India Turns Down WTO’s Trade Facilitation Agreement

On August 1, the United States of America Secretary of State, John Kerry met the Indian Prime Minister, Narendra Modi for the fifth India-US strategic dialogue. Kerry appreciated Modi’s agenda of Sabka Saath, Sabka Vikas (cooperation of all,  development for all) but the forty-minutes meeting didn’t turn out the way it was expected.

India vetoed from the World Trade Organisation’s (WTO) Trade Facilitation Agreement (TFA), fearing that the country might have to compromise on its food security. Modi said that the developed countries should understand the problems faced by the developing nations. For instance, India has a challenge of feeding a huge population.
The US secretary of State responded by saying that faliure in signing the agreement has undermined India’s image and it sends a confusing signal.
In December, 2013 a trade agreement, called the Bali Package, was signed among all the WTO members (159 countries) in Bali, Indonesia aiming at lowering global trade barriers.
TFA, which is a part of the Bali Package, aims at reducing the bureaucratic obligations in import-export of goods among the signatories. But the problem with the TFA arises with the clause that restricts the agricultural subsidies to 10 percent of the total agricultural production. If the limit is crossed then other nations can impose a trade penalty for disobeying the rule. This clause is likely to have an adverse effect on food security in developing countries, as there are major issues like that of poverty and over-population.
India’s agreement to the TFA was based on the premise that developing nations would be provided with relief and no tax or penalty would be imposed till 2017. A permanent solution, according to the agreement, was to be later worked out.
India is now against the TFA because the 10 percent limit on subsidy is based on 1986-88 prices when the cost of food grains were much lower. This magnifies the already existing problem of limited subsidy. Also developed countries like US provide huge subsidies to its farmers, but developing countries like India have got restricted permission.
India now demands a permanent solution to the restricted subsidy issue, its stand being supported by China and some southern African countries as well. Whereas according to the WTO, subsidies that require the recipient to meet certain export targets, or to use domestic goods instead of imported good distort the international trade and affect the farmers of other signing countries.
It is well taken that the concerns of the developing nations is a valid one, but they are still forced by developed giants like the US. With India’s initiative of turning down the TFA, other developing countries might also join hands with India in its opposition to the agreement.

Read More

Microsoft issues Emergency Windows Update to Block Fake SSL Certificates

Today, Microsoft has issued an emergency update for almost all versions of Windows and also for Microsoft devices running Windows Phone 8 and 8.1 to secure users from attacks that abuse the latest issued rogue SSL certificates, which could be used to impersonate Google and Yahoo! websites.

A week after the search engine giant Google spotted and blocked unauthorized digital certificates for a number of its domains that could result in a potentially serious security and privacy threat, Microsoft has responded back to block the bogus certificates from being used on its software as well.

"Today, we are updating the Certificate Trust List (CTL) for all supported releases of Microsoft Windows to remove the trust of mis-issued third-party digital certificates," said Dustin Childs, group manager of response communications.

The fake digital certificates, issued by the National Informatics Centre (NIC) of India - a unit of India’s Ministry of Communications and Information Technology, were uncovered at the beginning of this month by Google's security team.

Microsoft officials warned the country's certification authorities as well as Microsoft, because the certificates issued by NIC are included in the Microsoft Root Store and so are trusted by a large number of applications running on Windows, including Internet Explorer and Chrome.

Yet, Microsoft is not aware of any kind of attack leveraging this issue, but millions of websites operated by banks, e-commerce companies and other types of online services make use of such kind of cryptographic credentials to encrypt the web traffic and prove the authenticity of their servers.

"These SSL certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against Web properties," a Microsoft advisory warned. "The subordinate CAs may also have been used to issue certificates for other, currently unknown sites, which could be subject to similar attacks."

The Certificate Trust list (CTL) update has been rolled out to all users who have automatic updates enabled, and for those who do not have the automatic updater of revoked certificates installed, Microsoft has released a patch that can be manually installed.

The emergency update addresses all Microsoft PC operating systems including Windows Vista, Windows version 8, 8.1, RT, RT 8.1, Server 2012, Server 2012 R2, and its Windows Phone 8 software. At this moment, there is no update available for systems running Windows Server 2003 to revoke the fraudulent certificates – Microsoft says it will issue an update as soon as one becomes available. Also Server 2003 support ends next year, but the company will provide a fix before then.

Read More

Android Vulnerability Allows Applications to Make Unauthorized Calls without Permissions

A major vulnerability believed to be present in most versions of Android can allow a malicious Android applications on the Android app store to make phone calls on a user’s device, even when they lack the necessary permissions.

The critical vulnerability was identified and reported to Google Inc. late last year by researchers from German security firm Curesec. The researchers believe the virus was first noticed in Android version 4.1, also known as “Jelly Bean.”

APPS CAN MAKE CALLS FROM YOUR PHONE

“This bug can be abused by a malicious application. Take a simple game which is coming with this code. The game won’t ask you for extra permissions to do a phone call to a toll number – but it is able to do it,” Curesec’s CEO Marco Lux and researcher Pedro Umbelino said Friday in a blog post. “This is normally not possible without giving the app this special permission.”

By leveraging these vulnerabilities, malicious applications could initiate unauthorized phone calls, disrupt ongoing calls, dialing out to expensive toll services, potentially framing up big charges on unsuspecting users' phone bills.

Android bug allows unauthorized users to terminate outgoing calls and Send USSD

The vulnerability can also be exploited to disconnect the outgoing calls, to send and execute :

• Unstructured Supplementary Service Data (USSD)
• Supplementary Service (SS)
• Manufacturer-defined MMI (Man-Machine Interface) codes.

These special codes can be used to access various device functions or operator services, which makes the problem a nasty one for those who value the data they store on their mobile phone.

“The list of USSD/SS/MMI codes is long and there are several quite powerful ones like changing the flow of phone calls (forwarding), blocking your SIM card, enabling or disabling caller anonymisation and so on,” reads the blog post.

Even the Android security programs, where apps without the CALL_PHONE permission should not be able to initiate phone calls, can be easily bypassed and offer no protection from these flaws, because the exploits have capability to deceive the Android permissions system altogether.

"As the app does not have the permission but is abusing a bug, such apps cannot easily protect you from this without the knowledge that this bug exists in another class on the system," wrote the researchers.

A large number of versions of Android are affected by the vulnerabilities. Researchers have found two different flaws that can be exploited to achieve the same ends – one that's present in newer Android releases and another that's found in older versions.

FIRST BUG - AFFECTS NEWER VERSION OF ANDROID

The first security bug, identified as CVE-2013-6272, appears to be introduced in Android version 4.1.1 Jelly Bean, and outlasted all the way through 4.4.2 KitKat before the security team at Google was able to fixed it in Android 4.4.4.

But, luckily only about 14% of users are currently updated to the latest version of the mobile Operating System. So, just think about it, How many users are currently in the grip of the flaws? Not less than a generous users open to vulnerabilities and attack paths.

SECOND BUG - AFFECTS OLDER VERSION OF ANDROID

The second security hole is wider in its reach, affecting both Android 2.3.3 and 2.3.6, the popular versions of Gingerbread variant which are used by lower-end smartphones, budget-style smartphones which continue to surge in popularity amongst emerging markets like those found in Brazil, China, and Russia.

The bug was fixed in Android 3.0 Honeycomb, but that was a tablet-only release that no longer even charts on Google's Android statistics. That means the bugs leave nearly 90 percent of Android users running vulnerable versions of the Operating System to dialer-manipulating vulnerability.

Researchers at Curesec have provided source code and a proof-of-concept demonstration app for both the bugs, so that customers can help themselves to test if their Android devices are vulnerable or not.

It is strongly advised to Android users those are running KitKat on their devices to get upgraded to the latest version 4.4.4 as soon as possible. It is expected that the device makers and carriers will soon roll out the updates in the coming weeks.

Read More