Friday, February 10, 2017

Are my passwords freely available on the Internet? Four actions that can minimize damage

Frequently we hear of large data breaches at email, social networking, news and other types of websites of which we are members. Many of us may have been challenged by the site owner to change our password when the site suffered a breach, and may even have received a breach notification email.

It would, however, be useful to have a service that could tell us, at any time, whether our passwords were available in plain text online. The good news is that security blogger Troy Hunt has set up such a site at http://haveibeenpwned.com/ where you can enter your email id (a common login credential) and find out whether the corresponding password was exposed on breached sites. The bad news is that it covers only data breaches where the hacker has dumped the compromised list of passwords on paste sites such as PasteBin. This represents a small fraction of the passwords exposed, and in all probability the hacker had a window of time to gain access to your account before the breach was uncovered. It also allows anyone (friend, foe, bully, ex-partner, relative, competitor or colleague) who knows your email id to check for the password and selectively target you.

My advice to all Cybercitizens in general, but more specifically after you discover that your password has been exposed, is to:

1.    Never reuse that exposed password, and never reuse a password on multiple sites. A single exposure can have a cascading effect, compromising your other online assets. If you have used the same password on multiple sites, quickly change the password on all of them.
2.    Use two-factor authentication, which a large majority of sites offer, to limit the use of disclosed passwords.
3.    Change your passwords once every 3 months to limit the exposure window. In large dumps the hacker may take time to target your account, and if you have changed your password by then, you get lucky.
4.    Quickly change passwords once you are aware that there has been a breach.
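As an added example (not code from the original post or from Troy Hunt's site), the check below follows the style of the later Pwned Passwords range query, which sidesteps the privacy problem described above: only the first five characters of the password's SHA-1 hash leave your machine, and the full hash is matched locally. The breach corpus, its counts and the offline fetch function are constructed stand-ins for the real service.

```python
import hashlib

# Constructed stand-in for a breach corpus: password -> times seen in dumps.
# The counts are made up for this example, not real figures.
CONSTRUCTED_CORPUS = {
    "password": 3_730_471,
    "123456": 23_597_311,
    "letmein": 250_351,
}


def sha1_upper(password: str) -> str:
    """SHA-1 of the password as an upper-case hex string."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple:
    """Return (prefix, suffix): only the 5-char prefix is ever sent."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def build_range_index(corpus: dict) -> dict:
    """Group hash suffixes by 5-char prefix, as the server side would."""
    index = {}
    for pw, count in corpus.items():
        prefix, suffix = split_for_range_query(pw)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>,
    which answers with CRLF-separated 'SUFFIX:COUNT' lines."""
    return "\r\n".join(RANGE_INDEX.get(prefix, []))


def pwned_count(password: str, fetch=fetch_range_offline) -> int:
    """Times the password appears in the corpus; 0 if not found.
    The suffix comparison happens here, so the server never sees it."""
    prefix, suffix = split_for_range_query(password)
    for line in fetch(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate))
```

A non-zero count means the password is already in circulation and should be retired everywhere it was used, per action 1 above.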


Thursday, October 13, 2016

Catching IRS fraudsters proves the scale and profitability of impersonation cons

Fraudsters who posed as IRS officials threatened hardworking Americans with imprisonment for the crime of tax default. Their modus operandi was simple: question victims about defaulting on their tax payments; threaten legal action, arrest, deportation or suspension of business rights; and finally offer an easy way out – a chance to close the case without prosecution in return for a one-time deposit into a bank account, or alternatively by obtaining the victim's bank account details, after which the account was wiped clean.

Incredible as it may seem, the con was so successful that the kingpin lived a life of 5-star luxury, with fancy cars and hotel stays. In a short span of two years he amassed significant wealth and employed over 700 people in several call centers across India and the US. Most of these call centers were owned by trusted associates and employed high school graduates or dropouts whom they lured with high pay and luxurious lifestyles.

Income earned in dollars was converted into Indian rupees using illegal money laundering channels known as Hawala. All employees were paid in cash. Call center executives were offered incentives based on the income they generated from these frauds, and the best performers were even offered a chance to work directly with the kingpin in his home city of Ahmedabad, Gujarat, while being put up in 3- and 4-star hotels.

Fortunately, India takes these crimes seriously. Once the fraud was reported, Mumbai police detectives went incognito over a period of 15 days and surveyed these call centers before busting them and arresting over 50 people. All those arrested will be tried under the Indian IT Act and penal code.

There are, however, several countries that do not act on these crimes because the victims are not their citizens.

Cybercitizens are advised to be wary of calls that ask for personal information or for money in some form or other.

Wednesday, February 10, 2016

Will you pay $300 and allow scamsters remote control of your computer? Child's play for this BPO

Microsoft customers in Arizona were scammed by a BPO set up by fraudsters, whose executives represented themselves as Microsoft employees and managed to convince the customers that, for a $300 charge, they would enhance the performance of their desktop computers.

Once a customer signed up, the BPO technician logged on using remote access software that provided full remote control over the desktop, and proceeded to delete the trash and cache files, sometimes scanning for personal information. The unsuspecting customer ended up with a marginal improvement in performance. After one year of operation, the Indian police nabbed the three men behind the operation and eleven of their employees.

There were several aspects of this case, “Pune BPO which cheated Microsoft Clients in the US busted”, that I found interesting:

1)    The ease with which customers were convinced to part with money and to allow an unknown third party to take remote control of their computers. With remote control, one can also install malicious files that act as a remote backdoor or spyware, leaving the machine vulnerable.
2)    The criminals had in their possession a list of 1 million Microsoft customers with up-to-date contact information.
3)    The good fortune that the Indian government is unsympathetic to cybercrime both within and outside its shores, which resulted in the arrests. In certain other countries, crimes like these continue unhindered.

Cybercitizens should ensure that they do not surrender remote access to their computers, or install software, unless the request or the software comes from a trusted source.


Saturday, February 6, 2016

Three Must Do’s to make a Security Awareness Champion

Setting an example is the best way to institutionalize security awareness within a workplace or at home. Colleagues and children naturally follow the examples set by champions, as it is easier to mimic than to spend time self-learning. I found three important aspects of championing security awareness.

Be a role model

Cybercitizen champions take an active interest in being secure by keeping themselves updated and implementing security guidelines for the gadgets and services they use at home, for work and on the Internet. Knowledge of the dos and don'ts of security for workplace systems is normally obtained through corporate security awareness programs, but for personal gadgets and services one needs to invest time reading the security guidelines provided by the service or product provider, or on gadget blogs. Security guidelines describe best practices for the secure configuration of gadgets, the use of passwords, malware prevention and methods to erase data. Besides security issues like password theft or loss of privacy, there is the possibility of becoming a victim of fraud when using ecommerce. Most ecommerce sites have a fraud awareness section to educate customers on the common types of fraud and on techniques to safeguard against them. Role models take pride in what they do, and this passion becomes a source of motivation to others around them. A security champion delights in possessing detailed insights into how to use the best security features in gadgets (say, mobile phones) or into recent security incidents.

Be a security buddy at your home

Telling people what to do to keep themselves secure online is difficult, primarily because security controls lower the user experience; as an example, most people may prefer not to have a password, or to keep a simple one, for ease of use. People tend to accept risk because they do not fully realize the consequences of a damaged reputation or the financial impact of fraudulent credit card use until they, or someone close to them, experience the effects firsthand. Security champions act as security buddies at home. They take time to understand how their family members, both young and old, use the Internet, and to learn for themselves about the safety, privacy and security issues related to those sites. Buddies perform the role of coaches, engaging in regular discussions on the use of these sites from the perspective of avoiding security pitfalls and risky behavior that may lead to unwanted attention from elements looking to groom children for sex or terrorism. Highlighting incidents of a similar nature helps raise awareness of the reality of the risk.

Display commitment to security at your workplace

Small acts go a long way in promoting useful security behavior. A small security cartoon displayed on a work bench can add immensely to the corporate security awareness effort. Champions bring attention to the importance of security in business by raising security in routine business discussions; for example, circulating insights into recently published security incidents within a discussion group (leadership, business) and popping the security question “what if a customer's security or privacy is affected?” during project discussions.