Microexpert

DarkMarket Mastermind Jailed

2010-03-08T11:40:00.003Z

The mastermind behind one of the most pernicious online criminal forums in the world has been jailed for 4 years and 8 months (26 Feb 2010). The site, DarkMarket, was a sophisticated, invitation-only service for buying and selling compromised credit card data and other information and equipment for committing financial fraud. It allowed criminals to collaborate on deals, which caused global losses worth tens of millions of pounds.

In the dock alongside Renukanth Subramaniam was 66 year old John McHugh, known online as 'Devilman'. McHugh was sentenced to 2 years of rigorous prison.

The trial is the latest stage in an international investigation by SOCA, the FBI and the USSS. So far 5 people have been charged in the UK, and there have been around 60 arrests around the world.

Key to the case against Subramaniam and McHugh was proving the link between the individuals and the virtual personas of JiLsi and Devilman.

Andy Auld of SOCA's E-crime team has rightfully said: “The legal system doesn’t work against nicknames and email addresses. It works against real names and real addresses”.

As Sharon Lemon, Deputy Director of SOCA has commented about the financial investigation that is now underway into the money these men made from their crimes. He believes that Subramaniam suffered a personal loss of £100,000 in one go linked to deals on a single lost memory stick. SOCA is also determined to recover what it can from them.

Smart Card Patent Up For Auction

2010-02-24T11:50:00.005Z

ICAP Ocean Tomo is said to offer sale of a patent portfolio of smart card technology at its upcoming Live Auction to be held in March 25, 2010 in San Francisco. The expected value of the sale of this patent portfolio is greater than $50,000, and the portfolio contains two U.S. issued patents, one non-U.S. patent, and three U.S. patent applications.

The smart cards described in the portfolio are considered of 'hybrid' design, as they incorporate integrated circuit and magnetic memories for storing data. The design of hybrid smart cards requires simple electronic circuitry for writing data.

As stated by inventor Josef Osterweil, "This technology allows for tomorrow’s security today as it introduces "Secure Swipe" technology to existing smart card infrastructure".

U.S. patent 7,591,427 describes this 'hybrid' design which utilizes a matrix of electronic conductors for writing data on magnetic stripes. Each electronic conductor can be used to write multiple bits, thus reducing the total number of electronic conductors needed on each smart card. U.S. patent 7,591,426 enables the reading and writing of data to take place on magnetic stripes using a similar matrix to the patent described above.

Approximately, 5 billion smart cards were shipped in 2008 worldwide, and the number is expected to grow by 11% annually through 2012. The portfolio will be of interest to companies manufacturing smart cards as those used by banks, retailers, security solution providers and such other end users.

Gmail blocked in Iran

2010-02-16T09:16:00.006Z

The Iranian government has blocked the search engine giant – Google. It has taken efforts to censor the Internet, blocking access to many popular sites, according to the U.S. State Department.

Google Inc.'s Gmail service is permanently suspended by Iran. The company has also faced off with China recently over Web censorship.

How could Iran block access to specific websites?

It's not clear as to how Iran is going to block every kind of proxy system. Moreover, it's not working perfectly. While an email usage drop has been experienced, Google's network is reported to be working flawlessly.

However, technology experts state that officials can easily program those filters so that computers in those countries cannot access certain web pages, such as Google.com, or use specific programs, such as eBay Inc's Skype, Twitter, or Activision Blizzard Inc's World of Warcraft online video game. Countries also usually choose to block entire websites because that is easier than trying to pinpoint objectionable content. An example is China's Web filters, which block sites deemed illegal or politically offensive in that country.

Why is Iran blocking Gmail now?

No one knows for sure, but Danny O'Brien, an international outreach coordinator for the Electronic Frontier Foundation, said that after Google said its popular Web email service had been attacked by Chinese hackers, the company began encrypting, or protecting, all of its email messages and chats. This makes monitoring more difficult.

Do the United States and European governments filter Web pages for people in their countries?

About a third of the world's citizens use the Internet through filters imposed by their local governments, including many schools and libraries in USA, according to Susan Crawford, a professor of law at the University of Michigan. Filtering software is often installed by parents to keep their kids from getting access to violent and illegal websites. Even many companies around the world filter their connections in order to keep an eye on their employees’ tasks.

Is it possible to get around those filters?

There are several ways of filters, some of which require the user to have some technical knowledge. One of the easiest to use is a program for personal computers called Tor (www.torproject.org). This program encrypts Internet traffic, effectively hiding it from filtering programs.

Has the government thought of any alternative of Gmail?

The Iranian government has asked the citizens to use a state sponsored national email service as a replacement to Google's email service.

Is there any opposition to Iran’s decision within the country?

Yes, the anti-government groups have protested strongly against the decision to ban Google completely in Iran. The opposition groups have even called for protests to be held on Thursday, February 11, when the country traditionally celebrates the 31st anniversary of the Islamic Republic.

Has Iran banned any website before?

There seems to be a long drawn tradition of bans and protests in this Islamic country. In recent times, a number of bans have been called, especially around social media tools like Gmail and Facebook. Last year summer, the state government banned FriendFeed and Facebook, two popular social network sites, near the election time. This sudden decision made many netizens choose to log on to Twitter to keep free flow of social media communication. It is believed that the bans and controls have been slapped, with the coming of the anniversary of the Islamic republic.

However, if the Iranian government continues to block social media tools like this then it is not very long that we will get to see the government choosing its next target been the social networking sites like Twitter.

Cyber Criminals: Needs a good thrash!

2010-01-19T11:21:00.007Z

A global legal framework is absolutely necessary in order to punish cyber criminals, by making it easier for evidence to be transferred between countries. In many cases, the cyber gangs roam free in the absence of any proper evidence or proof to put them behind bars.Interpol (the international police organisation), is voicing hard in support of a new global legislative framework that would enable countries to exchange data to bring a cyber thief to justice.

With the onslaught of phishing, pharming and malware attacks, there is an urgent need to enforce some new law, because still now, new technologies are being dealt with by old laws.

Bernhard Oputal, a crime intelligence officer with Interpol’s financial and high-tech crime division said: “We need an integrated legal framework to exchange data. A lot of legislation doesn’t consider a data stream as evidence, because the evidence is hidden behind 0s and 1s. We have to rethink the legislative framework”.

Police and the investigating organisations across the world are already aware of the increasing trend of cyber criminals confiscating personal accounts of individuals through the Internet. Phishers are asking for personal details such as full name, address, contact number and bank account number in a fake website or log-in form, and then using it to withdraw money from banks or ATMs.

According to experts, these gangs are based mostly in countries like Russia China and the U.S. but target Internet users spread across the globe. Interpol said it has experienced problems with the international transfer of evidence and said some Internet service providers are unwilling to provide data, a problem worsened by the speed with which phishing sites disappear after capturing information.

A global framework for legislation should be provided by the Council of Europe’s Convention on Cybercrime, according to Otupal. The Convention, ratified in 2001, is a European treaty designed to allow for a common criminal policy on cyber crime.

The software giant, Microsoft agreed that current legislation needed to be reformed in some countries, and it also said of prosecuting more than 100 phishers over the coming years and is involved in lobbying for stronger anti-phishing laws.

A seniour official said that The European Commission is also seeking ways to strengthen cooperation between law enforcement and private industry worldwide, and also increase penalties for those engaged in cyber offense.

Although countries like Estonia and Lithuania have reported of cyber attacks, they are unable to take steps against the offenders because of the lack of support from other nations, said Radomir Jansky, one of the top cybercrime officials within the Commission’s Directorate-General for Justice, Freedom and Security.

In lieu of the increasing series of attacks by cyber gangs, The European Commission is updating the Council Framework Decision on Attacks against Information Systems, which came into force in 2005.

Contactless Mobile Banking: Miles to Go?

2010-01-13T09:51:00.004Z

Contactless mobile banking is the latest buzzword in the online payment industry. Nowadays, a number of major retailers are refurbishing their point-of-sale systems to accept contactless cards. Also, with the NFC-enabled phones (mobile phones with embedded payment chips) released in the market, merchants, processors and card networks are anticipating big changes in consumer spending patterns and in their own business models.

While there is a bit of confusion as to when consumers will be able to purchase items with their phones, these early movers are putting pressure on smaller acquirers and independent sales organizations to equip their clients with the latest terminals as well.

Thomas A. Layman, a former chief economist at Visa Inc. and the founder and president of Global Vision Group in San Mateo, California thinks that due to economic recession, people have become more cautious about spending. However, he believes that with mobile payment technologies, people will get a better option in managing their expenditure. The economic turmoil in 2009 has prompted widespread changes in spending, as people got shifted from credit to debit and has even curtailed their purchases. But experts are hoping 2010 will surely bring some positive results in favour of contactless payments industry.

Speaking at the Strategic Leadership Forum in New York, Layman stated that less spending trends may stick even after the economy recovers, and mobile payments could play an important role in consumers’ altered habits. According to him, credit card transaction growth will probably level off at about 5% a year, and debit card gains will continue in double digits throughout 2012. And various forms of alternative payments, especially mobile, could account for 20% of transactions by 2012, up from 2% at present.

Damien Balsan, the head of NFC business development for the Americas at Nokia Corp., predicted that NFC-equipped handsets will begin arriving in the market in large numbers in 2010, enabling phones to be used for various contactless transactions.

Last year Nokia has revealed its "6216 Classic" NFC-equipped handset, offering Near Field Communication services integrated with the SIM to provide a hassle-free solution for payment and ticketing. It has also been reported that Citi has manufactured a NFC-Equipped Phone, with applications such as an MP3 player, and the built-in accelerometer. This NFC-based phone will allow users to make mobile payments when paired with a mobile banking account or credit card.

An analysis of the NFC mobile payments opportunity forecast that about 700 million mobile subscribers globally will have phones equipped with NFC contactless technology by the year 2013.

£12.7bn in Danger due to Smartcard Security Breach!

2010-01-08T11:00:00.011Z

An NHS (National Health Services) trust has called in the police after a massive breach of smartcard security compromised the confidentiality of hundreds of electronic records. This £12.7bn NHS IT scheme was illegally accessed by an unauthorised NHS employee, who has since then left. This local primary care trust, NHS Hull states that it is “shocked” at the breach of security by an ex-staff.

Details of the breach emerged, when the city health officials reported the journalists about the start of a roll-out of electronic records across London as part of the National Programme for IT. The roll-out is part of the plan taken up by the Department of Health to create for 50 million Britons, electronic "summary" medical record on a central database run by BT.

This smartcard beach has drawn the attention of security experts to a very important point - an insider with a smartcard can easily confiscate confidential electronic records without prior authorisation if the person is determined to do so. This revelation is of course, a serious blow to the popular skepticism that centrally-held medical records will remain confidential under the NPfIT.

Before the advent of NPfIT central databases, individual medical records were stored by GPs or by NHS trusts in specific areas. Hull has been working with NHS Connecting for Health and the NPfIT since 2004. Working on the pseudonymisation of the controversial Secondary Uses Service, has brought forth a case in which identifiable health records are partially anonymised so that they can be used for research purposes by non-medical staff as well.

Police is investigating in this smartcard security breach case and we hope they find the culprit soon. NHS Hull has discovered that a total of 358 patients registered at GP practices have been affected by this. The trust has written to the patients whose records were looked at to cooperate fully with a police investigation, which is underway.

Take a 3D Virtual Trip to Tokyo

2009-12-30T08:40:00.008Z

NTT DoCoMo, Japan's mobile telephone giant with 55 million subscribers, is imagining a world where a stressed-out man, just like you and me, may unwind from his hectic futuristic lifestyle by time-travelling back a few centuries and taking a virtual stroll through medieval Tokyo.

As he walks over the arched wooden bridges, the person will get to chat with the avatars of his real world friends, admire pollution-free views of Mount Fuji and perhaps do some cash-free souvenir shopping for a digital download of a woodblock print. He will travel through 'Edo' (the former name of the Japanese capital Tokyo) from the comfort of his beautiful living room, wearing 3-D glasses and moving about by waving a super-networked mobile phone that is attached to his wrist like a watch.

Seems surprised! It's really going to happen in Japan in 2020. Shangri-La is the ‘Future Station’, located in a skyscraper 29 floors above Tokyo. Here, visitors are taken on guided tours of the NTT DoCoMo's mobile phone marvels, and also given a glimpse of what's going to come next.

The company has imagined wearable phones of 2020 that will be fitted with a small flip-out screen and capable of projecting images onto a wall or into thin air in the form of a hologram. The device will act as an ID to enter the family home or to board a flight, a medium to video-chat with friends and colleagues, and a remote control to activate the robo-vacuum cleaner.

The phone will be made from recyclable materials and partially charged kinetically through body movements. The device will also be equipped with simultaneous translation software to connect the user to others, anytime, anywhere.

UK Government spending £20Million for Smart Ticketing!

2009-12-23T08:19:00.005Z

Within the next 5 years, passengers on public transport in the UK’s major urban areas will be able to travel without a paper ticket. The Transport Secretary Andrew Adonis has given a statement on this account.

England’s nine largest urban areas will receive £20million to bring smart and integrated ticketing to its people through the Smart and Integrated Ticketing Strategy. The strategy sets out the Government's goal for every area of England to have access to smart ticketing by 2020. It contains nearly 30 Government commitments to help make this happen.

Smart tickets include system where a ticket is stored on a microchip, on a smartcard (like Oyster) or even on a phone or bank card. Through the use of this ticket, travelling by bus, train and tram can be much easier and faster. The Government estimates that the benefits of ‘integrated smart’ ticketing, could be worth over £1 billion per year. The ministry has also announced a special 8% increase in the Bus Service Operator Grant (BSOG) if they have ITSO smartcard infrastructure on their buses.

The transport authority is highly optimistic about the use of this smart ticketing system. They believe that this technology on-board will help reduce congestion and pollution, and in turn improve the local environment.

The 9 cities who are going to get the new mode of ticketing are - Greater Manchester, West Midlands, Tyne and Wear, Merseyside, South Yorkshire, and West Yorkshire, Nottingham, Leicester and Bristol.

Bus operators will also receive a further 2% increase in their BSOG rate if they install in their buses, GPS technology. This technology will allow the operator to track the position of their bus, whenever required.

Five Million Contactless Cards issued in UK Alone!

2009-12-16T12:05:00.008Z

No longer, you have to wait in queues physically during the morning and lunch time rush hours for payment, as payment can now be done via contactless. Barclays and Barclaycard, the leaders in contactless payment in the UK who have been issuing contactless cards since 2007, have touched the 5 million mark of contactless card issuance in the country. Contactless payment technology has been pioneered by Barclaycard in the UK since 2007 with the launch of Barclaycard One Pulse, to make life easier for customers.The announcement of Five million Contactless Cards coincides with additional retailers accepting and rolling out, contactless payment facilities all over the UK. Caffe Nero, the largest independent coffee retailer in the country, has signed up to use contactless technology and completed its rollout across all 380 stores in October 2009. Caffe Nero first trialled the integrated EPoS contactless system in several outlets in central London in December 2008, and finally completed the rollout across the entire network in October this year.

With the help of these contactless cards, people can purchase items of £10 or under without the need to enter a PIN or sign. Sometimes, however, the customers may be requested to enter a PIN occasionally for added security reasons.

Pret A Manger, the high street food chain that started accepting contactless payments in November 2008, has also successfully rolled out the technology in all its 199 stores in the UK. Together, these retailers bring the number of outlets now accepting contactless payment through Barclaycard, to about 20,000.

Amer Sajed, Chief Executive of Barclaycard UK, Business and International at Barclaycard has expressed his rejoice stating that five million contactless payment cards issued is a significant milestone on the journey of how people will pay for goods and services in the future.

An Interesting 2009 Report on Today’s Changing Consumer Influence

2009-12-09T08:00:00.007Z

2009 Media Engagement Barometer commissioned by the global communications leader, Motorola’s Home & Networks Mobility business has revealed an interesting and significant report on today’s changing consumer influence. The report states that Age is no longer important in trying to dictate a consumer’s willingness or ability to use various media technology or services.

In fact, all generations, starting from Millennials (75 %) to Gen Xers (74 %) and Boomers (66 %), recognise the role entertainment technologies play in helping them keep their lives in order.

A 15-minute telephonic survey was conducted by StrategyOne, an applied research consulting firm among 1,000 Americans aged between 16 and 64. Interviews were taken between August 28, 2009 and September 11, 2009. The margin of sampling error at the 95 % level of confidence is ±3.1 for total respondents (1,000).

Human beings and technology is getting all the more intermingled with every passing day and hence we must look beyond age to predict influences.

Connectivity is more of a lifestyle issue now. Being accessible at all times is seen as a necessity across all generations (Millennials, 79 %; Gen Xers, 64 %; Boomers, 65 %)

With new-age technology, a two-way dialogue takes place between consumers of all ages, as they engage with various technology products and share their experiences

Parents, grandparents and children alike are actively engaged in the tech sphere of influence. Gen X and Boomer parents reveal that they are influencing their children’s tech habits (Gen Xers, 87 % and Boomers, 79 %) even more than their Gen X (62 %) and Millennial (76 %) children influence their habits

According to Dan Moloney, president of Motorola’s Home & Networks Mobility business, the main aim behind the study of changing consumer behaviour is that Motorola will try to develop products and services that will enable its customers to accelerate the delivery of personal media experiences.

“The barometer findings have demonstrated how networking technologies have had a really powerful impact in integrating the different facets of people’s lives, and the “digital generation divide” that we perceived to dictate technology is now shifting toward a usage-based definition”.

The purpose of this study was to explore: how different generations engage through technology products and services with family, friends and colleagues. However, it is believed that as technological innovations continue to progress, people’s lives can no longer be so easily segmented. Millennials, Gen Xers and Baby Boomers come together through technology, forming bonds based on usage habits rather than age group.

Service providers and technology companies have already started to deliver video, communications and information services more aggressively across multiple devices. Now the question lies regarding their acceptance by the general public, and on the basis of the study, Motorola can design products to align with consumer influences and habits.

Developments in Contactless Mobile Ticketing System

2009-12-02T08:11:00.002Z

Nowadays, manual collection of fare and ticketing system in various transports is been increasingly taken over by automated fare collection (AFC) systems, where smart cards are punched to get tickets easily and in less time. Contactless mobile tickets use the Near Field Communications (NFC) or RFID technology for mass transit ticketing.

Key technologies in contactless ticketing include FeliCa, MIFARE and NXP. MIFARE is being used in the London Underground Oyster Cards, whereas FeliCa is used for Hong Kong underground. News has started pouring in that London Midland rail service is set to trial its new smart card ticket. The passengers will soon be enjoying a contactless Oyster card-style ticketing system, which the rail service intends to roll out next year.

There’s yet another great option of using RFID technology, and that’s in mobile phone ticketing system. Shanghai World Expo has introduced mobile phone ticketing for its 2010 event, which is scheduled to start from May 1. Instead of the same old paper ticket, now the sports lovers can purchase “mobile phone tickets,” via their cell phones equipped with RFID enabled SIM cards.

Juniper Research has come up with an interesting report where it states that the Mobile Ticketing and Mobile Retail Services revenues are expected to generate over US $63 billion (38,026,107,000 GBP) by 2010. The study stated that mobile phone users, who are purchasing digital content such as ringtones and games and equipped with intelligent smartphones will use their devices for mobile commerce more.

The increasing use of radio frequency identification (RFID) technology has made Juniper Research to highlight a few other points:

By 2010, 32% of Japanese mobile users will be buying tickets using their mobile phone
Adoption rates in current mobile ticketing implementations is as high as 30% of the total tickets issued within the scheme
By 2010, 87 million European mobile users (15% of total) will be using their mobile devices for mobile ticketing purposes
The use of mobile barcodes is revolutionising the way we purchase and store tickets

U.S. Payments Fraud on the Rise

2009-11-25T09:45:00.008Z

In its 20th October 2009 whitepaper release, the Smart Card Alliance said that the U.S. payments fraud is expected to rise unless the industry looks towards new technologies, such as contactless chip cards. The Contactless and Mobile Payments Council developed the “Fraud in the U.S. Payments Industry: Fraud Mitigation and Prevention Measures in Use and Chip Card Technology Impact on Fraud”.

Much of the fraud on debit and credit cards in the United States results from activities like counterfeiting and card skimming. Credit and debit card fraud is possible because magnetic stripe cards use static data that can be easily copied and reproduced on fraudulent cards or used in an Internet purchase transaction.

The Alliance does not see protection of data or better fraud detection techniques as the solution to the fraud problem. Rather, the solution is to replace this static data with dynamic data, because it renders stolen account or transaction information useless.

To achieve this goal, the Smart Card Alliance recommends contactless chip cards, already implemented throughout the United States. Currently, contactless payment devices generate dynamic cryptograms, or encrypted codes similar to those generated by the EMV payment cards.

The authentication of the cryptogram assures the issuer that the card presented is genuine. If data is copied or intercepted at the reader, the data already gets obsolete for future transaction attempts, and cannot be used successfully to counterfeit cards or replay transactions. Importantly, the current U.S payments infrastructure can already handle the contactless payment dynamic cryptograms.

The white paper provides an overview of current fraud levels in the U.S. and of projected trends based on the move to EMV outside of the U.S. The different approaches used by the payments industry to combat fraud are described, with a discussion of how new technologies and processes, particularly chip card-based technologies and processes, help to mitigate card-based fraud losses.

Personal Data of more than 14,000 Voters Missing

2009-11-18T08:23:00.004Z

A laptop containing personal data of more than 14,000 voters has been stolen from St Albans City Council, UK. The confidential data stolen includes the names, addresses, dates of birth, signatures and copies of postal vote application forms of about 14,673 people in Hertfordshire.

What has been actually found is that 4 laptops are missing from the offices in St Peter's Street, St Albans. However, 3 of the laptops contain no personal information. The fourth one had the above mentioned personal data concerning residents who applied to cast their votes by post at the last elections held in the district on June 4, 2009.

The Council is working with the Police and Northgate Information Solutions which manages their IT services, to investigate the matter.

ID theft is now a real concern and we are at a higher risk than ever before. Now and then cases of personal data theft are registered and police is finding it quite difficult to trace criminals in many such incidents.

Seriously, you have to be more vigilant while dealing with bank accounts and credit cards and especially laptops. The hackers are out everywhere, and whenever they find a suitable target they spend no time in capturing their valuables and run away without leaving a trace whatsoever.

Sarah Blaney, ID theft expert from CPP (Certified Protection Professional Group Plc) said: "All a fraudster needs is your name, address and date of birth to steal your identity to take out loans or even fraudulent bank accounts in your name". Consumers need to consider their options to guard against taking out identity, and they should also push for change to ensure that government departments toughen up their act.

Research published by CPP found that 6 in 10 Britons have been put at risk of ID theft by their employers' negligent approach to data security. As a result, British workers are calling for their bosses to be punished for data breaches. Out of 10, every 4 workers want companies to be fined and more than a 5th want employers imprisoned for repeat offences.

Only last week, the Information Commissioner’s office reported a total of 434 data breaches from organisations in the past 12 months, up from 277 last year.

Open Road Tolling System soon to roll out in India

2009-11-11T07:07:00.008Z

(picture of Salik: toll road system in Dubai, United Arab Emirates)

The Indian government will soon introduce RFID open road tolling (ORT) system across the entire nation. News has come from reliable sources that RFID used open road tolling system will start operating across all Indian highways by next year.

It is very good news for the highway users, as no longer will they have to stop for payment at every toll plaza. The Indian government too expects the new toll system will relieve highway traffic and reduce the amount of time commercial vehicles spend at the toll booths.

In India, at present, tolls are collected using toll booths, but under the new system, tolls will be collected using radio frequency identification (RFID) devices such as smart cards that will be tagged on vehicles that avail the system. And just like mobile phones, the smartcards will also come with pre-paid and post-paid options.

Pilot projects have already begun from 31st October for a period of 6 months on tolled stretches between Gurgaon and Jaipur, Panipat and Jalandhar and Surat-Dasihar. After the test results are out, Indian government will decide which one is best suited for India.

The transporters are very happy on the news of implementing such a system. “It will be a very good thing. Separate lanes for the new toll system will result in significant saving of travel time”, said Anil K.G., resident consultant of Bangalore-based logistics company Transworld International, that runs a fleet of about 150 trucks on a daily basis across India.

Indian Multi-purpose National Identity Card: A Flop!

2009-11-05T12:07:00.002Z

Pithoragarh, lying in the foothills of the Himalayas, is favourite among the tourists from all over the world for its cascading waterfalls, beautiful lakes and the age-old Indian temples. Now, this place has recently been in news for the slump of the Multi-purpose National Identity Card (MNIC) pilot project that was launched in this district.

The project was taken up by the Indian government with lot of enthusiasm and fanfare. The centre launched this project not only in Pithoragarh, Uttarakhand, but also in Karimganj (Assam), Kathua (Jammu & Kashmir), Kachchh (Gujarat), Jaisalmer (Rajasthan), West Tripura (Tripura), Murshidabad (West Bengal), Ramanathapuram (Tamil Nadu), Punjab and Goa. The major reason behind the introduction of this MNIC project was “to act as a deterrent for future illegal immigration”.

In the Pithoragarh sub-division, the project ran for 5 years (2004-2009) and finally got winded up on March 31^st this year. More than 60,000 MNICs were issued to the Indian citizens living there, according to NS Negi, District Magistrate, Pithoragarh.

This digital, multi-purpose national identity card was launched by the Registrar, General (Population), Government of India, after amending the Citizenship Act of 1955, to make this card mandatory for every ‘genuine’ citizen.

The reason cited by Chief Secretary of Uttarakhand, Indu Kumar Pandey behind the pulling off MNIC project from Pithoragarh is that the authority is soon going to publish new guidelines for the states to implement this project. And because of this, the old pilot scheme seems likely to be of no use and hence called off.

Now, regarding the numbers that’s already issued in the MNIC cards, Mr. Pandey said that those will be merged with the UID (Unique Identification) number and the new number given in UID will prevail.

RC Tiwari, DDO, Pithoragarh in-charge of this scheme in the Pithoragarh sub-division said that they have stopped entertaining any more applications for new MNIC cards, as no fresh set of instructions has come from the Indian Government.

Increased Percentage of U.S. Payments Fraud in 2008: A Report

2009-10-28T10:10:00.016Z

According to the March, 2009 AFP Payments Fraud and Control Survey:

1) 71% of organisations experienced attempted or actual payments fraud in 2008
2) 30% of survey respondents report that incidents of fraud increased in 2008 compared to 2008
3) 38% of organisations experienced increased fraud activity during the second half of 2008 as economic conditions worsened in the U.S.
4) 9 out of 10 organisations (91%) that experienced attempted or actual payments fraud in 2008 were victims of check fraud
5) Fraud via other payment methods include:
- ACH debit (28%)
- Consumer credit/debit cards (18%)
- Corporate/commercial cards (14%)
- ACH credits (7%)
- Wire transfers (6%)

Since 2005, the AFP (Association for Financial Professionals) has been examining the nature and frequency of fraudulent attacks on business-to-business payments as well as the industry fraud-risk tools that organisations use to control payments fraud.

The 2009 survey revealed that the majority of U.S organisations experienced attempted or actual payments fraud in the last year. The report also stated that its usually the large organisations that were more likely to have experienced payments fraud than the smaller ones. 80% of organisations with annual revenues of over $1 billion were victims of payments fraud in 2008 compared to 63% of organisations with annual revenues under $1 billion.

The above figure shows: Attempted or Actual Payments Fraud and Percentage Change from Previous Year (Percent of Respondents)

The typical loss for organisations with annual revenues greater than $1 billion was 59% higher than that for the smaller organisations - $15,900 versus $10,000. While the estimated median value of payments fraud steadily declined from 2004 to 2007, it increased from $13,900 in 2007 to $15,200 in 2008.

Median Value of Payments Fraud and Percentage Change From Previous Year

To get the detailed report, click on:
http://www.afponline.org/pub/pdf/2009_Payments_Fraud_Survey.pdf

Is there any permanent solution to end Cyber Crime?

2009-10-21T12:07:00.003+01:00

Cyber crime cases in India:
In India the cases of cyber crime has seen a significant rise. For instance, from only 9 complaints of cyber crime reported in Pune in 2003, it has jumped to 2007 complaints in 2008. The condition is almost the same in every major city of India. This year, the country ranks fifth among countries reporting the maximum number of cyber crimes, according to a report released by Internet Crime Complaint Centre of the United States.

According to a study, conducted in the University of Brighton, India is fast emerging as a major hub of cyber crime, as recession is driving computer-literate criminals to phishing scams for easy money. In India, China, Russia and Brazil, there is a particular concern over the growing rate of email scams and account takeovers.

Reported cases of spam, hacking and fraud have multiplied 50-fold from 2004 to 2007 in India. One report ranked India in 2008 as the 14th country in the world hosting phishing websites. With the booming of call centres in various parts of India, cyber criminal activities have been on the rise. Study of cyber crime brings in another shocking truth - majority of offenders involved in illegal activities are under 30 years of age.

The maximum cyber crime cases, about 46%, were related to incidents of cyber pornography, followed by hacking. In over 60% of the cases, offenders were between 18 and 30, according to the "Crime in 2007" report of the National Crime Record Bureau (NCRB). The report further adds that 217 cases of cyber crime were registered under the IT Act in 2007 compared to 142 in 2006, which shows a sharp increase of 50%. 17 out of 35 mega Indian cities have reported nearly 300 cases of cyber crimes, leading to an increase of 32.6 percent in a year.

The report indicates the city of Bhopal in Madhya Pradesh registering the highest incidence of cyber crimes under IPC sections, accounting for 87.8% of the total crimes in the country. Websense Regional Director for India and SAARC, Mr Surendra Singh stated that 2009 alone saw an increase in the number of malicious websites by 233% (and that too in the first half of the year). Overall, there has been an increase in 671% over the last one year.

Cyber crime cases in Japan:
According to a survey released by the National Police Agency (NPA), cyber crime cases in Japan have increased at a whooping rate by 15.5 percent year-on-year to 6,321 in 2008. The number of cyber crimes cases in the last year, included internet-related cases of threat, libel, illegal access and fraud and it was three times as many as that of 2004, when it was only 2,081 cases. Incidents of threats and illegal access have leaped by 90 percent and 20 percent, respectively, to 112 and 1,740, according to the survey.

China:
Authorities in China are reported to have made a series of arrests following an investigation of an attack that resulted in widespread disruption of the internet for users across the country earlier this year. On May 19th 2009, internet users across 6 different Chinese provinces reported that they were facing difficulties using the internet, suffering from slow access speed and finding some sites completely impossible to reach.

The first cyber crime incident took place in China in the mid-1980s, when the Chinese banking system was attacked. Through the 1980s and 1990s the growth of cyber crime in China was slow, but steady. However, the emergence of an unknown computer virus in the form of a malware program named, “Ping Pong” finally drew cyber crime to newer heights in the country.

USA suspects that about a quarter of the 4 to 5 million PCs worldwide have been infiltrated by Chinese hackers. Five years ago, a Chinese government survey revealed that in 2003, 87.9% of Chinese PCs connected to the Internet were infected, and most were still infected in 2004.

Bangladesh:
Bangladesh is not lagging behind in the number of cyber criminal cases. The country’s government plans to prescribe 10 years of rigorous imprisonment for those involved in cyber crime. Besides, the proposed law also provides for a Taka ten million ($14,300 approximately or £8,708.37) in penalty for breaking into computer networks and putting false and indecent materials online.

Malaysia:
More than 4,000 cyber crime cases were reported in Malaysia in the past two years. Cyber complaints mostly consisted of hacking threats, fraud, and denial of services and other computer problems of files lost or corrupted by viruses. The Malaysian police has received about 2, 000 complaints in 2007. In 2008, a total of 2,123 cases were lodged with the Cybersecurity Malaysia.

Prominent Users of Smart Card Technology for Network Security

2009-10-14T11:36:00.011+01:00

We became familiar with the concept smart cards since the time it was first used in France for mass payment in French pay phones in as early as in 1983. With time, the usability and benefits of smart cards have increased in various sectors of life. Smart cards contain chips that are increasingly used to store and match biometric templates. They are widely used in diverse fields like banking, retail, Internet, travel and entertainment, healthcare and so on. European countries and USA were among the first to implement smart card technology on an extensive basis. Nowadays, countries of Asia-Pacific and Middle East are using smart cards to make various payments online and for other such purposes.

It is stated that some four million US federal government employees have either a Personal Identity Verification (PIV) Card or a Common Access (CAC) Card. Both of these cards have a smart card chip embedded in them in order to provide secure logon. Private sectors are also not far behind with many blue chip companies like Pfizer, Boeing, Microsoft, Chevron, Caterpillar, P&G, and J&J successfully implemented some form of smart card-based network security.

As said before, smart cards debuted as a stored value tool for pay phones to reduce theft. But with various technological innovations and advancements in the field of smart card and contactless payments, people found newer ways to use them, including charge cards for credit purchases and for keeping records in place of paper. In U.S.A, consumers are using chip cards for everything from visiting libraries to buying groceries, car parking, laundry and enjoying movies.

Smart cards can greatly improve the convenience and security of any transaction and hence are increasingly used for providing digital security and protecting computer password. Smart cards also offer vital components of system security for the exchange of data throughout virtually any type of network. With the use of a single card, multiple transactions can be done (mobile payments, transportation, access control, e-government) quite easily and safely.

People worldwide are now using smart cards for a wide variety of daily tasks, which include:
1. Loyalty programs and stored value
2. Securing Information and physical assets
3. E-commerce and micro-payments
4. Health care
5. Physical access for all business employees and school and university students

Sleek and Portable Blueberry Smart Card Reader for IT and Mobile Users

2009-10-07T12:39:00.011+01:00

Smart card users already know that Research In Motion (RIM) has introduced their new version of wearable and lightweight BlackBerry Smart Card Reader. This 3.98” x 2.4” x 0.57” sleek and 2.26 oz. weighed smart card reader includes an enhanced paring system that supports numerous pin combinations and codes. You can easily lock your card from your device or PC when it’s out of reach so as to prevent it from falling into wrong hands. This new model of smart card reader can work seamlessly with your BlackBerry using the latest Bluetooth technology. BlackBerry smart card readers have been in use in various government offices and other companies since the year 2005.

This BlackBerry Smart Card Reader is multi-functional. It can be used to meet the operational requirements for multi-factor authentication with Bluetooth-enabled Microsoft Windows XP and Microsoft Windows Vista computers, BlackBerry smartphones, and for PKI applications, and also for secure web browsing. The reader is especially designed to help preventing unauthorized access to computers and BlackBerry smartphones. This lightweight, portable BlackBerry Smart Card Reader will help to enhance the authentication model for access control by introducing an additional proximity-based factor through an AES-encrypted Bluetooth connection.

Essential components in this BlackBerry Smart Card Reader:

Smart card: The BlackBerry Smart Card Reader supports all ISO-7816 smart cards, Personal Identity Verification (PIV) cards, Common Access Cards (CAC) and Safenet 330 cards

Smart card drivers: Software drivers must be installed for the BlackBerry Smart Card Reader to communicate with any smart card. Smart card drivers are available for Personal Identity Verification (PIV) cards, Common Access Cards (CAC) and Safenet 330 cards

Public key infrastructure: Access to a Public Key Infrastructure (PKI) is necessary to generate the user certificates that are placed on the smart card using the BlackBerry Smart Card Reader. The PKI can be in-sourced or outsourced depending on the needs of an organization.

BlackBerry Smart Card Reader provides varied uses for both IT and mobile users:

Meets strict public sector and IT requirements: The BlackBerry Smart Card Reader allows companies using smart cards to add additional security features to their devices

Enables easy use: This sleek and lightweight Smart Card Reader comes with a durable battery and Bluetooth technology that allows users to comfortably wear it on a lanyard

Increases security policy compliance: Greater convenience and comfort of using the BlackBerry Smart Card Reader makes the users to easily comply with various organizational security directives.

Manages security keys wirelessly through BlackBerry Enterprise Server: With the use of this Enterprise Server, the system administrators can gain additional control over the wireless environment to manage the lifetime of the security keys on the BlackBerry Smart Card Reader

Celebrating 60 Years of Cryptography: 1949-2009!

2009-10-01T09:04:00.006+01:00

It was on October in the year 1949 that the famous mathematician Claude Shannon published a paper on Communication Theory of Secrecy Systems. According to his employer at that time, Bell Labs, it was this paper that transformed cryptography from a mere art to a science. The date of the publication of the declassified version of the paper (the original one got published in September, 1945 as “A Mathematical Theory of Cryptography”), is believed to be the starting point of modern cryptography in the world. The “Communication Theory of Secrecy Systems” was printed in the Bell System Technical Journal in 1949.

To know more on the advent of cryptography, you can check out the link:
http://www.cio.com.au/article/319119/slideshow_cio_blast_from_past_-_60_years_cryptography

It contains a beautiful pictorial representation in the form of slide show of the past 6 decades of research and development in encryption technology.

Best Ways to Protect your Laptop at the Airports

2009-09-23T11:32:00.012+01:00

Laptops are dearer to travellers, both business and leisure, as they help to carry whole lot of sensitive and personal information of companies and other crucial data. With the rising number of laptop thefts at the airports, as I have already mentioned in my earlier post (“Over 10,000 Laptops are stolen at the US Airports every Week”), we really need to find out some ways to protect the laptops from falling into wrong hands.

One such way of protecting laptops can be keeping the device close to you at the airports. The survey made by Ponemon Institute has stated that every week about 900 laptops go missing at the Heathrow Airport in London, UK alone! Often business travellers find their laptop lost while trying to catch a plane or waiting to board. In most cases, the laptops get lost at the security checkpoints. Hence, the best possible way to deal with laptop thefts is to take this portable device everywhere with you, even if you are planning to go to the washroom!

Listed below are some best practices that you can follow to avoid laptop thefts:

Never check your laptop in as luggage. Laptops should be taken onto a plane as a hand luggage
Don’t use a branded laptop bag to make it obvious you are carrying one. Instead you can use backpacks or tote bags
Add identification to your laptop. For example, adding barcodes or name and e-mail address onto the devices
Attach bells and whistles that sound off after detecting laptop motion, in case it is stolen or lost
Try to use security products such as asset tracking software to trace your missing laptop
Be extra careful at security checkpoints and gates, as most of the laptop theft seem to happen there

Another point which is equally important is how to get hold of or track down a thief once he is in illegal custody of your laptop. I think a heavily password-protected machine will be of great help. Also, through the use of biometric technology your laptop can be well protected. There are also lots of new and updated security services available in the market today that you can take help of to prevent any such laptop mishaps at the airport or elsewhere.

Over 10,000 Laptops are stolen at the US Airports every Week

2009-09-16T05:31:00.012+01:00

With the widespread use of laptops by business travellers across the world, the chances of laptop thefts are increasing immensely. In a study sponsored by Dell, the Ponemon Institute has published a report on June 30, 2008 named ‘Airport Insecurity: The Case of Lost Laptops’ to understand the current risks posed to sensitive and confidential data contained in the laptops of business travellers.

The report stated that every week, an average of more than 10,000 laptops is lost at airports in the United States of America. Approximately 40% of these laptops are left at the security checkpoints, with another 23% being left at the boarding gate. Recovery rates of lost laptops are very low in most cases. Again people do not even try to get back their laptops of which half contains confidential, sensitive corporate information.

The study has also revealed that most laptops found have no owner identification marks on them. As a result even if the laptops are found they cannot be returned back to their owners. In spite of the cases of laptop theft and data hacking by information-thieves at the airports earlier, the year 2008 has particularly seen a boom in the number of laptops theft cases and data loss at US and UK airports and around the world.

Key findings by Larry Ponemon, in the first half of 2008, at 106 United States airports and over 800 business travellers was done to understand the frequency with which laptops are lost at airports and steps taken to protect sensitive information on corporate systems by the business travellers.

The results of the report are just shocking!

• Up to 12,000 laptops are lost at United States airports each week
• Between 65 and 70 percent of lost laptops are never reclaimed
• Most laptops are lost at security checkpoints
• 53 percent of business travellers surveyed carry sensitive corporate information on their laptops
• 65 percent of those who carry confidential information have not taken steps to protect their laptop while traveling
• 42 percent of respondents say they do not back up their data

For any further queries please check out this link:

http://www.dell.com/downloads/global/services/dell_lost_laptop_study.pdf

Microexpert Products Page

2009-06-25T11:36:00.022+01:00

What is Internet Protective Monitoring?

It's every director's nightmare, your most valuable customer database has ended up in your competitors hands. Even worse it was sent out from a computer on your network by a disgruntled employee. It could have been credit card data or medical records, it might even have been leaked by mistake.

Do you remember the United States of America V Randall Edward Schuster case?

Schuster made an unauthorised copy of his employer's customer database and attempted to sell the database to a competitor. Schuster accessed the database, copied it, evaluated it and then decided what information would be valuable to the competitors. Schuster then researched the competitors, contacted the potential buyers and mailed a portion of the database before negotiating the final sale of the database. After pleading guilty upon arrest and after appealing to reduce his sentence for mail fraud, theft of government property, and stolen property, Schuster received four months imprisonment, four months home confinement and two years supervised release.

Schuster’s punishment pales into significance compare to the damage done to the organisation. The loss of these sensitive materials meant that they lost potential as well as existing customers, acquired a tarnished reputation and gave an advantage to their competitors. Don't let any thing like this happen to you.

Internet Protective Monitoring is the application of techniques that inspect the contents of the packets of data flowing in and out of your network to the internet looking for any form of unauthorised activity. This includes inbound malware attacks from corrupt web sites as well as the leakage of sensitive information, perhaps in emails, such as credit card numbers or customer data files. Having detected such undesirable behaviour an effective Protective Monitoring system will at least alert the system owners to the security problem and with more advanced systems will actually prevent malware getting into your system or sensitive data getting out.

There are three ways of applying such Protective Monitoring (PM) techniques,

Install PM Software modules onto each of your computers linked to a common management supervisor
Install PM appliances linked to a common management supervisor at the internet access points of your network system
Divert all your internet traffic through an external PM monitoring and supervision system

Each method has its advantages and disadvantages. Installing intensive monitoring systems onto all your computers is not ideal because of the processing overhead incurred, just think about the effects of typical anti-virus software, however some activities such as USB memory stick dumps cannot be easily detected any other way. Diverting all your traffic to an external PM supervision system may incur the penalty of a single point of failure whilst the installation of local appliances may be an expensive overhead for complex networks. Microexpert offers solutions that adopt the best characteristics of all these techniques to minimise costs depending on your particular network configuration.

Protective Monitoring systems are a form of Intrusion Detection and Prevention Systems (IDSs and IPSs) which are increasingly relied upon as malware becomes ever more prevalent. These devices are essential to prevent certain types of attacks as they work along side traditional security barriers, such as Firewalls and Anti-Virus software, adding to the effectiveness of the existing countermeasures provided. Protective Monitoring however goes a stage futher in that it can detect the loss of sensitive data as well as detecting patterns of data behaviour from multiple sources even at different times.

Protective Monitoring systems are also able to record the events of any attacks and provide audit trails, allowing further investigation as required.

Protective Monitoring devices can be configured to protect (detect and stop) against:

The attempted introduction of malware
Attempts to breach access control systems
Leakage of sensitive information from within a corporate or domestic network (DLP, Data Loss Prevention)
Attacks against servers and network devices such as routers and firewalls
Unauthorised data in email
Unauthorised data in social networking sessions
Unauthorised web activity
Sending or receiving of pornographic material
Behaviour consistent with racism, sexuality or bullying
Paedophile internet grooming through social networking

The MirKatz Network Defence Units are designed to provide a rich combination of signature and heuristic technologies for Protective Monitoring in government, commercial and domestic environments.

MirKatz Network Defence Units

One clear example of protective monitoring in a natural environment is the altruistic behaviour shown by meerkats. Meerkats demonstrate altruistic behaviour within their colonies on a day to day basis. One or more meerkats will stand sentry (on lookout) whilst other members of the clan forage or play, warning them of any dangers that are approaching.

When a predator is spotted, the meerkat performing as sentry gives a warning bark, alerting the other members of the apparent dangers, allowing the members of the gang to run and hide in one of it's many bolt holes across their territory. The sentry meerkat is the last to run down the bolt hole and is the first to reappear from the burrow and search for predators, constantly barking to keep the other members of the clan underground. If there is no threat, the sentry meerkat will stop signalling and the others feel safe to emerge from the bolt holes.

In the same way that the meerkat demonstrates this altruistic behaviour dail, MirKatz offer a range of products to protectivley monitor networks in the Commercial and Domestic environments.

The MirKatz NDU-330 (Enterprise)

The MirKatz Network Defence Unit-330 (NDU-330) is specifically designed to suit the requirements of a government, financial or commercial environment. Apart from protecting the organisation against internet malware attacks the unit is able to safeguard valuable data such as employee details, customer databases and income & revenue details. The MirKatz NDU-330 device also allows authorised users full management capability.

The MirKatz NDU-330 device can be tailored to suit the needs of organisations in the government, financial and commercial sectors. The devices are currently available in English only, however if additional or alternative languages are required, please contact one of our advisors at Microexpert, where we will be happy to help you further.

For further information about the MirKatz NDU-330 device, please click on the link below, where you will be redirected to our MirKatz website:

www.mirkatz.com

MirKatz NDU-007 (Domestic)

The MirKatz Network Defence Unit-007 (NDU-007) has been specifically designed for the needs of the family in a domestic environment by safeguarding family members from the threats of the internet across the whole home network. In the same way as a meerkat sentry, the NDU-007 will alert parents of any undesired or unauthorised content exchange on the internet including bullying and themes of a sexual nature as well as blocking the compromise of confidential information such as credit card numbers and personal address data. The NDU-007 is particularly configured to detect internet grooming attempts by paedophiles. Parents can be alerted by email or SMS messages.

The MirKatz NDU-007 device can be uniquely created to suit the individual requirements of parents and authorised users in the domestic environment. The devices are currently available in English only, however if additional or alternative languages are required, please contact one of our advisors at Microexpert, where we will be happy to help.

For further information about the MirKatz NDU-007 device, please click on the link below, where you will be redirected to our MirKatz website:

www.mirkatz.com

Halifax Ghostbust After Trial Closed

2009-06-08T14:26:00.003+01:00

After over a month of eagerly awaiting and nail biting, the case brought to Nottingham Crown Court on the 30th April earlier this year has finally come to a close. The case had all Chip and PIN holders everywhere listening and watching the updates of the story as the first UK case to question the strength of the bank's security measures unravelled.

Alain Job, the 40 year old football coach for Basildon Town Ladies Football Club, brought forward a lawsuit with Halifax Building Society challenging Chip & PIN security after claiming that £2,100 disappeared from his account. The hearing, held at Nottingham Crown Court on the 30th April, lasted a day, with Halifax building society claiming that Mr Job had used his real card at an ATM machine and inferring that Job was either trying to defraud the bank, or he was grossly negligent in handling his card and PIN. However, due to the complexity of the case heard by the judge, the verdict took over a month for the judge of the one-day trial to deliver.

The judge of the trial has ruled in favour of the high street bank, Halifax in the country's first ever phantom withdrawal lawsuit. The judge based his ruling on printouts from log files to show that Job's real card had been used for the transactions and that the machine had not defaulted to reading magnetic-stripe data.

The suit was filed after two critical piece of evidence once held by Halifax were destroyed, including the original ATM card and the Authorisation Request Cryptogram that could have proved that the card's Chip had been read and authenticated by the machine.

Mr Alain Job says that he is currently studying the judgement before deciding whether he wishes to appeal the ruling.

“Emotional Hub” Data Backup

2009-06-01T16:42:00.006+01:00

A new Symantec survey has revealed that people are more likely to check the oil in their car than they are to back up valuable data. When you consider that computers are much more than working machines, they have become very much woven into our everyday lives as both 'life storage' facilities and 'emotional hubs' that contain our digital souls, it is rather surprising that we are so lax about backing it all up.

Despite the admittance to feelings of anger and upset when data is lost, the survey participants are quite clear about it. 34% make regular data back ups, and only 22% back up all of their data. Of the 1000 people Symantec surveyed, 38% said that they had lost files and the average replacement cost cumulated for a UK user when it comes to all the data on their PC, was a hefty £1258.

The mostly costly data to replace was video, worked out to £158 for all recorded TV content on an average PC, with home videos adding another £108 and for downloaded movies, £101. Household information beat off the music data in the replacements costing, with £85 on average for documentation compared to £80 for the tunes.

A strong emotional connection has also been confirmed by the Symantec survey. The huge ranges of personally significant files stored on the PC's are emotionally sentimental, with the loss of photos, personal information, financial information and work or academic documents being the most impacting upon our emotions. Lost photos were top of the list with 82% saying that they would be upset at losing these memories which is a shame as this is the most likely type of data to be lost. The survey shows that of the 45% who had experienced data loss some 48% had lost digital images.

Con Mallon, director of product marketing at Norton told us “Our relationship with our computers has changed in recent years. We now use them as the storage vault for priceless, unique files with huge emotional value, replacing the treasured photo albums, or the stacks of love-letters tied with ribbon. This is why I am concerned at people’s complacency: only 22 per cent of people surveyed backup all of their files.”

Laptop Owners Have "Gadget-Obsessed Lives"

2009-06-01T15:49:00.005+01:00

A recent study conducted by Credant Technologies has found that many people who own a laptop are browsing the web in their pyjamas for more than six hours a week. The survey revealed that more than half of UK workers are taking their laptop or other mobile devices to bed and are using them before going to sleep.

Credant Technologies, a data protection company, undertook the survey on 300 workers to uncover patterns of laptop use and security implications.57% of these confessed to spending at least six hours a week working on their laptops from their bed before they go to sleep. Most of them suggested that their partners found the habit "very annoying", with 8% of the offenders admitting to spending more time on mobile devices than talking to their partners each night.

44% of the respondents admitted to storing important work documents on their mobile devices and 54% of those devices lacked encryption, whilst one-fifth of the respondents acknowledged using wireless networks that aren't secure while they work in bed. The survey also revealed that 87% of respondents favour connecting to the Internet via wireless networks while in bed and 47% said they connect to wireless networks in hotels without thinking about security.

Michael Callahan, Vice President at Credant, said, “This survey confirms that there is a growing population that is no longer restricted by working hours or confined to the office building itself.” Callahan remarks, “People are mobile and will work anywhere -- even in bed. Therefore, when sensitive and valuable data is being held on these devices and they get lost, it can have pretty detrimental and far-reaching consequences to both the worker and their employer.”

Credant advised the 4 per cent of respondents who said the last thing they do before going to sleep is to check their e-mail messages and complete work to "take a long, hard look at their gadget-obsessed lives." The company also advised encryption of data stored on mobile devices, the use of strong passwords, awareness of all points of connection, turning off unsecured Bluetooth and Wi-Fi devices, and leaving the laptops behind at bedtime.

Phantom Withdrawals Halifax Nightmare

2009-04-28T14:10:00.018+01:00

Hundreds of Millions of bank account details have been captured over the last year. Now for the first time in the UK, a man will challenge Chip&PIN security over a phantom withdrawal. A new report has exposed the ongoing data-loss crisis has been helped along by criminal masterminds using increasingly innovative and sneaky methods of attack.

Alain Job, a 40 year old football coach, saw money disappearing from his account but maintains he always had possession of his card and didn't make a withdrawal. His original claim made to the Financial Ombudsman Service (FOS), which mediates disputes between banks and customers was unsuccessful back in 2007. Now, Job has decided to sue over the phantom withdrawal, questioning Chip&PIN security.

"Criminals have re-engineered their processes and developed new tools – such as memory scraping malware and have successfully executed complex attack strategies previously thought to be only theoretically possible and are actively cracking PIN encryption." revealed Verizon's 2009 Data Breach Investigations Report. The news is a result of its Underground Intelligence Unit's operations.

Personal Identification Number's (PIN's) are now the high value target of cyber criminals. Criminals implant internal rogue software to accumulate million's of PIN's an hour and often PIN and account information are sold over the internet to the highest bidder.

One of the methods being used according to the report to collect PIN's is to exploit the financial networks Hardware Security Module (HSM) switches. Worryingly the fraudster requires physical access to one of these switches to be able to collect PIN's.

Usually there is not a direct link between the ATM and the card-holders bank's verification system. The transaction data is bundled up in a encrypted data block and hops along HSM switches on way to the bank. To ensure no single party knows an overall encryption key a different key is used between switches and so the encrypted data block is decrypted and re-encrypted at each switch. Also the data block can be re-formatted at the switch to suit different financial devices and network schemas.

An attack has been documented by a computer student of Tel Aviv University as part of his masters thesis entitled "The unbearable lightness of PIN cracking". The author Omer Berkman describes exploiting the 'Translate' functionality of the box. This is a standard operation of the HSM and part of the Financial PIN Processing API, a 30-year old standard including all the functions for PIN verification, changing and reformatting.

The HSM hack

Prerequisites

Access to the HSM Switch
Non-EMV compliant operating ATM (magnetic stripe operation ATM)

The attacker makes transactions with any account number yet at this time he knows the value of the PIN. Once the encrypted PIN and account number data block reaches the HSM, he uses the translate function to change to a weaker data block format using a fixed account number. The attacker only needs 100 transactions and by using a cryptographic flaw in the new format the attacker can build a 10,000 entry look-up table. The attacker uses this table at the HSM to work out any subsequent PIN number.

Military grade encryption specialists, Credant Technologies have suggested a solution, this is to double the encryption by further encrypting the PIN between both end-points (ATM & Bank verification system). Vice President Michael Callahan said; "There is nothing to stop banks adding military grade encryption as an underlay to their existing HSM-based network encryption system and so ensuring their cardholders are safe from this new type of hacking exploit".

The Liability Shift

A lot of documentation on hacking payment systems has become available because of anger at the banks shifting the cost of fraud to the card-holder as a result of Chip&PIN.

Before Chip and PIN, magnetic stripe cards and signatures were used for authorisation, if a fraudulent transaction took place a cardholder could ask for the signature on the receipt be examined against a sample of their own.

Now banks refuse liability. "If you act without reasonable care, you may be responsible for them". Banks now can easily stamp card-holders with not taking enough care in keeping their PIN secret. Now only CCTV can refute the customer's involvement.

Academic institutes have been investigating Chip&PIN attacks. In the UK, Professor Ross Anderson of Cambridge University has been the most vocal, capturing the most media attention on this subject. Anderson and his team have been reverse engineering and documenting attacks on financial security systems for years. In the case of Chip&PIN they have even set-up a dedicated website to highlight the raw-deal card-holders are getting from Chip&PIN. (www.chipandspin.co.uk)

The Cambridge team's work includes;

(May 2005)- Chip and Spin;

The Fall-back Hack

Prerequisites

Non-EMV compliant operating ATM (magnetic stripe operation ATM)
Tampered PIN Pad

When a card is presented at an ATM or POS terminal whose chip has been damaged, or which never had a chip, then the device falls back to magnetic stripe operation.

Magnetic stripe card skimming is used to make a clone card, and a tampered PIN Pad records the PIN. The fraudsters then use the half-baked cloned card at an ATM which allows fall-back to magnetic stripe or in a foreign country where EMV is not supported.

The Offline POS Hack

Prerequisites

Offline Point of Sale Terminal

The fraudster goes to a POS which is not directly connected to the bank's verification system. The fraudster creates a half-baked smartcard using previously stolen account details. The fraudster's card is programmed with any PIN he likes. The card's authenticity is not checked until the POS goes online, in which time the fraudster is long gone.

Modern DDA (Dynamic Data Authentication) cards, have a challenge-response mechanism in which the offline POS can test for card authenticity.

(February 2006) - Phish and Chips;

The Smartcard Relay Hack

Prerequisites

Tampered PIN Pad/POS
A fake card with Bluetooth or similar

The victim pays for a small value item at the tampered POS;

"The smartcard data stream would go maybe via GPRS to a PDA in the crooks pocket, then to his fake card, and the captured PIN read out via a headphone in his ear. You think you're paying for lunch, but in fact you're buying the crooks a diamond!"

(February 2009) - Optimised to Fail;

Exploiting Card Readers for Online Banking

Prerequisites

Hostage

Card Readers for Online Banking may be used to assist during a mugging. Previously, muggers marched a victim to an ATM to ensure he gave them the right PIN. Now, with potable card readers, criminals have a portable device that will tell them if their victim is lying about their PIN.

Many of the more practical attacks exist because many foreign countries are not compliant with EMV and financial systems can be fooled into operating in a non-EMV fall-back mode.

Perhaps the solution would be to apply more pressure to speed up EMV migration and stop legacy payment methods.

One thing is for sure criminals are using ever more sophisticated ways of committing fraud. Banks should be more open to the more far-stretched hacks, especially as insiders are helping the fraudsters and older style cards without the necessary anti-counterfeiting measures are in circulation.

Alain Job, will challenge chip and pin security in the UK in a lawsuit with Halifax building society. This will be the first UK case to question the strength of the bank's security measures. Alain Job claims that £2,100 disappeared from his account whilst Halifax allegedly has evidence that Job's real card was used at a ATM.

The Hearing will be held at Nottingham County Court on 30th April, where many will be eagerly awaiting to hear the outcome of this case, and the conclusions resulting from the questioning of bank security.

Job v. Halifax plc (case number 7BQ00307) Trial Update

Halifax have refused to comment on the case, other than maintaining that it was Mr Job's exact card that was used to withdraw the money, inferring that either Mr Job tried to defraud the bank, or he was grossly negligent in handling his card and PIN. Halifax also highlighted that it would "vigorously defend" itself in court.

As a result of the complexity of this case, the Judge of the one-day trial said that it will take at least one month to deliver his verdict.

1st June 2009: There has been no further reports as yet to the Alain Job vs Halifax plc, however the Judge of the one-day trial is due to deliver his verdict in the next few weeks

6th June 2009: See "Halifax Ghostbust After Trial Closed"

From Playground to Internet

2009-04-22T15:44:00.011+01:00

It was discovered today that school children are being bullied not only in the school playground, but on the internet as well.

Cyberbullying is becoming increasingly worrying for teenagers worldwide as the numbers of those seeking help increase as the bullies take to the net.

Cyberbullying is a form of bullying that is caried out through electronic media by a minor to torment, threaten, harass, or otherwise target another minor. Internet services such as e-mail, chat rooms, discussion groups or instant messaging are among the key types of bullying seen, however Cyberbullying can also include bullying through mobile phones, text messages, pagers or belittlement through WebSites.

It has been revealed today that nearly 10,000 children each week are seeking help to cope with Cyberbullying. Backed by PM Gordon Brown, charity Beatbullying have recently launched a website aimed at children seeking support websites for advice after being subjected to abusive forms of Cyberbullying. The shocking results from the site, http://www.cybermentors.org.uk/ show the true scale of the cyberbullying problem for the first time.

Spokeswoman Emma Jane Cross said: "We are experiencing an overwhelming response to the launch of our peer mentoring social networking site - these are serious alarm bells we must act on." Emma then went on to say "bullyiing in any form is unacceptable, but sadly it is an issue that has only been propogated by digital innovations."

More than 600 teenagers have now been trained as CyberMentors to help their fellow classmates on-line. In the website's first breakdown of feedback, the charity have found that 52% of users stated that they had not had their problems listened to by anyone before, 64% of the users believed they felt better after using the website's mentoring system.

BeatBullying has revealed that a third of children are being CyberBullied, or which most of the victims are in the 11-18 year old age range with girls being four times more likely to be bullied than boys.

MoD Admit SAS Data Disappears

2009-04-14T09:13:00.021+01:00

The Ministry of Defence announced yesterday that details about SAS soldiers has gone missing after a laptop without encryption went missing during a recent exercise in Britain.

The laptop (similar to that above) was being used by the Signals Regiment, who are attached to the elite force based in Hereford. The discovery of the missing laptop was revealed by Military chiefs during a routine audit kit check, who also identified that details of top secret anti-terror training exercises were contained on the PC, and it is believed to hold information about the names of personnel taking part.

Sources have revealed that the computer holds sensitive information about the military and counter-terrorism manoeuvres within the Signals Regiment. In a statement, the source, who cannot be named for reasons of security, has added that "the soldier in charge of the computer is panicking. It is very embarrassing because keeping tabs on kit is the most important part of working with the SAS."

The Ministry of Defence have insisted that the missing laptop does not hold information about operations or details of weapons. A spokesman from the MoD has given a press statement revealing the opening of an inquiry into the possible theft of the computer and has also added "We can confirm that we are investigating the possible loss of a hard drive, containing only unclassified information which was being used on a training exercise." The spokesman then added, "We are carrying out our inquiries into what happened."

After the loss of many laptops last year, realisation that the British Parliament and the Ministry of Defence should put better enforcement in to place, or actually follow what they have promised to implement into their data security for the last four years. Whilst promising to fortify the measures of security, the MoD information is said to be protected and encrypted. However, it came to light that the Ministry of Defence loses around 15 laptops per month, through the loss or theft of computers and laptops.

At the beginning of October 2008, the UK Minstry of Defence acknowledged that three hard drives containing personal data of over 50,000 current and former Royal Air Force service personnel had been stolen on the 17th of September from a "double-secured" area of the Service Personnel and Veterans Agency's offices at Innsworth Station, Gloucestershire. These were also believed not to be encrypted, as the MoD had placed them in a supposedly secure facility.

Another investigation then was launched a week later, after the MoD acknowledged another loss of a hard drive, this time by the contractor EDS (now a Hewlett-Packard company), providers of IT services through the Department for Work and Pensions (DWP), the Ministry of Justice and the MoD. The hard drive lossed in this instance contained data on 100,000 members of the Britsih armed forces, including the details of next of kins, passport and National Insurance numbers, drivers' licence and bank details and NHS numbers. The hard drive also held the details of 600,000 potential recruits, including their names, addresses, date of birth and telephone numbers of the applicants. The details given by the MoD on the loss of the hard drive revealed a concerning uncertainty to whether the data had been encrypted.

On the 14th October, the Ministry of Defence admitted yet another lost computer. The lost drive's data held not "just" 600,000 potential recruits, but 1.7 million of them. In addition to this, the Mod also worryingly confessed that they were faily certain, like the other losses over the last 6 months, that this computer was not encrypted.

Although the Mod have insisted that the latest of data losses did not contain the details of the operations or weapons within the SAS, Shadow Defence Secretary Liam Fox said that the loss was "deeply concerning". He expressed this in a further statement: "Any loss of data of this nature is deeply concerning, especially if there are security implications." The Defence Secretary then went on to say, "We will want to know the full picture from the Ministry of Defence as soon as possible to ensure that neither civilians nor military personnel are at risk."

GhostNet Haunts Government Offices

2009-03-30T16:22:00.010+01:00

After a request to check whether computers from the Tibetan exile network were being accessed, the IWM acted by opening an investigation on Cyber Espionage.

The report conducted by the Information Warfare Monitor (IWM) comprised of researchers from SecDev Group based in Ottawa, Canada and the University of Toronto's Munk Centre for International Studies has been given the title of “Tracking GhostNet”. The researchers have revealed that over 1295 computers in 103 countries have been infiltrated by a suspected electronic spy network after carrying out a 10 month investigation into allegations that China were cyber spying against Tibetan Institutes.

Documents are being removed by the GhostNet spy network without any of the targets' knowledge. Methods of data penetration have included taking control of computers belonging to several foreign ministries around the world using malicious software, (a.k.a malware). This has enabled hackers to trigger microphones and webcams to gain access to sensitive information.

The troubling report reveals that the GhostNet has infiltrated government offices around the world, including that of Britain's Indian High Commission, news agency Associated Press and the International Chamber of Shipping. More shockingly, embassies of countries including India, Indonesia, Romania, Germany and Pakistan have also been targeted.

Evidence has suggested that an alarming 30% of the hosts infected by GhostNet are considered to be “high value” targets including those of international organisations and has also compromised that Tibetan Computer Systems seem to have the most amounts of hits, including documents of sensitive data extracted from the private office of Tibet's spiritual leader, the Dalai Lama.

Intellegence Chiefs in Britain are also warning of the exposure of our vital services the GhostNet has revealed. The cyber spy network have the capability to shut down Britain by brining a halt to critical services such as the power, water and food supplies. Alex Allan, chairman of the Joint Intelligence Committee (JIC), briefed members of the ministerial committee of the national security threat from China in the Whitehall meeting in January. Whitehall sources from the meeting led by home secretary Jacqui Smith, revealed that ministers "had not paid sufficient attention to the threat in the past", despite the warnings given from the intelligence services. The Whitehall report impacts the message by highlighting that although there is a low risk of China exploiting the capabilities, the impact of China shutting down Britain would be very high, and is "likely to bring Britain to a complete stand still."

The Tracking GhostNet report has gained no conclusive evidence that China's government are behind the cyber attacks, however the analysis from the IWM reveals that “numerous politically sensitive and high value computer systems were compromised in ways that circumstantially point to China as the culprit.” Beijing has also denied being connected or any involvement with GhostNet.

Attack Codes Breach Our Browsers

2009-03-27T16:18:00.009Z

Firefox browser's vulnerability has just been published by the Security researcher Guido Landi after an attack code was released on to several security sites on March 25th, revealing details of a malicious bug, targeting critical and unpatched flaws in Firefox.

It is believed that these flaws can allow attackers to modify the coding and use it to push unauthorised software onto Firefox user's computers, allowing more attackers to load themselves into Firefox as they have done in the past, prior to the release of the code earlier on this week.

Andrew Brandt, threat expert at Webroot, has been commenting on the recent attacks against Firefox. In a statement given to SC Magazine earlier on the week, Brandt expressed: “In the past few weeks, we've seen malware writers up the ante in their bets against Firefox.” Brandt later added that “two new spies came across the transom in the past week, and easily managed to load themselves into a freshly installed copy of Firefox 3.0.7.”

Developers at Mozilla have reportedly taken immediate reaction to amend the flaws uncovered by the newly published code and are expecting to place a patch for the flaw in the new forthcoming Firefox 3.0.8. However, the new 3.0.8 release of Mozilla Firefox is not due to be published until sometime next week, leaving users vulnerable to the hacker's modified codes and allowing unauthorised software to seep into PCs, damaging any applications that are on the station.

The news of the malicious bug in the code is one of many reports to hit the headlines in technology today, highlighting the issues that even web browsers are not as secure as users believe them to be. The last outbreak of hackers hitting web browsers was back in November last year, where Thunderbird 1.5.0.8 and SeaMonkey 1.0.6 were also affected alongside the Firefox 1.5.0.8 release. As shown in the November attacks, hackers are finding stronger ways to attack the internet, including that of crafting authentication certificates and impersonating as websites, email systems and browsers.

The security chief for Mozilla, Window Snyder, is now urging for Firefox users and those of similar browsers to upgrade to the newest versions to prevent user's PCs from being affected from the recent attacks. The new release of the Firefox is due to be released on 1st April, with a further upgrade, Firefox 3.0.9, looking to be released on 14th April.

Concerns over Child Protection Brought to Life

2009-03-26T16:05:00.010Z

Resulting from the meetings held yesterday (Wednesday 25th March 2009) in Brussels, the European Commission are setting out plans to toughen the existing legislation already in effect, from 2004 and 2002 respectively, for human trafficking and child sexual abuse.

The intentions announced by European Commission Vice President Jacques Barrot, responsible for justice affairs, regard adapting the 2004 legislation to include child sex abuses on the internet in a bid to punish those who are luring children through the internet with the purpose of sexually abusing them and watching child pornography on the web.

However, with 89% of the world population using the internet and over 92% of the world's children having on-line access, increasing numbers of parents are beginning to become more worried about their children surfing on-line today as new figures reveal the true extent and seriousness of these offences and many feel that little is being done to protect their children through monitoring the sites that they are visiting.

According to the International Labour Organisation, over 1000 commercial and over 500non-commercial child abuse content websites were found world wide in 2008, and an estimated 25% of these are mostly Peer-to-Peer (P2P). These numbers are said to be constantly increasing with the rapid changes to technologies available in the cyberspace, enabling more ways for Paedophiles and Human Traffickers to target and groom the internet today.

As reported from a survey run by security firm Symantec, UK parents alone are truly unaware how many hours children are spending on the net, underestimating the average per week by over 22 hours. The 2009 Norton On-line Living Report revealed that parents in Britain are among the worst to grasp how long children spend on-line, identifying that parents believed that their children spent less than 20 hours per week surfing the internet, where as the survey actually revealed that children are spending over 43.5 hours per week on-line.

With the internet looking evermore like the future for family communication and news, more and more children are looking and using unsuitable websites. With this key factor increasing the amount of time children are using the internet, parents are putting their children at higher risk by failing to monitor their on-line usage and safety.

America's Most Wanted host and co-founder of the National Centre for the Missing and Exploited Children, John Walsh (left), has been educating American parents on how to protect children from the dangers lingering on the internet. In a statement featured on The Balancing Act, an American Lifetime Television program, Walsh highlights the reasoning for bringing to light the education of parents to internet safety. "Children spend hours everyday on the Internet," says Walsh. "But most parents have no idea the scope of dangers that are lurking behind the computer screen." Walsh then adds: "It is imperative for parents to become security savvy and to know how to protect their child from unwanted contact by strangers, cyber bullying and more."

Another recent survey uncovered that 62% of parents today are unable to identify the contacts that their children talk to on-line, with 68% of those surveyed not even knowing which sites their children are visiting. These figures are alarmingly high in the UK, as many British parents are failing to supervise their offspring when they surf the net.

With little numbers of protective monitoring methods available today, social networking sites are being targeted by abusers and human traffickers to a greater extent, with a soaring concern for the amounts of personal details that are freely being given out on-line. The amounts of personal and highly intimate questions being asked to the nation's youth, along with unsolicited pictures breaching through children's profiles, are progressively on the rise. This is endangering our children further by allowing personal details to be freely handed out to absolutely anyone, including the strangers that these children are contacting on a daily basis.

With new found technology today, solutions are available (but the one I would like to mention) is the PM-007 protective monitor. This has come in the form of a small device which attaches on to the home network rather than computer software, which can bloat and cause instability on your computer. By actively monitoring internet traffic, one can block private data from leaving the home . Over time, analysis logs can be used to spot the coercion of paedophiles and other internet nasties, that may be trying to access and gain personal data from your network.

For more information about the PM-007 protective monitor device, or for any issues or queries you may have, please contact the Microexpert team.

Corporate Data Leaks Through Former Employees

2009-03-26T15:52:00.012Z

Through a current survey conducted by Ponemon Institute and supported by Symantec Corporation in February 2009, it has been revealed that 60 percent of former employees keep corporate data after employment has been terminated.

The results presented by Dr Larry Ponemon, rightfully titled “Data Loss Risks During Downsizing- As Employees Exit, so does Corporate Data”, disclosed that of the sample population surveyed, 20 percent of recipients are employees who left or had their job terminated in the past 12 months. After asking “Did you have access to your former company's computer system or network after departure or termination of employment?” alarmingly over 25 percent of respondents can regain access to their former employer's computer networks.

A similar survey composed by Cyber-Ark, the IT security group, also worryingly reveals that 58 percent of British workers are prepared to acquire confidential company data if faced with possible job termination and 40 percent of the people surveyed said that they were already removing confidential data.

Those that have responded to the surveys have also identified that the data being accessed after employment are being used to aid finding a new job, starting their own business or to accomplish revenge through the means of leaking company sensitive data to competitors and customers.

The databases of client and customers are the most likely forms of data to be stolen, but along with the financial services sector, business proposals and product information, they are at the most highest risk from employee data theft.

Many employees have many different methods for removing data from companies, the numbers increasing as the years go on. The opportunities for data removal are made easier on a day to day basis with an ever increasing amount of small devices, each having the capacity to hold many gigabytes of data and work.

The Ponemon Institute survey reveals that the main four means of information transfer used by employees when keeping proprietary data include taking and hand carrying files, downloading documents onto CD or DVD, downloading electronic files onto a USB memory stick or sending documents as an e-mail attachment. These are the most occurring methods used by former employees to gain corporate information, with 61 percent hand carrying the information upon leaving work, 53 percent downloading the information onto CD or DVD and 41 percent of data removal being USB Memory Sticks or access through the company networks.

The surveys that have been published of late all demonstrate the risks of trusted insiders using corporate and sensitive data, highlighting the importance for all businesses to use and become more responsible for information security management, as well as increasing the security of sensitive information by protecting more files from employees.

Without hardening the security surrounding these files, more employees and insiders are going to be able to leak information through the company to customers and competition, causing business reputations and e-assets to be blundered.

Products

2009-01-01T15:36:00.020Z

What is Protective Monitoring?

Protective Monitoring is where IT systems are protected with monitoring arrangements that are able to alert administrators of any unauthorised access. Protective monitoring can range from the appointment of team supervisors to technically sophisticated protective monitoring systems. Commercially sold protective monitoring systems automatically detect unusual patterns of information being retrieved or proprietary information included in outgoing (external) E-mail messages.

Protective Monitoring devices are being increasingly relied upon more as viruses and spyware (malicious codes) are developed further. These devices are essential to prevent certain types of attacks as they work along side traditional security barriers, such as Firewalls and Anti-virus software, adding to the effectiveness of the existing countermeasures provided. Through by passing or defeating the countermeasures in place, the protective monitoring system is able to record the events of any attacks and provide evidence trails, allowing investigation into any attacks that are suspected.

Although Firewalls and Anti-virus software are effective, the use of a protective monitoring system can prevent any new malicious code from entering your network or can prevent outsiders from accessing and withdrawing data on the network.

Protecive Monitoring devices have been designed to protect against unauthorised:

breaches of the network (computers linked to one area through internet)
attempts to access information within a network
exportation (withdrawal) of information from a network
import (entry) of information on to the network
breaches of integrity of information and services
breaches in availability of information
renunciation of action and responsibilities

D-007 (domestic):

The D-007 is a small protective monitoring computer appliance that plugs in to your internet broadband connection. This one device will not only save your computer from being cluttered by another piece of software, that may cause instability, but will monitor your whole home network, whether it is just one PC or even a home wireless network.

The D-007 has been specifically designed to analyse traffic on your network, detecting forms of unacceptable behaviour, such as exploiting personal data that leaves the network and prohibiting access by any means to undesirable content, whether it is copyright materials, violent or sexually explicit, and using behavioural algorithms that can detect possible grooming used by paedophiles.

The D-007 has been programmed to also alert authorised controllers about possible dangers such as children giving out personal information and can also notify when suspect “friends” start to home in on children. These alerts are sent to the authorised controllers by means of either E-mail messaging or through SMS text messaging.*

PM-012 (industrial):

The PM-012 runs the same way as the D-007 device works, however it has been more specifically designed for use in a business environment. The PM-012 has been programmed to monitor the usage of personal or sensitive data and prohibits this information from being accessed and withdrawn from outside the network or from being used undesirably by those inside the company network. The PM-012 monitors the usage of copyright materials and will prevent any data from these materials from being used outside of the network, enabling data to be kept more secure and prohibited from those who may try to gain this information.

As with the D-007, the device is able to notify the authorised controllers of any unwanted behaviour on the network, including that of indecent and explicit content and the removal of sensitive and corporate data. This device can be configured to block activities that are deemed to be unacceptable within the company, such as the use of FaceBook or Twitter, to which alerts will be sent to the authorised controllers when an attempt to participate in these activities occurs. These alerts are also sent through messaging via E-mail and SMS text* to the authorised controllers.

How Protective Monitoring Can Benefit You

Although Protective Monitoring could be implemented using software modules added to your computer, they can present significant problems to the machine and are vulnerable to the attacks from internal and external threats. This software can often clutter up PCs to the extent that the software in turn creates instability throughout the computer, causing your computer to crash or run inefficiently.

With the use of an attachable device, there is no need to have the software on a computer, allowing more stability to be kept, and also preventing the vulnerability caused by attacks from internal and external threats. Through having only one device installed on to computer networks, the protection of more than one PC can be increased and monitored, enabling the whole network, however large, to be safe from the risks of computer failure or attack. The Protective Monitoring devices are available for domestic and industrial usage, with an option to be connected with Tamper-proof connectors.

Please note that the D-007 and PM-012 are currently available only in English (UK). If any additional or alternate languages are required, please contact one of the consultants at Microexpert, where we will be happy to help.

How to Gain More Details and How to Order

For more information about the D-007 and PM-012 products, please contact one of our consultants via E-mail or Telephone on the contact details below:

E-mail: info@microexpert.com

Telephone: (+44) 1903 721 668

Alternatively, you can write to us at:

Microexpert Ltd

Suite 3, Anchor Springs,

Duke Street, Littlehampton,

West Sussex, BN17 6BP. ENGLAND.

* The SMS alerts are available as an optional choice by authorised controllers for a small annual fee. This fee currently stands at £29 per annum (including VAT), which covers the cost of the SMS messaging.

Services

2009-01-01T14:50:00.010Z

Training

Microexpert provide comprehensive training courses for people new to the field or those wanting to obtain more in depth experience of Smart Cards and their applications.

Smart Card Foundation Course

Microexpert are running Smart Card foundation training courses for people new to the Smart Card industry and those who want to achieve a rapid knowledge of the commercial and technical issues surrounding the use of Smart Cards. The session will cover the role of Smart Cards in major application areas, such as the financial, government, telecoms and entertainment markets, and provides an overview of Smart Card applications. The training courses will be given over four sessions in a single day. The courses will also cover aspects of security and PKI technologies as they relate to Smart Card applications. No previous technical knowledge is necessary.

For the Smart Card Foundation Course Brochure (Download File pdf):
http://consult.microexpert.com/foundationtraining.pdf

ITSO Foundation Training Course

ITSO foundation training courses are designed to provide an overview of the use of Smart Cards within transport and will in particular refer to the ITSO specifications. The training course will be given over four sessions in a single day. Our ITSO foundation training course aims to show the advances in technology, which will make inter-operability of UK Smart Card schemes possible. The training course will cover the general background to contactless Smart Cards, the security requirements surrounding the use of Smart Cards in transport applications, the architecture necessary to achieve an interoperable transport scheme and give an overview of current Smart Card transport schemes throughout the world.

For the ITSO Foundation Course Brochure (Download File pdf):
http://consult.microexpert.com/ITSOtraining.pdf

Custom Training Courses

A tailored course in any of the following fields are also available

Physical/Logical Access Control Systems
Biometrics/ ID Cards
Cryptography
Public Key Infrastructure
JavaCard
MiFare

Training Testimonials

“It was without doubt the most comprehensive and interesting training, which I have attended. I even surprised myself in that, not only did I fulfil my objectives in obtaining a rounded business-oriented understanding of the Smart Cards, but I now have a thorough understanding (for me at any rate) of the technical issues involved.” R.B.

Technical Downloads

Smart Card Tutorial(Download File .pdf)

This tutorial is designed to help people new to the industry to acquire a good technical background to the controlling technology.
http://www.smartcard.co.uk/tutorials/sct-itsc.pdf

Ant JCOP JavaCard Build Set-Up, For compiling, loading and deleting JavaCard Applets

The solution contains all the files you need to build and load a JavaCard applet onto IBM JCOP Cards or emulators. You must first have the IBM JCOP tools installed (see

http://www.blogger.com/www.zurich.ibm.com/JavaCard

Unzip the archive and read README.TXT for full instructions.

Download v1.1 updated files now:
zip (http://consult.microexpert.com/jcop-ant-v1.1.zip)
or
tar (http://consult.microexpert.com/jcop-ant-v1.1.tar.gz)

Protective Monitoring

We all know about anti-virus and anti-malware software, who would dare operate their PC on the internet without such protection? Commercial and government organisations are also well briefed in keeping their software up to date by installing the latest patches and most home users have the auto-update software installed on their PCs.

The truth is that this cannot protect you from the real dangers of the internet. No matter how well designed the software on your computer, there will always be holes that can be exploited by a range of attackers from the insider, a disgruntled employee at work or even your spouse at home, to the highly qualified team of hackers employed by organised crime or Foreign Intelligence Services (FIS).

The University of Toronto has reported (March 2009) that a Chinese spying operation has obtained sensitive informaprove that the Chinese government was behind the attacks (dubbed ‘GhostNet’) but they did note that the topics of interest included activities by the Tibetan independence activists. Denied of course by the Chinese government tion from more than a thousand computers in over 100 countries. The University specialists were unable to but these forms of attacks are now becoming well known and cyber warfare is becoming a bigger feature in information security.

The damage done to an organisation through even unintentional data loss can be severe enough to break the organisation. In 2005 CardSystems Solutions lost 40 million debit and credit card account details which resulted in the company going bankrupt in 2007. A recent survey by Ipsos MORI discovered that over 50% of account holders in the UK (about 23 million) would move bank if their bank lost their personal account details. The affect on the offending bank is incalculable.

It is not technically possible to have a perfectly secure system, there will always be flaws in the software or the combination of the software and hardware platform that makes up your computer system. By Everett’s Principle we know that there are many attacks on computer systems that cannot be stopped, but they can always be detected. This is the primary objective of Protective Monitoring, to analyse the interactions with our computer system to detect when some unexplained or prohibited behaviour is taking place and to alert the authorised controllers accordingly.

The UK government is well versed in the requirements for Protective Monitoring, which is documented in CESG Infosec Memo 22. The application of such techniques is mandatory in many sensitive government information management systems.

Some organisations employ Intrusion Detection Systems (IDS) to detect attacks upon their system, but Protective Monitoring takes this further by looking for attacks by insiders who may use the information systems quite normally to steal confidential data, which is subsequently made available to external parties. Other employees may use the computing facilities made available by the company in order to undertake tasks that would be in breach of the company’s security policy, sex and violence in emails or web sites for example. Others may spend a disproportionate amount of their day interfacing with social web sites such as FaceBook or Twitter.

It is easy to forget that it is the user of computer systems that needs to be protected. Most people and particularly young children would be inexperienced or unaware of the dangers of the internet jungle. Phishing where users are mislead into giving away sensitive information to hacker sites purporting to be their financial institution is, for example, a major concern. Today these same organisations are moving to the internet as the main method of communicating with their customers and that can only cause greater confusion and vulnerability for their customers.

Children are a particular vulnerability when it comes to the internet and it’s not only the downloading of inappropriate material, there have been numerous reports of young persons uploading material of a sexual nature sometimes in which they are intimately involved. Then there is the grooming of young persons by paedophiles, a threat that is regrettably on the increase. Another area of concern is bullying which can be quite prevalent with young people including girls. We tend to think of it as a physical attack but some of the worst cases of bullying are actually caused by psychological damage and here the girls dominate, ‘if you talk to her again you won’t be my friend any more’

Protective Monitoring is usually undertaken by inserting one or more network monitoring device into your computer system. In the case of the home, it can be just one device that seamlessly connects between your broadband modem and your home network, be it one PC or even a home wireless network. This Protective Monitoring device analyses the traffic on your network to detect the forms of unacceptable behaviour we have discussed. In the event of such detection, the appliance can arrange for the authorised controller to be alerted by email or SMS text message and it can even be configured to block the unacceptable activity.

Although in principle you could implement Protective Monitoring by adding software modules to your computer, they would however present a significant performance penalty to your machine and would themselves be subject to attack by internal and external threats.

The Microexpert Team

2009-01-01T12:58:00.008Z

Dr David Everett - Principal Consultant

David Everett graduated from Southampton University in 1976 and became Head of Electronics when he joined the Medical Research Council, Mill Hill, London. He was subsequently made Director of Computing and Electronics where his interest in coding theory and cryptography for the protection of data was stimulated. David founded Open Security Ltd in 1980, which was responsible for the design of tamper resistant cryptographic hardware modules that authenticated messages for CHAPS (Clearing Houses Automated Payment Scheme). He then went on to be a security consultant at EftPos UK from 1985 to 1990, where he was responsible for the security design of the first commercial product to use the RSA cryptographic algorithm. During 1990 to 2000, David worked as Technical Director at platform seven, a division of National Westminster Bank. David was the technical architect of Mondex, a concept for a Smart Card electronic purse and was also responsible for the design and development of a multi-application Smart Card operating system based on the use of a virtual machine in the IC chip known as Multos. David first proposed the use of a virtual machine for Smart Cards in 1985 whilst working on the ISO 7816 standard. He was awarded the IEE Ambrose Flemming award for the design of a Compton Effect gamma ray camera in 1978, and in 1984 the BCS Application Award for the design of a software protection system using enciphered code. David is currently the Technical Editor of Smart Card News Ltd. David is also a member of the CLAS (CESG Listed Advisor scheme).

Bill Reding - Smart Card Systems Consultant
Bill began his career at Barclays Bank in 1966, where he worked as a programmer on several major internal systems and customer-specific solutions. In 1976 he joined the Sema Group (then CAP, now SchlumbergerSema) as a consultant working on a wide range of tasks including feasibility studies, requirements analysis and design tasks, consultancy studies, project reviews, security reviews, systems and acceptance testing and project management. Clients during this period included American Express, APACS, Barclays Bank, DataCard, EftPos UK Ltd, Lloyds Bank, MasterCard, Mercantile Credit, Midland Bank (HSBC), Morgan Guaranty Trust, NatWest and Rank Xerox. Bill was also closely involved in the development of electronic purse projects (including Mondex) and the MULTOS operating system during this period. Bill joined DataCard in 2000 and has been an active participant in GlobalPlatform and other standards groups involved with the application of multi-application Smart Cards. He has conducted training to DataCard worldwide staff on Smart Cards, security and card management, as well as training external organisations. Bill left DataCard in 2002 and is now a Member of the British Computer Society and an Associate of the Chartered Institute of Bankers. Bill's areas of expertise are systems design and Multi-application Smart Cards.

Dr Keith Jackson - Smart Card Systems Consultant
Keith started his post doctoral career initially at Guys Hospital Medical School, London. He moved into data security when he joined Open Computer Security in Brighton to head the technical development for a range of products designed to provide the necessary security for inter bank financial payment systems, of which CHAPS (Clearing Houses Automated Payment Scheme) involved the secure transfer of billions of pounds on a daily basis. At Oceonics SPL, Keith was employed as Principal Consultant involved in the design, development, and manufacture of commercial encryption and authentication equipment. Keith was one of the consultants employed by EftPos UK, a company owned by the major UK banks, to implement a national EftPos scheme. The project was recognised for its innovative use of modern cryptography, including the first use of RSA in a commercial retail environment. In 1990, Keith joined the National Westminster Development Team, working on the Mondex electronic purse scheme, which used Smart Cards to implement a secure value transfer scheme. He developed the early demonstration system necessary to establish the core business case to the project sponsors. This involved working with the earliest Smart Card systems capable of implementing Public Key cryptography. Since those early days, Keith has been involved with many aspects of Smart Cards, including more modern multi-application Smart Cards. He is a prolific writer and has published numerous articles on fraud and security, including computer viruses. Keith has also co-authored several books on computer security, including “Computer Security Solutions”, “Information Services and Use”, “The PC security guide 1990/1991” and “IBM Systems Journal”, and was the sole author of a PC encryption book, “Secure Information Transfer- PC Encryption: A Practical Guide”, published in January 1990, and “Computer Security Reference Book”, published in January 1992.

Dr Susan Thompson - Senior Consultant
Susan has a PhD in Mathematics (Best Approximation in Normed Linear Spaces) and is an applied mathematician with over 18 years of experience in security and cryptography. She was with DataCard Consult P7 for 7 years, working on the design of cryptographic algorithms for projects such as Mondex and JavaCard. Previously, as Head of the System Security Group, Susan worked for Plessey Crypto on a number of technical assignments. She was also involved with the EftPos UK project, producing design specifications for security components and security procedures. More recently, Susan has been working with TNO TPD in signal and power analysis of Smart Cards, Biometrics and design methodologies for Smart Card evaluation, including Common Criteria.

Peter Hawkes - Senior Consultant
Peter has an impressive record of successful business development of new automatic identification technologies. These include Biometrics, Smart Cards and RFID tags. At BTG Plc, he was responsible for acquiring the invention rights in the Super tag RFID technology and then developing and exploiting it as the first true radio label system with very large scale applications.

The biometric projects began with the NPL's “Verisign” dynamic signature verification project of 1972. Following the successful licensing of this, Peter developed a licensing business for BTG in hand vein pattern biometrics. Later, he helped commercialise further signature biometrics from the University of Kent. The Kent software was the subject of the first public trial of biometrics in 1992.

Contact Us

2009-01-01T12:22:00.010Z

If you have a project you need advice on or there are any queries or concerns you wish to highlight, please feel free to contact the team at Microexpert.

You can contact us via E-mail, Telephone, or by Post, where we shall get back to you as quickly as possible.

Write to us at:

Microexpert Ltd,

Anchor Springs,
Duke Street,
Littlehampton,
West Sussex.
BN17 6BP.
ENGLAND.
Phone: (+44) 1903 721 668
Fax: (+44) 1903 734 318
E-mail: info@microexpert.com
VAT Number: GB 436 0920 63

Company Profile

2009-01-01T12:07:00.008Z

Identity Management

Identity management is concerned with the life cycle of the identity of subjects and objects and, by default, being able to prove this identity as and when required.
There is nothing new about the concepts of identity management and arguably is the basis of a community of which these entities are members.

Each entry must have a reference characteristic that is unique within the community to which they belong. It could be anything from a simple name to an 80 digit number, which would be enough to identify every atom in the universe.

Originally, individuals only ever existed in their own environmental community, a tribe of perhaps 100 people, where everyone knew everybody else. Over time this has expanded to the use of intermediaries for vouching identity, an employer or a banker's reference for example. Of course in some cases, this identity has to be established from scratch, when you move area for example.

But in all cases what is clear is that the identity only makes sense in terms of the relationship between two entities. The only difference is about how quickly you establish the trust that underlies a relationship. In the electronic world, these concepts have morphed into two approaches;

1. The eBay model, where you start from scratch and build up a reputation (under your eBay ID) that both parties (buyer and seller) to a relationship can freely observe.
2. The reference model, where some third party vouches for your identity. We tend immediately to think of Certification Authorities and digital Certificates but in actual fact our credit card is a form of reference ID. The bank takes on the role of vouching for our identity in a totally foreign community and providing the necessary (in this case) commitment to pay.

Payment Systems
Microexpert's consultants have been at the forefront of payment systems from Automated Clearing Houses (ACH) to low value cashless payments using contactless Smart Cards. In the Smart Card arena EMV (Chip and PIN) have dominated in recent years, but now we have seen enormous growth in contactless payments and numerous projects piloting Near Field Communications (NFC). We can work with you in all these areas.

Trusted Transactions
Trusted transactions rely on an end to end relationship between the participants. In the network world, these relationships are established over remote link that may involve many routers but from a security point of view, the transactions must be protected across the two end points generally assuming all intermediate points and links to be insecure.

The transaction will require some combination of security services:

Confidentiality
Data integrity
Entity authentication
Non-repudiation

These combinations are normally provided using cryptographic mechanisms. The user cannot create such techniques without the use of some cryptographic tokens, so it is additionally required to be able to bind the user to the tokens using password or biometrics.

The scheme must provide adequate assurance for:

Tamper Resistant Node Properties
Strength of Protocols and Mechanisms
Node Processing Integrity
Node Identification
User Binding (e.g. passwords or biometrics)

These properties are difficult to achieve in practice and we will be pleased to advise you on the best path for your particular requirements.

Secure Access Control
Access control is concerned with only allowing access to resources by authorised entities, which may be people or computer processes.

The resources may be physical, such as buildings and car parks, or logical, such as network access to a local or remote server.

Smart Cards in both contact and contactless mode may be used to secure control such physical and logical access. In essence, the Smart Card acts as an authentication token that can be bound to the user by (for example) passwords or biometrics. This provides what is commonly referred to as a 2-Factor authentication, the Smart Card token and the password. A cryptographic infrastructure, both secret key and public key, can provide the necessary level of assurance when combined with a suitable Smart Card chip.

Anti-Counterfeiting
Anti-counterfeiting is all about embedding a security object in the device to be protected. Traditional objects (e.g. holograms) can be visually checked while electronic devices such as contactless RFID tags are capable of machine interrogation.

The properties of the object are that;

It cannot be reproduced by an attacker
It cannot be transferred (i.e. from one device to another) by an unauthorised person
It's authenticity can be proved

Integrated circuit chips in various form factors can provide a whole range of solutions with varying security levels. Please contact us to discuss your requirements.

IPR Management
Sometimes products fail to meet expectations, on other occasions, issues arise surrounding the Intellectual Property Rights (IPR) of your product or a competing product. Microexpert can help you here, by analysing the relevant product and determining the cause of the problems or the rights of the parties involved.

We have specialists in all aspects of Smart Cards and cryptographic security. Microexpert can also provide Expert Witnesses for legal proceedings.

Clients
Below is a list of clients that Microexpert's consultants have been involved with, including how they participated in our clients' projects:

CHAPS (Clearing Houses Automated Payment Scheme, UK – Design and development of the cryptographic authentication modules used to protect the inter-bank financial messages. Today CHAPS passes over £100 billion pounds per day

Eurocheque Security Architecture – Design of cryptographic modules for protecting financial transactions

EftPos UK Security Design – Design of the security architecture for a national electronic point of sale scheme, which was the first commercial implementation of the RSA public key cryptographic system

Mondex – Design of the first totally transferable electronic purse system using an off-line secure Smart Card protocol

Multos – Design architecture of the first open platform virtual machine multi-application operating system for Smart Cards

AMEX – Development of a multi-platform Smart Card management system. The scheme can handle both Multos and JavaCard platforms

DataCard – Smart Card log-on and authentication system for Novel Network systems

About Us

2009-01-01T11:51:00.003Z

Microexpert is a part of the Smart Card Group of companies' and was formed as a security consultancy over 20 years ago in 1983. We have been active in the Digital Security arena for the last 15 years and continue to advise clients on using secure integrated circuits in the form of Smart Cards, Crypto Tokens and RFID Tags for a variety of business applications, ranging from transport tickets to payment cards and satellite condition access cards.

When it comes to developing new products, we are very aware of the potential problems facing industry. Project teams within Business Development often find that they are able to see far beyond the capability of their in-house IT department, which are already loaded with existing projects. Microexpert helps these project teams to remove the pressure of the situation.

Our consultants here at Microexpert have been involved in many national and international Digital Security projects, including the designing and production of the Mondex electronic purse scheme and being actively involved in the development of smart card management systems, one of which was developed by DataCard and brought by American Express. The most well known of the lightweight card management systems, was developed by the team at Microexpert., is the 'Rosco', which was designed for remote control of Smart Card applications and platforms.

Among the management systems developed in the projects aided and commissioned by Microexpert, we have also been using modern Public Key cryptographic systems to implement a security system for citizen cards. With identity and authentication being a core part of the Microexpert design infrastructure, the security designs implemented have been based around the use of the JavaCard, which effectively invokes a remote security session with the individual citizens cards. One implementation of the citizen card security system has been enforced by Aberdeen county council through their Accord Card.

At present, we have been expanding our key areas to include Protective Monitoring. With very little quantities of products available both industrially and domestically, we have opened a project to boost network and internet security through the protection and monitoring of private data leaving nodes (clients and servers).

With more and more exposure to data vulnerability and loss, Microexpert are currently developing Protective Monitoring devices, rather than software (as software can bloat and cause instability on computers), that can actively monitor internet traffic, blocking private data from leaving the home. The Protective Monitoring devices will also be capable of using analysis logs to identify the coercion of paedophiles and other internet nasties, that may be trying to access and gain personal and sensitive data from networks.

What can our consultants do for you?

The consultants at Microexpert are highly skilled in a wide range of key areas. These have included:

Smart Cards and Tokens, including the specialism of multi-application Smart Cards,
Chip and Pin (EMV) and payment systems
Biometrics/ Identity and Authentication
Cryptography
Public Key Infrastructures
Satellite Conditional Access Schemes
Protocol Design and Analysis
Software Design and Development
Network and Internet Security
ITSEC and Common Criteria security evaluation and certification