Thursday, August 20, 2015

Should one fret over the leaked Ashley Madison data?


Several news sites have reported that 15 GB of identity data stolen last month from AshleyMadison.com online has been made available on the darknet. Three sites have since sprung up with allows interested parties to query the site to ascertain the identity of Ashley Madison users.   AshleyMadison.com allowed married people to have short extramarital affairs. While the morality of the services provided may be questionable, and is perhaps best left to judgment of individuals, there is a serious risk of reputation damage if the data is fake.
There are several reasons why it may be. Firstly this is not the first leak to appear online; there have been several in the span of the last month. Then, there is the question of the validity of the email address and other details which were never verified. There is always a probability that a prominent person or an associate’s identity was used to create a profile. From one analysis, it seems that 90% of the users were male and most of the female profiles were fake. If this is true than users subscribed but may not have been able to use the site. Many users may have subscribed due to curiosity or for fun. Some articles seem to suggest that once subscribed removing a personal profile from the site was not easy. Finally, there is a strong suspicion that some of this data may have been amalgamated from other breaches.

On the flip side there seems to be several reports of individuals claiming to verify that they were users of the site and confirming their email ids in the released data.
Whatever, may be the truth, I would like cybercitizens to know that though it seems to be a sordid affair not to disrupt your personal lives purely by data that cannot be verified put out on the net. 

Tuesday, August 18, 2015

8 steps to prevent a stolen phone from ruining you digital life


Smart phones are lost because they were accidental forgotten at public places or stolen. A phone today, is a cybercitizens gateway to their digital life. It allows use of apps for services such as for banking, social networking and taxi booking, storage for personal pictures and videos, email, instant messaging and telephony.
Most phones have an Internet finder program which helps to locate phones connected to the Internet. The service works well, if the phone is forgotten at places which are likely to have a lost and found counter like airports and restaurants where the staff is unlikely to pocket it. More often, the key risk is the loss of battery life effectively shutting down the phone. Even when a phone is lost and picked up by a person wanting to return it, a study has shown that most of the people browse private data like contact and pictures, understandably to locate the owner.
Most thieves quickly switch off the phone and remove the SIM card to effectively disable the Internet finder applications. When a phone is stolen or lost there are three risks that the owner face.
Financial Loss
Typically, you lose the value of the phone and the additional cost of calls made from the phone which obviously, one has to pay for. While there may be insurance that can be bought to recover part of the cost of the phone; to prevent fraudulent calls the cellular provider needs to be quickly alerted to deactivate the number.  Ensuring that the phone is protected by a strong screen saver password will mitigate the risk of expensive calls.
Reputation Loss
Many personal applications like Facebook, twitter, email or such social media accounts are logged on and can be accessed without a password allowing personal information to be read or malicious comments to be written. Such comments may affect personal reputation or be defamatory which may results in soured relationships or legal action. Hereto a strong screen saver password can help. If the thief is unable to crack the password, the simplest action would be to format the phone, reload the operating system and sell it in the black market
Privacy Loss
Privacy can be lost in two ways. By viewing data stored directly on the phone memory or on memory cards such as personal pictures, by reading private posts, email and by looking up the browsing history. Private data such as sexting pictures of other individuals received and stored on the phone may compromise their privacy.
Four steps that cybercitizens should take to reduce the risks to themselves and the incentive a thief gets from a stolen phone:-
1.        Set a strong password and short lock screen timeout.  If your phone provides the option to erase data after several unsuccessful tries to enter a passcode, typically 10, activate it. New phones disallow the formatting of the operating system without a password thereby rendering the phone worthless and reducing the incentive to steal it. A strong password or passcode has at least 8 characters that include some combination of letters, numbers, and special characters
2.        Try to avoid using external memory cards unless they are encrypted
3.        Update the phone regularly, to ensure that  vulnerabilities which can be exploited to unlock password protected phones is patched
4.         Backup contacts and other data
 
Four steps that cybercitizens should take when the phone has been stolen or lost and returned.
1.        Use the Internet finder app to locate the phone and erase data
2.        Reset all passwords for apps and accounts even if the phone has been returned
3.        If returned, reformat and reload the operating system to avoid any malware being surreptitiously loaded. Malware can be used to spy, steal credentials and cause an even bigger financial loss
4.        Block you SIM card by calling up your cellular provider

Saturday, August 15, 2015

LuciusonSecurity among the Top 50 Infosec Blogs 2015


Digital Guardian a Gartner Quadrant leader in the Data Protection product market has named this blog as one of the Top 50 Infosec Blogs you should be reading.

Thanks you Digital Guardian

Friday, August 14, 2015

I lost money because my petrol pump was hacked by attendants!


The neighborhood petrol pump which I occasional use, was in the news for allegedly tampering with the meter readings. Some of the staffers had hacked the circuitry to modify the pulser readings which converted the flow volume to the digital readout. As a consequence, 5% of the bill value was inflated. Hacking is typically associated with software and remote Internet connections, but all sort of meter readings can be tampered with to skim small sums of money or develop glitches that result in inflated bills.
The only way to tackle such misuse is by surprise calibration checks and stringent penalties. In the case of the above petrol pump, the ingenious system also had a switch to toggle back to normal values during a calibration inspection.

The police believes that this particular fraud may be widespread, which simply demonstrates the ease with which the perpetrator of the modified pulser is able to sell his invention without being caught.

Thursday, August 13, 2015

Hacking SMART services in Cars, Homes, and Medical Devices – a cinch!


Businesses are reinventing themselves by transforming traditional services and service delivery into digital services. Digital services utilize smart products to provide enhanced service quality, additional features and to collect data that can be used to improve performance. Smart products can be remotely controlled using Wi-Fi or cellular connections, software, sensors that makes smart dumb devices, cloud infrastructure and mobiles.
Examples of digital products and services are network connected cars, home appliances, surveillance systems, wearables, medical devices, rifles and so on. Very recently ethical hackers exploited a software glitch that allowed them to take control of a Jeep Cherokee while on the road and drive it into a ditch. All this with the hapless driver at the wheel!

While the car hack made headlines and led to the recall of 1.4 m vehicles, it also signaled the beginning of an era where cyber-attacks or software glitches cause physically harm to cyber citizens, blurring the lines between safety and security. Cyber-attacks in the near future will do a lot more damage than destroy reputations, steal money or spy on intimate moments people would prefer to keep private, it may maim or kill in a targeted or random fashion and that too in the privacy of one’s own home.
The severity of some of the demonstrated exploits by ethical hackers were downplayed because the attacker required physical access to the vehicle to execute the attack. I for one, do not know what happens to my vehicle while it is serviced or valet parked, both ideal opportunities to fiddle with the electronic systems and even modify the firmware.

All smart devices will be connected and updatable over wireless networks. Wireless updates are ideal opportunities for hackers to obtain access or control over these devices. However, digital products or services must have built in defenses not only for over the air hacks but equally on risks from technicians, mechanics or others that have physical access to the smart infrastructure.
Startups with limited budgets may struggle to provide adequate security to their new incubations, allowing ample opportunity for maliciously minded individuals and cyber criminals to find ways to compromise the service. Investment in smart product security will be driven by liabilities around safety regulations, compliance and strict penal provisions.

Saturday, August 8, 2015

Darknet, where child pornography is rampant

Child porn is rampant in what is known as the dark web or darknet. The part of Internet that cannot be reached by using a search engine like Google. It is that part which is accessed using a special browser (TOR) which is freely downloadable, and works to ensure the anonymity of the user online. It achieves this by use of encryption and bouncing encrypted communication across a network of nodes before it reaches the intended site. The information that the intended site possess is the IP address of the last node which makes the original destination anonymous. The downside of the TOR network is its slow speed.

Coupling an anonymous network with an anonymous currency like BITCOIN allows illegal activity such as the buying and selling of drugs, child porn, and counterfeits to flourish without the fear of tracking either information or financial flows. Cybercriminals, terrorists, drug peddlers and pedophiles among others, use the darknet to further their business as the darknet protects both them and their customer’s identities.

Criminal users on the darknet are savvy and sophisticated in covering their tracks and erasing the digital fingerprints they leave online. They conduct their business on secret password protected websites limited to trusted users (excluding undercover police), utilize sophisticated hard disk encryption (including some with multiple passwords, each opening up a different volume), distributed storage across multiple computers to ensure that each computer will not have a complete image and move sites frequently.  These tactics coupled with the volume of sites on the darknet makes it a formidable task for law enforcement to identify criminal rings and catch them.

Making the darknet safe requires detectives to impersonate criminals or their customers to infiltrate criminal rings. It is a tedious task with limitations in jurisdiction and prosecution. In the next few years this old fashioned method will be supplemented with technology to map and analyze darknet sites, contents and activity to profile criminal behavior.


For Governments wanting to crack down on child porn, like as in India, the only option is to set-up a team of specialized investigators to explore darknet activity originating from within the country and to partner with their counterparts from like thinking countries to nab criminals within their jurisdiction.

Thursday, August 6, 2015

Can child porn be blocked by banning websites?

 
The Indian government is trying to block child porn by banning websites, an ineffective strategy, primarily due to the difficulty in the identification of child porn websites. Child porn is traded within closed rings of pedophiles using the dark internet. The dark internet are sites on the Internet not accessible through the search engines. Pornographic material are actively bought and sold between collectors who form these rings using peer to peer software and encrypted communications. Some reports estimate that there are over 100000 individuals who deal in pornography through secret chat rooms and other communication channels.
Child porn is broadly defined as the creation, distribution and collection of photographs, audio or video recordings of sexual activity involving a prepubescent person. The pornographic content may range in severity from posing while clothed, nakedness to explicit sexual activity, assault and bestiality.
Children who are victims of child pornographers suffer physical pain, somatic symptoms and physiological distress. Many do not complain out of loyalty to the offender (who could be a relative) and a sense of shame.
One of ways child porn is produced is through the malicious use social networks and the Internet to groom innocent children into sharing explicit images of themselves and then blackmail them into producing more content. The content is then sold to other collectors for a fee. With the widespread availability of webcams and Internet, the remote pornographer has direct video access to a groomed child, within the once secure confines of the child bedroom.
Reducing the amount of child porn on the Internet is a noble initiative and one that requires the co-operation of several stakeholders such as law enforcement, parents, victims, social groups, ISP’s, search engines and the community. Catching and shutting down rings has to be a priority and ISP’s hosting dark sites need to quickly detect and shutdown such child abuse sites.  The catch rate of child pornographers is quite low, at around 1000 a year with no mechanism to prevent repeat offenses.
In India, I would believe simply going by the increased spate of media reports on physical child abuse in prominent schools, that physical child abuse is a larger problem than tackling online pedophilia. All parents must be alert to the cues that their child provides to quickly identify abuse.
 

Saturday, August 1, 2015

Sites you use online, may tarnish your reputation and relationships


Cybercitizens use sites on the Internet as resources that offer them services with scant thought as to how their data and activity information could be used by site owners and others who have access to it. The others are entities who are sold this information, cyber criminals who steal it, third parties who provide services to the site owners and also innocuous users who come across this data because the sites privacy protection or in some cases security is not adequate.

Cybercitizens should note that many sites provide services for free, supported by advertisement revenue. These sites collect and analyze profile and activity information which includes clicks, page visits, and transaction information to selectively display advertisements suited to the user’s demographic profile or searches. This helps advertisers obtain better returns on their advertisement dollar. Most of the larger and more popular sites make their users sign up to lengthy terms and conditions, which few read or understand, to enable them use personal data. Larger more established sites lay out well worded privacy statements on their websites which users can read. In all cases, information related to financial transactions are normally governed by strict regulations and compliances which regulates use and specifies standards for the security of card data.

But, there are many other firms with questionable credentials and whose ownership remain largely unknown. They may be popular sites too, but on the vast global highway, there is no way that one can truly ascertain where your data resides, who sees it and what use it is put too.  The case of the hack of the extramarital affair dating site Ashley Madison, clearly demonstrates the vulnerability of those users to reputational damage, blackmail and extortion. There are many sites, whose membership if disclosed could hurt the reputations of millions of people. Pornographic sites for instance.

The trail of personal data that one puts online remains. For example, curious users of the Ashley Madison site would have no way of proving to their spouse that they subscribed to the site out of curiosity and not for intended use. 

The effect of disclosure of personal data varies from tarnished reputation and financial losses to minor privacy intrusions. Cybercitizens should evaluate these risks and their potential consequences when they use certain sites.

Saturday, July 25, 2015

Cyber Risks in a “Connected World” can take human lives and cause physical damage

I believe that the cyber risks are always grossly underestimated or trivialized. Over the last few years due to the rapid digitization of businesses, there has been a growing spate of cyber-attacks the world over. New start-ups offer a panacea of digitized solutions through cloud platforms. With limited budgets and a focus on perfecting their business model, companies need to navigate the tradeoff between the portions of their financial capital that goes into product security as against growing the business.

The next phase of digital evolution is themed “connected” – connected cars, connected homes, and connected humans (with intelligent body parts like wireless enabled pacemakers). As businesses race to bring new connected products or to make intelligent existing products using internet enabled sensors, wireless, cloud management and mobile apps, they still seem to not realize the criticality of fool proofing these systems against cyber threats.

The risks have now extended beyond purely financial and reputation losses to threats which affect human lives.  As the world digitizes, cyber threats that damage property, cause physical harm and even kill will materialize at a scale that is virtually impossible to contain.

An early indication is the recent recall of 1.4m vehicles by Fiat Chrysler Automobiles, the world's seventh largest automaker, to fix a vulnerability that allowed hackers to use the cellular network to electronically control vital functions. Functions, which when manipulated could shut the engine down while it was being driven down the highway, take control of the steering wheel and disable the brakes. Similar threats would materialize if hackers were able to find flaws in a wireless pacemakers or other such devices.

The core issue is twofold. Firstly as the connected world becomes individualized,  malicious hackers would find and exploit flaws in products used by individuals or organizations they target. Remotely engineered assassinations may just become a reality.

The second and more dangerous consequence, is of terrorist organizations utilizing vulnerabilities that affect products used by many, cars for example, to launch mass attacks which would instantly cause more damage and widespread chaos, than detonating explosives. Such remote attacks from the Internet will bypass all conventional border security measures.

In a digitized world, cybersecurity and safety become intrinsically linked and as new standards slowly evolve, an immediate concerted attempt must be made by companies to build secure products to protect naïve cyber citizens against all sort of risks.


For a cybercitizen, security should be under the hood, so as to speak. Cybercitizens are unable to determine the extent to which these products are safe to use. Besides building safe products, systems to securely and instantly plug vulnerabilities will need to be perfected.

Saturday, April 11, 2015

Cyber scams that target senior citizens in India


A senior citizen’s primary gadget is a mobile phone which in earlier years was used to make/ receive calls and SMSes. With rising Internet penetration, children living in different cities and countries, video calls and rising costs; senior citizens have begun to use alternate communication channels like Whatsapp and Skype. Senior citizens have become easy targets for cybercriminals given their trusting nature and poor understanding on how voice and data services work.  Cybercriminals and Spammers target these four types of communication channels (voice, instant messaging, SMS and internet telephony) to defraud senior citizens. The three most prevalent types of scams are:

Missed Call or One Ring Telephone Scams

The most popular one is the “missed call” scam. A missed call from an international number is made to a senior citizen’s phone. When the senior citizen calls back, the call is connected to a premium rate number where the bill rates are significantly higher as there is a third party service charge for these services added to the bill. Senior citizens end up with large postpaid bills or find their prepaid credit wiped out. The modus operandi of these missed call scams is to ensure that once a call back is received, the caller is kept on the line for several minutes. The longer the duration the more money the scammer makes. To do so, either the caller is looped in an interactive voice response system which tells the caller to wait while the call is connected or the caller is connected to a recorded adult phone message. One senior citizen was so perturbed that she wanted to call the police because she heard a woman being beaten and screaming for help. Fortunately for her, she had limited prepaid credit and the call ran out. Many senior citizens become anxious and literarily rush to their telecommunication service provider only to receive a stoic response that they are not responsible for any calls made or received. To resolve their excess charge they are advised to take up the matter with the third party service provider, usually a dubious adult chat firm in a third world country. For the small sum of money lost, the cost of this pursuit would make it an unviable option with no guarantee of refunds.

Senior citizens can protect themselves by:

1.    Restricting outbound international calling,  if there is no necessity to make overseas call

2.    Ignore short duration missed calls from international destinations

3.    Checking the international dial code for missed numbers before returning the call. If the number originates from a country where they do not expect a call from, then it would be best not to return them

Lottery Type Scams 

In fake lottery scams, senior citizens receive SMSes or Whatsapp messages congratulating them on having won a “big lottery” and asking them to quickly claim their money.  One senior citizens though this was a valid claim because “it was not classified as spam” by the service provider. 40% of spam is not blocked by spam filters and spam filters only help but do not guarantee that a communication is legitimate. Once a request for redeeming the claim is made these scams always ask for either personal information or the payment of an advance fee, which when paid is either followed by a further request for money and the eventual disappearance act by the scamster.

 Senior citizens must not share personal data online and always avoid requests made for money to process a lottery win or to release a parcel, or to send a free gift as these are sure signs of fraudulent behavior. Senior citizens should also consult knowledgeable family members or friends before responding.

Disclosure of Personal Information

Extracting personal information which can later be sold or used to access online back accounts is another type of scam. Scammers pose as officials in position of authority (banks, police, and income tax) or as sellers of credits cards/personal loans using these “roles” to exert sufficient pressure to extract personal and financial data.

Senior citizens should always remember that however convincing the callers are information like bank accounts, financial records and passwords are never sought by authorities or banks.