“If a company is providing telecom services in Indian, then all communications must be available to Indian security services,” a government representative told AFP. “If Google or Skype have a component that is not accessible, that will not be possible. The message is the same for everybody.”

The Indian government is also said to be wanting access to corporate VPN traffic. How they will do this without compromising the security of corporations is really up for debate.

I wonder if they will be trying to ban IronKeys next?

One benefit to using a hardware PKI token is that the signing keys are stored on the device, and cannot be exported or stolen. This means that stealing a certificate from a browser is not effective, as you also need the private RSA key to be able to use the client-side certificate to log into a website.

Conservative Member of Parliament Rob Halfon claims that the UK government is not doing enough to investigate privacy invasions by Internet companies. He warns that if government does not take more action to investigate Internet companies that are accused of privacy violations, the UK risks having a “privatized version of Big Brother”.

His comments come in the wake of concerns about Google’s StreetMap project that “inadvertently” mapped out the wifi spots of thousands of people.

Dan Raywood of SC Magazine interviewed me about privacy issues and data protection today here in London. You can read the full article here.

I will talk about the evolving cyber-crime threat landscape that is targeting users of online banking systems. I’ll also review various ways that banks can deploy solutions to help protect their users. I’ll look at various protection types for consumer banking versus corporate banking systems and online trading systems.

If you would like to attend the Infragard meeting, you can find more information here: Atlanta Infragard A-List Conference.

Infragard is a partnership of businesses, the FBI, educational entities and the National Infrastructure Protection Center. This alliance is designed to protect IT systems from hacker attacks and other intrusions by providing a network for sharing information, anonymously, about attacks and how to protect against them.

The FBI says that these spies not only used encryption to protect data on their laptops and USB flash drives, but that they also are suspected of using proprietary Russian-build steganography software to hide data inside images and other files on their computers.

Steganography is the technique of hiding information inside other documents or data, so that it cannot be detected. Combining steganography with cryptography can create systems of communications and data protection that are incredibly difficult to detect and to crack.

For example, imagine encrypting a data file using strong encryption, and then inserting that file as noise in the soundtrack or video stream of a large .wmv video file. Then posting that file to a website or sharing it on a bittorrent network for its intended recipients to download. If you communicate out-of-band (through an email or a phone call or SMS) to your recipients the name of the video file, and if there is a key sharing protocol (ie. they know the password to decrypt the data), then its highly likely that only that person will be able to know that the encrypted data is there, and be able to decrypt it.

If anyone else downloads the file, even using steganographic detection tools they are unlikely to detect the encrypted data. And even if they were able to extract it, they would still have to crack the encryption.

In fact, one wishing to communicate covertly would want other people to download the file, so that nobody monitoring networks can tell who the file is intended for.

In the case we are discussing today, the alleged Russian spies were detected sending data to known addresses of Russian government computers (we assume IP addresses). Using the technique I discuss, they would have been able to avoid such detection.

One other thing I found interesting about this article is that a 27 character password was required to access the steganographic data. Sounds like a great security measure to have such a long password. However, the agent wrote the password down on a piece of paper! In such a case, it would have been much more secure to use a shorter password that was more easily remembered.

Today IBM sent out an apology. It seems that the USB flash drives that they handed out were infected with autorun malware. Nice one, IBM.

They should have given out IronKey secure devices. IronKey Enterprise devices have anti-malware software and hardware and firmware protection against autorun USB malware.

This should come as no surprise. The ability to infect USB drives, and then spread onto computers on which those drives are used, has become a widely exploited technique in many malware packages. Perhaps the most famous case of such an infection was in late 2008 when such a worm, “Agent.btz”, infected sensitive Department of Defense computers. This led to a lockdown by the DoD of all removable storage devices until they could define a set of technical operating requirements to ensure that malware cannot spread onto and from removable storage devices.

IronKey worked with the Department of Defense, National Security Agency, and other bureaus to help define these technical requirements. Now these capabilities are available to Enterprise customers of IronKey devices. They include services such as built-in anti-malware scanning, intelligent hardware-based autorun tamper prevention, read-only mode, etc.

“The last eighteen months have delivered some of the most testing challenges to the global banking system. Whilst financial institution and businesses alike both struggle to emerge from a brutal recession, they’re now having to face up to a new threat which can potentially steal away their funds and corporate reputation with the simple click of a mouse.

In this article Dave Tripier, CMO of IronKey, explains how organised cyber crime rings have begun to target corporate banking transactions – and offers valuable advice to help banks and businesses to deal with this new threat.”

Read the full article here.

“In 2009, organized cyber crime rings began to shift away from massive phishing attacks against consumer banking users, and instead target bigger fish – corporate banking users. The cybercriminals use advanced malicious software (malware) to attack the computers of finance professionals in companies and government agencies. If a computer that is used to access a commercial online banking services becomes infected, the attackers can effectively take over the corporate financial accounts in real time by hijacking active banking sessions, and issue commands for funds transfers.

Symantec detected over 70,000 variants of the Zeus Trojan in 2009.

Documented losses to corporate banking customers from fraudulent wire transfers initiated in the USA by next-generation malware on corporate computers have ranged from $10,000 to over $1,000,000 per incident. Much of this money was successfully transferred to ‘money mule’ accounts overseas, and was never recovered. It is far more lucrative for cyber criminals to make numerous $9000 transfers from a single corporate bank account, than to try to hijack thousands of consumer-based accounts and make small money transfers. It is also reasonable to expect that online corporate banking fraud will track historical online consumer banking fraud patterns, and will grow dramatically over the next several years.”

Read the rest of the article at: Financial Services Technology Magazine.