Tuesday, February 28, 2012

Passwords that should never be used

Online passwords are your best friend. Listed are sample passwords you should never use; which includes the name of your best friend too. If your current password is among this list, please change it immediately

·         Password, 123456, 12345678, 1234567, abc123, 'iloveyou', qwerty, abcd1234, security, admin123, Welcome1, letmein, trustno1, 111111,  master, sunshine,  passw0rd, shadow, 123123, 654321, superman, qazwsx,  football, monkey

·         Family or friend name particularly if is among the top 50 most popular names in your country which may or may not be appended by 12,123, 1234, 89

·         Your favorite or one of the most popular football or sports team which may or may not be appended by 12, 123,1234, 89

·         Names of fruits, sports and colors which may or may not be appended by 12,123, 1234, 89

·         Password based on the site name e.g. Facebook123 which may or may not be appended by 12, 123,1234, 89

Related Read

Saturday, February 25, 2012

Six ways to be a model cyber citizen

Be cyber security aware, use security best practices and report cyber crime

Use an antivirus product as it helps not only to protect you but prevents your computer from hosting malware that affect others

Be a good cyber parent, educate your child on the dangers, ethics and safety measures to be used online

Stay away from using pirated products

Encourage your government to invest in raising the national standard of cyber security in curriculum, law and customer protection

Be responsible for your online habits, tweets, as what you do online affects your reputation, family, colleagues, religion, nation and company

Friday, February 17, 2012

What, Why and How of Employee Monitoring

It is common knowledge that companies monitor what employees do in the workplace and on office equipment. I put together a comprehensive  view of  what  was monitored, why it was monitored and how it was monitored. It should be borne in mind that most companies only monitor a small subset of the list below.

Wednesday, February 15, 2012

National and Corporate Security Concerns due to Nortel’s Hack

Could corporate espionage be the reason why a billion dollar firm lost its competitive edge and became bankrupt?  Was the lack of perception that this was a significant threat by top executives a reason for not considering a report about the spying to be a material risk, thereby resulting in limited action and disclosure?
These are the two tough questions each chief executive needs to ask of himself after the recent disclosure that hackers spied on Nortel Networks for nearly a decade, according to report Tuesday in the Wall Street Journal, and had access to Nortel's business plans, reports, emails and other documents by stealing passwords from top company executives and installing spyware they controlled remotely.
For the telecommunication industry it raises fears that hackers may have access to information that can enable them identify exploitable product vulnerabilities, leading to security weaknesses within enterprises as well as affecting national security when used by telecommunication providers.

Related Reads

Sunday, February 12, 2012

Die hard Scenario: Rise in Exploitation of Internet Connected Devices Imminent

There have been two widely publicized news reports on the exploitation of Internet connected devices. These devices were office video conferencing equipment and home video camera’s which allowed skilled individuals to turn on and monitor video and audio feeds from the Internet. There are three primary reasons for allowing such surveillance; the first was an Internet connection without use of a firewall, the second misconfiguration or use of default passwords and thirdly product vulnerabilities.

As more and more devices get connected onto the Internet, these sorts of problems will become more acute. All new devices whether they are cars or power systems are vulnerable. Going forward we must ensure that we configure these devices properly, use strong passwords and ensure these products are patched regularly.
Some of these devices are not commonly used and hence normal methods of discovery and reporting of vulnerabilities do not work very well. There is a need to ensure that such products are securely tested by the product suppliers and carry a specific security certification stamp which enable users make a purchase decision.  Solutions to this specific set of problems will require users to secure and securely operate increasingly interconnected home networks, which is not an easy task going by the many instances of badly secured wifi networks.

Two articles on real life incidents which highlight the severity and urgency of the risk are:
Trendnet security cam flaw exposes video feeds on net

Thursday, February 9, 2012

Google's privacy policy strikes a freedom chord among Netizens

There is much cry over the new Privacy Policy that Google has announced in the United States. Two issues at the center of the privacy storm, are the ability to “opt out” which essentially involves deleting all traces of individual data collected on you or on your net use by Google and the use of linked data (your account/device to your net use) across Google’s product estate such as combining search data for targeted advertising.

In the physical world when you purchase a book, the book seller cannot correlate the books you purchased to determine your interests, of course this changes when you use a loyalty card. In the virtual world, this correlation is almost certain to happen as everything you do is mapped onto a database of sorts. When information across multiple products and their use is combined, Google’s ability to build a more informative personal profile raises manifold. It is the use of this ability which has most netizens up in arms. Collection of information may help user experience, such as quicker and more appropriate search results, but the use of this information for targeted advertising has raised hackles as it reduces the anonymity of an individual.

As business and government interest in the net grows we now witness initiatives and regulations that seek to maximize their interests in virtual markets. SOPA, Google’s Privacy Policy, Court rulings, cyber laws and cyber wars are indications of coming change. Cybercriminal also find the Internet to be a low risk turf with abundant opportunities for scamming and fraud.  The recent World Economic Forum Global Risk Report 2012 posed a thought provoking question “Is online anonymity and integral aspect of freedom in a hyperconnected world “

In the ongoing battle against privacy, netizens are trying to emphasize that the fundamentals of the physical world such as privacy in social transactions and the ability to opt out should be followed as guiding rules of the Internet. They also believe that the underlying reason for the rapid growth of the net was its freedom, and that dominant forces that used this very freedom to grow should not impose a check on new entrants.
if you would like to know what data on you is collected online, then please read my previous post "Personal Data Websites Collects Online".
It is my opinion,  that making the privacy policy simple to read and understand by Google was a good example for other online properties to follow.

Tuesday, February 7, 2012

Be Australia’s First Stay Smart Online Agent

In Australia ,80% of the population uses the Internet for social networking, shopping, online banking, blogging and ecommerce. As the Internet becomes a channel for financial transactions, and an easy means to perpetuate email frauds and scams, cybercrime will start to grow at a rapid rate. Most of us and our children use the Internet without a complete understanding of its risks and the knowledge to protect us. There are over 15 Categories that constitute Cybercrime which we should be aware off, and the upcoming National Cyber Security Awareness week (June 2012) is one such government initiative to bring together industry, community and consumers to raise cyber security awareness among its residents.

One of the unique proposals, this year is to find ambassadors who will help people relate to, and visualize cyber security issues as opposed to reading a boring list of security do’s or don’ts. These brand ambassadors named ‘Stay Smart Online Agents’, will be flown around Australia to attend industry events throughout Awareness Week.  

I liked the trailer of the competition video with its James Bond theme. Of course in reality there is no mystic to cyber security, commonsense is the best weapon. We only need to learn to stay safe on digital highways.

To participate go to Stay Smart Online. Entry is open to all Australian residents who are 18 years or over as at 16 December 2011 and closes on 14th Feb 2012.

Monday, February 6, 2012

Tips: Video Recording Employees in the Workplace

Employees are videotaped in the workplace by the company using CCTV cameras, or by fellow employees using their cellphones.
Companies undertake video surveillance of their workplace for various reasons which include reduction of workplace thefts by employees, recording evidence of sexual harassment, sabotage and workplace violence, to detect break-ins, for crisis control (fire evacuations), for access monitoring (at the perimeter and datacenters) and in a few cases to track employees’ on-the-job performance. In some cases both video and audio may be recorded.
The other way of being videotaped in the workplace is by other employees on their cell phones. Video surveillance by companies is only used for internal purposes but cell phone recordings may be circulated, and posted on social networking sites with embarrassing consequences.
Though laws may vary by country and state, in general it is not unlawful for a company to monitor employees on the companies premise, and companies are not mandated to inform their employees that they are under surveillance. However, over 80% of companies have a written policy and signed employee agreement which clearly communicate to employees that they are or can be monitored.
Unreasonable invasion of privacy like surveillance in changing rooms and bathrooms are unlawful and generally prohibited by law.
Unions may negotiate limitations on video recordings of unionized workers as part of their contracts.
Video cameras that also capture audio recordings may be subject to laws relating to audio recording, including wiretap and eavesdropping laws.  It seems to me that such audio recording may not be legal in many countries or states. In the US, the following report provides an overview of its legality state wise Can We Tape? A Practical Guide to Taping Phone Calls and In-Person Conversation in the 50 States and D.C.
When one employee records another and posts the clip on a social media site, it may not be considered unlawful unless it has been filmed when the employee is in a state of undress or in an area like a changing room. Many companies expressly prohibit on premise filming as part of their policy and in these cases on an employee complaint may be able to take disciplinary action.
I would like to end this blog with a disclaimer. In this blog, I have indicated what some companies do currently; it is not an endorsement of the legal position of these practices. Laws vary in different countries and states and it is advisable to take legal opinion in drafting policies and undertaking any form or surveillance.

Friday, February 3, 2012

WEF Risk Report says Collective Response a Catalyst to combat cybercrime

The World Economic Forum WEF Global Risk 2012 report aptly pointed out the a key risk was the potential failure of information infrastructure resilience in a connected world. Cyber attacks were identified as a key threat agent, which for the moment the world seemed quite unprepared to face.

One of the thought provoking suggestions made in the report was the recommendation to build a collective response to improve infrastructure resilience by all the stakeholders. The report recommended a community response in terms of coordinated action, policy harmonization, neighborhood watch and mutual aid to help reduce the risk in the global supply chain. Such examples exist between firms, in disaster management and could be extended to the online world. According to the report, the objective was to arrive at a critical mass. It cited for immunizing a population, 100% immunization was not needed, but critical mass should be achieved, sufficient to isolate outbreaks and disrupt the spread of the disease.

The report stressed that the shared benefits of security protection were not understood, as firms have an incentive to invest in security systems to protect their own interest rather that the entire infrastructure. It gave online security as an example to illustrate this point. According to the report “Online security is an example of public good; cost is borne privately and benefits are shared. When a user uses antivirus software they do not take into account the benefit of protecting other users from Advanced Persistent Threats or spam if their computer is malware infected”

Wednesday, February 1, 2012

All my Cybersecurity Awareness Strips of 2011

Security strips are one interesting way of portraying cyber security awareness. Over the last year, I published six such security adventures and misadventures. For those who may have missed it, please do read them. Also please circulate this link to security professionals who have an interest in cybersecurity awareness.

1) Corporate Espionage
2) The Secret
3) The Lottery Scam
4) The Audit
5) Tom's First Job
6) The Access

Cyber Attacks among the top five risks identified in WEF Global Risk Report 2012

I was not at all surprised that the World Economic Forum WEF Global Risk 2012 report showed up “Cyber Attacks” among the top five risks rated by likelihood for the first time since its seven years of inception. A similar Global Economic Crime Survey report from PwC titled “Cybercrime: protecting against the growing threat” also saw cybercrime among the top four economic frauds. This was inevitable, as 2011 witnessed several visible cyber attacks on corporate, governments and utilities. Media reports and prominent disclosures by Hacktivists clearly demonstrated the lack of cyber security preparation by major companies.

The exponential rise in connected devices such as mobile phones, home networks, smart grids and smart cities raised the specter of a single vulnerability creating a catastrophic disruption in the global information infrastructure. Cyber attacks is a key threat vector which can be executed remotely and with near anonymity by a variety of state and non-state actors.
It was quite clear that while the risk appeared on the radar, there was not much being done about it, as stakeholders did not seem to view the risk as impactful, and favorably viewed the benefits of a connected world over the risk. One of the main reasons for this view was that terrorism, crime and war in the online world have so far been less deadly that physical counterparts.
One of the key conclusions of the report was the need to obtain a firm understanding of the security problem by improving the quality of risk reporting through empirical research. Current research by security vendors is viewed with skepticism because of the possibility of bias, and non vendor research in infancy because victims prefer to remain silent.
In the long-term reliable indicators of crimes, attacks and losses is key to ensure that the full impact of cyber attacks and crime is known, its economic consequences measured and investments made to reduce their impact.