Saturday, January 29, 2011

3G,Cell Phones, Social Networking and the not so Innocent Obsession

When a cell phone with a camera and video recorder, 2G/3G network, email, mobile applications and social networks come together we have an explosive mix of technology which makes it easy to capture and post snapshots of your life experiences.  While most of the images may be innocuous there are a few sent by many which are intended to be intimate private exchanges; nude/semi nude images or video’s designed to tantalize a partner or woo another into a relationship. According to a survey by the National Campaign in Sept 2008 , 21% of teen girls and 18% of teen boys have sent/ posted nude or semi-nude images of themselves.
While sending such personal images or videos is against the law and both the sender and the receiver are liable to prosecution in several countries, the risk is higher if images are widely circulated or distributed. Wide circulation and distribution normally takes places in the following circumstances.
a)      You or your partner lose cell phones where these images are stored. Tens of thousands are lost or stolen each month
e)      More likely, you do not set your privacy settings correctly
i)        You sent a picture to an unknown online friend, believing you were anonymous and cannot be traced
j)        Your pictures are sold to an online pornography site
In many cases the act of recording these images perhaps is a voluntary act. It seemed fun, perhaps was the “in thing “to do, but the unconsidered long term consequences remain captured in the by lanes of the World Wide Web. Any image can be instantly copied and stored in a vast number of places, difficult to retrieve and erase. A significant portion of these images are circulated due to trust between the sender and receiver without considering the consequences if the trust breaks down or the trust was unfounded in the first place.
Recommendations
Recognise the risk of digital distribution and storage of personal content
If you are a victim of blackmail, its best to go get help from the cyber cops
Download and read the survey conducted by The National Campaign

Wednesday, January 26, 2011

Mark Zuckerberg's Facebook page was apparently hacked

Mark Zuckerberg's Facebook page was apparently hacked according to a latest news report. The attacker modified the page with a message, in the same way the French President Nicholas Sarkozy’s page was compromised two days ago. While the needle of suspicion points to the use of a simple login and password over an unencrypted link, what should not be missed is the targeted nature of the attack against the two people, who one would think would be the most secure.

In my opinion the compromise could be an insider job or an exploitation of a technical flaw in Facebook. I am eagerly awaiting the outcome of the investigations.

Recommendation
 For the 400 million plus Facebook users like myself, this is a waking up call to set complex passwords, frequently change them and not to login in to websites which do not use SSL over unsecured WIFI networks in public places.

Click here to view the hacked page

Corporate Espionage






Related Post:- Twitter,Firesheep and the unsecured WIFI at Delhi Airport
Related Strips:- The Secret

Tuesday, January 25, 2011

Celebrities at High Risk from Hackers

At last week’s Sunday lunch while discussing my recent post on Sarah Palin’s email hack, a friend asked me how vulnerable celebrities were to being hacked. It was quite coincidental that few hours later the face book account of the French President Nicholas Sarkozy was hacked into and posted with the message "Dear compatriots, given the exceptional circumstances our country is experiencing, I have decided in my spirit and conscience not to run for office again at the end of my mandate in 2012." This was not the first successful hacking attempt against the President of France. In 2008, President Sarkozy filed a complaint with the police following withdrawals of "small amounts of money" from his personal Parisian bank account. It is alleged that the money was used to set up mobile phone subscriptions. Interestingly the President was a victim of a mass Phishing attack, presumable a fake email linking to a fraudulent bank site where he entered his bank account and password, and not specifically targeted.
Celebrities the world over are specifically targeted due to their status, riches and fanaticisms of a section of fans. Beside compromised email, twitter, face book accounts they are vulnerable to cybersquating (where their domain name is taken over by another individual) and malicious attachments in fan mail. In a few cases celebrity accounts have been hacked through back end systems of social networks.  
Celebrity’s lives are open books with a significant amount of detail about personal life and sexual preferences. This detail makes it easier for a hacker to guess passwords, answers to secret questions or send a credential stealing malware.
When a celebrity account is hacked the typical reward for returning the site to the original owner includes a demand for money, sex or nude pictures.
Recommendation for Celebrities
Celebrities who use social media like Twitter and Facebook to interact with fans, in many cases hire media firms to manage these accounts. It is important to ensure that the media firms who employ teams with access to the celebrity’s account and personal data protect its confidentiality through the use of security best practices
For celebrities who manage their own social media, it is important to recognize the heightened risk and  ensure passwords used for online accounts are strong (certainly not the name of your pet dog as an answer to your secret question) and to follow safe principles while downloading Internet content or attachments in fan email. I would recommend the use of a dedicated desktop solely for updating social network sites and another for fan mail and Internet downloads.
Recommendation for Individuals
Fake celebrity sites are plentiful on the Internet. In times of a major celebrity event such as the death of Michael Jackson security experts observe a surge in fake sites with celebrity news and content designed to attract users with the sole purpose of infecting user desktops with malicious content to send spam or steal credentials. It is preferable to read celebrity news on reputed sites and restrict opening attachments in chain mails or downloading from unknown websites. Attachments range from wall papers to presentations.

Monday, January 24, 2011

Cyber Attacks Against Government Sites

On 20th Jan 2011 Researchers from Imperva's Hacker Intelligence Initiative (HII)  found dozens of US government, university and defense sites have been hacked with access up for sale with prices ranging between $55-$499.
E-government is an online interaction between citizens and government to enable citizens to easily access data on government programs and schemes. World over governments have modernized their infrastructure and built Internet facing portals and applications, but these initiatives have been plagued by security breaches. Such sites become attractive hacking targets for citizens and governments of hostile countries, cyber protests by citizens and for cyber criminals to gain access and manipulate government systems for monetary gain. The results of these cyber attacks on citizens range from non availability or slow access to these services and exposure of citizen personal data. In addition government departments face a reputational loss when sites are defaced.
Some of the prominent hacking instances are:
In Jan 2011 Researchers from Imperva's Hacker Intelligence Initiative (HII) have found dozens of US government, university and defense sites have been hacked with access up for sale with prices ranging between $55-$499.
In Dec 2010 the website of the Central Bureau of Investigation (CBI) India was hacked by programmers identifying themselves as "Pakistani Cyber Army". The home page of the CBI website had a message from the 'Pakistani Cyber Army' warning the Indian Cyber Army not to attack their websites.

Triggered by the arrest of Julian Assange, counter strikes were initiated against all sites that refused Wikileaks hosting, DNS, and payment services and websites of government officials and departments that tried to stop the redistribution of Wikileaks content. The attacks were a form of cyber protest in which many citizens participated by downloading denial of service software from the website of a hacker group.
July 2009 South Korea experienced a wave of suspected cyber-attacks - co-ordinated attempts to paralyse a number of major government and business websites. The attacks were believed to have originated from North Korea

Last year, the Iran nuclear program was attacked by the Stuxnet computer virus, which worked by increasing the speed of uranium centrifuges to breaking point for short periods. At the same time it shut off safety monitoring systems, hoodwinking operators that all was normal. The virus was supposed to have significantly set back Iran nuclear program. It is believed the virus which required significant investment to create and was specifically targeted at Iran was the creation of western governments.



Recommendation

In the years to come, as a large part of the economy begins to depend on Internet based transactions, the need to secure and defend economic sites and country networks will increase. Governments will need to ensure that they have well funded cyber security programs in place with a meaningful focus on employee and citizen security awareness.

Sunday, January 23, 2011

WebMail Hack and Trace

Example: Sept 08 Hacking of Sarah Palin's Yahoo mail for political purposes by the University going son of a democrat who guessed the password and then posted contents of the email account with the changed password on a Internet website. Tracked down by examining logs of an anonymising website, he used, which allows users to surf the Internet without restrictions.

How did it Happen, Who did it and Why?




How was it traced?




Recommendations

Choose strong passwords - add special letters and capitals - e.g if your password was terydx make it Ter!ydx ( Capitalise T, add special character ! and ensure password length is over 6 characters)

Change your secret question if the answer is guessable by a person who can research your history. Write a complicated response, and store it somewhere safe.

Thursday, January 20, 2011

Swiss Banker Whistleblower Reveals Key Customer Data on Wikileaks. White money, Black money or Tax evasion you decide!

Rudolph Elmer was arrested last week for suspected violation of secrecy laws when the ex-banker publicly handed disks over to Wikileaks, the whistle blowing website, which he said contained data on private banks in Switzerland and their affluent clients. Earlier in 2008, he supplied banking information to the website, raising Wikileaks’ profile internationally after the bank tried to shut down the site. The press coverage made interesting reading, particularly the few summarized points I have lifted from the news report in the Hindu titled Swiss banker re-arrested for secrecy breach to Wikileaks” dated 20 Jan 11.
a)   The former executive illegally divulged information about the banks customers and the bank, one of the country’s largest wealth managers after he was fired in 2002. The bank claims it sacked Elmer when he tried to extort money in return for not exposing the banks business practice
b)   The former executive claims he was a whistleblower whose main aim was to expose wrongdoings by the financial sector regarding tax evasion assistance to wealthy international clients and managed to avoid jail time paying a fine of 7500 USD. In addition, Elmer’s lawyers argued that Switzerland’s strict secrecy laws, which regulate the Swiss bank, did not apply in the Cayman Islands, where Elmer was based for eight years.
c)   At the time he sent the messages, he told the court, he was being followed by detectives hired by the bank, causing intense psychological pressure. His daughter, the former banker related, was afraid to go to kindergarten during that period because of the men who tracked the family’s moves.
d)   Banks in countries with confidentiality laws are facing heat, as more foreign governments, are agreeing to pay money for stolen disks that contain information on tax-dodging clients.
e)   In 2009, Bern agreed to relax its rules and allow more transparent international cooperation on tax matters, under heavy pressure from the world’s top economies on so-called tax havens and a scandal in which a Swiss banking giant was found to have aided wealthy U.S. clients evade paying their taxes.
Views
It is seems to be a classic example of a blind eye being turned and laws enacted to support bad business practices. Of governments using underhand means to encourage stealing information to catch wrong doers, thereby violating their own bribery laws and supporting hackers. On the legal side, laws may differ based on the location of the bank branch and do not depend on the country of incorporation. I was also happy to see that the law took a lenient view of the whistleblower.

Tuesday, January 18, 2011

12 Ways to Steal Money from an ATM? Just kidding!

For many of us an ATM looks like a tamperproof device plugged into a wall without any visible openings through which cash could be stolen. Would you be surprised to know that the very ingenious fraudsters have invented over a dozen ways to steal the bank's or your money from an ATM?  Needless to say some of these devices can be purchased on the Internet with prices ranging from 1500 to 5000 US $. Here’s the list in random order as fraud types in countries differ.
  1.  Rob staff filling money into an ATM or the customer visiting an ATM :- An old movie favorite
  2.  Steal the entire ATM :- Dig it out of it slot, hoist on a pick-up truck and take it away
  3.  Use Explosives :- Seal the ATM opening, fill it up with an explosive gas, blast it apart and make away with the cash
  4. Install Fake ATM’s with real cash :- Collect customer card data and pin numbers, forge  new cards and withdraw money from genuine ATM’s
  5. Steal the ATM card :- You will be surprised how many people actually write the PIN on the back of the card
  6. Befriend the driver :- In India, a lot of people actually send the driver to withdraw money from the ATM
  7. Install card skimmers: - Devices which sit over the card insertion slot and have a pinhole camera. As customers use the ATM, the device copies card magnetic data and records the pin through the pinhole camera.  This information is used to create a cloned card to withdraw cash
  8. Steal the card data through a lookalike bank website: - Send fake emails which direct a customer to a lookalike bank website which prompts the customer to fill in the debit card details and pin. This information is used to create a cloned card to withdraw cash
  9. Install malware to compromise the machine and dish out cash :- Most ATM’s use Windows on which customized malware can be written which allows a trigger card to generate a small program to  withdraw cash
  10. Read an ATM manual downloaded from the Internet: - A badly configured ATM with a default passwords may allow administrative access from the customer screen. By modifying privileges cash may be withdrawn
  11. Force the ATM into an error condition while dispersing cash :- In this case the ATM provides  cash while reversing the transaction
  12. Use a cash trap :- A special device inserted into the cash dispensing slot which eat up money which is collected  by the fraudster later
           Recommendations
 Try and use ATM’s which are not in open areas . It is more difficult to install card skimmers in ATM's which are in banks or under surveillance
Avoid writing your PIN on the back of your card, sharing PIN’s or keying in PIN numbers on websites
 Ensure that you react quickly if your receive an SMS for a withdrawal, you did not make.  
Call the bank if the machine did not dispense all the money you withdrew
It may be difficult for a layman to detect card skimmers, fake pin pads or fake ATM shells.

Related Reads

Youngest Team attempt to Raid an ATM in Mumbai



 

Monday, January 3, 2011

Multinational bank fraud perpetuated by trusted insider

In the last week of the old year the main topic making newspaper headlines was the 40 m$ or Indian Rupees 200 crore scam perpetuated by a relationship manager from a leading multinational American bank in India. The relationship manager was alleged to have duped large corporate HNI clients into investments endorsed on allegedly forged endorsement certificates by the bank. The relationship manager opened several accounts in the same bank, in which money was deposited and reinvested, presumably in stock instruments. The wife of the relationship manager was an employee of the same bank branch.
In a few of my earlier blogs, I highlighted the dangers of insider threats, where trusted insiders with a thorough knowledge of how internal systems work, and equipped with additional privileges connive to commit fraud. This is one such classic case has three facets of key interest.
1.       The customers trusted the relationship manager and therefore did not question the genuineness of the banks endorsement. The first warning signals came when the return on the investment was stopped perhaps due to a declining stock market and inability to repay the investment.  The scheme however promised higher than expected returns which are classic signs of fraud and should have triggered a warning signal to the clients who were CFO’s of reputed organizations. Employees of Customers may also be in league with the relationship manager and help propogate the fraud. Therefore the investing corporate should also have investment reviewand monitoring systems in place.

2.       The relationship manager and his wife worked in the same branch. This may have resulted in violation of procedures in account opening, transaction monitoring and access to privileged information due to inadequate segregation of duty and monitoring systems. Segregation of duties prevents a doer (or a person related to a doer) from checking his own work.

3.       An employee on salary opens multiple accounts and begins trading in high value transactions which did not flag internal or regulatory systems. Although the bank claims that it did and thereafter constituted an inquiry, I feel that this may be due to customer complaints rather than proactive measures.
Recommendations
Trusted insiders can subvert normal systems and cover their tracks. In this case the loss was directly incurred by customers resulting in reputational damage to the bank and perhaps regulatory fines. A few crucial steps can be taken by managements to reduce these incidences. 
·         Be aware that insider frauds and threats are a reality
·         Ensure independence of audit
·         Build monitoring systems to raise alerts when employees are seen to be spending/ dealing with monetary transactions beyond their means, are in debt or indulges in vices like gambling. Most fraud is created due to a need for money or revenge
·         Ensure segregation of duties particularly between related individuals and institute job rotation for sensitive functions. Job rotation prevents an employee from covering his tracks as another employee takes on his role for a period of time
·         Strengthen and regularly review internal systems, processes and controls. Systems once set are never fool proof and always face implementation issues

      WHEN WE AS INDIVIDUALS INVEST IN SCHEMES THAT PROMISE EXTRAORDINARY RETURNS WE FALL PREY TO SIMILAR FRAUDS. MANY TIMES THESE ARE ENDORSED BY CLOSE FRIENDS AND RELATIVES WHO HAVE BEEN SIMILARLY FOOLED BY AN INITIAL PERIOD OF HIGH RETURN FOR THEIR INVESTMENT AND INTURN MARKET THE SCHEME TO OTHERS THROUGH INCENTIVE PROGRAMS.