Sunday, February 27, 2011

Who is liable for prosecution for uploading objectionable content onto social networking sites?

No one, it seems. A crisp, globally accepted definition of what may be considered "objectionable", which I believe comprises offensive, abusive and obscene content, does not exist, because these three terms are interpreted very differently.
User generated content, typically posts, videos and music, has grown so significantly that one large social networking site uploaded over ten billion content items last year. Typically 5% is considered offensive, comprising pornographic material, hate posts and pictures, and derogatory remarks against individuals, religious figures and politicians.
In most countries the ISPs, content sites and social networking sites are not liable if they have adequate mechanisms to educate users on what content can be uploaded, and to monitor and filter objectionable material. It is not an easy task for global sites, as the definition of objectionable content such as pornography differs by country; so even if the pornographer is legally distributing pornography, the person receiving it may not be doing so legally. The second part of the problem, and the larger social challenge, is dealing with abusive content targeting individuals or small sections of society.

Last week, near my residence, there was a mob of 500 protestors blocking roads and pelting stones at vehicles because an unknown user had created a defamatory page on Facebook. It’s quite common to find abusive posts and defamatory fake profiles created to settle grudges. There are other forms of objectionable content, unwittingly posted, which violate an individual’s data protection rights, such as a video of a child being cyber bullied in school.
Prosecution is hampered by the relative anonymity social media sites provide and by limitations in global cyber law, even in cases that involve the use and distribution of child pornography. This must not imply that the content should not be promptly removed. I did realize that this process, as in the situation where riots took place outside my residence, was in no way speedy. A court order had to be obtained and faxed to Facebook to shut down the page. I do believe that social networking sites should have a quick method to alleviate the issue, such as temporary suspension, though I in no way recommend the role of a cyber moderator or the shutdown of sites because a section of people protest, or politicians think so. Social networking sites should also take responsibility for the trauma of an aggrieved individual, because they allow anonymous users to create such profiles.
What can be done if a fake profile or objectionable material is posted against users on social networking sites?
Most sites have a reporting mechanism. Facebook, for example, allows users to report other users who violate Facebook’s Statement of Rights and Responsibilities by clicking the "Report/Block this Person" link in the bottom left column of the profile. Users can report profiles that impersonate someone, use another user's photos, list a fake name or do not represent a real person, as well as abusive posts, improper images, nudity, illegal drug use, terrorism and cyber harassment. There are no statistics on the effectiveness of these measures or on the steps followed once a report is made.
Some countries which have specific laws relating to objectionable content have blocked these sites to prevent users within the country from browsing objectionable content.
Recommendations
In the future social networking sites should institute mechanisms to verify users prior to registration. It may not be a welcome idea, as it adds extra costs and slows down the rate of growth of subscribers to these sites. In the long run, however, the online world will cease to be as anonymous as it is now, and a beginning is needed.
Secondly, if objectionable content is quickly removed it will reduce the motivation of individuals to perpetrate such acts. This process should be simple, quick and region specific.

Thursday, February 24, 2011

Online temptation: the art of using search engines to honey trap businessmen, politicians, bureaucrats and military officials?

A honey trap is a scheme in which a victim is lured into a compromising sexual situation to create an opportunity for blackmail. Honey traps are the oldest form of extracting military secrets and political favors, and of corporate espionage: individuals are tricked into a relationship, followed by blackmail which ensures their cooperation. There are several cases of high ranking officials who have been honey trapped into revealing secret information such as crucial stances on policy, negotiating positions and the weaknesses of other officials.
An intelligence report claims China is training an army of agents to use honey traps for corporate espionage. It was alleged that an Indian naval officer negotiating the retrofitting of an aircraft carrier with Russia was honey trapped by a Russian blonde, compromising the ongoing negotiation, which resulted in a price escalation of several billion dollars. Julian Assange of Wikileaks was allegedly honey trapped by two Swedish women with whom he had unprotected sex.
Search engines track user surfing behavior to target advertisements when users visit different websites. In order to spy, a fundamental requirement is to study behavior, identify weaknesses and create opportunities for exploitation. For instance, if a senior government official surfs the net for pornography, monitoring the sites visited and images viewed would reveal his sexual preferences. Social networking sites such as Facebook connect related individuals using prompts such as “People you may know”. This feature can be manipulated to introduce spies that match the official’s preferences. Once the bait is taken in the online world, it can translate into physical contact and extraction of information.

Countries which host search engines or free/anonymous proxies, popular social networking sites and pornographic sites have the greatest advantage in setting honey traps.

Wednesday, February 23, 2011

Parents should educate their children on the ethical use of Social Networking Sites

Our daily newspaper reported an incident of a 13-year-old Class VII school student posting “abusive language” on the principal’s Facebook wall. When the principal read the obscene comments and complained to the boy’s parents, they claimed a friend of their son who was studying with him had posted the messages. The boy’s friend request, the principal claimed, had been accepted by her daughter on her behalf by mistake.

This incident highlights the lack of education that parents offer their children on the use of Facebook. The first issue is obviously the lack of courtesy, the second is the sharing of passwords with friends or even with one’s own child, and the third is a lack of supervision of what the child is doing while on social networking sites.

Unsupervised, some children unknowingly download malware, make the wrong type of online friends, enter adult chat groups, post content that enables the child to be stalked or, as in this case, play mischief with another friend's account.

Recommendations

The new generation should be taught cyber skills and ethics at an early age. Their parents should be conscious that supervision of the child’s online activity, such as websites surfed and content downloaded, is necessary. It is also important for parents to be aware of who a child’s online friends are in real life and perhaps meet their parents too.

It should be kept in mind that the resulting real life repercussions of online pranks may leave a lasting trauma which cannot be undone.

In India, more often than not the child is more adept at using a computer and the Internet than the parents are. In such cases parents must make a conscious effort to learn to use computers, social networking and the Internet along with the child, and encourage open discussion on the pitfalls of Internet use. In addition, it is recommended that the computer be kept in an open area where the child's activity can easily be monitored visually.

Tuesday, February 22, 2011

Top CISOs need to reinvent themselves to face new world challenges

Ten years ago it was unlikely that most companies had a designation called Chief Information Security Officer (CISO). Security was a poorly understood, under-budgeted item in the corporate ecosystem. The chief threat was rogue viruses spreading through floppy disks, which caused funny things to happen on computer screens and corrupted files. Hackers who created these viruses were regarded more as a nuisance than anything else.
In the years that followed, with the exponential growth of the Internet, the externalization of corporate networks to customers, partners and suppliers, and negative customer sentiment from security breaches, there was a rapid rise in financially motivated hackers, increased regulation and the establishment of internationally accepted security standards. Security moved from being solely Information Technology Security, the IT department’s responsibility, to Information Security, a corporate role in overall organizational governance. This shift saw the emergence of the CISO.
Security is now shifting beyond simple compliance into the heart of business transformation using cloud and mobile computing. Conventional challenges are being replaced by more insidious threats such as cyber protests, corporate espionage, whistleblowers, mutating targeted malware and customer security.
To adapt, CISOs need to master five new skills: Business Acumen, Technology Understanding, Negotiation, Customer Advocacy and Cost/Implementation Focus. Read the full article on Search Security titled 5 CISO Skills for the Emerging Business Environment.

Monday, February 21, 2011

Online Email Scams: a multibillion dollar business or not? You decide

In the last two weeks I received four scam emails in my Yahoo spam folder. Every day spammers belch out 200 billion spam emails from across the world. Currently India is rated No. 1 and produces 10% of the overall spam. Typical spam topics involve sexual enhancers, pharmacy, loans, replicas, pornography, software, jobs/academics, degrees, stocks, casinos and phishing. 10%, or 20 billion, of such emails are frauds or scams of some sort. They promise cheaper drugs (quality unknown), lottery wins, advance-fee services like money transfers (actually money laundering in some cases), fake degrees and fake jobs, and of course fool gullible men on dating sites. These 20 billion emails sent each day are mutated versions of campaigns based on similar themes. Due to the sheer volume, tracking and reporting such scams is not very effective, but spam filters do reduce the threat significantly. User awareness is therefore a must.

Scamsters must earn well enough to sustain such large global operations, as the income they make from victims helps fund further scam operations, amusement, the opening and maintaining of drug routes, and terrorism. They rarely get caught, and it is the victim who ends up facing losses or law enforcement agencies. These operations are run by criminal gangs and not individuals.

Scamsters prey on gullible people and their desire for riches and pleasure, winning trust through convincing tales and pretending to be lawyers, claims agents, bankers, law enforcement agents, basically any title that convinces people they are legitimate. Once a person starts communicating with the scammer, a call agent at their back office operation marks the person using a dedicated cell phone, on which the person's name and the assumed identity of the back office operator are noted.

It is difficult to trace such scamsters, as the net offers anonymity and they operate from countries in Africa. And if conned individuals, as in some cases, do travel to these African countries to find the scamster or as part of the con, they end up dead or held for ransom. Most often individuals lose money and end up on the wrong side of the law if they inadvertently end up transshipping goods or laundering money.

These scamsters also request personal details to steal identities, using personal banking, passport, driver's license or credit card information to open accounts, buy things and take loans in the victim's name and not pay for them. These crimes leave the victim facing creditors and law enforcement.

Recommendation

You can identify scam emails by common sense. Here are some tips.
1. Ask yourself why you received this email.
2. Ask yourself if there is any such thing as free money, or whether you are being asked to do something illegal.
3. Insert the subject of the email into Google’s search box and read the results. It may quickly point you to similar scams reported by other people.
4. Insert the subject of the email, adding the word scam, into Google’s search box and read the results. It may quickly point you to similar scams reported by other people.
5. Do not click on any links within the email.
6. Do not reply to the email, even with incorrect information, to find out if you can trace the scamsters. You may unknowingly reveal personal details.
7. Be suspicious if personal details are asked for.
8. Do not visit any websites provided as links in these emails; they may result in malware being installed on your computer. Also remember that websites, including lookalikes of legitimate websites, can be hosted by anyone.
9. Also remember that webmail ids do not require identity verification and many accounts in different names can be set up by a single individual.

I have enclosed two fraud samples I received this week. Try to use the tips above to sharpen your skills in fraud identification.

SAMPLE 1 Fraud Email Detection Training

Australia Online National Lottery


From: OFFICE OF MR. ADAMS JONES
AUSTRALIA Online National Lottery
New South Wales SOUTH AUSTRALIA
P O Box 1010


BATCH NUMBER: 8056490902/188
WINNING NUMBER: KB8701/ LPRC

RE: AUSTRALIA LOTTERY PROMOTIONS AWARD 2011.

Attention: Beneficiary,

We are delighted to inform you that your e-mail address has won the sum of $250,000.00 Dollars in the ongoing New Year Promo 2011 Australia Lottery Bonanza.

HOW YOU WON:
All participant were selected through computer balloting system drawn form Nine hundred thousand E-mail addresses from Canada,Australia,United States, Asia, Europe, Middle East, Africa and Oceania as part of our international promotions program which is conducted every beginning of the year. This Lottery was promoted and sponsored by a conglomerate of some international companies as part of their social responsibility to the citizens in the communities where they have operational base.

HOW TO CLAIM YOUR PRIZE:

Your detail (e-mail address) falls within our African representative office as indicated in your play coupon and your prize of US$12,000.00 will be released to you through an accredited paying bank in Africa with the assistance of our Agent in Africa.Your are therefore advised to kindly send an application for prize release to our Fiduciary Agent on the below Information:

Barrister Mark henry,
Phone+266 (changed)
Email: xx@abc.com (changed)

Enclose the following in your application:
1.Your full names,
2.Your full contact Address
3.Your Telephone
4.Your age
5.Current occupation
6.Your Payment code : AU/WIN-132/2010-AFR

For security reasons, we advice all winners to keep this information confidential from the public until your prize is processed and released to you. This is part of our security protocol to avoid double claiming and unwarranted taking advantages of this program by non-participant or the official personnel.

YOUR RESPONSE MUST BE SENT TO OUR AGENT IN AFRICA ON THE FOLLOWING
E-MAIL: xx@abc.com (changed) ANY RESPONSE SENT BACK TO US WILL
NOT BE PROCESSED.

Accept our congratulations.

Best Regards

MR. ADAMS JONES
(ANNOUNCER
___________________________________________________________________________________
SAMPLE 2 Fraud Email Detection Training

FROM THE DESK OF MR.MOHAMED ISSAKA.
NO #24 AHAJI KABRIU CRESCENT,
BURKINA FASO, OUAGADOUGOU,
WEST AFRICA.
Email.(xx@abc.com changed)

I am Mr. Mohamed Issaka, an auditor with African Development Bank (ADB). There was an account opened in this bank in1998 and since 2000 nobody has operated on this account again. After going through some old files in the records, I discovered that if I do not remit this money out urgently, this funds will go down the drains, into the hands of either the board of directors of this bank or the funds may eventually be discovered by the government as a dormant fund in the forth coming audit by the Nations auditors.

They will confiscate or send it into the government's treasury account. The question now is who is the government and where is the treasury? They are human beings like you and I. The owner of this account is Mr Morris Thompson, a foreigner, and a miner at Kruger gold co, a geologist by profession and he died in 2000. No other person knows about this account or any thing concerning it, the account has no other beneficiary and my investigation proved to me as well that his company does not know anything about this account.

The amount involved is Ten Million, Five Hundred and thirty Thousand United States Dollars.10,530.000.00. I am only contacting you as a foreigner because this money cannot be approved to a local bank account here, but can only be approved to any foreign account and foreign beneficiary because the money is in US dollars and the real owner of the account is Mr Morris Thompson, he is a foreigner too. I only got your contact address from my secretary who operates computer, with believe in God that you will never let me down in this business so that I will inform you the next step to take immediately.

I need your full co-operation to make this work fine because the management is ready to approve this payment to any foreigner, who has correct information of this account, which I will give to you later, if you will be able to handle such amount in strictest confidence and trust according to my instructions and advice for our mutual benefit because this opportunity will never come again in our life. With my position now in the office, I can transfer this money to any foreigner's reliable account, which you can provide with assurance that this money will be intact pending my physical arrival in your country for sharing and investment.

I will also use my position and influence to effect legal approvals for onward transfer of this money to your account with appropriate clearance documents from the ministries and foreign exchange department. But, it will only cost us small money as to procure such back up documents from the ministries in-concern. Your earliest response to this letter will be appreciated.

Reply via my private email l(xx@abc.com).

Please call me as soon as you read this mail on my private telephone(+226 )

I look forward to your earliest reply.

Yours Friendly,
Mr. Mohamed Issaka.
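The tips above, turned into a small heuristic scorer and run over short excerpts modelled on the two samples; this is an added example, not code from the post. The signal list, the weights, the threshold of 5 and the example.* addresses are assumptions, and the excerpts are constructed sample data.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Each signal is (regex over subject and body, weight). The signals follow the tips
# in the post: unsolicited selection, promises of free money, demands for secrecy,
# an advance fee, requests for personal details, urgency, and links to click.
SIGNALS = {
    "unsolicited_selection": (r"\b(your e-?mail address (has|was) (won|selected)|balloting|randomly selected)\b", 2),
    "free_money": (r"\b(won the sum|prize|lottery|million|dormant (fund|account)|next of kin|inheritance)\b", 2),
    "secrecy": (r"\b(confidential|strictest confidence|keep this (information )?secret)\b", 1),
    "advance_fee": (r"\b(cost us|small money|processing fee|clearance documents|procure such)\b", 2),
    "personal_details": (r"\b(full names?|telephone|passport|bank account|driver'?s licen[cs]e|occupation|your age)\b", 2),
    "urgency": (r"\b(urgent(ly)?|immediately|as soon as you read|earliest (reply|response))\b", 1),
    "link": (r"https?://\S+", 1),
}
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SCAM_THRESHOLD = 5  # assumed cut-off; tune it against your own mail


def score_email(raw: str) -> dict:
    """Score one raw RFC 822 message and list the signals that fired."""
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    hits, score = [], 0
    for name, (pattern, weight) in SIGNALS.items():
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(name)
            score += weight
    # Tip 9: scammers collect replies at throwaway webmail accounts, so a reply
    # address (Reply-To header or an address quoted in the body) on a different
    # domain from the sender counts as a strong signal.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    others = {a.lower() for a in ADDRESS_RE.findall(f"{msg.get('Reply-To', '')}\n{text}")}
    if any(a.rsplit("@", 1)[-1] != sender_domain for a in others if a != sender):
        hits.append("address_mismatch")
        score += 2
    return {"score": score, "hits": hits, "is_scam": score >= SCAM_THRESHOLD}


# Constructed excerpt in the style of sample 1 (lottery win); addresses are placeholders.
LOTTERY_SAMPLE = """\
From: OFFICE OF MR. ADAMS JONES <promo@lottery.example>
Reply-To: agent@webmail.example
Subject: RE: AUSTRALIA LOTTERY PROMOTIONS AWARD 2011

We are delighted to inform you that your e-mail address has won the sum of
$250,000.00 Dollars in the ongoing New Year Promo 2011 Australia Lottery Bonanza.
All participants were selected through a computer balloting system.
Enclose the following in your application: your full names, your full contact
address, your telephone, your age and current occupation.
For security reasons, we advise all winners to keep this information confidential.
YOUR RESPONSE MUST BE SENT TO OUR AGENT IN AFRICA ON E-MAIL: agent@webmail.example
"""

# Constructed excerpt in the style of sample 2 (dormant account, advance fee).
ADVANCE_FEE_SAMPLE = """\
From: Mr. Mohamed Issaka <auditor@bank.example>
Subject: URGENT BUSINESS PROPOSAL

There was an account opened in this bank in 1998 and since 2000 nobody has operated
on this account again. If I do not remit this money out urgently, these funds will
go down the drain or be discovered as a dormant fund in the forthcoming audit.
The amount involved is Ten Million, Five Hundred and Thirty Thousand United States
Dollars. You must handle such amount in strictest confidence. It will only cost us
small money to procure such back up documents from the ministries.
Reply via my private email (private@webmail.example) as soon as you read this mail.
"""

# Constructed ordinary message for comparison.
BENIGN_SAMPLE = """\
From: Priya <priya@example.org>
Subject: Minutes from Tuesday

Hi all, the minutes from Tuesday's review are attached. Let me know if I missed
anything before I circulate them to the wider team.
"""

if __name__ == "__main__":
    for label, raw in (("lottery", LOTTERY_SAMPLE), ("advance fee", ADVANCE_FEE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{label}: {score_email(raw)}")
```

The scorer is a reading aid for the tips, not a spam filter: a low score only means none of these particular signals fired.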

Friday, February 18, 2011

What makes security professionals different from IT administrators and application developers?

Security consulting has been a passion. To me it is about realizing the weaknesses in technology and sociology, understanding how things that work can be made to stop working, and possessing the ability to link multiple threads to obtain a desired outcome! This maverick attitude differentiates security professionals from their more traditional IT counterparts. Let us take three common examples to demonstrate how security people perceive reality differently.
IT professionals trust software and their features
Cloud computing is all the rage, with security a key concern. I asked an experienced IT administrator who had set up an open source cloud infrastructure why he felt it was secure. He felt it was because he had properly configured the software's security features. IT people trust the software and its features; security professionals, on the contrary, view them with skepticism, fully knowing that a backdoor would eventually emerge.
IT professionals do not understand security risks
The second example is of a senior IT operations head trying to convince me that running security operations was similar to IT operations. He believed that any IT or network administrator could as easily maintain a security infrastructure, as all it needed was knowledge of the security product, just like a good old server or router. What the IT professional failed to realize was that during security operations such as a rule change there is a risk process to discover what underlying assets will be exposed and why. IT professionals follow structured incident or change management processes and do not consider the surrounding evaluation of security risk and consequent asset exposure. They also fail to realize the dynamic nature of security threats, as normal IT risks are fairly static.
Security professionals have a sophisticated understanding of underlying code and its ecosystem
The third example lies in the false belief of software professionals that they build secure software. Most developers and testers feel that their code is not vulnerable; it is the infrastructure that is. Testers do not realize the difference between use cases and misuse cases. They believe that testing for secure login is simply about checking the application's response when an incorrect password is used. Security professionals do smarter things like SQL injection, which combines two valid but unchecked mechanisms, authentication and database access, to exploit the application. The same can be said of developers, who lack an understanding of how code logic can be manipulated by persons with an intuitive understanding of how code runs, like hackers. The security professional has a sophisticated understanding of the underlying code and its ecosystem, using that skill to exploit weaknesses in working and tested code.
There are only a few IT professionals who are security savvy; the vast majority need to learn to think like security professionals in order to build security into every aspect of IT without the need for a security professional.
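The use case versus misuse case distinction from the third example, as an added illustration (not the post's own code): a login check that passes the tester's wrong-password test yet fails the misuse case, beside its parameterized form. The SQLite table, the account "alice" and the hash helper are constructed for the example.

```python
import hashlib
import hmac
import sqlite3


def pw_hash(password: str) -> str:
    # Plain SHA-256 keeps the example short; a real system uses a slow, salted
    # password hash (bcrypt, scrypt or Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with one sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", pw_hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The tester's use case (a wrong password is refused) passes, but the username
    # is pasted into the SQL text, so the meaning of the query depends on the input.
    query = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
             % (username, pw_hash(password)))
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameter binding keeps data and SQL separate; the password comparison is
    # done in Python with a constant-time compare.
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], pw_hash(password))


def run_cases() -> dict:
    """Run the tester's use case and the misuse case against both implementations."""
    conn = make_db()
    # Misuse case: the quote closes the username string and '--' comments out the
    # password clause, so the authentication and database mechanisms are combined
    # exactly as the post describes.
    misuse_name = "alice' --"
    return {
        "use_case_wrong_password_refused": not login_vulnerable(conn, "alice", "wrong"),
        "use_case_right_password_accepted": login_vulnerable(conn, "alice", "correct horse"),
        "misuse_case_bypasses_vulnerable": login_vulnerable(conn, misuse_name, "anything"),
        "misuse_case_refused_by_safe": not login_safe(conn, misuse_name, "anything"),
        "safe_right_password_accepted": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for case, outcome in run_cases().items():
        print(f"{case}: {outcome}")
```

Every value in the returned dictionary is True: both implementations satisfy the tester's use case, and only the parameterized one survives the misuse case.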
But for true security professionals, our jobs will still remain as there is one element no IT professional will ever take away; our ability to challenge and defeat even the most secure system, because that’s simply who we are.

Wednesday, February 16, 2011

Six ways your phone can be illegally tapped

Phone tapping in India has become a national concern, with a leading operator revealing that at peak there are up to 100 phone tapping requests a day. In India there are ten major operators; at a conservative average of 50 taps a day per operator, there would be 182,000 authorized phone taps each year. Not a significant number for a country of 500 million cell phones, considering the real need to tap corrupt officials, drug dealers, suspected terrorists, mafia and other antisocial elements.

To meet this requirement over 2000 such phone tapping devices were imported by private security agencies and large businesses, besides police and government agencies. Since phone taps are authorized only by the government, it is quite probable that some of the equipment in private hands is being used illegally for spying on politicians and businessmen.
There are six ways in which modern phone systems can be illegally tapped for corporate espionage and spying:

1)   Use of Over the Air technology

Modern phone tapping equipment uses over the air technology and does not need to be installed within the premises of the telecom operators. These devices can record the conversations of a person within a range of 2 kilometers; all one has to do is feed in the particular mobile number. Such equipment has reportedly been imported by private agencies in India over the last five years.

2)  Unauthorized use of the Lawful Interception System in Telecom Companies

Employees of the telecom company or a security agency can use the telecom company’s lawful interception system to illegally tap phones and delete any audit trails. In a recent case in India where a politician claimed his phone was tapped, it turned out that an employee of a security agency, on contract with a telecom service provider, was involved in unlawful tapping using a forged letter.

3)  Using Off the shelf software installed on smart phones

In a related post titled "I can spy on your mobile and read your SMSes", I wrote about the ease with which any person could download software to spy on another user’s cell phone. This requires access to the phone or the ability to induce the phone's owner to download the software.

4)   Voice mail Hacks

Voice mail accounts can be accessed from different telephones provided the password is known. Many users use weak or default passwords, which may allow a third party to hack into their voice mail accounts. There is a long running story of voicemail hacking in the UK, which saw the News of the World's (NoW) royal editor and a private investigator jailed for hacking into the mobile phones of royal aides. In July 2009, the Guardian newspaper claimed NoW journalists were involved in hacking up to 3,000 public figures.

5)   Sophisticated bugs on Telephone Exchanges

In early March 2005, Vodafone’s network in Greece was infiltrated by phone-tapping software using sophisticated bugging techniques targeting the cell phones of senior police and defense officials, cabinet members and the prime minister himself. The bugging operation used two pieces of sophisticated software: the equipment provider's own lawful interception software, and rogue software that the eavesdroppers implanted in parts of Vodafone’s network to activate the interception feature in the equipment and at the same time hide all traces that the feature was in use. The software allowed the cell phone calls of the targeted individuals to be monitored via 14 prepaid cellphones. Obviously such software was designed by an organization with access to similar network equipment.

6) Exploiting flaws in Base Station Design

At a recent conference, security researchers demonstrated how a fake base station could be set up to route user calls through it and eavesdrop on them in the process. The system exploited a weakness in the GSM authentication process and was relatively cheap and easy to set up and install.

Recommendations:

  1.  Ensure that your voice mail account has a strong password
  2.  Ensure that you do not allow individuals to download software onto your cell phone, and take precautions over what software you download
  3.  Ensure that law enforcement agencies and governments have proper phone tapping policies, strict laws to deal with illegal taps, and proper processes for the implementation of legal taps, to ensure the system is not misused

Tuesday, February 8, 2011

Personal Data Privacy Lacking in Indian Banking Sector

A survey done by the Data Security Council of India and KPMG, under the aegis of CERT-In (Computer Emergency Response Team, the cyber security wing of the Ministry of Information Technology), found banks to be lax in the security of card transactions and customer data privacy protection.
In an earlier blog, I wrote about privacy being a key issue due to the lack of a regulatory and legal framework that penalizes Indian enterprises for non-compliance. It is therefore not surprising that the survey found “concrete systems for customers' privacy protection are yet to be implemented by many banks”. Almost 80 per cent of the banks surveyed did not have a separate privacy function. The survey recommended “banks to align internal policies, procedures and deploy technology safeguards for protecting sensitive personal information.” On a positive note, the survey results revealed that the understanding of data privacy in the banking sector is growing, with over half of the respondents being aware of privacy principles and of the roles and entities for data protection.
Another area which needs attention is the collection of proofs such as income statements by third party agents while processing applications for loans and credit cards. This data in particular can be misused to commit banking fraud or passed on to mafia involved in extortion.

The survey found that security and privacy were not constrained by the availability of budget or technical skills. In order to build a sustainable privacy protection program, a bank should institute a top-down approach whereby executive management conveys the importance of customer privacy. This philosophy should be ingrained into business processes, employee awareness and specific technological controls such as data encryption.

India is a country with a 9% rate of growth. The rapid expansion of banking institutions to meet demand results in diminished attention to privacy and security. In addition, banks should put in place a comprehensive system to prevent disclosures such as the Swiss bank revelations on Wikileaks. It is not possible to provide a fully descriptive list of mandatory controls which banks must adhere to or be penalized. Therefore a process to motivate banks to adopt best practices, through consumer action and the publishing of results of statutory audits, is needed.

The survey can be obtained from the DSCI website.

Monday, February 7, 2011

State of Personal Data Privacy of the Indian Citizen

I received an SMS which read “Greetings! U & Ur spouse r eligible for a Free 32” LCD TV* as customers of Holiday and Lifestyle Festival. Pls sms & confirm your Name & Name of Car Owned *(T & C). The SMS is a blatant attempt to harvest demographic details of subscribers for the purpose of creating a phone directory for telemarketers. There are other variants of this SMS which ask for age and gender. Unsuspecting subscribers who respond to this SMS link their name to what was originally a random telephone number helping the SMS originator build a database which would probably be sold for a fee several times over. 
Personal Data Privacy is not a high priority issue for Indians. Indians by nature take a genuine interest in the lives of friends, neighbors, colleagues commonly asking questions of personal nature, quite contrary to Western culture. As a consequence this issue does not reflect high on the political agenda hindering the development of a regulatory and legal framework.
The focus on personal privacy is due to the large IT offshore industry which processes personal information of western citizens who require such information to be protected in accordance with laws in their countries. This prompted IT related bodies to build personal data privacy frameworks, lobby to amend the Indian IT ACT to provide legal safeguards which enable such companies enter into specific contracts which include legal penalties for data breaches. But these actions are industry specific and do not extend to the Indian consumer.
Recently personal privacy took a center stage when the personal conversations of a leading industrialist were leaked to the public after his phone conversations with a lobbyist were intercepted as part of an ongoing investigation into a telecom scam. The conversation themselves were private and did not have much relevance to the ongoing investigation but were leaked as part of the hype. The Indian Government is modifying the act to ensure stringent safeguards for phone taps based on directives of the Supreme Court, but the larger issue of personal privacy was not picked upon.
Incessant telemarketing calls and SMS spam have become a gross intrusion in personal space of the average Indian. TRAI (Telecom Regulatory Authority of India) has introduced regulation on SMSes and calls, which restrict the total number of SMSes per sender per day, require identification of promotional SMSes with codes, enforce the registration of telemarketer’s and the mandatory use of a Do Not Disturb list.
In the absence of a proper regulatory and legal framework under which penalties can be imposed for non-compliance, these regulations may not be implemented in spirit. For the government and enterprises dealing with personal data, the obstacle is the cost of upgrading systems and changing employee awareness in handling subscriber data. To a certain extent regulatory frameworks like the PCI standards have ensured that credit card data is protected. But that is all.
And for the telecom operators it would mean choking off a handy source of revenue. Therefore it was not surprising that I could not find a link on my service provider’s portal to report the spam, even though I had subscribed to the Do Not Disturb Registry. Or that services that prevent telemarketers calling you, such as DND list subscription and caller tunes that inform callers that you are roaming (the cost of national and international roaming calls is astronomical), are the least advertised. The fallout is the increased vulnerability of the Indian consumer to fraudulent messages.
In an Internet world which now requires some aspects of personal data to be kept secret to prevent spam, scams and other sorts of personal intrusion, trusting Indians will find themselves increasingly susceptible to cyber crime and identity theft. Large programs like UID and e-governance will not work well if personal data, once digitized, is not protected properly.
A clear definition of personal data, and adherence to certain norms and conditions when corporate and other entities collect, store, process and transmit such data, is urgently needed. Quick introduction of a comprehensive data protection act with strict deadlines for implementation is pivotal, to ensure that the coop is not bolted once the birds have flown.

Wednesday, February 2, 2011

Password, the WORST security tool we need to eliminate, but can’t

A username and a password protect our access to virtually all the applications we use, from stock trading and enterprise systems to social networking. A typical individual would have over half a dozen passwords. Since passwords are the key that unlocks the data or functionality within these systems, they are the focus of attack by hackers. Hackers use a combination of four methods to steal passwords:
1. Tools and techniques to guess passwords: easily guessable passwords are those shorter than six characters, or based on dictionary words, commonly known personal information or simple answers to secret questions.
2. Social engineering techniques such as phishing, spear phishing or vishing: methods used to deceive an individual into giving away a password in response to a seemingly genuine request from an organization or person. The request is couched in an official-looking email with a link to a fake bank website, or comes as an urgent telephone request from an “IT staffer” for your password to load the latest software on your laptop!
3. Use of malware or key loggers: sophisticated applications which steal credentials from your desktop, or when you key them in at cyber cafés. Malware typically gets installed when you surf malicious websites or download applications such as games, audio, movies or tools.
4. Over a Wi-Fi or wired network such as the Internet: passwords may travel over an unencrypted channel, whether wired or Wi-Fi. On a Wi-Fi network it is easy to sniff traffic on an unencrypted home or public network within range. On wired networks the compromise requires access to network nodes such as the Internet router in the Wi-Fi café, or equipment within the cable operator’s or network provider’s network. In either case, credentials can be harvested in bulk by simple tools. Some, but not all, websites or applications use SSL, an encrypted link which protects the channel over which the (itself unencrypted) password is sent and reduces the chance of compromise.
If we put two and two together, a strong password and the best password policies may not be enough to prevent password theft.
So what really protects us: our anonymity? Technology? Security awareness? A combination? Or just luck?
Or perhaps being security smart just helps to reduce, not eliminate, the risks. To enhance protection, security awareness and sound judgment are a must: should I or should I not follow this link or download this application shared by a friend, and so forth. None of us can simply afford to turn off the tap to anything and everything. 100% safe means pen and paper, and the world does not work that way any more.
Technology helps to reduce the window of exposure. Banks and large enterprises use one-time passwords to protect access to their specific applications, in a sense minimizing the risk to those systems from which your money can be stolen. But there is a limit to the number of tokens you can carry, and to what you can afford.
My view of the future is a token-based system on a credit card or a mobile phone to support access to all our applications. But sadly, we are not there yet. Till then, take care, get lucky and be smart.
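As an added illustration of the one-time password tokens mentioned above (example code written for this page, not from the original post or any bank's system): an HMAC-based one-time password generator (HOTP, RFC 4226) with the server-side check that goes with it. It assumes the RFC's published test secret and an assumed look-ahead window of 5; once a code is accepted the server advances its counter, so a code captured by a key logger or phishing page is worthless afterwards.

```python
import hashlib
import hmac
import struct

# RFC 4226 test secret (ASCII "12345678901234567890"); a real token's seed is random.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation to 31 bits, last `digits` decimals."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Server side: remembers the last accepted counter, so a code that a
    key logger or phishing page captured cannot be replayed once it is used."""

    def __init__(self, secret: bytes, look_ahead: int = 5):  # window is assumed
        self.secret = secret
        self.counter = 0              # next counter value we expect
        self.look_ahead = look_ahead  # tolerate a few unused presses on the token

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            # constant-time compare: do not leak which digits matched
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resync and burn this and all earlier codes
                return True
        return False


if __name__ == "__main__":
    server = HotpVerifier(TEST_SECRET)
    first = hotp(TEST_SECRET, 0)          # "755224" per RFC 4226 test vectors
    print("first use accepted:", server.verify(first))
    print("replay of same code accepted:", server.verify(first))
```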

Related Strips:- The Secret