Saturday, April 30, 2011

Immediate Precautions Sony’s PlayStation Network Customers Should Take

Hackers who broke into the PlayStation Network obtained personal information from 77 million customers. According to various news reports, the information accessed was name, address, e-mail address, birthdate, and PlayStation Network and Qriocity password and login. It is possible that financial information such as customers’ billing address, credit card data and account security questions and answers may also have been taken.

I advise all customers to take the following immediate precautions:

1.    If you use the same password on other online services such as banking, shopping or social networks, please change it immediately.
      The same applies if you use a common set of secret questions and answers. It will not be difficult to track down these accounts and attempt to compromise them.  
      Teenagers and children who have sub accounts may use the same credentials on social networks. Parents should supervise and ensure they are changed immediately.

2.    Beware of scam emails enticing you into various deals. Selling the email database will be a prime source of revenue.

3.    Check your credit card statements regularly for signs of misuse. This may not be high risk as Sony claims that credit card information was not compromised.

Thursday, April 28, 2011

Hacking has become a lucrative profession

In the early 90’s, hacking was all about fun and fame. Hackers liked to demonstrate their technical prowess to one and all by creating viruses or defacing websites.  They primarily hacked companies which they felt overcharged, and published these hacks on websites to be used by a large number of amateurs. Some defaced websites to support a cause. In the early 21st century there has been an exponential growth in malware, yet few claimants to fame.  Website defacements have reduced drastically, and are limited to cross border conflicts such as Pakistani hackers attempting to deface Indian government sites. 
So what changed?
Money is the new game, not fun and fame.
With the growth of business to consumer commerce, banking, auctions, stock broking and so on, hackers found that it was easier to make money by stealing credentials. Hackers partnered with non-tech-savvy fraudsters who used this information to conjure a wide range of scams to defraud victims. Hackers also provided fraudsters with elaborate technical methods, tools, malware and scam execution frameworks. This evolution saw the creation of several intermediaries in an organized underground marketplace for the theft and trade of credentials, malware, and execution of online scams, which vastly enhanced the revenue a hacker made. According to reports, in some countries fraudsters fuel the economy of small towns. In parallel with government and consumers becoming sensitive to security breaches, a new market for blackmail was created where hackers stole personal data and returned it to companies for a premium. Hackers in the last two years migrated from solitary individuals to well funded organized crime rings dedicated to creating and establishing infrastructure to subvert the online world.
As these markets for hackers evolve so do regulatory and technical security mechanisms which serve to punish or limit the return a hacker obtains. Hackers react by becoming more innovative and moving away from mass targeting to selective choice of victims.  My post "Fraudster uses Hackers and Spammers in "Pump and Dump" securities scam" demonstrates how innovative scams can be. Of late, I have seen paid hackers active in assisting companies in corporate espionage and sabotage of competitors. I believe this line of business will grow rapidly in the years to come with plenty of opportunity as we build smart homes, smart governments and broadband mobile access.
Hackers run a business, targeting maximum return and low risk, with full access to an underground marketplace. The way to get hackers to end their ways is not simply to catch and punish but to make it uneconomical for them to run their business. To do so we need software free of vulnerabilities, security awareness and quick deployment of patches from product vendors. We also need accurate figures on how big the cybercrime industry is, to ensure it receives the focus and attention from law agencies and lawmakers.

Wednesday, April 27, 2011

Cyber Bullying, Parents need to prepare themselves

Sophie came home looking depressed and went to bed much earlier than normal. When she awoke she was reluctant to go to school. On her social network page someone had posted “you are a slut” with a morphed nude picture. Many others had “liked” the post. Sophie was a target of petty jealousy but the result was public humiliation in front of her entire circle of friends.
According to StopCyberbullying.org, "Cyberbullying" is when a child, preteen or teen is tormented, threatened, harassed, humiliated, embarrassed or otherwise targeted by another child, preteen or teen using the Internet, interactive and digital technologies or mobile phones.
Cyberbullying has become a serious concern as children do not think about what they write online as they would if they wrote a letter. British police say they will start giving perceived cyberbullies a digital tap on the shoulder if their online behavior starts crossing the line of civility.
Star Trek is one of my favorite serials. One of the episodes depicted an alternate universe, with the same characters but with different roles and temperaments.  Today’s online world is very similar to this alternate reality.  The timid lad bullied on the playground becomes a fearsome online cyberbully. The girls who gossiped in school alleyways spread wild rumors on social networking sites.  As the school and neighborhood expands into the online world with the additions of friends of friends and unknown strangers, the impact of cyber bullying becomes severe. Spoken words can be erased quickly and are limited to the few who heard them, but the online written word persists and leaves a lasting impression.
In an offline world such matters would be resolved by teachers and parents, but the same does not hold true online. Lack of jurisdiction, limited parental awareness and growing parental intolerance put the focus on fixing the perpetrator, another child, rather than on child correction and resolution. If we want to improve the system, the focus has to be on raising child awareness through counseling and education. The online world is a reality. Parents cannot cut their child off or protect them from its consequences as much as they can invest time in preparing themselves and their children to understand the risks and ethics in the online world.

Monday, April 25, 2011

How to avoid entrapment via the Internet?

There are two forms of entrapment that take place via the Internet. The first and most common is making money by scamming for air tickets or appeals for monetary assistance. Fraudsters use emails, dating sites or social networks to contact and develop relationships using fake profiles and pictures of attractive men or women. Fraudsters select their victims by sending mass mails, prospecting those that respond. A sample email is given below:
Hello
my name is Jennifer i see your mail while browse because i am looking for an honest partner for friendship i hope you don't mind, if you don't mind please write me back i can tell you more about myself and my pic

These scams are similar to lottery and job scams, where the fraudster is normally anonymous and usually in a different country. They are fairly simple to detect because a request for money will eventually be made. I have written several posts with tips on how to recognize and avoid them.
The second and most dangerous form of entrapment is when the victim is specifically targeted for blackmail as revenge or to extract favors, money and corporate secrets. In these cases the fraudster is normally a real person working to accomplish a mission funded by a corporate house, government or organized crime ring. It is a more sinister ploy. First contact may be made online but the relationship is progressed in real life. It works well when the entrapped person is cheating on a relationship or is susceptible to a threat of sexual harassment or rape. I personally think not cheating on a spouse would be the wisest option. The threat of sexual harassment or rape is normally targeted at extremely rich and senior professionals who have a reputation to lose.

Friday, April 22, 2011

Hue and Cry over Apple Privacy Flaw good for the Industry

Capitol Hill lawmakers are demanding answers from Apple CEO Steve Jobs about an iPhone feature that silently tracks its users' whereabouts and shares this location file with desktops it syncs to for iTunes and other media. Concerns were raised on the safety of children whose movement could be tracked by a person with access to this data, on individual privacy and the commercial benefit Apple receives from this feature. While the feature in itself may not be widely exploitable as it requires access to the iPhone or the “synced” desktop, it denotes that security and privacy requirements are not fully understood. In all probability this functionality was built by a development team not conversant with or undervaluing the importance of consumer privacy.
What pleases me is that the loud hue and cry by consumers and the US government will ensure product companies develop better software. My main concern is that while consumer sectors are instantaneously pressurized, there is no loud outcry when breaches take place in core sectors like power, oil, gas, and in government.
It would be interesting to see how this episode affects share prices and sales.

Thursday, April 21, 2011

Bashing Microsoft on Security Deficiencies

I have found quite often that many individuals love to hate Microsoft on its track record for security vulnerabilities. In seminars where I commented on software vulnerabilities, I have been surprised by senior individuals walking up to me and saying "I am sure your comments were directed towards Microsoft". It's quite evident in responses to blog posts or news articles.

I believe that we should encourage and not bash Microsoft on its track record for software security. I for one believe that they learnt from the initial bad press and embarked on a committed program for enhancing software security in their products. For this we should support and encourage them rather than continuing to bash them. Only stick and no carrot does not work. We should reserve our bashing for the many other popular products that have been riddled with security flaws. Some of these companies were laughing at Microsoft's discomfort instead of fixing flaws in their backyard. They perhaps felt secure because they were not targeted then, as they are now. Microsoft has shown the world that it takes time for well meaning established product companies to migrate to a secure software culture and reprogram massive code bases. Others should learn from this. Our overall goal is to remove software vulnerabilities and ensure software is engineered with security in mind.

Secondly, we should widen our focus to include security vulnerabilities in embedded systems. Embedded systems will fly planes, drive cars, make robots work in plants and so forth. Faulty embedded system software will be a high risk source in the coming years. This scares me.

Tuesday, April 19, 2011

Hacking and Corruption have close Parallels

There is a close parallel between hacking and scams that are emerging as India rises to rid itself of chronic corruption in its system. In an earlier post, “Fake Pilots a Big Threat to India’s National Security”, I wrote about pilots getting licenses on altered mark sheets. Since then every few days a fake pilot has been arrested. The first time money was exchanged to alter a pilot mark sheet, it was a scam, but afterwards it became an accepted way of life facilitated by officials themselves who deliberately hassle or fail aspiring pilots. The scam becomes the norm and even competent individuals who normally would not indulge in such practices are forced to comply. Obviously not many realized that when the scam is exposed, they would suffer the consequences. Exploiting loopholes or bypassing regulation has been a key catalyst for sectoral corruption. Violation of FSI (Floor scale index) or environmental norms in real estate is an example. Such corruption is dangerous for the people who buy these properties. On paper it's all clear, but when the truth is unearthed it is a different story. The very sad part about corruption is that the upright person who does things the correct way suffers.
Hackers operate in a similar way. There are a few hackers with a sophisticated understanding of technology who are able to uncover vulnerabilities in code and then create code, called exploits, which exploits these vulnerabilities. This code is made freely available on hacker sites or sold for a fee to be used by amateurs to gain entry to websites, servers, and desktops. Similar but different are the code snippets called viruses or worms. These have a life of their own. They are created by an expert programmer to exploit one or many such loopholes and are built with the ability to self propagate. Using the network or transferred through files and USB drives, this self-replicating code propagates through IT systems causing loss of data, outages in IT systems or seeding desktops with more potent malware.
The biggest challenge today is the elimination of these loopholes or vulnerabilities through better processes, accountability, audit, and better software development practices. As consumers and buyers we should demand secure code from the vendors as we demand accountability from those who indulge in corruption. Today, the money earned from corruption is many times more than that earned by hacking but this will change in the next five to ten years. Software product vendors and developers should take heed and take steps now.

Saturday, April 16, 2011

“Perverted Justice” an amazing tale of entrapment, hacking, revenge and pedophiles

Yesterday a New Jersey judge sentenced a hacker for launching a revengeful distributed denial of service attack on websites which hosted a news story that humiliated him. It is truly an amazing, sad, true story.
The hacker worked for an organization whose members posed as children to trap pedophiles on the Internet. Shortly after, the hacker fell out with the founder of the organization, whom he allegedly accused of having used his son's photograph as bait. Their relationship became bitter. The founder then posed as a fictitious online woman and started courting the hacker. The hacker was entrapped and in love. During the course of the relationship he shared incriminating pictures of himself. Later the hacker flew down to meet the online woman in real life. Standing in wait at the airport with flowers in hand for the woman who did not appear, the hacker was secretly photographed. These photographs, along with transcripts of his email exchanges, were made public to humiliate him. His wife divorced him and he lost contact with his son. The hacker reacted in revenge, infecting computers with bots and launching a denial of service attack on websites that carried the story. He was caught and sentenced to imprisonment for two years.
The story serves to demonstrate how a fictitious identity created on the Internet can be used to entrap people. I warned readers in my post “Online temptation the art of using search engines to honey trap businessmen, politicians, bureaucrats and military officials?” how easy it was to entrap. My post “3G,Cell Phones, Social Networking and the not so Innocent Obsession” demonstrates how harmful sharing of personal snaps online can be. The last and most important message is that taking the law into your own hands is not the most advisable thing to do.

Frequent reports by Indian print journalists help raise cybercrime awareness

I am frequently delighted to read lengthy articles written by Indian journalists on cybercrime related issues. Issues which perhaps are commonplace in an offline world gain a lot of media attention when perpetrated online with arrests made by the cyberpolice. While the topics are normally trivial marital problems leading to harassment through vulgar emails and slurring on Facebook, these reports serve to create cyber awareness on the dark side of the online world. In particular they aid:
  • Awareness: People are made aware of cybercrime and the mechanisms in place to punish such crimes.
  • Deterrence: Perpetrators who commit these crimes under the anonymity of the Internet realise that in an online world there is no true anonymity and cyber breadcrumbs can be traced back.
  • Empower cyber police: The image of and the confidence in the cyberpolice are enhanced dramatically, which is a great motivator in encouraging reporting of cybercrime.
I do thank the media for writing such articles and actively encourage them to continue their good work. It provides professionals like me an opportunity to link these articles to our opinion, furthering the benefit to the community. A case in point is this article: "Parents should educate their children on the ethical use of Social Networking Sites".

I look forward to a full supplement on cyber issues, if anyone is listening.

Thursday, April 14, 2011

Webmail! Do you understand the threats to your online and personal identity?

A few days back, Yahoo sent me an email thanking me for being a loyal user of their webmail service for the last eleven years. It was a moment of introspection on the manner in which my email usage changed over the years; from a replacement for personal snail mail to an account where I receive job offers, financial statements, password resets, spam, promotions, and information from my LinkedIn, Twitter, Facebook, Google and several other such social networking, news and knowledge sources.
I grew so accustomed to using webmail that I barely noticed that a compromise of my email account would severely inconvenience me. The same is true for 500 million webmail users, some of whom, as I wrote in my post “3G,Cell Phones, Social Networking and the not so Innocent Obsession”, use these accounts to store and circulate very personal messages, snaps and videos.
When I first created my footprint on the Internet through my Yahoo account, I did so to segregate my personal correspondence from my corporate one. I knew that anyone could snoop or filter my emails both on the Internet and also in the office, but given the choice of a known versus unknown person snooping into my personal correspondence and the minuscule probability that an anonymous nobody like me on the Internet would interest anyone, a Yahoo email account was a better option. It still is; though the chances that my emails are analyzed for marketing purposes using sophisticated programs are quite high, the filtering still remains impersonal.
In these eleven years, the number of Internet users grew, driven by consumer-driven online ecommerce, social networking and the proliferation of access mechanisms such as broadband connections, home desktops, mobiles and cybercafés. Companies began to use the Internet for business and the webmail account replaced snail mail for business to consumer correspondence. Poor and rich could at a low cost become members of the Internet fraternity with a webmail account. These changes ensured that personal webmail accounts became the center of our Internet identity and therefore increasingly targeted by hackers, governments and scamsters.
Hackers primarily hack into webmail accounts to gain access to financial data, credentials to log into financial systems or in some cases to blackmail victims. They normally access your account through weak passwords, secret questions or sophisticated malware designed to steal your credentials. In some cases the theft of your email account can be used to seize your online identity.
Governments may use it to spy on citizens and by law can seize contents or monitor your mail through service providers. Mail travels in an unencrypted store and forward manner, therefore email between users from two countries may pass through a third country whose government could spy on it.
Scamsters simply flood your mailbox with spam mail enticing you to be part of their fraudulent schemes. Should you fall for one, you would voluntarily be parting with an advance fee to receive a reward that never arrives. An earlier post, “Online Email Scams a multibillion dollar business or not? You decide”, gives a graphic description of these scams.
Recommendations
  • Use strong passwords
  • Avoid cybercafés

Tuesday, April 12, 2011

Indian Firms unable to realise the value of Security Professionals

“Security Professionals stay hungry” is a frequent comment from independent security professionals and smaller Indian firms selling security services in the Indian market.  There are two main reasons why this occurs. Companies are not investing in security and more predominantly buyers do not pay sufficiently for security services.
A good security professional has a thorough knowledge of both the domain (e.g. IT, Network, Software Development, etc) and related security specialization. Security consultants put in a significant amount of research in enriching and updating their knowledge. For example, cloud is a new trend and security consultants master both cloud technology and cloud security. For the same reason a book trained security/IT professional cannot provide the same quality of input as a security specialized software professional in secure software development. Therefore good consultants command salary premiums over IT counterparts.
The procurement process adopted by companies primarily relies on a tendering system to arrive at the best price. This system technically qualifies a group of security vendors who later bid. The lowest price wins. Many vendors subcontract the project or use low cost IT professionals with basic security training to win bids at low prices. Since technical qualification is done at firm level and not on the basis of the actual team that delivers, this strategy succeeds in putting quality conscious security vendors out of business. In India, most of the top security talent works for Indian outsourcing firms for their global clients.
The second reason is the lack of regulatory compliance drivers and penalties that motivate companies to actively invest in security. Security projects are taken up on the basis of acceptable use, lack budgets and are without time pressure. In-house IT staff take on the responsibility of security solution design and implementation supported by vendors and auditors. While this approach may not be incorrect, it needs to be backed up by outsourced specialized expert services in security architecture, design and review to be successful. Security is a specialized activity requiring daily research which enterprise IT and security operation staff may find difficult to do while addressing day to day priorities. In-house staff can however maintain and contribute significantly due to their knowledge of business operations.
Although I have cited the Indian example, it is a common problem the world over. Many organizations have spent more to redo failed security projects.

Sunday, April 10, 2011

Targeted phishing emails help clone magnetic stripe credit cards

In the last months, I read two interesting news reports. The first was of a couple arrested for using cloned credit cards to make purchases. They were recruited by a local Nigerian crime ring which provided them with the cloned cards to purchase designer goods. These goods were later sold and profits shared. What was most surprising was that the couple were young, about to get married, MBAs and came from reputable Indian families.

The second was actually several reports of targeted phishing mails using events and antiphishing themes to con users into parting with credit card details. The World Cup Cricket, RBI, Income Tax Department and Kiran Bedi were events, organisations or personalities on which elaborate stories were built to social engineer users.

In India, we still use magnetic stripe cards, unlike other countries that use chip and PIN, which enables phishers to generate cloned cards based on information stripped from phishing scams. These are used by small crime rings to buy goods and sell them for cash.

The other low tech way of obtaining card information is while you shop. Card information is read by a magnetic reader and later used to clone the card. The actual cloning of the card is an easy process requiring plastic cards, a printer and an embossing kit. The whole apparatus does not cost more than 5000$.

It may not be easy to fake a rupee note due to the special features built into the note itself, but a magnetic stripe card is fairly simple as it has only a single hologram of the card issuer as credible protection. Low tech forgers usually replace this 3D hologram with a 2D picture, but recently hologram stickers have become available at 100$ for a pack of 10.

Thursday, April 7, 2011

Securing Organisations has become extremely difficult amid the impunity of large breaches

There is much news of security breaches that undermine the competency of Whitehats (the good security professionals) and established security organizations. All this bodes no good for the state of Internet security in the days to come. Nevertheless they serve to indicate how challenging the role of a security professional has become. There are two specific reasons why.
I am a great fan of the “Lord of the Rings” trilogy. In the second sequel the impregnable fortress of Hornburg in the Rohanian valley of Helm's Deep was stormed by the Uruk-Hai, who dynamited its only weakness, a fortified aqueduct. The weakness was exposed by a turncoat with specific insider knowledge of the fortress defenses. In today’s world whitehat security professionals face a similar challenge in securing large organizational perimeters against all forms of attack, whereas a blackhat (hacker) needs to exploit a sole vulnerability to gain access. Finding this one vulnerability, though challenging against a well secured organization, is not difficult. Technical weaknesses are easy to find, ranging from leaked data by IT staff and vendors, compromise through social engineering, weak controls, or zero day software vulnerabilities. Mitigation in targeted scenarios where zero day vulnerabilities are closely guarded secrets and used in selective attacks is extremely challenging today.
I also love to compare a security role with the game of chess. Black Hats play the white pieces and the White Hats the black. In the opening game, the first move is to white and black has to defend. Guessing what the white move will be is always a challenge for the player who plays black. In a similar vein the white hats have to defend against an unknown black hat move making defense quite complex and challenging. The only defense is to continuously assess risk and build up organization defenses to thwart future attacks with an unrelenting effort to patch vulnerabilities before a black hat can exploit them.

Tuesday, April 5, 2011

Better Disaster Preparedness for Major Industries a lesson from Fukushima?

When I saw the reports on the destruction the tsunami that swept Japan’s west coast left in its wake, I felt saddened. Besides destroying lives it crippled the economy. Japan was well prepared for the earthquake; robust building designs prevented loss of life from a Richter 8 quake and several powerful aftershocks. The same could not be said for the Fukushima reactor, whose cooling system was destroyed by the tsunami, which prevented the reactors from being shut down safely.
While the battle to control the reactor continues, it exposed three vital flaws: a single point of failure in the cooling system, a failure to reassess the damage a tsunami could cause post the Indonesian quake and, perhaps the most significant of all, a lack of what-if scenarios and related preparedness in dealing with the impact of a failure to contain the reactor on water, land and air.
Experts continue to say it is negligible. Yet we read that radiation levels in plants, drinking water and seawater continue to rise. Japanese food exports have been banned and citizens of Tokyo 240 KM away live on imported food and drinking water. Many live in fear, even though the radiation levels may not be critical.
As a layman, I feel that authorities are unprepared to face the post nuclear disaster consequences on plant, animal and water resources. I do not believe we have mitigation measures in place should radiation hit the underlying water table and to prevent adverse consequences on animal, bird and sea life.
As an interesting side note, it seems nuclear reactors are vulnerable to enemy attack and missile strikes. Imagine the consequence of such an attack when there is no time for mitigation. Al Qaeda's first plan for 9/11 was to strike nuclear reactors with the commercial airliners, which they later abandoned due to small target size and low probability of success.
If this is the level of failure in the nuclear industry, I am sure that it must be similar in related industries such as Chemical. We need to create what-if scenarios from a disaster in these industries and put in mitigation measures even if the probability of occurrence is very low, as the magnitude of adverse outcome is extremely high. These measures should be made mandatory by law.

Sunday, April 3, 2011

Thefts of Promotional Email Databases enhance the success of Social Engineering Attacks?

Last Friday Epsilon, a permission based email marketeer, issued a press release which said: “On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only”. The company sends over 40 billion emails annually and has over 2500 clients. Several high profile clients have quickly informed their customers that they may be subject to social engineering attacks as a result of this breach.
What made the theft of this email database so precious was that customers opt in for promotional emails from Epsilon’s customers and therefore a spoofed mail has a higher chance of being read and acted upon than unsolicited mail. Email spammers spend significant effort in harvesting and validating customer email addresses and hacking a verified source provides instant rich information. Such data could also be of use to competitors and sold on the black market.
Today, many companies outsource promotional activities such as mail and phone campaigns to small advertising agencies and firms. In order to run these campaigns they need to share subsets of their customer databases with these firms. Ensuring that these firms adequately protect customer data beyond contractual commitments is crucial as small firms may not be equipped to handle security threats, and are easy targets for hackers. Large companies in the banking, financial, telecom and retail sectors which use such agencies are particularly vulnerable. Small firms, unlike Epsilon, may not reveal that they lost customer data or perhaps even realize that they have been breached.
For customers like you and me, as always trust less and be watchful when personal information is asked for, even in solicited mails. You never know!

Saturday, April 2, 2011

Online Scams, the little we can do about it

In my last post “Online Scams how you get suckered and the little you can do about it?” I wrote on the difficulty in protecting oneself from online scams. The only way to reduce online scams is to make it uneconomical for cyber criminals, as cyber law has a long way to catch up.
There is no prescription for foolproof security but there certainly are a few steps that one can take to enhance our defenses. Security strategy works on two cardinal principles: the reduction of risk and of the window of exposure when compromised.
1.       Check out the story. Check the seller’s reputation
The best way is prevention. Before entering into an online transaction, undertake due diligence to ascertain the legitimacy of the party you are dealing with. Remember there is no refund as the scamster is an illegitimate business far away in another country, and you do not want the hassle of even trying to recover the few hundred dollars you were conned for.
2.       Keep your desktop updated with the latest antivirus
This reduces your risk of downloaded malicious software remaining undetected for a long time and prevents downloads of known malware. If you do detect malware in a scan, it may be advisable to change your passwords. In any case frequent change of passwords reduces your window of exposure.
3.       Review your financial and credit card statements for unknown expenses
Incorrect entries or suspicious transactions serve as a warning bell to reset your password and attempt to isolate the cause of your compromise. Run an antivirus scan to detect malware.
4.       Be aware of what details are asked for by legitimate sites
Be aware of what legitimate sites ask for by acquainting yourself with the site's procedure before entering into a transaction.

Friday, April 1, 2011

Has the Media Compromised Player Security in the World Cup?

Tomorrow is the much awaited world cup cricket final in Mumbai. The venue is heavily defended due to warnings of terror strikes during the event. Front pages of the newspapers are dominated by cricketing news, from on field rivalries to be settled and an actress willing to go nude as an incentive for the cricket team to win, to bookie odds. One large news article caught my attention, a rundown of the security provided for the venue and the players. The article described where the players were staying, which part of the building, what security measures were taken on each floor and provided an accurate description of additional measures taken for security.

I personally felt that such news should not be publicised as it serves no interest. The public is interested in their own safety at the venue and not the players'. This action has diluted the security precautions and should be avoided in the future. We should learn from the attack on the Sri Lankan cricketers in Pakistan when their bus was fired upon at a roundabout.