: Build a Culture of Prevention in Your Organisation

Prashant Mali, 
Cyber Security Policy & Law Expert - India

“You cannot buy the revolution. You cannot make the revolution. You can only be the revolution. It is in your spirit, or it is nowhere.”
― Ursula K. Le Guin, The Dispossessed

Today every organisation needs a “cyber security revolution”, i.e. it needs to bring a culture of cyber security into the organisation. A strong cyber security culture is both a mindset and a mode of operation. One that is integrated into day-to-day thinking and decision-making makes the organisation a far harder target. Conversely, where a security culture is absent, uncertainty follows and, ultimately, security incidents that you likely cannot afford. This also brings us to making cyber insurance part of the organisation's culture.

What is an organisation's cyber security culture?
An organisation's cyber security culture is the set of styles, approaches and values that it adopts towards cyber security.

The lack of robust security protocols and standards for data exchange between enterprise systems, devices and personal/home devices puts organisations at increased risk and exposure. However, by employing a comprehensive threat intelligence strategy, organisations can defend against adversaries more effectively, proactively and sustainably. The development of policies, procedures and training can further prevent attacks and raise user awareness, so that users think before clicking links, executing files or sharing account information. “When building cyber security capabilities, a Chief Security Officer must be able to identify data in an organisational environment, know the systems, devices and networks on which they are located, and build a security profile around them that addresses potential vulnerabilities.”
A strong cyber defence strategy should address how to prepare for and monitor attacks, respond to them and ultimately recover from breaches. At a minimum, the security architecture should be able to stall adversarial efforts, thwart attacks at each phase and facilitate a rapid response. Today there are several cyber security frameworks that organisations may use as guidelines, such as ISO/IEC 27001, COBIT and the NIST Cybersecurity Framework, to develop their security architecture. By overlaying these with counter-measures to the tactics, techniques and procedures (TTPs) that an adversary may employ, CISOs can develop a robust defensive infrastructure.
Many of these defensive strategies can be broadly characterised under the following three classifications:
1. Mitigate threats before they enter the network by having the basic controls in place, such as ensuring that operating systems and the anti-malware, web-filtering and antivirus software on servers and endpoints are updated and patched, to reduce the risk of vulnerabilities and infections. At the primary level, preventive measures can be employed by implementing layers of firewall technology to stop known attacks. At the secondary level, the potential damage of a breach can be limited through automated alerts and notifications that quickly activate the appropriate response measures according to security protocols. By training employees and building a culture of cyber security from top management to workers on the ground, many breaches can be prevented upstream through user awareness of potentially malicious links, e-mails, websites, advertisements and files. As Kevin Mitnick notes in his book The Art of Deception: Controlling the Human Element of Security, these technological methods of protecting information may be effective in their respective ways; however, many losses are caused not by a lack of technology or faulty technology but by the users of technology and faulty human behaviour. It stands to reason, then, that people can not only be part of the problem but can and should be part of the solution.
2. Discover threats that have entered or tried to enter systems. No organisation can prevent every cyber attack, so it is important to build a detection and response capability that alerts security staff, rapidly identifies a breach and its scope, and notifies other enforcement points so that the breach can be contained without extensive collateral damage. Depending on the adversary, an organisation may be better served by quietly disrupting and throttling an attack rather than responding with a knee-jerk reaction that tips off the adversary and invites further attacks.
3. Respond to threats that have breached the network. In addition to deploying sandbox appliances that can detonate and detect novel threats, some organisations should deploy internal network firewalls (segmentation) so that an attack can be contained and mitigated once the perimeter has already been breached. Depending on the extent to which data is stored on internal or external servers, organisations may need to develop coordinated breach responses with other entities.
The risk of cyber attacks is no longer limited to the IT desk; it is a key business issue that must be addressed by the Board. No organisation can be completely immune from cyber attacks and adversaries, but it can take appropriate measures to erect defences and integrate cyber security into its business environment and culture. Management buy-in, establishing policies and updating them regularly, identifying and communicating the security awareness goals and message clearly and often, and performing assessments are crucial to a successful cyber security awareness programme. By implementing some of these changes, organisations can achieve higher levels of cyber security awareness maturity and benefit from a stronger cyber security culture.




Tuesday, December 2, 2014

Definitions for Cyber World

Cyberspace
Cyberspace is the total landscape of technology-mediated communication. This includes not only the internet and the World Wide Web but also mobile and fixed phone networks, satellite and cable television, radio, the Global Positioning System (GPS), air traffic control systems, military rocket guidance systems, sensor networks, etc. As more devices become interlinked through the processes of digital convergence, cyberspace is rapidly covering more of our physical world and channels of communication and expression. Importantly, cyberspace also includes the people that use these devices and networks.

The Internet
A subset of cyberspace, the internet is a system of interconnected computer networks. The internet is comprised of both hardware and software that facilitate data transfer across a network of networks, ranging from local to global in scale, and encompassing private, public, corporate, government and academic networks. Functioning primarily as a global data exchange system, it carries a wide range of resources such as email, instant messaging, file transfer, virtual worlds, peer-to-peer file sharing, and the World Wide Web (WWW).

The Web
The World Wide Web (or, simply, web) is a more recent development than the internet, with its origins in the European academic community of the late 1980s. The web is one of the many services reliant on the internet. It consists of an assemblage of files (audio, video, text, and multimedia), each assigned an address, which are connected to one another through the formation of hyperlinks (more commonly, links). The contents of the web are (usually) accessed via the internet using software known as browsers.

User-generated Content
User-generated content (also user-created content) is an umbrella term referring to a wide range of online materials that are created by internet users themselves. User-generated content has blurred the distinction between the ‘producers’ and ‘consumers’ of information. It is thought to be behind the massive expansion of the internet in recent years, which now encompasses a wide variety of blogs, discussion and review sites, social networking sites, and video and photo sharing sites.

Radicalisation
Most of the definitions currently in circulation describe radicalisation as the process (or processes) whereby individuals or groups come to approve of and (ultimately) participate in the use of violence for political aims. Some authors refer to ‘violent radicalisation’ in order to emphasise the violent outcome and distinguish the process from non-violent forms of ‘radical’ thinking.

Extremism
Extremism can be used to refer to political ideologies that oppose a society’s core values and principles. In the context of liberal democracies this could be applied to any ideology that advocates racial or religious supremacy and/or opposes the core principles of democracy and universal human rights. The term can also be used to describe the methods through which political actors attempt to realise their aims, that is, by using means that ‘show disregard for the life, liberty, and human rights of others’.

Monday, November 17, 2014

Cyber Pornography in India – Sprouting of a Hydra’s head

By Adv. Prashant Mali, Cyber Law & Cyber Security Expert, Author, Speaker
Email : prashant.mali@cyberlawconsulting.com | Mobile : +919821763157

The etymology of pornography can be traced to the Greek graphos (writing or description) and porne (prostitute), and hence it originally meant a description of the life, manners, etc. of prostitutes and their patrons. The first known use of the word to describe something similar to pornography as understood today was in the eighteenth century, when the city of Pompeii was excavated. The entire city was full of erotic art, frescoes, symbols, inscriptions and artefacts that were regarded by its excavators as ‘pornographic’. One of the commonly accepted modern definitions of “pornography” is sexually explicit material that is primarily designed to produce sexual arousal in viewers. In India, pornography is treated as an aggravated form of obscenity.
In India, the production of amateur pornography, with or without the consent of the women involved, is higher than the consumption of industry-produced porn.
There needs to be an amalgamation of education, law, technology and governance for effective control of pornography over the Internet. Law alone will be toothless if it is not enforceable.

Now, if it is rightly said that two-thirds of India’s population is below 35 years of age, that also signifies a sexually active population in the timid culture of India, where anything related to sex is itself taboo. Watching cyber pornography is the way out for these sexually repressed minds to exercise their right to privacy and feed their information-hungry minds.

If digression is synonymous with excursion, then yes, the age group we are discussing has every right to do so. “Distortion”, if you regard cyber pornography as an “act committed by real humans”, is the wrong word in this context. If “distress” is synonymous with pain and suffering, then it signifies only the petitioner’s feelings, because the audience of cyber pornography never feels distress unless physically incapacitated. Seeing cyber pornography as manoranjan (entertainment) is itself a half-cooked thought. I feel cyber pornography is viewed for pleasure (prasannata, khushi, anand). To argue further, I would refer to Freudian psychology: the pleasure principle is the instinctual seeking of pleasure and avoidance of pain in order to satisfy biological and psychological needs. Specifically, the pleasure principle is the driving force guiding the id. Epicurus in the ancient world and Jeremy Bentham in the modern laid stress upon the role of pleasure in directing human life, the latter stating: “Nature has placed mankind under the governance of two sovereign masters, pain and pleasure.” Cyber pornography has grown so much because it is associated with pleasure and not with manoranjan (entertainment), as claimed by the petitioner.
Manobhanjan (destruction of the mind): some gurus have said that to attain samadhi, manobhanjan, that is destroying the mind, is another path, so this theory and idea becomes debatable.

The statistics used in the petition under discussion are based on newspaper reports, never credible evidence in any court of law; the petition states that 70% of online traffic is connected to pornography. A 2010 survey by ExtremeTech reveals exactly the opposite: only about 30% of internet traffic relates to pornography. India now has over 20 crore Internet users in a population of around 121 crore, and labelling 14 crore people as cyber pornography watchers is more than ambitious.

The concerns raised by the petitioner with regard to child pornography are justified, but around 120 countries, including India, have strong laws on child pornography owing to their ratification of the Optional Protocol on Child Pornography. Section 67B of the IT Act, 2000 deals with child pornography: not only watching or transmitting child pornography is a crime, but even searching for child pornography related material on Google is a non-bailable and cognizable offence. So it is clear that when it comes to child pornography India already has the law; the question is one of uniform enforcement throughout the country and effective pre-emptive measures. The Indian ISP association, along with the police, should hold a monthly review meeting to ban specific websites spreading child pornography and some types of extreme porn. Even though I sympathise with the Government’s view that not all porn sites can be banned owing to technological constraints, I strongly suggest that there be concerted efforts by the stakeholders to show some action that can act as a deterrent to the child porn industry operating or exhibiting within the cyber boundaries of India. Actions speak louder than a thousand words; that is what is missing when it comes to banning a few known websites, even if websites sprout like a Hydra’s heads.

With almost no, or minuscule, sex education across the country, limited pornography also serves as a tool of sex education for information seekers. If pornography is a threat to women, then I feel they should be protected by better implementation of legal reforms and stronger rights against invasion of their privacy, including the exploitation of a woman’s body by taking an image or video without her consent. Sexually explicit material has been around in India in the form of temple statues, the Kamasutra, etc., but that was what we would call soft porn (not to be confused with violent porn). Even print porn has been around in India only for the last two decades or so and is strictly censored, again to soft-porn levels. What India is being exposed to right now, all of a sudden, is violent porn from the West.

Law as it stands :
Pornography or obscenity is a very sensitive issue all over the world, yet there is no settled definition of the word under any law. In the United States, whether a given pornographic ‘work’ may be termed obscene is determined by applying what is known as the Miller test (the three-prong obscenity test), developed by the US Supreme Court in the landmark case of Miller v. California. This test poses three fundamental questions about the work under scrutiny:
  • Whether the average person, applying ‘contemporary community standards’, would find that the work, taken as a whole, appeals to the prurient interest
  • Whether the work depicts or describes, in a patently offensive way, sexual conduct specifically defined by applicable state law
  • Whether the work, taken as a whole, lacks serious literary, artistic, political, or scientific value
Section 292 of the Indian Penal Code (IPC) defines obscenity as that which is ‘lascivious or appeals to the prurient interest or tends to deprave or corrupt persons’. In the recent Supreme Court judgment on obscenity, Aveek Sarkar & Anr v. State of West Bengal & Ors, it was held that a nude picture of a woman is not obscene per se. This judgment departed from the Hicklin test, which courts had used until then to interpret obscenity, in favour of the community standards test.

Besides shunning the temptation to share salacious videos, the mobile user should be wary of misusing his mobile to invade somebody's privacy. Section 66E, one of the 2008 amendments to the IT Act, 2000, introduced punishment of up to three years' imprisonment for whoever "intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person".

Under Section 354C of the Indian Penal Code (voyeurism), the offence includes capturing the image of a woman engaged in a private act with a hidden camera or device without her consent. If the woman consents to the capture of the images but not to their dissemination, the dissemination is still an offence under the same section; the punishment is imprisonment of one to three years for a first conviction and three to seven years for a second or subsequent one. Forcibly showing pornography to a woman is also included under sexual harassment in Section 354A of the Indian Penal Code.
Summing up, Sections 66E, 67, 67A and 67B of the IT Act, 2000 address pornography and child pornography, alongside the POCSO Act.


Cyber Pornography and Right to Privacy
Canadians have the right to be anonymous on the internet, and police must obtain a warrant to uncover their identities, Canada's top court ruled in R. v. Spencer, 2014 SCC 43. The landmark Supreme Court decision bars internet service providers from voluntarily disclosing the names, addresses and phone numbers of their customers to law enforcement in response to a simple request.
In India, our Constitution does not contain a specific provision on privacy, but the right to privacy has been spelt out by our Supreme Court from the provisions of Art. 19(1)(a), dealing with freedom of speech and expression, Art. 19(1)(d), dealing with the right to freedom of movement, and Art. 21, which deals with the right to life and liberty. In Govind v. State of MP, Mathew J. developed the law of privacy. The learned Judge held that privacy claims deserve to be denied only when an important countervailing interest is shown to be superior, or where a compelling state interest is shown. If the court then finds that a claimed right is entitled to protection as a fundamental privacy right, a law infringing it must satisfy the compelling state interest test; the question would then be whether the state interest is of such paramount importance as would justify an infringement of the right. In Naz Foundation v. Government of NCT of Delhi, the Delhi High Court took the right of privacy to a new level. The Court held that privacy recognises a right to a sphere of private intimacy and autonomy which allows us to establish and nurture human relationships without interference from the outside community. The way in which one gives expression to one’s sexuality is at the core of this area of private intimacy. If, in expressing one’s sexuality, one acts consensually and without harming the other, invasion of that precinct will be a breach of privacy. Now, since the manufacture and viewing of pornography are media of expression of one’s sexuality, they must fall within the ambit of the right to privacy, provided the material is manufactured and viewed privately by consenting adults and thereby causes no harm to others.
Conclusion
The line demarcating the ‘decent’ from the ‘obscene’ is still vague, and the distinction is ambiguous because it rests on individual interpretation. The concept of ‘violent pornography’ (which includes rape, fetish, kinky and sadomasochistic material) needs to be adequately defined in existing law, to enable the insertion of new sections competent to deal with it, or the modification of existing provisions, so as to tackle the problem effectively. Restricting ‘violent pornography’ by using ‘intelligent filters’ at ISP level, linked to globally available databases or self-created, updatable databases, can prove an efficacious remedy to arrest it in some proportion, since completely eradicating cyber pornography would be like plucking out the Hydra’s sprouted heads, which are known to regenerate.


Tuesday, July 22, 2014

How Phishing is Done via Malicious Code

For hackers, phishing out your personal data is as easy as sitting in a canoe on a still pond, casting the bait and waiting for the fish to bite.
Far too many people never learn to recognise phishing scams, a favourite and extremely prevalent scam among cybercriminals.
One type of phishing scam lures the user onto a malicious website. ZeuS (Zbot) is an example: planted on a website, it is downloaded to the device of anyone who visits that site (a drive-by download), steals the victim's online banking credentials and forwards them to a remote server, where the thief collects them. Very clever.
But that ingenuity is contingent on someone being gullible enough to open a phishing e-mail and then taking that gullibility one step further by clicking on the link to the malicious site.
10 Phishing Alerts
  • An unfamiliar e-mail or sender. If it’s earth-shaking news, you’ll probably be notified in person or via a voice phone call.
  • An e-mail that requests personal information, particularly financial. If the message contains the name and logo of the business’s bank, phone the bank and inquire about the e-mail.
  • An e-mail requesting credit card information, a password, username, etc.
  • A subject line that’s of an urgent nature, particularly if it concludes with an exclamation point.
Additional Tips
  • Keep the computer browser up-to-date.
  • If a form inside an e-mail requests personal information, delete the e-mail.
  • The most up-to-date versions of Chrome, IE and Firefox offer optional anti-phishing protection.
  • Check out special toolbars that can be installed in a web browser to help guard the user from malicious sites; this toolbar provides fast alerts when it detects a fraudulent site.
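The alerts above can be checked mechanically before a human ever reads the message. The following is an added example, not code from the original post: it parses a raw e-mail with Python's standard email module and reports the indicators listed above (an unfamiliar sender, an urgent subject line, a request for credentials, an embedded form, and a link whose visible text shows a different host from the one the href actually leads to). The allow-list of known sender domains, the keyword lists and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Hypothetical allow-list of senders the user already deals with; anything
# else counts as an "unfamiliar sender" (the first alert in the list above).
KNOWN_SENDER_DOMAINS = {"example-bank.example", "colleague.example"}

CREDENTIAL_WORDS = re.compile(
    r"\b(password|username|user name|card number|cvv|account number|"
    r"verify your account|confirm your identity)\b", re.I)
URGENT_WORDS = re.compile(
    r"\b(urgent|immediately|suspended|within 24 hours|act now)\b", re.I)
# <a href="...">text</a>; the displayed text is compared with the real target
ANCHOR = re.compile(
    r'<a\s[^>]*href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)
FORM = re.compile(r"<form\b", re.I)


def sender_domain(msg: Message) -> str:
    """Domain part of the From: address, lower-cased ('' if absent)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def body_text(msg: Message) -> str:
    """Concatenate every text/* part of the message, decoded to str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "".join(
        p.get_payload(decode=True).decode("utf-8", errors="replace")
        for p in parts if p.get_content_type().startswith("text/"))


def phishing_alerts(raw_email: str) -> list:
    """Return the phishing indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw_email)
    alerts = []

    dom = sender_domain(msg)
    if dom not in KNOWN_SENDER_DOMAINS:
        alerts.append(f"unfamiliar sender domain: {dom}")

    subject = msg.get("Subject", "")
    if subject.rstrip().endswith("!") or URGENT_WORDS.search(subject):
        alerts.append(f"urgent subject line: {subject!r}")

    body = body_text(msg)
    if CREDENTIAL_WORDS.search(body):
        alerts.append("body asks for credentials or financial details")
    if FORM.search(body):
        alerts.append("e-mail embeds an HTML form")

    # Link text that shows one host while the href leads somewhere else.
    for href, text in ANCHOR.findall(body):
        real_host = (urlparse(href).hostname or "").lower()
        shown = HOSTLIKE.search(re.sub(r"<[^>]+>", "", text))
        if shown and shown.group(0).lower() != real_host:
            alerts.append(f"link text {shown.group(0)} actually points at {real_host}")
    return alerts


# Constructed sample messages (not real mail).
PHISH = """\
From: Security Team <alerts@example-bank-verify.example>
To: customer@example.com
Subject: URGENT: your account will be suspended!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, please verify your account within 24 hours.</p>
<p>Enter your username and password here:
<a href="http://203.0.113.10/login">https://www.example-bank.example/login</a></p>
</body></html>
"""

CLEAN = """\
From: Asha <asha@colleague.example>
To: customer@example.com
Subject: Minutes of Monday's meeting
Content-Type: text/plain; charset="utf-8"

Hi, the minutes are attached. See you Thursday.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(name, phishing_alerts(raw) or "no alerts")
```

Run against the constructed PHISH message it reports four alerts and against CLEAN none. The link check is the one worth keeping even if the keyword lists are tuned away: a mismatch between the host a user sees and the host the browser will open is exactly how the ZeuS-style malicious site in the post gets its visit.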

Wednesday, May 21, 2014

How NSA Allegedly Hacks into your Network ?

According to internal documents published by Der Spiegel in December 2013, the United States' National Security Agency succeeded years ago in penetrating the digital firewalls of the industry's major vendors. An NSA division called ANT has burrowed its way into nearly all the security architecture made by the major players in the industry, including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods such as US computer-maker Dell.
The specialists at ANT, which presumably stands for Advanced or Access Network Technology, could be described as master carpenters for the NSA's department for Tailored Access Operations (TAO). In cases where TAO's usual hacking and data-skimming methods don't suffice, ANT workers step in with their special tools, penetrating networking equipment, monitoring mobile phones and computers and diverting or even modifying data. Such "implants," as they are referred to in NSA parlance, have played a considerable role in the intelligence agency's ability to establish a global covert network that operates alongside the Internet.
Some of the equipment available is quite inexpensive. A rigged monitor cable that allows "TAO personnel to see what is displayed on the targeted monitor", for example, is available for just $30. But an "active GSM base station", a tool that makes it possible to mimic a mobile phone tower and thus monitor cell phones, costs a full $40,000. Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million.
The ANT division doesn't just manufacture surveillance hardware. It also develops software for special tasks. The ANT developers have a clear preference for planting their malicious code in the BIOS, the firmware on a computer's motherboard that is the first thing to load when the computer is turned on.
This has a number of valuable advantages: an infected PC or server appears to be functioning normally, so the infection remains invisible to antivirus and other security programs running on top of the operating system. And even if the hard drive of an infected computer has been completely erased and a new operating system installed, the ANT malware continues to function and ensures that new spyware can once again be loaded onto what is presumed to be a clean computer. The ANT developers call this "Persistence" and believe this approach has provided them with the possibility of permanent access.
Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.

Other ANT programs target Internet routers meant for professional use or hardware firewalls intended to protect company networks from online attacks. Many of these digital attack weapons are "remotely installable", in other words over the Internet. Others require physical access to the end-user device, an "interdiction" as it is known in NSA jargon, in order to install malware or bugging equipment.

Wednesday, May 14, 2014

Court in EU Backs 'Right to be Forgotten on Google"

European Union Internet users can now ask Google and other search engines to remove certain sensitive information from search results, Europe's highest court ruled on May 13, 2014.
The ruling, handed down by the Court of Justice of the European Union, states the "operator of the search engine ... is, in certain circumstances, obliged to remove links to Web pages that are published by third parties and contain information relating to a person from the list of results displayed following a search made on the basis of that person's name."
The court's ruling on the "right to be forgotten" stems from a case involving a man in Spain who argued that Google's search results disclosed details about the auction of his repossessed home over unpaid debts. "[The man] stated that the proceedings concerning him had been fully resolved for a number of years and that reference to them was now entirely irrelevant," the ruling states.
Google, in a statement provided to Information Security Media Group, said: "This is a disappointing ruling for search engines and online publishers in general. We now need to take time to analyze the implications."

EU Justice Commissioner Viviane Reding, the European Commission's vice president, said on her Facebook page May 13 that the judgment is a "clear victory" for the protection of Europeans' personal data.

"Companies can no longer hide behind their servers being based in California or anywhere else in the world," she wrote. "Today's judgment is a strong tailwind for the data protection reform that the European Commission proposed in January 2012 as it confirms the main pillars of what we have inscribed in the data protection regulation. The ruling confirms the need to bring today's data protection rules from the 'digital stone age' into today's modern computing world."

The Implications

This judgment should make it easier for individuals who seek the removal or blocking of links to information that they find offensive, irrelevant or obsolete to obtain redress if the search engine ignores their request. It strikes a balance between the public's right to access information that has been legally published and the individual's right to have data blocked where it is inadequate, not relevant or no longer relevant, or excessive in relation to the purpose for which it was processed, in the light of the time that has passed.
The ruling changes the risk landscape not only for services that publish information as first-party original content but for any service that aggregates data from other websites, such as Facebook, Twitter and search engines. It is an incredibly significant decision for all of them.
In India, someone would have to file a writ petition in a court of competent jurisdiction and obtain a similar judgment here.

DDoS Analysis for 2014-A Serious Risk

DDoS attacks are evolving in complex, dangerous ways. Companies assessing their risk and protection should consider:
• Nearly twice as many companies as in the previous year (60 percent) reported being attacked in 2013.
• Almost 92 percent of those attacked were hit repeatedly.
• 57 percent of DDoS targets were also victims of theft: funds, customer data or intellectual property.
• Though attack duration is down, the number of attacks in the 1–5 Gbps range roughly tripled.
• DDoS drains manpower: over half of businesses (57 percent) need six or more people to mitigate a DDoS attack.
• Risks of $1M a day (estimated outage losses) are common: 4 in 10 companies would suffer this much or more.
• DDoS is costly across the enterprise. Customer service and other public-facing areas now take as large a hit as IT/Security.
In protecting against DDoS attacks, companies must ask: what do they stand to lose if they are hit hard? Rigorous risk, threat and cost analysis is in order.
Predicting a DDoS attack is as difficult as the attacks themselves are unpredictable.

Sunday, April 27, 2014

2014 Internet Security Threat Report

Highlights from the 2014 Internet Security Threat Report

Key Findings
91% increase in targeted attack campaigns in 2013
62% increase in the number of breaches in 2013
Over 552 million identities exposed via breaches in 2013
23 zero-day vulnerabilities discovered
38% of mobile users experienced mobile cybercrime in the past 12 months
Spam volume dropped to 66% of all e-mail traffic
1 in 392 e-mails contains a phishing attack
Web-based attacks up 23%
1 in 8 legitimate websites has a critical vulnerability

Monday, March 3, 2014

Citadel : The Banking Trojan for Cyber Attacks on Banks

Citadel is a banking trojan based on the Zeus source code. A few months after the Zeus source code was leaked in 2011, a threat actor using the moniker "AquaBox" was observed on a Russian-language eCrime forum offering Citadel 1.1, a new derivative of the Zeus malware. Citadel retained the basic Zeus functionality but added modifications to improve the functionality of the banking trojan and its security against takeover and analysis.
Citadel developed a community of customers and contributors around the globe that suggested new features and contributed code and modules as part of an ad hoc criminal social network. Capabilities included AES encryption of configuration files and communications with the C2 server, an ability to evade tracking sites, the capacity to block access to security sites on victims' systems, and the ability to record videos of victims' activities. The network of Citadel contributors continued adding innovative features to the trojan, making it more adaptive and faster, until the trojan became ubiquitous and criminals began using it for all types of credential theft.
The Citadel toolkit is made up of three parts: a builder, the actual trojan, and a C2 web panel. The builder allows the attacker to edit and compile the configuration file and to build the actual trojan that is delivered to victims' systems. The trojan modifies the compromised computers and steals information. The C2 server monitors and controls the trojan and stores all stolen data.
Citadel infects computers through many different methods. The attackers behind the Citadel trojan have made concerted efforts to spread it using spam campaigns and drive-by download attacks that use different exploit kits. Table 5 shows the statistics for the Citadel samples and configurations analysed in 2013.

Table 5: Citadel samples and configuration files analysed in 2013
Attribute            Count
C2 servers           905
Configuration files  2,296
Samples              21,716
Encryption keys      311
Versions             5
Targets              1,170 (unique); 137,000 (total)
Architecture
Citadel's C2 design is simple. Each trojan is programmed to connect to one or more C2 servers, and attackers can dynamically update the list of C2 servers through the configuration file. Cybercriminals may rent individual servers to orchestrate their banking campaigns.
The Citadel trojan running on an infected system has two primary functions:
  • Passive function: automatically executed on the infected system through application programming interface (API) hooking. The hooked code embedded in network and other APIs performs the following tasks:
    • HTTP session redirection
    • Web injections (MITB attack)
    • FTP credential theft
    • POP3 credential theft
    • Flash files control
    • Keystroke logging
    • Screen capture
    • Video recording of activities
  • Active function: executed upon receipt of a command from the C2 server. Citadel supports the following commands, organized by category:
    • OS — shutdown, reboot
    • FS — search, download, upload
    • Bot — install, uninstall, add, remove, httpinject enable/disable
    • User — logoff, url_block, certs_get, homepage_set, execute, destroy
    • DDoS — start, stop
    • Module — execute enable/disable, download enable/disable
    • Info — system info
Webinject module
Citadel introduced a new feature called "dynamic webinjection." This feature is implemented through an entry in the configuration file and a command issued to the bot from the C2 server. The new dynamic webinject feature is triggered by a command called "webinjects_update", which takes two arguments. A typical command uses the following syntax:
               webinjects_update dual "webinjects/new.js"
The first option can be "dual," "single," or "disabled," and the second option is a file path. "Dual" indicates that this webinject file should be used in conjunction with existing webinjects contained in the configuration file; "single" instructs the bot to use the listed webinject file instead of the data in the configuration file; and "disabled" turns web injection off. The second argument is the full path to the server file that contains the webinject code.
When the bot receives this command, it issues an HTTP POST request for the specified webinject file. The C2 server replies with the relevant file. The request and the reply are formatted and scrambled using the AES+RC4 encryption scheme.
Citadel has emerged as a popular choice in the underground economy for use in financial fraud. Its improved feature list suggests that the Citadel authors continue to innovate and improve the overall quality of their product by adding functionality that their competitors do not offer. Citadel has allowed attackers to expand their reach and target a larger variety of web browsers. It provides a platform for additional criminal revenue opportunities, such as installation of ransomware.
Improvements
The Citadel authors created a crowdsourced model for feature improvement by allowing customers and prospective users to propose features. Citadel built upon the base capabilities of Zeus by introducing the following improvements:
  • Google Chrome support — Citadel added support for hooking and monitoring Chrome activity.
  • Revised cryptography — Citadel's encryption routine changed from standard RC4 to 128-bit AES. Citadel also modified the RC4 implementation slightly by adding an XOR operation with the original seed string. This custom RC4 implementation is also used to encrypt stolen data sent to the C2 server.
  • Sandbox detection — Citadel can detect if it is running within a virtualized environment. If yes, Citadel alters its behaviour, generating a random "decoy" domain name and URL path for the C2 URL rather than connecting to its typical C2 server.
  • Video capture — The video capture plugin is typically downloaded from the C2 server when the malware connects for the first time. The ability to capture video allows a threat actor to monitor portions of a victim's entire browsing session.
  • Denial of service — Citadel included the capability for infected systems to participate in a distributed denial of service (DDoS) attack against a specified target. The botmaster initiates this command via the Citadel control panel.
  • Automated command execution — Citadel improved Zeus's ability to execute an arbitrary command on an infected system by introducing a series of pre-defined commands.
  • Aggressive DNS filtering — Citadel introduced a capability to alter the domain name resolution to prevent antivirus (AV) and security companies from resolving domain names, block AV software from receiving updates, and prevent victims from visiting AV or other security sites to download removal tools and obtain mitigation advice.
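The DNS filtering described above leaves a host unable to reach AV update and security sites. As an added example (not from the report or from any Citadel analysis tooling), the script below checks a hosts-file style name-to-address mapping for security-vendor domains that have been sinkholed to loopback or redirected elsewhere; the vendor domains and the sample hosts content are constructed illustrations, and the script assumes the tampering is visible as hosts-file entries (the report does not specify Citadel's mechanism).

```python
"""Flag security-vendor domains that a hosts file sinkholes or redirects.

Added example for the DNS-filtering behaviour described above; the
watchlist and sample data are constructed, not taken from the report.
"""
import ipaddress

# Constructed watchlist: domains a security product must reach for updates.
# A real deployment would load the vendor's published update domains.
SECURITY_DOMAINS = {
    "update.example-av.com",
    "download.example-av.com",
    "www.example-security-vendor.net",
}

# Addresses that never serve an update: the classic "block AV" mapping.
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/8", "::1/128")]


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def find_blocked_security_domains(text):
    """Return (hostname, ip, kind) for every watchlisted domain that is overridden."""
    findings = []
    for ip, name in parse_hosts(text):
        if name not in SECURITY_DOMAINS:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address; not a resolvable override
        sinkholed = any(addr in net for net in SINKHOLE_NETS)
        # Any static override of a vendor domain is suspicious; loopback or
        # 0.0.0.0 blocks updates outright, another address diverts them.
        findings.append((name, ip, "sinkhole" if sinkholed else "redirect"))
    return findings


SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 update.example-av.com
0.0.0.0   download.example-av.com  www.example-security-vendor.net
198.51.100.7 update.example-av.com
192.0.2.10 intranet.corp.example
"""
```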
In May 2013, the Citadel 3.1 variant was first identified as introducing the ability to spread via external devices, such as USB, by taking advantage of the "autorun.inf" functionality. It also introduced a "port scan" command and added a new encryption layer for both communication and the configuration file. Compared to the last known Citadel version 1.3.5.1, the encryption scheme was modified slightly with an added XOR layer and a fixed constant value included in the binary and 32 random bytes.