CERT-In Flags High-Risk Security Flaws in Apple, Samsung Devices; iPhone, iPad Vulnerable to Exploits

Apple, Samsung and other smartphone manufacturers issue timely updates and security patches to keep their devices robust against various threats and vulnerabilities. Despite regular fixes, both iOS and Android platforms could fall prey to malicious exploits. The government has issued high-risk security alerts for users of both Apple and Samsung devices. The Indian Computer Emergency Response Team (CERT-In) has flagged severe vulnerabilities in Apple and Samsung products this week. The reported vulnerabilities could put users’ sensitive information at risk.

In an advisory issued December 15, CERT-In reported multiple vulnerabilities in Apple products. These vulnerabilities affect iPhone, iPad, Mac, Apple TV, Apple Watch and Safari Web browser. According to CERT-In, iOS and iPadOS versions prior to 17.2 and 16.7.3, macOS Sonoma versions prior to 14.2, macOS Ventura versions prior to 13.6.3, macOS Monterey versions prior to 12.7.2, tvOS versions prior to 17.2, watchOS versions prior to 10.2, and Safari versions prior to 17.2 are all facing high-risk vulnerabilities.

“Multiple vulnerabilities have been reported in Apple products which could allow an attacker to access sensitive information, execute arbitrary code, bypass security restrictions, cause denial of service (DoS) conditions, bypass authentication, gain elevated privileges, and perform spoofing attacks on the targeted systems,” CERT-In said in the advisory.

The nodal security agency, which comes under the Ministry of Electronics and Information Technology (MeitY), warned that two of the vulnerabilities reported, CVE-2023-42916 and CVE-2023-42917, could be exploited by malicious entities and urged users to update to the latest OS patches.

Additionally, CERT-In also issued a vulnerability note for Samsung products on December 13, flagging Android versions 11, 12, 13, and 14 on Samsung devices under high risk of threats that could allow attackers to bypass security restrictions, access sensitive user information, and run arbitrary code on the targeted system.

The vulnerabilities on Samsung devices could be exploited to access the device SIM PIN and send a broadcast with elevated privilege, among other actions. Samsung users can get the newest OS update on their devices, along with the latest security patch, to avoid falling prey to these threats.

Last month, CERT-In had warned of multiple security vulnerabilities affecting older iPhone and iPad models. In its vulnerability note CIVN-2023-0303 issued earlier in October, CERT-In had flagged security flaws that had affected older versions of iOS and iPadOS. The vulnerabilities affected OS versions prior to iOS 16.7.1 and iPadOS 16.7.1, according to the agency.


Affiliate links may be automatically generated – see our ethics statement for details.

Check out our Latest News and Follow us at Facebook

Original Source

Daam Virus That Steals Call Logs, History and Accesses Cameras Spreading on Android Phones, CERT-In Warns

An Android malware called ‘Daam’ that infects mobile phones and hacks into sensitive data like call records, contacts, history and camera has been found to be spreading, the national cyber security agency has said in its latest advisory.

The virus is also capable of “bypassing anti-virus programs and deploying ransomware on the targeted devices”, the Indian Computer Emergency Response Team or CERT-In said.

The agency is the federal technology arm to combat cyber attacks and guard the cyber space against phishing and hacking assaults and similar online attacks.

The Android botnet gets distributed through third-party websites or applications downloaded from untrusted/unknown sources, the agency said.

“Once it is placed in the device, the malware tries to bypass the security check of the device and after a successful attempt, it attempts to steal sensitive data, and permissions such as reading history and bookmarks, killing background processing, and reading call logs etc,” the advisory said.

‘Daam’ is also capable of hacking phone call recordings, contacts, gaining access to camera, modifying device passwords, capturing screenshots, stealing SMSes, downloading/uploading files, etc. and transmitting to the C2 (command-and-control) server from the victim’s (affected persons) device, the advisory said.

The malware, it said, utilises the AES (advanced encryption standard) encryption algorithm to code files in the victim’s device.

Other files are then deleted from the local storage, leaving only the encrypted files with “.enc” extension and a ransom note that says “readme_now.txt”, the advisory said.

The central agency suggested a number of do’s and don’ts to avoid getting attacked by such viruses and malware.

CERT-In advised against browsing “un-trusted websites” or clicking on “un-trusted links”. Caution should be exercised while clicking on any link provided in unsolicited emails and SMSes, it said. Install and maintain updated anti-virus and anti-spyware software, it suggested.

It also suggested that users should be on the lookout for “suspicious numbers” that don’t look like “real mobile phone numbers” as scammers often mask their identity by using email-to-text services to avoid revealing their actual phone number.

“Genuine SMS messages received from banks usually contain sender ID (consisting of bank’s short name) instead of a phone number in the sender information field,” it said.

It also asked users to exercise caution towards shortened URLs (uniform resource locators), such as those involving ‘bitly’ and ‘tinyurl’ hyperlinks like: “http://bit.ly/” “nbit.ly” and “tinyurl.com/”.

Users are advised to hover their cursors over the shortened URLs to see the full website domain which they are visiting or use a URL checker that will allow the user to enter a short URL and view the full URL, the advisory suggested.



Electric Vehicle Charging Stations Vulnerable to Cyber Attacks, Hints Union Minister Nitin Gadkari

Electric vehicle charging stations are also susceptible to cyber attacks and cyber security incidents like any other technological application, Parliament was informed on Thursday.

In a written reply to Lok Sabha, Union Minister Nitin Gadkari said the Indian Computer Emergency Response Team (CERT-In), which is mandated to track and monitor cyber security incidents in India, received reports of vulnerabilities in products and applications related to electric vehicle charging stations.

“The government is fully cognizant and aware of various cyber security threats and is actively taking steps to combat the issue of hacking,” Gadkari said.

He said as per the information reported to and tracked by CERT-In, the number of cyber security incidents during 2018, 2019, 2020, 2021 and 2022 is 2,08,456; 3,94,499; 11,58,208; 14,02,809 and 13,91,457, respectively.

Replying to a separate query, the road transport and highways minister said Rs. 147 lakh was disbursed as compensation to victims of hit-and-run cases in current fiscal year till February.

The ministry has notified the Compensation to Victims of Hit and Run Motor Accidents Scheme, 2022.

It provides for increased compensation to victims of hit-and-run accidents, Rs. 50,000 (in case of grievous injury) and Rs. 2,00,000 (in case of death) including detailed procedure for availing this compensation.

Replying to another question, Gadkari said the ministry has set a higher target of 12,200 km for construction of National Highways during current financial year as compared to previous three financial years.

“The target of construction of NHs for financial year 2023-24 has not yet been finalized,” he added.

The minister informed that there are 19 projects costing Rs. 21,864 crore which are delayed due to delays in land acquisition.


50 Government Websites Hacked, 8 Data Breaches in 2022: IT Minister Ashwini Vaishnaw

The Union Minister for Communications, Electronics and Information Technology on Friday informed Rajya Sabha in a written reply that 50 government websites were hacked in the year 2022-23. The minister was responding to a question seeking year-wise details of instances of hacking of Central Ministries/Departments and State Government websites since 2020.

In response to the parliamentary question raised by CPI MP Binoy Viswam, the minister said that as per information reported to and tracked by the Indian Computer Emergency Response Team (CERT-In), a total of 59, 42 and 50 websites of the Central Government Ministries/Departments and State Governments were hacked during the years 2020, 2021 and 2022 respectively.

“CERT-In has further informed it has detected and prevented 2,83,581, 4,32,057, 3,24,620 malicious scams during the years 2020, 2021 and 2022 respectively,” he informed Rajya Sabha.

Union Minister Vaishnaw further said that as per the information reported to and tracked by CERT-In, a total number of 6, 7 and 8 data breach incidents related to government organisations were observed during the years 2020, 2021 and 2022 respectively.

“There have been attempts from time to time to launch cyber-attacks on Indian cyberspace from both outside and within the country. It has been observed that such attacks compromised computer systems located in different parts of the world and use masquerading techniques and hidden servers to hide the identity of actual systems from which the attacks are launched,” he added.

The Union IT Minister further informed Rajya Sabha in a written reply that CERT-In coordinates incident response measures with affected organisations, service providers, respective sector regulators as well as law enforcement agencies. CERT-In notifies the affected organisations regarding cyber incidents, along with remedial actions to be taken. It also issues alerts and advisories on an ongoing basis regarding the latest cyber threats/vulnerabilities and countermeasures to protect computers and networks.

 



VPN Service Providers Raise Concerns Over Government’s Order, Set to Leave Country If No Options Given

Virtual private network (VPN) service providers are raising concerns over the government’s order under which it directed them to keep user data for at least five years and share records with authorities when required. Some of the major VPN companies including NordVPN are set to leave the country if the government does not provide them the room to serve their customers in a private manner. At the same time, legal advocacy groups are suggesting the government remove the requirements violating user privacy.

The order, which was passed by the Ministry of Electronics and Information Technology’s agency CERT-In last week and is coming into force from June 28, directs VPN service providers to preserve data including the validated names, email IDs, and IP addresses of their users for five years or longer “as mandated by the law” even after cancellation or withdrawal of their registration.

It also says that “all service providers” should “mandatorily enable logs” of their systems and maintain them securely for a rolling period of 180 days and the “same shall be maintained within the Indian jurisdiction.” The directive requires service providers to provide the logs to CERT-In when ordered or directed by the agency.

According to the order, it aims to help limit cybercrime and cybersecurity incidents in the country. Failing to furnish the information or non-compliance with the directions may invite “punitive action” under sub-section (7) of section 70B of the IT Act, 2000, and other laws as applicable, the government agency said.

However, VPN service providers — as their default model — offer paramount user privacy to attract customers.

“Surfshark has a strict no-logs policy, which means that we don’t collect or share our customer browsing data or any usage information,” said Gytis Malinauskas, Head of Legal department at Surfshark, in a statement to Gadgets 360. “Moreover, we operate only with RAM-only servers, which automatically overwrite user-related data. Thus, at this moment, even technically, we would not be able to comply with the logging requirements.”

Malinauskas added that Surfshark is still investigating the new regulations and their implications but has no plans to compromise on user privacy and aims to continue providing no-logs services to all of its users.

Similar to Surfshark, Nord Security — the parent company of NordVPN — is currently investigating the order passed by CERT-In in a surprise move.

Laura Tyrylyte, Head of Public Relations at Nord Security, told Gadgets 360 that it was exploring the best course of action and is currently operating as usual as there are still “at least two months left” until the order comes into effect.

“We are committed to protecting the privacy of our customers therefore, we may remove our servers from India if no other options are left,” Tyrylyte said.

India is one of the biggest markets for VPNs, considering the growing Internet censorship in the country, which is implemented using various technological methodologies, including DNS restrictions and TCP/IP blocking. In many cases, users have reported certain restrictions that are limited to some Internet service providers (ISPs), which can be overcome using a VPN service. The 2020 lockdown in the country also resulted in a significant growth of VPN services including ExpressVPN.

According to a report by UK-based VPN review website Top10VPN.com, India has been the second biggest market for VPNs globally, with as much as 45 percent of its total Internet user base relying on a VPN, as of 2020.

“While there are a huge number of VPN users in India, few VPN providers have a direct physical presence in the country, which will make it hard for authorities to enforce the new legislation,” said Simon Migliano, Head of Research at Top10VPN.com.

Service providers such as NordVPN do have their servers in India, per the details available on the Panama-headquartered VPN company’s site.

But nonetheless, Migliano said that there would be little impact on customers as they could simply connect to a VPN service based in another country.

“All in all, it seems highly unlikely that any legitimate VPN provider will comply with the CERT-In legislation as it is not only hard to enforce but goes against everything that they stand for,” the researcher said.

The order also directs service providers, data centres, and organisations to report cyber incidents to CERT-In within six hours of noticing them. This has been considered a positive move by legal advocacy groups including SFLC.in, given that the country is seeing a number of cybersecurity cases.

However, Mishi Choudhary, Technology Lawyer and Founder of SFLC.in, said that the requirements to register VPN users and linking of identification to IP addresses raised serious privacy concerns and should be removed.

“CERT-In cannot take away the right to use certain tools in the garb of cybersecurity,” she told Gadgets 360.

Prasanth Sugathan, Legal Director at SFLC.in, said that collection of excessive data about consumers went against the policy of most VPN providers and might result in some of them exiting the country rather than complying with “the cumbersome provisions” given in the order.

Legal experts find the directive ambiguous, as it does not clearly detail the implications for service providers.

“These directions came without any sort of public consultation,” said Prateek Waghre, Policy Director at the Internet Freedom Foundation (IFF).

He added that the order does not give any clarity on what the rules mean for VPN service providers and their operations in India.

“It’s also unclear whether the VPN service providers who are not operating an Indian IP will still be liable under the provisions of the directive,” he said, adding that the development would certainly add a layer of concern if any of these service providers have employees in the country.

In the recent past, restrictions focussing on VPN services were suggested by legislators. Telecom operators including Reliance Jio were also seen limiting access to some VPN services. Nevertheless, VPN users in the country have continued to grow so far.



India Mandates Five-Year Data Saving for Crypto Exchanges, Concerned Experts Foresee Corporate Upheaval

India has mandated a five-year data storage period for crypto exchanges operating in the nation. All virtual asset service providers will essentially have to store customer information they get via their KYC identification forms for Indian users. The rule also applies to all firms providing Virtual Private Network (VPN) services to Indians. The law has been brought in by India’s Computer Emergency Response Team (CERT-In). It also instructs concerned companies to report any threat or compromise to security networks within six hours of identifying it.

“To address the identified gaps and issues so as to facilitate incident response measures, CERT-In has issued directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents,” the government-backed agency said in a statement.

India has witnessed a healthy growth in crypto adoption. Last year, Tracxn data claimed that India already has close to 400 crypto-startups and 12 non-fungible token (NFT) players in the country.

Industry insiders have expressed concerns about the slew of corporate changes that are foreseeable because of this new law, at this point where the crypto ecosystem is still in its early establishment stages in India.

“I think this request from the government of India is extraordinary when it comes to the preservation of data for long, five years. So, I believe they have to completely change their business models if they want to comply with the new rules,” Anshul Dhir, Co-founder and Chief Operating Officer (COO) of EasyFi Network told Gadgets 360. India-founded EasyFi is a Layer 2 DeFi Lending protocol for digital assets powered by Polygon blockchain.

Sensitive data such as IP addresses with timestamps and time zones, transaction IDs, public keys, and wallet addresses have been named by the CERT-In in the list of information that digital assets firms need to store for five years.

Additional tracking data such as the nature and date of transaction along with details on the amount transferred have also been listed to be maintained and saved.

The CERT-In has justified its decision citing national security and cyber safety reasons.

This rule, seeking sensitive user information, could lead to a large-scale departure of customers from affected services, Kazim Rizvi, the Founding Director of Indian think tank ‘The Dialogue’, told Gadgets 360.

“The customer information sought under this requirement is sensitive and could deter consumers from availing the affected VPN, crypto, and Cloud services,” Rizvi said.

Many companies use VPNs to secure their systems and operations, and the rule places an additional burden on VPN players. As per Rizvi, a lawyer by degree, this law could deter them from operating in India, thus impacting the security of businesses and privacy of users in the nation.

The public policy entrepreneur has suggested that the Indian government refrain from “burdening” crypto, VPN, and Cloud players in the country.

“It is imperative that we refrain from placing additional burdens which may not help CERT-In achieve its objectives, while at the same time might affect the growth of relevant sectors in India. We believe the additional data collection may not be necessary for achieving the cyber security objectives. Also, for validation for customers, all service providers will have to develop additional infrastructure, which will increase costs of operation,” Rizvi added.

The EasyFi chief also seconded Rizvi in predicting that the CERT-In rule could be detrimental to the ongoing growth trajectory of the impacted sectors.

As per the Indian government, these directions will become effective after 60 days.

Along with crypto exchanges, custodian wallet providers have also been included on the list of virtual asset industry players that will be impacted by this rule.

India has been introducing new rules in order to keep transactions of virtual digital assets traceable. The government aims to curb potential misuses of digital assets for money laundering and terror financing.

The tax rules on digital asset transactions went live in India last month.

Days later, research firm Crebaco reported that the volume of cryptocurrency trading in India nosedived by up to 70 percent since the tax laws came into effect.

The country is not looking to give any tax relaxations or incentives to crypto players setting up the industry ecosystem. In March, industry experts had raised concerns about India’s restricted approach to the virtual assets industry.

