Tuesday, February 26, 2013

Installing malicious software by exploiting online trust

The endgame of a hacker is to introduce malicious software onto a computer, which can later be used for a wide variety of nefarious activities: stealing user credentials to access social and financial sites, encrypting data on the computer and then demanding a ransom fee to decrypt it, or using the machine for antisocial activities like spam, pornography and hacking.
Antivirus software, even from well-known brands, is not effective against the targeted or selective use of malware, as it is better suited to defending against mass-distributed viruses. Even if these products are able to update their signature databases for specific low-volume malware, the process takes four weeks, which is a long window of exposure.

The easiest way to introduce malicious software is to convince the user to download it by exploiting online trust networks. Social networks and email are two frequently used channels for such exploitation:
Social Networks

Social networks can be exploited by using the trust within the network to motivate a user. For example, a link forwarded by a friend is normally considered trusted, and a user will click on it without much thought about the cyber risk. Introducing posts with malicious links into a social network friend's circle is commonly done through an anonymous profile or by hacking into a legitimate account.
A second option is to use a malicious third-party application or to exploit a weakness in a third-party application. For example, third-party applications for Twitter help users schedule tweets automatically. These applications are normally given permission to read or write on the social network on behalf of the user. Hackers exploit weaknesses in these applications to introduce malicious posts or tweets.

Email

Email is used in a similar manner to social networks. Legitimate accounts are hacked into and used to send bulk email with malicious links. Users assume the email has come from a trusted source and click on the link, downloading the malware. According to a recent blog post by Google, they saw “a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time”. Google claims that this activity has reduced significantly in Gmail due to the use of risk-based authentication and two-step verification.


Monday, February 11, 2013

"Don't Get Scroogled by Gmail" - Free Services or Enhanced Privacy?

Solving the emotive issue of an individual's privacy online is a daunting task when consumers want free services and the underlying economics of making services free is driven by ad revenue. Advertisers pay for advertisements only if they derive a measurable return from their marketing spend (product sales resulting from ad clicks), and in turn pay ad providers according to the number of consumer clicks on displayed ads. To make this system effective, advertisements have to be kept relevant to the audience. Key to this is the identification of target segments based on demographics or context, such as a baby diaper advertisement on sites or search queries related to mother care.

Search engines and social networks do not have content of their own, and therefore have to display ads by interpreting the context of a user's action, such as a search query or a post. This interpretation is greatly enhanced by knowledge of the user's search history or messages, which provide a view into the user's top-of-mind needs. Using such insights, search engines increase their click-through rate by serving relevant advertisements on web pages or on other services the person visits or uses.

Many netizens do not read the privacy policies of online sites before they click to accept them, as the policies are lengthy and the legalese too cumbersome to comprehend. Even if one did manage to make sense of a policy, one would find that all alternative service providers offer a similar variant. Not signing up is not an option unless a user wishes to live with a severely curtailed version of the Internet. Even with paid services without ads, a user may not be absolved of such risks, because legal departments take precautions against every single eventuality, which includes retaining the right to use data.

Microsoft's campaign against Google, called "Don't Get Scroogled by Gmail", is designed to tap into consumers' growing fear that their privacy is being compromised on the Internet. The campaign was based on a GfK Roper poll commissioned by Microsoft, which found that 70 percent of people didn't know services scanned personal email for ad targeting, with 88 percent disapproving of the practice.

While most of these emails are scanned by automated agents, which provide a level of robotic abstraction from the human persona, this does not guarantee absolute privacy. If it can be determined from context that a user is searching for a mortgage, then the same logic could tell whether a user is in a relationship, or reveal even more intimate associations. After all, a contextual search over a giant database only requires clever algorithms. There is no malicious intent in such searches, as big firms have no interest in the person beyond enhancing their ad revenue; the real danger is from potentially malicious insiders or hackers who gain the ability to use such contextual searches for their own ends. Such tools are currently in use by law enforcement to combat crime and terror.

Cybercitizens and their associations collectively apply pressure on websites to rein in their tendency to misuse privacy-related data (user profiles, search histories, messages or posts). Such actions have effectively kept privacy misuse in check and ensured that large firms modified their systems under that pressure. Reputed firms can be trusted not to misuse individual privacy or rights in ways that would hurt the financial or emotional well-being of their consumers, as this would severely undermine their business viability. Today, privacy gaffes made during the implementation of a technologically smart idea by an engineer with no clue of its privacy implications are on the decline, as large firms have instituted privacy reviews and awareness programs.

However, there is no slowdown in the automated or robotic use of big data analytics to mine a user's needs, behavior and actions and translate them into sales and new products. Privacy is also not a very important topic among the younger generation. In the future, we should expect a careful balance between privacy, its economics and legal deterrents to data abuse. This is an imperative to keep the Internet free, for it to grow and to foster continuous innovation in online technology, products and services.

Sunday, February 10, 2013

StaySafe CyberCitizen, a free ebook on Security Awareness makes The Rising List on Scribd.com

“StaySafe CyberCitizen” has made it to The Rising List on the online document site Scribd.com within the first five days since its release.
Cyber criminals are coming up with increasingly sophisticated ways and means to dupe cyber users with scams, siphon money from their online accounts or harass them.
To reduce this, “StaySafe CyberCitizen” covers topics such as the basics of cybercrime, best practices in online trading, email scams, employee blogging, cyber parenting and child safety, online ethics, online banking, how hackers earn, and security insights for consumers as well as security professionals.
My free e-book on cyber security is for individuals, consumers, traders, corporates, parents, bloggers and social networkers, to make them aware, using simple examples and real-life incidents, of key risks and practices to remain safe online. The book can be used as a security awareness tool by companies.

Monday, February 4, 2013

StaySafe Cybercitizens – a free ebook on Cyber Security for individuals, parents and employees

I am delighted to announce the launch of my free ebook StaySafe CyberCitizen. The book concept grew out of my passion for writing blogs on cyber security, along with snippets of advice to keep us and our children safe when we browse the Internet. I trust that you will enjoy reading it as much as I did when I wrote it. - Lucius
Download your copy or read online – StaySafe Cybercitizen

About the book StaySafe Cybercitizen

We live in a fast-changing world where many aspects of our everyday lives are touched, influenced or governed by technology. The ease with which we are able to access information online, keep in touch with friends and family, and work while on the move, also comes at a price. As we adapt to a pervasive online presence, cybercriminals are coming up with increasingly sophisticated ways and means to misuse this connectivity.
Little do we realise that our activities online open us to a host of security risks, some of which are relatively easy to exploit. Cyber-criminals will continue to reach us in the confines of our homes and offices, or in crowded places. Threats cannot be wished away, left to others or simply ignored. We need to assess such threats, take prudent steps and use best practices to reduce their danger.
This book aims to paint a picture of prevailing cyber threats using real incidents. In seven chapters it explains why cyber risks occur, what form they take, and how they affect cybercitizens as individuals, employees, citizens and parents.