Sunday, October 12, 2014

Do Indian matrimonial sites guarantee the privacy of your most sensitive information?


I personally believe users of some of the Indian matrimonial sites face the risk of unconsented use of their sensitive personal information. When, I read the privacy polices of these sites, it felt quite apparent that there was a genuine lack of understanding as to what was needed to protect the privacy of the sites users. I would advise all users to first read the Privacy Policies of these sites to select a suitable one to use and to ensure the deletion of personal data when the matchmaking process is finished.
Users of matrimonial sites fully disclose sensitive personal information to make a match. Initially in the matching process their profiles remain anonymous, but as the selection narrows down, the level of disclosure increases as the parties interact on the site. Personal information includes a person’s name, email  address, sex, age, mailing address, credit card or debit card details  medical records and history , photograph, sexual orientation, biometric information,  interests, information tracked while navigation, horoscope and occupation.  If other services linked to the sites such as chats are used, the contents of these chats may also be recorded. Interestingly, some sites also allow users to submit public and private information on behalf of others like child, relative, and friends without their explicit consent.

Information stored on these sites is used for advertising and shared with partners companies. None of these sites stated what data was shared (I presume all of it) and for what purpose. Sites have to be transparent and obtain explicit consent of users on the way in which personal data is used. Under data protection laws, blanket permissions are not allowed.
Most of the sites were nonspecific about their process for deletion of personal information, in full or part, when requested by the user. One site stated that the deletion of information would take a long time because of residual copies on servers and could not guarantee their removal from backup systems.

What was left ambiguous was information on the sites mechanism to ensure anonymity of personal information at all times, except when the user consented to selectively disclose information to a selected match. While this is an implicit assumption, it was never explicitly confirmed. The two questions that came to mind was a) on how the employees of these matrimonial sites were authorized to access to the data and b) whether the data was secured using encryption. Reading through disclosure made by sites on their security mechanisms, my conclusion was that most of the sensitive data lies unencrypted (except for credit card information). Some sites openly disclaimed their inability to secure the data.
In event of a data breach, matrimonial sites would be liable to pay compensation or penalty under section 43 A of the Indian IT Act. To avoid penalty they need to prove that their security systems were adequate enough to secure sensitive private data. Without encryption, the ability to fully delete information and restrictions on sharing copies of personal data with advertising partners, it would be difficult to convince a court that reasonable practices were in place.

To reemphasize;
I would advise all users to first read the Privacy Policies of these sites to select a suitable one to use and ensure the deletion of personal data when the matchmaking process is finished.

Saturday, October 11, 2014

CyberCitizens logout of in country hosted messaging apps services


Instant messaging apps hosted out of a cybercitizens country of residence have become a favorite after fears that the home government could look into chat logs for evidence that may ultimately be used to prosecute the sender or receiver of the chat messages.  When the NSA PRISM spying episode unraveled, the loudest protests were from Americans.  A similar story appears to be playing out in South Korea where over 1.5 m users have abandoned their Korean messaging app service  Kakao Talk used by 70% of the population for the Telegram Messenger - an encrypted messaging service based in Germany, with no servers in South Korea. The secret chat technology ensures that the messages are not stored on the company’s server, self-destruct and are encrypted and therefore they cannot be handed over to law enforcement.
The underlying reason for the exodus has been the crackdown by law enforcement on people allegedly spreading rumors about the president of South Korea on Kakao Talk. Rumors were spreading due to the public discontent on the way the South Korean Sewol ferry disaster, where 304 people died was handled.

Cybercitizens seem to have more trust in foreign governments who have no apparent incentive to trawl their data. Receiving data from foreign sites even for genuine cases of cybercrime or harassment is an issue for law enforcement as they need to get appropriate court orders. Requests also have to be made before logs are deleted, these are usually retained for a limited time, usually a month.
Encryption is a two way sword it protects the privacy of the good and the bad. Terrorist, cybercriminals and other such elements can always use these apps. For this reason there will be pressure from law enforcement on any provider of encrypted communication to ensure that there is a way to decrypt the message. Encrypting a message which cannot be decrypted only protects the content of the message, other details such sender, receiver, attachment size, date and time, ip addresses (and hence location) of both sender and receiver would be still available.

Thursday, October 9, 2014

Conmen use fake matrimonial profiles to scam prospective grooms seeking arranged marriages


News reports of matrimonial scams are becoming increasingly frequent in India. Undertaken by lone operatives, these cons put up attractive fake profiles on dating and matrimonial sites to lure prospective suitors into online relationships, and then pry small sums of money from them. Once drawn into emotional relationship, the con asks for small sums of money to fund a medical emergency or a friend’s urgent need for cash. The sums are small enough not to arouse suspicion until the con vanishes. When a request for money is made after several months of building an online relationship it becomes difficult for the victim to exhibit a lack of trust by questioning the need for money or denying the request.

Participants on these online matrimonial sites exchange personal information during the get to know each other period. Personal information and pictures may later be used to tarnish reputation for blackmail or revenge. Most of these sites do not offer any validation or verification as to the authenticity of the profiles on the sites. It would not be appropriate to engage with any prospective suitors online without real world verification. Users of matrimonial sites should bear in mind that the conmen have a lot of patience and engage multiple victims simultaneously for months. A request for money is usually a warning indicator.

There was also the interesting case of a man suing a popular matrimonial profile for allegedly putting fake profiles of beautiful girls on their site to lure members to take a paid membership. When the man subscribed and found that none of the attractive girls seemed interested in his profile, he faked several profiles which met their requirements of an ideal groom and found a similar lack of response. This led him to conclude the profiles were faked, and besides having been cheated of the subscription fee, deprived him of his self-confidence.

Tuesday, October 7, 2014

Stalker Apps - the first arrest


In a blog I wrote four years ago titled “I can spy on your mobile and read your SMS”, I highlighted the fast growing mobile spyware product market producing stalker apps which monitor a victims’ phone calls, text messages, videos, emails and other communications "without detection" when installed on a target's phone. These apps were advertised as solutions to keep track of cheating spouses and to monitor the online activities of children. Obviously, there are a variety of nefarious ways stalkers, domestic abusers, cybercriminals, private detectives, and inquisitive colleagues can use the app for; such as corporate espionage, snooping on the private lives, and monitoring employees – all without the victims’ knowledge.
Use of these apps violates laws which mandate that any surveillance on individuals has to be done with a court approval and by law enforcement.  Over the last four years, these applications have become even more sophisticated with features that send alerts when a mobile phone crosses a certain geographic boundaries, records and forwards incoming and outgoing calls, forwards messages based on keyword triggers and even allows remote activation of the app in order to monitor all surrounding conversations within a 15-foot radius. These apps are available for all versions of mobile operating systems and messaging application such as SMS, WhatsApp and Email. The very fact that there are atleast four companies subsisting through online sales indicates that there is a thriving market place for these apps.

In what is a first, a US District court has arrested the founder of one such company and charged him with conspiracy, sale of a surreptitious interception device, advertisement of a known interception device and advertising a device as a surreptitious interception device.
While this is in itself is a positive development, much more activism is required from the judiciary and law enforcement to take cognizance of the many ways individual privacy can be compromised online using surreptitious devices or by misusing personal information without consent.

Saturday, October 4, 2014

Large data breaches enable sophisticated profiling making cybercitizens vulnerable to frauds


JP Morgan reported that 76 million households and 8 million small businesses were exposed in a data breach. The firm in a SEC filing disclosed that user contact information – name, address, phone number and email address – and internal JPMorgan Chase information relating to such users have been compromised. The immediate impact of the breach on cybercitizens may be limited given that the bank also stated that there was is no evidence that account information for such affected customers – account numbers, passwords, user IDs, dates of birth or Social Security numbers – was compromised during this attack.
What remain unexplained is the rationale behind the cyber breach and the value that cyber criminals would extract from it. Banks invest large amounts of money on security. JP Morgan would have done no less. This gives us a clue as to how determined and sophisticated the cybercriminal ring was. Cybercriminals operate for financial gain and apparently invested a lot of money to penetrate the bank. What we do not know is whether they successfully completed the acquisition of the data they wanted before they were found out, and if so, it would be apparent that the extracted data was valuable to them.
I wrote in a previous blog “Beware, your email id and possibly your password is with atleast one organized cyber-criminal gang” on how the large scale aggregation of personal data in large banks, egovernance services and popular service provider’s makes them juicy targets for cybercriminals and offensive nation state actors.
 In my opinion, the real value behind large data breaches is the enrichment of underground criminal data bases which profile cybercitizens. Such databases, built by accumulating personal data stolen from multiple breaches allow the execution of fraudulent attacks in a manner designed to bypass security mechanisms and existing methods of fraud detection. The pairing of information from two of the recent big US breaches, at JP Morgan (bank) and Target (retailer) would tie together a user’s credit card information with their home address thereby allowing cybercriminals using cloned credit cards to mimic buying behavior which allows their fraudulent use to go undetected for a longer-time or even provide sufficient information to answer user verification questions for call center services.  While companies notify stolen data mandated by law they may exclude details of other stolen data which may allow cybercriminals to contextualize each user – for example data on their financial status based on products subscribed.
Once a critical mass of user data is acquired, enriching the database by linking it with self-disclosed data found on social media is a simply task for criminal call centers. In the coming years these mature databases when used with sophisticated algorithms (which guess passwords for example), will be used to defeat existing security mechanism for password resets and fraud alerts creating a major challenge for the security of our online infrastructure.
 

Falling victim to fake lottery scams

The Audit - A funny take on how some employees view the importance of security audits

Friday, October 3, 2014

Launch of the LuciusonSecurity Security Awareness YouTube Channel

There is no better occasion than the  Indian festival of Dussehera which commemorates the victory of good over evil to launch the LuciusonSecurity Youtube channel which will feature security awareness talks, training and cartoons. The first video is a short cartoon titled “The Lottery” which highlights the plight of unfortunate victims who fall for the fake lottery scam.

Eleven Pledges a Good Cyber Citizen Should Take to Stay Safe Online


1.    I pledge not to cyber bully and act as an active or passive participant in cyberbullying. Wherever I see it, I will condemn it and inform my parents or teachers.

2.    I pledge to not make inappropriate comments on social media, blogs and websites because they are hurtful. I will ignore cyber trolls and their nasty comments wherever I come across them

3.    I pledge to not disclose personal information and pictures which may embarrass the person who sent it to me without their explicit consent

4.    I pledge to pressurize online service providers that use my personal data for advertisement and other commercial activities to act in a responsible manner which protects my privacy and dignity

5.    I pledge to pressurize online service providers to invest in security solutions that make their services, more private and secure. To show their commitment to strong authentication, transparent disclosures, data breach notifications and hassle free filtrations of inappropriate content.

6.    I pledge to not indulge in any immoral or criminal activity either for fun or profit such as the hacking of colleagues or partner’s social media accounts, sending anonymous insulting messages, harassing, posting pictures of sexual nature on revenge sites, stealing from online accounts of family members, selling household items online without consent or setting up online scams for quick money.

7.    I pledge to take onto myself the responsibility to ensure that my personal (and family) digital devices are made secure and kept free from malware. I will learn to set and keep configured minimum technical security controls such as software and patches.

8.    I pledge to take on the self-responsibility of protecting myself from cyber risks by keeping  aware of cyber risks and the means to safeguard against them

9.    I pledge to not fall victim to online solicitations from online scams the promise quick gains from money transfers, weight loss, international dating, lottery wins or whatever the enticing offer may be. Each time, I receive such solicitations, I will GOOGLE to verify their authenticity.

10.  I pledge to be a good cyber parent and to take on the responsibility of keeping my children safe online and to be their role model for ethical online behavior.

11.  I pledge to abide by my companies security policy and online code of conduct irrespective of my personal beliefs.

 

Thursday, October 2, 2014

Six Actions Cybercitizens can take as part of the National Cyber Security Awareness Month (#NCSAM)


The National Cyber Security Awareness Month (OCT 1-31) organized in joint participation between the public sector partners and the US Government is an opportunity for citizens to better understand  cyber security risks, cyber ethics and to own their part in the  collective responsibility  of making the Internet  a safer place. Reduction of cyber risks will not come about even after large cyber security investments, technology advances, improved laws and the best efforts of law enforcement. It will only occur if cybercitizens use situational awareness and common sense as they go about their digital lives. 

Start now with Six Simple Actions to keep you safe

  1. Start a family discussion on cyber risks that every member may face when they connect to the Internet.
  2. Audit the security measures on your digital devices. Ensure the antimalware program is updated, the latest operating system (Windows, MAC) patches are applied and each device is password protected using a strong password.
  3. Immediately reset passwords to online accounts that are not strong or unique to each service.
  4. Self-pledge to think before you post, email or message personal information and pictures that may damage your reputation if widely publicized
  5. Keep and offline back-up of data stored on the cloud.
  6. And if you are a parent, accept the additional responsibility of understanding cyber risks that your children face, the means to mitigate them and to be their guide to online safety. Get started with my short primer titled "Keeping your child safe online".

Program and participation details for NCSAM are available at the following link www.dhs.gov/national-cyber-security-awareness-month

Tuesday, September 30, 2014

Shell Shock vulnerability in UNIX discovered after thirty years hits core infrastructure


The last few days saw frenzied remediation of a critical vulnerability called Shell Shock which allows a hacker to fire remote privileged commands to UNIX servers. UNIX is an integral part of the core Internet infrastructure, and BASH (the shell which is vulnerable) is a well-used program. The program has been in use for the last thirty years before the flaw was recently uncovered.

A remote compromise simply means that websites, cloud services and internal datacenters are all vulnerable to cyber-attack either from malicious insiders or if accessible remotely, from cybercriminal across the globe. Such attacks result in data theft, downtime and outright wiping of data from these servers. Given the nature of BASH, there is the fearful possibility of automated exploitation of the vulnerability using a small piece of mobile code called “worms” which travels over the network infecting servers.

The good news for most cybercitizens using the Windows operating system is that it is not affected and therefore home networks which use Windows based laptops and desktops are relatively safe. Apple has released a patch for the Bash vulnerability for its OS X Lion, Mountain Lion and Mavericks software. Mac users are advised download the Bash update and patch their systems. Apple had earlier advised that OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services.The bad news is that most online services are built on UNIX and unless they are patched quickly a potential breach would affect a cybercitizens security and privacy. 

Most of the large service providers will take quick steps to assess their vulnerability and ensure remediation with available patches and other countermeasures.  This should reduce the risk to most of the services cybercitizens commonly use. Cybercriminals will attempt to exploit the time to remediate by targeting vulnerable and financially lucrative systems. Therefore for system administrators and security professionals it is literally a race against time. For cybercitizens, who own Apple Mac’s the patch should be quickly installed.

There are multiple core vulnerabilities yet undiscovered or undisclosed, which in future will have an overriding effect on the resiliency of the networks and services that form the Internet. These exist due to the difficulty in security testing products, assumptions on the secure nature of mature products and as we are all well aware, due to governmental action which requires pre-installed backdoors or weakened security defenses :- such as in the case of data encryption.

Cybercitizens should be aware that core vulnerabilities are a lurking problem that may surface as targeted attacks on large companies at any point in time, and will most certainly be used during a proxy or cyberwar. Governments today, maintain a war chest of similar vulnerabilities.

The only tip that I could possible offer is to keep an offline copy of the data or transactions stored online. Paper back-up of critical documents may seem archaic but seems to be a good idea.

Sunday, September 28, 2014

1.2 billion Indians need cybersecurity education in the next five years


Mid 2013, the Indian government in its Nation Cyber Security Policy outlined the need for India to create half a million security professionals to protect and assure its digital assets.  A policy focus of this magnitude necessitates the introduction of cybersecurity postgraduate programs in India’s higher education system and a larger fund outlay to promote academic research in security.  On the cards are venture funds to aid entrepreneurs invest in the local manufacture of indigenous telecom and security products, in an attempt to try and tap Indian IT talent to create a new industry sector.
While the economic need for security professionals to protect a strong and vibrant economy is a reality, with 1.2 billion Indian’s online we face a much larger social challenge to minimize security risk and instill ethical use. Citizens will engage in online social activities like games and social media, e-governance, personal communication, ecommerce and much more.  A digital India will comprise at least 5 billion individual owned digital assets online – now called the Internet of Everything – these include Internet connected refrigerators, microwaves, thermostats, net nannies, cars, wearables, health device and so on. All which are to be secured by each cybercitizen on their own.

State intervention in personal online security will be a daunting task. Today we face challenges in drafting legislation and in gearing up the law enforcement and judicial system to deal with infringements. Training of the Indian judiciary and law enforcement is itself a huge challenge. The numbers are at the minimum a 1,00,000 policemen and judges to provide the very basic investigation and forensic assistance at every police station and court house.
The greatest risk to a large citizen owned digital asset base is twofold. The first is the exploitation of unprotected or inadequately protected assets by cyber criminals. Compromised assets are used to steal money from cybercitizens themselves as well as a staging point to launch attacks on others.  The second and more importantly are the security issues introduced by the non-ethical and unsafe use of social media and technology by young Indians.

There is no doubt, a young India will immensely benefit from the opportunities that cyberspace brings and that we should gear up to openly embrace its spread and use. But, at the same time we need to instill in every Indian a culture of cyber ethics using traditional Indian values and the ability to protect themselves online. Online, as there is no attribution, no valid authenticity to digital content and crime being global, the opportunity for manipulation by exposure to content such as pornography, radical ideologies, divisive political elements and advertisement is immense.
Cybercitizens themselves, and not politicians will have to shape the future of this new world. A world which at minimum requires every school to have cyber-safety and ethics courses as part of their curriculum. A few awareness lectures will not suffice. We need to instill deep values in our children. More importantly given the divide between parents who grapple to use the Internet and their children who are digital adepts, attention has to be paid to the cyber safety education that parents receive to help them guide and be good role models to their children. Unfortunately there have been many cases where adults set a bad example themselves through their online comments and actions. For parents wanting to understand the basic of cyber risks  and their prevention faced by children, please read my short awareness course titled "Keeping your child safe online".

The Internet of the future will be all pervasive and bring in opportunities for children of all ages. Let us not fritter it away by not preparing our children to use it safely, securely and without fear.

Saturday, September 27, 2014

How to recover money if your credit card was used to make a fraudulent online purchase


To make an online credit card purchase cybercriminals must have knowledge of the information on the front and back of the credit card, namely expiry date, cardholders name and CVV number. Online, it does not matter whether the credit card used the stronger chip and pin technology or the old fashioned magnetic stripe as the physical card is not needed.

Credit card information is a highly perishable asset in the underground market whose value is largely determined by its validity, and enhanced if additional information such as the owners buying behavior and home location is known.  Stolen credit card data is sold in batches using dedicated websites or forums to criminal outfits which either resells them in smaller batches -, much like a retail supply chain comprising of producers, distributors and resellers. At each stage the buyer may resell the same information multiple times. With time the value of the cards drop as the percentage of non-valid cards in a batch increase. To validate if a card is active; criminals use a process called “carding”. Carders will take a batch of stolen credit cards and attempt to use them to make small low-value purchases to verify the card works.

The continued spate of data breaches is a clear indication of the thriving market for credit card information. Once stolen, criminals normally are in a race for time to extract as much money as possible, usually within the first few weeks of a breach.  They exploit two time windows; the first between the actual theft and the victimized company notifying its affected customers and the second is the time taken by a notified card owner to deactivate it. The entire window of exposure from theft to card deactivation can range from between a few weeks to months. Data breaches are just one of the ways by which thieves get hold of credit card details; information could be obtained from normal use at stores, hotels, copies we make for visa’s applications and so on.

To facilitate a more secure online experience credit card companies have instituted an additional authentication measures called 3D Secure which requires a user to enter a preregistered secret code.  Unfortunately, getting past this additional authentication mechanism is not difficult as the cybercriminal could easily guess the code; reset it with publicly available information such as the credit card holder date of birth and mother’s name or as in most cases phish the information.  Very recently, the system seems to have been made more secure using a One Time Password sent directly to a mobile phone instead of having to enter a passcode. One lacuna is lack of an alert if an incorrect password was entered, which would indicate a criminals attempt to use the card online. While the OTP system is much more secure it can be compromised if your phone becomes infected with sophisticated malware designed to pass on such SMS’s to cybercriminals, but it will negate the value of bulk stolen data in underground markets.

The best way to protect against fraudulent losses is to maintain vigilance of transactions made and to swiftly block the card the moment a fraudulent transaction occurs. In India, credit card companies send a SMS alert to the card owner each time a transaction is made. If that fails, the next option is to scan the monthly credit card statement. Quick deactivation of the card helps to curb losses and to claim insurance.

Choose a credit card where there are few caveats and hassles to claim a refund for fraudulent transaction is a good idea. When signing up for a card, it is always a good idea to find out what the fine print reads when claiming a refund.  Most of these come with caveats, for example the value of the insurance, valid time to make a claim, in some cases the refund is applicable only if the fraudulent transaction is reported within 24 hours or if the card was previously reported as stolen.  Insurance payouts may be higher if transaction used 3DSecure authentication and some insurance companies may allow you to claim within 15 days of receiving your credit card statement. Most require that a police complaint is filed.

While the main intention behind this article was on online fraudulent purchases, in countries which still use magnetic strip cards, the stolen data is used to clone cards which are then used to make in store purchases. Chip and pin users are safer as the technology is difficult to clone. In many countries no alert is issued through SMS. If you are aware that your card was stolen, then report it immediately. The other advice remains the same as in online frauds.

Monday, September 22, 2014

Four ways your password is hacked by criminals and your best friend


Compromise of authentication credentials to gain access to online services is the weak link most often exploited by cybercriminals and casual hackers. Empowered with the genuine authentication codes the cyber intruder usually abuses the stolen identities to earn money through money transfers from Internet Banking accounts, online buying and selling, or cashing gaming points. The casual hacker is usually known to the account owner and hacks for fun or for revenge planting fake posts on social network sites, viewing personal pictures or reading personal emails.

Authentication Credentials are exploited in fours ways:
  1. Passwords that are simple are easy to guess or crack using tools by cyber criminals. The secret questions used to reclaim a forgotten password in many cases are easier to guess than the password itself. If these passwords were reused on other more important sites, the cybercriminal gains access to those services too. To avoid, these types of attacks, cybercitizens should use strong passwords and difficult to guess secret questions and not reuse them. 
  2. In large data breaches the entire password database was stolen by the misuse of privileged access rights by trusted insiders, compromised administrative authentication codes or via an application flaw. In this way the cyber intruder obtains a large bulk of passwords which are used to compromise accounts on the affected services as well as on other services where the password may have been reused. To avoid these types of attacks, cybercitizens should regularly change their passwords, not reuse them and if notified about a breach immediately change the password.
  3. Sophisticated malware that has been unintentionally downloaded as part of free software or during a visit to malware infected sites helps steal authentication credentials from user devices.  Such malware intercepts user credentials when the user logons to online services. Sophisticated malware besides stealing authentication credentials can intercept one time passwords sent from financial sites via sms, which when used in conjunction with spoofed sites are highly effective in compromising a user’s financial transactions. Cybercitizens should install a reliable antimalware product that blocks malicious sites and filters malware. Though not foolproof, it helps reduce the risk. To avoid spoofed sites, it is best to check the ownership and validity of the SSL certificate by clicking on the padlock in the address field of the browser.
  4. Passwords, in many instances are naively handed over to cybercriminals impersonating law enforcement officers, bank officials or even as IT support. Cybercitizens are tricked into believing that these requests to share passwords come from genuine and authoritative sources.  To avoid such types of attacks cybercitizens should never share their passwords, as no organization will ever ask for them by phone or mail.

Saturday, September 20, 2014

Why countries where porn is illegal do not ban Internet porn sites?


It is quite well known that except for a very few countries that allow it, in most others the creation, distribution and consumption of pornographic content is not permissible. Actually, it is illegal and usually punishable with a prison sentence. Governments which allow porn, benefit from the 100 billion dollar or more Internet pornographic industry.
Today, the concept of soft porn which raged in the eighties no longer exists; it has been replaced by what we call sensual advertising. What is easily available on the Internet is hard porn showing erotic fantasies and sometimes violent or abusive sexual acts. Most of the pornographic sites do not even have the mandatory age notification and directly host hard porn on their home page. The ill effects of pornographic content on impressionable young children, starting from as early an age of eleven, are well known. Normal relationships and sexual acts are redefined, and as a consequence unnatural sex such as anal sex is on the rise.  It is a documented statistic that such acts reshape the perception of women in society and have led to a rise in cases of sexual misconduct and violence.  

Mobile phones and fast internet connections are making it easier for children to consume porn at odd hours, in schools and colleges and everywhere else. Entrepreneurial shopkeepers in India have seized on a business opportunity to sell preloaded memory cards with downloaded pornographic content to their customers who do not have an Internet connection. Instant messaging apps have made it easier to sext- sending nude or seminude selfies to partners. In many countries a nude selfie would actually contravene the law and one taken by an underage child would invoke the harsher penalty of child pornography.
Most companies rely on content filtering technologies and strict penalties to block pornographic sites. They are quite successful in blocking porn use with the added benefit of limiting exposure to malware that is normally found on illegitimate sites. Similar technologies, though not fool proof, can block the casual user from stumbling on pornographic material. Most countries have already mandated their telecom service providers to install technology to filter Internet sites based on court or government directives, as it is difficult to shut down sites hosted on Internet servers in other countries. True, these filters can be bypassed by proxies and there is the difficulty of pinning down the addresses of fast moving illegal pornographic sites but it would still restrict usage. Porn censorship will certainly limit the use of pornography, much in the away that prohibition cuts down alcohol consumption, though it still remains available through a thriving black market.

Personally, I believe the big reason why governments fail to censor is because of the assumed effect on their vote bank. Young voters in the digital age consider paramount their “freedom of expression online”. In reality, most of these digital citizens are themselves concerned as to the ill effects of pornography and would endorse any attempt to filter these sites, provided the decisions to filter are made transparently.

Wednesday, September 17, 2014

Terrorist and antisocials use Twitter to spread their ideology, spark hate or to gain notoriety


Militants from Islamic State (Isis) are so dependent on broadcast sites like Twitter that they recently threatened to kill Twitter employees if they continue to shut down their accounts used for propaganda. The group use hashtags of major events such as the World Cup to disseminate pro-Isis content, in addition to using various Isis-specific hashtags. Hashtags such as #WorldCup2014 allow Twitter users to easily search for related content.
As cybercitizens increasingly use closed group instant messaging channels like WhatsApp for their private conversations, twitter still remains a favorite public broadcast medium for extremist groups who propound their ideology to gain more recruits or to establish legitimacy, politicians who generate hate campaigns to polarize and gain votes, and individuals who deliberately write sensational comments to draw attention to themselves.

The ability of Twitter to police rogue usage is minimal. Many times their posts fall in “grey” areas of offensive versus inoffensive content, making it difficult to moderate. In most cases, deletion or inactivation of accounts happens much after the damage has occurred. This does not prevent the perpetrators from establishing alternate or slightly different twitter id’s to resume their propaganda.  Most of these rogue accounts cannot be acted upon by law enforcement because those countries from where they operate do not have effective law enforcement or they do not consider it a crime yet.

Inciteful posts have high impact, and are often unsubstantiated. Being public broadcasts they rapidly go viral and reach a large global audience. Posts such as those sent by ISIS have been effective in influencing youngster to join their ranks from across the world. Youngsters, taken up by these messages sign up for a cause from which there is no return even when the harsher realization dawns.

Governments, have an active interest to not bar these tweets, as they form a rich source of real-time information, in many ways more useful than covert intelligence. Sympathizers in countries with effective law enforcement may put themselves into trouble, if they draw attention through retweet or likes.  Of late, governments have attempted to spread counter messages to negate the effect of these broadcasts.

Monday, September 15, 2014

Indian Internet Addicts: Boy stabs mom for cutting internet access while another finds a Facebook Mom


It takes shocking incidents to bring to fore what is a rapidly growing problem with children; a predisposition to the excessive use of the Internet while avoiding studies, social interactions and physical activity. Recently in the Indian city of Pune, a 15-year-old student addicted to the Internet turned violent and tried to attack his teacher mother with a kitchen knife when she tried to take away his smartphone. The student spent hours on different messaging platforms and had around 500 friends, most of whom he had never met in person.  He even borrowed money from nearby shopkeepers to recharge his mobile. The boy was so addicted that after being taken for counselling he stripped naked in protest at the hospital and threatened to harm himself if his net access was taken away.
Online chatting offers children a way to escape emotional problems and they start to think that these online friends care for them more than their parents. Imagine the confusion last week in another part of India, when a twenty year old decided that an elderly nurse he met on Facebook was his “mother” and wanted to swap his real parents for her. The Facebook mom landed up at her “son’s” door, to add to the confusion of his parents, where he clasped her hand and expressed a desire to go with her.

According to Indian psychologists and child counsellors there is a 40 per cent year-on-year rise in the number of Internet addicts aged between 8 and 18, driven by the easy access to technology, peer pressure and messaging apps.
The most common form of Internet addictions are cybersex, online gaming, and cyber-relationships.

  • Cybersex is the compulsive use of Internet pornography and adult chat rooms. 
  •  Cyber-Relationship addiction is an addiction to social networking, chat rooms, texting, and messaging. 
  • Online Gaming  addiction is compulsive online gaming with virtual friends and currency. 
To find out is your child is vulnerable to Internet addiction, watch for these behavioral changes:

  • Becomes irritable or agitated when time online is interrupted. In the case of the Pune student he turned violent, threatened to harm himself and even stripped naked.
  • Withdrawal from activities that involve socialization with real people. Most addicts isolate themselves from people and spend most of their time with virtual friends
  • Spends a lot of time online at all or odd hours. Addicts constantly message driven by the urge to respond to their online constituency instantly. They carry their phone everywhere even to the toilet.
The only way to prevent such situations is to build an open relationship with your child, while limiting technology use, constantly watching for signs on addiction and to the extent possible supervising online behavior.  At the outset, set the rules of Internet use clearly distinguishing between productive Internet use for homework and nonproductive use such as social networking. Timely intervention could help prevent and reduce cases of Internet addiction

Friday, September 12, 2014

Speaking@I5Talks on Building a cyber-resilient & secure cyber space for industry and cyber citizens


It was a great delight to speak at the Tenth Edition of i5 Talks on “Building a cyber-resilient & secure cyber space for industry and cyber citizens " organized by Tech Mahindra.   The talks brought together insightful perspectives from the leading lights of the Indian security industry in vibrant talks and panel discussions. Speakers included eminent CISO’s, entrepreneurs, researchers, bloggers, consultants and hackers. I spoke on the three big risks to cyber security and resilience. The first was, what happens to a nation if the power grid is shot down by cyber-attacks and fails for long durations, the second demonstrated how exposed cyber citizens are due to the ubiquitous and seamless use of cloud storage and thirdly, the high level of organizational skill and investment, cyber criminals put in to commit high value cybercrime on financial institutions. A short summary of the speakers and their takeaways are:

Aseem Jhakar -  Director , Payatu Technologies
  • Lack of communication between the hacker community and the industry is a big problem. Hackers are seem as untouchables except when they are needed he most
  • Bug bounty trends are increasing and rewards are sufficient to sustain a hacker’s income
  • Industry has maligned the word “hacker”. Today, the word and community is associated with criminals.

Vishal Salvi Chief Information Security Officer, HDFC
  • Companies need to transform and build a new security architecture to meet new and emerging threats
  • Industry competitors need to collaborate to build secure supply chains to ensure that common suppliers do not skip investing in security
  • Agile security should be the new paradigm. The current models of reacting to incidents or building defense in depth is too slow to combat the spate of attacks
  • Security is today beyond CIA and assets – looks towards the business

Keith Prabhu, Chairman, Cloud Security Alliance, Mumbai chapter
  • We need to brave the risks of using the cloud by using secure technology. We cannot go back to the bullock cart age because cars today are unsafe
  • It is a matter of time before we see the first big attack on a cloud provider. They are a big target that cybercriminals cannot ignore
  • The case of a refrigerator sending spam, is simply the tip of the iceberg as far as the Internet of things is concerned

Dr Zia Saquib, ED CDAC
  • The Indian Government is researching on the use of alternate protocols to IP for setting up our secure critical infrastructure like nuclear stations
  • The Indian Government has allocated large funds to the enhancement of IT and security

Shomiron Dasgupta, founder NetMonastery
  • Entrepreneurship is difficult and needs perseverance
  • Signal protection will be the next security wave

LS Subramaniam CEO NISE and Blogger
  • Consumer education is a must to thwart cloud risks as they are easy prey for social engineering attacks

Puneet Garkhel, Head-Fraud Risk Practice, Mahindra Special Services Group
  • Many miss the gorilla in the room when focusing on routine tasks
  • Fraud happens because enterprises miss the obvious


Monday, September 8, 2014

CLOUDSEC 2014 Internet of Everything CNBC Telecast

For those who missed attending Cloudsec 2014 at Mumbai, CNBC TV 18 has put out a 30 minute condensed version with the main messages on Youtube.  Cloudsec 2014 brought in expert perspectives on the security of cloud services and the fast growing Internet of Everything


Life-sized celebrity nude pictures draw attention to artist XVALA’s Internet privacy campaign


There was public outcry when the Los Angeles artist XVALA, nee Jeff Hamilton announced last week that his upcoming exhibition titled “No Delete” would include the recently leaked nude private images of Jennifer Lawrence and Kate Upton.

Lifesize and uncensored, Avala’s campaign called “Fear Google” as part of the ongoing privacy debate to protest over how large online businesses and search engines have turned an individual’s privacy into everybody’s business. AVALA’s earlier exhibitions had featured celebrity images, including a portrait of Britney Spears with her shaved head and nude images of Scarlett Johansson (at that time with the private parts covered with “Fear Google” logos). Early last year, he melted down trash collected from Jobs' home to build a sculpture of the Mac creator, complete with iPhone in hand, to demonstrate that individuals are “giving out all our information to the Internet just as we give our trash to the world." Besides Job’s, he targeted other leading figures like Mark Zuckerberg. His projects titled the "Not Very Well Hung Hangers Of Silicon Valley," was to build items from the personal belongings of people whose companies profit from the collection of our data.

XVALA used GOOGLE to find the addresses of Internet leading lights, and to mine for the compromised images either inadvertently posted or leaked by paparazzi or hackers.

He rightly states that once we share our images with technology our privacy is at stake. The tradeoff between free online services and privacy is raging and in the next few years, judging by the way the industry is moving there will be better privacy protection for users both paid and unpaid of online services. But, till them we all remain at risk.

Interested in Celebrity nudes! Are you not concerned about your own sexted photo?


Most of us have read or heard that on many online anonymous bulletin boards, were posted over 100 nude photographs of prominent celebrities like Jennifer Lawrence and Kate Upton. These celebrities had two things in common; firstly they used Apple iCloud to back up their store of photographs and secondly, many had deleted the published pictures one or two years prior.

Obviously, nude pictures or videos of celebrities are worth a lot of money to collectors who bought and sold these pictures on underground forums. Hackers targeted celebrity accounts for these pictures because of their high demand in the underground markets.  Reports suggested that hackers compromised iCloud accounts by either guessing the account password or the answer to the secret question, and probably held on to this access for several years because the account owner never changed the password or the answer to the secret question.  iCloud’s password protection services during this period lacked basic security features such as alerts on backups or one time authentication passwords which would have prevented this type of known attacks. In the near future, we may see an enriched set of security features such as one time authentication.

Nude photographs of celebrities certainly made hot news and sparked universal outrage, security awareness and a FBI hunt for these hackers. Yet, online sites such as the bulletin boards which notoriously benefited before they self-censored under the threat of legal action, have gone scot free.

Once online and public, these photographs besides finding their way into the hands of many individuals, have found home in several interesting places such as pornographic sites and even to an upcoming art event called “No Delete” in Los Angeles which will print onto life-sized canvas the leaked private images of Jennifer Lawrence and Kate Upton.

While we dwell on the sensational and juicy fallout of these nude revelations, all cybercitizens particularly those that sext should pause and reflect. Surely, it could have been your photo that is on one of these sub groups, porn sites, revenge site or circulating among peer to peer networks among your partners friends. Like collectors, partners may over a drink share or compare pictures in competition or conquest. To protect one self, reflect on the potential fallout when you create, transmit or store sensitive personal information that may be used against you by third parties that get their hands on it or when relationships sour. Would you regret a nude picture taken five years ago that suddenly appeared when you are happily in a relationship or be able to laugh it off? – Do ask yourself?

To find out what one must do to secure your password and be aware of cyber risks to personal privacy, do download and read my book “StaySafe CyberCitizen”

Saturday, September 6, 2014

HOW DO YOU KNOW IF YOUR CHILD IS SAFE ONLINE?

I was delighted to have conducted my first tutorial for parents on "How to keep children safe online" on Teachers Day, 5th Sept. It was a proud moment and I was able to receive feedback from enthusiastic parents on how to improve the material. The audience was very touched and emotional as I showed them the video on Amanda Todd and explained to them what happened to her. For many she remains a teacher and a hope. The tutorial description is given below and for those interested; the training content “Keeping your child safe online” is available to download.

Cybersecurity Awareness for Parents
Is your child safe while using the Internet is a nagging question that all parents seek to answer? While parents are convinced that the every child must know how to use the Internet, most are unaware of the extent of cyber risk and the vulnerability of their children to them. Cyber-criminals will continue to reach your child in the confines of your homes, schools and in crowded places. Threats cannot be wished away, left to others or simply ignored. We need to assess such threats, take prudent steps and use best practices to reduce their danger.

Parents who are digital immigrants as compared to children, who are digital natives adept at navigating the bylanes of the Internet, find themselves at odds to guide and mentor their children on their online behavior. The session Keep Your Child Safe Online exposes parents to real life cyber risks and provides guidelines to identify vulnerable children and steps to protect their children from cyber risks.
Spend two hours in a frank, open and interactive guided session with cyber expert Lucius Lobo, author of the book “Stay Safe CyberCitizen” to understand the dark secrets behind the Internet and simple steps to protect your family.



 

Beware, your email id and possibly your password is with atleast one organized cyber-criminal gang


South Korea is a perfect example of a soon to be interconnected world where all its citizens have high speed broadband, regularly access online ecommerce and e-governance services and where online activities like games form a major part of social interactions. Large scale online services centralize the aggregation of user credentials such as email ids and passwords, making these online stores a juicy target for cybercriminals and offensive nation state actors.

Cyber criminals who obtain possession of these caches of personal data sell it to organized gangs which specialize in email frauds or who withdraw small sums from the online balance in gaming and other financial accounts. Nation state actors may use these credentials to disrupt vital economic operations by shutting down or altering the integrity of operation of financial system or utilities.

Not only are these credentials hacked through the exploitation of online vulnerabilities and poor system security design, but they are breached by trusted insiders with privileged access who steal and sell it for a fee.

Four major incidents, in South Korea, all in the last year where almost 50% of the credentials of the nation’s population were stolen, highlighted the impact and ease of exploitation of these online stores. According to press reports:

·             A group of hacker’s successfully compromised 220 million records of 27 million people from online gaming sites

·             Hackers broke into the popular Nate and Cyworld websites extricating names, email addresses, phone numbers and resident registration numbers of 35 million users.

·             Regulators fined three credit card companies after 20 million residents had their data stolen by an IT contractor.

·             12 million names, resident registration numbers and bank account details stolen from telecom company KT Corp were being investigated by the government.

These incidents will not remain isolated to South Korea but will happen across the world, as in-country online services proliferate.

Email addresses are no longer secret; they are freely given away by people on business cards, survey forms or even to solicit advertising mails. These emails have been aggregated and compiled into large databases which are sold globally for a small fee. There are also programs which trawl the net searching specifically for email addresses. Given the scale of data breaches or aggregation of email information, every cybercitizen should consider their email to be in the hand of atleast one organized cybercriminal ring.

Given, this assumption one should expect to be a target of an email scams or deliberate attacks to steal banking credentials or to install malware that will later be used to steal banking credentials and personal data. To minimize the impact of such adverse fallouts cybercitizens must ensure that they do not use the same password on multiple systems and use unique passwords for key banking and other services that can affect their wallet or reputation. Frequently changing passwords reduces the window of exposure and consequently losses. The other important consideration is to keep an eye on email scams. To know more do read “Online Email Scams a multibillion dollar business or not? You decide”.

To prevent malware, ensure that you do not log onto your computer with administrative rights when using the Internet. Create another profile without administrative rights for Internet use.

 

Saturday, August 30, 2014

Internet of Everything @CLOUDSEC Mumbai


I was delighted to be part of CLOUDSEC, Mumbai panel on “The Internet SECURITY of Everything- Strategic perspectives and implications for government and business” hosted by Trend Micro and CNBC TV 18

The proliferation of things connected to the internet and each other will present new cyber security challenges to corporate IT and cloud computing. By 2020, analysts expect tens of billions of devices to be connected to the Internet and to each other. The Internet of Everything (IoE), will be powered by next generation enterprise assets such as corporate servers, mobile technologies, cloud computing, big data, intelligent networking and software applications.  The panel discussed what was available in terms of new strategies and solutions to address the new opportunities and potential risks that the Internet of Everything will introduce to organizations.

This year the theme was based on the emerging security concerns due to the Internet of Everything and the growing maturity of controls to audit and secure cloud infrastructure. One of my key takeaways was that reporting of cybercrimes continues to be low, either because the victim may suffer a reputational loss or the value of the crime was low or because there is not much faith in the ability of law enforcement to track global crime.

For those interested all presentation copies are available on www.cloudsec.com/on-demand

Founded in 2011, CLOUDSEC is one of the leading vendor neutral internet security conferences in Asia Pacific  hosted by Trend Micro, supported by industry leaders, government agencies, non-government organisations, professional associations, technology vendors, and internet security professionals.

Tuesday, August 26, 2014

Changing lifestyles’ makes kids increasing vulnerable online


Children who are vulnerable are often victims of online predators, as their online activities, usually posts or videos about themselves, cause them to attract the attention of lumpen elements like pedophiles, trolls and criminals. These criminals exploit a child desire for attention, usually derived from not having a healthy relationship with parents or with other kids and at school.  When a child shuts off their normal support system, criminals fill the gap with their sweet talk, gaining trust and access to exploit the child. The degree of exploitation may vary, but at the simplest it involves coaxing a child to perform nude or seminude before a webcam. Recorded videos are sold or shared over porn sites.  In the worst cases children are repeatedly blackmailed into performing and each session is touted by the pedophile as an achievement of the level of control they can exert, to others in their ring.
In today’s world with rising consumerisation, an increasing number of advertisements are directed at younger children to help them look like adults. Today, lingerie for the age group 4-12 is advertised online using children of the same age as models. Parents too, are drawn into promoting their kids. It is not surprising that with instant messaging children are increasingly sending pictures and videos of themselves to other friends, some of which as in the case of sexting may be considered self-made pornography. Statistics from an old study in 2009 and the trend has grown since then show that 22% of teen girls and 20% of teen boys have sent nude or seminude photos of themselves over the Internet or their phones and a majority believe those exchanging sexy content are "expected" to date or hook up. Beside legal action for having such porn stored on their mobiles or being responsible for their distribution, there is the even greater danger of these pictures being used to harass and defame years after. What the child might have sent on the spur of the moment becomes their worst nightmare.

Online lifestyles also allow children to broadcast their talents and create a fan club of unknown fans, some of whom may be undesirable elements and older people. These elements through flattering messages slowly gaining the trust of the child, in pursuit of their nefarious goals.

As lifestyles change parents must keep a closer watch on their children, be more participative and have health dialogues on their online lifestyle

Sunday, August 24, 2014

How to prevent and recover from Ransomware Attacks


The desktop freezes with a warning message from the local police that the user has violated the law by visits to pornographic sites and has been fined 300 dollars or local equivalent. Until the fine is paid, either all critical files on the desktop have been encrypted or access to the system barred via a locked screen. Victims promptly pay up, running scared of the threat of legal action and the resulting public humiliation of having being caught viewing porn. The victim does not realize that he was set-up by a small group of cyber criminals who specialize in setting up malicious sites that  when visited, infect desktops, with a malicious piece of malware known as Ransomware.  Faced with no option but to pay, as it is very hard to crack encryption or to avoid the embarrassment that could follow, victims pay – thereby making the crime profitable.
Ransomware as the name suggests is a piece of malicious software that either encrypts files on or locks screens to shut access to a desktop, tablet or mobile phone until a ransom is paid to obtain a secret key used to decrypt files or to unlock the device.
In case of desktops the malicious software is usually surreptitiously downloaded and installed from malicious or legitimate website infected with malicious code. The user is unaware that the system has been infected until the files have been encrypted and the malware popped-up messages demanding ransom.  Surreptitious download and installation without a user’s acceptance is possible due to vulnerabilities in browsers and made easier if the user possessed administrative rights to install applications. Due to the design of the operating system used in mobiles and tablets, malware once downloaded requires user intervention to install the application. Cybercriminals disguise these applications as system updates or fake versions of popular applications, which users believe are genuine and allow their installation.

How to prevent Ransomware infections
Recovering from a ransomware attack is very difficult, due to the hard to crack encryption. Prevention and regular offline back-ups remain the best defense. Antivirus software alone will not be effective due to the fast emerging variations of ransomware programs and attack methods. A few useful tips to help prevention are:

1.    Restrict administrative rights

2.    Restrict use of Java, flash and other such programs to trusted sites. This can be done through browser settings

3.    Check to see if the pop-ups are genuine. Updates should come from vendor sites

4.    Download apps from genuine app stores

5.    Keep an offline back-up of your data ( online backup can be encrypted by the malware, particularly if automated)

6.    Keep your system patch levels updated

7.    Use antivirus software which will help control access to malicious sites and delete known instances of ransomware.

How to Recover from Ransomware infections
A typical ransom requested is usually below 500$, in the form of vouchers that can be used to buy goods and services online and even if paid there is a good chance that system is not unlocked. It is therefore best to be prepared to lose the data on the device. The two articles (links below) are excellent resources to recover from Ransomware Attacks

Decrypting the Crypto Locker  – a tool from FireEye and Fox-IT to decrypt files encrypted by Cryptolocker, a dangerous strain of ransomware

One of the frequent methods used to recover is by paying the ransom, and if through this the users files were successfully decrypted, it is best to save critical data, wipe the disk clean and reinstall a fresh copy of the operating system and other application executables, as there could be further residual malware of a different type. And then there obviously remains the task of preventing further infections.